Auth in Hapi with JWT

Marcos Bérgamo
Dec 11, 2015 · 3 min read


The new buzz word is JWT(JSON Web Token)[I know, is not so new now :( ]. Well, this cool approach for send and consume an information easily with an encode for "security".

So, Hapi have an awesome auth system where you can create a lot of auth types, for you use when is required for that case, for example, internally you can use a JWT and for external connection an Hawk, Basic Auth, or an OAuth auth. You can have one for case you need, but in this case we'll talk about JWT auth!

The Road

I really don't want to entry in the internals about the auth system in Hapi, but show how you can implementing Hapi + JWT for authenticate your users and distribute a token for retrieve information.

My favorite plugin for that is hapi-auth-jwt2. You maybe are asking: "Why jwt2?" this is simple because "hapi-auth-jwt" was taken :p

This is my implementation of hapi-auth-jwt2, this code consist in two "big" functions.

registerAuth is the registry function in Hapi, that configuring the plugin with your settings.

You must passing an object with key value to be an "secretKey" for your JWT validating if the token is trusted.

validateFunc is a function that is called every time a request is received and you business rules validate if the token is valid.

verifyOptions is an Object with some options for JWT internals, but I only use the algorithms for setting it, you can see more here.

The second "big" function is the validate function. This function is used in validateFunc.

In that function, we receive an decoded JWT and a request interface and a callback.

My case is so simple, my JWT is the ID of the user in database, so just find the user's ID and if the ID is valid, we can continue or not, YOU SHALL NOT PASS!

But Marcos, you don't show me how I can generate the JWT to send for my clients. Just see bellow Padawan!

When a user is created or just logged in, we send the token for our users.

Because when you create your account is very useful(and cool) when the site redirect you already logged(IMO).

And in my function getToken I just use the module jsonwebtoken for sign the token with the ID.

If you want to use scopes for require a specific role for this route, you can pass in JWT an array with the user's roles.(In a soon post, I'll talk about it! *-*)

getToken, set the secretKey, equal than our previously secretKey in our auth plugin above. (If you specify a different secretKey, the plugin cannot trust your token)

In jwt.sign function, you need pass the object that you want to encode in a JWT, your secretKey and options for your JWT. In my case I just set expiresIn with 18 hours.

And thats all folks! Simple and Cool!

You can see this authenticate schema implemented in my boilerplate project called start-hapiness.


If you want to use JWT please, never, I said NEVER send sensitive informations here, because JWT is not encrypted, is just encoded you can encrypt it with a RSA key stored the User's model or something like that, but NEVER send passwords or other sensitive informations.

Because JWT is just encoded, if you've an token, you can see the content easily like this:

This token is extracted from JWT's site, you can see the real content there.

Thanks folks

I need to say Thank you folks for seeing, replying and recommend my post. It's very gratifying to know that I’m helping someone with my posts.


Marcos Bérgamo

Written by

Just another developer who want to change the world

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade