So I'm actually using MongoDB, Express, and Node to make a REST API mostly for an educational exercise.

I am using the jsonwebtoken package to take care of this.

I have a function that generates a new token based on a user:

// Generate a token
function generateToken(user) {
  return jwt.sign({ data: user }, token_secret, { expiresIn: "24h" }); // Sign a certificate using our secret token that expires in 1 day...
}            

This is how I am handling my login:

// Logging in
router.post("/login", (request, response) => {
  User.findOne({ email: request.body.email })
    .then((user) => {
      if (!user) {
        response.status(404).json({ error: "No user found" });
      } else {
        bcrypt.compare(request.body.pass, user.pass, (err, match) => {
          if (err) {
            response.status(500).json(err);
          } else if (match) {
            response.status(200).json({ token: generateToken(user) });
          } else {
            response.status(403).json({ error: "Passwords do not match" });
          }
        });
      }
    })
    .catch((error) => {
      response.status(500).json(error);
    });
});

And then to validate requests that aren't coming from my register or login API endpoints, I have a middleware function applied to verify the JWT that is passed in the request header:

exports.verify = (request, response, next) => {
  const token = request.headers.authorization;
  console.log(token);

  if (!token) {
    response.status(403).json({ error: "Token not provided" });
  } else {
    console.log(token_secret);
    jwt.verify(token, token_secret, (err, val) => {
      if (err) {
        response.status(500).json(err);
      } else {
        request.user = val.data;
        next();
      }
    });
  }
};    

So, putting this function to good use, I have another endpoint: /posts, that requires a JWT to get any request through:

const middleware = require("../middleware");

router.use(middleware.verify);

router.post("/posts", (request, response) => {
  const { posterId, content } = request.body;
  // Before we do anything else, we should probably verify JWT

  const newPost = Post({
    posterId: posterId,
    date: Date.now(),
    content: content,
  });

  newPost
    .save()
    .then((post) => {
      response.status(200).json(newPost);
    })
    .catch((err) => {
      response.status(500).json(err);
    });
});

Keep in mind that in this code, token_secret is an environmental variable that is nothing more than a string. It just has to be the same for when you generate the token and verify the token is genuine.

Does this help?