Switch branches/tags
Nothing to show
Find file
Fetching contributors…
Cannot retrieve contributors at this time
68 lines (49 sloc) 2.3 KB


Access token authentication middleware for Express, NodeJS. Makes it easy to add access token authentication to any API.

Add to your node package

Add to dependencies:

"authenticate": "*"

Installing via npm

npm install authenticate


var authenticate = require("authenticate");

// Inside of app.configure
    encrypt_key: "", // Add any key for encrypting data
    validate_key: "" // Add any key for signing data

And then...

The access token can be passed to a frontend client after the client is authenticated via some form of login. For example, making a POST to /login with email and password, verifying email and password are correct, and then passing the access token to the client. Here is some javascript for passing an access token to the client in JSON.

client_id is mainly for ownership of access.

var authenticate = require("authenticate");

app.get('/login', function(req, res) {
	// Insert user auth logic here
	res.writeHead(200, {
	    "Content-Type": "application/json"
	    "access_token": authenticate.serializeToken(client_id, user_id, extra_data) // extra data is optional

An access token embeds data into the request. You can then check whether the user and client have access to a resource or not.

Your API can then take a request with the access token as a query string parameter, part of the request body, or headers. In the request body and the query string parameters, access_token is passed (e.g. http://localhost?access_token=123). However, for headers you want to pass "x-access-token".

In calls with an access token, the middleware auths against the token automatically. An example of using this would be:

app.get("/restricted", function(req, res) {
	if(!req.user.user_id) {
		// No auth, redirect or show error page
		res.writeHead(200, {
			"Content-Type": "application/json"
		res.write('{error:"Authentication Error"}');
	req.user.user_id // user id
	req.user.client_id // A client id // date access token was created
	req.user.extra_data // extra data passed in when serialized
	req.user.access_token // Access token being passed in
	// etc.