express-oauth2-jwt-bearer

Use when adding Auth0 token validation to Express or Node.js APIs - integrates express-oauth2-jwt-bearer SDK to protect Node.js API endpoints with JWT Bearer authentication, scope-based RBAC, claim validation, and optional DPoP support

Safety Notice

This listing is from the official public ClawHub registry. Review SKILL.md and referenced scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "express-oauth2-jwt-bearer" with this command: npx skills add Auth0 <support@auth0.com>/express-oauth2-jwt-bearer

Node OAuth2 JWT Bearer Integration

The express-oauth2-jwt-bearer package provides Express middleware for validating Auth0 JWT Bearer access tokens. It handles token extraction, signature verification, audience and issuer validation, and expiry checks per RFC 6750 — letting you focus on business logic rather than JWT parsing.

Agent instruction: Before providing SDK setup instructions, fetch the latest release version by running:

gh api repos/auth0/node-oauth2-jwt-bearer/releases/latest --jq '.tag_name'

Use the returned version in all package.json dependency lines instead of any hardcoded version below.

Prerequisites

  • Node.js 18+ (20+ recommended; required for bootstrap script automation)
  • Express 4.x or 5.x
  • npm or yarn
  • An Auth0 account with a configured API (Resource Server)
  • Auth0 CLI (for automatic setup): npm install -g @auth0/auth0-cli

When NOT to Use

Use CaseRecommended Skill
Building a server-side web app with login UI (Express sessions)auth0-express
Building a Next.js app with server-side authauth0-nextjs
Building a React/Angular/Vue SPAauth0-react, auth0-angular, auth0-vue
Building a React Native or mobile appauth0-react-native, auth0-android, auth0-swift
ASP.NET Core Web APIauth0-aspnetcore-api
Go API with JWT middlewarego-jwt-middleware
Python API (Flask/FastAPI)auth0-api-python
Node.js API using the older express-jwt packageexpress-jwt

Quick Start Workflow

Agent instruction: Follow these steps to integrate express-oauth2-jwt-bearer into the user's Node.js API project.

  1. Fetch latest version (see instruction above).

  2. Install the SDK:

    npm install express-oauth2-jwt-bearer

  3. Configure Auth0 — follow references/setup.md. If the user already provided their Auth0 Domain and API Audience in the prompt, use them directly — skip the bootstrap script and do NOT call AskUserQuestion to re-confirm. Otherwise, offer automatic setup via bootstrap script or manual setup.

  4. Set up middleware — add to app.js or server.js:

    import { auth } from 'express-oauth2-jwt-bearer';

const checkJwt = auth({
  issuerBaseURL: `https://${process.env.AUTH0_DOMAIN}`,
  audience: process.env.AUTH0_AUDIENCE,
});

app.use(checkJwt); // apply globally, or per-route

  5. Protect endpoints — apply middleware globally or to specific routes:

    // Global protection
app.use(checkJwt);

// Or per-route
app.get('/api/private', checkJwt, (req, res) => {
  res.json({ sub: req.auth.payload.sub });
});

  6. Add RBAC (optional) — use requiredScopes() or claimIncludes() for permission-based access:

    import { auth, requiredScopes, claimIncludes } from 'express-oauth2-jwt-bearer';

app.get('/api/messages', checkJwt, requiredScopes('read:messages'), (req, res) => {
  res.json({ messages: [] });
});

    Important: requiredScopes accepts a single argument — a space-separated string or an array. Do NOT pass multiple string arguments: requiredScopes('read:msg', 'write:msg') silently ignores everything after the first. Use requiredScopes('read:msg write:msg') or requiredScopes(['read:msg', 'write:msg']) instead.

  7. Verify the integration — build and test:

    node server.js
curl http://localhost:3000/api/private         # should return 401
curl -H "Authorization: Bearer <token>" http://localhost:3000/api/private  # should return 200

  8. Failcheck: If the server fails to start or tokens are rejected unexpectedly, check references/api.md for common issues. After 5-6 failed iterations, use AskUserQuestion to ask the user for more details about their environment.

Detailed Documentation

  • Setup Guide — Auth0 API registration, .env configuration, bootstrap script for automated setup, and secret management
  • Integration Patterns — Protected endpoints, RBAC with scopes and claims, DPoP, CORS setup, error handling, and testing with curl
  • API Reference & Testing — Full configuration options, claims reference, complete code example, testing checklist, and common issues

Common Mistakes

MistakeSymptomFix
Created an Application instead of an API in Auth0 DashboardToken validation fails; wrong audienceCreate a new API (Resource Server) in Auth0 Dashboard → APIs
Audience doesn't match API identifier exactly401 Unauthorized — "Audience mismatch"Copy the exact API Identifier string from Auth0 Dashboard → APIs
Domain includes https:// prefixError: Invalid URL at startupUse hostname only: your-tenant.us.auth0.com, not https://...
Checking scope claim instead of permissions for RBAC403 always returned or permissions ignoredUse requiredScopes() for scope-based RBAC; use claimIncludes('permissions', 'read:data') for Auth0 RBAC permission claims
CORS not configured before auth middlewarePreflight OPTIONS requests return 401Add cors() middleware before auth() in the middleware chain
.env file not loadedundefined for domain/audienceAdd import 'dotenv/config' at the top of the entry file
req.auth is undefinedTypeError: Cannot read properties of undefinedVerify checkJwt middleware runs before the handler

Related Skills

Quick Reference

Core Middleware

FunctionDescriptionReturns
auth(options?)JWT Bearer validation middlewareHandler — 401 if token invalid/missing
requiredScopes(scopes)Validates token has all required scopesHandler — 403 if scopes missing
scopeIncludesAny(scopes)Validates token has at least one scopeHandler — 403 if no match
claimEquals(claim, value)Validates a claim equals a valueHandler — 401 if mismatch
claimIncludes(claim, ...values)Validates claim includes all valuesHandler — 401 if incomplete
claimCheck(fn, desc?)Custom claim validation functionHandler — 401 if fn returns false

Configuration Options

OptionTypeDescription
issuerBaseURLstringAuth0 domain with https:// (required unless using env vars)
audiencestringAPI Identifier from Auth0 Dashboard (required unless using env vars)
tokenSigningAlgstringSigning algorithm (default: RS256; use HS256 for symmetric)
authRequiredbooleanSet false to make authentication optional (default: true)
clockTolerancenumberClock skew tolerance in seconds (no default; undefined unless set)
dpopDPoPOptionsDPoP configuration (see integration.md)

Environment Variables

VariableDescription
ISSUER_BASE_URLAuth0 domain with https:// (auto-detected by SDK)
AUDIENCEAPI Identifier (auto-detected by SDK)

Request Object

After successful validation, req.auth contains:

req.auth.payload    // Decoded JWT payload (sub, iss, aud, exp, permissions, etc.)
req.auth.header     // JWT header (alg, typ, kid)
req.auth.token      // Raw JWT string

SDK Architecture

The node-oauth2-jwt-bearer monorepo contains three packages:

PackagePurpose
express-oauth2-jwt-bearerMain package. Express middleware for JWT Bearer validation. Published to npm.
access-token-jwtLow-level JWT verification utilities (used internally).
oauth2-bearerRFC 6750 Bearer token extraction (used internally).

In practice, you only install and import express-oauth2-jwt-bearer.

Auth Flow Comparison

Auth PatternSDKWhen to Use
JWT Bearer (stateless)express-oauth2-jwt-bearerAPIs called by SPAs, mobile apps, M2M clients
Session-based (stateful)@auth0/express-openid-connectWeb apps with login UI and server-side sessions

Testing Quick Reference

# Get test token from Auth0 Dashboard → APIs → your API → Test tab
# Copy the token, then:

# 1. Verify 401 on protected route (no token)
curl -v http://localhost:3000/api/private

# 2. Verify 200 with valid token
curl -H "Authorization: Bearer <paste-token-here>" http://localhost:3000/api/private

# 3. Verify 403 with valid token but missing scope
curl -H "Authorization: Bearer <paste-token-here>" http://localhost:3000/api/admin

# 4. Verify CORS preflight
curl -v -X OPTIONS http://localhost:3000/api/private \
  -H "Origin: http://localhost:5173" \
  -H "Access-Control-Request-Method: GET" \
  -H "Access-Control-Request-Headers: Authorization"

References

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open Registry RecordOpen in ClawHub

Related Skills

Related by shared tags or category signals.

General

BigA

A股智能分析与选股工具。维护动态股票池(最多30支),按高科技×中小市值×好业绩原则筛选,推送买卖信号。含独立技术面择时分(-10~+10)用于判断买入卖出时机。

Registry SourceRecently Updated
3381kobenfang
General

SkillPick

装了一堆Skill没几个好用的?这里帮你挑。29000+款横向对比,告诉你哪个值得装、为什么值得装。

Registry SourceRecently Updated
2240huangjihua007-rgb
General

AI短信发送工具

通过创蓝短信平台发送模板短信

Registry SourceRecently Updated
00chuanglanyunzhi
General

Dota2-skill

Query Dota 2 player records, match data, hero statistics, pro scene, teams, leagues and live games via OpenDota API. Supports 27 commands covering all API en...

Registry SourceRecently Updated
260ssunk