Add Middleware to Validate a JSON Web Token (JWT)

Share this video with your friends

Social Share Links

Send Tweet
Published 4 years ago
Updated 3 years ago

Sending a JSON Web Token is one way to valid your identity as a user of an API or service. In this lesson, we will see how to add an Express middleware which will check for a valid JWT and return a 401 Unauthorized error if not.

Kevin Cunningham: [0:00] Having set up Auth0, we're now going to prepare our project. I'm going to install some dependencies.

[0:06] First of all, I'll install the express-jwt, which is the middleware for Express that deals with JSON Web Tokens. The second library I'll install is jwks-rsa, which is a library to retrieve our RSA signing key from a JSON Web Key Set endpoint, which is provided to us via Auth0.

[0:26] I also install dotenv, which is a library that allows us to access environment variables securely so that we don't have to store them in our source code. Once you've done that, we'll start our API.

[0:40] Now that we have our dependencies installed, we're going to create a new file called auth.js in our utils folder. In that, we're going to create a middleware function called checkJwt, which is going to check the JSON Web Token that's provided to us on our request. In our file, we'll require the two libraries which we just installed.

[1:01] The next thing we're going to do is we're going to create a checkJwt function, attached to JSON Web Token, and we're going to use the middleware that we imported up above. We're going to pass an options object to that middleware.

[1:14] The first option is the secret, which we're going to generate using the jwksRsa library, using the exposed function expresseJwtSecret(). We're going to cache that secret with rateLimit. We're going to say you can request 5 times per minute, and we'll use the URI that's provided to us by Auth0.

[1:32] We have to define the audience. In this case, we're going to use the one that we defined in the last video, and the issuer. Again, that's provided to us by Auth0. The algorithm we're going to use is RS256, as we declared earlier, and we are going to export that function to be able to be used in our application.

[1:51] Back in our server.js file, we are going to import the function that we've just created checkJwt, which we're going to import from our utils directory, and specifically, our auth file.

[2:05] I currently have one unprotected and public route/test. In this, we'll send a response back that says, "This is a test."

[2:13] I'm going to copy this route and change it to test-auth, and I'm going to add in the middleware that is going to check and test whether or not the request has passed a valid jwt JSON Web Token. I add that anywhere in the chain.

[2:28] Let's follow the logic. We have a root that's being hit, test-auth. We have some middleware which is checking the jwt, and of these fields, if there's an invalid JSON Web Token, then we'll return a 401 error unauthenticated. Otherwise, we'll continue. We'll process the request, and we'll say, "This is a test."

[2:49] I'll now open my favorite API tester, Insomnia, and I'll go to 3001/test, send a request, and I should get a 200 OK with, "This is a test."

[3:00] If I send a test request to test-auth, I get a 401 unauthorized and I'm told that there is no authorization token found. Lastly, if I do authenticate my request using a bearer token with some random text rather than a valid token, I'll be told that my jwt is malformed, and I will also fail on the 401.

[3:23] Now we need to be able to get a valid JSON token to be able to access and use our API.

~ 32 minutes ago

Member comments are a way for members to communicate, interact, and ask questions about a lesson.

The instructor or someone from the community might respond to your question Here are a few basic guidelines to commenting on

Be on-Topic

Comments are for discussing a lesson. If you're having a general issue with the website functionality, please contact us at

Avoid meta-discussion

  • This was great!
  • This was horrible!
  • I didn't like this because it didn't match my skill level.
  • +1 It will likely be deleted as spam.

Code Problems?

Should be accompanied by code! Codesandbox or Stackblitz provide a way to share code and discuss it in context

Details and Context

Vague question? Vague answer. Any details and context you can provide will lure more interesting answers!

Markdown supported.
Become a member to join the discussionEnroll Today