DiscordSign up
SKILLS.SH

auth0-express

Use when adding authentication (login, logout, protected routes) to Express.js web applications - integrates express-openid-connect for session-based auth.

INSTALLATION
npx skills add https://github.com/auth0/agent-skills --skill auth0-express
Run in your project or agent environment. Adjust flags if your CLI version differs.

SKILL.md

Auth0 Express Integration

Add authentication to Express.js web applications using express-openid-connect.

Prerequisites

  • Express.js application
  • Auth0 account and application configured
  • If you don't have Auth0 set up yet, use the auth0-quickstart skill first

When NOT to Use

  • Single Page Applications - Use auth0-react, auth0-vue, or auth0-angular for client-side auth
  • Next.js applications - Use auth0-nextjs skill which handles both client and server
  • Mobile applications - Use auth0-react-native for React Native/Expo
  • Stateless APIs - Use JWT validation middleware instead of session-based auth
  • Microservices - Use JWT validation for service-to-service auth

Quick Start Workflow

1. Install SDK

npm install express-openid-connect dotenv

2. Configure Environment

For automated setup with Auth0 CLI, see Setup Guide for complete scripts.

For manual setup:

Create .env:

SECRET=<openssl-rand-hex-32>

BASE_URL=http://localhost:3000

CLIENT_ID=your-client-id

CLIENT_SECRET=your-client-secret

ISSUER_BASE_URL=https://your-tenant.auth0.com

Generate secret: openssl rand -hex 32

3. Configure Auth Middleware

Update your Express app (app.js or index.js):

require('dotenv').config();

const express = require('express');

const { auth, requiresAuth } = require('express-openid-connect');

const app = express();

// Configure Auth0 middleware

app.use(auth({

  authRequired: false,  // Don't require auth for all routes

  auth0Logout: true,    // Enable logout endpoint

  secret: process.env.SECRET,

  baseURL: process.env.BASE_URL,

  clientID: process.env.CLIENT_ID,

  issuerBaseURL: process.env.ISSUER_BASE_URL,

  clientSecret: process.env.CLIENT_SECRET

}));

app.listen(3000, () => {

  console.log('Server running on http://localhost:3000');

});

This automatically creates:

  • /login - Login endpoint
  • /logout - Logout endpoint
  • /callback - OAuth callback

4. Add Routes

// Public route

app.get('/', (req, res) => {

  res.send(req.oidc.isAuthenticated() ? 'Logged in' : 'Logged out');

});

// Protected route

app.get('/profile', requiresAuth(), (req, res) => {

  res.send(`

    <h1>Profile</h1>

    <p>Name: ${req.oidc.user.name}</p>

    <p>Email: ${req.oidc.user.email}</p>

    <pre>${JSON.stringify(req.oidc.user, null, 2)}</pre>

    <a href="/logout">Logout</a>

  `);

});

// Login/logout links

app.get('/', (req, res) => {

  res.send(`

    ${req.oidc.isAuthenticated() ? `

      <p>Welcome, ${req.oidc.user.name}!</p>

      <a href="/profile">Profile</a>

      <a href="/logout">Logout</a>

    ` : `

      <a href="/login">Login</a>

    `}

  `);

});

5. Test Authentication

Start your server:

node app.js

Visit http://localhost:3000 and test the login flow.

Detailed Documentation

  • Setup Guide - Automated setup scripts, environment configuration, Auth0 CLI usage
  • API Reference - Complete middleware API, configuration options, request properties

Common Mistakes

Mistake

Fix

Forgot to add callback URL in Auth0 Dashboard

Add /callback path to Allowed Callback URLs (e.g., http://localhost:3000/callback)

Missing or weak SECRET

Generate secure secret with openssl rand -hex 32 and store in .env as SECRET

Setting authRequired: true globally

Set to false and use requiresAuth() middleware on specific routes

App created as SPA type in Auth0

Must be Regular Web Application type for server-side auth

Session secret exposed in code

Always use environment variables, never hardcode secrets

Wrong baseURL for production

Update BASE_URL to match your production domain

Not handling logout returnTo

Add your domain to Allowed Logout URLs in Auth0 Dashboard

Related Skills

  • auth0-quickstart - Basic Auth0 setup
  • auth0-migration - Migrate from another auth provider
  • auth0-mfa - Add Multi-Factor Authentication
  • auth0-cli - Manage Auth0 resources from the terminal

Quick Reference

Middleware Options:

  • authRequired - Require auth for all routes (default: false)
  • auth0Logout - Enable /logout endpoint (default: false)
  • secret - Session secret (required)
  • baseURL - Application URL (required)
  • clientID - Auth0 client ID (required)
  • issuerBaseURL - Auth0 tenant URL (required)

Request Properties:

  • req.oidc.isAuthenticated() - Check if user is logged in
  • req.oidc.user - User profile object
  • req.oidc.accessToken - Access token for API calls
  • req.oidc.idToken - ID token
  • req.oidc.refreshToken - Refresh token

Common Use Cases:

  • Protected routes → Use requiresAuth() middleware (see Step 4)
  • Check auth status → req.oidc.isAuthenticated()
  • Get user info → req.oidc.user

References

BrowserAct

Let your agent run on any real-world website

Bypass CAPTCHA & anti-bot for free. Start local, scale to cloud.

Explore BrowserAct Skills →

Related skills

find-skills
2/3

Discover and install specialized agent skills from the open ecosystem when users need extended capabilities. Helps identify relevant skills by domain and task when users ask "how do I do X" or "find a skill for X" Integrates with the Skills CLI ( npx skills find , npx skills add ) to search, verify, and install packages from the skills.sh directory Recommends skills based on install count, source reputation, and GitHub stars to ensure quality before suggesting installation Presents skill options with install commands and links to skills.sh for user review and one-click installation

Verified authorvercel-labs
SKILLS.SH
1.5M19.6K
2026-05-22
vercel-react-best-practices
3/3

React and Next.js performance optimization guide with 64 prioritized rules across 8 categories. Organized by impact level, from critical waterfalls and bundle optimization down to advanced patterns, each rule includes incorrect/correct code examples and explanations Covers eight domains: async patterns, bundle size, server-side caching, client-side data fetching, re-render optimization, rendering performance, JavaScript efficiency, and advanced patterns Designed for use during component writing, code review, refactoring, and performance audits on React and Next.js applications Each rule has a prefix code (e.g., async-parallel , bundle-barrel-imports ) for easy reference in automated tooling and documentation

Verified authorvercel-labs
SKILLS.SH
389K26.9K
2026-05-22
azure-validate
2/3

Pre-deployment validation for Azure infrastructure, configuration, and permissions before deployment. Requires .azure/plan.md from a prior azure-prepare run; stops immediately if the plan is missing Executes recipe-specific validation commands (azd provision, bicep build, terraform validate) and records proof in the plan document Performs build verification, configuration checks, and permission validation; blocks deployment if any check fails Only authorized method to set plan status to Validated ; must be followed by azure-deploy skill to execute the actual deployment

Verified authormicrosoft
SKILLS.SH
324K1.1K
2026-05-22
appinsights-instrumentation
3/3

Guidance and reference material for instrumenting webapps with Azure Application Insights. Covers SDK setup, telemetry patterns, and configuration for ASP.NET Core and Node.js applications hosted in Azure Distinguishes between this skill (reference and guidance) and azure-prepare (actual implementation); invoke azure-prepare when the user wants to add instrumentation to their project Provides auto-instrumentation guidance for C# ASP.NET Core apps in Azure App Service, plus manual instrumentation paths for creating App Insights resources via Bicep templates or Azure CLI Includes language-specific code modification guides for ASP.NET Core, Node.js, and Python, plus quick references for OpenTelemetry SDKs and exporters

Verified authormicrosoft
SKILLS.SH
324K1.1K
2026-05-22

Stop writing automation&scrapers

Install the CLI. Run your first Skill in 30 seconds. Scale when you're ready.

Start free
free · no credit card