# django-oauth-toolkit

> OAuth2 Provider for Django

- **URL**: https://www.freshcrate.ai/projects/django-oauth-toolkit
- **Author**: Federico Frenguelli
- **Category**: Security
- **Latest version**: `3.2.0` (2026-04-21)
- **License**: non-standard
- **Source**: https://github.com/django-oauth/django-oauth-toolkit
- **Homepage**: https://pypi.org/project/django-oauth-toolkit/
- **Language**: Python
- **GitHub**: 3,320 stars, 840 forks
- **Registry**: pypi (`django-oauth-toolkit`)
- **Tags**: `django`, `oauth`, `oauth2`, `oauthlib`, `pypi`

## Description

Django OAuth Toolkit
====================

*OAuth2 goodies for the Djangonauts!*

If you are facing one or more of the following:

* Your Django app exposes a web API you want to protect with OAuth2 authentication,
* You need to implement an OAuth2 authorization server to provide token management for your infrastructure,

Django OAuth Toolkit can help by providing, out of the box, all the endpoints, data and logic needed to add OAuth2
capabilities to your Django projects. Django OAuth Toolkit makes extensive use of the excellent
`OAuthLib <https://github.com/idan/oauthlib>`_, so that everything is
`rfc-compliant <https://rfc-editor.org/rfc/rfc6749.html>`_.

Reporting security issues
-------------------------

Please report any security issues to the Django OAuth security team at <django-oauth-security@googlegroups.com>. Do not file an issue on the tracker.

Requirements
------------

* Python 3.8, 3.9, 3.10, 3.11, 3.12, 3.13 or 3.14
* Django 4.2, 5.0, 5.1 or 5.2
* oauthlib 3.2.2+

Installation
------------

Install with pip::

    pip install django-oauth-toolkit

Add ``oauth2_provider`` to your ``INSTALLED_APPS``:

.. code-block:: python

    INSTALLED_APPS = (
        ...
        'oauth2_provider',
    )


If you need an OAuth2 provider you'll want to add the following to your ``urls.py``.

.. code-block:: python

    # path() and include() come from django.urls
    from django.urls import include, path
    from oauth2_provider import urls as oauth2_urls

    urlpatterns = [
        ...
        path('o/', include(oauth2_urls)),
    ]

Changelog
---------

See `CHANGELOG.md <https://github.com/django-oauth/django-oauth-toolkit/blob/master/CHANGELOG.md>`_.


Documentation
--------------

The `full documentation <https://django-oauth-toolkit.readthedocs.io/>`_ is on *Read the Docs*.

License
-------

django-oauth-toolkit is released under the terms of the **BSD license**. Full details in ``LICENSE`` file.

Help Wanted
-----------

We need help maintaining and enhancing django-oauth-toolkit (DOT).

Join the team
~~~~~~~~~~~~~

There are no barriers to participation. Anyone can open an issue or PR, or review a pull request. Please
dive in!

How you can help
~~~~~~~~~~~~~~~~

See our
`contributing <https://django-oauth-toolkit.readthedocs.io/en/latest/contributing.html>`__
info and the open
`issues <https://github.com/django-oauth/django-oauth-toolkit/issues>`__ and
`PRs <https://github.com/django-oauth/django-oauth-toolkit/pulls>`__,
especially those labeled
`help-wanted <https://github.com/django-oauth/django-oauth-toolkit/labels/help-wanted>`__.

Discussions
~~~~~~~~~~~
Have questions or want to discuss the project?
See `the discussions <https://github.com/django-oauth/django-oauth-toolkit/discussions>`__.


Submit PRs and Perform Reviews
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

PR submissions and reviews are always appreciated! Since we require an
independent review of any PR before it can be merged, having your second
set of eyes looking at PRs is extremely valuable.


Become a Maintainer
~~~~~~~~~~~~~~~~~~~~~

If you are interested in stepping up to be a Maintainer, please open an issue. For maintainers we're
looking for a positive attitude, attentiveness to the specifications, strong coding and
communication skills, and a willingness to work with others. Maintainers are responsible for
merging pull requests, managing issues, creating releases, and ensuring the overall health of the
project.

## Recent releases

| Version | Date | Urgency | Changes |
| --- | --- | --- | --- |
| `3.2.0` | 2026-04-21 | Low | Imported from PyPI (3.2.0) |
| `3.1.0` | 2025-11-02 | Low | **NOTE**: This is the first release under the new [django-oauth](https://github.com/django-oauth) organization. The project moved in order to be more independent and to bypass quota limits on parallel CI jobs we were encountering in Jazzband. The project will emulate Django Commons going forward in its operation. We're always on the lookout for willing maintainers and contributors. Feel free to start participating any time. PRs are always welcome.  ### Added * #1506 Support for Wildcard Origin |
| `3.0.1` | 2024-09-07 | Low | bugfix #1491 Fix migration error when there are pre-existing Access Tokens. |
| `3.0.0` | 2024-09-06 | Low | ## Release 3.0.0  ### WARNING - POTENTIAL BREAKING CHANGES * Changes to the `AbstractAccessToken` model require doing a `manage.py migrate` after upgrading. * If you use swappable models you will need to make sure your custom models are also updated (usually `m |
| `2.4.0` | 2024-05-20 | Low | ## [2.4.0] - 2024-05-13  ### WARNING Issues caused by **Release 2.0.0 breaking changes** continue to be logged. Please **make sure to carefully read these release notes** before performing a MAJOR upgrade to 2.x.  These issues both result in `{"error": "invalid_client"}`:  1. The application client secret is now hashed upon save. You must copy it before it is saved. Using the hashed value will fail.  2. `PKCE_REQUIRED` is now `True` by default. You should use PKCE with your client or s |
| `2.3.0` | 2023-05-31 | Low | ## [2.3.0] 2023-05-31  ### WARNING  Issues caused by **Release 2.0.0 breaking changes** continue to be logged. Please **make sure to carefully read these release notes** before performing a MAJOR upgrade to 2.x.  These issues both result in `{"error": "invalid_client"}`:  1. The application client secret is now hashed upon save. You must copy it before it is saved. Using the hashed value will fail.  2. `PKCE_REQUIRED` is now `True` by default. You should use PKCE with your client or s |
| `2.2.0` | 2022-10-18 | Low | ## [2.2.0] 2022-10-18  ### WARNING  Issues caused by **Release 2.0.0 breaking changes** continue to be logged. Please **make sure to carefully read these release notes** before performing a MAJOR upgrade to 2.x.  These issues both result in `{"error": "invalid_client"}`:  1. The application client secret is now hashed upon save. You must copy it before it is saved. Using the hashed value will fail.  2. `PKCE_REQUIRED` is now `True` by default. You should use PKCE with your client or s |
| `2.1.0` | 2022-06-23 | Low | ### WARNING  Issues caused by **Release 2.0.0 breaking changes** continue to be logged. Please **make sure to carefully read these release notes** before performing a MAJOR upgrade to 2.x.  These issues both result in `{"error": "invalid_client"}`:  1. The application client secret is now hashed upon save. You must copy it before it is saved. Using the hashed value will fail.  2. `PKCE_REQUIRED` is now `True` by default. You should use PKCE with your client or set `PKCE_REQUIRED=False` |
| `2.0.0` | 2022-04-24 | Low | ## What's Changed * WIP: Hash application client secrets using Django password hashing by @n2ygk in https://github.com/jazzband/django-oauth-toolkit/pull/1093 * OIDC: Add "scopes_supported" to openid-configuration. by @n2ygk in https://github.com/jazzband/django-oauth-toolkit/pull/1106 * OIDC: Standard scopes to determine which claims are returned by @n2ygk in https://github.com/jazzband/django-oauth-toolkit/pull/1108 * Prevent the tests/migrations directory from getting packaged by @brianhe |
| `1.7.0` | 2022-01-23 | Low | ## [1.7.0] 2022-01-23  ### Added * #969 Add batching of expired token deletions in `cleartokens` management command and `models.clear_expired()` to improve performance for removal of large numbers of expired tokens. Configure with [`CLEAR_EXPIRED_TOKENS_BATCH_SIZE`](https://django-oauth-toolkit.readthedocs.io/en/latest/settings.html#clear-expired-tokens-batch-size) and [`CLEAR_EXPIRED_TOKENS_BATCH_INTERVAL`](https://django-oauth-toolkit.readthedocs.io/en/latest/settings.html#clear-exp |

## Citation

- HTML: https://www.freshcrate.ai/projects/django-oauth-toolkit
- Markdown: https://www.freshcrate.ai/projects/django-oauth-toolkit.md
- Dependencies JSON: https://www.freshcrate.ai/api/projects/django-oauth-toolkit/deps

_Generated by freshcrate.ai. Indexes pypi releases for AI-agent ecosystem packages._
