Auth0-Express Mono Repo, containing SDKs for implementing user authentication in Express applications.
📚 Packages - 🔎 Features - 💬 Feedback
Two SDKs — pick the one that matches your application:
@auth0/auth0-express— for server-rendered web apps where users log in. Authenticates with a browser session cookie and handles login, logout, callback, and session management.@auth0/auth0-express-api— for APIs / resource servers consumed by SPAs, mobile, or services. Authenticates with anAuthorization: Bearer <access_token>and authorizes by scopes and claims.
Jump straight to the capability you need.
| Feature | What it does |
|---|---|
| Quick start | Mount Auth0 with createAuth0 in a few lines |
| Environment variables | Configure from AUTH0_* env vars instead of hardcoding |
Migrate from express-openid-connect |
Supported legacy env var aliases for an easier move |
| Built-in routes | /auth/login, /logout, /callback, back-channel logout |
| Custom login / logout / callback | Roll your own routes instead of the mounted ones |
| Configure mounted routes | Rename, re-path, or disable the built-in routes |
| Protect a route with a session | Gate server-rendered pages behind a login session |
| Get the current session / user | Read the authenticated user from req.auth0 |
Call an API (getAccessToken) |
Get an access token to call APIs as the user |
| Authorization with claims | Restrict routes with claimEquals, claimIncludes, claimCheck |
| Dynamic app base URLs | Infer the base URL per host or use an allow-list |
| Multiple Custom Domains (MCD) | Resolve the Auth0 domain per request |
Custom fetch |
Swap in your own fetch (proxies, retries, instrumentation) |
| Discovery cache | Control caching of OIDC discovery metadata |
| Feature | What it does |
|---|---|
| Quick start | Protect an API with createAuth0Api in a few lines |
| Environment variables | Configure from AUTH0_* env vars instead of hardcoding |
Protect an API route (requiresAuth) |
Require a valid bearer access token |
Read token claims (req.auth0.user) |
Access claims extracted from the verified token |
| Require specific scopes | Gate routes with scopesInclude (match any or all) |
| Authorization with claims | Restrict routes with claimEquals, claimIncludes, claimCheck |
| Custom token / user type | Type your custom claims via module augmentation |
Custom fetch |
Swap in your own fetch (proxies, retries, instrumentation) |
The following examples can be found in the examples directory:
Before running the examples, you need to install the dependencies for the monorepo and build all the packages.
- Install depedencies
$ npm install- Build all packages
$ npm run build- Follow example instructions
We appreciate feedback and contribution to this repo! Before you get started, please read the following:
- Auth0's general contribution guidelines
- Auth0's code of conduct guidelines
- This repo's contribution guide
To provide feedback or report a bug, please raise an issue on our issue tracker.
Please do not report security vulnerabilities on the public GitHub issue tracker. The Responsible Disclosure Program details the procedure for disclosing security issues.

Auth0 is an easy to implement, adaptable authentication and authorization platform. To learn more checkout Why Auth0?
This project is licensed under the Apache License 2.0. See the LICENSE file for more info.