Creating the Admin API

In order to understand how authorization works, let's implement a basic Admin API that will be accessed only by the administrator of our site. Our application has two principal types of users:

  • Normal: This user is able to see the featured matches and the score
  • Admin: This user is responsible for creating new matches and updating the score

We will use two open source NPM modules to manage the restriction workflow in our backend. The following diagram explains this flow in more detail:

Everything starts with a user request that tries to access a restricted endpoint. The backend first validates whether a valid token is present in the HTTP request; this validation is performed by the express-jwt module. Second, if the request has a valid token, the flow checks whether the token carries the permissions required by the restricted endpoint; this validation is performed by express-jwt-permissions. Only if the request has a valid token and the required permissions can it reach the restricted endpoint and perform the action.
