2 files changed, 64 insertions, 0 deletions

diff --git a/docs/fernet.rst b/docs/fernet.rst
new file mode 100644
index 00000000..241bf1ea
--- /dev/null
+++ b/docs/fernet.rst
@@ -0,0 +1,63 @@
+Fernet
+======
+
+.. currentmodule:: cryptography.fernet
+
+`Fernet`_ is an implementation of symmetric (also known as "secret key")
+authenticated cryptography. Fernet provides guarantees that a message encrypted
+using it cannot be manipulated or read without the key.
+
+.. class:: Fernet(key)
+
+    This class provides both encryption and decryption facilities.
+
+    .. doctest::
+
+        >>> from cryptography.fernet import Fernet
+        >>> key = Fernet.generate_key()
+        >>> f = Fernet(key)
+        >>> ciphertext = f.encrypt(b"my deep dark secret")
+        >>> ciphertext
+        '...'
+        >>> f.decrypt(ciphertext)
+        'my deep dark secret'
+
+    :param bytes key: A URL-safe base64-encoded 32-byte key. This **must** be
+                      kept secret. Anyone with this key is able to create and
+                      read messages.
+
+    .. classmethod:: generate_key()
+
+        Generates a fresh fernet key. Keep this some place safe! If you lose it
+        you'll no longer be able to decrypt messages; if anyone else gains
+        access to it, they'll be able to decrypt all of your messages.
+
+    .. method:: encrypt(plaintext)
+
+        :param bytes plaintext: The message you would like to encrypt.
+        :returns bytes: A secure message which cannot be read or altered
+                        without the key. It is URL-safe base64-encoded.
+
+    .. method:: decrypt(ciphertext, ttl=None)
+
+        :param bytes ciphertext: An encrypted message.
+        :param int ttl: Optionally, the number of seconds old a message may be
+                        for it to be valid. If the message is older than
+                        ``ttl`` seconds (from the time it was originally
+                        created) an exception will be raised. If ``ttl`` is not
+                        provided (or is ``None``), the age of the message is
+                        not considered.
+        :returns bytes: The original plaintext.
+        :raises InvalidToken: If the ``ciphertext`` is in any way invalid, this
+                              exception is raised. A ciphertext may be invalid
+                              for a number of reasons: it is older than the
+                              ``ttl``, it is malformed, or it does not have a
+                              valid signature.
+
+
+.. class:: InvalidToken
+
+    See :meth:`Fernet.decrypt` for more information.
+
+
+.. _`Fernet`: https://github.com/fernet/spec/
diff --git a/docs/index.rst b/docs/index.rst
index 776c9d37..ab5d1593 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -39,6 +39,7 @@ Contents
 .. toctree::
     :maxdepth: 2
 
+    fernet
     architecture
     exceptions
     glossary