Concept Flow - JWT strategy

Client sends login request

↓

Server verifies user credentials

↓

Server creates JWT token

↓

Client stores JWT token

↓

Client sends request with JWT in header

↓

JWT Strategy extracts token

↓

JWT Strategy verifies token signature and expiry

↓

Allow access

This flow shows how JWT strategy in NestJS checks a token from client requests to allow or deny access.

Execution Sample

NestJS

import { Injectable } from '@nestjs/common';
import { PassportStrategy } from '@nestjs/passport';
import { ExtractJwt, Strategy } from 'passport-jwt';

@Injectable()
export class JwtStrategy extends PassportStrategy(Strategy) {
  constructor() {
    super({
      jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
      secretOrKey: 'secretKey',
    });
  }

  async validate(payload: any) {
    return { userId: payload.sub, username: payload.username };
  }
}

This code defines a JWT strategy that extracts and verifies JWT tokens from request headers.

Execution Table

Step	Action	Input/State	Output/Result
1	Client sends login request	User credentials	Credentials received by server
2	Server verifies credentials	Credentials	Valid user or error
3	Server creates JWT token	User info	JWT token with payload and signature
4	Client stores JWT token	JWT token	Token saved in client storage
5	Client sends request with JWT	JWT in Authorization header	Request with token arrives at server
6	JWT Strategy extracts token	Request headers	Extracted JWT token string
7	JWT Strategy verifies token	JWT token string	Valid token or invalid error
8	If valid, validate() runs	Token payload	User info object returned
9	If invalid, access denied	Invalid token	Unauthorized error response
10	Request proceeds with user info	User info from validate()	Access granted to protected route

💡 Execution stops if token is invalid or missing, denying access.

Variable Tracker

Variable	Start	After Step 3	After Step 6	After Step 7	After Step 8	Final
credentials	undefined	user input	user input	user input	user input	used for token creation
jwtToken	undefined	created JWT string	created JWT string	verified JWT string	verified JWT string	passed to validate()
payload	undefined	undefined	undefined	extracted from JWT	payload object	user info returned
userInfo	undefined	undefined	undefined	undefined	{ userId, username }	used for access control

Key Moments - 3 Insights

Why does the JWT strategy extract the token from the Authorization header?

What happens if the JWT token is expired or invalid?

Why does the validate() method return user info?

Visual Quiz - 3 Questions

Test your understanding

Look at the execution_table, at which step does the JWT token get created?

AStep 8

BStep 6

CStep 3

DStep 10

Concept Snapshot

JWT Strategy in NestJS:
- Extracts JWT from Authorization header
- Verifies token signature and expiry
- On valid token, validate() returns user info
- On invalid token, denies access
- Used to protect routes by confirming user identity

Full Transcript

This visual execution trace shows how the JWT strategy in NestJS works step-by-step. First, the client sends login credentials to the server. The server verifies these credentials and creates a JWT token containing user info. The client stores this token and sends it with future requests in the Authorization header. The JWT strategy extracts the token from the header, verifies its signature and expiry. If valid, the validate() method returns user info from the token payload, allowing access to protected routes. If invalid, the request is denied with an unauthorized error. Variables like credentials, jwtToken, payload, and userInfo change state through these steps, helping track the flow. Key moments clarify why the token is extracted from headers, what happens on invalid tokens, and the purpose of validate(). The quizzes test understanding of token creation, payload extraction, and invalid token handling. This helps beginners see exactly how JWT strategy processes tokens to secure NestJS applications.