Recently, I have been working on a few projects that rely on users being able to authenticate against an API. I couldn't use session cookies due to the API host and client being on separate hostnames. I decided to go with using JWTs due to the fact that they were able to be signed and verified on the server.

This meant that I was able to generate access tokens without storing them on the server, they would simply be sent to the client and verified on the server.

Start by installing the required NPM libraries (this assumes an Express app has already been setup)

#install express-jwt, jsonwebtoken
npm i --save express-jwt jsonwebtoken
install express-jwt, jsonwebtoken
var expressjwt = require('express-jwt');
var jwt = require('jsonwebtoken');
import the libraries to index.js (or file where routes are defined)

JWTs are able to be verified using a secret string that stays on the server. I have found RandomKeygen to be a good source for generating secrets to be used in production. I used a 256-bit CodeIgniter encryption key. You'll need to define the secret in your app file (preferably using an environment variable) and add the middleware to the routes you want to protect. An example is below, it responds to GET requests on /jwt-test and checks to see if a valid JWT was provided.

let jwt_secret = process.env.JWT_SECRET || "staging";

app.get("/jwt-test", expressjwt({ secret: jwt_secret, algorithms: ['HS256'] }), async (req, res) => {
    if (req.user) {
        res.send("Howdy do!");
    } else {
        res.status(401).send("unauthorized :(");

Often times, you will find the need to generate (or sign) a JWT and send it to the client.

const jwt_string = jwt.sign({
    exp: Math.floor( / 1000) + (60 * 60 * 1),
    data: {
        test: "Signed data!"
}, jwt_secret);