> ## Documentation Index > Fetch the complete documentation index at: https://auth0-docs-event-stream-action-templates.mintlify.site/llms.txt > Use this file to discover all available pages before exploring further. # Add Login to Your Express Application > This guide demonstrates how to integrate Auth0, add authentication, and display user profile information in an Express.js web application using the @auth0/auth0-express SDK (Beta). export const CreateInteractiveApp = ({placeholderText = 'Auth0', appType = 'regular_web', allowedCallbackUrls = ['localhost:3000'], allowedLogoutUrls = ['localhost:3000'], allowedOriginUrls = ['localhost:3000']}) => { const [isAuthenticated, setIsAuthenticated] = useState(false); const [storeReady, setStoreReady] = useState(false); const [displayForm, setDisplayForm] = useState(true); useEffect(() => { const init = () => setStoreReady(true); if (window.rootStore) { window.rootStore.clientStore.setSelectedClient(null); window.rootStore.clientStore.setSelectedClientSecret(undefined); init(); } else { window.addEventListener('adu:storeReady', init); } return () => { window.removeEventListener('adu:storeReady', init); }; }, []); useEffect(() => { if (!storeReady) return; const disposer = autorun(() => { const rootStore = window.rootStore; setIsAuthenticated(rootStore.sessionStore.isAuthenticated); }); return () => { disposer(); }; }, [storeReady]); if (!storeReady || typeof window === 'undefined' || !displayForm) { return <>; } const login = () => { const baseUrl = window.rootStore.config.apiBaseUrl; const returnTo = encodeURIComponent(window.location.href); window.location.href = `${baseUrl}/auth/user/login?returnTo=${returnTo}`; }; const Card = ({className = '', children}) => { return

{children}

; }; const Button = ({children, ...props}) => { return ; }; const CreateApplicationForm = () => { const [name, setName] = useState(''); const [isLoading, setIsLoading] = useState(false); const [error, setError] = useState(''); const handleSubmit = async () => { if (!name.trim()) { setError('Application name is required'); return; } setIsLoading(true); setError(null); try { await window.rootStore.clientStore.createClient({ name: name.trim(), app_type: appType, callbacks: allowedCallbackUrls, allowed_logout_urls: allowedLogoutUrls, web_origins: allowedOriginUrls, client_metadata: { created_by: 'quickstart-docs-app-creation-component' } }); setDisplayForm(false); } catch (err) { console.error('Error creating client:', err); const errorMessage = err instanceof Error ? err.message : 'Failed to create application'; setError(errorMessage); } finally { setIsLoading(false); } }; return Create Auth0 App

setName(e.target.value)} />

{error &&

{error}

} ; }; const SignInForm = () => { return to create the app ; }; return isAuthenticated ? : ; }; export const AuthCodeGroup = ({children, dropdown}) => { const [processedChildren, setProcessedChildren] = useState(children); useEffect(() => { let unsubscribe = null; function init() { unsubscribe = window.autorun(() => { const processChildren = node => { if (typeof node === "string") { let processedNode = node; for (const [key, value] of window.rootStore.variableStore.values.entries()) { const escapedKey = key.replaceAll(/[.*+?^${}()|[\]\\]/g, (String.raw)`\$&`); processedNode = processedNode.replaceAll(new RegExp(escapedKey, "g"), value); } return processedNode; } else if (Array.isArray(node)) { return node.map(processChildren); } else if (node && node.props && node.props.children) { return { ...node, props: { ...node.props, children: processChildren(node.props.children) } }; } return node; }; setProcessedChildren(processChildren(children)); }); } if (window.rootStore) { init(); } else { window.addEventListener("adu:storeReady", init); } return () => { window.removeEventListener("adu:storeReady", init); unsubscribe?.(); }; }, [children]); return {processedChildren}; }; export const AuthCodeBlock = ({filename, icon, language, highlight, children}) => { const [displayText, setDisplayText] = useState(children); const [copyText, setCopyText] = useState(children); const wrapperRef = React.useRef(null); useEffect(() => { let unsubscribe = null; function init() { if (!window.autorun || !window.rootStore) { return; } unsubscribe = window.autorun(() => { let processedChildrenForDisplay = children; let processedChildrenForCopy = children; for (const [key, value] of window.rootStore.variableStore.values.entries()) { const escapedKey = key.replaceAll(/[.*+?^${}()|[\]\\]/g, (String.raw)`\$&`); let displayValue = value; if (key === "{yourClientSecret}" && value !== "{yourClientSecret}") { displayValue = value.substring(0, 3) + "*****MASKED*****"; } processedChildrenForDisplay = processedChildrenForDisplay.replaceAll(new RegExp(escapedKey, "g"), displayValue); processedChildrenForCopy = processedChildrenForCopy.replaceAll(new RegExp(escapedKey, "g"), value); } setDisplayText(processedChildrenForDisplay); setCopyText(processedChildrenForCopy); }); } if (window.rootStore) { init(); } else { window.addEventListener("adu:storeReady", init); } return () => { window.removeEventListener("adu:storeReady", init); unsubscribe?.(); }; }, [children]); useEffect(() => { if (!wrapperRef.current) return; const originalWriteText = navigator.clipboard.writeText.bind(navigator.clipboard); let isOverriding = false; const handleClick = e => { const button = e.target.closest('[data-testid="copy-code-button"]'); if (!button || !wrapperRef.current.contains(button)) return; isOverriding = true; navigator.clipboard.writeText = text => { if (isOverriding) { isOverriding = false; navigator.clipboard.writeText = originalWriteText; return originalWriteText(copyText); } return originalWriteText(text); }; setTimeout(() => { if (isOverriding) { isOverriding = false; navigator.clipboard.writeText = originalWriteText; } }, 100); }; const wrapper = wrapperRef.current; wrapper.addEventListener('click', handleClick, true); return () => { wrapper.removeEventListener('click', handleClick, true); if (navigator.clipboard.writeText !== originalWriteText) { navigator.clipboard.writeText = originalWriteText; } }; }, [copyText]); return

{displayText}

; }; export const HowToSchema = () => ; export const envSnippet = `AUTH0_DOMAIN={yourDomain} AUTH0_CLIENT_ID={yourClientId} AUTH0_CLIENT_SECRET={yourClientSecret} APP_BASE_URL=http://localhost:3000 AUTH0_SESSION_SECRET=use-a-long-random-string-at-least-32-characters`; export const envSnippetDashboard = `AUTH0_DOMAIN=YOUR_AUTH0_DOMAIN AUTH0_CLIENT_ID=YOUR_AUTH0_CLIENT_ID AUTH0_CLIENT_SECRET=YOUR_AUTH0_CLIENT_SECRET APP_BASE_URL=http://localhost:3000 AUTH0_SESSION_SECRET=use-a-long-random-string-at-least-32-characters`; This Quickstart is currently in **Beta**. We'd love to hear your feedback! **Prerequisites:** Before you begin, ensure you have the following installed: * [Node.js](https://nodejs.org/) 22 LTS or newer * [npm](https://www.npmjs.com/) 10+ or [yarn](https://yarnpkg.com/) 1.22+ ## Get Started This guide demonstrates how to integrate Auth0, add authentication, and display user profile information in an Express.js web application using the `@auth0/auth0-express` SDK. Create a new directory for your Express application and initialize a Node.js project. ```shellscript Mac theme={null} mkdir auth0-express-app && cd auth0-express-app npm init -y touch server.js .env ``` ```shellscript Windows theme={null} mkdir auth0-express-app; cd auth0-express-app npm init -y New-Item server.js, .env ``` Update your `package.json` to use ES modules and add start scripts: ```json theme={null} { "name": "auth0-express-app", "version": "1.0.0", "type": "module", "main": "server.js", "scripts": { "start": "node server.js", "dev": "node --watch server.js" } } ``` Install `@auth0/auth0-express` along with `express` and `dotenv`: ```shell theme={null} npm install @auth0/auth0-express@beta express dotenv ``` You need to create a new application on your Auth0 tenant and configure your environment variables. Once your app is created, add these values to your `.env` file: Generate a secure session secret: ```shell theme={null} node -e "console.log(require('crypto').randomBytes(32).toString('hex'))" ``` Copy the output and use it as the `AUTH0_SESSION_SECRET` value. On macOS or Linux you can also run `openssl rand -hex 32`. The Node command works on every platform, since Node is already a prerequisite. Run the following command in your project root to create an Auth0 application: ```shellscript Mac theme={null} AUTH0_APP_NAME="My Express App" && \ auth0 apps create \ -n "${AUTH0_APP_NAME}" \ -t regular \ --callbacks http://localhost:3000/auth/callback \ --logout-urls http://localhost:3000 \ --json | jq -r '"AUTH0_DOMAIN=\(.domain)\nAUTH0_CLIENT_ID=\(.client_id)\nAUTH0_CLIENT_SECRET=\(.client_secret)\nAPP_BASE_URL=http://localhost:3000\nAUTH0_SESSION_SECRET='$(node -e "console.log(require('crypto').randomBytes(32).toString('hex'))")'"' > .env ``` ```powershell Windows theme={null} $appName = "My Express App" $secret = [System.Convert]::ToBase64String([System.Security.Cryptography.RandomNumberGenerator]::GetBytes(32)) auth0 apps create -n $appName -t regular ` --callbacks http://localhost:3000/auth/callback ` --logout-urls http://localhost:3000 ` --json | ConvertFrom-Json | ForEach-Object { "AUTH0_DOMAIN=$($_.domain)`nAUTH0_CLIENT_ID=$($_.client_id)`nAUTH0_CLIENT_SECRET=$($_.client_secret)`nAPP_BASE_URL=http://localhost:3000`nAUTH0_SESSION_SECRET=$secret" } | Out-File .env -Encoding utf8 ``` If you haven't installed the Auth0 CLI yet, run: ```shell theme={null} brew tap auth0/auth0-cli && brew install auth0 ``` Then authenticate with `auth0 login`. 1. Go to [Auth0 Dashboard](https://manage.auth0.com/) → **Applications > Applications** 2. Select **Create Application** 3. Enter a name (e.g., "My Express App") and select **Regular Web Applications** 4. Click **Create** 5. In the **Application Settings** tab, configure: | Field | Value | | --------------------- | ------------------------------------- | | Allowed Callback URLs | `http://localhost:3000/auth/callback` | | Allowed Logout URLs | `http://localhost:3000` | 6. Click **Save Changes** 7. Copy your **Domain**, **Client ID**, and **Client Secret** from **Basic Information** Create your `.env` file: Replace `YOUR_AUTH0_DOMAIN`, `YOUR_AUTH0_CLIENT_ID`, and `YOUR_AUTH0_CLIENT_SECRET` with the values from your Auth0 Application Settings. Generate a secure session secret and replace the placeholder value: ```shell theme={null} node -e "console.log(require('crypto').randomBytes(32).toString('hex'))" ``` On macOS or Linux you can also run `openssl rand -hex 32`. The Node command works on every platform, since Node is already a prerequisite. Add the `createAuth0()` middleware to your Express application. The SDK automatically mounts `/auth/login`, `/auth/logout`, `/auth/callback`, and `/auth/backchannel-logout` routes. ```javascript server.js theme={null} import 'dotenv/config'; import express from 'express'; import { createAuth0 } from '@auth0/auth0-express'; const app = express(); const port = process.env.PORT || 3000; app.use(createAuth0()); app.get('/', async (req, res) => { const session = await req.auth0.client.getSession(); res.send(session ? 'Logged in' : 'Logged out'); }); app.listen(port, () => { console.log(`Server running at http://localhost:${port}`); }); ``` **What this does:** * `createAuth0()` reads credentials from environment variables (`AUTH0_DOMAIN`, `AUTH0_CLIENT_ID`, etc.) automatically * Mounts four auth routes under `/auth/` * Attaches `req.auth0.client` to every request for session and token access Protect routes using the `requiresAuth` middleware from the SDK, and display user profile data via `getUser()`. ```javascript server.js theme={null} import 'dotenv/config'; import express from 'express'; import { createAuth0, requiresAuth } from '@auth0/auth0-express'; const app = express(); const port = process.env.PORT || 3000; app.use(createAuth0()); // Public home route app.get('/', async (req, res) => { const session = await req.auth0.client.getSession(); const isAuthenticated = !!session; res.send(` Auth0 Express (Beta) Quickstart

Auth0 Express (Beta) Quickstart

${isAuthenticated ? '✓ You are logged in' : '✗ You are logged out'}

`); }); // Protected profile route — requiresAuth redirects unauthenticated users to /auth/login app.get('/profile', requiresAuth(), async (req, res) => { const user = await req.auth0.client.getUser(); res.send(` Profile

User Profile

${user.picture ? ` Profile

` : ''}

${user.name || user.nickname || 'User'}

Email: ${user.email || 'N/A'}

Full Profile

${JSON.stringify(user, null, 2)}

← Back | Logout `); }); app.listen(port, () => { console.log(`Server running at http://localhost:${port}`); }); ``` **Key points:** * `requiresAuth()` from `@auth0/auth0-express` protects routes — unauthenticated users are redirected to `/auth/login` * `req.auth0.client.getUser()` returns the authenticated user's profile * Login link points to `/auth/login`, logout to `/auth/logout` — both are automatically mounted Start the development server: ```shell theme={null} npm run dev ``` Open your browser to [http://localhost:3000](http://localhost:3000). **Checkpoint** You should now have a fully functional Auth0 login flow. When you: 1. Click **Login** — you're redirected to Auth0's Universal Login page 2. Complete authentication — you're redirected back to your app at `/auth/callback` 3. Visit `/profile` — you see your user information 4. Click **Logout** — your session is cleared and you're logged out of Auth0 *** ## Advanced Usage Configure the SDK with an `audience` to request an access token for your API, then retrieve it with `getAccessToken()`. Add your API audience to `.env`: ```shell .env theme={null} AUTH0_AUDIENCE=https://your-api.example.com ``` Retrieve the token in a protected route: ```javascript server.js theme={null} app.get('/api-data', requiresAuth(), async (req, res) => { const { accessToken } = await req.auth0.client.getAccessToken(); const response = await fetch('https://your-api.example.com/data', { headers: { Authorization: `Bearer ${accessToken}` }, }); res.json(await response.json()); }); ``` The SDK handles token refresh automatically when the access token expires. Redirect users back to a specific page after login using the `returnTo` parameter: ```javascript server.js theme={null} app.get('/dashboard', async (req, res) => { const session = await req.auth0.client.getSession(); if (!session) { return res.redirect('/auth/login?returnTo=/dashboard'); } res.send('Welcome to your dashboard!'); }); ``` Build your own authorization logic on top of the session: ```javascript server.js theme={null} async function requireAdmin(req, res, next) { const user = await req.auth0.client.getUser(); if (!user) return res.redirect('/auth/login'); if (!user['https://myapp.com/roles']?.includes('admin')) { return res.status(403).send('Forbidden'); } next(); } app.get('/admin', requireAdmin, (req, res) => { res.send('Admin panel'); }); ``` The `https://myapp.com/roles` claim is not present by default — add it to the ID token with an [Action](https://auth0.com/docs/customize/actions) and use a namespaced claim name. *** ## Troubleshooting **Cause:** `createAuth0()` middleware was not registered before your route handler. **Fix:** Ensure `app.use(createAuth0())` appears before any route that accesses `req.auth0`: ```javascript theme={null} // ✅ Correct app.use(createAuth0()); app.get('/profile', requiresAuth(), handler); // ❌ Wrong app.get('/profile', requiresAuth(), handler); app.use(createAuth0()); ``` **Cause:** The callback URL in your Auth0 Application Settings does not match `http://localhost:3000/auth/callback`. **Fix:** 1. Go to [Auth0 Dashboard](https://manage.auth0.com/) → **Applications > Applications** → your app → **Application Settings** 2. Add `http://localhost:3000/auth/callback` to **Allowed Callback URLs** 3. Add `http://localhost:3000` to **Allowed Logout URLs** 4. Click **Save Changes** Note: the `@auth0/auth0-express` SDK uses `/auth/callback` (not `/callback` as in `express-openid-connect`). **Cause:** `dotenv/config` is not imported, or the `.env` file is missing required values. **Fix:** 1. Ensure `import 'dotenv/config'` (or `require('dotenv').config()`) is at the top of your entry file 2. Verify your `.env` contains all five required variables: `AUTH0_DOMAIN`, `AUTH0_CLIENT_ID`, `AUTH0_CLIENT_SECRET`, `APP_BASE_URL`, `AUTH0_SESSION_SECRET` 3. Debug missing values: ```javascript theme={null} console.log({ domain: !!process.env.AUTH0_DOMAIN, clientId: !!process.env.AUTH0_CLIENT_ID, clientSecret: !!process.env.AUTH0_CLIENT_SECRET, appBaseUrl: !!process.env.APP_BASE_URL, sessionSecret: !!process.env.AUTH0_SESSION_SECRET, }); ``` **Cause:** Session cookie is not being set correctly, or the callback URL is accessed directly. **Fix:** 1. Ensure `APP_BASE_URL` matches the URL you access in your browser (e.g., `http://localhost:3000`) 2. Clear your browser cookies and try again 3. In production, ensure you are using HTTPS *** ## Next Steps * **[Protect an Express API](/docs/quickstart/backend/express-api-beta)** — Use `@auth0/auth0-express-api` to validate access tokens in your API * **[Add Authorization](https://auth0.com/docs/manage-users/access-control/rbac)** — Implement role-based access control * **[Customize Universal Login](https://auth0.com/docs/customize/universal-login-pages)** — Brand your login experience * **[Add Social Connections](https://auth0.com/docs/connections/social)** — Enable Google, GitHub, and other social logins * **[Implement MFA](https://auth0.com/docs/secure/multi-factor-authentication)** — Add multi-factor authentication *** ## Resources * **[auth0/auth0-express GitHub](https://github.com/auth0/auth0-express/tree/main/packages/auth0-express)** — Source code and examples * **[Auth0 Community](https://community.auth0.com/)** — Get help from the community