5 Authentication Patterns Every Node.js Dev Should Know
While most developers focus on which auth library to use, the real game-changer is understanding authentication patterns. Here are 5 battle-tested approaches that'll transform how you think about security in Node.js.
While I was reviewing authentication code for a client project the other day, I realized something troubling. The codebase had excellent libraries—Passport.js, bcrypt, jsonwebtoken—all the right tools. But the authentication pattern itself was fundamentally flawed. They were using JWT tokens without refresh tokens, storing sensitive data in localStorage, and had no strategy for token revocation.
I was once guilty of the same mistake. I spent weeks learning how to implement JWT authentication, reading docs, following tutorials. Little did I know that choosing the right authentication pattern matters far more than mastering any single library.
Why Authentication Architecture Matters More Than Implementation
Here's what I've learned after building auth systems for dozens of applications: the pattern you choose determines your security posture, scalability, and user experience—often for years to come. You can have perfect implementation of a bad pattern and still end up with a security nightmare.
The industry has converged on five core patterns that cover 95% of real-world scenarios. Each has specific trade-offs, and understanding when to use which pattern has saved me countless hours of refactoring. Let's look at these patterns with real code examples.
Pattern 1: Session-Based Authentication with Redis
This is the pattern I reach for when building internal tools or applications where I control both the frontend and backend. Sessions are stateful—the server remembers who you are.
Here's what surprised me when I first implemented this properly: session-based auth is actually more secure than JWT for many use cases because you can invalidate sessions instantly.
import express from 'express';
import session from 'express-session';
import RedisStore from 'connect-redis';
import { createClient } from 'redis';
const app = express();
const redisClient = createClient({ url: 'redis://localhost:6379' });
await redisClient.connect();
app.use(session({
store: new RedisStore({ client: redisClient }),
secret: process.env.SESSION_SECRET,
resave: false,
saveUninitialized: false,
cookie: {
secure: true, // HTTPS only
httpOnly: true, // No JavaScript access
maxAge: 1000 * 60 * 60 * 24 * 7, // 7 days
sameSite: 'strict'
}
}));
app.post('/login', async (req, res) => {
const { email, password } = req.body;
const user = await authenticateUser(email, password);
if (!user) {
return res.status(401).json({ error: 'Invalid credentials' });
}
req.session.userId = user.id;
req.session.email = user.email;
res.json({ message: 'Logged in successfully' });
});
app.post('/logout', (req, res) => {
req.session.destroy((err) => {
if (err) {
return res.status(500).json({ error: 'Logout failed' });
}
res.json({ message: 'Logged out successfully' });
});
});
app.get('/profile', (req, res) => {
if (!req.session.userId) {
return res.status(401).json({ error: 'Not authenticated' });
}
res.json({ userId: req.session.userId, email: req.session.email });
});The key insight here is using Redis instead of in-memory storage. I cannot stress this enough! In-memory sessions break when you scale horizontally. Redis gives you session persistence across multiple servers and instant revocation capabilities.
Pattern 2: JWT with Refresh Token Rotation
When I finally decided to implement JWT properly, I discovered that most tutorials skip the most critical part: refresh token rotation. Without it, you're basically building a security vulnerability.
Here's the pattern I use now:
import jwt from 'jsonwebtoken';
import { randomBytes } from 'crypto';
const ACCESS_TOKEN_SECRET = process.env.ACCESS_TOKEN_SECRET;
const REFRESH_TOKEN_SECRET = process.env.REFRESH_TOKEN_SECRET;
const ACCESS_TOKEN_EXPIRY = '15m';
const REFRESH_TOKEN_EXPIRY = '7d';
interface TokenPair {
accessToken: string;
refreshToken: string;
}
// Store refresh tokens in database with user ID
const refreshTokens = new Map<string, { userId: string, expiresAt: Date }>();
function generateTokenPair(userId: string): TokenPair {
const accessToken = jwt.sign(
{ userId, type: 'access' },
ACCESS_TOKEN_SECRET,
{ expiresIn: ACCESS_TOKEN_EXPIRY }
);
const refreshToken = randomBytes(40).toString('hex');
const expiresAt = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000);
refreshTokens.set(refreshToken, { userId, expiresAt });
return { accessToken, refreshToken };
}
app.post('/token/refresh', async (req, res) => {
const { refreshToken } = req.body;
const tokenData = refreshTokens.get(refreshToken);
if (!tokenData || tokenData.expiresAt < new Date()) {
return res.status(401).json({ error: 'Invalid refresh token' });
}
// Critical: Delete old refresh token (rotation)
refreshTokens.delete(refreshToken);
// Generate new token pair
const tokens = generateTokenPair(tokenData.userId);
res.json(tokens);
});
app.get('/protected', (req, res) => {
const authHeader = req.headers.authorization;
const token = authHeader?.split(' ')[1];
if (!token) {
return res.status(401).json({ error: 'No token provided' });
}
try {
const decoded = jwt.verify(token, ACCESS_TOKEN_SECRET) as { userId: string };
res.json({ data: 'Protected resource', userId: decoded.userId });
} catch (error) {
res.status(401).json({ error: 'Invalid or expired token' });
}
});The rotation mechanism is what makes this secure. Every time a refresh token is used, it's invalidated and a new pair is issued. If someone steals a refresh token, they can only use it once before the legitimate user's next refresh invalidates it.
Pattern 3: OAuth 2.0 with PKCE for Third-Party Identity
Luckily we can offload authentication entirely to providers like Google, GitHub, or Auth0. When I first encountered OAuth, I thought it was overcomplicated. Then I realized it solves a problem I didn't want to solve myself: password management.
The PKCE (Proof Key for Code Exchange) extension is crucial for protecting the authorization code flow:
import crypto from 'crypto';
import axios from 'axios';
function generateCodeVerifier(): string {
return crypto.randomBytes(32).toString('base64url');
}
function generateCodeChallenge(verifier: string): string {
return crypto
.createHash('sha256')
.update(verifier)
.digest('base64url');
}
app.get('/auth/google', (req, res) => {
const codeVerifier = generateCodeVerifier();
const codeChallenge = generateCodeChallenge(codeVerifier);
// Store verifier in session for later verification
req.session.codeVerifier = codeVerifier;
const authUrl = new URL('https://accounts.google.com/o/oauth2/v2/auth');
authUrl.searchParams.set('client_id', process.env.GOOGLE_CLIENT_ID);
authUrl.searchParams.set('redirect_uri', 'http://localhost:3000/auth/google/callback');
authUrl.searchParams.set('response_type', 'code');
authUrl.searchParams.set('scope', 'openid email profile');
authUrl.searchParams.set('code_challenge', codeChallenge);
authUrl.searchParams.set('code_challenge_method', 'S256');
res.redirect(authUrl.toString());
});
app.get('/auth/google/callback', async (req, res) => {
const { code } = req.query;
const codeVerifier = req.session.codeVerifier;
try {
const tokenResponse = await axios.post('https://oauth2.googleapis.com/token', {
client_id: process.env.GOOGLE_CLIENT_ID,
client_secret: process.env.GOOGLE_CLIENT_SECRET,
code,
code_verifier: codeVerifier,
grant_type: 'authorization_code',
redirect_uri: 'http://localhost:3000/auth/google/callback'
});
const { access_token, id_token } = tokenResponse.data;
// Verify and decode id_token to get user info
const userInfo = jwt.decode(id_token);
// Create or update user in your database
// Generate your own session/JWT tokens
res.redirect('/dashboard');
} catch (error) {
res.status(500).json({ error: 'OAuth authentication failed' });
}
});PKCE protects against authorization code interception attacks. Without it, an attacker who intercepts the authorization code could exchange it for tokens.
Pattern 4: API Key Authentication with Rate Limiting
For API-to-API communication, I've found that API keys with proper rate limiting provide the best balance of security and simplicity. This pattern shines when you're building a public API or microservices.
import rateLimit from 'express-rate-limit';
const apiKeys = new Map<string, { userId: string, tier: 'free' | 'pro' }>();
// Rate limiters based on tier
const freeLimiter = rateLimit({
windowMs: 60 * 1000, // 1 minute
max: 10, // 10 requests per minute
message: 'Free tier rate limit exceeded'
});
const proLimiter = rateLimit({
windowMs: 60 * 1000,
max: 100, // 100 requests per minute
message: 'Pro tier rate limit exceeded'
});
function validateApiKey(req, res, next) {
const apiKey = req.headers['x-api-key'];
if (!apiKey) {
return res.status(401).json({ error: 'API key required' });
}
const keyData = apiKeys.get(apiKey);
if (!keyData) {
return res.status(401).json({ error: 'Invalid API key' });
}
req.userId = keyData.userId;
req.tier = keyData.tier;
next();
}
app.use('/api', validateApiKey);
app.get('/api/data', (req, res, next) => {
const limiter = req.tier === 'pro' ? proLimiter : freeLimiter;
limiter(req, res, () => {
res.json({ data: 'Your data here', tier: req.tier });
});
});The beauty of this pattern is its simplicity. No complex OAuth flows, no token refresh logic—just a key that identifies the caller. The rate limiting prevents abuse while allowing different service tiers.
Pattern 5: Passwordless Authentication with Magic Links
This pattern has become my favorite for consumer-facing applications. When I came across passwordless auth, I was skeptical. Then I measured the conversion rates. Wonderful! Users complete signup at 3x the rate compared to traditional password forms.
import nodemailer from 'nodemailer';
import crypto from 'crypto';
const magicTokens = new Map<string, { email: string, expiresAt: Date }>();
const transporter = nodemailer.createTransport({
host: process.env.SMTP_HOST,
port: 587,
secure: false,
auth: {
user: process.env.SMTP_USER,
pass: process.env.SMTP_PASS
}
});
app.post('/auth/magic-link', async (req, res) => {
const { email } = req.body;
const token = crypto.randomBytes(32).toString('hex');
const expiresAt = new Date(Date.now() + 15 * 60 * 1000); // 15 minutes
magicTokens.set(token, { email, expiresAt });
const magicLink = `http://localhost:3000/auth/verify?token=${token}`;
await transporter.sendMail({
from: 'noreply@yourapp.com',
to: email,
subject: 'Your login link',
html: `Click here to login: <a href="${magicLink}">${magicLink}</a>`
});
res.json({ message: 'Magic link sent to your email' });
});
app.get('/auth/verify', async (req, res) => {
const { token } = req.query;
const tokenData = magicTokens.get(token);
if (!tokenData || tokenData.expiresAt < new Date()) {
return res.status(401).json({ error: 'Invalid or expired token' });
}
magicTokens.delete(token);
// Create user session or JWT
const user = await findOrCreateUser(tokenData.email);
req.session.userId = user.id;
res.redirect('/dashboard');
});The security model here is fascinating. Instead of relying on a password the user might reuse across sites, we rely on email account security. In other words, if someone controls your email, they control all your accounts anyway.
Choosing the Right Pattern: Decision Matrix
After implementing all five patterns across different projects, here's what I've learned about when to use each:
Use Session-Based when you control both frontend and backend, need instant revocation, and don't need to support mobile apps. Perfect for admin dashboards and internal tools.
Use JWT with Refresh Tokens when building APIs consumed by multiple clients (web, mobile, desktop). The stateless nature scales beautifully, but you sacrifice instant revocation.
Use OAuth 2.0 when you don't want to handle passwords, need social login, or want enterprise SSO. Let someone else deal with credential management.
Use API Keys for server-to-server communication, public APIs, or IoT devices. Simple, fast, and easy to rotate.
Use Magic Links for consumer apps where conversion rate matters more than immediate access. Users love the simplicity.
Defense-in-Depth: Combining Patterns for Maximum Security
Here's what really transformed my thinking about authentication: you don't have to choose just one pattern. The most secure systems I've built combine multiple patterns.
For example, use OAuth for initial signup and passwordless magic links for returning users. Or use JWT for your main application but API keys for webhook endpoints. Or sessions for web clients and JWT for mobile apps.
The critical insight is that each pattern solves specific problems. Understanding these patterns gives you the vocabulary to design authentication systems that actually match your security requirements.
I've seen too many developers cargo-cult JWT into every project because "that's what everyone uses." Or worse, roll their own authentication because "it's just a few endpoints." Both approaches miss the point. Authentication is about choosing the right pattern for your context, implementing it correctly, and layering security controls.
And that concludes the end of this post! I hope you found this valuable and look out for more in the future!