Node.js JWT Authentication & PostgreSQL – Express RestAPIs + JSON Web Token + BCryptjs + Sequelize


JSON Web Token defines a compact and self-contained way for securely transmitting information as a JSON object.
In this tutorial we show how to build Node.js token-authentication REST APIs with JSON Web Token (JWT), BCryptjs for password hashing, Sequelize and PostgreSQL.

Related posts:
Sequelize Many-to-Many association – NodeJS/Express, MySQL
Node.js/Express RestAPIs CRUD – Sequelize ORM – PostgreSQL
– Fullstack with Angular: Angular & Nodejs JWT Authentication fullstack


– Nodejs/Express
– Json Web Token
– BCryptjs
– Sequelize
– PostgreSQL

JSON Web Token

JSON Web Token (JWT) defines a compact and self-contained way for securely transmitting information between parties as a JSON object.

-> Scenarios where JSON Web Tokens are useful:

  • Authorization: the most common scenario for using JWT. Once a user is logged in, each subsequent request carries the JWT, and the server uses it to decide which routes and resources that user may access. Single Sign On is a feature that widely uses JWT.
  • Information Exchange: because JWTs can be signed, the receiver can check who issued a token and that it was not tampered with in transit. Note that signing is not encryption: the header and payload of a signed JWT are only Base64URL-encoded, so anyone holding the token can read them, and secrets do not belong in the payload.

JSON Web Tokens consist of 3 parts:

  • Header
  • Payload
  • Signature

-> JWT looks like Header-Base64-String.Payload-Base64-String.Signature-Base64-String

Header consists of two parts:

  • the token type (typ), which is JWT.
  • the signing algorithm (alg), e.g. HS256 (HMAC with SHA-256) or RS256 (RSA with SHA-256). The verifier should treat this field as untrusted input and only accept the algorithm it was configured for.

-> Example:

Payload contains the claims. Claims are statements about an entity (typically the user) and additional data.
There are 3 types of claims ->

  • Registered claims -> a set of predefined claim names from RFC 7519: iss (issuer), sub (subject), aud (audience), exp (expiration time), nbf (not before), iat (issued at), jti (JWT id). They are optional but recommended; exp in particular is what lets a verifier reject a stale token.
  • Public claims -> names defined by whoever uses JWTs; to avoid collisions they should be registered in the IANA JSON Web Token Claims registry or use a collision-resistant name such as a URI.
  • Private claims -> custom names agreed between the parties that share the token, such as an application's own user id.

Example ->

Signature -> To create the signature, take the encoded header, the encoded payload, a secret (or a private key for asymmetric algorithms) and the algorithm named in the header, and sign the string header.payload. For HS256 that is HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret). The signature is what lets the server detect a token whose header or payload was changed; the server must verify it, using the algorithm it expects rather than whatever the token's header claims, before trusting any claim.

Example ->

Combining all three, we get 3 Base64URL strings separated by dots:


– Encoded ->

– Decoded ->



Project Structure


  • config package defines PostgreSQL Database Configuration, JWT Secret Key & User Roles.
  • model package defines Role & User Sequelize models.


  • router package defines the RestAPI URLs, the verification middleware for signup, and the JWT verification middleware for the protected routes.
  • controller package defines the processing function for each RestAPI declared in the router package.

We will define 5 workflows as below ->

  • SignUp Scenarios:

    – Code in router.js ->

  • SignIn Scenarios:

    – Code in router.js ->

  • Access User Content:

    – Code in router.js ->

  • Access PM Content:

    – Code in router.js ->

  • Access Admin Content

    – Code in router.js ->


Sign Up ->


Sign In ->


Access API Successfully ->


Unauthorized Access ->



Create Nodejs Project

Follow the guide to create a NodeJS/Express project

Install Express, Sequelize, PostgreSQL, Json Web Token, Bcryptjs:

-> package.json file:

Create Sequelize Models

User model ->

Role model:

Sequelize Database Configuration

/app/config/env.js file ->

/app/config/db.config.js ->

Because Role and User have a many-to-many association, we use belongsToMany to configure them.

-> See more at: Sequelize Many-to-Many association – NodeJS/Express, MySQL

Define RestAPIs Router

We define 5 RestAPIs in /app/router/router.js

We need to implement middleware functions that run checks before SignUp and before access to the protected resources:

/app/router/verifySignUp.js implements 2 middleware functions:

  • checkDuplicateUserNameOrEmail -> checks whether the posted username or email already exists
  • checkRolesExisted -> checks whether each posted User Role exists

/app/router/verifyJwtToken.js implements 3 middleware functions:

  • verifyToken -> checks whether the JWT sent with the request is valid (signature and expiry) and loads the user id from it
  • isAdmin -> checks whether the User has the ADMIN role
  • isPmOrAdmin -> checks whether the User has the PM or ADMIN role

Implement Controller

/app/controller/controller.js exports 5 functions:

  • signup -> registers a new User (the password is stored as a bcrypt hash, never in clear)
  • signin -> logs a User in and returns a JWT
  • userContent -> gets User Info
  • managementBoard -> gets Management Board Content
  • adminBoard -> gets Admin Board Content

– Create /app/config/config.js file that defines jwt-secret-key & User Roles.


/app/server.js file ->

Run & Check Results
Start Nodejs Server

– Run the Node.js server with npm start -> Logs:

-> Check PostgreSQL database:



Sign Up


-> All Logs of Sign Up:

-> PostgreSQL records:


SignIn and Access Protected Resources

Adam can access the api/test/user URL and can NOT access the others.

-> Sign In:


-> Access Protected Resources:



Jack can access the api/test/user and api/test/pm URLs, and can NOT access the /api/test/admin URL.

-> Sign In:


-> Access Protected Resources:




Thomas can access all URLs.

-> Sign In:


-> Access Protected Resource:




By grokonez | October 4, 2018.

Last updated on February 6, 2020.
