Use when adding authentication (login, logout, protected routes) to Fastify web applications - integrates @auth0/auth0-fastify for session-based auth. For stateless Fastify APIs use auth0-fastify-api instead.
npx @senso-ai/shipables install auth0/auth0-fastifyAdd authentication to Fastify web applications using @auth0/auth0-fastify.
auth0-quickstart skill firstauth0-react, auth0-vue, or auth0-angular for client-side authauth0-nextjs skill which handles both client and serverauth0-react-native for React Native/Expo@auth0/auth0-fastify-api instead for JWT validation without sessionsnpm install @auth0/auth0-fastify fastify @fastify/view ejs dotenv
Create .env:
AUTH0_DOMAIN=your-tenant.auth0.com
AUTH0_CLIENT_ID=your-client-id
AUTH0_CLIENT_SECRET=your-client-secret
SESSION_SECRET=<openssl-rand-hex-64>
APP_BASE_URL=http://localhost:3000
Generate secret: openssl rand -hex 64
Create your Fastify server (server.js):
import 'dotenv/config';
import Fastify from 'fastify';
import fastifyAuth0 from '@auth0/auth0-fastify';
import fastifyView from '@fastify/view';
import ejs from 'ejs';
const fastify = Fastify({ logger: true });
// Register view engine
await fastify.register(fastifyView, {
engine: { ejs },
root: './views',
});
// Configure Auth0 plugin
await fastify.register(fastifyAuth0, {
domain: process.env.AUTH0_DOMAIN,
clientId: process.env.AUTH0_CLIENT_ID,
clientSecret: process.env.AUTH0_CLIENT_SECRET,
appBaseUrl: process.env.APP_BASE_URL,
sessionSecret: process.env.SESSION_SECRET,
});
fastify.listen({ port: 3000 });
This automatically creates:
/auth/login - Login endpoint/auth/logout - Logout endpoint/auth/callback - OAuth callback// Public route
fastify.get('/', async (request, reply) => {
const session = await fastify.auth0Client.getSession({ request, reply });
return reply.view('views/home.ejs', {
isAuthenticated: !!session,
});
});
// Protected route
fastify.get('/profile', {
preHandler: async (request, reply) => {
const session = await fastify.auth0Client.getSession({ request, reply });
if (!session) {
return reply.redirect('/auth/login');
}
}
}, async (request, reply) => {
const user = await fastify.auth0Client.getUser({ request, reply });
return reply.view('views/profile.ejs', { user });
});
Start your server:
node server.js
Visit http://localhost:3000 and test the login flow.
| Mistake | Fix |
|---|---|
| Forgot to add callback URL in Auth0 Dashboard | Add /auth/callback path to Allowed Callback URLs (e.g., http://localhost:3000/auth/callback) |
| Missing or weak SESSION_SECRET | Generate secure 64-char secret with openssl rand -hex 64 and store in .env |
| App created as SPA type in Auth0 | Must be Regular Web Application type for server-side auth |
| Session secret exposed in code | Always use environment variables, never hardcode secrets |
| Wrong appBaseUrl for production | Update APP_BASE_URL to match your production domain |
| Not awaiting fastify.register | Fastify v4+ requires awaiting plugin registration |
auth0-quickstart - Basic Auth0 setupauth0-migration - Migrate from another auth providerauth0-mfa - Add Multi-Factor AuthenticationPlugin Options:
domain - Auth0 tenant domain (required)clientId - Auth0 client ID (required)clientSecret - Auth0 client secret (required)appBaseUrl - Application URL (required)sessionSecret - Session encryption secret (required, min 64 chars)audience - API audience (optional, for calling APIs)Client Methods:
fastify.auth0Client.getSession({ request, reply }) - Get user sessionfastify.auth0Client.getUser({ request, reply }) - Get user profilefastify.auth0Client.getAccessToken({ request, reply }) - Get access tokenfastify.auth0Client.logout(options, { request, reply }) - Logout userCommon Use Cases:
preHandler to check session (see Step 4)!!sessiongetUser({ request, reply })getAccessToken({ request, reply })