#30DaysOfAppwrite : JWT Support in Appwrite

#30DaysOfAppwrite : JWT Support in Appwrite
May 26, 2021 - Originally posted on Dev.to


#30DaysOfAppwrite is a month long event focused at giving developers a walk through of all of Appwrite's features, starting from the basics to more advanced features like Cloud Functions! Alongside we will also be building a fully featured Medium Clone to demonstrate how these concepts can be applied when building a real world app. We also have some exciting prizes for developers who follow along with us!

What is a JWT

JWT (JSON Web Token) is a standard used to create access tokens for an application. It works this way: the server generates a token that certifies the user identity, and sends it to the client. The client will send the token back to the server for every subsequent request, so the server knows the request comes from a particular identity.

A well-formed JWT consists of three concatenated Base64 url-encoded strings, separated by dots (.):

  • Header: contains metadata about the type of token and the cryptographic algorithms used to secure its contents.
  • Payload: contains verifiable security statements, such as the identity of the user and the permissions they are allowed.
  • Signature: used to validate that the token is trustworthy and has not been tampered with.


This architecture proves to be very effective in modern Web Apps, where after the user is authenticated we perform API requests either to a REST or a GraphQL API.

Anyway, it is not always recommended to use JWTs for sessions. Using a regular server-side session combined with Cookies is usually much more efficient and less prone to data exposure.

So, why do we need a JWT then?

In the modern web, you will often have several entities communicating with each other. Certain features will naturally be restricted and require some sort of authorization mechanism. At Appwrite we are using Cookies for the Client Side to communicate with the Backend.

Using a JWT, you will be able to authorize the user on the Server-Side within a Cloud Function, Microservice or SSR.

Create a JWT

Version 0.8 of Appwrite introduced JWT and it's really easy to generate using the Web or Flutter SDK. Because JWTs are used for authentication and authorisation - we can only generate them when we are authenticated.


appwrite.account.createJWT().then(response => {
    console.log(response); // Success
}, error => {
    console.log(error); // Failure
Enter fullscreen mode Exit fullscreen mode


account.createJWT().then((response) {
}).catchError((error) {
Enter fullscreen mode Exit fullscreen mode

The createJWT() method will receive an object like this:

  jwt: "eyJhbGciOiJIUzI1NiIsInR5cCI6I..."
Enter fullscreen mode Exit fullscreen mode

This JWT will be valid for 15 minutes and can only be generated 10 times in every 60 minutes per user account.

JWT with Server SDK

Now that we can get our hands on a JWT, we can use it to do actions on the Server on behalf of a user without needing to login or providing an API Key.

For demonstration let's try to get our current User with a Node.js script:

mkdir appwrite-jwt-test
cd appwrite-jwt-test
npm init -y
Enter fullscreen mode Exit fullscreen mode

Now add node-appwrite as a dependency:

npm install node-appwrite
Enter fullscreen mode Exit fullscreen mode

Create index.js file and put in following content:

const appwrite = require('node-appwrite');
const client = new appwrite.Client();
const account = new appwrite.Account(client);

    .setEndpoint("[ENDPOINT]") // Your API Endpoint
    .setProject("[PROJECT_ID]") // Your project ID
    .setJWT("[INSERT_JWT_HERE]") // Your users JWT

account.get().then(r => console.log(r));
Enter fullscreen mode Exit fullscreen mode

Remember to fill out the endpoint, project ID and JWT. Keep in mind that a JWT is only valid for 15 minutes after generation.

Now we can execute this file with node index.js and if everything went well, we should see our user's object 👏

JWT With Cloud Functions

Remember from Day 23, that users can execute Cloud Functions over the Rest API? If a user does this, the Cloud Function will be passed a JWT in the APPWRITE_FUNCTION_JWT environment variable by default for the user who executed the function.

This way we don't even have to create a JWT from the client side and pass it around 🎉


With release 3.0.0 of the Web SDK for Appwrite, we have refactored it to be isomorphic. This is important in the ecosystem of JavaScript - since with the rising popularity of SSR, libraries need to work in the Browser - as well as on the Server Side with Node.js.

That's why we have added the setJWT(jwt) method, found in the Server SDK, to the Web SDK as well - which allows developers to use the same SDK for Client and Server Side actions with Frameworks like Next.js, Nuxt.js and Svelte Kit.


We hope you liked this write up. You can follow #30DaysOfAppwrite on Social Media to keep up with all of our posts. The complete event timeline can be found here

Feel free to reach out to us on Discord if you would like to learn more about Appwrite, Aliens or Unicorns 🦄. Stay tuned for tomorrow's article! Until then 👋