RobustAuth Documentation
Modern session-based opaque token authentication for Django REST Framework.
RobustAuth replaces JWT complexity with secure, database-backed opaque tokens — giving you instant revocation, full session intelligence, and production-grade security controls out of the box.
Why RobustAuth?
Most Django auth packages make you choose between simplicity and power. DRF’s built-in TokenAuthentication is simple but has no revocation, no sessions, no history. SimpleJWT adds refresh tokens but locks you into JWT — which can’t be instantly revoked.
RobustAuth gives you the best of both worlds: the simplicity of opaque tokens with the full session intelligence of a modern auth system.
Documentation
Installation — get up and running in minutes
Configuration — all available settings with defaults
API Endpoints — full REST API reference
Session Policies — controlling concurrent logins
Signals — hooking into authentication events
Changelog — version history
Quick Example
# settings.py
INSTALLED_APPS = [
...
"rest_framework",
"robustauth",
]
REST_FRAMEWORK = {
"DEFAULT_AUTHENTICATION_CLASSES": [
"robustauth.authentication.RobustTokenAuthentication",
],
}
ROBUST_AUTH = {
"SESSION_POLICY": "single", # one active session per user
"ROTATE_REFRESH_TOKENS": True,
"TRACK_IPS": True,
}
# Login
curl -X POST http://localhost:8000/auth/login/ \
-H "Content-Type: application/json" \
-d '{"username": "alice", "password": "secret"}'
# Response
{
"access_token": "a3f9...",
"refresh_token": "b7c2...",
"session_id": "550e8400-...",
"token_type": "Bearer"
}
Requirements
Python 3.10+
Django 4.2+
Django REST Framework 3.14+
user-agents(optional, for device/browser detection)