How To Use JSON Web Tokens (JWTs) in Express.js
SMRTR summary
JWT authentication has quietly become the backbone of modern web APIs, allowing servers to authenticate users without storing session data by using self-contained, signed tokens that travel between client and server. The authentication flow relies on two distinct tokens working in tandem: short-lived access tokens that expire in about fifteen minutes and authorize individual requests, and longer-lived refresh tokens that can regenerate access tokens for days without forcing users to log in repeatedly. While developers often debate whether to store these tokens in localStorage or cookies, security experts increasingly favor HttpOnly cookies with the Secure and SameSite attributes, which keep the tokens out of reach of scripts injected through cross-site scripting. The implementation requires careful middleware design in Express.js, where token verification happens once per request and the user information is attached to the request object, plus robust key management that loads secrets from environment variables rather than hardcoding them. Though alternatives like PASETO and OAuth 2.1 offer different approaches, JWTs remain deeply embedded in the Express.js ecosystem through mature libraries like jsonwebtoken and the more modern jose, making them a practical choice for teams building scalable, stateless authentication systems.
SMRTR provides this summary for quick context. The original article belongs to Daily.dev.