JWT or Passport or Both for Authentication?

Hi guys,

I’m working on a MERN project and I’m now on the authentication part of it. I originally planned on using JWT because I’ve never used it before, but after reading more into JWT it seems that it’s not secure. I have used Passport before and believe it’s considered to be more secure. Also, I have read in certain articles that JWT and Passport can be used together.

What would be a good example for each option?

I think I will switch over to Passport and get rid of JWT, but should I consider finding a way to use both? Would it be overkill? Should I just use Passport alone?

If using both is a good idea do you know of a tutorial for a MERN project?

Is there another method I should consider? Any references or tutorials?

What do you use/prefer? Any other thoughts?


JWT isn’t an auth mechanism itself; it’s just a standardised way to securely exchange credentials in the form of a [json-encoded] token. It is something you use as the basis for an authorisation (or authentication) strategy.

Passport is a way to dump basically any given authorisation strategy into a Node app as middleware: just a way of avoiding having to manually wire everything together yourself, and also allowing you to add/remove/swap out strategies. Passport itself doesn’t do {auth thing} on its own.

So, e.g., you could integrate some JWT-based auth strategy into your Node app using Passport.

Thanks for the information.

Do you know of a tutorial that uses both?

I’m new to everything authentication and security so I still get confused. I just want my project to be secure as possible.

I can’t recommend anything specifically, but if you Google “node passport jwt”, there are a vast number of results which seem to fit exactly what you’re asking for.

Passport is used by installing the base library + a plug-in or plugins for the strategy/strategies you want to use. There are hundreds of strategy plugins, the basic JWT one is one of the most popular by the looks of things.

Just as an aside: learn how to set this stuff up, but if you have a real thing with real users then just use an auth provider if you can (for example, Google’s Firebase). An auth flow using the basic primitives, done properly, in a real app, for an organisation, tested etc.: that’s gonna be maybe ~3 months’ work. A turnkey solution using a trusted provider is maybe going to take a day or two, and you can be extremely confident that it’ll work.

Thank you! I was able to find a youtuber named Dave Gray and he has a lot of helpful videos for this.
