What is JWT Authentication?

JWT (JSON Web Token) is a secure, compact way to authenticate API requests. Mock API Builder simulates real JWT authentication flows, allowing you to test your application's authentication logic without setting up a backend.

Realistic Flow

Token Expiration

Tokens expire after 7 days by default, simulating real-world security

Protected Routes

Mark endpoints as protected—requires valid JWT to access

How JWT Authentication Works

The Authentication Flow

User Logs In

POST credentials to the /auth/login endpoint

Receive JWT Token

Server returns a signed JWT token that expires in 7 days

Store Token

Client stores token securely (localStorage, sessionStorage, or cookies)

Include in Requests

Add token to Authorization header for protected endpoints

Verification

Server validates token and grants or denies access

Login Endpoint

POST /auth/login

Request Body:

json

Success Response (200):

json

Error Response (401):

json

Mock Credentials

For testing, you can use any email/password combination. The mock API will accept any credentials and return a valid token.

In production, you would validate against a real user database.

Using JWT Tokens in Requests

Authorization Header Format

Include the JWT token in the Authorization header using the Bearer scheme:

cURL Example:

bash

JavaScript fetch():

javascript

Axios Example:

javascript

Protecting Endpoints

Enable Authentication for Endpoints

Mark endpoints as "protected" to require JWT authentication:

Step-by-Step:

1. Navigate to your endpoint in the project dashboard
2. Click "Edit Endpoint"
3. Toggle "Require Authentication"
4. Save changes

What Happens:

Requests without a token → 401 Unauthorized
Requests with invalid token → 401 Unauthorized
Requests with expired token → 401 Token Expired
Requests with valid token → 200 OK (or appropriate status)

Unauthorized Response

json

Token Expired Response

json

JWT Token Structure

Understanding the Token

A JWT consists of three parts separated by dots:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyXzEyMyIsImVtYWlsIjoidXNlckBleGFtcGxlLmNvbSJ9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Part 1: Header

Contains the token type (JWT) and hashing algorithm (HS256)

json

Part 2: Payload

Contains the user data and claims

json

Part 3: Signature

Verifies the token hasn't been tampered with

Complete Authentication Example

React Login Flow

javascript

Common Use Cases

User Dashboard Applications

Build and test login flows for SaaS applications, admin panels, or user portals before connecting to a real authentication system.

Mobile App Development

Test authentication in iOS and Android apps without waiting for backend APIs. Store tokens securely using platform-specific storage.

Testing Token Expiration

Verify your app handles expired tokens correctly by testing with tokens that are set to expire soon. Ensure users are redirected to login when tokens expire.

Best Practices

Store tokens securely using httpOnly cookies when possible, or secure storage APIs
Always use HTTPS in production to prevent token interception
Handle token expiration gracefully by redirecting users to login
Include tokens in Authorization header rather than URL parameters
Clear tokens on logout to prevent unauthorized access
Validate tokens on every protected request to ensure they're still valid
Test both success and failure scenarios including invalid credentials and expired tokens

What is JWT Authentication?

Realistic Flow

Token Expiration

Tokens expire after 7 days by default, simulating real-world security

Protected Routes

Mark endpoints as protected—requires valid JWT to access

How JWT Authentication Works

The Authentication Flow

User Logs In

POST credentials to the /auth/login endpoint

Receive JWT Token

Server returns a signed JWT token that expires in 7 days

Store Token

Client stores token securely (localStorage, sessionStorage, or cookies)

Include in Requests

Add token to Authorization header for protected endpoints

Verification

Server validates token and grants or denies access

Protecting Endpoints

Enable Authentication for Endpoints

Mark endpoints as "protected" to require JWT authentication:

Step-by-Step:

1. Navigate to your endpoint in the project dashboard
2. Click "Edit Endpoint"
3. Toggle "Require Authentication"
4. Save changes

What Happens:

Requests without a token → 401 Unauthorized
Requests with invalid token → 401 Unauthorized
Requests with expired token → 401 Token Expired
Requests with valid token → 200 OK (or appropriate status)

Unauthorized Response

json

Token Expired Response

json

JWT Token Structure

Understanding the Token

A JWT consists of three parts separated by dots:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyXzEyMyIsImVtYWlsIjoidXNlckBleGFtcGxlLmNvbSJ9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Part 1: Header

Contains the token type (JWT) and hashing algorithm (HS256)

json

Part 2: Payload

Contains the user data and claims

json

Part 3: Signature

Verifies the token hasn't been tampered with

Common Use Cases

User Dashboard Applications

Build and test login flows for SaaS applications, admin panels, or user portals before connecting to a real authentication system.

Mobile App Development

Test authentication in iOS and Android apps without waiting for backend APIs. Store tokens securely using platform-specific storage.

Testing Token Expiration

Verify your app handles expired tokens correctly by testing with tokens that are set to expire soon. Ensure users are redirected to login when tokens expire.

Best Practices

Store tokens securely using httpOnly cookies when possible, or secure storage APIs
Always use HTTPS in production to prevent token interception
Handle token expiration gracefully by redirecting users to login
Include tokens in Authorization header rather than URL parameters
Clear tokens on logout to prevent unauthorized access
Validate tokens on every protected request to ensure they're still valid
Test both success and failure scenarios including invalid credentials and expired tokens

JWT Authentication & Authorization

What is JWT Authentication?

How JWT Authentication Works

User Logs In

Receive JWT Token

Store Token

Include in Requests

Verification

Login Endpoint

Request Body:

Success Response (200):

Error Response (401):

Mock Credentials

Using JWT Tokens in Requests

cURL Example:

JavaScript fetch():

Axios Example:

Protecting Endpoints

Step-by-Step:

What Happens:

JWT Token Structure

Part 1: Header

Part 2: Payload

Part 3: Signature

Complete Authentication Example

Common Use Cases

Best Practices

JWT Authentication & Authorization

What is JWT Authentication?

How JWT Authentication Works

User Logs In

Receive JWT Token

Store Token

Include in Requests

Verification

Login Endpoint

Request Body:

Success Response (200):

Error Response (401):

Mock Credentials

Using JWT Tokens in Requests

cURL Example:

JavaScript fetch():

Axios Example:

Protecting Endpoints

Step-by-Step:

What Happens:

JWT Token Structure

Part 1: Header

Part 2: Payload

Part 3: Signature

Complete Authentication Example

Common Use Cases

Best Practices