Node.js and Express Tutorial: Building and Securing RESTful APIs

How to easily develop and build RESTful APIs with Node.js and Express, while securing it with Auth0. Build a demo that allows third-party clients to make requests to API and manipulate resources.

Read on: https://auth0.com/blog/node-js-and-express-tutorial-building-and-securing-restful-apis

Tell us what you think of this post.

Is there a similar tutorial for restify? Specifically the auth part of it. Haven’t yet seen one for restify.

Great overview article on getting started. I’d like to see more on the Auth0 aspect of this process, such as managing access tokens for users accessing the API.

How to validate the actual third-party applications that are calling the API? Like API Keys.

Only through logging in users? What about the actual application?

I want to verify that the third party apps accessing the API are part of a particular account, and respond with data from their account.

Howdy, @johnxy84! I am working on some Node posts and I plan to cover Restify along with Express! Is there anything in particular you’d like to learn about Auth0, Node, and Restify?

Thank you for your feedback!

Thanks for the feedback, @mietwise-storm! I’ll add it to my list of ideas on what to cover for the Node ecosystem :slight_smile:

Are there any other specific topics related to Node and Auth0 or Node in general that you’d like to see covered?

Yes, Dan. Basic Authentication for an API using restify.

You got it, @johnxy84. Adding it to the pipeline :slight_smile:
I’ll ping you here when it’s live.

When I test the GitHub example, after getting my test token, and sending any request other than GET (i.e. POST, PUT) with the authorization header set to “Bearer {token}” (replacing {token} with the one on the test section of my API), the server says this:

SyntaxError: Unexpected token t in JSON at position 3
    at JSON.parse (<anonymous>)
    at parse (C:\Users\esteb\Desktop\auth0-express-master\node_modules\body-parser\lib\types\json.js:89:19)
    at C:\Users\esteb\Desktop\auth0-express-master\node_modules\body-parser\lib\read.js:121:18
    at invokeCallback (C:\Users\esteb\Desktop\auth0-express-master\node_modules\raw-body\index.js:224:16)
    at done (C:\Users\esteb\Desktop\auth0-express-master\node_modules\raw-body\index.js:213:7)
    at IncomingMessage.onEnd (C:\Users\esteb\Desktop\auth0-express-master\node_modules\raw-body\index.js:273:7)
    at IncomingMessage.emit (events.js:194:15)
    at endReadableNT (_stream_readable.js:1125:12)
    at process._tickCallback (internal/process/next_tick.js:63:19)

When I send a DELETE request to the ID created before starting the express server, it returns the “Ad removed” response, but then I send a GET request to / and there is the ad (not deleted).

I was searching for a solution everywhere but couldn’t find it :confused:

Ooooooook, the problem was a missing "" on title.
I was sending the JSON body as:
{
title: "Something"
}

And now that I’m sending:
{
"title": "something"
}

It’s working. I’m sorry, and thanks for the tutorial.

Welcome to the Auth0 Community, @estebi.r!
I am glad that everything worked out fine :slight_smile:

Hi, @mietwise-storm. Somehow I missed the messages on this post.

What do you mean by “managing access tokens”? I mean, the API that the article teaches how to build just validates tokens that are embedded into requests (more specifically on the Authorization header). Fetching access tokens (and managing their lifecycle) would pretty much depend on what type of client you are developing to consume this API.

For example, if you were building a server-side rendered app with Next.js and React, you would use Passport to authenticate users and to fetch tokens. Then, inside this app, you would store access tokens and, if needed, refresh tokens.

Does that help? Or what have I missed?

This article focusing on the API/Server rather than mixing creation of client and API in one article was helpful to me. Would be good to have a similar article to build a SPA client for this API.

Agreed, I expected the article to continue on and show how to use the setup from the client side (I can see why it might not have been done that way).

Can someone at Auth0 point out the ‘right’ follow-on article for Angular or SPA please?

Hi @liamgsmith, welcome to the Auth0 Community! We’re still updating the Angular tutorial for the new SPA SDK, but, in the meantime, have a look at the Angular QuickStart.

Hope that helps!

Cheers,
Sam Julien