How to save JWT token recieved from auth0 login securely (nodejs express)

am new to Auth0 and trying to implement it in my regular express web application. I need to protect/validate the user before they access some of my endpoints. My understanding is that i can do this with the JWT that is returned from the login callback. I have gotten that far, but when I login, it redirects, and I’m unsure of how to pass in the access token/store it securely on the client side.

this is what my callback endpoint looks like after logging in. It returns the authorization code but I am lost from here.

I return this on login:


// Perform the final stage of authentication and redirect to previously requested URL or '/user'
router.get('/callback', function (req, res, next) {     
  passport.authenticate('auth0', function (err, user, info) {
    if (err) { return next(err); }
    if (!user) { return res.redirect('/login'); }
    req.logIn(user, function (err) {
      if (err) { return next(err); }
      const returnTo = req.session.returnTo;
      delete req.session.returnTo;  
  })(req, res, next);

where do i go from here?

this is a regular web application, and cannot be an SPA

Hi @grf,

Welcome to the Auth0 Community Forum!

Do you need the access token on your client side? If not, you can store it securely in your backend. Could you describe your case more if this does not solve it.

Hope this helps!


I can do it entirely on the back end if need be. All i need is a way to authenticate a logged in user is attempting to access a specific endpoint.

ie. Say i have an api endpoint on my express app that returns a json string of item information like serial number, weight, etc. and I only want the users of the site to be able to see this/use this endpoint. What should i do to protect this endpoint, and still only send the json.

If you are making requests to the endpoint from a client side app like a spa, then you will want to handle authentication from the spa. Otherwise, the backend will make the requests securely by sending the token.

This doc is helpful if you aren’t sure where your applications fit in:

Generally, if you are making requests to an api from the front end, you are using a spa + api and need to request tokens there. If you are using templates to generate web pages from the back end, then you will not need tokens client side.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.