Can't really debug as I don't know your app, but if there's a stack trace, it'll show the problem, likely. Also you probably want to set the cookie after passport does its local authentication, otherwise a malicious user can attempt to log into an account using a wrong password, but still get a valid jwt, and then log into the nodebb forum under that account.