If you are building a web application or working on client’s project which need to have better authentication method, So most probably you will go for JWT or OAuth. But do you know What exactly you should use? Both are authentication methods use to secure the user information inside the application. But they both have some differences in their usage. What are they ?

In this article we gonna see the practice difference between JWT & OAuth. And Which is suitable for your project application So lets Begin.

Topic Covered

JWT

1. What is JWT?
2. Why JWTs?
3. How to use JWT?

OAuth

1. What is OAuth
2. Why OAuth
3. How to use OAuth

What is JWT ?

JWT (JSON Web Token) is a secure way to send information between two parties as a small, encoded text. It's often used to log users in and keep them logged in without saving their session on the server.

The information contained in a JWT is encoded as a JSON object, which is then digitally signed using a cryptographic algorithm to ensure its veracity. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

They Consist of three parts -

1. Header - consist of type of Token which is JWT and the signing algorithm 
2. Payload - Typically consist of User information and additional metadata (Title, Description, Email)
3. Signature -It checks that the token is from the right sender and that it hasn’t been changed.

Why JWTs ? Practical approach

Even though we checked the token and got the user's name from the backend, we didn't save that information. So if the user refreshes the page, they’ll be logged out. Also, other API requests won’t include any login info, so the APIs can’t restrict access properly.

Another way to persist the authentication information is to create a session in backend using express-session package (Express-js framework). By adding property req.session the variable like UserID and Email can be retrieved.

The middleware keeps a record (in memory) that connects the session data to a cookie. This cookie is automatically sent to the browser, helping track the user's session.

But for some reasons such memory session is not get considered.

1. If there are multiple server instances (for scaling or reliability), they won’t share session data. This means users might have to sign in separately on each server.

2. The session data is encoded in a way that makes it unreadable and hard to share between different services, especially if they use different languages or technologies.

3. If the server restarts, the login session will be lost and the user will have to log in again.

How to use JWT ?

Installation

 npm install express jsonwebtoken

Express.js app

 const express = require('express');
const jwt = require('jsonwebtoken');

const app = express();
app.use(express.json());

const SECRET_KEY = 'your_secret_key';

// Dummy login route to generate JWT
app.post('/login', (req, res) => {
  const user = { id: 1, name: 'John' }; // pretend user is logged in
  const token = jwt.sign(user, SECRET_KEY, { expiresIn: '1h' });
  res.json({ token });
});

// Protected route
app.get('/profile', (req, res) => {
  const authHeader = req.headers.authorization;
  if (!authHeader) return res.status(401).send('No token');

  const token = authHeader.split(' ')[1];
  jwt.verify(token, SECRET_KEY, (err, user) => {
    if (err) return res.status(403).send('Invalid token');
    res.json({ message: 'Welcome!', user });
  });
});

app.listen(3000, () => console.log('Server running on port 3000'));

Send a POST to /login → get a token.

Use that token as a header:

Authorization: Bearer

Send a GET to /profile → you’ll get the protected data.

OAuth

OAuth is a way for apps to safely access your information from another service without needing your password.

In general, when a media platform provides its services through an API, it often uses OAuth for secure user authentication and access. Simply if we consider login with Google, OAuth 2 is being use in this process.

Why OAuth?

OAuth should be used because it allows users to give apps limited access to their data without sharing passwords. It’s secure, flexible, and helps prevent unauthorized access to user accounts.

If you are implementing login with Google feature in your application then in this case you will not have to take password from the user. Simply you will take users details like name, email etc-provided by the google in response and will store in your database.

How to use OAuth

As it is industry. Standard protocol for authorization various companies like google/Facebook etc provides the user details (Name, Email etc) to the app when user get logged in via  these platforms.

If you have created api service where user can use your platform via apis like (Imgur-image stroking platform) then you will have to use OAuth to authenticate the user.

Every service platform used this OAuth in different way but most of the things will be same.

Example

Sign in with Google/Facebook

-User clicks “Login with Google/Facebook/etc.”
-The app sends the user to the OAuth provider (like Google).
-User logs in and approves access.
-The OAuth provider sends back a code to your app.
-Your app exchanges the code for an access token.
-Your app uses the access token to access user data (like name, email).

This way, the app gets limited access — without ever knowing the user's password.

Imgur platform api service - Image sharing platform

If you want to use Imgur platform for storing  your website images then you will have to provide access token for use validation where OAuth 2.0 is playing the role.

1. Provide Client ID and Client Secrete (provided by Imgur for your account after registering the app) to get access token.
2. While Uploading the image file on Imgur through api request, apply this access-token in a header.
3. If everything Is good, you will get success response with some other parameters.

JWT vs OAuth (Simple Difference)

Both are used for user authentication, but in different situations.

•  JWT: Used when your app talks to your own API (same system).
• OAuth: Used when others use your API or when your app connects to external services (like Google, Facebook, etc.).

Conclusion

In this article, we learned about JWT and OAuth, how they work, when to use them, and the different scenarios where each is most suitable.