Get Started
Back to Templates

Self-Hosted JWT Authentication System with Data Tables and Token Management

Created by

Created by: Luka Zivkovic || zivkovic58

Luka Zivkovic

Last update

Last update a day ago

Categories

Share

Complete JWT Authentication System

Description

A production-ready authentication workflow implementing secure user registration, login, token verification, and refresh token mechanisms. Perfect for adding authentication to any application without needing a separate auth service.

What it does

This template provides a complete authentication backend using n8n workflows and Data Tables:

  • User Registration: Creates accounts with secure password hashing (SHA-512 + unique salts)
  • Login System: Generates access tokens (15 min) and refresh tokens (7 days) using JWT
  • Token Verification: Validates access tokens for protected endpoints
  • Token Refresh: Issues new access tokens without requiring re-login
  • Security Features: HMAC-SHA256 signatures, hashed refresh tokens in database, protection against rainbow table attacks

Why use this template

  • No external services: Everything runs in n8n - no Auth0, Firebase, or third-party dependencies
  • Production-ready security: Industry-standard JWT implementation with proper token lifecycle management
  • Easy integration: Simple REST API endpoints that work with any frontend framework
  • Fully customizable: Adjust token lifespans, add custom user fields, implement your own business logic
  • Well-documented: Extensive inline notes explain every security decision and implementation detail

How to set up

Prerequisites

  • n8n instance (cloud or self-hosted)
  • n8n Data Tables feature enabled

Setup Steps

  1. Create Data Tables:
  • users table: id, email, username, password_hash, refresh_token
  • refresh_tokens table: id, user_id, token_hash, expires_at
  1. Generate Secret Keys:
    Run this command to generate a random secret:
  node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"

Generate two different secrets for ACCESS_SECRET and REFRESH_SECRET
3. Configure Secrets:

  • Update the three "SET ACCESS AND REFRESH SECRET" nodes with your generated keys
  • Or migrate to n8n Variables for better security (instructions in workflow notes)
  1. Connect Data Tables:
  • Open each Data Table node
  • Select your created tables from the dropdown
  1. Activate Workflow:
  • Save and activate the workflow
  • Note your webhook URLs

API Endpoints

Register: POST /webhook/register-user
Request body:

{
 "email": "[email protected]",
 "username": "username",
 "password": "password123"
}

Login: POST /webhook/login
Request body:

{
 "email": "[email protected]",
 "password": "password123"
}

Returns:

{
 "accessToken": "...",
 "refreshToken": "...",
 "user": {...}
}

Verify Token: POST /webhook/verify-token
Request body:

{
 "access_token": "your_access_token"
}

Refresh: POST /webhook/refresh
Request body:

{
 "refresh_token": "your_refresh_token"
}

Frontend Integration Example (Vue.js/React)

Login flow:

const response = await fetch('https://your-n8n.app/webhook/login', {
 method: 'POST',
 headers: { 'Content-Type': 'application/json' },
 body: JSON.stringify({ email, password })
});
const { accessToken, refreshToken } = await response.json();
localStorage.setItem('accessToken', accessToken);

Make authenticated requests:

const data = await fetch('https://your-api.com/protected', {
 headers: { 'Authorization': Bearer ${accessToken} }
});

Key Features

  • Secure Password Storage: Never stores plain text passwords; uses SHA-512 with unique salts
  • Two-Token System: Short-lived access tokens (security) + long-lived refresh tokens (convenience)
  • Database Token Revocation: Refresh tokens can be revoked for logout-all-devices functionality
  • Duplicate Prevention: Checks username and email availability before account creation
  • Error Handling: Generic error messages prevent information leakage
  • Extensive Documentation: 30+ sticky notes explain every security decision

Use Cases

  • SaaS applications needing user authentication
  • Mobile app backends
  • Internal tools requiring access control
  • MVP/prototype authentication without third-party costs
  • Learning JWT and auth system architecture

Customization

  • Token Lifespan: Modify expiration times in "Create JWT Payload" nodes
  • User Fields: Add custom fields to registration and user profile
  • Password Rules: Update validation in "Validate Registration Request" node
  • Token Rotation: Implement refresh token rotation for enhanced security (notes included)

Security Notes

:warning: Important:

  • Change the default secret keys before production use
  • Use HTTPS for all webhook endpoints
  • Store secrets in n8n Variables (not hardcoded)
  • Regularly rotate secret keys in production
  • Consider rate limiting for login endpoints

Support & Documentation

The workflow includes comprehensive documentation:

  • Complete authentication flow overview
  • Security explanations for every decision
  • Troubleshooting guide
  • Setup instructions
  • FAQ section with common issues
    Perfect for developers who want full control over their authentication system without the complexity of managing separate auth infrastructure.

Tags: authentication, jwt, login, security, user-management, tokens, password-hashing, api, backend