auth0

Auth0 Express

by Auth0 · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ✓ Security Clean
90 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw
/install auth0-express
Description
Use when adding authentication (login, logout, protected routes) to Express.js web applications - integrates express-openid-connect for session-based auth.
README (SKILL.md)

Auth0 Express Integration

Add authentication to Express.js web applications using express-openid-connect.


Prerequisites

  • Express.js application
  • Auth0 account and application configured
  • If you don't have Auth0 set up yet, use the auth0-quickstart skill first

When NOT to Use

  • Single Page Applications - Use auth0-react, auth0-vue, or auth0-angular for client-side auth
  • Next.js applications - Use auth0-nextjs skill which handles both client and server
  • Mobile applications - Use auth0-react-native for React Native/Expo
  • Stateless APIs - Use JWT validation middleware instead of session-based auth
  • Microservices - Use JWT validation for service-to-service auth

Quick Start Workflow

1. Install SDK

npm install express-openid-connect dotenv

2. Configure Environment

For automated setup with Auth0 CLI, see Setup Guide for complete scripts.

For manual setup:

Create .env:

SECRET=<openssl-rand-hex-32>
BASE_URL=http://localhost:3000
CLIENT_ID=your-client-id
CLIENT_SECRET=your-client-secret
ISSUER_BASE_URL=https://your-tenant.auth0.com

Generate secret: openssl rand -hex 32

3. Configure Auth Middleware

Update your Express app (app.js or index.js):

require('dotenv').config();
const express = require('express');
const { auth, requiresAuth } = require('express-openid-connect');

const app = express();

// Configure Auth0 middleware
app.use(auth({
  authRequired: false,  // Don't require auth for all routes
  auth0Logout: true,    // Enable logout endpoint
  secret: process.env.SECRET,
  baseURL: process.env.BASE_URL,
  clientID: process.env.CLIENT_ID,
  issuerBaseURL: process.env.ISSUER_BASE_URL,
  clientSecret: process.env.CLIENT_SECRET
}));

app.listen(3000, () => {
  console.log('Server running on http://localhost:3000');
});

This automatically creates:

  • /login - Login endpoint
  • /logout - Logout endpoint
  • /callback - OAuth callback

4. Add Routes

// Public route
app.get('/', (req, res) => {
  res.send(req.oidc.isAuthenticated() ? 'Logged in' : 'Logged out');
});

// Protected route
app.get('/profile', requiresAuth(), (req, res) => {
  res.send(`
    <h1>Profile</h1>
    <p>Name: ${req.oidc.user.name}</p>
    <p>Email: ${req.oidc.user.email}</p>
    <pre>${JSON.stringify(req.oidc.user, null, 2)}</pre>
    <a href="/logout">Logout</a>
  `);
});

// Login/logout links: an alternative to the public route above. Register only one
// handler for '/', because the first one sends the response and a second is never reached.
app.get('/', (req, res) => {
  res.send(`
    ${req.oidc.isAuthenticated() ? `
      <p>Welcome, ${req.oidc.user.name}!</p>
      <a href="/profile">Profile</a>
      <a href="/logout">Logout</a>
    ` : `
      <a href="/login">Login</a>
    `}
  `);
});

5. Test Authentication

Start your server:

node app.js

Visit http://localhost:3000 and test the login flow.
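
The /profile route in Step 4 interpolates req.oidc.user claims directly into HTML, and claims such as name and email are user-supplied profile data. The following added example (not part of the original skill README) escapes them before rendering; escapeHtml and renderProfile are hypothetical helper names, and the sample claims are constructed.

```javascript
// Added example: HTML-escape ID token claims before placing them in markup.
// escapeHtml and renderProfile are hypothetical helpers, not express-openid-connect APIs.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  // Claims can be missing or non-string, so coerce before escaping.
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function renderProfile(user) {
  // Same markup as the Step 4 route, with every claim escaped,
  // including the JSON dump inside <pre>.
  return `
    <h1>Profile</h1>
    <p>Name: ${escapeHtml(user.name)}</p>
    <p>Email: ${escapeHtml(user.email)}</p>
    <pre>${escapeHtml(JSON.stringify(user, null, 2))}</pre>
    <a href="/logout">Logout</a>
  `;
}

// Constructed sample claims: a display name that contains markup.
const sampleUser = {
  sub: 'auth0|constructed-example',
  name: '<script>alert(1)</script>',
  email: 'user@example.com',
};

console.log(renderProfile(sampleUser));

// In the Step 4 route this would be used as:
//   app.get('/profile', requiresAuth(), (req, res) => {
//     res.send(renderProfile(req.oidc.user));
//   });
```
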


Detailed Documentation

  • Setup Guide - Automated setup scripts, environment configuration, Auth0 CLI usage
  • Integration Guide - Protected routes, sessions, API integration, error handling
  • API Reference - Complete middleware API, configuration options, request properties

Common Mistakes

Mistake → Fix:

  • Forgot to add callback URL in Auth0 Dashboard → Add /callback path to Allowed Callback URLs (e.g., http://localhost:3000/callback)
  • Missing or weak SECRET → Generate secure secret with openssl rand -hex 32 and store in .env as SECRET
  • Setting authRequired: true globally → Set to false and use requiresAuth() middleware on specific routes
  • App created as SPA type in Auth0 → Must be Regular Web Application type for server-side auth
  • Session secret exposed in code → Always use environment variables, never hardcode secrets
  • Wrong baseURL for production → Update BASE_URL to match your production domain
  • Not handling logout returnTo → Add your domain to Allowed Logout URLs in Auth0 Dashboard

Related Skills

  • auth0-quickstart - Basic Auth0 setup
  • auth0-migration - Migrate from another auth provider
  • auth0-mfa - Add Multi-Factor Authentication

Quick Reference

Middleware Options:

  • authRequired - Require auth for all routes (default: false)
  • auth0Logout - Enable /logout endpoint (default: false)
  • secret - Session secret (required)
  • baseURL - Application URL (required)
  • clientID - Auth0 client ID (required)
  • issuerBaseURL - Auth0 tenant URL (required)

Request Properties:

  • req.oidc.isAuthenticated() - Check if user is logged in
  • req.oidc.user - User profile object
  • req.oidc.accessToken - Access token for API calls
  • req.oidc.idToken - ID token
  • req.oidc.refreshToken - Refresh token

Common Use Cases:

  • Protected routes → Use requiresAuth() middleware (see Step 4)
  • Check auth status → req.oidc.isAuthenticated()
  • Get user info → req.oidc.user
  • Call APIs → Integration Guide

References

Usage Guidance
This skill appears coherent for adding Auth0 session-based auth to an Express app. Before running the automated setup: 1) Inspect the install commands (especially the curl | sh install path) instead of piping blindly. 2) Confirm any prompt that will append to a .env or .env.local file and ensure that file is in .gitignore. 3) Never paste your CLIENT_SECRET or other secrets into public places; replace the placeholder in the env file with the real secret locally. If you prefer more control, skip the automated script and run the manual steps (npm install, create .env, configure middleware) yourself.
Capability Analysis
Type: OpenClaw Skill Name: auth0-express Version: 1.0.0 The skill bundle provides legitimate documentation and automation for integrating Auth0 authentication into Express.js applications. It includes security-conscious instructions in references/setup.md that explicitly forbid the AI agent from reading existing environment files to prevent secret leakage into the LLM context and mandate user confirmation before modifying files. The automated setup script uses the official Auth0 CLI (auth0/auth0-cli) and follows standard development practices.
Capability Tags
requires-oauth-token, requires-sensitive-credentials
Capability Assessment
Purpose & Capability
Name/description (Auth0 + Express) match the content: installing express-openid-connect, configuring middleware, and creating protected routes are exactly what the skill documents. The optional use of the Auth0 CLI and generating a session secret are appropriate for the stated goal.
Instruction Scope
The runtime instructions include automated steps that check for and append credentials to local env files (.env or .env.local). The docs explicitly instruct the agent not to read env file contents and require explicit user confirmation before writing — that limits exfiltration risk, but the skill does instruct file modification which users should be aware of. The rest of the guidance (installing npm packages, middleware configuration, usage examples) stays within the expected scope.
Install Mechanism
The skill is instruction-only (no packaged install). The provided automated setup script may install the Auth0 CLI; it falls back to either Homebrew (macOS) or piping an install script from raw.githubusercontent.com. Using an install script piped to sh is common but higher-risk than a packaged/verified installer — it's acceptable here given the official Auth0 repo is referenced, but users should inspect the script before running.
Credentials
The skill metadata requests no environment variables or credentials. The instructions ask the developer to create local secrets (SECRET, CLIENT_SECRET, CLIENT_ID, ISSUER_BASE_URL) which are necessary for any server-side Auth0 integration; these are reasonable and proportionate. The skill does not demand unrelated credentials.
Persistence & Privilege
The skill is not force-installed (always: false) and does not modify other skills or global agent settings. It will append to a local .env/.env.local file only after explicit user confirmation per its own instructions.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install auth0-express
  3. After installation, invoke the skill by name or use /auth0-express
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
  • Initial release of auth0-express skill for adding authentication to Express.js apps using express-openid-connect.
  • Provides step-by-step setup for login, logout, and protected routes with session-based authentication.
  • Includes troubleshooting tips, common mistakes and fixes, and links to further documentation.
  • Highlights when to use (or not use) this integration and lists related skills for different frameworks and use cases.
Metadata
Slug auth0-express
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Auth0 Express?

Auth0 Express is an AI Agent Skill for Claude Code / OpenClaw, used when adding authentication (login, logout, protected routes) to Express.js web applications. It integrates express-openid-connect for session-based auth and has 90 downloads so far.

How do I install Auth0 Express?

Run "/install auth0-express" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Auth0 Express free?

Yes, Auth0 Express is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Auth0 Express support?

Auth0 Express is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Auth0 Express?

It is built and maintained by Auth0 (@auth0); the current version is v1.0.0.
