
JWT token generation and verification in Node.js - Step-by-Step Execution

Concept Flow - JWT token generation and verification
Start
Create Payload
Sign Payload with Secret
Generate JWT Token
Send Token to Client
Client Sends Token Back
Verify Token with Secret
If Valid -> Access Granted
If Invalid -> Access Denied
This flow shows how a JWT token is created by signing data, sent to a client, then verified later to allow or deny access.
Execution Sample
Node.js
import jwt from 'jsonwebtoken';

// Shared secret used for both signing and verifying (HS256 by default).
const secret = 'mysecret';
// Claims to encode; jsonwebtoken also adds an iat (issued-at) claim to object payloads.
const payload = { userId: 123 };

// Produces the header.payload.signature string.
const token = jwt.sign(payload, secret);

// Returns the decoded payload if the signature matches; throws a JsonWebTokenError otherwise.
const verified = jwt.verify(token, secret);
This code creates a JWT token from a payload and secret, then verifies the token using the same secret.
Execution Table
| Step | Action | Input | Output | Notes |
|---|---|---|---|---|
| 1 | Define secret | 'mysecret' | 'mysecret' | Secret key for signing and verifying |
| 2 | Create payload | { userId: 123 } | { userId: 123 } | Data to encode in token |
| 3 | Sign payload | payload + secret | JWT token string | Token is a long string with header.payload.signature |
| 4 | Send token | JWT token string | Token sent to client | Client stores token |
| 5 | Receive token | Token from client | JWT token string | Token sent back for verification |
| 6 | Verify token | Token + secret | { userId: 123 } | Returns decoded payload if valid |
| 7 | Access decision | Verification result | Access granted | If token valid, allow access |
| 8 | End | - | - | Process complete |
💡 Verification fails if the token has been tampered with or the secret is wrong, and access is then denied.
Variable Tracker
| Variable | Start | After Step 2 | After Step 3 | After Step 6 | Final |
|---|---|---|---|---|---|
| secret | undefined | 'mysecret' | 'mysecret' | 'mysecret' | 'mysecret' |
| payload | undefined | { userId: 123 } | { userId: 123 } | { userId: 123 } | { userId: 123 } |
| token | undefined | undefined | JWT token string | JWT token string | JWT token string |
| verified | undefined | undefined | undefined | { userId: 123 } | { userId: 123 } |
Key Moments - 3 Insights
Why do we need the same secret for signing and verifying the JWT token?
Because the secret is the key used to compute the signature part of the token. If a different secret is used during verification, the recomputed signature won't match the one in the token and verification fails. See execution_table step 6.
What happens if the token is changed after it is created?
If the token is tampered with, the signature no longer matches the header and payload, so verification fails and access is denied. This is what protects the token's integrity. See execution_table exit_note.
Is the payload data encrypted in the JWT token?
No, the payload is only encoded (base64url), not encrypted. Anyone holding the token can read it, but cannot change it without invalidating the signature, which requires the secret to recompute. See execution_table step 3.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution_table: what is the value of 'verified' after step 6?
A. { userId: 123 }
B. JWT token string
C. undefined
D. Access granted
💡 Hint: Check the 'verified' variable value in variable_tracker after step 6.
At which step is the JWT token string created?
A. Step 2
B. Step 3
C. Step 5
D. Step 6
💡 Hint: Look at the 'Action' and 'Output' columns in execution_table for token creation.
If the secret used in step 6 is different from the one used in step 3, what happens?
A. Verification succeeds
B. Token is regenerated
C. Verification fails
D. Payload changes
💡 Hint: Refer to key_moments about secret matching and verification.
Concept Snapshot
JWT token generation and verification:
- Use jwt.sign(payload, secret) to create token
- Token includes header, payload, and signature
- Send token to client for authentication
- Use jwt.verify(token, secret) to check token validity
- Same secret must be used for signing and verifying
- Payload is encoded, not encrypted
Full Transcript
This visual execution shows how JWT tokens are generated and verified in Node.js. First, a secret key is defined. Then, a payload object with user data is created. The payload is signed with the secret using jwt.sign, producing a JWT token string. This token is sent to the client, who stores it. Later, the client sends the token back to the server. The server verifies the token using jwt.verify with the same secret. If verification succeeds, the decoded payload is returned and access is granted. If verification fails, access is denied. The same secret must be used for signing and verifying, since the signature can only be recomputed with it. The payload is only encoded, so it can be read by anyone holding the token but cannot be changed without invalidating the signature.