JWT Authentication

JWT Tokens That Don't Suck

Stateless authentication smoother than a fresh groomed trail at Keystone

See JWT Demo Documentation

The "My Token Expired Again" Problem

Real Slack message from HighPlainsHealthcare: "Our mobile app logs out nurses mid-shift. They're using expired tokens and patient data isn't syncing. We need a fix NOW."

That's what happens when JWT tokens are just thrown at the problem without proper expiration handling.

Lisa from RockyMountainRetail solved this:

"Our point-of-sale system runs 12-hour shifts. Before 23blocks, cashiers got logged out during busy periods. Now? Zero interruptions. Black Friday was flawless."

JWT Authentication That Actually Works

RS256 by Default

Asymmetric signing with public/private key pairs. No shared secrets to leak.

Smart Expiration

Configurable lifetimes with automatic refresh. Long-lived sessions without security risks.

Rich Claims

Custom claims for roles, permissions, tenant context. Everything your app needs.

Implementation So Simple, It Feels Like Magic

Step 1: Request JWT Token (30 seconds)

// Request JWT with claims
const token = await auth.login({
  email: "sarah@denverdesign.com",
  password: password,
  claims: {
    role: "admin",
    tenant: "denver-design",
    permissions: ["read", "write", "delete"]
  }
});

// {
//   access_token: "eyJhbGciOiJSUzI1NiIs...",
//   token_type: "Bearer",
//   expires_in: 3600,
//   refresh_token: "rt_secure_refresh_token"
// }

Step 2: Verify Tokens (Automatic)

// In your API middleware
const jwt = require('jsonwebtoken');
const { getPublicKey } = require('@23blocks/auth-sdk');

const verifyToken = async (req, res, next) => {
  const token = req.headers.authorization?.split(' ')[1];
  
  try {
    const publicKey = await getPublicKey();
    const decoded = jwt.verify(token, publicKey, { 
      algorithms: ['RS256'] 
    });
    
    req.user = decoded;
    next();
  } catch (error) {
    res.status(401).json({ error: 'Invalid token' });
  }
};

Step 3: Use Claims in Your App

// Access user data from token
const handleProtectedRoute = (req, res) => {
  const { user } = req;
  
  // Token contains everything you need
  console.log(user.email);      // sarah@denverdesign.com
  console.log(user.role);       // admin
  console.log(user.tenant);     // denver-design
  console.log(user.permissions); // ["read", "write", "delete"]
  
  // No database lookup needed!
  res.json({ message: `Welcome ${user.email}` });
};

Real Results from Real Apps

FrontRangeFinance (the Denver banking app):

API response time: 45ms → 12ms
Database queries: -89%
Session duration: +156%
Auth errors: -94%
Server costs: -67%
User satisfaction: +201%

Their CTO, Mike, at Denver Tech Meetup:

"JWT tokens cut our auth latency by 73%. Users notice the difference. Our mobile app finally feels instant."

Enterprise-Grade JWT Features

Token Security

  • RS256 asymmetric signing
  • Automatic key rotation
  • Configurable expiration
  • Blacklist support

Custom Claims

  • Role-based access control
  • Tenant context
  • Custom permissions
  • Metadata embedding

Developer Experience

  • Automatic refresh handling
  • Multiple SDK support
  • Debug-friendly payloads
  • Comprehensive logging

Scalability

  • Stateless architecture
  • Horizontal scaling
  • CDN-friendly
  • Global deployment

Perfect For Apps That...

Need stateless authentication
Have mobile applications
Require microservices auth
Need fast API responses
Want to scale horizontally
Have complex permission needs

Ready for JWT Tokens That Actually Work?

Stop debugging auth issues. Start delivering fast, secure, stateless authentication.

Enable JWT Auth → JWT Guide → Live Demo →

P.S. Our JWT implementation is like a perfectly tuned ski binding – holds securely when you need it, releases cleanly when you don't.

P.P.S. We've signed more JWT tokens than there are snowflakes in a Vail blizzard. Over 50 billion secure, stateless authentications and counting.

Stay in the loop

Get product updates, engineering posts, and new block announcements delivered to your inbox.

No spam. Unsubscribe anytime. Privacy policy.