Developing a Secure API with NestJS

Thanks for the feedback @Aninda1234!

Also, along with Mongoose ODM, can you include a chapter on TypeORM? If I am not wrong, TypeORM is actually both an ORM and an ODM, fits well with MongoDB, and is in TypeScript, so in one tutorial a person can learn how to build a complete backend solution.


Thanks for the suggestions! Right now, we are finalizing the review of a new tutorial for NestJS Authorization using a new approach :scream: NestJS guards! I really like it much more than using Passport!

1 Like

Hi @dan-auth0, great write-up, very helpful. One thing I am struggling with is the next step: how to keep your app-db in sync with the Auth0 users. This is a more generic application question, but I think it would complement this tutorial.

If you have a (sql) app-db with

  • {users} (id, auth0Id, …fields),
  • {items} (id, …fields, userId)

How would you keep local users and Auth0 users in sync? What would be the preferred way to store user information such as profile fields, account status, etc.?

1 Like

Howdy, Arn! This is a good topic to explore in a general way. I am going to bring it up to my team for future ideas. Thank you for your feedback on the blog post. I am going to be publishing a new version soon! :eyes:

1 Like

BTW this remark confuses me:

:warning: While the access token is a byproduct of the authentication process, it does not prove user identity or authentication.

Isn’t the access token the result of the authn process, proving identity?

Hello again, Arn! That’s a great question. What happens is that the access token is a bearer token. Whoever has it on their “hands” can use it to access resources.

The access token is like a movie theater ticket. If I were to find a valid ticket on the floor, I could use it to get past the usher and watch that movie. The usher has no idea if I am the person who actually bought the ticket. The usher only checks if the ticket is valid or not.

1 Like
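The "usher" checks from the ticket analogy above, as an added example that is not part of the thread or of the tutorial's code: what a resource server (for instance a NestJS guard) verifies about a bearer access token before serving the request. It assumes the signature has already been verified (RS256 against the tenant's JWKS); the issuer, audience and expiry checks, plus the sample-token builder, are this example's own.

```typescript
interface AccessTokenClaims { iss?: string; aud?: string | string[]; exp?: number; sub?: string; scope?: string; }

const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

// base64url helpers for ASCII JWT segments (no Node or browser globals needed).
function b64uEncode(s: string): string {
  let bits = 0, value = 0, out = "";
  for (let i = 0; i < s.length; i++) {
    value = (value << 8) | (s.charCodeAt(i) & 0xff); bits += 8;
    while (bits >= 6) { bits -= 6; out += B64[(value >> bits) & 63]; }
    value &= (1 << bits) - 1;
  }
  return bits > 0 ? out + B64[(value << (6 - bits)) & 63] : out;
}
function b64uDecode(s: string): string {
  let bits = 0, value = 0, out = "";
  for (let i = 0; i < s.length; i++) {
    const idx = B64.indexOf(s[i]);
    if (idx < 0) throw new Error("invalid base64url");
    value = (value << 6) | idx; bits += 6;
    if (bits >= 8) { bits -= 8; out += String.fromCharCode((value >> bits) & 0xff); value &= (1 << bits) - 1; }
  }
  return out;
}

// The "usher" logic: is this ticket genuine, for this theater, and still valid?
// Assumption: the signature was verified before this point, so only the
// claims remain to be checked here.
export function validateAccessToken(token: string, expectedAud: string, expectedIss: string, nowSeconds: number): AccessTokenClaims {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed JWT");
  const claims = JSON.parse(b64uDecode(parts[1])) as AccessTokenClaims;
  if (claims.iss !== expectedIss) throw new Error("unexpected issuer");
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expectedAud)) throw new Error("token was not issued for this API");
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) throw new Error("token expired");
  // Valid ticket: the API serves whoever presented it. `sub` names the
  // subject the token was issued for, not the caller holding it right now.
  return claims;
}

// Constructed sample token for local testing: placeholder header and
// signature, not issued or signed by Auth0.
export function sampleToken(claims: AccessTokenClaims): string {
  const header = b64uEncode(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  return `${header}.${b64uEncode(JSON.stringify(claims))}.placeholder-signature`;
}
```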

hey @dan-auth0 any news on this? Looking forward to it!

1 Like

Due to bandwidth and illness :mask:, there have been some delays, but I am resuming work on it this week. Something that’s important for me is to provide y’all with an easy way to test making API requests from the client in a realistic way. I plan to provide three sample apps that y’all can choose from to make protected API calls from the client: Angular, React, Vue.

I am finishing up the Vue app this week :slight_smile:

Thanks, stay safe! Looking forward to the updates, especially the updated version for NestJS (without the passport requirement)

@dan-auth0 Great tutorial.
Do you have the source code for the client? I need to learn how to call it from the client.


1 Like

Howdy, Visionarylab! Thanks for your feedback :slight_smile:

Currently working on that. That app was a big undertaking :grimacing: I am going to make it available soon in React. My goal is to also provide it in Vue and Angular. Which frontend framework are you the most familiar with?

1 Like

Great, React and Vue is da best.

Wish your blog’s prospect.

@arn I am guessing the access token is basically formatted as a JWT, like a cookie in the past. If a frequent token update can be set up, it would be a great tutorial too on the SPA side. Thanks.

I got this: invalid_request: The specified redirect_uri ‘’ does not have a registered origin.
If I change it to ‘…’ it opens and closes.

Any tips? Ty