passport-jwt

Passport.js strategy for authenticating requests using JSON Web Tokens (JWT). Extracts JWT from Authorization header (Bearer), query parameter, or cookie, verifies signature using configurable secret or public key, and exposes the decoded payload as req.user. Part of the Passport.js ecosystem for building stateless API authentication.

Evaluated Mar 06, 2026 (0d ago) v4.x

Homepage ↗ Repo ↗ Developer Tools passport jwt authentication bearer token express api stateless

⚙ Agent Friendliness

/ 100

Can an agent use this?

🔒 Security

/ 100

Is it safe for agents?

⚡ Reliability

/ 100

Does it work consistently?

Score Breakdown

⚙ Agent Friendliness

MCP Quality

Documentation

Error Messages

Auth Simplicity

Rate Limits

🔒 Security

TLS Enforcement

Auth Strength

Scope Granularity

Dep. Hygiene

Secret Handling

Stateless JWT verification — HTTPS required in production. RS256/ES256 asymmetric keys are more secure than HS256 shared secrets. Secret management is developer responsibility. No built-in revocation — implement token blacklisting for logout scenarios.

⚡ Reliability

Uptime/SLA

Version Stability

Breaking Changes

Error Recovery

Best When

You're building a stateless REST API with Express.js that needs JWT authentication and may combine it with other Passport.js strategies.

Avoid When

You don't need the full Passport.js ecosystem — a simpler express-jwt middleware or manual jsonwebtoken.verify() in middleware may be cleaner for simple JWT-only APIs.

Use Cases

• Protect Express.js API routes with JWT authentication — verify tokens and expose user context without session state
• Implement stateless agent API authentication where agents authenticate with JWTs issued by an OAuth server
• Add Bearer token authentication to REST APIs with support for RS256 asymmetric signing (public key verification)
• Build multi-strategy auth combining JWT for API clients and local/session auth for browser clients
• Verify and decode service-to-service JWTs in microservice architectures

Not For

• Web applications with browser sessions — use passport-local with express-session for cookie-based auth
• JWT generation — passport-jwt only VERIFIES tokens; use jsonwebtoken package to generate them
• JWT refresh token management — implement refresh logic separately; passport-jwt handles verification only

Interface

REST API

GraphQL

gRPC

MCP Server

SDK

Yes

Webhooks

Authentication

Methods: none

OAuth: No Scopes: No

Implements JWT verification — the library IS the auth mechanism. No external service credentials needed, but JWT secret/public key required for configuration.

Pricing

Model: open_source

Free tier: Yes

Requires CC: No

MIT licensed. Zero cost.

Agent Metadata

Pagination

none

Idempotent

Full

Retry Guidance

Not documented

Known Gotchas

⚠ JWT extractor must be configured correctly — ExtractJwt.fromAuthHeaderAsBearerToken() for standard Bearer auth, or fromExtractors([...]) for multiple sources
⚠ secretOrKey accepts string, Buffer, or function — for RS256/ES256, pass the public key (not private key) as secretOrKey; algorithm must be specified in jwtFromRequest options
⚠ Expired JWTs: by default passport-jwt does NOT reject expired tokens — set ignoreExpiration: false (which is actually the default in v4; verify your version behavior)
⚠ The verify callback receives (jwt_payload, done) — jwt_payload is the decoded token object, not the raw token string; access claims as jwt_payload.sub, jwt_payload.email, etc.
⚠ No built-in token revocation — JWT tokens are valid until expiry; implement a token blacklist in Redis for revocation scenarios
⚠ req.user is set to whatever the verify callback passes as done(null, user) — ensure the user object shape matches what route handlers expect

Alternatives

passport-local-api jsonwebtoken-api express-jwt-api

Full Evaluation Report

Detailed scoring breakdown, competitive positioning, security analysis, and improvement recommendations for passport-jwt.

$99

API endpoint ↗ Agent guide ↗ Report inaccuracy

Scores are editorial opinions as of 2026-03-06.