Authentication is one of the most important parts of any modern web application.
One of the most popular solutions today is JWT (JSON Web Token).
π€ What is JWT?
JWT (JSON Web Token) is a compact, URL-safe token used to securely transmit information between parties.
A JWT looks like this:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
It consists of three parts:
HEADER.PAYLOAD.SIGNATURE
𧩠JWT Structure
1οΈβ£ Header
Contains token type and signing algorithm.
{
"alg": "HS256",
"typ": "JWT"
}
2οΈβ£ Payload
Contains user data (claims).
{
"id": 42,
"email": "user@example.com"
}
β οΈ Never store passwords or sensitive data in payload
3οΈβ£ Signature
Used to verify the token wasnβt modified.
HMACSHA256(base64UrlHeader + "." + base64UrlPayload, secret)
π How JWT Authentication Works
π οΈ Implementing JWT Auth in Node.js (Express)
π¦ Install Dependencies
npm install express auth-verify
π Generate (signing) JWT on Login
const AuthVerify = require('auth-verify')
const auth = new AuthVerify({
jwtSecret: "SUPER_SECRET" // setting secret for jwt
})
// Generating jwt
auth.jwt.sign({userId: 1, user: "John Doe"}, "1h") // 1h expiration time of jwt
π Login Route Example
const express = require('express')
const app = express()
app.use(express.json())
app.use(express.urlencoded({ extended: true }))
const AuthVerify = require('auth-verify')
const auth = new AuthVerify({ jwtSecret: "SUPER_SECRET" })
app.post('/login', async (req, res)=> {
const { email, password } = req.body
const user = await findUserByEmail(email)
if (!user) return res.status(401).json({ message: 'Invalid credentials' })
const isValid = await auth.crypto.verify(password, user.password)
if (!isValid) return res.status(401).json({ message: 'Invalid credentials' })
const token = await auth.jwt.sign({userId: 1, user: "John Doe"}, "1h")
res.json({ token })
})
𧱠Protecting Routes with JWT Middleware
auth.jwt.protect()
π Protected Route Example
app.get('/profile', auth.jwt.protect(), (req, res)=> {
res.json({
message: 'Welcome!',
user: req.user
})
})
π€ Sending JWT from Client
Authorization: Bearer YOUR_JWT_TOKEN
β οΈ Common JWT Mistakes
π§ When Should You Use JWT?
JWT is great when:
JWT is not ideal when:
π Conclusion
JWT provides a simple, scalable, and stateless way to handle authentication.
When used correctly, itβs powerful and secure.
If youβre building APIs, SPAs, or mobile apps β JWT is worth mastering.
More...
One of the most popular solutions today is JWT (JSON Web Token).
π€ What is JWT?
JWT (JSON Web Token) is a compact, URL-safe token used to securely transmit information between parties.
A JWT looks like this:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
It consists of three parts:
HEADER.PAYLOAD.SIGNATURE
𧩠JWT Structure
1οΈβ£ Header
Contains token type and signing algorithm.
{
"alg": "HS256",
"typ": "JWT"
}
2οΈβ£ Payload
Contains user data (claims).
{
"id": 42,
"email": "user@example.com"
}
β οΈ Never store passwords or sensitive data in payload
3οΈβ£ Signature
Used to verify the token wasnβt modified.
HMACSHA256(base64UrlHeader + "." + base64UrlPayload, secret)
π How JWT Authentication Works
- User logs in with email & password
- Server verifies credentials
- Server generates a JWT
- Client stores JWT (usually in memory or cookie)
- Client sends JWT in Authorization header
- Server verifies JWT on every request
π οΈ Implementing JWT Auth in Node.js (Express)
π¦ Install Dependencies
npm install express auth-verify
π Generate (signing) JWT on Login
const AuthVerify = require('auth-verify')
const auth = new AuthVerify({
jwtSecret: "SUPER_SECRET" // setting secret for jwt
})
// Generating jwt
auth.jwt.sign({userId: 1, user: "John Doe"}, "1h") // 1h expiration time of jwt
π Login Route Example
const express = require('express')
const app = express()
app.use(express.json())
app.use(express.urlencoded({ extended: true }))
const AuthVerify = require('auth-verify')
const auth = new AuthVerify({ jwtSecret: "SUPER_SECRET" })
app.post('/login', async (req, res)=> {
const { email, password } = req.body
const user = await findUserByEmail(email)
if (!user) return res.status(401).json({ message: 'Invalid credentials' })
const isValid = await auth.crypto.verify(password, user.password)
if (!isValid) return res.status(401).json({ message: 'Invalid credentials' })
const token = await auth.jwt.sign({userId: 1, user: "John Doe"}, "1h")
res.json({ token })
})
𧱠Protecting Routes with JWT Middleware
auth.jwt.protect()
π Protected Route Example
app.get('/profile', auth.jwt.protect(), (req, res)=> {
res.json({
message: 'Welcome!',
user: req.user
})
})
π€ Sending JWT from Client
Authorization: Bearer YOUR_JWT_TOKEN
β οΈ Common JWT Mistakes
- β Storing JWT in localStorage (XSS risk)
- β Putting sensitive data inside payload
- β No token expiration
- β Using weak secrets
- β Use HTTP-only cookies if possible
- β Always set expiresIn
- β Rotate secrets in production
π§ When Should You Use JWT?
JWT is great when:
- You have stateless APIs
- You use microservices
- You need mobile or SPA authentication
JWT is not ideal when:
- You need instant logout everywhere
- You need heavy session control
π Conclusion
JWT provides a simple, scalable, and stateless way to handle authentication.
When used correctly, itβs powerful and secure.
If youβre building APIs, SPAs, or mobile apps β JWT is worth mastering.
More...