JSON Web Token Tutorial: Express
// file: index.js
var crypto = require("crypto");

var _ = require("lodash");
var bodyParser = require("body-parser");
var express = require("express");
var jwt = require('jsonwebtoken');
var passport = require("passport");
var passportJWT = require("passport-jwt");
var ExtractJwt = passportJWT.ExtractJwt;
var JwtStrategy = passportJWT.Strategy;
// In-memory stand-in for a user store. Passwords are kept in clear text
// here only because this is a tutorial; a real store holds password hashes.
var users = [
  { id: 1, name: 'jonathanmh', password: '%2yx4' },
  { id: 2, name: 'test', password: 'test' }
];
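// Options shared by the passport-jwt strategy (verification) and the
// /login route (signing), so both sides agree on secret and algorithm.
var jwtOptions = {};
// Read the token from "Authorization: JWT <token>". fromAuthHeaderWithScheme('jwt')
// is the same extractor as the older fromAuthHeader(), which newer passport-jwt
// releases removed (see the TypeError reported in the comments below).
jwtOptions.jwtFromRequest = ExtractJwt.fromAuthHeaderWithScheme('jwt');
// Signing secret: taken from the environment when set. The literal is a
// tutorial-only fallback; a deployed service must set JWT_SECRET.
jwtOptions.secretOrKey = process.env.JWT_SECRET || 'tasmanianDevil';
// Accept only the algorithm we sign with (jwt.sign defaults to HS256), so a
// token whose "alg" header was changed is rejected at verification time.
jwtOptions.algorithms = ['HS256'];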
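// Verify callback for passport-jwt. By the time it runs the signature has
// already been checked against jwtOptions.secretOrKey; this only maps the
// token's id back onto a user record.
//
// jwt_payload: the decoded token body ({id} as written by /login).
// next(err, user|false): passport's done callback.
var strategy = new JwtStrategy(jwtOptions, function(jwt_payload, next) {
  console.log('payload received', jwt_payload);
  // The ids in the user store are numbers; anything else cannot match and
  // is treated as an invalid token rather than being looked up.
  if (!jwt_payload || typeof jwt_payload.id !== 'number') {
    return next(null, false);
  }
  // usually this would be a database call:
  // _.find returns undefined when nothing matches, unlike users[_.findIndex(...)]
  // which indexes with -1.
  var user = _.find(users, {id: jwt_payload.id});
  if (user) {
    next(null, user);
  } else {
    next(null, false);
  }
});
// Register the strategy under the name 'jwt' used by passport.authenticate('jwt', ...).
passport.use(strategy);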
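var app = express();
// parse application/x-www-form-urlencoded
// for easier testing with Postman or plain HTML forms
app.use(bodyParser.urlencoded({ extended: true }));
// parse application/json
app.use(bodyParser.json());
// passport has to be initialised before any route calls passport.authenticate;
// no sessions are used, the token is presented on every request.
app.use(passport.initialize());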
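// Constant-time comparison of two secrets. The length check is needed because
// timingSafeEqual throws on buffers of different length; it leaks only the
// length, which a plain === comparison leaks as well.
function secretsMatch(expected, supplied) {
  var a = Buffer.from(String(expected));
  var b = Buffer.from(String(supplied));
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Liveness check, no authentication required.
app.get("/", function(req, res) {
  res.json({message: "Express is up!"});
});

// Exchange a name/password pair for a signed token.
// Body (JSON or form-encoded): { name, password }.
// Responses: 200 { message: "ok", token }; 400 when a field is missing;
// 401 when the credentials do not match.
app.post("/login", function(req, res) {
  var name = req.body.name;
  var password = req.body.password;
  // Without this branch a request lacking a field never got a response.
  if (typeof name !== 'string' || typeof password !== 'string') {
    return res.status(400).json({message: "name and password are required"});
  }
  // usually this would be a database call:
  var user = _.find(users, {name: name});
  // NOTE(review): the two different 401 messages let a client tell a valid
  // name from an invalid one; a production service should use one generic
  // "invalid credentials" response for both cases.
  if (!user) {
    // return is required: without it execution fell through to the password
    // check with user undefined and threw after the 401 was already sent.
    return res.status(401).json({message:"no such user found"});
  }
  if (!secretsMatch(user.password, password)) {
    return res.status(401).json({message:"passwords did not match"});
  }
  // from now on we'll identify the user by the id and the id is the only personalized value that goes into our token
  var payload = {id: user.id};
  // Tokens signed without expiresIn never expire; one hour bounds the window
  // in which a leaked token is useful.
  var token = jwt.sign(payload, jwtOptions.secretOrKey, { expiresIn: '1h' });
  res.json({message: "ok", token: token});
});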
// Protected route. passport.authenticate runs first and answers 401 itself
// when the Authorization header is missing or the token does not verify, so
// the handler body only runs for a valid token.
app.get(
  "/secret",
  passport.authenticate('jwt', { session: false }),
  function secretHandler(req, res) {
    res.json({message: "Success! You can not see this without a token"});
  }
);
function(req, res, next){
}, function(req, res){
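// Listen on PORT from the environment when set (as hosting platforms do),
// falling back to 3000 so the tutorial still runs unchanged.
var port = Number(process.env.PORT) || 3000;
app.listen(port, function() {
  console.log("Express running");
});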
"name": "jwt-tutorial",
"version": "1.0.0",
"description": "",
"main": "index.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
"keywords": [],
"author": "",
"license": "ISC",
"dependencies": {
"body-parser": "^1.15.2",
"express": "^4.14.0",
"jsonwebtoken": "^7.1.9",
"lodash": "^4.16.4",
"passport": "^0.3.2",
"passport-jwt": "^2.1.0"

dumptyd commented Jan 10, 2017

Thanks 👍


ghost commented Mar 21, 2017

Thank you for this sample.
I have a question in regards to this part:

app.get("/secret", passport.authenticate('jwt', { session: false }), function(req, res){
  res.json({message: "Success! You can not see this without a token"});

when I do the get request I get:


Do I set a header parameter passing in the token with that get request?
How do I use the generated token with that GET request to get the success message?


nikolay-govorov commented Apr 25, 2017

Thanks, it is just what I need! 👍


pjchender commented Jun 21, 2017

Great Article!!


Evgenyx82 commented Aug 18, 2017

developermhayden use fetch polyfill with headers options (


harrylincoln commented Aug 23, 2017

TypeError: ExtractJwt.fromAuthHeader is not a function

Line 28 needs to change to: jwtOptions.jwtFromRequest = ExtractJwt.fromAuthHeaderWithScheme('jwt'); ?



lmontoya1974 commented Sep 8, 2017

I have it all working now and I'm getting "Success! You can not see this without a token".

I need to continue with my application and adding more options like:"/read", function(req, res) {  
    // do all here just when the access is granted, but error if no access or  "Unauthorized"

What else do I need to include?

Thank you all guys.


premgowda commented Nov 28, 2017


prefix token with JWT
example: "JWT token"


wisetc commented Dec 29, 2017

I used ExtractJwt.fromAuthHeaderAsBearerToken() instead of ExtractJwt.fromAuthHeader() and set Authorization header to 'Bearer ' + token.


It worked.


jjjjcccjjf commented Jan 6, 2018

@wisetc I used this instead
jwtOptions.jwtFromRequest = ExtractJwt.fromAuthHeaderWithScheme('bearer');


soumodips commented Feb 3, 2018

Hello everyone. I still have this issue. Tried using bearer strategy too. Here is the link to my repo

I will be glad if any one can help.

Screenshots from Postman:


Thanks a ton in advance!

Be sure to use all key names as expected by the modules. I had used 'exp' for expiry time in the payload instead of 'expiresIn'. Enjoy!!


ClausClaus commented Jul 14, 2018



ianfabs commented Aug 19, 2018


rmar72 commented Sep 2, 2018

These 2 ways worked for me:
ExtractJwt.fromAuthHeaderWithScheme('bearer') or with ('jwt');

Headers: Authorization: bearer + token or jwt + token


ironbyte commented Oct 5, 2018

Very helpful! Thanks
