后端安装
- 作者仓库星标 0
- 许可证 Apache-2.0
- 作者更新于 实时读取
- 作者仓库 skills-registry
- 领域
- AI 智能
- 兼容 Agent
-
- Claude Code
- Cursor
- Cline
- Codex
- Windsurf
- Gemini CLI
- +20
- 信任分
- 94 / 100 · 已通过审计
- 作者 / 版本 / 许可
- @tomevault-io · Apache-2.0
- Token 消耗评级
- 低消耗
- 接入复杂程度
- 需手动接入
- 是否需要外部 API Key
- 需要 · Vendor-specific
- 兼容的系统
- macOS · Linux · Windows
- 底层运行要求
- Node.js · Python
- 文件与系统权限
-
- 只读
- 允许写入 / 修改
- 读取环境变量
- 网络行为
- 允许外网请求
- 安装命令数
- 26 条
档案由构建时根据 SKILL.md 与安装命令自动衍生,可能与作者实际意图存在差异。
需要注意: 未限定 allowed-tools,默认拥有全部工具权限。
---
name: express-oauth2-jwt-bearer
description: Use when adding Auth0 token validation to Express or Node.js APIs - integrates express-oauth2-jw…
category: AI 智能
runtime: Node.js / Python
---
# express-oauth2-jwt-bearer 输出预览
## PART A: 任务判断
- 适用问题:提示词、Agent 工作流、模型评估或自动化推理。
- 输入要求:目标材料、限制条件、期望输出和验收方式。
- 证据边界:围绕“Prerequisites / When NOT to Use / Quick Start Workflow”读取原文规则,不把推断写成作者承诺。
## PART B: 执行结果
- **01** 任务判断:确认你的需求是否属于提示词、Agent 工作流、模型评估或自动化推理,并标出输入、限制和预期结果。
- **02** 执行计划:优先按“Prerequisites / When NOT to Use / Quick Start Workflow”拆成步骤,说明每一步会读取什么、修改什么、产出什么。
- **03** 交付结果:给出可复制的命令、文件改动、检查清单或内容草稿,并说明如何继续迭代。
- **04** 风险边界:结合 读取文件、写入/修改文件、读取环境变量、会按任务需要访问外部网络、需要准备 Vendor-specific API Key 给出执行前确认项。
## Running Rules
- 读取文件、写入/修改文件、读取环境变量;会按任务需要访问外部网络;需要准备 Vendor-specific API Key。
- 先小样例验证,再放大到真实任务。
- 交付时同时给结果、检查口径和下一步迭代建议。 原文没有稳定的斜杠命令要求。安装验证后通常全局生效,直接在对话里点名这个 Skill 并描述任务即可。
告诉 Agent 目标文件或材料、期望结果、不可改范围、是否允许联网或执行命令。本 Skill 的权限画像是:读取文件、写入/修改文件、读取环境变量。
先用一个小任务确认它会围绕“Prerequisites / When NOT to Use / Quick Start Workflow”工作;涉及文件或命令时,先看 diff、日志、预览或测试结果。
检查最终产物是否包含明确结果、必要证据和下一步动作;如果输出泛泛而谈,就补充输入、边界和验收标准后重跑。
---
name: express-oauth2-jwt-bearer
description: Use when adding Auth0 token validation to Express or Node.js APIs - integrates express-oauth2-jw…
category: AI 智能
source: tomevault-io/skills-registry
---
# express-oauth2-jwt-bearer
## 什么时候使用
- 把 AI / Agent方向的常用动作沉淀成 Agent 可调用的技能 适合处理AI Agent、提示词、模型评估与自动化推理,核心价值是把输入、判断、执行、验证和交付边界固定下来,避免 Agent 泛泛回答。 把任务拆成可执行、可检查…
- 面向提示词、Agent 工作流、模型评估或自动化推理,优先处理能明确输入、步骤和验收标准的工作。
## 需要提供什么
- 目标材料、目录范围、期望结果和不可改动内容。
- 是否允许联网、执行命令、读写文件或调用外部服务。
## 执行规则
- 围绕「Prerequisites / When NOT to Use / Quick Start Workflow」组织步骤,不把推断写成作者事实。
- 读取文件、写入/修改文件、读取环境变量;会按任务需要访问外部网络;需要准备 Vendor-specific API Key。
- 先跑小样例,确认结果可检查后再扩大任务范围。
## 输出要求
- 给出最终产物、关键证据、验证方式和下一步动作。
- 信息不足时标记 unknown,不编造命令、平台或依赖。 作者原文负责流程事实;仓库文件负责来源和命令;流狐只补充适用场景、限制和质量判断。
skill "express-oauth2-jwt-bearer" {
输入层 -> 用户目标 + 目标文件 + 禁止范围 + 验收标准
上下文层 -> Prerequisites / When NOT to Use / Quick Start Workflow
规则层 -> SKILL.md 触发条件 / 执行顺序 / 输出格式
运行层 -> Node.js / Python | 读取文件、写入/修改文件、读取环境变量 | 会按任务需要访问外部网络
安全层 -> 需要准备 Vendor-specific API Key + 小任务验证 + diff / 日志复核
输出层 -> 可复制结果 + 检查清单 + 下一步迭代
} Node OAuth2 JWT Bearer Integration
The express-oauth2-jwt-bearer package provides Express middleware for validating Auth0 JWT Bearer access tokens. It handles token extraction, signature verification, audience and issuer validation, and expiry checks per RFC 6750 — letting you focus on business logic rather than JWT parsing.
Agent instruction: Before providing SDK setup instructions, fetch the latest release version by running:
gh api repos/auth0/node-oauth2-jwt-bearer/releases/latest --jq '.tag_name'Use the returned version in all
package.jsondependency lines instead of any hardcoded version below.
Prerequisites
- Node.js 18+ (20+ recommended; required for bootstrap script automation)
- Express 4.x or 5.x
- npm or yarn
- An Auth0 account with a configured API (Resource Server)
- Auth0 CLI (for automatic setup):
npm install -g @auth0/auth0-cli
When NOT to Use
| Use Case | Recommended Skill |
|---|---|
| Building a server-side web app with login UI (Express sessions) | auth0-express |
| Building a Next.js app with server-side auth | auth0-nextjs |
| Building a React/Angular/Vue SPA | auth0-react, auth0-angular, auth0-vue |
| Building a React Native or mobile app | auth0-react-native, auth0-android, auth0-swift |
| ASP.NET Core Web API | auth0-aspnetcore-api |
| Go API with JWT middleware | go-jwt-middleware |
| Python API (Flask/FastAPI) | auth0-api-python |
Node.js API using the older express-jwt package |
express-jwt |
Quick Start Workflow
Agent instruction: Follow these steps to integrate
express-oauth2-jwt-bearerinto the user's Node.js API project.
Fetch latest version (see instruction above).
Install the SDK:
npm install express-oauth2-jwt-bearerConfigure Auth0 — follow
references/setup.md. If the user already provided their Auth0 Domain and API Audience in the prompt, use them directly — skip the bootstrap script and do NOT callAskUserQuestionto re-confirm. Otherwise, offer automatic setup via bootstrap script or manual setup.Set up middleware — add to
app.jsorserver.js:import { auth } from 'express-oauth2-jwt-bearer'; const checkJwt = auth({ issuerBaseURL: `https://${process.env.AUTH0_DOMAIN}`, audience: process.env.AUTH0_AUDIENCE, }); app.use(checkJwt); // apply globally, or per-routeProtect endpoints — apply middleware globally or to specific routes:
// Global protection app.use(checkJwt); // Or per-route app.get('/api/private', checkJwt, (req, res) => { res.json({ sub: req.auth.payload.sub }); });Add RBAC (optional) — use
requiredScopes()orclaimIncludes()for permission-based access:import { auth, requiredScopes, claimIncludes } from 'express-oauth2-jwt-bearer'; app.get('/api/messages', checkJwt, requiredScopes('read:messages'), (req, res) => { res.json({ messages: [] }); });Important:
requiredScopesaccepts a single argument — a space-separated string or an array. Do NOT pass multiple string arguments:requiredScopes('read:msg', 'write:msg')silently ignores everything after the first. UserequiredScopes('read:msg write:msg')orrequiredScopes(['read:msg', 'write:msg'])instead.Verify the integration — build and test:
node server.js curl http://localhost:3000/api/private # should return 401 curl -H "Authorization: Bearer <token>" http://localhost:3000/api/private # should return 200Failcheck: If the server fails to start or tokens are rejected unexpectedly, check
references/api.mdfor common issues. After 5-6 failed iterations, useAskUserQuestionto ask the user for more details about their environment.
Detailed Documentation
- Setup Guide — Auth0 API registration, .env configuration, bootstrap script for automated setup, and secret management
- Integration Patterns — Protected endpoints, RBAC with scopes and claims, DPoP, CORS setup, error handling, and testing with curl
- API Reference & Testing — Full configuration options, claims reference, complete code example, testing checklist, and common issues
Common Mistakes
| Mistake | Symptom | Fix |
|---|---|---|
| Created an Application instead of an API in Auth0 Dashboard | Token validation fails; wrong audience | Create a new API (Resource Server) in Auth0 Dashboard → APIs |
| Audience doesn't match API identifier exactly | 401 Unauthorized — "Audience mismatch" |
Copy the exact API Identifier string from Auth0 Dashboard → APIs |
Domain includes https:// prefix |
Error: Invalid URL at startup |
Use hostname only: your-tenant.us.auth0.com, not https://... |
Checking scope claim instead of permissions for RBAC |
403 always returned or permissions ignored | Use requiredScopes() for scope-based RBAC; use claimIncludes('permissions', 'read:data') for Auth0 RBAC permission claims |
| CORS not configured before auth middleware | Preflight OPTIONS requests return 401 | Add cors() middleware before auth() in the middleware chain |
.env file not loaded |
undefined for domain/audience |
Add import 'dotenv/config' at the top of the entry file |
req.auth is undefined |
TypeError: Cannot read properties of undefined |
Verify checkJwt middleware runs before the handler |
Related Skills
- auth0-express — For Express web apps with login UI (sessions, cookies)
- auth0-nextjs — For Next.js server-side web apps
- auth0-aspnetcore-api — BACKEND_API reference implementation for .NET
- go-jwt-middleware — JWT middleware for Go APIs
- auth0-api-python — JWT validation for Python APIs (Flask/FastAPI)
- auth0-cli — Manage Auth0 resources from the terminal
Quick Reference
Core Middleware
| Function | Description | Returns |
|---|---|---|
auth(options?) |
JWT Bearer validation middleware | Handler — 401 if token invalid/missing |
requiredScopes(scopes) |
Validates token has all required scopes | Handler — 403 if scopes missing |
scopeIncludesAny(scopes) |
Validates token has at least one scope | Handler — 403 if no match |
claimEquals(claim, value) |
Validates a claim equals a value | Handler — 401 if mismatch |
claimIncludes(claim, ...values) |
Validates claim includes all values | Handler — 401 if incomplete |
claimCheck(fn, desc?) |
Custom claim validation function | Handler — 401 if fn returns false |
Configuration Options
| Option | Type | Description |
|---|---|---|
issuerBaseURL |
string |
Auth0 domain with https:// (required unless using env vars) |
audience |
string |
API Identifier from Auth0 Dashboard (required unless using env vars) |
tokenSigningAlg |
string |
Signing algorithm (default: RS256; use HS256 for symmetric) |
authRequired |
boolean |
Set false to make authentication optional (default: true) |
clockTolerance |
number |
Clock skew tolerance in seconds (no default; undefined unless set) |
dpop |
DPoPOptions |
DPoP configuration (see integration.md) |
Environment Variables
| Variable | Description |
|---|---|
ISSUER_BASE_URL |
Auth0 domain with https:// (auto-detected by SDK) |
AUDIENCE |
API Identifier (auto-detected by SDK) |
Request Object
After successful validation, req.auth contains:
req.auth.payload // Decoded JWT payload (sub, iss, aud, exp, permissions, etc.)
req.auth.header // JWT header (alg, typ, kid)
req.auth.token // Raw JWT string
SDK Architecture
The node-oauth2-jwt-bearer monorepo contains three packages:
| Package | Purpose |
|---|---|
express-oauth2-jwt-bearer |
Main package. Express middleware for JWT Bearer validation. Published to npm. |
access-token-jwt |
Low-level JWT verification utilities (used internally). |
oauth2-bearer |
RFC 6750 Bearer token extraction (used internally). |
In practice, you only install and import express-oauth2-jwt-bearer.
Auth Flow Comparison
| Auth Pattern | SDK | When to Use |
|---|---|---|
| JWT Bearer (stateless) | express-oauth2-jwt-bearer |
APIs called by SPAs, mobile apps, M2M clients |
| Session-based (stateful) | @auth0/express-openid-connect |
Web apps with login UI and server-side sessions |
Testing Quick Reference
# Get test token from Auth0 Dashboard → APIs → your API → Test tab
# Copy the token, then:
# 1. Verify 401 on protected route (no token)
curl -v http://localhost:3000/api/private
# 2. Verify 200 with valid token
curl -H "Authorization: Bearer <paste-token-here>" http://localhost:3000/api/private
# 3. Verify 403 with valid token but missing scope
curl -H "Authorization: Bearer <paste-token-here>" http://localhost:3000/api/admin
# 4. Verify CORS preflight
curl -v -X OPTIONS http://localhost:3000/api/private \
-H "Origin: http://localhost:5173" \
-H "Access-Control-Request-Method: GET" \
-H "Access-Control-Request-Headers: Authorization"
References
- express-oauth2-jwt-bearer on npm
- GitHub: auth0/node-oauth2-jwt-bearer
- Auth0 Node.js API Quickstart
- Auth0 APIs Dashboard
- RFC 6750 — Bearer Token Usage
Source: auth0/agent-skills — distributed by TomeVault.
先判断是否适合
作者设计意图
作者的方法与取舍
边界和复核