Coming back to this many months later. In case it’s helpful to anyone, express-jwt is built on top of the jsonwebtoken package and does a bunch of additional cool things. You still use jsonwebtoken to sign and verify your JWTs, but express-jwt helps you protect routes, checks JWTs against a secret, and creates a req.user from the payload of the token if it can verify it.
tl;dr: express-jwt uses jsonwebtoken in its own code and adds additional neatness.