July 06 2018

Vue.js + Vuex - JWT Authentication Tutorial & Example

Tutorial built with Vue.js 2.5.16 + Vuex 3.0.1 and Webpack 4.15

Other versions available:

The following is a custom example and tutorial on how to setup a simple login page using Vue.js + Vuex and JWT authentication. Webpack 4 is used to compile and bundle all the project files, styling of the example is done with Bootstrap 4.

The tutorial code is available on GitHub at https://github.com/cornflourblue/vue-vuex-jwt-authentication-example.

Here it is in action: (See on StackBlitz at https://stackblitz.com/edit/vue-vuex-jwt-authentication-example)

Running the Vue.js + Vuex JWT Tutorial Example Locally

The tutorial example uses Webpack 4 to transpile the ES6 code and bundle the Vue components together, and the webpack dev server is used as the local web server, to learn more about webpack you can check out the webpack docs.

  1. Install NodeJS and NPM from https://nodejs.org/en/download/.
  2. Download or clone the tutorial project source code from https://github.com/cornflourblue/vue-vuex-jwt-authentication-example
  3. Install all required npm packages by running npm install from the command line in the project root folder (where the package.json is located).
  4. Start the application by running npm start from the command line in the project root folder.

Running the Vue Tutorial Example with a Real Backend API

The Vue.js example app uses a fake / mock backend by default so it can run in the browser without a real api, to switch to a real backend api you just have to remove a couple of lines of code from the main vue entry file /src/index.js below the comment // setup fake backend.

You can build your own backend api or start with one of the below options:

Vue.js + Vuex Tutorial Project Structure

All source code for the Vue + Vuex JWT authentication app is located in the /src folder. Inside the src folder there is a folder per feature (app, home, login) and a few folders for non-feature code that can be shared across different parts of the app (_store, _services, _helpers).

I prefixed non-feature folders with an underscore "_" to group them together and make it easy to distinguish between features and non-features, it also keeps the project folder structure shallow so it's quick to see everything at a glance from the top level and to navigate around the project.

Click any of the below links to jump down to a description of each file in the tutorial along with it's code:


Vue + Vuex Helpers Folder

Path: /src/_helpers

The helpers folder contains all the bits and pieces that don't fit into other folders but don't justify having a folder of their own.


Vue Auth Header

Path: /src/_helpers/auth-header.js

Auth header is a helper function that returns an HTTP Authorization header containing the JSON Web Token (JWT) of the currently logged in user from local storage. If the user isn't logged in an empty object is returned.

The auth header is used to make authenticated HTTP requests to the server api using JWT authentication.

export function authHeader() {
    // return authorization header with jwt token
    let user = JSON.parse(localStorage.getItem('user'));

    if (user && user.token) {
        return { 'Authorization': 'Bearer ' + user.token };
    } else {
        return {};

Vue Fake / Mock Backend

Path: /src/_helpers/fake-backend.ts

The fake backend is used for running the tutorial example without a server api (backend-less). It monkey patches the fetch() function to intercept certain api requests and mimic the behaviour of a real api. Any requests that aren't intercepted get passed through to the real fetch() function.

I created it so I could focus the tutorial on the Vue + Vuex code and not worry about the backend, and also to make it work on StackBlitz.

export function configureFakeBackend() {
    let users = [{ id: 1, username: 'test', password: 'test', firstName: 'Test', lastName: 'User' }];
    let realFetch = window.fetch;
    window.fetch = function (url, opts) {
        return new Promise((resolve, reject) => {
            // wrap in timeout to simulate server api call
            setTimeout(() => {

                // authenticate
                if (url.endsWith('/users/authenticate') && opts.method === 'POST') {
                    // get parameters from post request
                    let params = JSON.parse(opts.body);

                    // find if any user matches login credentials
                    let filteredUsers = users.filter(user => {
                        return user.username === params.username && user.password === params.password;

                    if (filteredUsers.length) {
                        // if login details are valid return user details and fake jwt token
                        let user = filteredUsers[0];
                        let responseJson = {
                            id: user.id,
                            username: user.username,
                            firstName: user.firstName,
                            lastName: user.lastName,
                            token: 'fake-jwt-token'
                        resolve({ ok: true, text: () => Promise.resolve(JSON.stringify(responseJson)) });
                    } else {
                        // else return error
                        reject('Username or password is incorrect');


                // get users
                if (url.endsWith('/users') && opts.method === 'GET') {
                    // check for fake auth token in header and return users if valid, this security is implemented server side in a real application
                    if (opts.headers && opts.headers.Authorization === 'Bearer fake-jwt-token') {
                        resolve({ ok: true, text: () => Promise.resolve(JSON.stringify(users)) });
                    } else {
                        // return 401 not authorised if token is null or invalid


                // pass through any requests not handled above
                realFetch(url, opts).then(response => resolve(response));

            }, 500);

Vue Router

Path: /src/_helpers/router.js

The vue router defines all of the routes for the application, and contains a function that runs before each route change to prevent unauthenticated users from accessing restricted routes.

import Vue from 'vue';
import Router from 'vue-router';

import HomePage from '../home/HomePage'
import LoginPage from '../login/LoginPage'


export const router = new Router({
  mode: 'history',
  routes: [
    { path: '/', component: HomePage },
    { path: '/login', component: LoginPage },

    // otherwise redirect to home
    { path: '*', redirect: '/' }

router.beforeEach((to, from, next) => {
  // redirect to login page if not logged in and trying to access a restricted page
  const publicPages = ['/login'];
  const authRequired = !publicPages.includes(to.path);
  const loggedIn = localStorage.getItem('user');

  if (authRequired && !loggedIn) {
    return next('/login');


Vue Helpers Index

Path: /src/_helpers/index.js

The helpers index file groups all helper exports together so they can be imported in other parts of the app using only the folder path, and enables importing multiple helpers in a single statement (e.g. import { helper1, helper2, ... } from '../_helpers').

export * from './fake-backend';
export * from './router';
export * from './auth-header';

Vue Services Folder

Path: /src/_services

The services layer handles all http communication with backend apis for the application, each service encapsulates the api calls for a content type (e.g. users) and exposes methods for performing various operations (e.g. CRUD operations). Services can also have methods that don't wrap http calls, for example the userService.logout() method just removes an item from local storage.

I like wrapping http calls and implementation details in a services layer, it provides a clean separation of concerns and simplifies the vuex modules that use the services.


Vue User Service

Path: /src/_services/user.service.js

The user service encapsulates all backend api calls for performing CRUD operations on user data, as well as logging and out of the example application. The service methods are exported via the userService object at the top of the file, and the implementation of each method is located in the functions below.

In the handleResponse method the service checks if the http response from the api is 401 Unauthorized and automatically logs the user out. This handles if the JWT token expires or is no longer valid for any reason.

import config from 'config';
import { authHeader } from '../_helpers';

export const userService = {

function login(username, password) {
    const requestOptions = {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({ username, password })

    return fetch(`${config.apiUrl}/users/authenticate`, requestOptions)
        .then(user => {
            // login successful if there's a jwt token in the response
            if (user.token) {
                // store user details and jwt token in local storage to keep user logged in between page refreshes
                localStorage.setItem('user', JSON.stringify(user));

            return user;

function logout() {
    // remove user from local storage to log user out

function getAll() {
    const requestOptions = {
        method: 'GET',
        headers: authHeader()

    return fetch(`${config.apiUrl}/users`, requestOptions).then(handleResponse);

function handleResponse(response) {
    return response.text().then(text => {
        const data = text && JSON.parse(text);
        if (!response.ok) {
            if (response.status === 401) {
                // auto logout if 401 response returned from api

            const error = (data && data.message) || response.statusText;
            return Promise.reject(error);

        return data;

Vue Services Index

Path: /src/_services/index.js

The services index file groups all service exports together so they can be imported in other parts of the app using only the folder path, and enables importing multiple services in a single statement (e.g. import { service1, service2, ... } from '../_services').

export * from './user.service';

Vuex Store Folder

Path: /src/_store

The vuex store folder contains all vuex modules and everything relating to the vuex store, if you're new to vuex you can find out all about it at https://vuex.vuejs.org/.

In a nutshell: Vuex manages a centralised state store for the tutorial application, mutations are committed to update sections of the state, and actions are dispatched to perform more complex operations that can include async calls and multiple mutations.


Vuex Alert Module

Path: /src/_store/alert.module.js

The vuex alert module is in charge of the alert section of the centralised state store, it contains actions and mutations for setting a success or error alert message, and for clearing the alert.

In this module each alert action just commits a single mutation so it would be possible to commit the mutations directly from your vue components and get rid of the actions. However I prefer to dispatch actions from everywhere for consistency rather than dispatching actions for some things and committing mutations for others. This way also provides a bit more flexibility if you decide to expand an action to do more than just committing a mutation.

export const alert = {
    namespaced: true,
    state: {
        type: null,
        message: null
    actions: {
        success({ commit }, message) {
            commit('success', message);
        error({ commit }, message) {
            commit('error', message);
        clear({ commit }, message) {
            commit('success', message);
    mutations: {
        success(state, message) {
            state.type = 'alert-success';
            state.message = message;
        error(state, message) {
            state.type = 'alert-danger';
            state.message = message;
        clear(state) {
            state.type = null;
            state.message = null;

Vuex Authentication Module

Path: /src/_store/authentication.module.js

The vuex authentication module is in charge of the authentication section of the centralised state store. It contains actions for logging in and out of the tutorial application, and mutations for each of the lower level state changes involved for each action.

The initial logged in state of the user is set by checking if the user is saved in local storage, which keeps the user logged in if the browser is refreshed and between browser sessions.

import { userService } from '../_services';
import { router } from '../_helpers';

const user = JSON.parse(localStorage.getItem('user'));
const initialState = user
    ? { status: { loggedIn: true }, user }
    : { status: {}, user: null };

export const authentication = {
    namespaced: true,
    state: initialState,
    actions: {
        login({ dispatch, commit }, { username, password }) {
            commit('loginRequest', { username });

            userService.login(username, password)
                    user => {
                        commit('loginSuccess', user);
                    error => {
                        commit('loginFailure', error);
                        dispatch('alert/error', error, { root: true });
        logout({ commit }) {
    mutations: {
        loginRequest(state, user) {
            state.status = { loggingIn: true };
            state.user = user;
        loginSuccess(state, user) {
            state.status = { loggedIn: true };
            state.user = user;
        loginFailure(state) {
            state.status = {};
            state.user = null;
        logout(state) {
            state.status = {};
            state.user = null;

Vuex Users Module

Path: /src/_store/users.module.js

The vuex users module is in charge of the users section of the centralised state store. It contains a single action for fetching all users from the api, and mutations for each of the lower level state changes involved for the action.

import { userService } from '../_services';

export const users = {
    namespaced: true,
    state: {
        all: {}
    actions: {
        getAll({ commit }) {

                    users => commit('getAllSuccess', users),
                    error => commit('getAllFailure', error)
    mutations: {
        getAllRequest(state) {
            state.all = { loading: true };
        getAllSuccess(state, users) {
            state.all = { items: users };
        getAllFailure(state, error) {
            state.all = { error };

Vuex Store

Path: /src/_store/index.js

This is the main vuex store file that configures the store with all of the above vuex modules.

import Vue from 'vue';
import Vuex from 'vuex';

import { alert } from './alert.module';
import { authentication } from './authentication.module';
import { users } from './users.module';


export const store = new Vuex.Store({
    modules: {

Vue App Feature Folder

Path: /src/app

The app folder is for vue components and other code that is used only by the app component in the tutorial application.


Vue App Component

Path: /src/app/App.vue

The app component is the root component for the vue tutorial application, it contains the outer html, routes and global alert notification for the tutorial app.

    <div class="jumbotron">
        <div class="container">
            <div class="row">
                <div class="col-sm-6 offset-sm-3">
                    <div v-if="alert.message" :class="`alert ${alert.type}`">{{alert.message}}</div>

export default {
    name: 'app',
    computed: {
        alert () {
            return this.$store.state.alert
        $route (to, from){
            // clear alert on location change

Vue Home Feature Folder

Path: /src/home

The home folder is for vue components and other code that is used only by the home page component in the tutorial application.


Vue Home Page Component

Path: /src/home/HomePage.vue

The home page component is displayed after signing in to the application, it shows the signed in user's name plus a list of all users in the tutorial app. The users are loaded into the vuex state by dispatching the vuex action this.$store.dispatch('users/getAll'); from the created() vue lifecycle hook.

        <h1>Hi {{user.firstName}}!</h1>
        <p>You're logged in with Vue + Vuex & JWT!!</p>
        <h3>Users from secure api end point:</h3>
        <em v-if="users.loading">Loading users...</em>
        <span v-if="users.error" class="text-danger">ERROR: {{users.error}}</span>
        <ul v-if="users.items">
            <li v-for="user in users.items" :key="user.id">
                {{user.firstName + ' ' + user.lastName}}
            <router-link to="/login">Logout</router-link>

export default {
    computed: {
        user () {
            return this.$store.state.authentication.user;
        users () {
            return this.$store.state.users.all;
    created () {

Vue Login Feature Folder

Path: /src/login

The login folder is for vue components and other code that is used only by the login page component in the tutorial application.


Vue Login Page Component

Path: /src/login/LoginPage.vue

The login page component renders a login form with username and password fields. It displays validation messages for invalid fields when the user attempts to submit the form. If the form is valid, submitting it causes the 'authentication/login' vuex action to be dispatched.

In the created() function the 'authentication/logout' vuex action is dispatched which logs the user out if they're logged in, this enables the login page to also be used as the logout page.

        <div class="alert alert-info">
            Username: test<br />
            Password: test
        <form @submit.prevent="handleSubmit">
            <div class="form-group">
                <label for="username">Username</label>
                <input type="text" v-model="username" name="username" class="form-control" :class="{ 'is-invalid': submitted && !username }" />
                <div v-show="submitted && !username" class="invalid-feedback">Username is required</div>
            <div class="form-group">
                <label htmlFor="password">Password</label>
                <input type="password" v-model="password" name="password" class="form-control" :class="{ 'is-invalid': submitted && !password }" />
                <div v-show="submitted && !password" class="invalid-feedback">Password is required</div>
            <div class="form-group">
                <button class="btn btn-primary" :disabled="loggingIn">Login</button>

export default {
    data () {
        return {
            username: '',
            password: '',
            submitted: false
    computed: {
        loggingIn () {
            return this.$store.state.authentication.status.loggingIn;
    created () {
        // reset login status
    methods: {
        handleSubmit (e) {
            this.submitted = true;
            const { username, password } = this;
            const { dispatch } = this.$store;
            if (username && password) {
                dispatch('authentication/login', { username, password });

Vue Main Index HTML

Path: /src/index.html

The main index html file contains the outer html for the whole tutorial application. When the app is started with npm start, Webpack bundles up all of the vue + vuex code into a single javascript file and injects it into the body of the page.

<!DOCTYPE html>
<html lang="en">
    <meta charset="UTF-8">
    <title>Vue + Vuex - JWT Authentication Example & Tutorial</title>
    <link href="//netdna.bootstrapcdn.com/bootstrap/4.1.1/css/bootstrap.min.css" rel="stylesheet" />
        a { cursor: pointer; }
    <div id="app"></div>

Vue App Entrypoint

Path: /src/index.js

The root index.js file bootstraps the vue + vuex tutorial application by rendering the App component into the #app div element defined in the main index html file above.

The tutorial app uses a fake / mock backend that stores data in browser local storage, to switch to a real backend api simply remove the fake backend code below the comment // setup fake backend.

import Vue from 'vue';

import { store } from './_store';
import { router } from './_helpers';
import App from './app/App';

// setup fake backend
import { configureFakeBackend } from './_helpers';

new Vue({
    el: '#app',
    render: h => h(App)

Babel Config / Run Commands File

Path: /.babelrc

The babel config file defines the presets used by babel to transpile the ES6 code. The babel transpiler is run by webpack via the babel-loader module configured in the webpack.config.js file below.

  "presets": [

npm package.json

Path: /package.json

The package.json file contains project configuration information including package dependencies which get installed when you run npm install. Full documentation is available on the npm docs website.

  "name": "vue-vuex-jwt-authentication-example",
  "version": "1.0.0",
  "repository": {
    "type": "git",
    "url": "https://github.com/cornflourblue/vue-vuex-jwt-authentication-example.git"
  "license": "MIT",
  "scripts": {
    "start": "webpack-dev-server --open"
  "dependencies": {
    "vue": "^2.5.16",
    "vue-router": "^3.0.1",
    "vuex": "^3.0.1"
  "devDependencies": {
    "babel-core": "^6.26.0",
    "babel-loader": "^7.1.5",
    "babel-preset-env": "^1.6.1",
    "babel-preset-stage-0": "^6.24.1",
    "babel-preset-vue": "^2.0.2",
    "css-loader": "^0.28.11",
    "html-webpack-plugin": "^3.2.0",
    "path": "^0.12.7",
    "vue-loader": "^14.2.3",
    "vue-template-compiler": "^2.5.16",
    "webpack": "^4.15.0",
    "webpack-cli": "^3.0.8",
    "webpack-dev-server": "^3.1.3"

Vue Webpack Config

Path: /webpack.config.js

Webpack is used to compile and bundle all the project files so they're ready to be loaded into a browser, it does this with the help of loaders and plugins that are configured in the webpack.config.js file. For more info about webpack check out the webpack docs.

The webpack config file also defines a global config object for the application using the externals property, you can also use this to define different config variables for your development and production environments.

var path = require('path');
var HtmlWebpackPlugin = require('html-webpack-plugin');

module.exports = {
    mode: 'development',
    resolve: {
        extensions: ['.js', '.vue']
    module: {
        rules: [
                test: /\.vue?$/,
                exclude: /(node_modules)/,
                use: 'vue-loader'
                test: /\.js?$/,
                exclude: /(node_modules)/,
                use: 'babel-loader'
    plugins: [new HtmlWebpackPlugin({
        template: './src/index.html'
    devServer: {
        historyApiFallback: true
    externals: {
        // global app config object
        config: JSON.stringify({
            apiUrl: 'http://localhost:4000'


Web Development Sydney

Feel free to contact me if you're looking for a web developer in Sydney, I also provide remote contracting services for clients outside Sydney.


Sponsored by