node package manager
Share your code. npm Orgs help your team discover, share, and reuse code. Create a free org »


Complete, compliant and well tested module for implementing an OAuth2 server in node.js.

NPM Version Build Status NPM Downloads

Quick Start

The node-oauth2-server module is framework-agnostic but there are several wrappers available for popular frameworks such as express and koa.

Using the express wrapper (recommended):

var express = require('express');
var oauthserver = require('express-oauth-server');
var app = express();
var oauth = new oauthServer({ model: model });
app.get('/', function (req, res) {
  res.send('Hello World');

Using this module directly (for custom servers only):

var Request = require('oauth2-server').Request;
var oauthServer = require('oauth2-server');
var oauth = new oauthServer({ model: model });
var request = new Request({
  headers: { authorization: 'Bearer foobar' }
  .then(function(data) {
    // Request is authorized. 
  .catch(function(e) {
    // Request is not authorized. 

Note: see the documentation for the specification of what's required from the model.


  • Supports authorization_code (with scopes), client_credentials, password, refresh_token and custom extension grant types.
  • Can be used with node-style callbacks, promises and ES6 async/await.
  • Fully RFC6749 and RFC6750 compliant.
  • Implicitly supports any form of storage e.g. PostgreSQL, MySQL, Mongo, Redis, etc.
  • Full test suite.



Most users should refer to our express or koa examples. If you're implementing a custom server, we have many examples available:

  • A simple password grant authorization example.
  • A more complex password and refresh_token example.
  • An advanced password, refresh_token and authorization_code (with scopes) example.

Upgrading from 2.x

This module has been rewritten with a promise-based approach and introduced a few changes in the model specification.

Please refer to our 3.0 migration guide for more information.