Creating Secure API using Node.js, Express Js and Passport-JWT

Creating Secure API using Node.js, Express Js and Passport-JWT

Node.js is a server-side platform built on Google Chrome's JavaScript Engine (V8 Engine). It is an open-source, cross-platform runtime environment for executing Javascript code outside of the browser. Node.js is used for developing server-side and networking applications.

  1. Steps for the Installation of Node.js  
    1. For Windows Users 
      1. Go to
      2. Click on windows-installer.
      3. Now click on “continue” for all the popup screens.
      4. Check the node version by running the command
        node -v
        Check the node version by running the command: node -v
    2. For ubuntu/mac users
      1. The first step is to check node version using the below-mentioned commands

        $ node -v
        $ v5.0.0
      2. The next step is to check npm version using the below-mentioned commands

        $ npm -v
        $ 4.0.0
      3. If ‘YES’, then go to the next step; and if ‘NOT’, then Remove node by -
        $ sudo apt-get remove --purge nodejs
      4. Now, Install again using
        $ sudo apt-get install curl
      5. Download node package

        $ curl -sL | sudo bash -
        Note: You can use any version instead of 10.x such as 8.x, 6.x
      6. Lets install NodeJS package
        $ sudo apt-get install -y nodejs
        Check node and npm version using the above commands and make sure it is greater than or equal to the given value.
  2. Create your first simple Node.js project

    1. Create the folder “node-project”

    2. Create file “app.js” in that and add the below code.

    3. Run command “node app.js”
      Run command “node app.js”

    4. It will print “Hello! World” in the command line.

3. Creating Secure API using Node.js, Express Js and Passport-JWT

Express Js: Express js is a web application framework for Node.js. It is a third-party library, used for routing. 

Passport-JWT: This module lets you authenticate API endpoints using a JSON web tokens. It is used to secure RESTful endpoints without sessions.

Npm: It is a ‘Node Package Manager’, basically a command-line tool, as well as a registry for third party library, which can add our node applications.

Steps For Creating Secure Node Api  

 1. Create folder ‘ Node-project ‘ and inside the folder run command

 npm init

it will create the package.json file. This file will contain the details about the project like name, author, version, dependencies and GitHub related items etc.
create the package.json file containing the details about the project like name, author, version, dependencies and GitHub related items etc


2. Then, Run the command inside of the root folder.

npm install --save express passport passport-local passport-jwt jsonwebtoken 

Then, check the package.json. It will contain all the above modules.

3. Create file “app.js” and include the installed modules in app.js file using require keyword.

4. Create one more folder called “API” inside the root folder and create a file called user.js and add the following code as shown below:

Creation and Storage of JWT : 

Const token = jwt.sign({ userName: response.userName, userId: response.userId }, "secretekey");
  1. When user logins, first we check wheather user exists in our database or not.
  2. If user exists, then create the token (which will be the combination of the user object and secret key). It is JWT(JSON Web Token).
  3.  It will be stored in the client-side (typically local storage).
  4.  Whenever a user requests to access API, we will pass the token to our middleware function to verify the token is valid or not. If it is valid, only then we will allow accessing our API endpoints.


5. Now add the lines to our “app.js”

app.get('/login', user.login);

6. Now create one more folder called middleware, and inside middleware folder create file passport.js. In passport.js add the following code.

Here, I am using the passport-jwt strategy. Once the token is stored in the client-end while accessing our API, we call this function and decrypt the token using the “secret key” and again we check whether user exists in our database or not. If it exists, it will return the user object as a response and then it will call our API endpoint. If the user does not exist, then it will show the error “Unauthorised”.

7.  Then include this file to our app.js . i.e


8. Create one function and fetch all user data in user.js. Add the below-mentioned code.

9. Then add our middleware passport-jwt in app.js.

passport.authenticate('jwt', {session: false})

10. While accessing our api /userData,it will call the middleware. If the token is valid, only then, it will allow accessing the getAllUsers function in user.js or else it will show the error as “Unauthorised”