Security is the primary concern when it comes to building modern backend applications. Whether a project is being worked on on the side or whether it is a full-fledged production app, endpoints must be blocked from unauthorized access. And that is why JWT authentication in Node.js will come in handy.
In this article, we will learn how to protect an API with JWT in Node.js, accompanied with all the code examples. The segment will also include token generation with jsonwebtoken, middleware protection, and token validation to have a secure, yet professional REST API.
What is JWT and Why Use It?
JWT (JSON Web Token) is a compact, self-contained token format used for securely transmitting information between a client and a server. What is more, it is stateless, meaning that no session is tracked on the server side.
JWT consists of three parts:
- Header- contains token type (JWT) and signing algorithm (HS256).
- Payload- contains claims (user id, role, etc.).
- Signature- is created through the header and payload encoded with a secret key.
All the above will validate the integrity of the token on every request, thus making Jwt authentication in Node js a power package.
Tools You’ll Use
- Node.js & Express.js for the REST API
- bcryptjs for password hashing
- jsonwebtoken for handling JWTs
- dotenv to store secrets
- Postman for API testing
Step 1: Install Required Packages
npm init -y
npm install express bcryptjs jsonwebtoken dotenv
This setup will allow you to build a secure REST API in Node.js from scratch.
Step 2: Set Up Express Server
const express = require(‘express’);
const app = express();
require(‘dotenv’).config();
app.use(express.json());
const PORT = process.env.PORT || 3000;
app.listen(PORT, () => console.log(`Server running on ${PORT}`));
Step 3: Add Signup and Login Routes
We’ll use an in-memory array users[] for simplicity.
Signup Route
const bcrypt = require(‘bcryptjs’);
const users = [];
app.post(‘/signup’, async (req, res) => {
const { username, password } = req.body;
const hashed = await bcrypt.hash(password, 10);
users.push({ username, password: hashed });
res.status(201).send(“User registered”);
});
Login Route with JWT Token
const jwt = require(‘jsonwebtoken’);
app.post(‘/login’, async (req, res) => {
const { username, password } = req.body;
const user = users.find(u => u.username === username);
if (!user || !(await bcrypt.compare(password, user.password))) {
return res.status(401).send(‘Invalid credentials’);
}
const token = jwt.sign({ username }, process.env.JWT_SECRET, { expiresIn: ‘1h’ });
res.json({ token });
});
Step 4: Protect Routes with JWT Middleware
function authenticateToken(req, res, next) {
const authHeader = req.headers[‘authorization’];
const token = authHeader && authHeader.split(‘ ‘)[1];
if (!token) return res.sendStatus(401);
jwt.verify(token, process.env.JWT_SECRET, (err, user) => {
if (err) return res.sendStatus(403);
req.user = user;
next();
});
}
Use it on protected routes:
app.get(‘/dashboard’, authenticateToken, (req, res) => {
res.send(`Welcome ${req.user.username}, to your secure dashboard.`);
});
Refresh Tokens and Logout Strategy
Access tokens ought to be short-lived in production (15 to 30-minute expiration) while refresh tokens remain long-lived (for instance, 7 days). This two-token scheme augments security further.
A possible sample logic for a refresh token looks like this:
- Store access token in memory or localStorage
- Store refresh token in HttpOnly cookie
- When access token expires, call /refresh to get a new one
Additionally, on logout, you can blacklist the tokens you stored in Redis or a database.
Common Use Cases of JWT in Production
- Single Page Apps (SPAs) like React, Vue
- Mobile Apps (Flutter, React Native)
- Microservices with centralized authentication
- 3rd-party integrations using Bearer tokens
Test Everything Using Postman
Use Postman to:
- Send POST /signup to register
- POST /login to receive JWT
- Add Authorization: Bearer <token> header in GET /dashboard
This step verifies that your Node.js API authentication is secure.
Best Practices
- Use HTTPS to avoid token leakage.
- Set HttpOnly and Secure flags on cookies (if using cookies).
- Implement token expiration and refresh logic.
- Limit JWT payload – don’t store sensitive data like passwords.
Use environment variables (.env) for your JWT secret.
Bonus Tip: Handle Token Expiry Gracefully
From the frontend, detect the expiry of the token and automatically redirect to login or call the refresh endpoint. It provides a smooth user experience without unnecessarily exposing the app to re-login.
Final Summary
You’ve now built a full JWT authentication Node.js workflow. Let’s recap:
- What are JWTs, and why are they secure?
- How to issue and verify tokens with jsonwebtoken?
- How to protect routes with Express JWT authentication?
- Best practices to secure a REST API in Node.js
- Use cases and integration tips
If you’re building SaaS, a mobile backend, or a freelance project, this knowledge will give you confidence in securing any API.
