
auth0/express-jwt

4,510 · TypeScript · Audience: developer · Complexity: 2/5 · Setup: easy

TLDR

Express middleware maintained by Auth0 that automatically validates JSON Web Tokens on incoming requests, blocks invalid or expired ones, and puts the decoded user identity on the request object for your route handlers.

Mindmap

mindmap
  root((express-jwt))
    What it does
      Validates JWT tokens
      Blocks bad requests
      Exposes user identity
    Configuration
      Secret key or keypair
      Signing algorithm
      Token location
    Advanced features
      Dynamic key retrieval
      Token revocation check
      Route-level skip
    Tech stack
      TypeScript
      Node.js
      Express middleware

Things people build with this

USE CASE 1

Protect Express API routes so only requests with a valid login token are allowed through

USE CASE 2

Decode JWT payload and make user identity available to downstream route handlers with no extra code

USE CASE 3

Support multiple token issuers or public-key signing by providing a dynamic key-retrieval function

USE CASE 4

Implement token revocation by hooking in a custom check that queries your database or cache

Tech stack

TypeScript · Node.js · Express

Getting it running

Difficulty: easy · Time to first run: 30 min

Requires an existing Express app and a JWT secret or public key; the basic setup is a single middleware call.

In plain English

This library is a piece of middleware for Express, a popular framework for building web servers in JavaScript. Its specific job is to check incoming requests for a JWT, which stands for JSON Web Token. A JWT is a small, self-contained string that a server hands out when a user logs in, and which that user then sends along with future requests to prove who they are. This library reads that token, validates it, and if it checks out, makes the user's identity information available to the rest of the application.

Setting it up is straightforward for a developer. You add it as a step in your request-handling chain, pass it a secret key, and specify which signing algorithm to expect. From that point on, any route you protect with it will automatically reject requests that lack a valid token or carry one that has expired, been tampered with, or fails any other check. The decoded token data ends up on the request object, where your own code can read it to decide what a given user is allowed to do.

The library covers several practical scenarios beyond the basics. If your application issues tokens using a public and private key pair rather than a shared secret, that is supported. You can provide a custom function that retrieves the verification key dynamically, which is useful when multiple issuers with different keys might be sending tokens. There is also support for checking whether a specific token has been revoked, for cases where you need to invalidate credentials before they naturally expire. Other options let you choose where in the request the token lives, skip authentication on certain routes using an unless helper, and configure how expired tokens are handled. If a token is invalid, the library throws an error that your existing Express error handler can catch and respond to however you prefer.

The library is maintained by Auth0, a company that specializes in authentication services.

Copy-paste prompts

Prompt 1
Add express-jwt to my Express API to protect all routes under /api so requests without a valid JWT get a 401 response.
Prompt 2
My Express app uses RS256 public-key JWT signing instead of a shared secret. How do I configure express-jwt to verify tokens using a PEM public key?
Prompt 3
How do I use the unless helper with express-jwt to skip token validation for the /login and /register routes?
Prompt 4
A user logged out and I want to reject their JWT even though it has not expired yet. How do I implement token revocation with express-jwt?
Prompt 5
express-jwt is throwing an UnauthorizedError but I want to return a custom JSON error body. How do I set up the Express error handler to catch it?