
# Protect your API on Node(Express)

### **Extract the Bearer Token from the request header**

An authorized request carries an `Authorization` header whose value is `Bearer <access_token>`. Extract the token from that header:

```ts
// auth-middleware.ts

import { IncomingHttpHeaders } from 'http';

// Error that carries an HTTP status, so the error handler can answer 401 instead of 500
export class AuthError extends Error {
  constructor(public code: string, public status: number) {
    super(code);
  }
}

const bearerTokenIdentifier = 'Bearer';

export const extractBearerTokenFromHeaders = ({ authorization }: IncomingHttpHeaders) => {
  if (!authorization) {
    throw new AuthError('auth.authorization_header_missing', 401);
  }

  // Require the "Bearer " scheme prefix (including the space) before the token
  if (!authorization.startsWith(`${bearerTokenIdentifier} `)) {
    throw new AuthError('auth.authorization_token_type_not_supported', 401);
  }

  // Everything after "Bearer " is the raw token
  return authorization.slice(bearerTokenIdentifier.length + 1);
};
```

### **Token validation**

For demonstration, we use the `jose` package to validate the token's signature, expiration status, and required claims.

#### **Install jose as your dependency**

```bash
npm i jose --save
```

#### **Retrieve Auth's OIDC configurations**

You need the auth server's JSON Web Key Set (JWKS) and its issuer identifier to verify the signature and origin of the received JWS token. Both are published in the OpenID Connect discovery document at <https://your-auth-domain/.well-known/openid-configuration>.

For example, call <https://nightly-accounts-api.complyment.com/.well-known/openid-configuration> and locate the following two fields in the response body:

```json
{
  "jwks_uri": "https://nightly-accounts-api.complyment.com/.well-known/jwks.json",
  "issuer": "https://nightly-accounts-api.complyment.com"
}
```

#### **Add auth middleware**

Jose's `jwtVerify` method verifies the token's JWS format, signature, issuer, audience and expiration status, and throws if any check fails.

```ts
// auth-middleware.ts
import { Request, Response, NextFunction } from 'express';
import { createRemoteJWKSet, jwtVerify } from 'jose';
//...

// Build the remote key set once, outside the handler: it caches fetched keys across
// requests and refetches only when an unknown kid shows up (use the jwks_uri from the discovery document)
const jwks = createRemoteJWKSet(new URL('https://<your-auth-domain>/oidc/jwks'));

export const verifyAuthFromRequest = async (req: Request, res: Response, next: NextFunction) => {
  try {
    // Extract the token
    const token = extractBearerTokenFromHeaders(req.headers);
    const { payload } = await jwtVerify(
      token, // The raw Bearer Token extracted from the request header
      jwks,
      {
        // expected issuer of the token, should be issued by the Auth server
        issuer: 'https://<your-auth-domain>',
        // expected audience token, should be the resource indicator of the current API
        audience: '<your request listener resource indicator>',
      }
    );
    // custom payload logic: keep the subject on this request, never in a module-level variable
    res.locals.userId = payload.sub;
    return next();
  } catch {
    // Any extraction or verification failure rejects the request
    return res.status(401).json({ error: 'unauthorized' });
  }
};
```

### **Apply middleware to your API**

```ts
// app.ts
import express from 'express';
import { verifyAuthFromRequest } from './middleware/auth-middleware';

const app = express();

// The middleware runs before the handler; the handler only executes for a verified token
app.get('/user/:id', verifyAuthFromRequest, (req, res) => {
  // Custom code
  res.json({ id: req.params.id });
});
```
