@auth0/auth0-api-js
Advanced tools
The @auth0/auth0-api-js library allows for securing API's running on a JavaScript runtime.
Using this SDK as-is in your API may not be trivial, as it is not a plug-and-play library for your framework. Instead, it is designed to be used as a building block for building framework-specific SDKs.
📚 Documentation - 🚀 Getting Started - 💬 Feedback
npm i @auth0/auth0-api-js
This library requires Node.js 20 LTS and newer LTS versions.
Create an instance of the ApiClient. This instance will be imported and used anywhere we need access to the methods.
import { ApiClient } from '@auth0/auth0-api-js';
const apiClient = new ApiClient({
domain: '<AUTH0_DOMAIN>',
audience: '<AUTH0_AUDIENCE>',
});
The AUTH0_DOMAIN can be obtained from the Auth0 Dashboard once you've created an application.
The AUTH0_AUDIENCE is the identifier of the API. You can find this in the API section of the Auth0 dashboard.
The SDK's verifyAccessToken method can be used to verify the access token.
const apiClient = new ApiClient({
domain: '<AUTH0_DOMAIN>',
audience: '<AUTH0_AUDIENCE>',
});
const accessToken = '...';
const decodedAndVerifiedToken = await apiClient.verifyAccessToken({
accessToken,
});
The SDK automatically validates claims like iss, aud, exp, and nbf. You can also pass additional claims to be required by configuring requiredClaims:
const apiClient = new ApiClient({
domain: '<AUTH0_DOMAIN>',
audience: '<AUTH0_AUDIENCE>',
});
const accessToken = '...';
const decodedAndVerifiedToken = await apiClient.verifyAccessToken({
accessToken,
requiredClaims: ['my_custom_claim'],
});
The SDK supports OAuth 2.0 Protected Resource Metadata as defined in RFC 9728:
import {
ProtectedResourceMetadataBuilder,
BearerMethod,
SigningAlgorithm,
} from '@auth0/auth0-api-js';
const resourceServerUrl = 'https://api.example.com';
const authServers = ['https://your-tenant.us.auth0.com'];
const metadata = new ProtectedResourceMetadataBuilder(resourceServerUrl, authServers)
.withBearerMethodsSupported([BearerMethod.HEADER])
.withResourceSigningAlgValuesSupported(
SigningAlgorithm.RS256,
SigningAlgorithm.ES256,
)
.withScopesSupported(['read', 'write', 'admin'])
.build();
// Serve metadata from the standard RFC 9728 endpoint
app.get('/.well-known/oauth-protected-resource', (req, res) => {
res.json(metadata.toJSON());
});
We appreciate feedback and contribution to this repo! Before you get started, please read the following:
To provide feedback or report a bug, please raise an issue on our issue tracker.
Please do not report security vulnerabilities on the public GitHub issue tracker. The Responsible Disclosure Program details the procedure for disclosing security issues.
Auth0 is an easy to implement, adaptable authentication and authorization platform. To learn more checkout Why Auth0?
This project is licensed under the MIT license. See the LICENSE file for more info.
FAQs
Auth0 Authentication SDK for API's on JavaScript runtimes
We found that @auth0/auth0-api-js demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 44 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
/Security News
175 malicious npm packages (26k+ downloads) used unpkg CDN to host redirect scripts for a credential-phishing campaign targeting 135+ organizations worldwide.
Security News
Python 3.14 adds template strings, deferred annotations, and subinterpreters, plus free-threaded mode, an experimental JIT, and Sigstore verification.
Security News
Former RubyGems maintainers have launched The Gem Cooperative, a new community-run project aimed at rebuilding open governance in the Ruby ecosystem.