Mozilla Persona integration for Express

express-persona

Mozilla Persona integration for Express. express-persona is designed to quickly get Persona authentication working in your Express application, while following Persona security best practices.

Quick start

Install using npm: npm install express-persona

Include the module inside your Express application:

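var express = require("express"),
    app = express.createServer();

// Body parsing and sessions must be set up before express-persona is attached
app.use(express.bodyParser())
  .use(express.cookieParser())
  .use(express.session({
    secret: "mozillapersona"
  }));

require("express-persona")(app, {
  audience: "http://localhost:8888" // Must match your browser's address bar
});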

Add the Persona login to a web page, and send the assertion to your Express application:

// navigator.id is provided by the Persona include script
loginButton.addEventListener("click", function() {
  navigator.id.get(function(assertion) {
    if (!assertion) {
      // no assertion was returned, so there is nothing to verify
      return;
    }

    var xhr = new XMLHttpRequest();
    xhr.open("POST", "/persona/verify", true);
    xhr.setRequestHeader("Content-Type", "application/json");
    xhr.addEventListener("loadend", function(e) {
      try {
        var data = JSON.parse(this.response);
        if (data.status === "okay") {
          // the email address the user logged in with
          console.log(data.email);
        } else {
          console.log("Login failed because " + data.reason);
        }
      } catch (ex) {
        // oh no, we didn't get valid JSON from the server
      }
    }, false);
    xhr.send(JSON.stringify({
      assertion: assertion
    }));
  });
}, false);

By default, express-persona adds the user's email address to the session (under the sessionKey, which defaults to email) when their email is validated.

This library handles 3 of the 4 essential practices from the Persona security considerations, but you should implement CSRF protection as well. I recommend the built-in express csrf middleware.
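One way to put a CSRF check in front of the verify and logout routes, as an added example (not express-persona's code and not the built-in express csrf middleware). The `csrfToken` session key, the `X-CSRF-Token` header, the function names and the failure reason text are assumptions made for this sketch.

```javascript
const crypto = require("crypto");

// Default verifyPath and logoutPath from the options list on this page.
const PROTECTED_PATHS = ["/persona/verify", "/persona/logout"];

// Create (or reuse) a per-session token. Render it into the page that hosts
// the login button so the XHR can send it back. "csrfToken" is an assumed key.
function issueCsrfToken(session) {
  if (!session.csrfToken) {
    session.csrfToken = crypto.randomBytes(32).toString("hex");
  }
  return session.csrfToken;
}

// Constant-time comparison; false for missing or wrong-length input.
function tokensMatch(expected, supplied) {
  if (typeof expected !== "string" || typeof supplied !== "string") return false;
  const a = Buffer.from(expected);
  const b = Buffer.from(supplied);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Connect-style middleware. Register it with app.use() after the session
// middleware and before express-persona adds its routes.
function csrfGuard(req, res, next) {
  const path = req.url.split("?")[0];
  if (req.method !== "POST" || PROTECTED_PATHS.indexOf(path) === -1) {
    return next();
  }
  // Header name is an assumption; the client sets it with xhr.setRequestHeader().
  const supplied = req.headers["x-csrf-token"];
  if (req.session && tokensMatch(req.session.csrfToken, supplied)) {
    return next();
  }
  res.statusCode = 403;
  res.setHeader("Content-Type", "application/json");
  // Same JSON shape as the verify route's failure response; reason text is constructed.
  res.end(JSON.stringify({ status: "failure", reason: "invalid CSRF token" }));
}
```

If you change verifyPath or logoutPath, update PROTECTED_PATHS to match.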



  • require('express-persona') returns function(express, options)
    • express is an instance of the express server that you want to add routes to
    • options is an object. It has one required parameter, audience.

Required options

  • audience - The URL of your express app when viewed in a browser. Must include the protocol, hostname, and port.
    • Example:,

Optional options

  • verifyPath - The URL that clients use to verify credentials.
    • Default: /persona/verify
    • Examples: /browserid/verify, /api/verify
  • logoutPath - The URL that clients use to log out.
    • Default: /persona/logout
    • Examples: /browserid/logout, /api/logout
  • sessionKey - The session key to store the validated email in.
    • Default: email
    • Example: user, username
  • verifierURI - The URI of the Persona Remote Verification API
    • Default:
    • You probably don't want to touch this unless you have a good reason, like testing.

Verify route

  • On success:
    {
      "status": "okay",
      "email": ""
    }
  • On failure:
    {
      "status": "failure",
      "reason": "request failed"
    }

Logout route

  • Always returns:
    {
      "status": "okay"
    }


Running Tests

Run tests using npm test from the root of the repository.