How to Implement API Authentication with Passport

May 27, 2026at 2:01 PM UTCBy Pocket Portfolio TeamTechnology

#api#authentication#passport#node.js

Problem

In modern web applications, securing your API endpoints is critical. As APIs are often exposed to a wide range of clients, ensuring that only authenticated users can access these endpoints is a fundamental security requirement. Developers need an efficient way to authenticate API requests while minimizing the complexity of managing user credentials and sessions.

Solution with Code

Passport.js is a popular authentication middleware for Node.js that supports a variety of authentication strategies, including local username and password authentication, OAuth, and more. Here's how you can implement a basic API authentication using Passport.js.

Step 1: Setup Project and Install Dependencies

First, set up a Node.js project and install the necessary packages:

npm init -y
npm install express passport passport-jwt jsonwebtoken body-parser

Step 2: Configure Passport with JWT Strategy

In this example, we'll use the JWT strategy to secure our API. Create a passport-config.js file:

const passport = require('passport');
const { Strategy: JwtStrategy, ExtractJwt } = require('passport-jwt');
const User = require('./models/user'); // Assuming you have a User model

const opts = {
  jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
  secretOrKey: 'your_jwt_secret',
};

passport.use(new JwtStrategy(opts, (jwt_payload, done) => {
  User.findById(jwt_payload.sub, (err, user) => {
    if (err) {
      return done(err, false);
    }
    if (user) {
      return done(null, user);
    }
    return done(null, false);
  });
}));

module.exports = passport;

Step 3: Protect Routes using Passport

Use Passport to protect your API routes. In your main application file (e.g., app.js), initialize Passport and apply it to your routes:

const express = require('express');
const bodyParser = require('body-parser');
const passport = require('./passport-config');

const app = express();
app.use(bodyParser.json());
app.use(passport.initialize());

app.get('/protected', passport.authenticate('jwt', { session: false }), (req, res) => {
  res.json({ message: 'This is a protected route' });
});

app.listen(3000, () => {
  console.log('Server running on http://localhost:3000');
});

Step 4: Issue JWTs on User Login

When a user logs in, issue a JWT. For example, in your login route:

const jwt = require('jsonwebtoken');

app.post('/login', (req, res) => {
  // Authenticate user
  const user = authenticateUser(req.body.username, req.body.password);
  if (!user) {
    return res.status(401).json({ message: 'Authentication failed' });
  }

  const token = jwt.sign({ sub: user.id }, 'your_jwt_secret');
  res.json({ token });
});

Key Concepts

Passport.js: A flexible authentication middleware for Node.js.
JWT (JSON Web Tokens): A compact, URL-safe means of representing claims to be transferred between two parties.
Middleware: Functions that have access to the request object, response object, and the next middleware function in the application’s request-response cycle.

By leveraging Passport.js and JWT, you can effectively secure your API endpoints, ensuring only authenticated users have access. This guide provides a foundational approach, which you can expand to include additional strategies and customizations as needed.