Skip to main content
This Quickstart is currently in Beta. We’d love to hear your feedback!
Prerequisites: Before you begin, ensure you have the following installed:

Get Started

This guide demonstrates how to integrate Auth0, add authentication, and display user profile information in an Express.js web application using the @auth0/auth0-express SDK.
1

Create a new project

Create a new directory for your Express application and initialize a Node.js project.Update your package.json to use ES modules and add start scripts:
2

Install the SDK

Install @auth0/auth0-express along with express and dotenv:
3

Configure Auth0

You need to create a new application on your Auth0 tenant and configure your environment variables.
Once your app is created, add these values to your .env file:Generate a secure session secret:
Copy the output and use it as the AUTH0_SESSION_SECRET value.
On macOS or Linux you can also run openssl rand -hex 32. The Node command works on every platform, since Node is already a prerequisite.
4

Configure the middleware

Add the createAuth0() middleware to your Express application. The SDK automatically mounts /auth/login, /auth/logout, /auth/callback, and /auth/backchannel-logout routes.
server.js
What this does:
  • createAuth0() reads credentials from environment variables (AUTH0_DOMAIN, AUTH0_CLIENT_ID, etc.) automatically
  • Mounts four auth routes under /auth/
  • Attaches req.auth0.client to every request for session and token access
5

Add login, logout, and a protected profile route

Protect routes using the requiresAuth middleware from the SDK, and display user profile data via getUser().
server.js
Key points:
  • requiresAuth() from @auth0/auth0-express protects routes — unauthenticated users are redirected to /auth/login
  • req.auth0.client.getUser() returns the authenticated user’s profile
  • Login link points to /auth/login, logout to /auth/logout — both are automatically mounted
6

Run your application

Start the development server:
Open your browser to http://localhost:3000.
CheckpointYou should now have a fully functional Auth0 login flow. When you:
  1. Click Login — you’re redirected to Auth0’s Universal Login page
  2. Complete authentication — you’re redirected back to your app at /auth/callback
  3. Visit /profile — you see your user information
  4. Click Logout — your session is cleared and you’re logged out of Auth0

Advanced Usage

Configure the SDK with an audience to request an access token for your API, then retrieve it with getAccessToken().Add your API audience to .env:
.env
Retrieve the token in a protected route:
server.js
The SDK handles token refresh automatically when the access token expires.
Redirect users back to a specific page after login using the returnTo parameter:
server.js
Build your own authorization logic on top of the session:
server.js
The https://myapp.com/roles claim is not present by default — add it to the ID token with an Action and use a namespaced claim name.

Troubleshooting

Cause: createAuth0() middleware was not registered before your route handler.Fix: Ensure app.use(createAuth0()) appears before any route that accesses req.auth0:
Cause: The callback URL in your Auth0 Application Settings does not match http://localhost:3000/auth/callback.Fix:
  1. Go to Auth0 DashboardApplications > Applications → your app → Application Settings
  2. Add http://localhost:3000/auth/callback to Allowed Callback URLs
  3. Add http://localhost:3000 to Allowed Logout URLs
  4. Click Save Changes
Note: the @auth0/auth0-express SDK uses /auth/callback (not /callback as in express-openid-connect).
Cause: dotenv/config is not imported, or the .env file is missing required values.Fix:
  1. Ensure import 'dotenv/config' (or require('dotenv').config()) is at the top of your entry file
  2. Verify your .env contains all five required variables: AUTH0_DOMAIN, AUTH0_CLIENT_ID, AUTH0_CLIENT_SECRET, APP_BASE_URL, AUTH0_SESSION_SECRET
  3. Debug missing values:
Cause: Session cookie is not being set correctly, or the callback URL is accessed directly.Fix:
  1. Ensure APP_BASE_URL matches the URL you access in your browser (e.g., http://localhost:3000)
  2. Clear your browser cookies and try again
  3. In production, ensure you are using HTTPS

Next Steps


Resources