In addition to the above - you don't show how you are getting the token and ensuring that it is passed as part of the request. As the Flask-Security documentation suggests, if this is a normal browser-based application, it is simpler and more secure to use session-based authentication (using the session cookie) and to use @auth_required().