DEV Community

Ilyas Abdisalam

Secure Your REST API with JWT Authentication (Beginner Friendly)

1. Introduction

As APIs become more central to modern web apps, securing them is critical. One common and powerful method is JWT (JSON Web Token) authentication. It allows secure, stateless communication between client and server.

In this guide, we’ll walk through the core concepts, the authentication flow, and how to implement JWT in a Node.js + Express API.

2. What is JWT?

JWT (JSON Web Token) is a compact, URL-safe way of representing claims between two parties. It’s widely used for authentication.
A JWT has three parts:

HEADER.PAYLOAD.SIGNATURE

Example Token:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEsImlhdCI6MTY3Nzg0NTM1Nn0.vPObNvSaNfrqzuhRRYtNnmlbRrFYP7oowC_NWkpiW1k

Part       Purpose
Header     Algorithm + token type
Payload    Claims (user ID, role, etc.)
Signature  Verifies token integrity (signed with the server's secret)

3. JWT Authentication Flow

(Figure: JWT authentication flow diagram)

4. Example Project Structure (Node.js + Express)

project/
├── controllers/
│   └── auth.js
├── middleware/
│   └── authMiddleware.js
├── routes/
│   └── authRoutes.js
├── app.js
├── .env
└── package.json

5. Code Breakdown

5.1 Install Required Packages

npm install express jsonwebtoken dotenv

5.2 Generate Token (Login Route)

require('dotenv').config(); // loads JWT_SECRET from .env
const jwt = require('jsonwebtoken');
const SECRET = process.env.JWT_SECRET;

function login(req, res) {
  const user = { id: 1, username: 'ilyas' }; // dummy user; a real app checks credentials first
  // Sign only the claims the API needs; expiresIn adds an `exp` claim one hour ahead
  const token = jwt.sign({ userId: user.id }, SECRET, { expiresIn: '1h' });
  res.json({ token });
}

5.3 Protect Routes with Middleware

const jwt = require('jsonwebtoken');

function verifyToken(req, res, next) {
  // Expects the header "Authorization: Bearer <token>"; take the part after the scheme
  const token = req.headers['authorization']?.split(' ')[1];
  if (!token) return res.sendStatus(401);

  // Checks the signature and the `exp` claim; any failure rejects the request
  jwt.verify(token, process.env.JWT_SECRET, (err, decoded) => {
    if (err) return res.sendStatus(403);
    req.userId = decoded.userId;
    next();
  });
}

5.4 Secure Endpoint Example

app.get('/profile', verifyToken, (req, res) => {
  res.send(`This is a protected route for user ${req.userId}`);
});

6. Best Practices for JWT

Tip                               Why it matters
Use short expiration times        Limits damage from stolen tokens
Store tokens securely             Avoid localStorage for sensitive data
Rotate tokens periodically        Increases security
Never store the JWT secret in code  Use environment variables

7. Conclusion

JWT is a powerful way to secure RESTful APIs in a stateless and scalable manner. You now understand the structure, flow, and implementation of JWT authentication in a Node.js Express app.
