Express

Authentication for Express backends

Protect your Node.js backend with session middleware, a requireAuth gate, and a logout handler. Key parsing, cookies, and the trusted-host allowlist are handled for you.

Start building Read the docs

Attach the session

server.ts

// server.ts
import { createAuthdog } from "@authdog/express"
 
const authdog = createAuthdog({
  publicKey: process.env.PK_AUTHDOG!,
})
 
app.use(authdog.attachSession())

Node backend native

Everything Express APIs need

Session middleware, an auth gate, and a logout handler that drop into any Express 4 or 5 app.

Session middleware

attachSession() resolves the session for every request and decorates req.authdog with the token, user, and isAuthenticated flag.

requireAuth gate

Protect any route with the requireAuth guard — the real enforcement point that rejects requests without a valid, verified session.

Secure by default

The public key is parsed once at startup and bearer tokens are only ever sent to a trusted, https identity host — enforced for you.

Tune the userinfo call

attachSession({ fetchUser: false }) skips the per-request user lookup for high-throughput services that validate tokens elsewhere.

Logout handler

A built-in logout handler clears the session cookie and redirects to a sanitized target — no session teardown to write yourself.

Batteries included

Public-key parsing, cookie handling, and the trusted-host allowlist are shared with the rest of the Authdog Web SDK — and fully typed.

Gate routes in one line

Protect a route with requireAuth

Add the requireAuth middleware to any route and Authdog rejects requests without a valid session before your handler runs. Inside, req.authdog gives you the verified user — and a built-in logout handler tears the session down.

routes.ts

// routes.ts
app.get("/me", authdog.requireAuth, (req, res) => {
  res.json(req.authdog.user)
})
 
app.get("/logout", authdog.logout)

Ship secure APIs, not boilerplate

Authdog's Express SDK resolves the session per request and enforces auth at a single guard, with secure defaults baked in.

1 line

To attach sessions to every request

app.use(authdog.attachSession()) decorates req.authdog with a verified session — no per-route setup.

requireAuth

The single enforcement point

Drop requireAuth onto a route and unauthenticated requests are rejected before your handler runs.

1×

Public key parsed at startup

A malformed or untrusted key throws immediately at boot rather than failing per request, so misconfig surfaces fast.

Add auth to your Express API.

Install the SDK, attach the session middleware, and gate your routes with requireAuth today. Free to start, with secure defaults built in.

Start Building