explaingit

auth0/node-jsonwebtoken

18,167 · JavaScript · Audience · developer · Complexity · 2/5 · Active · License · Setup · easy

TLDR

Node.js library for creating and verifying JSON Web Tokens (JWTs), compact signed tokens used to prove user identity without storing session data on the server.

Mindmap

mindmap
  root((repo))
    What it does
      Create tokens
      Verify tokens
      Decode tokens
    Key concepts
      Signed payload
      Expiration time
      Public/private keys
    Algorithms
      HMAC
      RSA
      ECDSA
    Use cases
      User authentication
      API authorization
      Stateless sessions
    Tech stack
      Node.js
      JavaScript

Things people build with this

USE CASE 1

Build login systems where the server issues a signed token instead of storing session data.

USE CASE 2

Secure API endpoints by verifying tokens sent with each request.

USE CASE 3

Implement single sign-on (SSO) by issuing tokens that work across multiple services.

Tech stack

Node.js · JavaScript

Getting it running

Difficulty · easy · Time to first run · 5min
Use freely for any purpose, including commercial use, as long as you keep the copyright notice and license text.

In plain English

node-jsonwebtoken is a Node.js library for creating and verifying JSON Web Tokens (JWTs). A JWT is a compact, self-contained package of information, typically used to prove that a user is who they say they are after logging in. Instead of storing session data on the server, a server generates a signed token and sends it to the client; the client presents that token with future requests, and the server verifies the signature to confirm the token is genuine and unmodified.

The library provides three main functions. The sign function creates a new token from a payload (any data you want to embed, like a user ID or permissions) and a secret key or private key, optionally setting an expiration time. The verify function checks that an incoming token's signature is valid, that it has not expired, and that it matches expected values like issuer or audience. The decode function reads the token's content without verifying the signature, useful for inspecting tokens in non-security-critical situations. It supports both synchronous and asynchronous usage.

Multiple signing algorithms are available, including HMAC-based ones (which use a shared secret) and RSA or ECDSA-based ones (which use a public/private key pair). The library enforces a minimum key size for RSA signatures to prevent use of weak keys. It is published on npm and maintained by Auth0.

Copy-paste prompts

Prompt 1
Show me how to create a JWT with a user ID and 1-hour expiration using node-jsonwebtoken.
Prompt 2
How do I verify a JWT token in an Express middleware to protect routes?
Prompt 3
Generate a JWT using RSA public/private keys instead of a shared secret.
Prompt 4
Decode a JWT without verifying the signature to inspect its payload.

Generated 2026-05-18 · Model: sonnet-4-6 · Verify against the repo before relying on details.