Minimal JWT authentication playground built on Node.js, Elysia, and HttpOnly cookies, with a modern Tailwind CSS UI.
- Uses Elysia as the HTTP framework with
@elysiajs/nodeadapter - Fully JWT-based authentication with access + refresh tokens
- HttpOnly cookies for secure token storage
- Tailwind CSS for responsive, modern UI
- Fully written in TypeScript for type safety
- Single-file frontend served via Elysia — no build tools required
- Frontend is a single-page application (SPA) served directly by Elysia, requiring no frontend build tools.
- Install dependencies:
npm install- Run the server:
npm run dev- Open in your browser:
- Login / logout with email & password
- Access tokens (short-lived) and refresh tokens (long-lived)
- HttpOnly cookies for secure token storage
- Protected routes:
/mefor authenticated users,/adminfor admins only - Role-based access control
- Refresh token endpoint for seamless session extension
- Refresh tokens are stored in-memory only and are not persisted in a database; for production, consider using a persistent store.
- Rate limiting per IP to prevent abuse
- Modern Tailwind CSS UI for interactive testing
| Path | Method | Description |
|---|---|---|
/ |
GET | Serves the HTML frontend |
/auth/login |
POST | Authenticates user and sets HttpOnly cookies |
/auth/refresh |
POST | Issues new access token using refresh token |
/auth/logout |
POST | Clears cookies and revokes refresh token |
/me |
GET | Returns info about authenticated user |
/admin |
GET | Admin-only endpoint, requires admin role |
- Open http://localhost:8080/ in a browser.
- Enter credentials (
admin@local/adminoruser@local/user). - Click Login.
- Test
/meand/adminbuttons —/adminrestricted to admins. - Click Logout to clear session.
- HttpOnly cookies prevent direct JS access to tokens.
- Uses fetch with credentials to include cookies automatically.
- JSON responses displayed in a Tailwind-styled
<pre>for debugging. - Logout clears both access and refresh tokens.
- JWT access tokens contain
sub(user ID) androle. - JWTs are signed using a secret key; in production, the secret should be set via an environment variable for security.
- Refresh tokens stored server-side in-memory for revocation.
- Rate limiting implemented per IP address.
- Protected routes check user authentication and role.
- TypeScript provides type safety for tokens, users, and routes.
- Node.js >=22 – Runtime
- Elysia 1.4.x – Lightweight HTTP framework
- @elysiajs/node – Node.js adapter
- @elysiajs/html – Middleware to serve HTML
- jsonwebtoken 9.x – JWT support
- Tailwind CSS – Modern responsive UI styling
- TypeScript 5.9.x – Static typing
- Add persistent storage for refresh tokens
- Implement hashed passwords
- Add email verification
- Add user registration
- Enhance frontend UI/UX
- Add logging and monitoring for server requests and authentication events
- Designed as a learning and testing playground for JWT authentication.
- Fully one-file frontend and backend for simplicity.
- Easily extendable for small projects or experiments.
- Uses vanilla JS + Tailwind CSS, no frontend build tools required.
- Mobile-friendly and responsive.
- Admin:
admin@local/admin - User:
user@local/user
