Creating/Using JSON Web Tokens (JWT)

In this article I will be addressing a brief introduction/tutorial on how to create and understand the open standard, JSON web tokens (JWT). Let’s get started.

What is a JWT?

A JSON Web Token (JWT), is an access token used in we applications that defines a compact and self-contained way to secure data being produced or sent between parties via JSON objects, and verified through digital signatures using secrets. JWTs come in three different parts, each described below:

Header: The header is the section of the token which identifies algorithms to generate signatures. The default Types of JWTs include HMAC and RSA.

Payload: The payload is the section that contains the required information used to access control of the app. The payload is also where the data of the token in stored.

Signature: The signature is the section of the token that is utilized for validation to prevent the token from being tampered with. The signature is the combination of both the header and the payload but as an encoded display to prevent potential decoding and account breeches.

The inner workings of a JWT:

Learning about how the JSON web token works internally can provide a clarity for

1: Login using a username/password: Having a feature which contains users which require both a username and password could then use this information as a source for JWTs to be in use, recording user credentials in order to access the said user’s information.

2: If credentials equates to true, JWT defines user: If the said credentials given to through a login for a specific user turns out to be true credentials, then the token will access the user’s information.

3: Restricted webpage access/validation: If the user would want to gain access to a specific webpage by travelling via a specific route, what would be required could be a validation through a JWT.

Creating a JWT:


When it comes to the installation process for a JWT, it is important to have npm installed so that with node we can install the JWT package and import the package using the require method. From there we can proceed to create two variables, private_key, and payload.

Private_key will act as the password string, while the payload will be an object containing user public user information, such as username and email.


During the creation of a JWT, what we can do is utilize one of the methods we have obtained from the module, more specifically the jwt.sign(payload, secret, optional) method.

From there we can set an expiration so that when a set time interval hits, the token will automatically reset and the user will log out.


Now that the JWT module is installed and the token has been created, let’s test out our token’s verification.

What we can do is create a set-timeout method to iterate over the data and using the verify method provided by the JWT module to require a interval for a verification process to prevent third party access of private user information.

JS Dev

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store