Node.js Login

Sample Project

Download a sample project specific to this tutorial configured with your Auth0 API Keys.

System Requirements
  • NodeJS 4.3 or higher
  • Express 4.11
Show requirements

This integration guide will walk you through setting up and managing authentication and authorization in your Node.js apps using Auth0.

Get Your Application Keys

When you signed up for Auth0, you were invited to create a new client.

There are some details about this client that your application needs to know about to properly communicate with Auth0, including your Client ID and Domain. You can retrieve these values from the settings area for your client in the Auth0 dashboard.

Please note that if you download the samples available for this tutorial, these keys will be pre-populated for you. If you have created more than one client in your account, the sample will come with the values for your Default App.

App Dashboard

Configure Callback URLs

A callback URL is a URL in your application where Auth0 redirects to after the user has authenticated. You need to whitelist a callback URL for your app in the Callback URLs field in your Client Settings. If no callback URLs are set, a mismatch error will be displayed when a user logs in.

If you are following along with the downloadable sample projects for this tutorial directly, the Callback URL should be set to


Install the Middleware Dependencies

Install the necessary middelwares.

# installation with npm
npm install passport passport-auth0 connect-ensure-login --save

# installation with yarn
yarn add passport passport-auth0 connect-ensure-login

Configure the Middleware

Provide your Auth0 client details as configuration values for an instance of Auth0Strategy. Tell passport to use the strategy.

// app.js

const passport = require('passport');
const Auth0Strategy = require('passport-auth0');

// Configure Passport to use Auth0
const strategy = new Auth0Strategy(
    domain: 'YOUR_AUTH0_DOMAIN',
    clientID: 'YOUR_CLIENT_ID',
    clientSecret: 'YOUR_CLIENT_SECRET',
    callbackURL: 'http://localhost:3000/callback'
  (accessToken, refreshToken, extraParams, profile, done) => {
    return done(null, profile);


// This can be used to keep a smaller payload
passport.serializeUser(function(user, done) {
  done(null, user);

passport.deserializeUser(function(user, done) {
  done(null, user);

// ...

Trigger Authentication

Auth0's hosted login page can be used to allow users to log in.

Add a route called /login and use the env object to set the Client ID, Domain, and Callback URL for your client. This route will instantiate auth0.WebAuth and call the authorize method to redirect the user to Auth0's hosted login page.

This snippet sets the audience to ensure an OIDC conformant response, this can also be achieved by enabling the OIDC conformant switch in your Auth0 dashboard under Client / Settings / Advanced OAuth. For more information please check this documentation.

// routes/index.js

const express = require('express');
const passport = require('passport');
const router = express.Router();

const env = {
  AUTH0_CALLBACK_URL: 'http://localhost:3000/callback'

/* GET home page. */
router.get('/', function(req, res, next) {

// Perform the login
  passport.authenticate('auth0', {
    clientID: env.AUTH0_CLIENT_ID,
    domain: env.AUTH0_DOMAIN,
    redirectUri: env.AUTH0_CALLBACK_URL,
    audience: 'https://' + env.AUTH0_DOMAIN + '/userinfo',
    responseType: 'code',
    scope: 'openid'
  function(req, res) {

// Perform session logout and redirect to homepage
router.get('/logout', (req, res) => {

// Perform the final stage of authentication and redirect to '/user'
  passport.authenticate('auth0', {
    failureRedirect: '/'
  function(req, res) {
    res.redirect(req.session.returnTo || '/user');

hosted login

Embedded Login

Auth0's hosted login page provides the fastest, most secure, and most feature-rich way to implement authentication in your app. If required, the Lock widget can also be embedded directly into your application, but certain features such as single sign-on won't be accessible. It is highly recommended that you use the hosted login page (as covered in this tutorial), but if you wish to embed the Lock widget directly in your application, follow the Embedded Login sample.

Next Tutorial
2. User Profile
Use Auth0 for FREECreate free Account