JSON Web Token (JWT) is an open standard (RFC 7519) for exchanging claims between parties as a compact, URL-safe JSON object. Because the token is digitally signed, the receiving party can verify that the claims were issued by the holder of the signing key and have not been altered in transit. JWTs can be signed with a shared secret (HMAC, for example HS256) or with a public/private key pair (RSA or ECDSA, for example RS256 or ES256). Note that a signature provides integrity and origin, not confidentiality: a signed JWT can be read by anyone who obtains it.
In Node.js, the jsonwebtoken package is the usual way to create and verify JWTs. In this tutorial we look at how to generate a JWT in Node.js and how to verify it safely.
Installation
To get started, we need to install the jsonwebtoken package. You can do this using npm (Node Package Manager) with the following command:
npm install jsonwebtoken
Once installed, you can import it into your file using:
const jwt = require('jsonwebtoken');
Creating a JWT
To create a JWT, we use the sign() function from the jsonwebtoken package. This function accepts three arguments:
- The payload, which is an object containing the claims. Claims are statements about an entity (usually the user) plus additional metadata such as when the token was issued.
- The secret or private key. For HMAC algorithms (HS256 and friends) this is a shared secret, given as a string or Buffer; for RSA and ECDSA algorithms it is a PEM-encoded private key. In either case it must be kept safe and never exposed, because anyone who holds it can mint tokens your application will accept.
- The options, which is an object containing additional settings such as the signature algorithm (algorithm, default HS256) and the token lifetime (expiresIn).
Here is an example:
const payload = { id: 1, name: 'John Doe', admin: true };
// Demo value only: a real HMAC secret should be a long random value loaded from
// configuration (for example an environment variable), never a short literal in source.
const secret = 's3cr3t';
const options = { expiresIn: '2h' }; // algorithm defaults to HS256 when not set
const token = jwt.sign(payload, secret, options);
In this example, the payload contains three claims: id, name, and admin. The secret is 's3cr3t' and the token expires in 2 hours; sign() adds the iat (issued at) and exp (expiry) claims to the payload for you. Because no algorithm option is given, the token is signed with HS256.
Checking a JWT
Once you create a JWT, you can verify its signature and decode the payload using the verify() function in the jsonwebtoken package. This function accepts three arguments:
- The token, which is the JWT string you want to verify.
- The secret or public key, which is the same secret used to sign the token (for HMAC) or the public key matching the private key that signed it (for RSA and ECDSA).
- The options, which is an object containing additional checks. The most important one is algorithms, the list of signature algorithms you are willing to accept; always set it, so that the token's own header cannot choose how it is verified. Other options let you require specific iss or aud claims.
Here is an example:
// Pin the algorithm to the one used in sign(); do not let the token's header decide.
const decoded = jwt.verify(token, secret, { algorithms: ['HS256'] });
In this example, the verify() function returns the decoded payload if the token is valid. If the token is not valid, the function throws: a TokenExpiredError when the exp claim is in the past, and a JsonWebTokenError when the signature does not match, the algorithm is not in the allowed list, or the token is malformed. Wrap the call in try/catch and treat any error as "not authenticated".
Conclusion
Working with JWTs in Node.js is straightforward thanks to the jsonwebtoken package. It provides functions for creating and verifying JWTs, allowing you to implement authentication and authorization in your Node.js applications.
Keep in mind that a JWT is only as secure as the secret used to sign it and as the checks performed when it is verified. Use a long random secret (256 bits for HS256), keep it out of source control, and rotate it if it leaks; on the verifying side always pin the allowed algorithms and let verify() enforce expiry. Also, JWTs are encoded, not encrypted: anyone who obtains a token can base64url-decode its payload without the secret. Therefore never put sensitive information in the payload of a JWT; if you need confidentiality, use an encrypted token format (JWE) or keep the data server-side and store only an identifier in the token.