node-jsonwebtoken
JsonWebToken implementation for node.js http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html
node-jsonwebtoken is a Node.js library for creating and verifying JSON Web Tokens (JWTs). A JWT is a compact, self-contained package of claims, typically used to prove that a user is who they say they are after logging in. Instead of storing session data on the server, the server generates a signed token and sends it to the client; the client presents that token with later requests, and the server verifies the signature to confirm the token is genuine and unmodified. This is the most common way to handle user logins without keeping sessions on the server.
The library provides three main functions. sign creates a new token from a payload (any data you want to embed, such as a user ID or permissions) and either a shared secret (for HMAC algorithms) or a private key (for RSA or ECDSA), optionally setting an expiration time. verify checks that an incoming token's signature is valid under the expected algorithm, that the token has not expired, and that claims such as issuer or audience match the values you expect. decode reads the token's payload without verifying the signature; it is useful for inspecting tokens in non-security-critical situations, but its output is untrusted input and must not drive an authorization decision, since a tampered or unsigned token decodes just as cleanly as a genuine one.
It supports both synchronous and asynchronous (callback-based) usage. Multiple signing algorithms are available, including HMAC-based ones such as HS256 (which use a shared secret) and RSA- or ECDSA-based ones such as RS256 and ES256 (which use a public/private key pair). The library enforces a minimum key size for RSA signatures to prevent use of weak keys. It is published on npm and maintained by Auth0.
Where it fits
- Add JWT-based login to a Node.js API so users get a signed token after authenticating that proves their identity on future requests
- Protect API routes by verifying incoming tokens to confirm the user is who they claim to be, without a database lookup
- Issue tokens with expiration times so users are automatically logged out after a set period
- Sign tokens with RSA private keys so multiple services can verify user identity using only the public key