JSON Web Token / JWT Raw Implementation in Python3

In this article, we are going to walk through a version of the raw implementation of the JWT specification in Python3. For simplicity, we will use HMAC + SHA256 (HS256) as the signing algorithm.

Let’s look at the JWT in a functional sense. There are three outputs in the JWT, concatenated with a dot (“.”).


When building the JWT, there are three inputs.

  • the header describing the token type and the signing algorithm in JSON
  • the payload describing the claims or information about the user assigned the token in JSON
  • the private key that is used to sign the header and the payload

The following are the functional operations.

  • Removing all non-key, non-value white spaces in the JSON message
  • URL Safe Base64 encoding
  • HMAC (Keyed-Hashing for Message Authentication) operation

Functional Operations

We will first look at the individual operations and then bring them all together.

import json

cleaned_json_str = json.dumps(
    your_json_object,        # the header or the payload as a Python dict
    separators=(",", ":"),   # default is (",", ": ") notice the space
)

import base64

b64_encoded_json = base64.urlsafe_b64encode(
    cleaned_json_str.encode("ascii")  # convert to bytes
)
# here we need to strip the padding filled with "=" for use in the token
b64_final_json = b64_encoded_json.decode("ascii").rstrip("=")

import hmac
import hashlib
import base64

secret_key_bytes = b"my_secret_key"
signature_bytes = hmac.new(
    secret_key_bytes,
    msg=your_message_to_sign.encode("ascii"),
    digestmod=hashlib.sha256,
).digest()
b64_signature = base64.urlsafe_b64encode(signature_bytes).decode("ascii").rstrip("=")


For the illustration we will use the following header and payload JSON objects.

Header:

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload:

{
  "sub": "cd08769d-c6a5-43cf-be5f-14f34ecddaa2",
  "name": "Your Friendly Neighbor",
  "iat": 1609459200
}

Bring It All Together
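The following is an added, self-contained example (not the article's own code) that combines the three operations above into a token builder and a matching verifier, using the article's header, payload and `my_secret_key` demo key. The function names (`encode_jwt`, `verify_jwt`, `b64url_encode`, and so on) are this example's own. The verifier pins the algorithm to HS256 rather than reading it from the token, and compares signatures in constant time, which are the two checks a raw implementation most often gets wrong.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Header and payload from the article; the "sub" value is the article's sample UUID.
HEADER = {"alg": "HS256", "typ": "JWT"}
PAYLOAD = {
    "sub": "cd08769d-c6a5-43cf-be5f-14f34ecddaa2",
    "name": "Your Friendly Neighbor",
    "iat": 1609459200,
}
# Constructed demo key from the article. In practice use a long, random secret.
SECRET_KEY = b"my_secret_key"


def b64url_encode(data: bytes) -> str:
    """URL-safe Base64 with the '=' padding stripped, as JWT requires."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode: restore the padding, then decode."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def json_segment(obj: dict) -> str:
    """Compact JSON (no whitespace outside keys and values), then Base64url."""
    compact = json.dumps(obj, separators=(",", ":"))
    return b64url_encode(compact.encode("ascii"))


def sign(signing_input: str, key: bytes) -> str:
    """HMAC-SHA256 over the ASCII signing input, Base64url-encoded."""
    digest = hmac.new(key, msg=signing_input.encode("ascii"), digestmod=hashlib.sha256).digest()
    return b64url_encode(digest)


def encode_jwt(header: dict, payload: dict, key: bytes) -> str:
    """Build header.payload.signature."""
    signing_input = f"{json_segment(header)}.{json_segment(payload)}"
    return f"{signing_input}.{sign(signing_input, key)}"


def verify_jwt(token: str, key: bytes) -> Optional[dict]:
    """Return the payload if the token is well-formed, HS256 and correctly signed, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: never let the token's "alg" field choose the verifier.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = sign(f"{header_b64}.{payload_b64}", key)
    # Constant-time comparison so a wrong signature does not leak timing information.
    if not hmac.compare_digest(expected, sig_b64):
        return None
    try:
        return json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    token = encode_jwt(HEADER, PAYLOAD, SECRET_KEY)
    print(token)
    print(verify_jwt(token, SECRET_KEY))
```

The first segment of the generated token is `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9`, the familiar Base64url form of `{"alg":"HS256","typ":"JWT"}`. Changing a single character of the payload, or verifying with a different key, makes `verify_jwt` return `None`, and a token whose header claims `"alg": "none"` is rejected before any signature check.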

