Authentication is one of those things every developer has to implement… but very few get completely right the first time.
JWT (JSON Web Tokens) is often the go-to solution, but most tutorials either:
- oversimplify it, or
- skip important security details
So in this guide, we'll do it the right way — production mindset, but still beginner-friendly. Updated for 2026 with the latest security practices, vulnerability data, and Node.js ecosystem changes.
Table of Contents
- What is JWT?
- How JWT Authentication Works
- Structure of a JWT
- Setting Up the Node.js Project
- Folder Structure
- Step 1: User Login & Token Generation
- Step 2: Authentication Middleware
- Step 3: Protect Routes
- Choosing the Right Signing Algorithm (RS256 vs HS256)
- Token Storage: Where to Store JWTs Securely
- Backend for Frontend (BFF) Pattern
- Access Token vs Refresh Token
- Token Fingerprinting (Advanced)
- Common Mistakes
- 2026 Threat Landscape
- Production Best Practices
- Logout Strategy
- My Thoughts
What is JWT (in Simple Terms)?
JWT is a secure way to send data between client and server.
Think of it like this:
Instead of asking the server "who are you?" on every request,
the client carries a proof (token) that says: "I'm already authenticated."
JSON Web Tokens (JWTs) are an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.
JWTs are widely used for authentication and authorization because they let systems verify requests without relying on centralized session storage.
Why JWT Over Sessions?
In traditional web applications, authentication often relies on server-side sessions. The server stores session data and checks it whenever a request arrives. This approach works well for simple architectures but can become difficult to scale when systems grow or distribute across regions and services.
JWTs solve this problem by allowing identity information to be stored inside the token itself. Each service can verify the token independently, without contacting a central database. This improves performance, reduces latency, and simplifies scaling.
However, this comes with a trade-off: this design changes the security model. Once a token is issued, if a token is leaked, copied, or forged, it can grant unauthorized access until it expires or is revoked.
How JWT Authentication Works
Here's the flow:
┌──────────┐ ┌──────────┐
│ Client │ │ Server │
└────┬─────┘ └────┬─────┘
│ 1. Login Request │
│ (email + password) │
│────────────────────►│
│ │ 2. Verify Credentials
│ │ 3. Generate JWT
│ 4. Return Token │
│◄────────────────────│
│ │
│ 5. Request + Token │
│────────────────────►│
│ │ 6. Verify Token
│ 7. Protected Data │
│◄────────────────────│
- User logs in (email + password)
- Server verifies credentials against the database
- Server generates a JWT with user claims
- Client receives and stores the token
- Client sends token in
Authorizationheader in future requests - Server verifies the token signature → allows access
- Protected resource is returned
Structure of a JWT
What parts the token has depends on the type of the JWT: whether it's a JWS (a signed token) or a JWE (an encrypted token). If the token is signed it will have three sections: the header, the payload, and the signature. If the token is encrypted it will consist of five parts: the header, the encrypted key, the initialization vector, the ciphertext (payload), and the authentication tag.
For signed tokens (the most common type):
HEADER.PAYLOAD.SIGNATURE
Header
Contains the algorithm and token type:
{
"alg": "RS256",
"typ": "JWT"
}
Payload
Contains claims — the user data:
{
"sub": "1234567890",
"name": "Jane Doe",
"iat": 1672531200,
"exp": 1672534800
}
Tokens are signed to protect against manipulation and are easily decoded. Add the bare minimum number of claims to the payload for best performance and security.
Signature
Ensures the token hasn't been tampered with. Generated by combining the encoded header, encoded payload, and a secret key.
Encoded Example:
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkphbmUgRG9lIiwiaWF0IjoxNjcyNTMxMjAwfQ.signature_here
⚠️ Critical distinction: Signatures are not encryptions! Signing JWTs doesn't make their data unreadable. Signatures only verify that the content of the JWT was not changed.
Setting Up the Node.js Project (2026)
The jsonwebtoken package latest version is 9.0.3. Start using jsonwebtoken in your project by running npm i jsonwebtoken. There are 35,822 other projects in the npm registry using jsonwebtoken.
2026 Node.js Security Note: The Node.js project will release new versions of the 25.x, 24.x, 22.x, 20.x releases lines on or shortly after March 24, 2026, to address multiple high severity issues. Always keep Node.js updated.
Install dependencies:
npm init -y
npm install express jsonwebtoken bcrypt dotenv helmet cors express-rate-limit
What each package does:
| Package | Purpose |
|---|---|
express |
Web framework |
jsonwebtoken |
JWT creation & verification |
bcrypt |
Password hashing |
dotenv |
Environment variable management |
helmet |
Security HTTP headers |
cors |
Cross-origin resource sharing |
express-rate-limit |
Rate limiting for brute force protection |
.env file:
JWT_ACCESS_SECRET=your-super-long-random-access-secret-at-least-32-chars
JWT_REFRESH_SECRET=your-super-long-random-refresh-secret-at-least-32-chars
ACCESS_TOKEN_EXPIRY=15m
REFRESH_TOKEN_EXPIRY=7d
PORT=3000
Use separate secrets for access and refresh tokens, proper expiration times, and validation at startup to catch configuration errors early. Using different secrets prevents token type confusion attacks.
Basic Folder Structure
src/
├── config/
│ └── env.js # Environment validation
├── controllers/
│ └── authController.js
├── middleware/
│ ├── auth.js # JWT verification
│ └── rateLimiter.js # Rate limiting
├── models/
│ └── User.js
├── routes/
│ ├── authRoutes.js
│ └── protectedRoutes.js
├── utils/
│ ├── tokenUtils.js # Token generation/verification helpers
│ └── cookieUtils.js # Secure cookie helpers
└── app.js
Step 1: User Login and Token Generation
Environment Validation (config/env.js):
// Fail fast if secrets are missing or weak
if (!process.env.JWT_ACCESS_SECRET || process.env.JWT_ACCESS_SECRET.length < 32) {
throw new Error("JWT_ACCESS_SECRET must be at least 32 characters");
}
if (!process.env.JWT_REFRESH_SECRET || process.env.JWT_REFRESH_SECRET.length < 32) {
throw new Error("JWT_REFRESH_SECRET must be at least 32 characters");
}
export default {
accessToken: {
secret: process.env.JWT_ACCESS_SECRET,
expiresIn: process.env.ACCESS_TOKEN_EXPIRY || "15m",
},
refreshToken: {
secret: process.env.JWT_REFRESH_SECRET,
expiresIn: process.env.REFRESH_TOKEN_EXPIRY || "7d",
},
};
Token Utility (utils/tokenUtils.js):
import jwt from "jsonwebtoken";
import config from "../config/env.js";
export const generateAccessToken = (user) => {
return jwt.sign(
{ sub: user._id, email: user.email },
config.accessToken.secret,
{
expiresIn: config.accessToken.expiresIn,
algorithm: "HS256", // See algorithm section below for RS256 upgrade
}
);
};
export const generateRefreshToken = (user) => {
return jwt.sign(
{ sub: user._id },
config.refreshToken.secret,
{
expiresIn: config.refreshToken.expiresIn,
algorithm: "HS256",
}
);
};
export const verifyAccessToken = (token) => {
return jwt.verify(token, config.accessToken.secret, {
algorithms: ["HS256"], // ALWAYS whitelist algorithms
});
};
export const verifyRefreshToken = (token) => {
return jwt.verify(token, config.refreshToken.secret, {
algorithms: ["HS256"],
});
};
Login Controller (controllers/authController.js):
import bcrypt from "bcrypt";
import User from "../models/User.js";
import {
generateAccessToken,
generateRefreshToken,
} from "../utils/tokenUtils.js";
export const loginUser = async (req, res) => {
try {
const { email, password } = req.body;
// 1. Find user
const user = await User.findOne({ email }).select("+password");
// Use generic error to prevent user enumeration
if (!user) {
return res.status(401).json({ message: "Invalid credentials" });
}
// 2. Compare password
const isMatch = await bcrypt.compare(password, user.password);
if (!isMatch) {
return res.status(401).json({ message: "Invalid credentials" });
}
// 3. Generate tokens
const accessToken = generateAccessToken(user);
const refreshToken = generateRefreshToken(user);
// 4. Store refresh token hash in DB (for rotation/revocation)
user.refreshToken = await bcrypt.hash(refreshToken, 10);
await user.save();
// 5. Send refresh token as HTTP-only cookie
res.cookie("refreshToken", refreshToken, {
httpOnly: true,
secure: true, // HTTPS only
sameSite: "Strict", // CSRF protection
maxAge: 7 * 24 * 60 * 60 * 1000, // 7 days
path: "/api/auth", // Only sent to auth routes
});
// 6. Send access token in response body
res.json({
accessToken,
user: { id: user._id, email: user.email },
});
} catch (error) {
console.error("Login error:", error);
res.status(500).json({ message: "Internal server error" });
}
};
Step 2: Authentication Middleware
This protects your routes by validating the access token on every request.
It is crucial to validate and verify tokens on each request to prevent token tampering and expiration.
import { verifyAccessToken } from "../utils/tokenUtils.js";
export const authMiddleware = (req, res, next) => {
const authHeader = req.headers.authorization;
if (!authHeader || !authHeader.startsWith("Bearer ")) {
return res.status(401).json({ message: "No token provided" });
}
const token = authHeader.split(" ")[1];
try {
const decoded = verifyAccessToken(token);
req.user = decoded; // Attach user info to request
next();
} catch (error) {
if (error.name === "TokenExpiredError") {
return res.status(401).json({
message: "Token expired",
code: "TOKEN_EXPIRED",
});
}
if (error.name === "JsonWebTokenError") {
return res.status(401).json({
message: "Invalid token",
code: "INVALID_TOKEN",
});
}
return res.status(401).json({ message: "Authentication failed" });
}
};
Role-Based Authorization Middleware (Bonus):
Just because the token proves who someone is doesn't mean it should decide what they're allowed to do. That's a different layer of logic, and you have to keep the two separate.
export const authorize = (...roles) => {
return (req, res, next) => {
if (!req.user) {
return res.status(401).json({ message: "Not authenticated" });
}
if (!roles.includes(req.user.role)) {
return res.status(403).json({ message: "Insufficient permissions" });
}
next();
};
};
Step 3: Protect Routes
import express from "express";
import { authMiddleware } from "../middleware/auth.js";
import { authorize } from "../middleware/auth.js";
const router = express.Router();
// Any authenticated user
router.get("/dashboard", authMiddleware, (req, res) => {
res.json({ message: "Welcome to dashboard", user: req.user });
});
// Only admin users
router.get("/admin", authMiddleware, authorize("admin"), (req, res) => {
res.json({ message: "Admin panel", user: req.user });
});
// User profile
router.get("/profile", authMiddleware, (req, res) => {
res.json({ message: "Your profile", userId: req.user.sub });
});
export default router;
app.js (Main Entry):
import "dotenv/config";
import "./config/env.js"; // Validate env on startup
import express from "express";
import helmet from "helmet";
import cors from "cors";
import rateLimit from "express-rate-limit";
import authRoutes from "./routes/authRoutes.js";
import protectedRoutes from "./routes/protectedRoutes.js";
const app = express();
// Security middleware
app.use(helmet());
app.use(cors({ origin: process.env.CLIENT_URL, credentials: true }));
app.use(express.json({ limit: "10kb" })); // Limit body size
// Rate limiting
const limiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 100, // limit each IP to 100 requests per window
standardHeaders: true,
legacyHeaders: false,
});
app.use(limiter);
// Stricter rate limit for auth routes
const authLimiter = rateLimit({
windowMs: 15 * 60 * 1000,
max: 10, // Only 10 auth attempts per 15 minutes
});
// Routes
app.use("/api/auth", authLimiter, authRoutes);
app.use("/api", protectedRoutes);
app.listen(process.env.PORT || 3000, () => {
console.log(`Server running on port ${process.env.PORT || 3000}`);
});
Choosing the Right Signing Algorithm (RS256 vs HS256)
One of the most critical (and often overlooked) decisions in JWT security is choosing the right signing algorithm.
HS256 (Symmetric)
HS256 is a symmetric algorithm that shares one secret key between the identity provider and your application. The same key is used to sign a JWT and verify that signature.
RS256 (Asymmetric)
RS256 algorithm is an asymmetric algorithm that uses a private key to sign a JWT and a public key to verify that signature. RS256 is the recommended algorithm when signing your JWTs. It is more secure, and you can rotate keys quickly if they are compromised.
Recommendation for 2026
The option with the best security and performance is EdDSA, though ES256 is also a good choice. The most widely used option, supported by most technology stacks, is RS256.
For new applications: RS256 or ES256 are best for most scenarios requiring public key distribution. PS256 offers enhanced security over RS256 with probabilistic signatures. EdDSA is the most secure and efficient, excellent for new implementations.
| Algorithm | Type | Speed | Security Level | Best For |
|---|---|---|---|---|
| HS256 | Symmetric | ⚡ Fast | Good (if key is protected) | Internal, single-service apps |
| RS256 | Asymmetric | Moderate | Very Good | Multi-service, distributed systems |
| ES256 | Asymmetric (ECC) | Fast | Excellent | Modern apps, mobile |
| EdDSA | Asymmetric | ⚡ Fastest | Excellent | New implementations (2026 preferred) |
⚠️ Algorithm Confusion Attack
Algorithm confusion occurs when a system fails to properly verify the type of signature used in a JWT, allowing an attacker to exploit insufficient distinction between different signing methods. The most dangerous variant involves switching from RS256 to HS256.
Prevention: Never trust the algorithm declared in the JWT header alone. Use allowlists of accepted algorithms (['RS256'], ['HS256']) instead of denylists.
// ✅ ALWAYS specify the allowed algorithm
jwt.verify(token, secret, { algorithms: ["HS256"] });
// ❌ NEVER do this — allows any algorithm
jwt.verify(token, secret);
Token Storage: Where to Store JWTs Securely
This is one of the most debated topics in JWT security — and one of the areas where most tutorials get it wrong.
❌ localStorage / sessionStorage
If JWTs are stored in less secure places, like local storage, attackers can steal them using XSS attacks.
Storing JWTs in localStorage or sessionStorage is discouraged for sensitive use cases, as these storage mechanisms are accessible via JavaScript and more vulnerable to injection attacks.
✅ HTTP-only Cookies
When configured with security-focused attributes, HttpOnly, Secure, and SameSite cookies offer a more secure alternative. These settings help shield against XSS and CSRF, ensuring cookies are sent over secure connections and are inaccessible to client-side scripts.
res.cookie("refreshToken", token, {
httpOnly: true, // Not accessible via JavaScript
secure: true, // Only sent over HTTPS
sameSite: "Strict", // CSRF protection
maxAge: 7 * 24 * 60 * 60 * 1000,
path: "/api/auth", // Limit cookie scope
});
✅ In-Memory Storage (for access tokens)
Store the access token in a JavaScript variable (not localStorage). It's lost on page refresh, but that's solved with the refresh token flow.
Token Storage Comparison (2026)
| Method | XSS Safe | CSRF Safe | Persists | Recommended |
|---|---|---|---|---|
| localStorage | ❌ | ✅ | ✅ | ❌ Never for sensitive apps |
| sessionStorage | ❌ | ✅ | ❌ | ❌ Same risk as localStorage |
| HTTP-only Cookie | ✅ | ⚠️ (use SameSite) | ✅ | ✅ For refresh tokens |
| In-Memory (JS variable) | ✅ | ✅ | ❌ | ✅ For access tokens |
| BFF Pattern | ✅ | ✅ | ✅ | ✅✅ Best for production |
Mobile App Token Storage
For native apps, use platform-secure storage APIs. For example, in iOS, use Keychain, and in Android, use Keystore. Keychain and Keystore are designed to isolate sensitive information and provide encryption at rest, making them ideal for storing tokens.
The Backend for Frontend (BFF) Pattern
The BFF pattern is the gold standard for token security in 2026, especially for SPAs.
In this scenario, the backend has three core responsibilities: It interacts with the authorization server as a confidential client. It manages all the tokens on behalf of the SPA, which can't access them anymore. It proxies all requests to the API, embedding the access token before forwarding them. The SPA only interacts with the backend, relying on traditional cookies for authenticated sessions.
This architecture improves the security of token negotiation, since it now happens via a confidential client, and token storage, since it now occurs on the server side.
How It Works:
┌──────────┐ Cookie ┌───────┐ JWT Bearer ┌──────────┐
│ SPA │ ◄──────────► │ BFF │ ◄─────────────► │ API │
│ (React) │ (HttpOnly) │ Proxy │ (Access Token) │ (Server) │
└──────────┘ └───────┘ └──────────┘
│
│ OAuth 2.0 Flow
▼
┌──────────────┐
│ Auth │
│ Server │
└──────────────┘
Key Benefits:
- All authentication and token handling occurs server-side, including issuing Secure & HttpOnly cookies to maintain the session. This prevents JWTs from ever being exposed to browser storage or JavaScript access.
- The best security recommendation for SPA is to avoid storing tokens in the browser and create a lightweight backend to help with this process.
When to Use BFF:
Teams that choose JWTs for SPAs often later add BFF when security requirements increase. localStorage token storage is a common audit finding.
Access Token vs Refresh Token
For real-world apps, you need both tokens:
Access tokens should have a short expiration time, typically between 15 minutes to 1 hour.
In web and mobile scenarios, it's common to use JWTs that expire quickly, let's say within 5–15 minutes, and longer-lasting refresh tokens that allow the user to get a new JWT without logging in again.
| Token Type | Expiry | Storage | Purpose |
|---|---|---|---|
| Access Token | Short (5–15m) | Memory / Auth Header | API access |
| Refresh Token | Long (7–30 days) | HTTP-only cookie / DB | Get new access token |
Refresh Token Endpoint:
import { verifyRefreshToken, generateAccessToken } from "../utils/tokenUtils.js";
import User from "../models/User.js";
import bcrypt from "bcrypt";
export const refreshAccessToken = async (req, res) => {
const { refreshToken } = req.cookies;
if (!refreshToken) {
return res.status(401).json({ message: "No refresh token" });
}
try {
// 1. Verify the refresh token
const decoded = verifyRefreshToken(refreshToken);
// 2. Find user & check stored refresh token
const user = await User.findById(decoded.sub);
if (!user || !user.refreshToken) {
return res.status(401).json({ message: "Invalid refresh token" });
}
// 3. Compare with stored hash (rotation detection)
const isValid = await bcrypt.compare(refreshToken, user.refreshToken);
if (!isValid) {
// Possible token theft — invalidate ALL tokens for this user
user.refreshToken = null;
await user.save();
return res.status(401).json({ message: "Token reuse detected" });
}
// 4. Rotate: Generate new tokens
const newAccessToken = generateAccessToken(user);
const newRefreshToken = generateRefreshToken(user);
// 5. Store new refresh token hash
user.refreshToken = await bcrypt.hash(newRefreshToken, 10);
await user.save();
// 6. Set new refresh token cookie
res.cookie("refreshToken", newRefreshToken, {
httpOnly: true,
secure: true,
sameSite: "Strict",
maxAge: 7 * 24 * 60 * 60 * 1000,
path: "/api/auth",
});
res.json({ accessToken: newAccessToken });
} catch (error) {
return res.status(401).json({ message: "Invalid refresh token" });
}
};
Why Rotate Refresh Tokens?
If an attacker steals a refresh token and the legitimate user also uses it, the server detects token reuse and can invalidate all sessions for that user. This is a critical security pattern for 2026.
Token Fingerprinting (Advanced)
An advanced technique to bind tokens to a specific client, making stolen tokens useless:
import crypto from "crypto";
import jwt from "jsonwebtoken";
function generateTokenWithFingerprint(user, req) {
// Generate unique fingerprint from client characteristics
const fingerprint = crypto
.createHash("sha256")
.update(req.get("User-Agent") || "")
.update(req.ip)
.digest("hex");
const accessToken = jwt.sign(
{
sub: user._id,
fingerprint: fingerprint.substring(0, 16),
},
process.env.JWT_ACCESS_SECRET,
{ expiresIn: "15m" }
);
return accessToken;
}
// Verify fingerprint in middleware
function authenticateWithFingerprint(req, res, next) {
// ... verify token as usual, then:
const expectedFingerprint = crypto
.createHash("sha256")
.update(req.get("User-Agent") || "")
.update(req.ip)
.digest("hex")
.substring(0, 16);
if (decoded.fingerprint !== expectedFingerprint) {
return res.status(401).json({ error: "Token fingerprint mismatch" });
}
next();
}
⚠️ Note: Token fingerprinting adds defense in depth but isn't foolproof (User-Agent can be spoofed, IPs can change). Use it as an additional layer, not the only protection.
⚠️ Common Mistakes (Most Tutorials Ignore These)
1. Storing Sensitive Data in JWT
Encryption is only necessary if sensitive data is included. In most systems, it is safer to avoid storing confidential information inside tokens at all.
Never store:
- Passwords
- API keys
- Full user profiles
- Confidential business data
✅ Only store: user ID, email (if needed), role, expiry.
2. No Expiration Time
Technically, once a token is signed, it is valid forever—unless the signing key is changed or expiration explicitly set. This could pose potential issues so have a strategy for expiring and/or revoking tokens.
Always set expiry:
{ expiresIn: "15m" } // For access tokens
{ expiresIn: "7d" } // For refresh tokens
3. Using localStorage Blindly
Although it is pretty easy to use these storages, they are vulnerable to XSS attacks. If an attacker injects a script, it can access the stored data, which poses a risk when storing sensitive information like JWTs.
4. Not Whitelisting Algorithms
When verifying or decrypting the token you should always check the value of this claim with a list of algorithms that your system accepts. This mitigates an attack vector where someone would tamper with the token and make you use a different, probably less secure algorithm. You should prefer allow-lists over deny-lists. There were attacks on APIs that leveraged the fact that even though the server was configured to deny the none algorithm it was still accepting noNe as a valid option. Once the server accepted the token, it was treating it as "signed" with the none algorithm.
5. Using Same Secret for Access & Refresh Tokens
Always use separate secrets. If one is compromised, the other remains safe.
6. Not Validating All Claims
Always fully validate JWTs, including signature, issuer, and audience. Never use access tokens and ID tokens interchangeably.
7. Mixing Authentication & Authorization in the Token
Use the token to identify the user, and leave the access decisions to your authorization layer. The JWT tells you who the user is. That's its job. From there, your app can figure out what that user is allowed to do—based on real-time data, current system state, relationships, and dynamic rules.
🚨 2026 Threat Landscape — Why This Matters Now
As we move into 2026, Node.js applications are facing more risks than ever before. Hackers are no longer using simple methods. They are using automated tools, AI-based attacks, and supply chain vulnerabilities to break into applications. A single weak dependency, leaked API key, or unprotected endpoint can lead to serious data loss, downtime, or financial damage.
Key 2026 Security Statistics:
- By 2026, more than half of Node.js security incidents are expected to come from compromised dependencies. This makes regular audits and automatic updates extremely important.
- Attacks on JavaScript-based backends are increasing rapidly. Between 2024 and 2026, security incidents are expected to rise by more than 60%, mainly due to dependency risks and AI-powered attacks.
Recent JWT-Specific Threats:
Recent high-profile breaches involving JSON Web Tokens have highlighted persistent risks, with six major CVEs disclosed in 2025 affecting cloud platforms and enterprise systems.
Six critical CVEs from 2025 dominate the updated JWT vulnerabilities list, targeting libraries and cloud services used in SaaS and enterprise stacks. These include CVE-2025-4692 (cloud platform flaw), CVE-2025-30144 (library bypass), exposing millions to remote code execution risks.
Node.js Buffer Vulnerability (January 2026):
A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the vm module with the timeout option. Under specific timing conditions, buffers may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak. While exploitation typically requires precise timing, it can become remotely exploitable when untrusted input influences workload and timeouts.
Action Item: Run
npm auditregularly, update Node.js to the latest security patch, and audit yourjsonwebtokenversion.
Production Best Practices (2026 Checklist)
Transport Security
- Do not send tokens over non-HTTPS connections as those requests can be intercepted and tokens compromised.
- By 2026, TLS 1.3 will become the standard.
Key Management
- Keys should be rotated regularly according to security policy or risk level. Rotation limits damage if a key is exposed and is considered a standard best practice.
- Use separate secrets for access and refresh tokens
- Store secrets in environment variables / secret managers (never in code)
Token Design
- Keep claims minimal: common claims include a user ID and expiration timestamp. Use identifiers instead of verbose objects.
- Avoid placing sensitive or business data in JWTs, especially across organizational boundaries.
- Use short-lived tokens to reduce the risk of token theft.
Validation
- Use asymmetric signing keys and centralized key management.
- Always validate claims: iss, aud, exp, nbf, and jti for freshness.
Infrastructure
- Implement rate limiting on auth endpoints
- Add CSRF protection when using cookies
- Use Helmet.js for security headers
- Implement logging and monitoring for auth events
- Assume zero trust, even for internal traffic and service-to-service communication.
Dependencies
- Run
npm auditon every build - Use
npm audit fixor tools likeSnyk/Socket.dev - Pin dependency versions in production
- Security is no longer optional. It is a core part of development.
Bonus: Logout Strategy
JWT is stateless, so logout is tricky. Here are your options ranked by effectiveness:
Option 1: Short-Lived Access Tokens (Simplest)
- Access tokens expire in 5–15 minutes
- On "logout", just delete the client-side token and refresh cookie
- The access token becomes useless quickly
export const logout = (req, res) => {
res.clearCookie("refreshToken", {
httpOnly: true,
secure: true,
sameSite: "Strict",
path: "/api/auth",
});
res.json({ message: "Logged out successfully" });
};
Option 2: Token Blacklist (Redis-backed)
import Redis from "ioredis";
const redis = new Redis();
export const logout = async (req, res) => {
const token = req.headers.authorization?.split(" ")[1];
if (token) {
const decoded = jwt.decode(token);
const ttl = decoded.exp - Math.floor(Date.now() / 1000);
if (ttl > 0) {
await redis.set(`blacklist:${token}`, "true", "EX", ttl);
}
}
res.clearCookie("refreshToken", {
httpOnly: true,
secure: true,
sameSite: "Strict",
path: "/api/auth",
});
res.json({ message: "Logged out" });
};
// In auth middleware, add:
const isBlacklisted = await redis.get(`blacklist:${token}`);
if (isBlacklisted) {
return res.status(401).json({ message: "Token revoked" });
}
Option 3: Token Version in DB
- Store a
tokenVersionfield on the user - Include it in the JWT payload
- On logout, increment the version
- Middleware rejects tokens with old versions
Strategy Comparison:
| Strategy | Instant Logout | Scalability | Complexity | Statefulness |
|---|---|---|---|---|
| Short-lived tokens only | ❌ (up to 15m delay) | ✅ Excellent | ✅ Simple | Stateless |
| Redis blacklist | ✅ | ✅ Good | ⚠️ Medium | Adds state |
| DB token version | ✅ | ⚠️ DB hit per request | ⚠️ Medium | Adds state |
| Refresh token deletion | ⚠️ (on next refresh) | ✅ Excellent | ✅ Simple | Mostly stateless |
My Thoughts
JWT is not a protocol but merely a message format. The RFC just shows you how you can structure a given message and how you can add layers of security. JWTs are not secure just because they are JWTs; it's the way in which they're used that determines whether they are secure or not.
JWT is powerful, but only if used correctly.
In 2026, the stakes are higher than ever. Hackers are using automated tools, AI-based attacks, and supply chain vulnerabilities to break into applications. A casual implementation is no longer acceptable.
Your 2026 JWT Action Checklist:
- ✅ Use separate secrets for access & refresh tokens
- ✅ Set short expiry (5–15m) for access tokens
- ✅ Store refresh tokens in HTTP-only cookies
- ✅ Whitelist algorithms (never trust the
algheader blindly) - ✅ Implement refresh token rotation with reuse detection
- ✅ Add rate limiting on auth endpoints
- ✅ Use HTTPS everywhere (TLS 1.3)
- ✅ Consider the BFF pattern for SPAs
- ✅ Run
npm auditand keep Node.js updated - ✅ Validate all claims:
iss,aud,exp,nbf
"JWT is not just about generating tokens — it's about managing trust."
Further Reading & Resources
- RFC 7519 — JSON Web Token Specification
- RFC 8725 — JWT Best Current Practices
- OWASP JWT Cheat Sheet
- jwt.io — JWT Debugger & Library Directory
- Node.js Security Releases
- Auth0 Token Best Practices
- Curity JWT Best Practices
If You Found This Useful
Follow for more real-world backend guides.
Also, check out my other articles:
- Node.js Architecture Patterns
- API Security Deep Dive
- Performance Optimization for Node.js
- OAuth 2.0 & OpenID Connect Explained
Top comments (0)