Secure authentication and authorisation to industry standard.
JWT and OAuth2 are the established building blocks used to implement secure sign-in and authorisation on the web, and they solve two distinct jobs. OAuth2 governs the flow through which an application gains access on a user's behalf without ever seeing their password. A JWT is the compact, signed token that then travels with every request and can be checked without a round trip to the database. On top of them we build logins, cross-system single sign-on and finely graded permissions to industry standard.
We use this when a login comes from third parties like Google, or when an API should be secured statelessly. Our services verify the signed token locally, so not every request needs a round trip to the database. With several services working together, this gives us a shared single sign-on without logging in twice.
import jwt from "jsonwebtoken";
const secret = process.env.JWT_SECRET; // server-side signing secret, never sent to the client
const user = { id: "42" };             // constructed placeholder for the signed-in user record
// Issue a short-lived access token carrying the user id as the subject claim
const token = jwt.sign({ sub: user.id }, secret, { expiresIn: "15m" });
// Verify signature and expiry locally; throws on an invalid or expired token
const payload = jwt.verify(token, secret);
console.log(payload.sub);
Good to know
A JWT, once issued, cannot easily be revoked before it expires, because it is deliberately checked statelessly. So we keep the lifetime of access tokens short and renew them via a separate refresh token, which can be blocked if needed.
More tools we work with in the same area.
Node.js
A JavaScript runtime for performant, event-driven servers.
NestJS
A structured Node framework for clean, testable backend architectures.
Express
A lean, flexible framework for APIs and web services.
Socket.IO
Bidirectional realtime communication for chats, live data and more.
GraphQL
Flexible APIs that deliver exactly the data your client needs.
REST APIs
Clear, standardised interfaces for any integration.
You don't have to decide that, it's our job. Tell us about your plans.