back
loading skill details...
Use when adding authentication (login, logout, protected routes) to Express.js web applications - integrates express-openid-connect for session-based auth.
Auth0 Express Integration
Add authentication to Express.js web applications using express-openid-connect.
Prerequisites
Express.js application
Auth0 account and application configured
If you don't have Auth0 set up yet, use the auth0-quickstart skill first
When NOT to Use
Single Page Applications - Use auth0-react, auth0-vue, or auth0-angular for client-side auth
Next.js applications - Use auth0-nextjs skill which handles both client and server
Mobile applications - Use auth0-react-native for React Native/Expo
Stateless APIs - Use JWT validation middleware instead of session-based auth
Microservices - Use JWT validation for service-to-service auth
Quick Start Workflow
1. Install SDK
npm install express-openid-connect dotenv
2. Configure Environment
For automated setup with Auth0 CLI, see Setup Guide for complete scripts.
For manual setup:
Create .env:
SECRET=<openssl-rand-hex-32>
BASE_URL=http://localhost:3000
CLIENT_ID=your-client-id
CLIENT_SECRET=your-client-secret
ISSUER_BASE_URL=https://your-tenant.auth0.com
Generate secret: openssl rand -hex 32
3. Configure Auth Middleware
Update your Express app (app.js or index.js):
require('dotenv').config();
const express = require('express');
const { auth, requiresAuth } = require('express-openid-connect');
const app = express();
// Configure Auth0 middleware
app.use(auth({
authRequired: false, // Don't require auth for all routes
auth0Logout: true, // Enable logout endpoint
secret: process.env.SECRET,
baseURL: process.env.BASE_URL,
clientID: process.env.CLIENT_ID,
issuerBaseURL: process.env.ISSUER_BASE_URL,
clientSecret: process.env.CLIENT_SECRET
}));
app.listen(3000, () => {
console.log('Server running on http://localhost:3000');
});
This automatically creates:
/login - Login endpoint
/logout - Logout endpoint
/callback - OAuth callback
4. Add Routes
// Public route
app.get('/', (req, res) => {
res.send(req.oidc.isAuthenticated() ? 'Logged in' : 'Logged out');
});
// Protected route
app.get('/profile', requiresAuth(), (req, res) => {
res.send(`
<h1>Profile</h1>
<p>Name: ${req.oidc.user.name}</p>
<p>Email: ${req.oidc.user.email}</p>
<pre>${JSON.stringify(req.oidc.user, null, 2)}</pre>
<a href="/logout">Logout</a>
`);
});
// Login/logout links
app.get('/', (req, res) => {
res.send(`
${req.oidc.isAuthenticated() ? `
<p>Welcome, ${req.oidc.user.name}!</p>
<a href="/profile">Profile</a>
<a href="/logout">Logout</a>
` : `
<a href="/login">Login</a>
`}
`);
});
5. Test Authentication
Start your server:
node app.js
Visit http://localhost:3000 and test the login flow.
Detailed Documentation
Setup Guide - Automated setup scripts, environment configuration, Auth0 CLI usage
Integration Guide - Protected routes, sessions, API integration, error handling
API Reference - Complete middleware API, configuration options, request properties
Common Mistakes
Mistake
Fix
Forgot to add callback URL in Auth0 Dashboard
Add /callback path to Allowed Callback URLs (e.g., http://localhost:3000/callback)
Missing or weak SECRET
Generate secure secret with openssl rand -hex 32 and store in .env as SECRET
Setting authRequired: true globally
Set to false and use requiresAuth() middleware on specific routes
App created as SPA type in Auth0
Must be Regular Web Application type for server-side auth
Session secret exposed in code
Always use environment variables, never hardcode secrets
Wrong baseURL for production
Update BASE_URL to match your production domain
Not handling logout returnTo
Add your domain to Allowed Logout URLs in Auth0 Dashboard
Related Skills
auth0-quickstart - Basic Auth0 setup
auth0-migration - Migrate from another auth provider
auth0-mfa - Add Multi-Factor Authentication
auth0-cli - Manage Auth0 resources from the terminal
Quick Reference
Middleware Options:
authRequired - Require auth for all routes (default: false)
auth0Logout - Enable /logout endpoint (default: false)
secret - Session secret (required)
baseURL - Application URL (required)
clientID - Auth0 client ID (required)
issuerBaseURL - Auth0 tenant URL (required)
Request Properties:
req.oidc.isAuthenticated() - Check if user is logged in
req.oidc.user - User profile object
req.oidc.accessToken - Access token for API calls
req.oidc.idToken - ID token
req.oidc.refreshToken - Refresh token
Common Use Cases:
Protected routes → Use requiresAuth() middleware (see Step 4)
Check auth status → req.oidc.isAuthenticated()
Get user info → req.oidc.user
Call APIs → Integration Guide
References
Express OpenID Connect Documentation
Auth0 Express Quickstart
SDK GitHub Repositorydon't have the plugin yet? install it then click "run inline in claude" again.