How to Use JWT in Node.js (Express Authentication Step-by-Step Guide)

Introduction

JWT (JSON Web Token) is one of the most popular methods for handling authentication in modern web applications, especially in Node.js and Express.

If you're building APIs, SaaS products, or full-stack applications, understanding how to implement JWT authentication is essential.

In this guide, you will learn:

• How JWT authentication works in Node.js
• How to generate and verify tokens
• How to build secure authentication middleware
• Best practices for production-ready apps

👉 You can decode and test your tokens here: https://www.mydevtoolhub.com/tools/jwt-decoder

What is JWT Authentication?

JWT authentication is a stateless authentication mechanism.

Instead of storing sessions on the server:

• The server generates a token
• The client stores it
• The client sends it with every request

Project Setup

Step 1: Initialize Project

npm init -y
npm install express jsonwebtoken dotenv

Step 2: Basic Server Setup

const express = require('express');
const jwt = require('jsonwebtoken');
require('dotenv').config();

const app = express();
app.use(express.json());

Step 1: Create Login Route (Generate JWT)

app.post('/login', (req, res) => {
  const { username } = req.body;

  const user = { name: username };

  const accessToken = jwt.sign(user, process.env.JWT_SECRET, {
    expiresIn: '15m'
  });

  res.json({ accessToken });
});

Explanation:

• jwt.sign() creates token
• Payload = user data
• Secret = private key

Step 2: Create Middleware (Verify JWT)

function authenticateToken(req, res, next) {
  const authHeader = req.headers['authorization'];
  const token = authHeader && authHeader.split(' ')[1];

  if (!token) return res.sendStatus(401);

  jwt.verify(token, process.env.JWT_SECRET, (err, user) => {
    if (err) return res.sendStatus(403);

    req.user = user;
    next();
  });
}

Step 3: Protect Routes

app.get('/dashboard', authenticateToken, (req, res) => {
  res.json({ message: 'Welcome!', user: req.user });
});

Step 4: Using Token in Frontend

Send token in headers:

fetch('/dashboard', {
  headers: {
    Authorization: `Bearer ${token}`
  }
});

Full Flow Diagram

1. User logs in
2. Server generates JWT
3. Client stores token
4. Client sends token in requests
5. Server verifies token

Refresh Token Implementation (Advanced)

Why Needed?

Access tokens expire quickly.

Solution:

• Short-lived access token
• Long-lived refresh token

const refreshToken = jwt.sign(user, process.env.REFRESH_SECRET);

Common Errors in JWT Auth

"Unauthorized (401)"

• Missing token

"Forbidden (403)"

• Invalid token

"jwt expired"

• Token expired

👉 Debug tokens here: https://www.mydevtoolhub.com/tools/jwt-decoder

Best Practices

• Use HTTPS
• Store secret in .env
• Set short expiration
• Use refresh tokens
• Use HTTP-only cookies

Production Tips

• Rotate secrets
• Use rate limiting
• Log authentication failures
• Monitor suspicious activity

FAQs

Q1: Where should I store JWT?

Use HTTP-only cookies.

Q2: Can JWT replace sessions?

Yes, for stateless apps.

Q3: Is JWT secure?

Yes, if implemented correctly.

Q4: What is Bearer token?

A token sent in Authorization header.

Conclusion

JWT authentication is powerful, scalable, and widely used in Node.js applications.

By following this guide, you can build a secure authentication system from scratch.

👉 Test and decode your tokens here: https://www.mydevtoolhub.com/tools/jwt-decoder

Now you are ready to implement JWT like a pro 🚀