Authentication And Security

All About Authentication in Xano

Authentication is one of the most important aspects of building a secure backend, and Xano makes it straightforward to implement. In this guide, you'll learn how JWE tokens work, how to create authenticated endpoints, and how to extend tokens with extra claims data.

Understanding JWE Tokens

Xano uses JWE (JSON Web Encryption) tokens to handle authentication. A JWE token has five parts: a header, an encrypted key, an initialization vector (the random part), the ciphertext, and an authentication tag that lets the server detect any tampering with the token. When a user authenticates, the token carries their record ID and acts as the key for accessing private endpoints. Public endpoints are open to anyone, while private endpoints require a valid token; without one, the request returns an error.

Setting Up Your User Table

To get started, navigate to your database and create a user table with fields like name, email, and password. Then go to the table settings and enable authentication. Once that's done, head to your API group and look for the authentication endpoints: login, signup, and "me". If they aren't there, you can add them manually by creating an API group and selecting the authentication option when adding new endpoints.

How Signup and Login Work

In the signup endpoint, Xano accepts a name, email, and password, checks whether the user already exists, and if not, creates the record. It then generates an authentication token tied to that user's record ID and the user table. You can set an expiration on the token; one day is a reasonable default. The login endpoint follows a similar pattern, locating the user by email and returning a token upon successful password verification.

The "me" endpoint is set to private, meaning it requires a valid token. When you pass a token in, it looks up the user record associated with that token and returns their data.

Storing Extra Data with Claims

One powerful feature is the ability to store additional information inside your token using the "extras" field. You can add key-value pairs (for example, a user role or a permission flag) that get embedded in the token. You can then read this claims data in any authenticated endpoint through the auth panel's extras object. This is especially useful for role-based access control and permission logic throughout your app.

Securing Your Endpoints

To lock down any endpoint, open its settings and select the authentication option, then choose the appropriate user table. Once set, requests to that endpoint will fail unless a valid token is provided. Repeat this for each of your endpoints so that sensitive data stays protected.

Authenticating Against Multiple Tables

Xano also supports authentication against multiple tables. If you have an applicants table, for example, you can enable authentication on it just like you did for users. This lets different types of records authenticate independently, giving you fine-grained control over who can access what in your backend.
