Hapi authentication plugin for bearer token validation
Latest commit 3ce25f4 Sep 12, 2018



Hapi authentication plugin

hapi Bearer Token Authentication Scheme


The plugin validates a token passed in the bearer Authorization header or via the access_token query parameter. You have to provide the validation function to the plugin.


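var Hapi = require('hapi');

// Callback-style server setup (hapi releases before v17)
var server = new Hapi.Server();
server.connection({ port: 8000 });

// Placeholder credentials for this example; `scope` is matched against the route's auth scope
var userCredentials = { name: 'example', scope: 'user' };

var validateFunction = function (token, callback) {

    // Use a real strategy here to check if the token is valid
    if (token === 'abc456789') {
        callback(null, true, userCredentials);
    }
    else {
        callback(null, false, userCredentials);
    }
};

server.register(require('hapi-auth-bearer-simple'), function (err) {

    if (err) {
        throw err;
    }

    // Register the 'bearer' strategy using the plugin's 'bearerAuth' scheme
    server.auth.strategy('bearer', 'bearerAuth', {
        validateFunction: validateFunction
    });

    // Add a standard route here as example
    server.route({
        method: 'GET',
        path: '/',
        handler: function (request, reply) {

            reply({ success: true });
        },
        config: {
            auth: {
                strategy: 'bearer',
                scope: 'user' // or [ 'user', 'admin' ]
            }
        }
    });

    server.start(function (err) {

        if (err) {
            throw err;
        }

        server.log([], 'Server started at: ' + server.info.uri);
    });
});
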
  • validateFunction - (required) a token lookup and validation function with the signature function (token, callback) where:
    • token - the auth token received from the client.
    • callback - a callback function with the signature function (err, isValid, credentials) where:
      • err - any error.
      • isValid - true if the token is valid, otherwise false.
      • credentials - an object passed back to the plugin, which becomes available in the request object as request.auth.credentials. Normally credentials are only included when isValid is true.
  • exposeRequest - (optional / advanced) If set to true, the validateFunction's this will be set to the request. This can be useful if you have plugins that expose certain functions/objects on the request object and you want to use them in your validateFunction.
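
An added example, not code from the plugin or its author: one way to write a validateFunction with the documented (token, callback) signature that looks tokens up by SHA-256 digest, rejects expired ones, and passes credentials (including the scope a route checks) only when isValid is true. The names tokenStore, digestOf and issueToken are hypothetical, and the in-memory store is constructed for the example.

```javascript
const crypto = require('crypto');

// Hypothetical in-memory store (constructed for this example): maps the
// SHA-256 digest of each issued token to its record. Keeping only digests
// means a leaked store does not hand out usable tokens.
const tokenStore = new Map();

const digestOf = (token) =>
    crypto.createHash('sha256').update(token, 'utf8').digest('hex');

// Hypothetical helper: issue a random token and remember only its digest.
function issueToken(user, scope, ttlMs) {
    const token = crypto.randomBytes(32).toString('hex');
    tokenStore.set(digestOf(token), { user, scope, expires: Date.now() + ttlMs });
    return token;
}

// Documented signature: function (token, callback), where callback is
// function (err, isValid, credentials).
function validateFunction(token, callback) {
    // Reject anything that is not a plausibly sized string before hashing.
    if (typeof token !== 'string' || token.length === 0 || token.length > 256) {
        return callback(null, false);
    }
    const key = digestOf(token);
    const record = tokenStore.get(key);
    if (!record) {
        return callback(null, false);
    }
    if (record.expires <= Date.now()) {
        tokenStore.delete(key); // expired tokens are dropped from the store
        return callback(null, false);
    }
    // Credentials are passed only when isValid is true; `scope` is what a
    // route's auth.scope setting is checked against.
    return callback(null, true, { user: record.user, scope: record.scope });
}
```
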


  • 100% code coverage!
  • You can chain strategies see .
  • If you have any problems and/or questions make a new issue.
  • If you want to contribute feel free to fork and add a pull request or again make an issue.