Complete, compliant and well tested module for implementing an OAuth2 Server/Provider with express in node.js
Latest commit 237646e Oct 24, 2016 @mjsalinger mjsalinger committed on GitHub Merge pull request #272 from mjsalinger/conditionally-promisify
Conditionally promisify all model functions

Complete, compliant and well tested module for implementing an OAuth2 server in node.js.

NPM Version Build Status NPM Downloads

Quick Start

The node-oauth2-server module is framework-agnostic but there are several wrappers available for popular frameworks such as express and koa.

Using the express wrapper (recommended):

var express = require('express');
var oauthServer = require('express-oauth-server');
var app = express();

var oauth = new oauthServer({ model: model });


app.get('/', function (req, res) {
  res.send('Hello World');


Using this module directly (for custom servers only):

var Request = require('oauth2-server').Request;
var oauthServer = require('oauth2-server');

var oauth = new oauthServer({ model: model });

var request = new Request({
  headers: { authorization: 'Bearer foobar' }

  .then(function(data) {
    // Request is authorized.
  .catch(function(e) {
    // Request is not authorized.

Note: see the documentation for the specification of what's required from the model.


  • Supports authorization_code (with scopes), client_credentials, password, refresh_token and custom extension grant types.
  • Can be used with node-style callbacks, promises and ES6 async/await.
  • Fully RFC6749 and RFC6750 compliant.
  • Implicitly supports any form of storage e.g. PostgreSQL, MySQL, Mongo, Redis, etc.
  • Full test suite.



Most users should refer to our express or koa examples. If you're implementing a custom server, we have many examples available:

  • A simple password grant authorization example.
  • A more complex password and refresh_token example.
  • An advanced password, refresh_token and authorization_code (with scopes) example.

Upgrading from 2.x

This module has been rewritten with a promise-based approach and introduced a few changes in the model specification.

Please refer to our 3.0 migration guide for more information.