
This package has been deprecated

Author message:



1.0.6 • Public • Published

Feathers Passport-JWT


feathers-passport-jwt adds shared PassportJS authentication for Feathers HTTP REST and websockets services using JSON Web Tokens.


If you are using the default options, setting up JWT auth for your Feathers app is as simple as the below example. Note: You must set up the body-parser module before setting up feathers-passport-jwt.

var feathers = require('feathers');
var hooks = require('feathers-hooks');
var bodyParser = require('body-parser');
var feathersPassportJwt = require('feathers-passport-jwt');
var mongooseService = require('feathers-mongoose');

var app = feathers()
  .configure(feathers.rest())
  .configure(feathers.socketio())
  .configure(hooks())
  // body-parser must be set up before feathers-passport-jwt
  .use(bodyParser.urlencoded({ extended: true }))
  // Configure feathers-passport-jwt
  .configure(feathersPassportJwt({
    secret: 'feathers-rocks'
  }))
  .use('/api/users', mongooseService({
    schema: {
      email: {type: String, required: true, unique: true },
      password: {type: String, required: true },
      admin: {type: Boolean, default: false }
    },
    before: {
      // Hash the 'password' field before a user is stored
      create: [feathersPassportJwt.hashPassword('password')]
    }
  }));

REST Requests

Authenticated REST requests must have an Authorization header in the format 'Bearer <token>', where <token> is the JWT. For example:

Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IklseWEgRmFkZWV2IiwiYWRtaW4iOnRydWV9.YiG9JdVVm6Pvpqj8jDT5bMxsm0gwoQTOaZOLI-QfSNc

Websocket Connections

In order to authenticate a Websocket connection, you must first obtain a token using an Ajax request to your loginEndpoint. You then include that token in the request. The example below is for Socket.io, but the same query key can be passed to Primus.

var socket = io('', {
    // Assuming you've already saved a token to localStorage.
    query: 'token=' + localStorage.getItem('featherstoken'),
    transports: ['websocket'], // optional, see below
    forceNew: true             // optional, see below
});

In the above example, the transports key is only needed if you need to force the browser to use only websockets. The forceNew key is only needed if you have previously opened an unauthenticated Websocket connection and now want to start an authenticated one.


The following options are available:

  • secret required - The secret used to sign tokens. The tokens are signed, not encrypted, so their payload can be read by anyone who holds one.
  • userEndpoint - The api endpoint used to look up the user service. The default is '/api/users'.
  • loginEndpoint - The url for posting the username and password during login. The default is /api/login.
  • usernameField - The database field containing the username on the user service. The default is username.
  • passwordField - The database field containing the password on the user service. The default is password.
  • loginError - The message to return for invalid login. Default is 'Invalid login.'
  • jwtOptions - Used to customize the configuration for the jsonwebtoken library. See the API
  • jwtOptions.expiresIn - The number of seconds until the token expires. Default is 36000 (10 hours).
  • strategy - Allows you to pass a custom strategy to use for local auth. The default strategy should fit most projects.
  • passport (default: require('passport')) - The passport module
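
What a server-side check of the 'Bearer <token>' header from the REST Requests section involves, using the secret and jwtOptions.expiresIn options listed above. This is an added example built on Node's crypto module, not code from feathers-passport-jwt (which relies on the jsonwebtoken library); the function names and the nowMs parameter are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// base64url helpers (JWT segments are unpadded base64url).
const b64url = (buf) => Buffer.from(buf).toString('base64')
  .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
const fromB64url = (s) => Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
const hmac = (data, secret) =>
  b64url(crypto.createHmac('sha256', secret).update(data).digest());

// Issue an HS256 token; expiresIn is in seconds, like jwtOptions.expiresIn.
// nowMs is a hypothetical parameter that makes the clock injectable.
function sign(payload, secret, expiresIn, nowMs) {
  const iat = Math.floor((nowMs || Date.now()) / 1000);
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(
    Object.assign({}, payload, { iat: iat, exp: iat + expiresIn })));
  return head + '.' + body + '.' + hmac(head + '.' + body, secret);
}

// Claims are only encoded: anyone holding a token can read them without the secret.
function decodePayload(token) {
  return JSON.parse(fromB64url(token.split('.')[1]).toString('utf8'));
}

// Check an Authorization header value: format, pinned algorithm, signature, expiry.
function verifyBearer(headerValue, secret, nowMs) {
  const m = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(headerValue || '');
  if (!m) return { ok: false, reason: 'malformed' };
  let header;
  try { header = JSON.parse(fromB64url(m[1]).toString('utf8')); }
  catch (e) { return { ok: false, reason: 'malformed' }; }
  // Pin the algorithm instead of letting the token's own alg field choose the check.
  if (!header || header.alg !== 'HS256') return { ok: false, reason: 'bad alg' };
  const expected = Buffer.from(hmac(m[1] + '.' + m[2], secret));
  const given = Buffer.from(m[3]);
  if (expected.length !== given.length || !crypto.timingSafeEqual(expected, given)) {
    return { ok: false, reason: 'bad signature' };
  }
  const claims = JSON.parse(fromB64url(m[2]).toString('utf8'));
  const now = Math.floor((nowMs || Date.now()) / 1000);
  if (typeof claims.exp !== 'number' || claims.exp <= now) {
    return { ok: false, reason: 'expired' };
  }
  return { ok: true, claims: claims };
}

// The example token printed in the REST Requests section of this page.
const PAGE_TOKEN = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IklseWEgRmFkZWV2IiwiYWRtaW4iOnRydWV9.YiG9JdVVm6Pvpqj8jDT5bMxsm0gwoQTOaZOLI-QfSNc';
console.log(decodePayload(PAGE_TOKEN));
```

decodePayload(PAGE_TOKEN) returns the claims of the page's example token without any secret, so nothing confidential belongs in a token payload.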


The following shows a commented example for an application using local authentication with a Feathers user service:

var feathers = require('feathers');
var passport = require('passport');
var hooks = require('feathers-hooks');
var memory = require('feathers-memory');
var bodyParser = require('body-parser');
var feathersPassportJwt = require('feathers-passport-jwt');
var hashPassword = feathersPassportJwt.hashPassword;

// Initialize the application
var app = feathers()
  .configure(feathers.rest())
  .configure(feathers.socketio())
  .configure(hooks())
  // Needed for parsing bodies (login)
  .use(bodyParser.urlencoded({ extended: true }))
  // Configure feathers-passport-jwt
  .configure(feathersPassportJwt({
    secret: 'feathers-rocks'
  }))
  // Initialize a user service
  .use('/api/users', memory())
  // A simple Todos service that we can use for testing
  .use('/todos', {
    get: function(id, params, callback) {
      callback(null, {
        id: id,
        text: 'You have to do ' + id + '!',
        user: params.user
      });
    }
  })
  .use('/', feathers.static(__dirname));

var userService = app.service('/api/users');

// Add a hook to the user service that automatically replaces
// the password with a hash of the password before saving it.
userService.before({
  create: hashPassword()
});

// Create a user that we can use to log in
userService.create({
  username: 'feathers',
  password: 'secret'
}, {}, function(error, user) {
  console.log('Created default user', user);
});

Add a login.html with an HTML form that lets our user log in:

<!DOCTYPE html>
<html>
<head lang="en">
  <meta charset="UTF-8">
</head>
<body>
  <!-- Posts to the default loginEndpoint -->
  <form action="/api/login" method="post">
      <input type="text" name="username"/>
      <input type="password" name="password"/>
      <input type="submit" value="Log In"/>
  </form>
</body>
</html>



  • Initial release



Copyright (c) 2015 Marshall Thompson

Licensed under the MIT license.

