Globus SDK TokenStorage

A Globus SDK contrib module providing simple token storage.

Basic Usage

Install with pip install globus-sdk-tokenstorage

You can then import helpers from globus_sdk_tokenstorage. For example:

import os
import globus_sdk
from globus_sdk_tokenstorage import SimpleJSONFileAdapter

my_file_adapter = SimpleJSONFileAdapter(

if not my_file_adapter.file_exists():
    # ... do a login low, getting back initial tokens
    # elided for simplicity here
    token_response = ...
    # now store the tokens, and pull out the tokens for the
    # resource server we want
    by_rs = token_response.by_resource_server
    tokens = by_rs['']
    # otherwise, we already did this whole song-and-dance, so just
    # load the tokens from that file
    tokens = my_file_adapter.read_as_dict()

# RereshTokenAuthorizer and ClientCredentialsAuthorizer both use
# `on_refresh` callbacks
# this feature is therefore only relevant for those auth types
# auth_client is the internal auth client used for refreshes,
# and which was used in the login flow
# note that this is all normal SDK usage wherein my_file_adapter
# is providing the on_refresh callback
auth_client = ...
authorizer = globus_sdk.RefreshTokenAuthorizer(
    tokens['refresh_token'], auth_client,
    tokens['access_token'], tokens['access_token_expires'],

# or, for client credentials
authorizer = globus_sdk.ClientCredentialsAuthorizer(
    auth_client, [''],

# and then use as normal, tada!
tc = globus_sdk.TransferClient(authorizer=authorizer)

Full Library Contents

class globus_sdk_tokenstorage.abstract_base.AbstractStorageAdapter

Bases: object


By default, the on_refresh handler for a token storage adapter simply stores the token response.

class globus_sdk_tokenstorage.file_adapters.AbstractFileAdapter

Bases: globus_sdk_tokenstorage.abstract_base.AbstractStorageAdapter

File adapters are for single-user cases, where we can assume that there’s a simple file-per-user and users are only ever attempting to read their own files.


Check if the file used by this file storage adapter exists.

class globus_sdk_tokenstorage.SimpleJSONFileAdapter(filename, resource_server=None, scopes=None)

Bases: globus_sdk_tokenstorage.file_adapters.AbstractFileAdapter

  • filename – the name of the file to write to and read from
  • resource_server – the resource server name for tokens to look up in a token response object
  • scopes – a list of scope names for tokens to look up in a token response object

A storage adapter for storing tokens in JSON files. Callers must provide exactly one of resource_server and scopes


Load the config file contents as JSON and return the resulting dict object.

Although the whole token response is passed in for, this will only return the token data for the particular scopes or resource server for which this File Adapter is configured.


By default, self.on_refresh is just an alias for this function.

Given a token response, extract the token data for the configured scopes or resource servers of this file adapter and write it to self.filename as JSON data. Additionally will write the version of globus_sdk_tokenstorage which was in use.

Under the assumption that this may be running on a system with multiple local users, this sets the umask such that only the owner of the resulting file can read or write it.

class globus_sdk_tokenstorage.SQLiteAdapter(dbname, namespace='DEFAULT')

Bases: globus_sdk_tokenstorage.abstract_base.AbstractStorageAdapter

  • dbname – the name of the DB file to write to and read from
  • namespace – A “namespace” to use within the database. All operations will be performed indexed under this string, so that multiple distinct sets of tokens may be stored in the database. You might use usernames as the namespace to implement a multi-user system, or profile names to allow multiple Globus accounts to be used by a single user.

A storage adapter for storing tokens in sqlite databases.

SQLite adapters are for more complex cases, where there may be multiple users or “profiles” in play, and additionally a dynamic set of resource servers which need to be stored in an extensible way.

The namespace is a user-supplied way of partitioning data, and any token responses passed to the storage adapter are broken apart and stored indexed by resource_server. If you have a more complex use-case in which this scheme will be insufficient, you should encode that in your choice of namespace values.


Load the token data JSON and return the resulting dict objects, indexed by resource server. This should look identical to an OAuthTokenResponse.by_resource_server in format and content. (But it is not attached to a token response object.)

Parameters:config_name – A string name for the configuration value

Load a config dict under the current namespace in the config table. If no value is found, returns None


By default, self.on_refresh is just an alias for this function.

Given a token response, extract the token data for the resource servers and write it to self.dbname, stored under the adapter’s namespace

store_config(config_name, config_dict)
  • config_name – A string name for the configuration value
  • config_dict – A dict of config which will be stored serialized as JSON

Store a config dict under the current namespace in the config table. Allows arbitrary configuration data to be namespaced under the namespace, so that application config may be associated with the stored tokens.

Uses sqlite “REPLACE” to perform the operation.