Node.js and Express Tutorial: Building and Securing RESTful APIs

How to easily develop and build RESTful APIs with Node.js and Express, while securing them with Auth0. Build a demo that allows third-party clients to make requests to the API and manipulate its resources.

This blog post has been deprecated.

Find the latest guidance on how to implement authorization in Express.js applications by following our “Node.js API Authorization By Example” guides from the Auth0 Developer Center Resources. You can find the guidance on both JavaScript and TypeScript!

1 Like


Is there a similar tutorial for restify? Specifically the auth part of it. Haven’t yet seen one for restify

1 Like

Great overview article on getting started. I’d like to see more on the Auth0 aspect of this process, such as managing access tokens for users accessing the API.

1 Like

How to validate the actual third-party applications that are calling the API? Like API keys.

Only through logging in users? What about the actual application?

I want to verify that the third party apps accessing the API are part of a particular account, and respond with data from their account.

Howdy, @johnxy84! I am working on some Node posts and I plan to cover Restify along with Express! Is there anything in particular you’d like to learn about Auth0, Node, and Restify?

Thank you for your feedback!

Thanks for the feedback, @mietwise-storm! I’ll add it to my list of ideas on what to cover for the Node ecosystem :slight_smile:

Are there any other specific topics related to Node and Auth0 or Node in general that you’d like to see covered?

Yes Dan. Basic Authentication for an API using restify

1 Like

You got it, @johnxy84. Adding it to the pipeline :slight_smile:
I’ll ping you here when it’s live.

1 Like

When I test the GitHub example, after getting my test token and sending any request other than GET (i.e. POST, PUT) with the authorization header set to “Bearer {token}” (replacing {token} with the one on the test section of my API), the server says this:

SyntaxError: Unexpected token t in JSON at position 3
    at JSON.parse (<anonymous>)
    at parse (C:\Users\esteb\Desktop\auth0-express-master\node_modules\body-parser\lib\types\json.js:89:19)
    at C:\Users\esteb\Desktop\auth0-express-master\node_modules\body-parser\lib\read.js:121:18
    at invokeCallback (C:\Users\esteb\Desktop\auth0-express-master\node_modules\raw-body\index.js:224:16)
    at done (C:\Users\esteb\Desktop\auth0-express-master\node_modules\raw-body\index.js:213:7)
    at IncomingMessage.onEnd (C:\Users\esteb\Desktop\auth0-express-master\node_modules\raw-body\index.js:273:7)
    at IncomingMessage.emit (events.js:194:15)
    at endReadableNT (_stream_readable.js:1125:12)
    at process._tickCallback (internal/process/next_tick.js:63:19)

When I send a DELETE request to the ID created before starting the Express server, it returns the “Ad removed” response, but then I send a GET request to / and there is the ad (not deleted).

I was searching for a solution everywhere but couldn’t find it :confused:

Ooooooook, the problem was a missing "" on title.
I was sending the JSON body as:
{
title: "Something"
}

And now that I'm sending:
{
"title": "something"
}

It's working. I'm sorry, and thanks for the tutorial.

1 Like
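The failure above (an unquoted key makes body-parser's JSON.parse throw, and the stack trace ends up in the response) is a common one, and the fix on the server side is to catch that specific error and answer with a clean 400. The following is an added example, not code from the original post or from the Auth0 tutorial: an Express-style error-handling middleware plus a small stand-in for `express.json()` and the response object, so it runs offline without the express package. It relies on the fact that body-parser marks its parse failures with `status = 400` and `type = 'entity.parse.failed'` on the thrown `SyntaxError`; the function names `isJsonParseError`, `jsonParseErrorHandler`, `parseJsonBody` and `handleRequest` are hypothetical.

```javascript
// Added example (not the original poster's or the tutorial's code): map body-parser's
// JSON parse failure to a 400 with a fixed message, so malformed bodies never surface
// a stack trace or the raw body to the client.

// body-parser raises a SyntaxError and attaches status 400 and type 'entity.parse.failed'.
function isJsonParseError(err) {
  return err instanceof SyntaxError &&
    err.status === 400 &&
    err.type === 'entity.parse.failed';
}

// Express error handler (four-argument signature). Mount it after express.json() and the routes.
// Anything that is not a JSON parse failure is passed on to the next error handler.
function jsonParseErrorHandler(err, req, res, next) {
  if (!isJsonParseError(err)) return next(err);
  // Keep the detail (err.body, err.message) for server-side logs only.
  res.status(400).json({ error: 'Request body is not valid JSON' });
}

// Stand-in for what express.json() does: parse the raw body and, on failure, attach the
// same fields body-parser attaches (constructed here so the file runs without express).
function parseJsonBody(raw) {
  try {
    return JSON.parse(raw);
  } catch (e) {
    e.status = 400;
    e.type = 'entity.parse.failed';
    e.body = raw;
    throw e;
  }
}

// Minimal constructed response object with the two methods the handler uses.
function makeRes() {
  const res = { statusCode: 200, payload: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (obj) => { res.payload = obj; return res; };
  return res;
}

// Drive one raw body through the parser, a pretend "create ad" route and the error handler.
// Returns what the client would observe: { status, payload }.
function handleRequest(raw) {
  const res = makeRes();
  try {
    const body = parseJsonBody(raw);
    res.status(201).json({ created: body.title });
  } catch (err) {
    let forwarded = null;
    jsonParseErrorHandler(err, {}, res, (e) => { forwarded = e; });
    // Stand-in for Express's default handler for errors we did not claim.
    if (forwarded) res.status(500).json({ error: 'Internal error' });
  }
  return { status: res.statusCode, payload: res.payload };
}

// Stand-alone demonstration: the poster's broken body versus the corrected one.
console.log(handleRequest('{\ntitle: "Something"\n}'));   // 400, fixed error message
console.log(handleRequest('{\n"title": "something"\n}')); // 201, created: "something"
```

In a real app the wiring is `app.use(express.json())`, then the routers, then `app.use(jsonParseErrorHandler)` as the last middleware; the check on `err.type` is what keeps the handler from swallowing unrelated errors that happen to be `SyntaxError`s.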

Welcome to the Auth0 Community, @estebi.r!
I am glad that everything worked out fine :slight_smile:

Hi, @mietwise-storm. Somehow I missed the messages on this post.

What do you mean by “managing access tokens”? I mean, the API that the article teaches how to build just validates tokens that are embedded into requests (more specifically in the Authorization header). Fetching access tokens (and managing their lifecycle) would pretty much depend on what type of client you are developing to consume this API.

For example, if you were building a server-side rendered app with Next.js and React, you would use Passport to authenticate users and to fetch tokens. Then, inside this app, you would store access tokens and, if needed, refresh tokens.

Does that help? Or what have I missed?

This article focusing on the API/Server rather than mixing creation of client and API in one article was helpful to me. Would be good to have a similar article to build a SPA client for this API.

Agreed, I expected the article to continue on and show how to use the set up from the client side (I can see why it might not have been done that way).

Can someone at Auth0 point out the ‘right’ follow on article for Angular or SPA please?

Hi @liamgsmith, welcome to the Auth0 Community! We’re still updating the Angular tutorial for the new SPA SDK, but, in the meantime, have a look at the Angular QuickStart.

Hope that helps!

Cheers,
Sam Julien

I love the tutorial, but I’m still having an issue trying to wrap my head around how this would be built with something like Electron Builder. In all my research I’ve seen of Electron apps with a backend, the backend was built within root and not in two completely different directories. It seemed a chained command or the usage of prestart in scripts would be used to start the server.

After building, I also question the security aspect of it after reading this from Using OAuth in an Electron application on Medium. Sorry if these seem like noob questions; I just want to make sure I’m considering the security and end process if I want to use Auth0 for a desktop application.

Hi there, @codingChewie. Welcome to our community.

Regarding your questions, I have the impression that I answer all of them here: Build and Secure an Electron App - OpenID, OAuth, Node.js, and Express.

In this article, you will see that I create an Electron desktop application and I also bootstrap a Node.js/Express API. I do not use Electron Builder, but I don’t think this matters.

To be honest, I didn’t really understand what you said about a chained command. I mean, the Electron app is something that runs on desktop (users’ devices). The API (Node.js and Express in this case, but it can be anything you like) runs on servers that belong to the developers or the company that owns the app.

That is, I would treat them as two completely separate projects and the API would be client-agnostic. In other words, the Electron app would depend on and consume the API, but any other client built for different platforms (SPAs running on browsers, iOS apps, etc.) could consume it too. Let me know if that helps.

When I read and follow the tutorial it works great. The only issue I have is that the backend has to be fired up prior to the frontend so that the Electron application will work correctly. If that is the case, how is the Electron application to be deployed (or known as production distribution ready) if the server side is not incorporated into Electron?

The best example I can use to demonstrate what I’m referring to is how Matt Raible demonstrated Okta with Electron.

What I’m trying to learn here is how to refactor the backend into Electron and secure all env variables which is why I posted the links above so that this could be built as a production ready application.

After installing the mongo dependencies, creating the mongo.js file and the ads.js file, and updating the index.js file, I tried running the server using “node src” and keep getting this error:

(node:14776) UnhandledPromiseRejectionWarning: TypeError: mongo.getConnectionString is not a function
    at startDatabase (express-ads-api\src\database\mongo.js:9:36)

Is there a workaround or an alternative to using mongo.getConnectionString?

1 Like