Security & Quality
JWT Token Authentication
Implement JWT-based stateless authentication with token signing, verification, and refresh token flows.
Claude Code Cursor Copilot Windsurf Gemini CLI Codex
Overview
JSON Web Tokens (JWT) provide a compact, URL-safe way to represent claims between parties. The jsonwebtoken library is the most popular JWT implementation for Node.js, supporting HMAC, RSA, and ECDSA algorithms for token signing and verification. It enables stateless authentication where the server does not need to store session data.
JWTs consist of three parts: a header specifying the algorithm, a payload containing claims (user data, expiration, issuer), and a signature ensuring integrity. The library supports standard claims like `exp` (expiration), `iss` (issuer), `sub` (subject), and `aud` (audience), plus custom claims for application-specific data like user roles or permissions.
For production use, JWTs are typically paired with refresh tokens to balance security and user experience. Short-lived access tokens (15 minutes) limit the window of compromise, while longer-lived refresh tokens allow seamless token renewal. The library supports asymmetric algorithms (RS256, ES256) for scenarios where token verification needs to happen without access to the signing key.
Who Is This For?
- Build stateless API authentication with access tokens
- Implement refresh token rotation for secure sessions
- Create signed tokens for email verification links
- Validate JWTs in API middleware with role checks
Installation
Setup for Claude Code
npm install jsonwebtoken && npm install -D @types/jsonwebtoken
Configuration
import jwt from "jsonwebtoken"
const SECRET = process.env.JWT_SECRET!
// Sign a short-lived access token carrying the user's id and role
const token = jwt.sign(
  { userId: user.id, role: user.role },
  SECRET,
  { expiresIn: "15m" }
)
// Verify a token; pin the expected algorithm so the token's own header cannot choose it
const payload = jwt.verify(token, SECRET, { algorithms: ["HS256"] })