Normally, first you check the credentials, then you create a JWT and return it (you can set a cookie for it).
```js
const bodyParser = require('body-parser')
const express = require('express')
const jsonwebtoken = require('jsonwebtoken')

const withBody = bodyParser.json()
const jwtKey = process.env['JWT_KEY'] || 'shared-secret'
const app = express()

app.post('/api/login', withBody, (req, res) => {
  const userId = 1 /* Get credentials somehow */
  // Sign the claims with the shared secret (HS256 by default)
  const jwt = jsonwebtoken.sign({ sub: userId }, jwtKey)
  // Hand the token back both as a cookie and in the JSON body
  res.cookie('jwt', jwt)
  res.json({ jwt })
})

app.listen(3000)
```
Then in each endpoint where you require auth, you get that token, then parse and validate it to get its content (claims).
There are more things to get done, like expiration dates, refresh tokens, etc. So I recommend using a service like Auth0.