Middleware
Protect Express routes with one line. The middleware verifies the user's token and populates req.autherUser.
Setup
You need cookie-parser so Express can read the auther_access HTTP-only cookie set by the frontend SDK.
```bash
npm install cookie-parser @types/cookie-parser
```
```typescript
import express from 'express';
import cookieParser from 'cookie-parser';
import { auther } from './auther'; // your initialised instance

const app = express();
app.use(express.json());
app.use(cookieParser());
```
Protect a route
```typescript
app.get('/me', auther.protect(), (req, res) => {
  // req.autherUser is populated here
  res.json({ user: req.autherUser });
});
```
Protect a whole router
```typescript
const privateRouter = express.Router();
privateRouter.use(auther.protect());

privateRouter.get('/profile', (req, res) => res.json(req.autherUser));
privateRouter.get('/settings', (req, res) => res.json({ id: req.autherUser!.id }));

app.use('/api', privateRouter);
```
req.autherUser shape
```typescript
interface AutherUser {
  id: string;            // End-user UUID
  email: string;
  emailVerified: boolean;
  createdAt: string;     // ISO timestamp
  projectId: string;     // Auther project UUID
}
```
Token extraction order
The middleware reads the token from these sources, in order:
| Order | Source | Details |
|---|---|---|
| 1st | Authorization header | Authorization: Bearer <token> |
| 2nd | auther_access cookie | Set automatically by the frontend SDK |
Error responses
When verification fails, the middleware responds — it does not call next().
```json
// 401 — no token or invalid/expired
{ "success": false, "message": "Invalid or expired token" }

// 403 — token valid but user is suspended
{ "success": false, "message": "User is suspended" }

// 503 — Auther backend unreachable
{ "success": false, "message": "Auther backend unreachable: ..." }
```
Real-time verification
Every request hits the Auther backend to validate the token. Revoked sessions are rejected immediately with no caching delay.
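The following is an added example, not Auther's own code, that re-implements the two behaviours documented above so they can be exercised offline: the token extraction order (Authorization header first, auther_access cookie second) and the failure handling (401, 403 or 503 is sent and next() is never called). Express is replaced by minimal request/response shapes (MinimalRequest, MinimalResponse), cookie-parser's output is assumed to be a req.cookies object, and the backend call is replaced by a synchronous in-memory session table (SESSIONS, demoVerify, unreachableVerify). Treating a malformed Authorization header as absent and falling through to the cookie is an assumption, not documented behaviour.

```typescript
// Added example (not Auther's own code). Minimal stand-ins for Express so the
// extraction order and the 401/403/503 handling can run without a server.
interface AutherUser {
  id: string;
  email: string;
  emailVerified: boolean;
  createdAt: string;
  projectId: string;
}

// Hypothetical minimal request/response shapes standing in for Express's.
interface MinimalRequest {
  headers: Record<string, string | undefined>;
  cookies?: Record<string, string | undefined>; // filled by cookie-parser (assumed)
  autherUser?: AutherUser;
}
interface MinimalResponse {
  statusCode?: number;
  body?: unknown;
  status(code: number): MinimalResponse;
  json(body: unknown): MinimalResponse;
}

const COOKIE_NAME = 'auther_access';

// 1st: Authorization: Bearer <token>; 2nd: the auther_access cookie.
function extractToken(req: MinimalRequest): string | undefined {
  const header = req.headers['authorization'];
  if (header) {
    const match = /^Bearer\s+(\S+)$/i.exec(header.trim());
    if (match) return match[1];
    // Assumption: a malformed Authorization header is treated as absent.
  }
  const cookie = req.cookies?.[COOKIE_NAME];
  return cookie ? cookie : undefined;
}

// Constructed outcome categories matching the documented responses.
// The real SDK asks the backend asynchronously; this stand-in is synchronous.
type VerifyResult =
  | { kind: 'ok'; user: AutherUser }
  | { kind: 'invalid' }
  | { kind: 'suspended' }
  | { kind: 'unreachable'; reason: string };
type Verifier = (token: string) => VerifyResult;

// Builds the middleware: on success populate req.autherUser and call next();
// on any failure respond and return without calling next().
function protect(verify: Verifier) {
  return (req: MinimalRequest, res: MinimalResponse, next: () => void): void => {
    const token = extractToken(req);
    const result: VerifyResult = token ? verify(token) : { kind: 'invalid' };
    switch (result.kind) {
      case 'ok':
        req.autherUser = result.user;
        next();
        return;
      case 'invalid':
        res.status(401).json({ success: false, message: 'Invalid or expired token' });
        return;
      case 'suspended':
        res.status(403).json({ success: false, message: 'User is suspended' });
        return;
      case 'unreachable':
        res.status(503).json({ success: false, message: `Auther backend unreachable: ${result.reason}` });
        return;
    }
  };
}

// Constructed stand-in for the backend's session table.
const SESSIONS: Record<string, VerifyResult> = {
  'tok-alice': {
    kind: 'ok',
    user: { id: 'usr-alice', email: 'alice@example.com', emailVerified: true,
            createdAt: '2024-01-01T00:00:00Z', projectId: 'proj-demo' },
  },
  'tok-bob': { kind: 'suspended' },
};
const demoVerify: Verifier = (token) => SESSIONS[token] ?? { kind: 'invalid' };
const unreachableVerify: Verifier = () => ({ kind: 'unreachable', reason: 'ECONNREFUSED' });

// Records the status and body the middleware sends.
function makeResponse(): MinimalResponse {
  const res: MinimalResponse = {
    status(code) { res.statusCode = code; return res; },
    json(body) { res.body = body; return res; },
  };
  return res;
}

interface Outcome { status?: number; message?: string; nextCalled: boolean; userId?: string }

// Runs one request through protect() and reports what the middleware did.
function run(req: MinimalRequest, verify: Verifier = demoVerify): Outcome {
  const res = makeResponse();
  let nextCalled = false;
  protect(verify)(req, res, () => { nextCalled = true; });
  const body = res.body as { message?: string } | undefined;
  return { status: res.statusCode, message: body?.message, nextCalled, userId: req.autherUser?.id };
}

console.log(run({ headers: { authorization: 'Bearer tok-alice' } }));
console.log(run({ headers: {}, cookies: { auther_access: 'tok-bob' } }));
```

The third case in the usage below is the one worth noting for a deployment: when both a header and a cookie are present, the header wins, so a suspended token in the header blocks the request even if the cookie holds a valid session.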