
dj-rest-auth

Drop-in authentication endpoints for Django REST Framework. Works seamlessly with SPAs and mobile apps.



Why dj-rest-auth?

Building authentication for your API shouldn't require reinventing the wheel. dj-rest-auth provides a complete set of REST API endpoints for user authentication, registration, and account management—all following security best practices.

  • Quick Setup


    Install with pip and add a few lines to your Django settings. Get authentication working in minutes.

    Getting started

  • Secure by Default


    HTTP-only JWT cookies, token blacklisting, throttling, and CSRF protection built-in.

    Security options

  • Fully Customizable


    Every serializer is overridable. Extend or replace any component to fit your needs.

    Customization

  • Social Authentication


    Integrate Google, GitHub, Facebook, and other OAuth providers via django-allauth.

    Social auth

  • Passkeys (WebAuthn)


    Passwordless login with Touch ID, Windows Hello, and hardware security keys via FIDO2/WebAuthn.

    Passkeys guide

Features

| Feature | Description |
| --- | --- |
| Login / Logout | Token and JWT-based authentication with session support |
| Registration | User signup with email verification (via django-allauth) |
| Password Management | Reset via email, change with old password verification |
| User Details | Retrieve and update user profile information |
| JWT Cookies | Secure HTTP-only cookie transport for SPAs |
| Social Auth | OAuth2 login with Google, GitHub, Facebook, and more |
| Passkeys | Passwordless login via FIDO2/WebAuthn (Touch ID, security keys) |
| Token Refresh | Automatic JWT refresh with sliding sessions |

Requirements

| Package | Version |
| --- | --- |
| Python | >= 3.10 |
| Django | >= 4.2 |
| Django REST Framework | >= 3.14 |

Quick Example

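settings.py

```python
INSTALLED_APPS = [
    # ...
    'rest_framework',
    'rest_framework.authtoken',
    'dj_rest_auth',
]

REST_AUTH = {
    'USE_JWT': True,            # issue JWTs (requires djangorestframework-simplejwt)
    'JWT_AUTH_COOKIE': 'auth',  # name of the cookie that carries the access token
    'JWT_AUTH_HTTPONLY': True,  # set HttpOnly so page JavaScript cannot read the cookie
}
```

urls.py

```python
from django.urls import path, include

urlpatterns = [
    # Mount the login, logout, password and user endpoints under /api/auth/
    path('api/auth/', include('dj_rest_auth.urls')),
]
```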

That's it! You now have these endpoints:

  • POST /api/auth/login/ - Obtain token
  • POST /api/auth/logout/ - Revoke token
  • POST /api/auth/password/reset/ - Request password reset
  • POST /api/auth/password/change/ - Change password
  • GET /api/auth/user/ - Get current user

See the full quickstart guide
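
As an added example (not part of dj-rest-auth or its documentation), the check below audits a `REST_AUTH` dict for weak JWT cookie settings and runs it on the Quick Example configuration. `JWT_AUTH_SECURE`, `JWT_AUTH_SAMESITE` and `JWT_AUTH_COOKIE_USE_CSRF` are dj-rest-auth settings not shown on this page; the values in `DEFAULTS` are assumptions to confirm against your installed version, and `audit_rest_auth` is a hypothetical helper name.

```python
# Added example, not dj-rest-auth code. DEFAULTS is an assumption about the
# library's defaults for these keys; confirm against your installed version.
DEFAULTS = {
    "USE_JWT": False,
    "JWT_AUTH_COOKIE": None,
    "JWT_AUTH_HTTPONLY": True,
    "JWT_AUTH_SECURE": False,
    "JWT_AUTH_SAMESITE": "Lax",
    "JWT_AUTH_COOKIE_USE_CSRF": False,
}


def audit_rest_auth(rest_auth):
    """Return (setting, problem) pairs for the JWT cookie transport."""
    cfg = {**DEFAULTS, **rest_auth}
    if not (cfg["USE_JWT"] and cfg["JWT_AUTH_COOKIE"]):
        return []  # no JWT cookie is issued, so there is nothing to audit
    findings = []
    if not cfg["JWT_AUTH_HTTPONLY"]:
        findings.append(("JWT_AUTH_HTTPONLY", "page scripts can read the token cookie"))
    if not cfg["JWT_AUTH_SECURE"]:
        findings.append(("JWT_AUTH_SECURE", "cookie is also sent over plain HTTP"))
    samesite = cfg["JWT_AUTH_SAMESITE"]
    # Only the string "None" means SameSite=None; Python None means "unset".
    if isinstance(samesite, str) and samesite.lower() == "none":
        if not cfg["JWT_AUTH_SECURE"]:
            findings.append(("JWT_AUTH_SAMESITE", "browsers reject SameSite=None without Secure"))
        if not cfg["JWT_AUTH_COOKIE_USE_CSRF"]:
            findings.append(("JWT_AUTH_COOKIE_USE_CSRF", "cross-site requests carry the cookie with no CSRF check"))
    return findings


# The REST_AUTH dict from the Quick Example above.
PAGE_EXAMPLE = {"USE_JWT": True, "JWT_AUTH_COOKIE": "auth", "JWT_AUTH_HTTPONLY": True}

# Constructed hardened variant for an HTTPS-only deployment.
HARDENED = {**PAGE_EXAMPLE, "JWT_AUTH_SECURE": True, "JWT_AUTH_SAMESITE": "Lax",
            "JWT_AUTH_COOKIE_USE_CSRF": True}

# Constructed weak variant, for comparison.
WEAK = {**PAGE_EXAMPLE, "JWT_AUTH_HTTPONLY": False, "JWT_AUTH_SAMESITE": "None"}

if __name__ == "__main__":
    for name, cfg in [("page", PAGE_EXAMPLE), ("hardened", HARDENED), ("weak", WEAK)]:
        print(name, audit_rest_auth(cfg) or "ok")
```

Run on the Quick Example configuration, the check reports only `JWT_AUTH_SECURE`, which that configuration leaves unset.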

Architecture

```mermaid
flowchart LR
    subgraph client [Client App]
        SPA[React / Vue / Mobile]
    end

    subgraph djrestauth [dj-rest-auth]
        Login[LoginView]
        Logout[LogoutView]
        User[UserDetailsView]
        PWReset[PasswordResetView]
    end

    subgraph django [Django]
        Auth[django.contrib.auth]
        Allauth[django-allauth]
        SimpleJWT[djangorestframework-simplejwt]
    end

    SPA -->|POST /login/| Login
    SPA -->|POST /logout/| Logout
    SPA -->|GET /user/| User
    SPA -->|POST /password/reset/| PWReset

    Login --> Auth
    Login --> SimpleJWT
    Logout --> Auth
    User --> Auth
    PWReset --> Allauth
```

License

MIT License - See LICENSE for details.