express-jwt vs. jsonwebtoken

Question

I have a feeling this is going to be a quick answer, but I can't seem to find any great definitive answers on the web - what is the difference between the jsonwebtoken npm package and the express-jwt npm package? I think express-jwt is written on top of jsonwebtoken and simply verifies incoming tokens and sets req.user to the user payload on the JWT.

Is that correct? Sorry if this is a total noob question... I just started learning authentication and node/express, so it's all pretty new to me.

Answer 1

Coming back to this many months later. In case it's helpful to anyone, express-jwt is built on top of the jsonwebtoken package and does a bunch of additional cool things. You still use jsonwebtoken to sign and verify your JWTs, but express-jwt helps you protect routes, checks JWTs against a secret, and creates a req.user from the payload of the token if it can verify it.

tl;dr: express-jwt uses jsonwebtoken in its own code and adds additional neatness.

Answer 2

Express-JWT is just a library for Express that validates/signs json web tokens whcih can be used with the express web server (middleware). JsonWebTokens is just another implementation of json web tokens. There are many other JWT token libraries you can implement with node. Express-jwt is just one of those. They both essentially do the same thing and you can use either or. None are built on top of each other, they are build using the JWT standard. Choose the one which best suites your requirements.