Encrypted JSON Web Token authentication

About Karma Volunteering

Karma Volunteering is a free platform that was created to find people power to support meaningful causes. Before and after COVID-19, communities have been coming together to support each other, including those who are the most vulnerable in our neighbourhoods. Karma was built with a simple mission: to make it easy to do good.


Karma Volunteering started life as a student project at King's College London, conceived and designed by Danielle Dodoo and built by King's College Informatics students as the second-year major software engineering group project of their BSc programme.

Authentication & authorisation flow

I was responsible for the design and development of the user authentication and authorisation for the backend of Karma. This involved building both REST API endpoints with appropriate user access validation and logic modules for handling more advanced operations such as password resets and temporary access tokens.

Choice of Encrypted JSON Web tokens

As the development was part of our BSc software engineering project, it was encouraged to use methodologies that require R&D. I implemented the Karma server-side authentication and authorisation via serialised Encrypted JSON Web Tokens, i.e. via JWEs & JWTs.

Features of serialised JSON Web Encryption

JWEs provide a highly secure, lightweight and scalable communication channel. By utilising asymmetric encryption it is ensured that only the target client is able to access a token's contents as well as that the authenticity of the token remains intact. Furthermore, malicious users are unable to access, among other things, their database identifier or the structure and name of our authentication objects, providing an additional layer of security for the internal Karma system.


I was responsible for the design, development & testing of the server-side authentication and authorisation of users, including the Slack-like sign-up flow for new clients.

Technical specifications

• serialised Encrypted JSON Web Tokens (JWE & JWT)
• server & client JSON Web Signatures (JWS)
• session preservation controllable by admins
• token blacklisting
• HTTP request path based authorisation
• JSON Web Keystore (JWKS)
• switchable encryption method (symmetric vs asymmetric)

Used technologies

NodeJS, PostgreSQL, REST


• Sample Open Source project showing server-side implementation of JWE authentication: https://github.com/almasen/encrypted-jwt-on-server

Download links

Disclaimer: The Karma project Copyright © 2020 Karma Volunteering.
• Official project website: https://www.karmavolunteering.org
• To download the app from Google Play, visit the Play Store
• To download the app onto an Apple device, visit the App Store

Tags About Role Specs Tech stack References Date Jan - Apr 20 References Template GitHub repository