Code Sample: JWT with node.js Express

Please inspect the code sample with an interactive REST inspector such as Fiddler, Postman or a suitable browser plugin (e.g. Firefox's RESTClient). After you start it with nodemon (or node app.js), it should be listening on http://localhost:1337.

  1. After performing the login (GET on /auth), intercept the token (in the response's body/payload).
  2. Next, decode it manually by pasting it into the input area on jwt.io. Which claims does it provide?
  3. Finally, perform a GET request to the protected /user resource. This will not work unless you pass the token in the HTTP Authorization header, prefixed by the keyword Bearer.
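
Steps 2 and 3 in code, as an added example that is not part of the demo application: it decodes a token's claims the way jwt.io displays them, then builds and parses the `Authorization: Bearer` header. The token, its claims and all function names are constructed for illustration; decoding alone does not verify the signature.

```javascript
// Added example: token, claims and function names are constructed, not taken from the demo.

// JWT segments are base64url: URL-safe alphabet, padding stripped.
function b64urlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decode only (what jwt.io shows). Anyone holding the token can read these
// claims; this says nothing about whether the signature is valid.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  return {
    header: JSON.parse(b64urlDecode(parts[0])),
    claims: JSON.parse(b64urlDecode(parts[1])),
  };
}

// exp is seconds since the epoch; a token without exp never expires.
function isExpired(claims, nowSeconds) {
  return typeof claims.exp === 'number' && nowSeconds >= claims.exp;
}

// Client side of step 3: the header a REST client has to send to /user.
function bearerHeader(token) {
  return { Authorization: `Bearer ${token}` };
}

// Server-side view: without the "Bearer " prefix no token is found at all.
function extractBearer(value) {
  const m = /^Bearer ([\w-]+\.[\w-]+\.[\w-]+)$/.exec(value || '');
  return m ? m[1] : null;
}

// Constructed sample token; the third segment is a placeholder, not a real HMAC.
const sampleToken = [
  b64urlEncode({ alg: 'HS256', typ: 'JWT' }),
  b64urlEncode({ sub: '42', name: 'alice', iat: 1707154080, exp: 1707157680 }),
  'c2lnbmF0dXJlLXBsYWNlaG9sZGVy',
].join('.');

console.log(decodeJwt(sampleToken), bearerHeader(sampleToken));
```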

Reference: https://medium.com/front-end-weekly/learn-using-jwt-with-passport-authentication-9761539c4314

Final note: for the sake of simplicity, this demo does not contain any XSRF (Cross-Site Request Forgery) protection measures on the login form.

5 February 2024, 18:28