Skip to main content

Use AI to integrate Auth0

If you use an AI coding assistant like Claude Code, Cursor, or GitHub Copilot, you can add Auth0 API authentication automatically in minutes using agent skills.Install:
Then ask your AI assistant:
Your AI assistant will automatically create your Auth0 API, fetch credentials, install @auth0/auth0-fastify-api, configure the plugin, and protect your API endpoints with JWT validation. Full agent skills documentation →
Prerequisites: Before you begin, ensure you have the following installed:Verify installation: node --version && npm --versionFastify Version Compatibility: This quickstart works with Fastify 5.x and newer.

Get Started

This quickstart demonstrates how to protect Fastify API endpoints using JWT access tokens. You’ll build a secure API that validates Auth0 access tokens and grants access to protected resources.
1

Create a new project

Create a new directory for your Fastify API and initialize a Node.js project.
Initialize the project
Create the project structure
2

Install the Auth0 Fastify API SDK

Install the required dependencies
Update your package.json to add start scripts:
package.json
3

Setup your Auth0 API

Next, you need to create a new API on your Auth0 tenant and add the environment variables to your project.You have two options to set up your Auth0 API: use a CLI command or configure manually via the Dashboard:
Run the following command in your project’s root directory to create an Auth0 API:
After creation, copy the Identifier and your Domain values, then create your .env file:
.env
This command will:
  1. Check if you’re authenticated (and prompt for login if needed)
  2. Create an Auth0 API with the specified identifier
  3. Display the API details including the domain and identifier
Verify your .env file exists: cat .env (Mac/Linux) or type .env (Windows)
4

Configure the Auth0 API plugin

Create your Fastify server and register the Auth0 API plugin:
server.js
What this does:
  • Registers the Auth0 API plugin with your Auth0 domain and API audience
  • Configures JWT validation for incoming requests
  • Makes the requireAuth() preHandler available for protecting routes
5

Create API routes

Add public and protected routes to your server.js:
server.js
Key points:
  • Public routes don’t require authentication
  • Protected routes use preHandler: fastify.requireAuth() to require a valid JWT
  • request.user contains the decoded JWT claims for authenticated requests
  • The sub claim contains the user’s unique identifier
6

Run your API

Start the development server:
Your API is now running at http://localhost:3001.
The --watch flag in Node.js 20+ automatically restarts the server when files change.
7

Test your API

Test the public endpoint (no authentication required):
You should see:
Test the protected endpoint without a token (should fail):
You should see a 401 Unauthorized error:
To test with a valid token, you need to:
  1. Create a client application (web or mobile app) that authenticates users
  2. Configure the client to request an access token for your API (using the audience parameter)
  3. Use that access token in the Authorization header
Example with a token:
CheckpointYou should now have a protected API. Your API:
  1. Accepts requests to public endpoints without authentication
  2. Rejects requests to protected endpoints without a valid token
  3. Validates JWT tokens against your Auth0 domain and audience
  4. Provides user information from the token claims via request.user

Advanced Usage

Extend the Token interface to add type safety for custom claims in your access tokens:
server.ts
Now TypeScript will recognize your custom claims:
server.ts
Custom claims must use namespaced URLs (e.g., https://myapp.com/roles) unless they’re standard OIDC claims. Learn more about custom claims.
Check for specific permissions in the access token:
server.js
Permissions must be configured in your Auth0 API settings and granted to clients. Learn more about API permissions.
Implement role-based access control using custom claims:
server.js
Roles must be added to tokens using Auth0 Actions. Learn how to add roles to tokens.
Enable CORS to allow requests from web applications:
server.js
For production, specify exact origins:
server.js
Add comprehensive error handling for authentication errors:
server.js
Protect your API from abuse with rate limiting:
server.js

Troubleshooting

”No authorization token was found”

Problem: The API cannot find the access token in the request.Solutions:
  1. Ensure the Authorization header is present: Authorization: Bearer YOUR_TOKEN
  2. Check that “Bearer” is included before the token
  3. Verify the token is not expired

”Invalid token” or “jwt malformed”

Problem: The token format is invalid.Solutions:
  1. Ensure you’re using an access token, not an ID token
  2. The token should be obtained with your API’s audience parameter
  3. Check that the token is a valid JWT (should have three parts separated by dots)

“Invalid signature”

Problem: The token signature doesn’t match.Solutions:
  1. Verify AUTH0_DOMAIN matches the domain that issued the token
  2. Ensure you’re using RS256 signing algorithm (default)
  3. Check that the token hasn’t been modified

”Invalid audience”

Problem: The token’s audience doesn’t match your API.Solution: The client application must request a token with the correct audience:

CORS errors in browser

Problem: Browser blocks API requests due to CORS policy.Solution: Install and configure @fastify/cors:

Next Steps

Now that you have a protected API, consider exploring:

Resources