JWT Authentication in Express

JWT authentication is a stateless way to prove who a user is: the server signs a token at login, the client sends it back on every request, and a middleware verifies the signature before letting the request reach a protected route.

Learn JWT Authentication in Express in our free Node.js course — a beginner-friendly interactive lesson with worked examples, a practice exercise and a quick…

Part of the free Node.js course at LearnCodingFast — hands-on lessons with examples you run in your browser, plus practice exercises and a quick quiz.

In this lesson you'll sign and verify tokens with jsonwebtoken, hash passwords with bcrypt, build a reusable auth middleware that reads the Bearer header, protect routes, and understand expiry and refresh tokens — the exact pattern real Express APIs use to lock things down.

What You'll Learn in This Lesson

1️⃣ Signing & Verifying Tokens

Authentication with JWTs comes down to two functions. jwt.sign(payload, secret, options) takes the data you trust (a user id, a role), bundles it with a header and an expiry, and produces a signed string. jwt.verify(token, secret) does the reverse: it checks the signature against your secret and the expiry, and either returns the decoded payload or throws.

The magic is the signature . Because it's computed from the payload and your secret, nobody can change the payload (say, bump their role to admin ) without invalidating the token. That's why JWTs are stateless — the server doesn't store sessions; it just re-checks the signature on every request.

2️⃣ Hashing Passwords with bcrypt

Before you can issue a token at login, you have to verify the password — and you must never store passwords in plain text. bcrypt turns a password into a slow, salted hash. You store the hash, and at login you call bcrypt.compare(candidate, storedHash) , which returns true or false .

The second argument to hash is the cost factor . A value of 10 means bcrypt does 2¹⁰ rounds of work — slow enough to make brute-forcing painful, fast enough for a login. Notice the wrong password returns false without you ever decrypting anything.

3️⃣ Login + an Auth Middleware

Now put it together. A login function checks credentials and signs a token. An auth middleware runs before protected routes: it reads the Authorization: Bearer <token> header, verifies the token, and attaches the decoded claims to the request. The runnable version below uses plain objects so you can see the logic without a server.

Here's the same idea wired into a real Express app, with registration, login, a reusable requireAuth middleware, and a protected /me route. This is the shape you'll copy into your own projects:

Tokens don't last forever, and that's the point. expiresIn stamps an expiry into the token; once it passes, verify throws a TokenExpiredError . A token signed with the wrong secret throws invalid signature . Short-lived access tokens limit the damage of a stolen one — and a longer-lived refresh token lets the client quietly get a fresh access token without re-entering a password.

Your turn. Fill in the two ___ blanks, follow the 👉 hints, then run it.

No blanks this time — just a brief and an outline. Write it yourself, run it, and check your output against the example in the comments. This ties together signing, the Bearer header, and verification in one short program.

📋 Quick Reference — JWT & bcrypt

Practice quiz

• Browse all free courses
• Cheat sheets & quizzes
• Coding dictionary