express-jwt vs express-jwt-authz vs express-jwt-permissions vs jsonwebtoken vs passport-jwt
JWT Authentication and Authorization Strategies in Express.js
Search packages..
express-jwtexpress-jwt-authzexpress-jwt-permissionsjsonwebtokenpassport-jwtSimilar Packages:

JWT Authentication and Authorization Strategies in Express.js

These five packages address different layers of JSON Web Token (JWT) security within the Node.js ecosystem. jsonwebtoken is the foundational utility for creating and verifying tokens cryptographically. express-jwt and passport-jwt are middleware solutions that integrate token verification into Express request pipelines, with the latter fitting into the broader Passport authentication strategy system. express-jwt-authz and express-jwt-permissions focus on authorization, checking if an authenticated user has specific scopes or permissions to access a resource. Together, they cover the full spectrum from token generation to access control.

Npm Package Weekly Downloads Trend

3 Years

Github Stars Ranking

Stat Detail

Package
Downloads
Stars
Size
Issues
Publish
License
express-jwt04,51028.5 kB66a year agoMIT
express-jwt-authz0997.75 kB6-MIT
express-jwt-permissions052219.9 kB9-MIT
jsonwebtoken018,16143.4 kB1873 months agoMIT
passport-jwt01,98552 kB43-MIT

JWT Authentication and Authorization Strategies in Express.js

Securing a Node.js API usually involves two distinct steps: proving who the user is (authentication) and checking what they are allowed to do (authorization). The packages jsonwebtoken, express-jwt, passport-jwt, express-jwt-authz, and express-jwt-permissions each solve a specific part of this puzzle. Choosing the right combination depends on your architecture, existing dependencies, and security requirements.

🔐 Core Token Handling: Low-Level vs Middleware

The foundation of any JWT system is the ability to sign and verify tokens securely. This is where jsonwebtoken stands apart from the rest.

jsonwebtoken is the cryptographic engine. It does not know about Express, HTTP requests, or middleware. It simply takes data, signs it with a secret or private key, and verifies incoming tokens.

// jsonwebtoken: Manual verification
const jwt = require('jsonwebtoken');

function verifyToken(req, res, next) {
  const token = req.headers['authorization'];
  try {
    const decoded = jwt.verify(token, process.env.JWT_SECRET, { algorithms: ['HS256'] });
    req.user = decoded;
    next();
  } catch (err) {
    res.status(401).send('Invalid Token');
  }
}

express-jwt wraps this logic into an Express middleware. It automatically extracts the token from the Authorization header and attaches the decoded payload to req.user.

// express-jwt: Middleware verification
const { auth } = require('express-jwt');

app.use(auth({
  secret: process.env.JWT_SECRET,
  algorithms: ['HS256'],
  requestProperty: 'user'
}));

passport-jwt integrates JWT verification into the Passport strategy pattern. It requires a bit more setup but allows you to mix JWT auth with other strategies like Google OAuth or username/password.

// passport-jwt: Strategy-based verification
const JwtStrategy = require('passport-jwt').Strategy;

passport.use(new JwtStrategy({
    jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
    secretOrKey: process.env.JWT_SECRET
  },
  (payload, done) => {
    // Find user in DB here if needed
    return done(null, payload);
  }
));

🛡️ Authorization: Scopes and Permissions

Once a user is authenticated, you often need to restrict access based on roles, scopes, or permissions. This is where express-jwt-authz and express-jwt-permissions come into play.

express-jwt-authz is designed for simple scope checking. It expects the decoded token to contain a scope claim (usually a space-separated string) and checks if the required scope is present.

// express-jwt-authz: Scope checking
const jwtAuthz = require('express-jwt-authz');

app.get('/admin', 
  jwtAuthz(['read:admin', 'write:admin']), 
  (req, res) => {
    res.send('Admin access granted');
  }
);

express-jwt-permissions offers a more flexible model. It allows you to define custom permission rules and checks them against the token payload. It is useful if your permissions are stored as arrays or custom objects rather than simple space-separated scopes.

// express-jwt-permissions: Custom permission checking
const permissions = require('express-jwt-permissions');

const guard = permissions();

app.get('/dashboard', 
  guard.check(['dashboard:view']), 
  (req, res) => {
    res.send('Dashboard loaded');
  }
);

⚠️ Security and Maintenance Status

Security libraries require active maintenance. jsonwebtoken is the industry standard for the cryptographic piece and is widely trusted when configured correctly.

express-jwt has had significant security issues in the past (specifically regarding algorithm confusion attacks). Modern versions require you to explicitly specify allowed algorithms. If you use it, you must ensure you are on the latest version and strictly define the algorithms option.

// express-jwt: Secure configuration required
// NEVER omit the algorithms array
app.use(auth({
  secret: process.env.SECRET,
  algorithms: ['RS256'] // Explicitly define algorithm
}));

passport-jwt benefits from the broader Passport ecosystem. While Passport itself is mature, some plugins receive updates less frequently. However, because the core logic is simple, it remains a stable choice for many teams.

// passport-jwt: Stable strategy setup
// Ensure secretOrKey is managed securely (env vars)
passport.use(new JwtStrategy({
  secretOrKey: process.env.JWT_SECRET,
  jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken()
}, verifyCallback));

express-jwt-authz and express-jwt-permissions are smaller, niche packages. They are generally stable because they perform simple logic, but they rely on the authentication middleware (like express-jwt) running before them. If the authentication step fails to attach the user object, these will error.

// express-jwt-authz: Depends on prior auth middleware
app.use(auth({ secret: '...', algorithms: ['HS256'] })); // Must run first
app.use(jwtAuthz(['read:data'])); // Runs second

🔄 Integration Patterns

How you combine these tools defines your app's architecture.

Pattern A: The Minimalist Stack

Use jsonwebtoken + custom middleware + express-jwt-permissions. This gives you full control without extra dependencies like Passport.

// Minimalist: Custom middleware + permissions
app.use(verifyToken); // Custom using jsonwebtoken
app.get('/api', permissions.check(['read']), handler);

Pattern B: The Passport Ecosystem

Use passport-jwt + express-jwt-authz. Ideal if you already use Passport for session or OAuth login.

// Passport Stack: Strategy + Authz
app.get('/api', 
  passport.authenticate('jwt', { session: false }), 
  jwtAuthz(['read']), 
  handler
);

Pattern C: The Auth0 Style

Use express-jwt + express-jwt-authz. This mirrors the default setup often suggested for Auth0 integration.

// Auth0 Style: Dedicated middleware + Authz
app.use(auth({ secret: jwks.expressJwtSecret(...), algorithms: ['RS256'] }));
app.get('/api', jwtAuthz(['read:messages']), handler);

📊 Summary: Key Differences

Featurejsonwebtokenexpress-jwtpassport-jwtexpress-jwt-authzexpress-jwt-permissions
Primary RoleCrypto UtilityAuth MiddlewareAuth StrategyScope MiddlewarePermission Middleware
Express Specific❌ No✅ Yes✅ Yes✅ Yes✅ Yes
Handles Signing✅ Yes❌ No❌ No❌ No❌ No
Handles Verification✅ Yes✅ Yes✅ Yes❌ No❌ No
Authorization❌ No❌ No❌ No✅ Scopes✅ Permissions
EcosystemStandaloneAuth0 / StandalonePassportAuth0 / StandaloneStandalone

💡 Final Recommendation

For most new projects, passport-jwt combined with jsonwebtoken offers the best balance of flexibility and ecosystem support. It allows you to swap authentication strategies later without rewriting your middleware stack.

If you are building a simple microservice that only needs to verify tokens issued by a trusted authority (like Auth0 or AWS Cognito), express-jwt is lighter and faster to set up. Just be rigorous about security configuration.

For authorization, express-jwt-authz is sufficient for simple role-based access control (RBAC). If your permissions are complex (e.g., resource-level access), consider writing a custom middleware using jsonwebtoken data rather than relying on a niche package that might not fit your exact data model.

How to Choose: express-jwt vs express-jwt-authz vs express-jwt-permissions vs jsonwebtoken vs passport-jwt

  • express-jwt:

    Choose express-jwt if you want a dedicated, lightweight middleware solely for verifying JWTs in Express without the overhead of the Passport ecosystem. Ensure you configure the algorithms option explicitly to avoid security vulnerabilities.

  • express-jwt-authz:

    Choose express-jwt-authz if you need simple scope-based authorization (e.g., checking for 'read:users' scope) and are already using express-jwt or a similar middleware that attaches the decoded token to the request.

  • express-jwt-permissions:

    Choose express-jwt-permissions if you require more flexible permission modeling than simple scopes, such as checking specific resource permissions, and need a middleware that integrates directly with Express request handlers.

  • jsonwebtoken:

    Choose jsonwebtoken if you need low-level control over signing and verifying tokens without Express-specific middleware. It is the core dependency for most other JWT libraries and is essential if you are building custom authentication logic or working outside of Express.

  • passport-jwt:

    Choose passport-jwt if your application already uses Passport for other strategies (like OAuth or Local) and you want a unified interface for authentication. It is ideal for complex apps requiring multiple login methods.

Similar Npm Packages to express-jwt

express-jwt is a middleware for Express.js that allows you to authenticate JSON Web Tokens (JWT) in your Node.js applications. It simplifies the process of securing your API endpoints by verifying the token sent in the request headers and ensuring that the user is authenticated before granting access to protected resources. This package is particularly useful in applications that require user authentication and authorization, making it a popular choice among developers.

However, there are several alternatives to express-jwt that also provide JWT authentication and authorization capabilities:

  • express-jwt-authz is an authorization middleware for Express.js that works in conjunction with express-jwt. While express-jwt handles authentication by verifying the token, express-jwt-authz focuses on authorization by checking if the authenticated user has the necessary permissions to access specific resources. This package is ideal for applications that require fine-grained access control based on user roles and permissions.

  • jsonwebtoken is a widely-used library for creating and verifying JWTs. While it is not a middleware like express-jwt, it provides the core functionality needed to generate and decode JWTs. Developers often use jsonwebtoken in conjunction with express-jwt to create and verify tokens, making it a fundamental part of the JWT ecosystem in Node.js applications.

  • jwt-simple is another lightweight library for encoding and decoding JWTs. It provides a simple API for working with JWTs, making it easy to integrate into your applications. While it lacks some of the advanced features of jsonwebtoken, jwt-simple is a good choice for developers looking for a minimalistic solution for handling JWTs.

  • koa-jwt is a middleware for Koa.js, similar to express-jwt but specifically designed for the Koa framework. It provides JWT authentication capabilities for Koa applications, allowing developers to secure their APIs with ease. If you are using Koa instead of Express, koa-jwt is the go-to option for handling JWT authentication.

  • passport-jwt is a strategy for the Passport authentication middleware that allows you to authenticate users using JWTs. It integrates seamlessly with the Passport framework, making it a suitable choice for applications that already use Passport for authentication. This package provides a robust solution for managing user authentication with JWTs in a modular way.

To explore how express-jwt compares with its alternatives, check out the comparison: Comparing express-jwt vs express-jwt-authz vs jsonwebtoken vs jwt-simple vs koa-jwt vs passport-jwt.

Similar Npm Packages to express-jwt-authz

express-jwt-authz is a middleware for Express.js that simplifies the process of authorizing requests based on JSON Web Tokens (JWT). It allows developers to enforce access control by checking user permissions against the claims present in the JWT. This package is particularly useful for building secure APIs where user roles and permissions are essential for determining access to various resources.

While express-jwt-authz provides a robust solution for JWT-based authorization, there are several alternatives that can also be used for managing authentication and authorization in Express applications. Here are a few notable options:

  • express-jwt is a middleware that helps protect routes by validating JWTs. It ensures that incoming requests contain a valid token and can automatically handle token expiration. While express-jwt focuses on authentication, it does not handle authorization directly, making it a good companion to express-jwt-authz for complete security solutions.
  • express-jwt-permissions is an extension of express-jwt that provides a more granular approach to permissions management. It allows developers to define specific permissions for different routes and resources, making it easier to implement role-based access control (RBAC) in applications. This package can be used alongside express-jwt to create a comprehensive authentication and authorization strategy.
  • jsonwebtoken is a library for creating and verifying JSON Web Tokens. While it does not provide middleware for Express directly, it is often used in conjunction with other packages like express-jwt to handle token creation and verification. Developers can use jsonwebtoken to generate tokens that include user claims and roles, which can then be validated by express-jwt or express-jwt-authz.
  • passport-jwt is a Passport.js strategy for authenticating with JWTs. It integrates seamlessly with the Passport authentication middleware, allowing developers to use JWTs alongside other authentication strategies. This package is particularly useful for applications that require a flexible authentication system with multiple strategies, as it can be combined with other Passport strategies for comprehensive user authentication.

To see how these packages compare, check out the comparison: Comparing express-jwt vs express-jwt-authz vs express-jwt-permissions vs jsonwebtoken vs passport-jwt.

Similar Npm Packages to jsonwebtoken

jsonwebtoken is a widely-used library for creating and verifying JSON Web Tokens (JWT) in Node.js applications. JWTs are a compact, URL-safe means of representing claims to be transferred between two parties. The jsonwebtoken library provides a simple API for signing and verifying tokens, making it a popular choice for authentication and authorization in web applications. It supports various algorithms for signing tokens and allows developers to easily manage user sessions and secure API endpoints.

While jsonwebtoken is a robust solution for handling JWTs, there are alternatives that cater to different needs:

  • jwt-decode is a lightweight library that focuses solely on decoding JWTs. Unlike jsonwebtoken, which can both sign and verify tokens, jwt-decode is used to extract the payload from a JWT without validating its signature. This can be useful when you need to read the claims contained in a token without requiring the secret key. If your application needs to read JWTs but does not require signing or verifying them, jwt-decode is a great choice.
  • jwt-simple is another library that provides a simple way to encode and decode JSON Web Tokens. It offers a minimalist API for creating and verifying tokens, focusing on simplicity and ease of use. While it does not support as many features as jsonwebtoken, such as advanced signature algorithms or token expiration handling, it can be a good option for projects that require a straightforward implementation of JWTs without the overhead of a more complex library.

To compare these libraries, check out the following link: Comparing jsonwebtoken vs jwt-decode vs jwt-simple.

Similar Npm Packages to passport-jwt

passport-jwt is a Passport strategy for authenticating with JSON Web Tokens (JWT) in Node.js applications. It allows developers to easily implement JWT-based authentication in their Express applications, providing a straightforward way to secure routes and manage user sessions. By using passport-jwt, developers can ensure that only authenticated users can access certain resources, enhancing the security of their applications.

While passport-jwt is a robust solution for JWT authentication, there are other libraries that can also help manage JWTs in Node.js applications. Here are a few alternatives:

  • express-jwt is a middleware for Express applications that validates JWTs and automatically handles authentication. It checks the incoming requests for a valid JWT and denies access if the token is missing or invalid. express-jwt is a great choice for developers looking for a simple and effective way to secure their Express routes without the additional overhead of a full authentication framework like Passport. It is particularly useful for applications that require straightforward JWT validation without the need for user session management.

  • jsonwebtoken is a library that allows developers to sign, verify, and decode JSON Web Tokens. While it does not handle authentication directly, it provides the tools necessary to create and manage JWTs. Developers can use jsonwebtoken to generate tokens upon user login and verify them in subsequent requests. This library is ideal for those who want more control over the JWT lifecycle and prefer to implement their own authentication logic without relying on middleware.

To see how passport-jwt compares with express-jwt and jsonwebtoken, check out the comparison: Comparing express-jwt vs jsonwebtoken vs passport-jwt.

README for express-jwt

express-jwt

This module provides Express middleware for validating JWTs (JSON Web Tokens) through the jsonwebtoken module. The decoded JWT payload is available on the request object.

Install

$ npm install express-jwt

API

expressjwt(options)

Options has the following parameters:

  • secret: jwt.Secret | GetVerificationKey (required): The secret as a string or a function to retrieve the secret.
  • getToken?: TokenGetter (optional): A function that receives the express Request and returns the token, by default it looks in the Authorization header.
  • isRevoked?: IsRevoked (optional): A function to verify if a token is revoked.
  • onExpired?: ExpirationHandler (optional): A function to handle expired tokens.
  • credentialsRequired?: boolean (optional): If its false, continue to the next middleware if the request does not contain a token instead of failing, defaults to true.
  • requestProperty?: string (optional): Name of the property in the request object where the payload is set. Default to req.auth.
  • Plus... all the options available in the jsonwebtoken verify function.

The available functions have the following interface:

  • GetVerificationKey = (req: express.Request, token: jwt.Jwt | undefined) => Promise<jwt.Secret>;
  • IsRevoked = (req: express.Request, token: jwt.Jwt | undefined) => Promise<boolean>;
  • TokenGetter = (req: express.Request) => string | Promise<string> | undefined;

Usage

Basic usage using an HS256 secret:

var { expressjwt: jwt } = require("express-jwt");
// or ES6
// import { expressjwt, ExpressJwtRequest } from "express-jwt";

app.get(
  "/protected",
  jwt({ secret: "shhhhhhared-secret", algorithms: ["HS256"] }),
  function (req, res) {
    if (!req.auth.admin) return res.sendStatus(401);
    res.sendStatus(200);
  }
);

The decoded JWT payload is available on the request via the auth property.

The default behavior of the module is to extract the JWT from the Authorization header as an OAuth2 Bearer token.

Required Parameters

The algorithms parameter is required to prevent potential downgrade attacks when providing third party libraries as secrets.

:warning: Do not mix symmetric and asymmetric (ie HS256/RS256) algorithms: Mixing algorithms without further validation can potentially result in downgrade vulnerabilities.

jwt({
  secret: "shhhhhhared-secret",
  algorithms: ["HS256"],
  //algorithms: ['RS256']
});

Additional Options

You can specify audience and/or issuer as well, which is highly recommended for security purposes:

jwt({
  secret: "shhhhhhared-secret",
  audience: "http://myapi/protected",
  issuer: "http://issuer",
  algorithms: ["HS256"],
});

If the JWT has an expiration (exp), it will be checked.

If you are using a base64 URL-encoded secret, pass a Buffer with base64 encoding as the secret instead of a string:

jwt({
  secret: Buffer.from("shhhhhhared-secret", "base64"),
  algorithms: ["RS256"],
});

To only protect specific paths (e.g. beginning with /api), use express router call use, like so:

app.use("/api", jwt({ secret: "shhhhhhared-secret", algorithms: ["HS256"] }));

Or, the other way around, if you want to make some paths unprotected, call unless like so.

app.use(
  jwt({
    secret: "shhhhhhared-secret",
    algorithms: ["HS256"],
  }).unless({ path: ["/token"] })
);

This is especially useful when applying to multiple routes. In the example above, path can be a string, a regexp, or an array of any of those.

For more details on the .unless syntax including additional options, please see express-unless.

This module also support tokens signed with public/private key pairs. Instead of a secret, you can specify a Buffer with the public key

var publicKey = fs.readFileSync("/path/to/public.pub");
jwt({ secret: publicKey, algorithms: ["RS256"] });

Customizing Token Location

A custom function for extracting the token from a request can be specified with the getToken option. This is useful if you need to pass the token through a query parameter or a cookie. You can throw an error in this function and it will be handled by express-jwt.

app.use(
  jwt({
    secret: "hello world !",
    algorithms: ["HS256"],
    credentialsRequired: false,
    getToken: function fromHeaderOrQuerystring(req) {
      if (
        req.headers.authorization &&
        req.headers.authorization.split(" ")[0] === "Bearer"
      ) {
        return req.headers.authorization.split(" ")[1];
      } else if (req.query && req.query.token) {
        return req.query.token;
      }
      return null;
    },
  })
);

Retrieve key dynamically

If you need to obtain the key dynamically from other sources, you can pass a function in the secret parameter with the following parameters:

  • req (Object) - The express request object.
  • token (Object) - An object with the JWT payload and headers.

For example, if the secret varies based on the issuer:

var jwt = require("express-jwt");
var data = require("./data");
var utilities = require("./utilities");

var getSecret = async function (req, token) {
  const issuer = token.payload.iss;
  const tenant = await data.getTenantByIdentifier(issuer);
  if (!tenant) {
    throw new Error("missing_secret");
  }
  return utilities.decrypt(tenant.secret);
};

app.get(
  "/protected",
  jwt({ secret: getSecret, algorithms: ["HS256"] }),
  function (req, res) {
    if (!req.auth.admin) return res.sendStatus(401);
    res.sendStatus(200);
  }
);

Secret rotation

The getSecret callback could also be used in cases where the same issuer might issue tokens with different keys at certain point:

var getSecret = async function (req, token) {
  const { iss } = token.payload;
  const { kid } = token.header;
  // get the verification key by a given key-id and issuer.
  return verificationKey;
};

Revoked tokens

It is possible that some tokens will need to be revoked so they cannot be used any longer. You can provide a function as the isRevoked option. The signature of the function is function(req, payload, done):

  • req (Object) - The express request object.
  • token (Object) - An object with the JWT payload and headers.

For example, if the (iss, jti) claim pair is used to identify a JWT:

const jwt = require("express-jwt");
const data = require("./data");

const isRevokedCallback = async (req, token) => {
  const issuer = token.payload.iss;
  const tokenId = token.payload.jti;
  const token = await data.getRevokedToken(issuer, tokenId);
  return token !== "undefined";
};

app.get(
  "/protected",
  jwt({
    secret: "shhhhhhared-secret",
    algorithms: ["HS256"],
    isRevoked: isRevokedCallback,
  }),
  function (req, res) {
    if (!req.auth.admin) return res.sendStatus(401);
    res.sendStatus(200);
  }
);

Handling expired tokens

You can handle expired tokens as follows:

  jwt({
    secret: "shhhhhhared-secret",
    algorithms: ["HS256"],
    onExpired: async (req, err) => {
      if (new Date() - err.inner.expiredAt < 5000) { return;}
      throw err;
    },,
  })

Error handling

The default behavior is to throw an error when the token is invalid, so you can add your custom logic to manage unauthorized access as follows:

app.use(function (err, req, res, next) {
  if (err.name === "UnauthorizedError") {
    res.status(401).send("invalid token...");
  } else {
    next(err);
  }
});

You might want to use this module to identify registered users while still providing access to unregistered users. You can do this by using the option credentialsRequired:

app.use(
  jwt({
    secret: "hello world !",
    algorithms: ["HS256"],
    credentialsRequired: false,
  })
);

Typescript

A Request type is provided from express-jwt, which extends express.Request with the auth property. It could be aliased, like how JWTRequest is below.

import { expressjwt, Request as JWTRequest } from "express-jwt";

app.get(
  "/protected",
  expressjwt({ secret: "shhhhhhared-secret", algorithms: ["HS256"] }),
  function (req: JWTRequest, res: express.Response) {
    if (!req.auth?.admin) return res.sendStatus(401);
    res.sendStatus(200);
  }
);

Migration from v6

  1. The middleware function is now available as a named import rather than a default one: import { expressjwt } from 'express-jwt'
  2. The decoded JWT payload is now available as req.auth rather than req.user
  3. The secret function had (req, header, payload, cb), now it can return a promise and receives (req, token). token has header and payload.
  4. The isRevoked function had (req, payload, cb), now it can return a promise and receives (req, token). token has header and payload.

Related Modules

Tests

$ npm install
$ npm test

Contributors

Check them out here

Issue Reporting

If you have found a bug or if you have a feature request, please report them at this repository issues section. Please do not report security vulnerabilities on the public GitHub issue tracker. The Responsible Disclosure Program details the procedure for disclosing security issues.

Author

Auth0

License

This project is licensed under the MIT license. See the LICENSE file for more info.

npm-compare.com is an independent website designed to help developers choose the most suitable npm packages. We are not affiliated with npm, Inc, the official website for the npm registry. Note that npm is a registered trademark of npm, Inc. Please share your feedback via our GitHub repository. For more details, please refer to our Terms & Privacy.