4.0.0-rc.5 • Public • Published


Simple authentication middleware for integrating Auth0 with Express-based applications.

⚠️ Warning! This is a release candidate of a new major version of express-auth0-simple! Some things may not work properly. Install express-auth0-simple@3.0.2 for the latest stable version!


This NodeJS package abstracts away most of the boilerplate code needed to integrate a NodeJS web application with the oauth authentication provider Auth0.

The code is based on Auth0's own setup guide and should work fine with any application using versions of the Express framework in the 4.x.x version range.

This package is written in ES6 but transpiles down to ES5 or whatever subset of ES6 your runtime supports at installation time.


Here is a quickstart guide on how to setup this middleware.

Install Package

Add this package to your NodeJS project:

npm install --save express-auth0-simple

Use Package

The package is typically used wherever you configure your express middleware (becase that's what it is). This is normally in the main index.js file for small projects.

Add dependencies

For this middleware to work you'll need to make sure your express app has session and cookie functionality. You might have this functionality already, but if not you can use these middleware to provide this:

  • cookie-parser (we've tested against version 1.4.x)

  • express-session (we've tested against version 1.13.x)

  • You'll also need to install passport-js (passport, we've tested against version 0.3.x)

Configure Auth0

So that your app can authenticate with Auth0, you'll need to provide your Auth0 client credentials. You need to provide your Auth0 Client ID, your Auth0 Client Secret and your Auth0 Domain. These values differ from app to app and you can find the values for your app in its settings page in the dashboard.

The easiest secure way of supplying these credentials to your app is via environment variables and this package will do that by default. Make sure the following environment variables have been set and are accessible to the process running the app:


You can also set these values via the auth0Options argument of the middleware constructor, but if you are doing this it is highly recommended that these are not stored in source code.

You'll also need to set your client's callbackURL. This is not automatically loaded by default, so you'll have to pass this yourself in the auth0Options argument of the middleware constructor, along with any other additional options supported by Auth0.

Import it

// ES5
var expressAuth0Simple = require('express-auth0-simple');
var passport = require('passport');
// you might need these middleware aswell
var cookieParser = require('cookie-parser');
var session = require('express-session');
// ES6
import ExpressAuth0Middleware from 'express-auth0-simple';
import passport from 'passport';
// you might need these middleware aswell
import cookieParser from 'cookie-parser';
import session from 'express-session';

Configure dependent middleware

// register cookie and session middlewares
      secret: uuid.v4(),
      resave: false,
      saveUninitialized: false
// register passportjs middlewares

Instantiate it

Make sure your Auth0 environment variables are set before you do this, or provide the Auth0 config as arguments to the middleware constructor.

// ES5
var auth = new expressAuth0Simple.ExpressAuth0Middleware(
  { callbackURL: '/auth/callback' }
// ES6
let auth = new ExpressAuth0Middleware(
  { callbackURL: '/auth/callback' }

Enable it

Attach the Auth0 callback handler to whatever route you'd like this to be mounted on.

// this is the login route
app.get('/auth/callback', auth.authCallbackMiddleware, auth.authCallbackHandler);

Protect your stuff

You can either protect your whole app from unauthenticated access or just specific routes:

// any additional routes declared below this point require login to access


// only this route requires login to access
  function(req,res) {
    res.send('This is publicly accessible');


You can log out an authenticated user during any request by calling req.logout()

Additional Config

The middleware constructor also supports a second argument, which if provided should be an object with either of the following keys:

  • loginPath - the URL a user goes to to login (this is set to the Auth0 callback URL by default but can be changed if needed). Unauthenticated requests to protected routes will be redirected to this URL, so make sure it's correct if you override it.
  • failurePath - the URL a user is redirected to if their authentication attempt fails. This is also set to the Auth0 callback URL by default. Unlike loginPath, changing it will not cause any problems as long as the page redirected to is publicly accessible. This can be used for you to show a custom 'forbidden' page.

Package Sidebar


npm i express-auth0-simple

Weekly Downloads






Last publish


  • decoded-ltd