Falcor API Authentication

Community maintained

Sample Project

Download a sample project specific to this tutorial configured with your Auth0 API Keys.

System Requirements
  • Falcor 0.1.17
  • Express 4.15.2
Show requirements

To restrict access to the resources served by your API, a check needs to be made to determine whether the incoming request contains valid authorization information. There are various methods for including authorization information in a request, but for integration with Auth0, your API needs to check for a valid JSON Web Token (JWT). When users log into your application, they will receive an id_token and an access_token which are both JWTs. The specific JWT that needs to be sent to your API is the access_token.

Add the Dependencies

Add express-jwt, express-jwt-authz, falcor-express, and falcor-router to your project.

npm install express-jwt express-jwt-authz falcor-express falcor-router --save


By default, your API will be set up to use RS256 as the algorithm for signing tokens. Since RS256 works by using a private/public keypair, tokens can be verified against the public key for your Auth0 account. This public key is accessible at https://YOUR_AUTH0_DOMAIN/.well-known/jwks.json.

Configure the express-jwt middleware to use the remote JWKS for your Auth0 account.

// server.js

const express = require('express');
const app = express();
const jwt = require('express-jwt');
const jwksRsa = require('jwks-rsa');
const falcorExpress = require('falcor-express');
const Router = require('falcor-router');

// Authentication middleware. When used, the
// access token must exist and be verified against
// the Auth0 JSON Web Key Set
const authenticate = jwt({
  // Dynamically provide a signing key
  // based on the kid in the header and 
  // the singing keys provided by the JWKS endpoint.
  secret: jwksRsa.expressJwtSecret({
    cache: true,
    rateLimit: true,
    jwksRequestsPerMinute: 5,
    jwksUri: `https://YOUR_AUTH0_DOMAIN/.well-known/jwks.json`

  // Validate the audience and the issuer.
  audience: '{YOUR_API_IDENTIFIER}',
  issuer: `https://YOUR_AUTH0_DOMAIN/`,
  algorithms: ['RS256']

Secure your API

Individual routes can be configured to look for a particular scope by setting up another middleware with the express-jwt-authz package. To do so, provide an array of required scopes and apply the middleware to any routes you wish to add authorization to.

const checkScopes = jwtAuthz([ 'read:messages' ]);

app.use('/api/model.json', authenticate, checkScopes, falcorExpress.dataSourceRoute(function(req, res) 
    return new Router([

Send Authorization Header from the Front End

When you send a request to the Falcor model, you need to include the user's access_token as an Authorization header.

const token = localStorage.getItem('access_token');

const model = new falcor.Model({
  source: new falcor.HttpDataSource('/api/model.json', {
    // Send the token as an Authorization header
    headers: {
      'Authorization': 'Bearer ' + token

Don't forget to include falcor.browser to your front end:

<!-- Do _not_  rely on this URL in production. Use only during development.  -->
<script src="https://netflix.github.io/falcor/build/falcor.browser.js"></script>
<!-- For production use. -->
<!-- <script src="https://cdn.jsdelivr.net/falcor/{VERSION}/falcor.browser.min.js"></script> -->

Optional steps

Configuring CORS

If you want to configure CORS, add this code to your Falcor app (assuming your Falcor app is hosted on http://localhost:3000):

app.use(function(req, res, next) {
  res.header("Access-Control-Allow-Origin", "http://localhost:3000");
  res.header("Access-Control-Allow-Headers", "Authorization, Origin, X-Requested-With, Content-Type, Accept");
  res.header("Access-Control-Allow-Credentials", "true");
Previous Tutorial
1. Getting Started
Use Auth0 for FREECreate free Account