auth0-express

Use when adding authentication to Express.js server-rendered web applications with session management - integrates express-openid-connect for traditional web apps

Install with Tessl CLI

npx tessl i github:auth0/agent-skills --skill auth0-express

What are skills?

1.25x

Review — 78%

Does it follow best practices?

If you maintain this skill, you can automatically optimize it using the tessl CLI to improve its score:

npx tessl skill review --optimize ./path/to/skill

Learn more

Evaluation — 98%

↑ 1.25x

Agent success when using this skill

Validation — 11 / 11 Passed

Validation for skill structure

SKILL.md

Review

Evals

Auth0 Express Integration

Name: auth0-express
Rating: 0.86 (1 reviews)
Author: auth0

Add authentication to Express.js web applications using express-openid-connect.

Prerequisites

Express.js application
Auth0 account and application configured
If you don't have Auth0 set up yet, use the auth0-quickstart skill first

When NOT to Use

Single Page Applications - Use auth0-react, auth0-vue, or auth0-angular for client-side auth
Next.js applications - Use auth0-nextjs skill which handles both client and server
Mobile applications - Use auth0-react-native for React Native/Expo
Stateless APIs - Use JWT validation middleware instead of session-based auth
Microservices - Use JWT validation for service-to-service auth

Quick Start Workflow

1. Install SDK

npm install express-openid-connect dotenv

2. Configure Environment

For automated setup with Auth0 CLI, see Setup Guide for complete scripts.

For manual setup:

Create .env:

SECRET=<openssl-rand-hex-32>
BASE_URL=http://localhost:3000
CLIENT_ID=your-client-id
CLIENT_SECRET=your-client-secret
ISSUER_BASE_URL=https://your-tenant.auth0.com

Generate secret: openssl rand -hex 32

3. Configure Auth Middleware

Update your Express app (app.js or index.js):

require('dotenv').config();
const express = require('express');
const { auth, requiresAuth } = require('express-openid-connect');

const app = express();

// Configure Auth0 middleware
app.use(auth({
  authRequired: false,  // Don't require auth for all routes
  auth0Logout: true,    // Enable logout endpoint
  secret: process.env.SECRET,
  baseURL: process.env.BASE_URL,
  clientID: process.env.CLIENT_ID,
  issuerBaseURL: process.env.ISSUER_BASE_URL,
  clientSecret: process.env.CLIENT_SECRET
}));

app.listen(3000, () => {
  console.log('Server running on http://localhost:3000');
});

This automatically creates:

/login - Login endpoint
/logout - Logout endpoint
/callback - OAuth callback

4. Add Routes

// Public route
app.get('/', (req, res) => {
  res.send(req.oidc.isAuthenticated() ? 'Logged in' : 'Logged out');
});

// Protected route
app.get('/profile', requiresAuth(), (req, res) => {
  res.send(`
    <h1>Profile</h1>
    <p>Name: ${req.oidc.user.name}</p>
    <p>Email: ${req.oidc.user.email}</p>
    <pre>${JSON.stringify(req.oidc.user, null, 2)}</pre>
    <a href="/logout">Logout</a>
  `);
});

// Login/logout links
app.get('/', (req, res) => {
  res.send(`
    ${req.oidc.isAuthenticated() ? `
      <p>Welcome, ${req.oidc.user.name}!</p>
      <a href="/profile">Profile</a>
      <a href="/logout">Logout</a>
    ` : `
      <a href="/login">Login</a>
    `}
  `);
});

5. Test Authentication

Start your server:

node app.js

Visit http://localhost:3000 and test the login flow.

Detailed Documentation

Setup Guide - Automated setup scripts, environment configuration, Auth0 CLI usage
Integration Guide - Protected routes, sessions, API integration, error handling
API Reference - Complete middleware API, configuration options, request properties

Common Mistakes

Mistake	Fix
Forgot to add callback URL in Auth0 Dashboard	Add `/callback` path to Allowed Callback URLs (e.g., `http://localhost:3000/callback`)
Missing or weak SECRET	Generate secure secret with `openssl rand -hex 32` and store in .env as `SECRET`
Setting authRequired: true globally	Set to false and use `requiresAuth()` middleware on specific routes
App created as SPA type in Auth0	Must be Regular Web Application type for server-side auth
Session secret exposed in code	Always use environment variables, never hardcode secrets
Wrong baseURL for production	Update BASE_URL to match your production domain
Not handling logout returnTo	Add your domain to Allowed Logout URLs in Auth0 Dashboard

Related Skills

auth0-quickstart - Basic Auth0 setup
auth0-migration - Migrate from another auth provider
auth0-mfa - Add Multi-Factor Authentication

Quick Reference

Middleware Options:

authRequired - Require auth for all routes (default: false)
auth0Logout - Enable /logout endpoint (default: false)
secret - Session secret (required)
baseURL - Application URL (required)
clientID - Auth0 client ID (required)
issuerBaseURL - Auth0 tenant URL (required)

Request Properties:

req.oidc.isAuthenticated() - Check if user is logged in
req.oidc.user - User profile object
req.oidc.accessToken - Access token for API calls
req.oidc.idToken - ID token
req.oidc.refreshToken - Refresh token

Common Use Cases:

Protected routes → Use requiresAuth() middleware (see Step 4)
Check auth status → req.oidc.isAuthenticated()
Get user info → req.oidc.user
Call APIs → Integration Guide

References

Repository: auth0/agent-skills
Commit: 8a541a4
Last updated: about 6 hours ago
Created: about 6 hours ago

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.