Django Rest Framework Token Authentication


I have read the Django Rest Framework Guides and done all the tutorials. Everything seemed to make sense and work just how it should. I got basic and session authentication working as described.

However, I'm struggling with the Token Authentication part of the documentation, its a little lacking or does not go into as much depth as the tutorials.

It says I need to create tokens for users but does state where, in

My question is:

Can someone explain the Token Authentication part of the documentation a little better for a first timer?

5/8/2018 7:44:34 PM

Accepted Answer

No, not in your -- on the models side of things, all you need to do is include the appropriate app (rest_framework.authtoken) in your INSTALLED_APPS. That will provide a Token model which is foreign-keyed to User.

What you need to do is decide when and how those token objects should be created. In your app, does every user automatically get a token? Or only certain authorized users? Or only when they specifically request one?

If every user should always have a token, there is a snippet of code on the page you linked to that shows you how to set up a signal to create them automatically:

@receiver(post_save, sender=User)
def create_auth_token(sender, instance=None, created=False, **kwargs):
    if created:

(put this in a file, anywhere, and it will be registered when a Django thread starts up)

If tokens should only be created at certain times, then in your view code, you need to create and save the token at the appropriate time:

# View Pseudocode
from rest_framework.authtoken.models import Token

def token_request(request):
    if user_requested_token() and token_request_is_warranted():
        new_token = Token.objects.create(user=request.user)

Once the token is created (and saved), it will be usable for authentication.

2/12/2013 6:11:21 PM

@ian-clelland has already provided the correct answer. There are just a few tiny pieces that wasn't mentioned in his post, so I am going to document the full procedures (I am using Django 1.8.5 and DRF 3.2.4):

  1. Do the following things BEFORE you create the superuser. Otherwise, the superuser does not get his/her token created.

  2. Go to and add the following:

  3. Add the following code in myapp's

    from django.db.models.signals import post_save
    from django.dispatch import receiver
    from rest_framework.authtoken.models import Token
    from django.conf import settings
    # This code is triggered whenever a new user has been created and saved to the database
    @receiver(post_save, sender=settings.AUTH_USER_MODEL)
    def create_auth_token(sender, instance=None, created=False, **kwargs):
        if created:

    Alternatively, if you want to be more explicit, create a file named under myapp project. Put the code above in it, then in, write import signals

  4. Open up a console window, navigate to your project dir, and enter the following command:

    python migrate
    python makemigrations

    Take a look in your database, a table named authtoken_token should be created with the following fields: key (this is the token value), created (the datetime it was created), user_id (a foreign key that references the auth_user table's id column)

  5. create a superuser with python createsuperuser. Now, take a look at the authtoken_token table in your DB with select * from authtoken_token;, you should see a new entry has been added.

  6. Using curl or a much simpler alternative httpie to test access to your api, I am using httpie:

    http GET 'Authorization: Token your_token_value'

    That's it. From now on, for any API access, you need to include the following value in the HTTP header (pay attention to the whitespaces):

    Authorization: Token your_token_value
  7. (Optional) DRF also provides the ability to return a user's token if you supply the username and password. All you have to do is to include the following in

    from rest_framework.authtoken import views
    urlpatterns = [
        url(r'^api-token-auth/', views.obtain_auth_token),

    Using httpie to verify:

    http POST username='admin' password='whatever'

    In the return body, you should see this:

        "token": "blah_blah_blah"

That's it!

Licensed under: CC-BY-SA with attribution
Not affiliated with: Stack Overflow