{"id":18341,"library":"express-jwt","title":"express-jwt","description":"Express middleware for validating JWTs (JSON Web Tokens) via the jsonwebtoken library. As of v8.5.1, it supports async secret retrieval, token revocation checks, and a customizable request property (default `req.auth`). It is fully typed (TypeScript) and ESM/CJS compatible. Key differentiators: built-in `.unless()` for path exclusion, optional `credentialsRequired` for public endpoints, and all jsonwebtoken verify options (audience, issuer, clockTolerance, etc.). However, v7→v8 introduced several breaking changes: the exported function is now `expressjwt` (not `jwt`) and the request property changed from `req.user` to `req.auth`. Note also that `algorithms` has been a required option since v6.0.0: it pins which signing algorithms are accepted so that the token's own `alg` header cannot select a weaker or different one (a downgrade / algorithm-confusion attack). The package is maintained by Auth0 with quarterly releases.","status":"active","version":"8.5.1","language":"javascript","source_language":"en","source_url":"git://github.com/auth0/express-jwt","tags":["javascript","auth","authn","authentication","authz","authorization","http","jwt","token","typescript"],"install":[{"cmd":"npm install express-jwt","lang":"bash","label":"npm"},{"cmd":"yarn add express-jwt","lang":"bash","label":"yarn"},{"cmd":"pnpm add express-jwt","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"Core dependency for JWT verification; used internally and its secrets, algorithms, and options are passed through.","package":"jsonwebtoken","optional":false},{"reason":"Provides Express type definitions required for TypeScript users to correctly type the middleware and request extensions.","package":"@types/express","optional":true}],"imports":[{"note":"v8+ exports only named `expressjwt`; default export was removed.","wrong":"import jwt from 'express-jwt'","symbol":"expressjwt","correct":"import { expressjwt } from 'express-jwt'"},{"note":"TypeScript only; re-exported as needed.","wrong":"import { RequestWithAuth } from 'express-jwt'","symbol":"ExpressJwtRequest","correct":"import { 
ExpressJwtRequest as RequestWithAuth } from 'express-jwt'"},{"note":"Type-only import to avoid runtime errors when not used as a value.","wrong":"import { GetVerificationKey } from 'express-jwt'","symbol":"GetVerificationKey","correct":"import type { GetVerificationKey } from 'express-jwt'"}],"quickstart":{"code":"import { expressjwt } from 'express-jwt';\nimport express from 'express';\n\nconst app = express();\n\n// Fail fast if the signing secret is missing. Never fall back to a hard-coded\n// default: anyone who reads the source could then mint tokens this middleware accepts.\nconst secret = process.env.JWT_SECRET;\nif (!secret) throw new Error('JWT_SECRET is not set');\n\n// Protected route\napp.get(\n  '/protected',\n  expressjwt({\n    secret,\n    // Pin the accepted algorithm to the one your issuer uses; do not mix HS* with RS*/ES*.\n    algorithms: ['HS256'],\n  }),\n  (req, res) => {\n    // req.auth holds the verified payload (credentialsRequired defaults to true,\n    // so an unauthenticated request never reaches this handler).\n    // 403, not 401: the caller is authenticated but lacks the required claim.\n    if (!req.auth.admin) return res.sendStatus(403);\n    res.json({ message: 'Protected data', user: req.auth });\n  }\n);\n\n// Public route\napp.get('/token', (req, res) => {\n  res.send('No auth required');\n});\n\napp.listen(3000);","lang":"typescript","description":"Shows basic usage: loading the signing secret from the environment and failing fast when it is absent, protecting a route with a pinned `algorithms` list, and reading the verified payload from `req.auth`."},"warnings":[{"fix":"Replace `import jwt from 'express-jwt'` with `import { expressjwt } from 'express-jwt'`.","message":"v8 changed the exported function from default export `jwt` to named export `expressjwt`.","severity":"breaking","affected_versions":">=8.0.0"},{"fix":"Access decoded payload via `req.auth` instead of `req.user`.","message":"v8 changed the request property from `req.user` to `req.auth`.","severity":"breaking","affected_versions":">=8.0.0"},{"fix":"Always pass `algorithms: [...]` listing only the algorithm(s) your issuer actually signs with, e.g. `algorithms: ['HS256']` or `algorithms: ['RS256']`.","message":"The `algorithms` option is required; not providing it will throw an error. Treat it as a security control rather than a mere required field: the explicit list is what stops the token's own `alg` header from selecting which algorithm the server verifies with (the downgrade scenario described in the mixed symmetric/asymmetric warning).","severity":"gotcha","affected_versions":">=6.0.0"},{"fix":"Use only one set of algorithms (symmetric or asymmetric) and validate against the expected algorithms list.","message":"Do not mix symmetric and asymmetric algorithms (e.g., HS256 and RS256) as it can lead to downgrade 
attacks.","severity":"gotcha","affected_versions":">=5.0.0"},{"fix":"For genuinely public paths prefer `.unless()` so the middleware is not applied at all. If you set `credentialsRequired: false`, every downstream handler must treat `req.auth === undefined` as an unauthenticated request and must not read claims from it unchecked.","message":"`credentialsRequired` defaults to `true`. Setting it to `false` does not disable validation: a request that carries no token is passed through with `req.auth` unset, while a token that is present but malformed, expired or wrongly signed is still rejected. The risk is in handlers that assume `req.auth` is always populated.","severity":"gotcha","affected_versions":">=7.0.0"}],"env_vars":null,"last_verified":"2026-04-25T00:00:00.000Z","next_check":"2026-07-24T00:00:00.000Z","problems":[{"fix":"Change import to `import { expressjwt as jwt } from 'express-jwt'`","cause":"Using default import on v8+ where only named export `expressjwt` exists.","error":"TypeError: jwt is not a function"},{"fix":"Load the secret from configuration and fail startup when it is missing, e.g. `const secret = process.env.JWT_SECRET; if (!secret) throw new Error('JWT_SECRET is not set');`. Do not paper over the error with a hard-coded fallback such as `?? 'fallback'`: a default secret lets anyone who knows it mint tokens the middleware will accept.","cause":"Providing an undefined or invalid `secret` option to expressjwt (typically an unset environment variable).","error":"Error: secret must be a string or buffer"},{"fix":"Add `algorithms: ['HS256']` (or the algorithm your issuer actually signs with) to the options object, listing only that family; do not include both HS* and RS*/ES* entries.","cause":"Missing required `algorithms` option in expressjwt config.","error":"Algorithms is not provided"}],"ecosystem":"npm","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}