Authenticate Users With JWT for Access to Protected Resources


In this lesson, we build a simple API with two endpoints, one public and one secure. Using JWT and validating with the signature, we ensure that the user is authorized and has access to a protected resource before serving it.

Instructor: In this lesson, we will create an API with two routes. The first one, for the /resource endpoint, will be public and simply return a status of 200 and a message saying, "Public resource. You can see this."

Our second route will be for the /resource/secret endpoint. This will be a secured route. For this endpoint, we will return a 200, as well as a message that says, "Secret resource. You should be logged in to see this."

This server will run on the port specified by the environment variable API port. Let's go into our terminal, set this using export, and set the API port to 5000. Now, we can run the server by using Node and the name of the file.

To test our API, we will use Postman. If we go to localhost:5000, we're getting a 404, page not found, because that route was not defined. If we try localhost:5000/resource, we should see our public resource there. If we try localhost:5000/resource/secret, we can also see the content of this resource. Our next step will be to block those requests by requiring a valid JSON web token. To do so, we will require the Express JWT middleware.

Let's now open a terminal and install it using npm install express-jwt. Good. Now, let's define this middleware. We can initialize this middleware by using Express JWT and passing it some options. If you are using a real authentication server, you'd want to check for the issuer, the audience, and more to validate the integrity of the server.

In our case, we will only check to see if the signature matches the one from our authentication server, "my super secret key" in this case. Finally, we can secure our private route by adding the middleware as the second argument of our app.get method. We are now ready to restart our server and test it in Postman.

Now, if we try the route again, we see that we're getting an error message saying that no authorization token was found. Let's go to the authorization section and select a bearer token type of authentication.

We can take a valid token from jwt.io in this case, and simply paste that in the token box in Postman. We can now try to make our call to /resource/secret again, and we can now see the content of this route. Now, you have an API with a secured endpoint.