SkillsMay 16, 2026·3 min read

jsonwebtoken — JSON Web Token Implementation for Node.js

The standard library for signing, verifying, and decoding JWTs in Node.js applications, used by Auth0 and thousands of production APIs.

Agent ready

Ready-to-run agent install

This asset can be installed after the agent chooses its runtime, checks the plan, and runs the matching command.

Native · 98/100Policy: allow
Agent surface
Any MCP/CLI agent
Kind
Skill
Install
Single
Trust
Trust: Established
Entrypoint
jsonwebtoken Overview
Direct install command
npx -y tokrepo@latest install 8db5897e-50fe-11f1-9bc6-00163e2b0d79 --target codex

Run after dry-run confirms the install plan.

Introduction

jsonwebtoken is the reference JWT library for Node.js, implementing RFC 7519 for creating and validating tokens. It handles HMAC and RSA/ECDSA signing out of the box and is the backbone of stateless authentication in Express, Fastify, and NestJS applications.

What jsonwebtoken Does

  • Signs payloads into compact JWT strings using HS256, RS256, ES256, and other algorithms
  • Verifies token signatures and expiration, returning the decoded payload or throwing specific errors
  • Supports asymmetric keys (RSA, EC, Ed25519) for distributed verification without sharing secrets
  • Allows custom claims, audience, issuer, and subject validation
  • Provides a synchronous and callback-based API for flexibility

Architecture Overview

The library splits into three phases: header construction, payload serialization, and signature computation. It base64url-encodes the header and payload, concatenates them with a dot separator, then signs using Node.js's crypto module. Verification reverses the process: it splits the token, re-computes the signature, and performs timing-safe comparison before validating claims like exp, nbf, aud, and iss.

Self-Hosting & Configuration

  • Install via npm with zero native dependencies
  • Pass secrets as strings or Buffers; asymmetric keys as PEM strings or KeyObjects
  • Set expiresIn as a human-readable string ('2h', '7d') or numeric seconds
  • Use algorithms option in verify to restrict accepted signing methods and prevent algorithm confusion attacks
  • Combine with Express middleware or Passport.js for route-level authentication

Key Features

  • Full RFC 7519 compliance with support for all standard registered claims
  • Algorithm allowlist in verify prevents none-algorithm and confusion attacks
  • Over 18,000 GitHub stars and 50 million weekly npm downloads
  • Synchronous API for simple scripts, callback API for async flows
  • Maintained by Auth0 with regular security patches

Comparison with Similar Tools

  • jose — modern, Web Crypto-based, supports JWE and JWK; jsonwebtoken is simpler and Node-only
  • passport-jwt — a Passport strategy that wraps jsonwebtoken for Express integration
  • fast-jwt — faster verification via caching; jsonwebtoken is more broadly tested and adopted
  • express-jwt — middleware layer on top of jsonwebtoken for automatic token extraction
  • Auth.js — full authentication framework; jsonwebtoken is a low-level primitive for custom flows

FAQ

Q: Is HS256 safe for production? A: Yes, if the secret is long (32+ bytes) and kept confidential. For microservices where verifiers should not hold the signing key, use RS256 or ES256 instead.

Q: How do I handle token expiration gracefully? A: Catch the TokenExpiredError from jwt.verify() and issue a refresh flow. The error includes the decoded payload via the expiredAt property.

Q: Can I store JWTs in cookies? A: Yes. Use HttpOnly, Secure, SameSite=Strict cookies to prevent XSS and CSRF when using JWTs for session management.

Q: Does it support Ed25519? A: Yes, via the EdDSA algorithm option when using Node.js 16+ with Ed25519 key pairs.

Sources

Discussion

Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.

Related Assets