Update 5/11/2016: Trying to build authentication in Flask? Check out our new article: Flask Auth in One Line of Code!

Flask App Tutorial in 30 minutes

Flask is an awesome web framework for Python. It’s minimal, it’s simple, and best of all: easy to learn.

Today I’m going to walk you through a tutorial for building your very first Flask web app! Just like the official Flask tutorial, you’ll be building your very own micro blog: Flaskr. Unlike the official Flask tutorial – you’ll be speeding things up by using Stormpath to create and manage user accounts and data. This will dramatically speed up the development process!

Let’s get right to it.

NOTE: This tutorial is meant for new Flask developers, to help give them an understanding of how to build a simple website with Flask and Stormpath. This is a modified version of the official Flask tutorial.

Python Flaskr App Tutorial Goals

  • Let a user sign in and out of the micro blog using a previously generated user account (which will be stored by Stormpath).
  • Let a logged in user add new entries to a page consisting of a text-only title, and some HTML body text. This HTML won’t be sanitized, as this user is trusted.
  • Display all blog entries on the main page of the site, in reverse chronological order (newest on top).

The final site should look like this:

Flaskr App Example


Before continuing, we’ll need to install several Python packages to make things work! We’ll do this via pip – the Python package manager.

The above command will install two packages: Flask, and Flask-Stormpath, which will both be used through this tutorial.

Next, you need to create a Stormpath account. You can do so by signing up on the Stormpath website.

Once you’ve created a Stormpath account, and logged into it, you’ll also need to create an API key. You can do this by clicking the Create API Key button on the dashboard page.

When you create an API key, you will be prompted to download a file named apiKey.properties. We’ll use this later.

NOTE: Do not check the apiKey.properties file into your version control system (if you’re using one)! This file holds your Stormpath credentials, so it should be kept safe.

Next, you’ll want to create a new Stormpath application by visiting the Applications page, then clicking Register Application. Create a new app named flaskr, with the default options selected.

Lastly, visit the Accounts page and create a new user account in: flaskr Directory. Any account created here can be used to log into the micro blog you’re about to build.

Directory Structure

The first thing you need to do is create a directory structure to hold your application code. You’ll need to generate several directories, and move your apiKey.properites file into the new project directory:

The flaskr folder will be the root of your application. The static folder will hold all of your static assets (css, javascript, and images). The templates folder will hold your Jinja templates, which render HTML.

App Setup

Now that you’ve got the directory structure figured out let’s configure the Flask app!

Firstly, create a new file in your flaskr folder named flaskr.py. This is where you’ll put your application code.

Here’s what you’ll start with:

There are a few things to note here:

  • You’re importing several libraries at the top of the flaskr.py file — these will be used down below, through the rest of the tutorial.
  • You’re creating an app object — this is the core of every Flask project.
  • You’re adding several configuration variables to app.config. app.config is a Python dictionary that allows you to store whatever custom settings you’d like. Here, we’re setting several important variables for usage later on:
    • The DEBUG variable can be set to True or False. This controls Flask’s built in error reporting behavior (it makes Flask display verbose error messages while in development mode).
    • The SECRET_KEY variable is used internally to help keep client-side sessions secure. Make sure this is a long, randomly generated string when deploying a real Flask app.
    • The STORMPATH_API_KEY_FILE variable should point to the location of your apiKey.properties file. For more advanced information, see: http://flask-stormpath.readthedocs.io/en/latest/setup.html
    • The STORMPATH_APPLICATION variable should be the name of your Stormpath application, which you created previously.
    • You’re creating a stormpath_manager object. This controls the Stormpath library and allows you to interact easily with users and user data later on.
    • You’re calling app.run() at the bottom. This tells Flask to run your site in development mode for testing.

If you now run the following, you’ll see your Flask app start running on port 5000:

If you visit, however, you’ll get a 404 not found message. This is because we haven’t yet defined any views or URL routes!


Now that you’ve got the setup part finished let’s define the views. This code should go inside the flaskr.py file, above the:


Here’s the code:

Let’s discuss the code above.

You’ll notice the first function defined is show_posts. This function is what displays blog posts on the front page of the site. As you might have guessed, the decorator, @app.route('/'), is what tells Flask how to run this function.

Each time a user requests the URL /, Flask will run the show_posts function and return the output to the user.

The show_posts function works simply:

  • It iterates over all user accounts, looking for posts. Each post is a simple Python dictionary of the form:

  • If a post is found, it is added to the posts array.
  • It sorts the posts array by date so that newest posts are in front.
  • It renders an HTML template named show_posts.html, passing in the posts array as input.

The add_posts view allows logged in users to add new posts to the site. This view introduces several new things:

  • The @app.route('/add', methods=['POST']) decorator tells Flask to only allow HTTP POST requests on the given URL. By default, Flask only allows GET requests.
  • The @login_required decorator ensures users are logged in before allowing them access to this view. If a user isn’t logged in and tries POST’ing to the view, they’ll get an HTTP 401 UNAUTHORIZED response.
  • Any view decorated with the @login_required decorator can access the user variable. This is an object that holds the user’s account details.

The way it works is simple:

  • It checks to see if this user has any posts stored in their account yet. This is done by checking to see if user.custom_data.get('posts') is not False. user.custom_data is a Python dictionary that allows you to store any data you’d like into this user’s account.
  • It grabs the title and text fields from the POST request and creates a new post object in the user’s posts array.
  • It saves this new post to Stormpath on this user’s account.
  • It flashes a message to be displayed to the user later on.
  • Lastly, it redirects the user to the show_posts view so the newly added post can be displayed.
  • The login and logout views are especially simple.

The login view simply grabs an email address and password from the user’s POST request, then attempts to log the user in by grabbing the user object from Stormpath, and creating a local session.

The logout view just destroys the user’s session.


The next thing that needs to be added is the template code. Flask uses the Jinja template language, which makes writing HTML templates very easy.

Let’s start by defining a layout template, templates/layout.html. This base template will be the parent of all the other templates we write. This strategy is often useful, as it allows you to define a good amount of boilerplate template code in a single place.

Add the following code to your layout.html template file:

Next is the templates/show_posts.html file:

And lastly, here’s the templates/login.html template:

The first thing to note is that the layout.html template defines a body block. This can be replaced by a block of the same name in any child template. The layout.html template displays a login or logout template, and also displays any flashed messages.

Because you’re using Flask-Stormpath, all templates have access to a magical user variable. If a user is logged in, the user’s details will be available (hence the {% if user.email %} checks).

The show_posts.html template iterates over the posts array that was passed into the render_template call in the show_posts view. Jinja allows you to loop over any iterable with the for statement.

It’s also important to note that in order to output variable contents, you need to surround the variable by squiggly braces:

Since we’ve decided to allow users to input arbitrary HTML in their blog posts, we’re outputting the body of the post using the safe template filter:

By default, Jinja will automatically escape any special characters, so we need to use the safe filter to actually display any user-inputted HTML / Javascript.

Adding Style

The last thing to do is create a static/style.css file with the following contents:

This file is loaded by the layout.html template, and provides some decent styling.

Testing it Out

Now that we’ve gone over the application code let’s take a look at the final product!

To run your shiny new site, you’ll want to first start up your Flask web server again by running:

Then visit in your browser. You should now see the flaskr site running, and be able to log in using a Stormpath account, create posts, etc.!

Below is a video of the site running — check it out 🙂

Any questions? Feel free to shoot us an email! We’re happy to help: [email protected]