Implementing JWT Authentication and Refresh Tokens in Node.js

Published on December 16, 2025 | M.E.A.N Stack Development
WhatsApp Us

Implementing JWT Authentication and Refresh Tokens in Node.js: A Secure Guide

Implementing secure JWT authentication nodejs involves using short-lived access tokens paired with long-lived refresh tokens stored in httponly cookie jwt containers. This pattern, known as refresh token rotation, enhances security by minimizing the exposure of credentials and providing a mechanism for silent, secure re-authentication. The core of a secure auth nodejs system lies in proper token generation, storage, validation, and revocation.

  • Use Access Tokens (short-lived, 15 mins) for API authorization, sent in the Authorization header.
  • Use Refresh Tokens (long-lived, 7 days) solely to obtain new access tokens, stored in HttpOnly, Secure, SameSite cookies.
  • Implement token rotation to issue a new refresh token with each use, invalidating the old one.
  • Always validate token signatures and maintain a server-side blocklist for immediate revocation.

Authentication is the cornerstone of modern web applications. For developers building APIs with Node.js and Express, JSON Web Tokens (JWTs) have become the de facto standard. However, a basic JWT implementation is fraught with security pitfalls. This guide moves beyond theory to deliver a production-ready, secure authentication system using access and refresh tokens—a critical skill for any developer aiming to build robust, user-friendly applications.

What is JWT Authentication?

A JSON Web Token (JWT) is a compact, URL-safe token that securely transmits information between parties as a JSON object. In jwt authentication nodejs, after a user successfully logs in with their credentials, the server generates a JWT (the access token) and sends it back to the client. The client then includes this token in the header of subsequent requests to access protected routes and resources. The beauty of JWT lies in its statelessness; the server doesn't need to store session data, as the token itself contains all the necessary verified information (like user ID and role).

The Critical Need for Refresh Tokens

If JWTs are so useful, why not just make them last for weeks? Security. A long-lived access token is a major liability if it's stolen—an attacker has prolonged access. Conversely, a very short-lived token (e.g., 15 minutes) forces users to log in constantly, ruining the user experience.

This is where refresh tokens solve the dilemma. They are separate, long-lived tokens (e.g., 7 days) whose only job is to obtain a new access token. The client uses a valid refresh token to hit a dedicated `/refresh` endpoint, which returns a brand new short-lived access token. This process is silent and happens behind the scenes, keeping the user logged in securely.

Access Token vs. Refresh Token: A Comparison

Criteria Access Token Refresh Token
Primary Purpose Authorize API requests to access protected resources. Securely obtain a new access token without re-entering credentials.
Lifespan Short (e.g., 5-15 minutes). Long (e.g., 7 days, 30 days).
Storage on Client In memory (JavaScript variable) or a non-HTTPOnly cookie for SPA frameworks. Securely in an HttpOnly, Secure, SameSite cookie.
Transmission Via the `Authorization: Bearer <token>` header. Automatically via cookies when calling the refresh endpoint.
Revocation Strategy Expires quickly; can be added to a short-lived blocklist. Requires a server-side token store or blocklist for immediate revocation.
Risk if Stolen Limited window of malicious access. High risk; allows generation of new access tokens.

Step-by-Step: Implementing Secure Auth in Node.js

Let's build a practical implementation. We'll use Express.js, the `jsonwebtoken` library, and a simple in-memory store for demonstration (use a database like Redis in production).

Step 1: Project Setup and Dependencies

  1. Initialize a new Node.js project: `npm init -y`
  2. Install required packages:
    • `npm install express jsonwebtoken bcryptjs cookie-parser dotenv`
  3. Create a `.env` file to store secrets:
    • `ACCESS_TOKEN_SECRET=your_super_secret_access_key_here`
    • `REFRESH_TOKEN_SECRET=your_super_secret_refresh_key_here`

Step 2: Creating and Signing Tokens

We'll create helper functions to generate both tokens. The refresh token will be stored server-side.


// utils/generateTokens.js
const jwt = require('jsonwebtoken');

const generateAccessToken = (user) => {
    return jwt.sign(
        { userId: user.id, email: user.email },
        process.env.ACCESS_TOKEN_SECRET,
        { expiresIn: '15m' }
    );
};

const generateRefreshToken = (user) => {
    const refreshToken = jwt.sign(
        { userId: user.id },
        process.env.REFRESH_TOKEN_SECRET,
        { expiresIn: '7d' }
    );
    // In production, store this in a database (e.g., Redis) with user ID
    // refreshTokenStore[user.id] = refreshToken;
    return refreshToken;
};

Step 3: The Login Endpoint

This endpoint validates credentials and sets the refresh token as an HttpOnly cookie.

  1. Validate user email and password (using bcrypt to compare hashes).
  2. Generate a new access token and a new refresh token.
  3. Store the refresh token in your database associated with the user.
  4. Send the access token in the JSON response and the refresh token in a secure cookie.

// In your login route handler
res.cookie('refreshToken', newRefreshToken, {
    httpOnly: true,
    secure: process.env.NODE_ENV === 'production', // HTTPS only
    sameSite: 'Strict',
    maxAge: 7 * 24 * 60 * 60 * 1000 // 7 days
});
res.json({ accessToken: newAccessToken });

Step 4: The Token Refresh Endpoint

This is where refresh token rotation happens, a key to secure auth nodejs.

  1. The client automatically calls `/api/refresh` when the access token expires (handled via axios interceptors or fetch wrappers).
  2. The server reads the refresh token from the HttpOnly cookie.
  3. It verifies the token's signature and checks it against the stored token in the database.
  4. If valid, it deletes the old refresh token from storage.
  5. It generates a new access token and a brand new refresh token.
  6. The new refresh token is stored and sent via cookie, and the new access token is sent in the response.

This rotation limits the usefulness of a stolen refresh token, as it can only be used once.

Step 5: Protecting Routes with Middleware

Create an authentication middleware to protect your API routes.


const authenticateToken = (req, res, next) => {
    const authHeader = req.headers['authorization'];
    const token = authHeader && authHeader.split(' ')[1]; // Bearer TOKEN

    if (!token) return res.sendStatus(401);

    jwt.verify(token, process.env.ACCESS_TOKEN_SECRET, (err, user) => {
        if (err) return res.sendStatus(403); // Token is invalid/expired
        req.user = user;
        next();
    });
};

// Usage
app.get('/api/protected-data', authenticateToken, (req, res) => {
    res.json({ data: 'Secret info for user ' + req.user.userId });
});

Step 6: Implementing Logout and Token Revocation

A proper logout must invalidate tokens. For immediate revocation, maintain a server-side blocklist (e.g., in Redis) of revoked refresh tokens or simply delete the stored refresh token from your database.

  1. On logout, clear the refresh token cookie on the client.
  2. On the server, delete the refresh token from your storage/database. This ensures it cannot be used again.
  3. (Optional) For immediate access token revocation, you can maintain a short-lived blocklist of invalidated access tokens until they naturally expire.

Why HttpOnly Cookies are Non-Negotiable for Refresh Tokens

Storing refresh tokens in localStorage or regular JavaScript-accessible cookies is a common beginner mistake that exposes your application to XSS (Cross-Site Scripting) attacks. An attacker could steal a token from localStorage and use it indefinitely.

HttpOnly Cookie: A cookie that is inaccessible to client-side JavaScript. It is only sent to the server with HTTP requests. By storing your refresh token in an httponly cookie jwt, you make it immune to theft via XSS. Coupled with the `Secure` flag (for HTTPS) and `SameSite=Strict` (to prevent CSRF), this forms the most secure storage strategy for refresh tokens.

For a deeper dive into building secure, full-featured backends, our Node.js Mastery course covers authentication, authorization, security best practices, and deployment in exhaustive, project-based detail.

Common Pitfalls and Best Practices

  • Never Store Sensitive Data in JWTs: The payload is base64 encoded, not encrypted. Anyone can decode it.
  • Use Strong, Unique Secrets: Your `ACCESS_TOKEN_SECRET` and `REFRESH_TOKEN_SECRET` must be long, random strings, different from each other.
  • Always Set Token Expiry: Both tokens must have an expiration. Refresh tokens can also implement sliding expiration on use.
  • Implement Rate Limiting: Protect your login and refresh endpoints from brute-force attacks.
  • Use a Database for Refresh Tokens: An in-memory store is lost on server restart. Use Redis (for speed) or your main SQL/NoSQL database to persist them, allowing for user-specific logout and token invalidation.

Mastering these patterns is what separates a functional prototype from a production-grade application. If you're looking to build comprehensive full-stack applications with these secure patterns at their core, explore our project-based Full Stack Development program.

Visual Learning: See It in Action

Sometimes, seeing the flow of requests and tokens clarifies the entire concept. For a practical walkthrough of this implementation, including code review and debugging, check out this tutorial on our dedicated channel.

Explore more practical, project-driven tutorials on our YouTube channel:

Visit LeadWithSkills on YouTube for more in-depth development guides.

FAQs on JWT and Refresh Tokens

Why not just use sessions instead of JWTs?
Sessions are stateful (server stores session data), which can be a bottleneck for scaling across multiple servers unless you use a shared session store like Redis. JWTs are stateless, making them inherently more scalable for distributed systems. However, with refresh tokens, you reintroduce some state for security, which is a necessary trade-off.
My frontend (React/Angular) can't access the HttpOnly cookie. How do I know if the user is logged in?
The frontend doesn't need to access the refresh token. User "logged-in" state is determined by the presence of a valid access token in memory. When it expires, your frontend code (via an interceptor) will attempt to call the `/refresh` endpoint. If the HttpOnly cookie is present and valid, it will get a new access token silently. If not, it will redirect to login.
What happens if the refresh token is stolen from the cookie?
This is a serious breach. However, with token rotation, a stolen token can only be used once to get a new access/refresh token pair, after which the legitimate user's next refresh will fail (as the old token is invalidated), forcing a logout. For high-security apps, you can also associate metadata (IP, user-agent) with the refresh token and reject mismatches.
How do I handle multiple devices? Should each device get its own refresh token?
Yes. Best practice is to issue a unique refresh token per device/session. Store each token in your database linked to the user ID and potentially a device identifier. This allows users to see and revoke specific sessions (like "Log out from all other devices").
Where do I store the access token on the frontend?
For a Single Page Application (SPA), store it in memory (a JavaScript variable, e.g., in a React context or Vuex store). You can also use a non-HttpOnly cookie, but in-memory is generally safer from CSRF. Avoid localStorage due to XSS risk.
Is it okay to use JWTs for roles and permissions?
Yes, you can include a `roles` or `permissions` array in the JWT payload. However, remember that this data becomes stale until the token is refreshed. For critical, real-time permission changes, you need a supplementary server-side check or use very short-lived tokens.
How do I invalidate all tokens for a user immediately (e.g., on password change)?
Maintain a version number (e.g., `tokenVersion`) in your user database record. Include this version in the JWT payload. When you change a password or need a forced logout, increment

Ready to Master Node.js?

Transform your career with our comprehensive Node.js & Full Stack courses. Learn from industry experts with live 1:1 mentorship.

Node.js Mastery → Full Stack Development →