If you're building your own authentication system, it's a really good idea to include a flag in your payloads, to indicate whether that token was generated by authenticating with user credentials, or by using a refresh token. You can use this flag to authorize sensitive operations, such as changing your password or making payments - so if the user didn't log in recently, you can prompt them to log in again for sensitive operations. I would say this is a must for most applications.
What a great information right there! Thank you for sharing. I immediately recognize the use of the flag in payload when I changing my facebook password for example, it requests me to re-enter my password again for authenticating with user credential
The single tutorial a dev should ever watch to get their heads wrapped around auth. Great pace and flow, pure English, pleasure to watch and listen to!
Even after 4 years you made this video guy, I found it so resourceful. It just killed my fear for JWT as a complex auth method. Sometimes I just want to use just session to manage auth... Now I want to fight it and sincere with you short well explained lesson, I think it's a good start! After watching the video, I access the source code and spent almost 40 minutes to read and digest the codes, then re-watch the video again. It's really broke the fear!!
I discovered your channel 30 minutes ago and I have already subscribed. Your way of explaining things with minimum jargon and straight forward approach is so refreshing.Keep up the good work!
Thank you so much! My goal with the channel is to teach the most amount of content in the least amount of time, since time is the most valuable resource we have.
I am so close to start crying of joy. I just spent so long trying to figure this out and then I found this video. Thank you so much. Honestly, you make my favourite tutorials.
Thanks for making this! Fun fact for anyone else watching: you can configure dotenv from your package.json scripts so that you don't have to write require in every file by using the -r flag and dotenv/config like so: "scripts": { "dev": "nodemon -r dotenv/config index.js" },
Kyle has an amazing talent for teaching and this demystifies a lot of how to implement JWTs on the server end. If I may, one caveat I would add is adding access and refresh tokens in the body payload may be prone to being stolen in an XSS attack and depending on how secure you would like to make your site you might want to instead store them on http-only & secure cookies with a samesite set to at least lax so they're not read by Javascript and easily stolen. Again, this tutorial is on point on so many levels and amazing!
You nailed these tutorials! I actually understand what you are explaining. You don't dilute it with unnecessary lingo in an attempt to sound smart. Thank you!
Damn this is amazing. Wasted 4 hours watching shitty videos and then came through this. Just 30 mins and everything well explained on point. Thanks a lot bro. You got a new subscriber!!!
Thanks for keeping it simple! You are living up to your name. I watched 5 other jwt videos from well-known vloggers, and was still left confused. This one was spot on. I get it now. Thanks!
I come to your channel to learn one thing and most of the time I learn 2-4 new things for sure.. Thankyou..You are one the best teachers..Love from INDIA..🇮🇳🇮🇳🇮🇳
This is probably the first time I'm writing a comment to a video. The reason - just wanted to acknowledge the quality of content. Especially how nice & simple everything is explained.
Hi, I would particularly like to praise your clear explanations and your super clear pronunciation. So it is very easy to understand, even for someone like me, who doesn't have a lot of experience in English and who often has trouble following English-language content with a strong accent. Really great!
Great video as always! Just wanted point out that what's being covered here is called authorization, not authentication. Authentication is when you confirm a user's identity and authorization is giving that user access to parts of the website
Yoooo, I just found your channel this week and wanted to let you know I love your content. Super informative, clear explanations, all around great videos. Keep up the good work!
I tried to implement JWT by watching different tutorials but i couldnt understand it, your video was the only video i understood, best node js videos keep it up; great work
Everything was straight-forward and on-point. One question arises - Why we need to create a refresh token when we can delete the previous access token when user logs out? In that way he will not be able to use that access token forever
Thank you Kyle for another great video!! Especially by making some confusing topics much clearer and understandable in such little time. I think that many of us could benefit a thousand times more from this jwt knowledge if you created a sequel to this video, or even simply a separate video all together explaining how this backend logic is tied in with the front end via a js framework or keeping it simple like ejs or regular html. There is not a whole lot of good quality educational videos or documentation covering how it can all be connected and implemented into a true fullstack application. It took me a very long time to figure out how to serve my front end as well as authenticate users with jwt using ejs. I would love to see a good video on this from you. Thank you again!
11/10 video. I just implemented this for a rock climbing app i'm creating. Tomorrow I will figure out how to manage the keys in my database rather than in the program.
I spent days trying to implement this with passport and didn't succeed. But with your help, I managed to do the same in a couple hours , Thanks a lot!!!
Have to say this was short and loaded with information. I really liked the part where you also explained the Auth and Resource server. Really appreciate the content :)
Exactily what I need! You just got a new subscriber. Simple, direct to the point, no use of database and other things, really direct to the point! Saves a lot of time. Thank you!
quick tip for people struggling with the request.rest file... there should be no line between the request and the header, but there should be one line between the header and the body. I was confused because I'd never been in a situation where the blank lines really mattered but... it does here.
Kyle, it would be amazing if you could make a video on how to handle JWTs on the client-side, particularly in React, in order to close the loop on this topic. As always, awesome video :)
Funny, I'm coming to this video because I know how to implement it with React and not without it. I learned through Brad Travery so you may want to look through his videos.
God Bless you man, this is great within 30 minutes JWT and auth isn't mystery anymore, keep it up, you're going to help a lot of people. God Bless you!
Thanks youtube for recommend this channel. I just started to learn programming two weeks ago and find your channel. It is great content for me even i still did not really understand it most of the part so i need to learn a lot from the scratch.
Thanks, coming from the world of ASP.NET this was piece of cake. Dudes over there make it look like rocket launching, when it actually is a very simple mechanism.
I still have some stuff that isn't clear to me, but you probably won't see my message, so i'l just say that you are an amazing teacher, you really have a skill in that area!
Thanks for the video, I never saw tutorial video without skipping its part, but you broke that with the great way of story telling. Very helpful video.
I'm using sails JS and their documentation is a hit or miss with a lot of things. They also have support for sessions instead of JWT. Your explanation and walkthrough were so nicely made that I was able to translate the logic of signing and verifying JWT into helpers for my project. Thank you!
Thank you for the quality tutorial. You're clear-spoken, and just the right speed for learning. At one point, I thought "This guys IQ must be over 140" - BTW, this is the first video of yours I watched. I found this video when I did a google search for "web token authentication". Again, very nice work.
Is reading books about programming a thing? I mean it would be good for something like assembly or c or c++ but defo not for anything that is related to js
Thank you for explaining complex concepts in very simple and straight forward way I watched many of your videos and I learnt a lot of things that no body could teach in 1 video but you are way of explaination is awesome, you are one of the best teacher in the universe, thank you so much :)
I know this is kind of older, but great presentation, very clear! I have a similar video for doing this in c# (also pretty old), but love how you explained it all here. Thanks!!
Owow I just realised I clicked like button while watching just like natural action I never like most videos I see in general I must have instinctively like your videos!
Your channel is incredible and so informative! I clicked on the video to learn the best way to handle JWTs and in the first couple of minutes I am already learning about all these different things I didn't even know I didn't know. Do you happen to be an educator at all? It seems like you would be a great lecturer or teacher at a Uni or College.
Thank you so much! I am not a professional educator. I have been offered a job as a University professor before, but I love teaching online so I turned it down.
this is a very good starting point, but in my opinion it misses some parts: - first if the client refreshes, since you are not persisting the refresh token anywhere it will need to login again, and this can be fixed by storing it in a httponly cookie which is still vulnerable, - second the client part is completely missing, i know the purpose of this is to keep things simple, but then ppl needs to do real stuff. probably the refresh requests should be sent little before the accesstoken expires. - the array of refresh tokens or the db where you store them, means that we are not differing too much from usual session management which is opinable. Anyway, yours are very great tutorial, i am wondering what tools you use for registering videos
great content.since the video is outdated and also you are handling the refresh token manually(u are getting the refresh token through a post request not from the client directly) and does not have expire time,also we like to see how we can implement in react and also with the passport-jwt.we need updated new video on this since you are good at time.ya u deserve 1m subscribers.
If you're building your own authentication system, it's a really good idea to include a flag in your payloads, to indicate whether that token was generated by authenticating with user credentials, or by using a refresh token. You can use this flag to authorize sensitive operations, such as changing your password or making payments - so if the user didn't log in recently, you can prompt them to log in again for sensitive operations. I would say this is a must for most applications.
I’ve encountered this in some websites. Nice to know how it was implemented.
What a great information right there! Thank you for sharing. I immediately recognize the use of the flag in payload when I changing my facebook password for example, it requests me to re-enter my password again for authenticating with user credential
ya.we love to see how we can implement that.
You have a UA-cam channel. Please make a video on this topic
Thanks for the note. it helped me.
It took me only 27 minutes to understand a simple concept that has been overly complicated by some bloggers. Thanks man, that was great.
The single tutorial a dev should ever watch to get their heads wrapped around auth. Great pace and flow, pure English, pleasure to watch and listen to!
Even after 4 years you made this video guy, I found it so resourceful. It just killed my fear for JWT as a complex auth method. Sometimes I just want to use just session to manage auth... Now I want to fight it and sincere with you short well explained lesson, I think it's a good start! After watching the video, I access the source code and spent almost 40 minutes to read and digest the codes, then re-watch the video again. It's really broke the fear!!
I discovered your channel 30 minutes ago and I have already subscribed. Your way of explaining things with minimum jargon and straight forward approach is so refreshing.Keep up the good work!
Thank you so much! My goal with the channel is to teach the most amount of content in the least amount of time, since time is the most valuable resource we have.
@@WebDevSimplified that is what makes you and your channel great!
@@WebDevSimplified great
totally agree :)
True. He is one of the best ones.
I'm from South Korea, Kyle explains in a concise and straight plus simple easy way which makes me understand way better than Udemy courses.
I am so close to start crying of joy. I just spent so long trying to figure this out and then I found this video. Thank you so much. Honestly, you make my favourite tutorials.
Thanks for making this! Fun fact for anyone else watching: you can configure dotenv from your package.json scripts so that you don't have to write require in every file by using the -r flag and dotenv/config like so:
"scripts": {
"dev": "nodemon -r dotenv/config index.js"
},
Everything is good. But i would suggest you to be little slow when you do the code.
Kyle has an amazing talent for teaching and this demystifies a lot of how to implement JWTs on the server end. If I may, one caveat I would add is adding access and refresh tokens in the body payload may be prone to being stolen in an XSS attack and depending on how secure you would like to make your site you might want to instead store them on http-only & secure cookies with a samesite set to at least lax so they're not read by Javascript and easily stolen. Again, this tutorial is on point on so many levels and amazing!
Do you have any solution for that? Thx
@@heysisteronion Store tokens in cookies with http-only, secure and same-site
You nailed these tutorials! I actually understand what you are explaining. You don't dilute it with unnecessary lingo in an attempt to sound smart. Thank you!
Damn this is amazing. Wasted 4 hours watching shitty videos and then came through this. Just 30 mins and everything well explained on point. Thanks a lot bro. You got a new subscriber!!!
Thank you so much!
You blink a lot, but holy crap! You speak so clearly and teach so well without any cuts! AMAZING! Thank you so much!
Man, this is the most efficient tutorial on the topic. Where is your applause button dude.
this is how code tutorial video should look like! Simply, precize, no overtalking, just exact content we need, very good job!
Thanks for keeping it simple! You are living up to your name.
I watched 5 other jwt videos from well-known vloggers, and was still left confused.
This one was spot on. I get it now. Thanks!
I come to your channel to learn one thing and most of the time I learn 2-4 new things for sure.. Thankyou..You are one the best teachers..Love from INDIA..🇮🇳🇮🇳🇮🇳
This is probably the first time I'm writing a comment to a video. The reason - just wanted to acknowledge the quality of content. Especially how nice & simple everything is explained.
Hi, I would particularly like to praise your clear explanations and your super clear pronunciation. So it is very easy to understand, even for someone like me, who doesn't have a lot of experience in English and who often has trouble following English-language content with a strong accent. Really great!
Great video as always! Just wanted point out that what's being covered here is called authorization, not authentication. Authentication is when you confirm a user's identity and authorization is giving that user access to parts of the website
No nonsense just straight to the point.
Clear and precise explanation.
Thanks you for time for a good tutorial, cheers!
Your tutorials are some of the best on YT and I watch a LOT of programming tutorials! 👍🏻👍🏻👍🏻👍🏻👍🏻 🌟🌟🌟🌟🌟
Yoooo, I just found your channel this week and wanted to let you know I love your content. Super informative, clear explanations, all around great videos. Keep up the good work!
Thank you so much! I hope my future videos are just as useful.
same :) feeling very lucky
Who said pretty men can't code... man thanks sooooo much for this.. i 'have been afraid of backend dev, but now i learning smoothly..
I tried to implement JWT by watching different tutorials but i couldnt understand it, your video was the only video i understood, best node js videos keep it up; great work
Everything was straight-forward and on-point. One question arises - Why we need to create a refresh token when we can delete the previous access token when user logs out? In that way he will not be able to use that access token forever
Where have you been all my life Bro. --- THANK YOU for making my job eaaaaaaasy.
Thank you Kyle for another great video!! Especially by making some confusing topics much clearer and understandable in such little time. I think that many of us could benefit a thousand times more from this jwt knowledge if you created a sequel to this video, or even simply a separate video all together explaining how this backend logic is tied in with the front end via a js framework or keeping it simple like ejs or regular html. There is not a whole lot of good quality educational videos or documentation covering how it can all be connected and implemented into a true fullstack application. It took me a very long time to figure out how to serve my front end as well as authenticate users with jwt using ejs. I would love to see a good video on this from you. Thank you again!
11/10 video. I just implemented this for a rock climbing app i'm creating. Tomorrow I will figure out how to manage the keys in my database rather than in the program.
Very distinct skill of explanation, could not be more lucid than this, 2 days of here and there in 20 min
certified beginner-friendly
enlighten my noob jwt knowledge in less than an hour
The absolute clearest tutorial I've ever seen on the topic. I wish I had found this earlier.
This is the cleanest for me: ua-cam.com/video/YocRq-KesCM/v-deo.html
I spent days trying to implement this with passport and didn't succeed. But with your help, I managed to do the same in a couple hours , Thanks a lot!!!
Kyle is a really good teacher. His tutorials helping me a better developer.
Yeah, I appreciate tutorials like this, a perfect blend of explanation and implementation. Thanks a million!
Have to say this was short and loaded with information. I really liked the part where you also explained the Auth and Resource server. Really appreciate the content :)
Its really hard to explain how valuable this channel is to me. Thank you for existing
Exactily what I need! You just got a new subscriber. Simple, direct to the point, no use of database and other things, really direct to the point! Saves a lot of time. Thank you!
i echo the sentiment that i have learned more with this video then reading books for hours.. Well done :)
Thank you man, you are one of the rarest who gives real solutions
This lives up to its name. Truly simplified. 💙
quick tip for people struggling with the request.rest file...
there should be no line between the request and the header, but there should be one line between the header and the body.
I was confused because I'd never been in a situation where the blank lines really mattered but... it does here.
Kyle, it would be amazing if you could make a video on how to handle JWTs on the client-side, particularly in React, in order to close the loop on this topic. As always, awesome video :)
I second this! I think Ben Awad made a video about that but doesn't go into much detail
I want to see this too, wanna know if what I'm implementing is actually correct
Funny, I'm coming to this video because I know how to implement it with React and not without it. I learned through Brad Travery so you may want to look through his videos.
@@Robd515 could you share an URL?
@Kyle, please see this comment! Awesome work man, you are giving immense value to society.
I wish I could write codes from scratch like you and explain things that clearly. Good content! 👍
You're the JWT mastermind :)
Kyle.....You are a gem for developers....
Man! every video of yours are most simplified on the web one could ever find.....Great work
When I feel to buy any paid course then your video motivate me to save my money ❤️
God Bless you man, this is great within 30 minutes JWT and auth isn't mystery anymore, keep it up, you're going to help a lot of people. God Bless you!
Thanks youtube for recommend this channel. I just started to learn programming two weeks ago and find your channel. It is great content for me even i still did not really understand it most of the part so i need to learn a lot from the scratch.
Thanks, coming from the world of ASP.NET this was piece of cake. Dudes over there make it look like rocket launching, when it actually is a very simple mechanism.
I still have some stuff that isn't clear to me, but you probably won't see my message, so i'l just say that you are an amazing teacher, you really have a skill in that area!
Thanks! I have another video on JWT that explains JWT in depth you may want to checkout.
@@WebDevSimplified I think my biggest question is how the refresh token isnt prone to stealing as the access one
Thanks for the video, I never saw tutorial video without skipping its part, but you broke that with the great way of story telling. Very helpful video.
Dude you might be my favorite web dev channel at this point. Massive Traversy fan and I also like Academind but damn this stuff is good
Same here :)
He explains things very well and at a nice pace.
I'm using sails JS and their documentation is a hit or miss with a lot of things. They also have support for sessions instead of JWT. Your explanation and walkthrough were so nicely made that I was able to translate the logic of signing and verifying JWT into helpers for my project. Thank you!
i was looking for one day some simple explanation like this for jwt usage, thanks a LOT!
Thank you for the quality tutorial. You're clear-spoken, and just the right speed for learning. At one point, I thought "This guys IQ must be over 140" - BTW, this is the first video of yours I watched. I found this video when I did a google search for "web token authentication". Again, very nice work.
Bro you are the best. That is all I can say. you simplify the complex. ...keep it up.
In just 30 mins i've learned what a ton of books couldn't explain clearly.
You must be reading a wrong book
@@juraev0056 Probably
Sometimes you just need to see it in action to understand it. I learn math better by example than by reading theory.
Is reading books about programming a thing? I mean it would be good for something like assembly or c or c++ but defo not for anything that is related to js
@@jawad9757 I think it is good to read about best practices and design patterns regarding any programming language
Superb tutorial, video and sound! It's rare to find such quality. Subscribed and looking forward to more of your content.
Thank you so much! I hope the rest of my videos are just as helpful.
Your videos are always brilliant. A big 🙏
Best programming ASMR channel 💓
Best tutorial on JWT token. You are straight forward and that's why I have already subscribed to your channel.
i love how effortless and efficient you explain everything. and all the tools you use are really cool and easy to setup. thanks!
Thank you for explaining complex concepts in very simple and straight forward way I watched many of your videos and I learnt a lot of things that no body could teach in 1 video but you are way of explaination is awesome, you are one of the best teacher in the universe, thank you so much :)
The greatest video about jwt implementation on node i've found at internet!
Thanks a lot!
This Person is gem for developers :)
Excellent video. Probably one of the best explanations I have seen. Also, fast - in a good way.
I know this is kind of older, but great presentation, very clear! I have a similar video for doing this in c# (also pretty old), but love how you explained it all here. Thanks!!
This video is perfect for me to understand a concept of JWT token and refresh token. I really appreciate it. Thanks Kyle. :)
The best JWT video ever! You are amazing! Keep doing things like this.
Thanks a lot from France for your video, this is so simple doing things with your explainations, please never stop ;)
I LOVE anything you make related to Node.js. Thanks always
Thank you! I'm really glad you enjoy my node videos because I love making them.
I always pick up something new from your videos. Thanks
Hello Fireship, I love your 100 seconds videos.
I am very grateful for this tutorial, thank you! My hobby project is one step closer to not being a hobby project.
Let me tell you that it was complicated, but after watching few times, I got the concept and implementation.
God bless you dev. This tutorial was fantastic! I understand what you're saying. You don't dilute it with unnecessary jargon. Thank you very much.
Dude this was the best video I've seen about JWT and how easy you made it to implement.
this is amazing, the way you explain all this concepts make it look easy
That Rest Client plugin is so useful! Works like a charm.
You did a really good job with this video dude. Simple and clean.
Kyle your video inspires me to learn more...and makes easy to understand all the aspects. Thank you so much.
You have such a fantastic way of teaching!
As always: first like button then watching
Hopefully the video doesn't disappoint
@@WebDevSimplified they never do. That's why we undoubtably can like it before watching (also, it's easy to forget to like it after watching).
Thank you, Kyle, for this informative content. I filled many gaps watching your videos and following your advices
u r a great teacher .... u r making my career
Have a good day you too...👍🎊
You just SIMPLIFIED my WEB DEV query in few minutes... ❤️🙏
Thank you bro for this amazing content. Just clean content, no bullshit. Thank you so much.
Owow I just realised I clicked like button while watching just like natural action
I never like most videos I see in general
I must have instinctively like your videos!
Your channel is incredible and so informative! I clicked on the video to learn the best way to handle JWTs and in the first couple of minutes I am already learning about all these different things I didn't even know I didn't know. Do you happen to be an educator at all? It seems like you would be a great lecturer or teacher at a Uni or College.
Thank you so much! I am not a professional educator. I have been offered a job as a University professor before, but I love teaching online so I turned it down.
Thank you very much, Kyle. Your video helped me find a job. Thanks for sharing.
this is a very good starting point, but in my opinion it misses some parts:
- first if the client refreshes, since you are not persisting the refresh token anywhere it will need to login again, and this can be fixed by storing it in a httponly cookie which is still vulnerable,
- second the client part is completely missing, i know the purpose of this is to keep things simple, but then ppl needs to do real stuff. probably the refresh requests should be sent little before the accesstoken expires.
- the array of refresh tokens or the db where you store them, means that we are not differing too much from usual session management which is opinable.
Anyway, yours are very great tutorial, i am wondering what tools you use for registering videos
You have won a subscriber! Good content, thank you for sharing!
great content.since the video is outdated and also you are handling the refresh token manually(u are getting the refresh token through a post request not from the client directly) and does not have expire time,also we like to see how we can implement in react and also with the passport-jwt.we need updated new video on this since you are good at time.ya u deserve 1m subscribers.
Exactly what I was waiting for
Takk!
Amazing! Your content always fascinates me and I learnt many things from you man!
Great pacing, great delivery. Well done!
Another epic from the best dude on youtube ever!! thanks a ton, Kyle!
Thank you!
This video cleared up a lot of things regarding JWT. Thanks a lot!