Using Django Access Tokens for Sending Unique Email Links

by Applied Informatics

Important aspects of Django Access tokens

Secure access tokens that grant permissions at the level of model instances, models, apps, or globally.
Expire access tokens after a given age.
Generate more compact access tokens by including ‘django.contrib.auth’ and ‘django.contrib.contenttypes’ in your project.


Run pip install django-access-tokens.
Add ‘access_tokens’ to your INSTALLED_APPS setting.
Optionally, ad ‘django.contrib.auth’ and ‘django.contrib.contenttypes’ for more compact access tokens.

Generating tokens
first import the necessary files
from access_tokens import tokens

Now tokens can be generated as follows:

tokens.generate(scope=(), key=None, salt=None)

now Add value to key and salt.
example how generating a token and using it for creating unique email link:

def send_review_mail(self):
token = tokens.generate(scope=(), key="some value", salt="None")
message = render_to_string('email_to.html',{'token': token})
msg = EmailMessage('Subject here',
'Here is the message.',
msg.content_subtype = "html"

Also remember to include :
from django.core.mail import send_mail

Validating tokens

Tokens can be validated as follows:

tokens.validate(token, scope=(), key=None, salt=None, max_age=None)

Example of token validation:
Here we are validating the token by supplying the same values to key and salt which we gave it while generating the token.
here is the function to validate the token

def validate_token(function):
def wrap(request, *args, **kwargs):
token = kwargs.get('token')
case_id = kwargs.get('case_id')
validate = tokens.validate(token, scope=(), key=case_id, salt=settings.TOKEN_SALT, max_age=None)
if validate:
return function(request, *args, **kwargs)
raise Http404
return wrap

Things to consider when validating tokens:

Tokens, by default, never expire, but you can force an expiry by passing a max_age argument to tokens.validate.
Token validation should only raise an exception if the code used to generate it was faulty. A bad signature on an access token, or an expired max_age, will not raise an exception, but will instead simply fail validation and return False.


django-access-tokens generates access tokens by serializing a representation of the granted permissions and then signing it using django.core.signing. As such, it uses the latest cryptographic techniques developed by the core Django team, and will stay up-to-date as you upgrade Django.

In order for django-access-tokens to work, it is important that you keep the secret key used to generate the tokens a secret. By default, tokens are generated using settings.SECRET_KEY. If you ever believe that your secret key has been compromised, change it immediately. Changing your secret key will also immediately invalidate all access tokens generated from it.

By using Django access token we can integrate it with email functionality to create a unique link to provide access to different modules of a web application to different users

Leave a Reply

Your email address will not be published. Required fields are marked *

Tools & Practices

Tools and Technologies we use at Applied

Contact us now

Popular Posts