whatisgithub

What is express-jwt?

auth0/express-jwt — explained in plain English

Analysis updated 2026-06-26

4,510TypeScriptAudience · developerComplexity · 2/5Setup · easy

In one sentence

Express middleware maintained by Auth0 that automatically validates JSON Web Tokens on incoming requests, blocks invalid or expired ones, and puts the decoded user identity on the request object for your route handlers.

Mindmap

mindmap
  root((express-jwt))
    What it does
      Validates JWT tokens
      Blocks bad requests
      Exposes user identity
    Configuration
      Secret key or keypair
      Signing algorithm
      Token location
    Advanced features
      Dynamic key retrieval
      Token revocation check
      Route-level skip
    Tech stack
      TypeScript
      Node.js
      Express middleware
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Protect Express API routes so only requests with a valid login token are allowed through

USE CASE 2

Decode JWT payload and make user identity available to downstream route handlers with no extra code

USE CASE 3

Support multiple token issuers or public-key signing by providing a dynamic key-retrieval function

USE CASE 4

Implement token revocation by hooking in a custom check that queries your database or cache

What is it built with?

TypeScriptNode.jsExpress

How does it compare?

auth0/express-jwttypestack/routing-controllerszdhxiong/mdui
Stars4,5104,5094,509
LanguageTypeScriptTypeScriptTypeScript
Setup difficultyeasymoderateeasy
Complexity2/53/52/5
Audiencedeveloperdeveloperdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 30min

Requires an existing Express app and a JWT secret or public key, basic setup is a single middleware call.

So what is it?

This library is a piece of middleware for Express, a popular framework for building web servers in JavaScript. Its specific job is to check incoming requests for a JWT, which stands for JSON Web Token. A JWT is a small, self-contained string that a server hands out when a user logs in, and which that user then sends along with future requests to prove who they are. This library reads that token, validates it, and if it checks out, makes the user's identity information available to the rest of the application. Setting it up is straightforward for a developer. You add it as a step in your request-handling chain, pass it a secret key, and specify which signing algorithm to expect. From that point on, any route you protect with it will automatically reject requests that lack a valid token or carry one that has expired, been tampered with, or fails any other check. The decoded token data ends up on the request object, where your own code can read it to decide what a given user is allowed to do. The library covers several practical scenarios beyond the basics. If your application issues tokens using a public and private key pair rather than a shared secret, that is supported. You can provide a custom function that retrieves the verification key dynamically, which is useful when multiple issuers with different keys might be sending tokens. There is also support for checking whether a specific token has been revoked, for cases where you need to invalidate credentials before they naturally expire. Other options let you choose where in the request the token lives, skip authentication on certain routes using an unless helper, and configure how expired tokens are handled. If a token is invalid, the library throws an error that your existing Express error handler can catch and respond to however you prefer. The library is maintained by Auth0, a company that specializes in authentication services.

Copy-paste prompts

Prompt 1
Add express-jwt to my Express API to protect all routes under /api so requests without a valid JWT get a 401 response.
Prompt 2
My Express app uses RS256 public-key JWT signing instead of a shared secret. How do I configure express-jwt to verify tokens using a PEM public key?
Prompt 3
How do I use the unless helper with express-jwt to skip token validation for the /login and /register routes?
Prompt 4
A user logged out and I want to reject their JWT even though it has not expired yet. How do I implement token revocation with express-jwt?
Prompt 5
express-jwt is throwing an UnauthorizedError but I want to return a custom JSON error body. How do I set up the Express error handler to catch it?

Frequently asked questions

What is express-jwt?

Express middleware maintained by Auth0 that automatically validates JSON Web Tokens on incoming requests, blocks invalid or expired ones, and puts the decoded user identity on the request object for your route handlers.

What language is express-jwt written in?

Mainly TypeScript. The stack also includes TypeScript, Node.js, Express.

How hard is express-jwt to set up?

Setup difficulty is rated easy, with roughly 30min to a first successful run.

Who is express-jwt for?

Mainly developer.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.