{"id":15195042,"url":"https://github.com/auth0/express-oauth2-bearer","last_synced_at":"2025-10-02T10:31:34.938Z","repository":{"id":33831379,"uuid":"159180289","full_name":"auth0/express-oauth2-bearer","owner":"auth0","description":"Experimental Middleware for express.js to validate access tokens.","archived":true,"fork":false,"pushed_at":"2023-07-19T05:14:20.000Z","size":207,"stargazers_count":40,"open_issues_count":0,"forks_count":12,"subscribers_count":13,"default_branch":"master","last_synced_at":"2024-09-28T23:05:52.875Z","etag":null,"topics":["dx-sdk"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/auth0.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null}},"created_at":"2018-11-26T14:13:44.000Z","updated_at":"2024-07-29T07:34:39.000Z","dependencies_parsed_at":"2023-01-15T02:49:57.264Z","dependency_job_id":null,"html_url":"https://github.com/auth0/express-oauth2-bearer","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/auth0%2Fexpress-oauth2-bearer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/auth0%2Fexpress-oauth2-bearer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/auth0%2Fexpress-oauth2-bearer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/auth0%2Fexpress-oauth2-bearer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/auth0","download_url":"https://codeload.github.com/auth0/express-oauth2-bearer/
tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":234974935,"owners_count":18916144,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dx-sdk"],"created_at":"2024-09-27T23:06:02.066Z","updated_at":"2025-10-02T10:31:34.586Z","avatar_url":"https://github.com/auth0.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003e **Please Note:** This repository is experimental and will reach end-of-life on **June 30, 2023**. To protect Express.js APIs with JWT Bearer Tokens, we recommend [express-oauth2-jwt-bearer](https://github.com/auth0/node-oauth2-jwt-bearer/tree/main/packages/express-oauth2-jwt-bearer). See the [Migration Guide](./MIGRATION_GUIDE.md) and the [blog post](https://auth0.com/blog/introducing-oauth2-express-sdk-protecting-api-with-jwt/#What-s-Happening-to--express-jwt----express-jwt-authz---and--jwks-rsa-) for more details.\n\nAuthentication middleware for Express.js that validates access tokens following [RFC 6750](https://tools.ietf.org/html/rfc6750). 
The purpose of this library is to protect OAuth 2.0 resources.\n\n## Table of Contents\n[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fauth0%2Fexpress-oauth2-bearer.svg?type=shield)](https://app.fossa.com/projects/git%2Bgithub.com%2Fauth0%2Fexpress-oauth2-bearer?ref=badge_shield)\n\n\n- [Installation](#installation)\n- [Getting Started](#getting-started)\n- [Contributing](#contributing)\n- [Support + Feedback](#support--feedback)\n- [Vulnerability Reporting](#vulnerability-reporting)\n- [What is Auth0](#what-is-auth0)\n- [License](#license)\n\n## Installation\n\nThis library is installed with [npm](https://npmjs.org/package/express-oauth2-bearer):\n\n```\nnpm i express-oauth2-bearer --save\n```\n\n## Getting Started\n\nThe library needs the following values to authorize requests:\n\n- **Issuer Base URL**: The base URL of the authorization server. If you're using Auth0, this is your tenant **Domain** prepended with `https://` (like `https://tenant.auth0.com`) found on the **Settings** tab for your Application in the [Auth0 dashboard](https://manage.auth0.com).\n- **Allowed Audiences**: Audience identifier (or multiple separated by a comma) allowed for the access token. If you're using Auth0, this is the **Identifier** found on the **Settings** tab for your API in the [Auth0 dashboard](https://manage.auth0.com/#/apis).\n\nThese can be configured in a `.env` file in the root of your application:\n\n```text\n# .env\n\nISSUER_BASE_URL=https://YOUR_DOMAIN\nALLOWED_AUDIENCES=https://api.yourapplication.com\n```\n\n... or in your application code:\n\n```js\nconst { auth } = require('express-oauth2-bearer');\n\napp.use(auth({\n  issuerBaseURL: 'https://tenant.auth0.com',\n  allowedAudiences: 'https://api.yourapplication.com'\n}));\n```\n\nThe OpenID strategy is the default strategy for token validation. 
With the configuration values set in the `.env` file, the following code will restrict requests to all subsequent routes to ones that have a valid access token with the `https://api.yourapplication.com` audience and the `read:products` scope:\n\n```javascript\nconst { auth, requiredScopes } = require('express-oauth2-bearer');\n\napp.use(auth());\n\napp.get('/products',\n  requiredScopes('read:products'),\n  (req, res) =\u003e {\n    console.dir(req.auth.claims);\n    res.sendStatus(200);\n  });\n```\n\nIf access tokens are not signed like OpenID Connect ID tokens, add the `auth` middleware with a validation callback as follows:\n\n```javascript\nconst { auth, requiredScopes } = require('express-oauth2-bearer');\n\nconst validateAccessToken = async (token) =\u003e {\n  // Look up the presented bearer token in the application's own token store\n  // (`db.tokens` stands in for whatever store the application uses)\n  const record = await db.tokens.find(token);\n  // Returning nothing rejects the request; only unknown or expired tokens fall through here\n  if (!record || record.expired) { return; }\n  return record;\n};\n\napp.use(auth(validateAccessToken));\n\napp.get('/products',\n  requiredScopes('read:products'),\n  (req, res) =\u003e {\n    console.dir(req.auth.claims);\n    res.sendStatus(200);\n  });\n```\n\n### API Documentation:\n\n`auth()` accepts an asynchronous function receiving an access token and returning a set of claims.\n\n`requiredScopes()` accepts either a string or an array of strings.\n\n`strategies.openid` accepts the following parameters:\n\n\n| Name                | Default                            | Description                                                          |\n|---------------------|------------------------------------|----------------------------------------------------------------------|\n| issuerBaseURL       | `env.ISSUER_BASE_URL`              | URL for the token issuer.                                            |\n| allowedAudiences    | `env.ALLOWED_AUDIENCES.split(',')` | Allowed audiences for the token.                                     
|\n| clockTolerance      | `5`                                | Clock tolerance in seconds for token verification, aka leeway.       |\n| clientSecret        | `env.CLIENT_SECRET`                | Client secret, required for tokens signed with symmetric algorithms. |\n\n## Contributing\n\nWe appreciate feedback and contribution to this repo! Before you get started, please see the following:\n\n- [Auth0's general contribution guidelines](https://github.com/auth0/.github/blob/master/CONTRIBUTING.md)\n- [Auth0's code of conduct guidelines](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md)\n\nContributions can be made to this library through PRs to fix issues, improve documentation or add features. Please fork this repo, create a well-named branch, and submit a PR with a complete template filled out.\n\nCode changes in PRs should be accompanied by tests covering the changed or added functionality. Tests can be run for this library with:\n\n```bash\nnpm install\nnpm test\n```\n\nWhen you're ready to push your changes, please run the lint command first:\n\n```bash\nnpm run lint\n```\n\n## Support + Feedback\n\nPlease use the [Issues queue](https://github.com/auth0/express-oauth2-bearer/issues) in this repo for questions and feedback.\n\n## Vulnerability Reporting\n\nPlease do not report security vulnerabilities on the public GitHub issue tracker. 
The [Responsible Disclosure Program](https://auth0.com/whitehat) details the procedure for disclosing security issues.\n\n## What is Auth0?\n\nAuth0 helps you to easily:\n\n- implement authentication with multiple identity providers, including social (e.g., Google, Facebook, Microsoft, LinkedIn, GitHub, Twitter, etc), or enterprise (e.g., Windows Azure AD, Google Apps, Active Directory, ADFS, SAML, etc.)\n- log in users with username/password databases, passwordless, or multi-factor authentication\n- link multiple user accounts together\n- generate signed JSON Web Tokens to authorize your API calls and flow the user identity securely\n- access demographics and analytics detailing how, when, and where users are logging in\n- enrich user profiles from other data sources using customizable JavaScript rules\n\n[Why Auth0?](https://auth0.com/why-auth0)\n\n## License\n\nThis project is licensed under the MIT license. See the [LICENSE](LICENSE) file for more info.\n\n\n[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fauth0%2Fexpress-oauth2-bearer.svg?type=large)](https://app.fossa.com/projects/git%2Bgithub.com%2Fauth0%2Fexpress-oauth2-bearer?ref=badge_large)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fauth0%2Fexpress-oauth2-bearer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fauth0%2Fexpress-oauth2-bearer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fauth0%2Fexpress-oauth2-bearer/lists"}