// the find
iMerica/dj-rest-auth
Authentication for Django Rest Framework
dj-rest-auth is a drop-in auth layer for Django REST Framework, covering login/logout, password reset, JWT with HTTP-only cookies, MFA via TOTP, and passkey/WebAuthn authentication. It's the practical successor to the abandoned django-rest-auth package, actively maintained and supporting Django 4.2–6.0. If you're building a Django API that needs auth and don't want to wire it all together yourself, this is the obvious starting point.
The JWT-with-HTTP-only-cookie setup is done right — access and refresh tokens in separate cookies, httpOnly by default, which is exactly what you want for SPAs without exposing tokens to JavaScript. MFA and passkeys are opt-in sub-packages rather than bolted onto core, so you pay no complexity cost if you don't use them. The serializer override pattern is straightforward — subclass and point a setting at your class, which is the correct way to handle customization in DRF land. Django 4.2 through 6.0 support with Python 3.10–3.14 means you won't be blocked on a version upgrade.
It still depends on django-allauth for registration and social auth, which is a heavy dependency that brings its own opinions about models, adapters, and signal handling — expect friction if you have a custom user model or non-standard registration flow. Token blacklisting on logout requires simplejwt's blacklist app with its own migrations, and the docs undersell how easy it is to ship a 'logout' endpoint that doesn't actually invalidate the token server-side. Social auth configuration is allauth-first, so you'll be reading two sets of docs simultaneously. Star count (1.8k) is modest for a core auth library, which means the community surface area for finding StackOverflow answers is smaller than django-allauth or DRF itself.