This sample demonstrates how to protect endpoints in an Express API by verifying an incoming JWT access token signed by Auth0. The token must be signed with the RS256 algorithm and must be verified against your Auth0 JSON Web Key Set.
If you haven't already done so, sign up for your free Auth0 account and create a new client in the dashboard.
Clone the repo or download it from the Express API quickstart page in Auth0's documentation.
If you download this sample from the Express API quickstart page, a .env file will come pre-populated with your API identifier and Auth0 domain. If you clone the repo from GitHub, you will need to rename .env.example to .env and provide these values manually.
npm install
npm startThe API will be served at http://localhost:3010.
The sample includes these endpoints:
GET /api/public
- An unprotected endpoint which returns a message on success. Does not require a valid JWT access token.
GET /api/private
- A protected endpoint which returns a message on success. Requires a valid JWT access token with a
scopeofread:messages.
Auth0 helps you to:
- Add authentication with multiple authentication sources, either social like Google, Facebook, Microsoft Account, LinkedIn, GitHub, Twitter, Box, Salesforce, amont others, or enterprise identity systems like Windows Azure AD, Google Apps, Active Directory, ADFS or any SAML Identity Provider.
- Add authentication through more traditional username/password databases.
- Add support for linking different user accounts with the same user.
- Support for generating signed Json Web Tokens to call your APIs and flow the user identity securely.
- Analytics of how, when and where users are logging in.
- Pull data from other sources and add it to the user profile, through JavaScript rules.
- Go to Auth0 and click Sign Up.
- Use Google, GitHub or Microsoft Account to login.
This project is licensed under the MIT license. See the LICENSE file for more info.