Express.js - REST API with Token Authentication
What is Token Authentication?
Token authentication is a secure way to authenticate users by issuing a token after a successful login. This token is sent with each request instead of username and password to access protected routes. It is stateless, efficient, and widely used in modern APIs and web applications.
Key Features of Token Authentication
- Stateless Authentication : No need to store session data on the server.
- Secure & Encrypted : Tokens are signed using a secret key or public/private key pair (e.g., HMAC, RSA).
- Efficient & Scalable : No need for a database lookup for every request (unlike session-based authentication).
- Time-Limited Access : Tokens usually have an expiration time (e.g., 1h or 24h).
- Supports Role-Based Access Control (RBAC) : Tokens can contain user roles (e.g., admin, user), allowing permission-based access.
- Cross-Platform Compatibility : Works for web, mobile, and desktop applications. Clients can authenticate using the same token across different platforms.
Install Dependencies
Install Express.js with the npm command.
npm install express
Setting Up an Express.js Server
- This Express.js app implements token-based authentication using Node's built-in crypto module.
- It includes login, logout, and a protected /dashboard route secured with custom token validation.
index.js
const express = require('express'); const crypto = require('crypto'); const app = express(); app.use(express.json()); const users = [ { id: 1, username: 'ram', password: '1234' }, { id: 2, username: 'sara', password: 'sara123' } ]; // In-memory token store: token -> userId const tokens = {}; // Generate secure token function generateToken() { return crypto.randomBytes(32).toString('hex'); } // Login endpoint app.post('/login', (req, res) => { const { username, password } = req.body; const user = users.find(u => u.username === username && u.password === password); if (!user) { return res.status(401).json({ message: 'Invalid credentials' }); } const token = generateToken(); tokens[token] = user.id; // store token with user id res.json({ message: 'Login successful', token }); }); // Middleware to protect routes function authenticateToken(req, res, next) { const token = req.headers['authorization']; if (!token || !tokens[token]) { return res.status(401).json({ message: 'Unauthorized - Invalid or missing token' }); } req.userId = tokens[token]; // pass user ID to route next(); } // Dashboard endpoint app.get('/dashboard', authenticateToken, (req, res) => { const user = users.find(u => u.id === req.userId); res.json({ message: 'Welcome to your profile', user }); }); // Logout app.post('/logout', authenticateToken, (req, res) => { const token = req.headers['authorization']; delete tokens[token]; // remove token from store res.json({ message: 'Logged out successfully' }); }); // Start server const PORT = 5000; app.listen(PORT, () => { console.log(`Server running at http://localhost:${PORT}`); });
Run the Server
Run the server using the command is given below.
node index.js
D:\my-app>node index.js Server running at http://localhost:5000
Output
Login User
Request:
POST: http://localhost:5000/login
Content-Type: application/json
{
"username": "ram",
"password": "1234"
}
Response:
Status: 200 OK
Content-Type: application/json
{
"message": "Login successfully"
"token": "ad26c5a4d42859a922ccb8c659540e2dc87df3237b74460ff0748533ff60d6df"
}
Access protected dashboard with token
Request:
GET: http://localhost:5000/dashboard
Authorization: ad26c5a4d42859a922ccb8c659540e2dc87df3237b74460ff0748533ff60d6df
Response:
Status: 200 OK
Content-Type: application/json
{
"message": "Welcome to your profile",
"user": {
"id": 1,
"username": "ram"
"password": "1234"
}
}
Logout User
Request:
POST: http://localhost:5000/logout
Content-Type: application/json
Response:
Status: 200 OK
Content-Type: application/json
{
"message": "Logged out successfully"
}
Why Use Token Authentication
- More Secure than Sessions
- Scales Well for APIs & Microservices
- Works for Single Page Applications (SPA) & Mobile Apps
- Reduces Server Load
- Easy to Implement