JSON Web Token Integration in Node.js

Doug Schallmoser
4 min readFeb 3, 2021


In my last article I went over how to integrate JSON Web Tokens into the backend of your Rails application. That article can be found:

In this article I will go over a simple integration of JSON Web Tokens with Node.js, specifically with Express. The request from the frontend will remain the same, namely you will be sending a token to the backend on every request that requires authorization. You do this by adding the Authorization header to your fetch request with the token. In this example, we will be making a GET request for an individual task…

This request will hit our backend routers and execute the appropriate route. You’ll notice below that the first line of code has an auth function as the second argument of the get function. This is a custom middleware function that gets executed between when the request was made and when the route runs. A middleware function in Express has access to to the request object (req), response object(res), and next function. We of course have to load this auth module in at the top of our router in order to use it.

const auth = require(‘../middleware/auth’)

So what does the auth middleware function do? Well, remember our goal is to authorize the token that is sent in the request. We don’t actually want to run the route if the user (token) is not authorized. In this context, authorized means that the token sent with the request exists on the token property of a particular user in the database. As a reference, our database has a name and tokens property as shown below. Multiple tokens are stored in an array on the users table so that logging out of your account on one device (smartphone) doesn’t log you out on other devices (laptop).

So, the auth middleware function should either:
1) Allow the route to continue executing, or
2) Send back a 401 Error (Unauthorized client error)

Like we mentioned above, an Express middleware function takes in req, res, and next. In our auth function, we are going to find the user in the database that corresponds to the decoded JWT passed in. We do this by utilizing the jsonwebtoken library. This library gives us access to the verify method. Before verifying the token, we first need to parse out the token from the request by grabbing the ‘Authorization’ header property of the req object and removing the ‘Bearer’ keyword so we are just left with the pure token in string format.

Then we verify the token by passing in the token and a public/private key. We use the findOne method from Mongoose and pass in the user ID and token that was decoded previously. If the user is found, we optionally set the token property on the request, req.token = token and also set the user property on the request, req.user = user which gives our route access to the user without searching the database again. We call the next function which allows our route to continue running. If the user is NOT found, the route will not run, so we change the status to 401 and send back a JSON response with a ‘Please authenticate’ error message.

Here’s what the auth middleware function looks like:

If next() is called, our route continues to execute since we are now past the auth function argument. We have successfully authorized a route, and the great thing is we can use the auth middleware function over and over again in all of our routes. So if we wanted to create a new task, we can easily add auth to our POST request route and it will authorize in the same way!

That’s it!