
    Provide Users With A JSON Web Token


    In this lesson, we will build a token issuer that will return a JSON Web Token. This simple server will have a single endpoint for login that queries a list of users and returns a web token for the matching user.







    Instructor: Since this lesson is all about creating an authentication server, let's start by creating a user database. We will use a user array that contains all of our users and store the passwords in plain text right now.

    Warning, do not do this in production. You should always encrypt passwords and ensure that no sensitive information about your users is accessible to potential hackers. For the sake of this lesson, let's just do it this way.

    We can now start with our /login POST request. This is the request that will handle user authentication. The first thing to check is if the request is formatted correctly. We are expecting both a username and a password.

    If we don't have both, we return a status code of 400 for invalid request, and we send a message to the user, saying that they need a username and password. We can then do a return to stop the execution of this callback.

    Now, if we have a valid request, we need to check if the user is in our database. Using the find method, we will check if we have a user that has a username and password that match those in the request.

    If we find a matching user, it will be stored in a constant, user. If we can't find a matching user, we can send a response with the status of 401 for unauthorized. We can also send a message to the user, saying user is not found. Once again, we return to stop the execution of this callback.

    If we have a valid user, we will send back a JSON web token as a response. In order to do so, we will need to require the JSON web token library. We will also need to install it using npm install jsonwebtoken.

    Now that it's installed, we can use the sign method to create a signed token. We start by passing the payload we want to attach in the JWT. We then pass a string which is the secret key. In this case, it's mysupersecretkey.

    Finally, we can pass some options like in how much time this token will expire, so we'll say expires in three hours for us. Finally, we can send back our response with a status of 200 and a JSON object with our access token.

    We can now run the authentication server using node and the name of the file. Let's now open Postman to test this out.

    If we try a GET request on the server, we're getting a 404 because we haven't defined any GET route on the server. Let's change that to a POST and use the /login endpoint that we just created. Sending a request to that URL without a body will give us a 400 with a message, "You need a username and password." Let's try to add those.

    By going in body, select raw and make sure that the type is set to application/json. You can now type in a username and password in JSON format. If we type a wrong password and we try this, we are getting the "User not found" message. If we fix the password to use the right one, we get our JSON object with an access token.

    You can copy and paste this JSON web token in a website like and you will be able to see the content. If you try it with another user like guest, you will get a different access token, and if we go into, we can once again see all of the content and we can see that it's different this time.

    That's it. You have now created your first authentication server.
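
    The login flow from this lesson, as an added example that is not the instructor's code: it uses Node's built-in crypto module in place of Express and jsonwebtoken so that the token's structure is visible, stores salted scrypt hashes instead of plain-text passwords, and goes one step past the lesson by also verifying the token. The admin user, both demo passwords, the access_token key, the sub claim and the function names are assumptions made for illustration.

```javascript
// Added example: the lesson's /login logic using only Node's built-in crypto module.
const { createHmac, randomBytes, scryptSync, timingSafeEqual } = require('node:crypto');

// 'mysupersecretkey' is the lesson's demo key; JWT_SECRET is an assumed variable name.
const SECRET = process.env.JWT_SECRET || 'mysupersecretkey';
const b64u = (value) => Buffer.from(value).toString('base64url');

// Constructed sample users: each gets a random salt and a scrypt hash of the password.
const makeUser = (username, password) => {
  const salt = randomBytes(16);
  return { username, salt, hash: scryptSync(password, salt, 32) };
};
const users = [makeUser('admin', 'admin-demo-pw'), makeUser('guest', 'guest-demo-pw')];

// HS256 token: base64url(header).base64url(payload).base64url(HMAC-SHA256 of both parts).
function signToken(payload, secret, expiresInSec, now = Math.floor(Date.now() / 1000)) {
  const header = b64u(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64u(JSON.stringify({ ...payload, iat: now, exp: now + expiresInSec }));
  const sig = createHmac('sha256', secret).update(`${header}.${body}`).digest('base64url');
  return `${header}.${body}.${sig}`;
}

// Returns the payload when the signature matches and the token has not expired, else null.
function verifyToken(token, secret, now = Math.floor(Date.now() / 1000)) {
  const [header, body, sig] = String(token).split('.');
  if (!header || !body || !sig) return null;
  const expected = createHmac('sha256', secret).update(`${header}.${body}`).digest();
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const payload = JSON.parse(Buffer.from(body, 'base64url').toString());
  return payload.exp > now ? payload : null;
}

// Same outcomes as the lesson's handler: 400 malformed, 401 no match, 200 with a token.
function login({ username, password } = {}) {
  if (typeof username !== 'string' || typeof password !== 'string' || !username || !password) {
    return { status: 400, body: { message: 'You need a username and password' } };
  }
  const user = users.find((u) => u.username === username);
  // Hash even for unknown usernames so both failure paths cost about the same time.
  const candidate = scryptSync(password, user ? user.salt : Buffer.alloc(16), 32);
  if (!user || !timingSafeEqual(candidate, user.hash)) {
    return { status: 401, body: { message: 'User not found' } };
  }
  const access_token = signToken({ sub: user.username }, SECRET, 3 * 60 * 60); // three hours
  return { status: 200, body: { access_token } };
}
```

    The middle segment of the token is only base64url-encoded JSON, which is why its content can be read without the key; the signature prevents modification, not disclosure.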