Auth0-Fastify Mono Repo, containing SDKs for implementing user authentication in Fastify applications.
📚 Packages - 🔎 Features - 💬 Feedback
Two SDKs — pick the one that matches your application:
@auth0/auth0-fastify— for server-rendered web apps where users log in. Authenticates with an encrypted browser session cookie and handles login, logout, callback, and session management.@auth0/auth0-fastify-api— for APIs / resource servers consumed by SPAs, mobile, or services. Authenticates with anAuthorization: Bearer <access_token>and authorizes by scopes and claims.
Jump straight to the capability you need.
| Feature | What it does |
|---|---|
| Quick start | Register the Auth0 plugin with fastify.register in a few lines |
| Built-in routes | /auth/login, /auth/logout, /auth/callback, back-channel logout |
| Custom login / logout / callback | Roll your own routes instead of the mounted ones |
| Configure mounted routes | Disable the built-in routes or add account-linking routes |
| Protect a route with a session | Gate server-rendered pages behind a login session |
| Get the current session / user | Read the authenticated user with getUser() / getSession() |
Call an API (getAccessToken) |
Get an access token to call APIs as the user |
| Custom Token Exchange | Create a session from an external token without a browser login |
| Multiple Custom Domains (MCD) | Resolve the Auth0 domain per request |
Custom fetch |
Swap in your own fetch (proxies, retries, instrumentation) |
| Discovery cache | Control caching of OIDC discovery metadata and JWKS |
| Feature | What it does |
|---|---|
| Quick start | Protect an API with fastify.register in a few lines |
Protect an API route (requireAuth) |
Require a valid bearer access token in a preHandler |
Read token claims (request.user) |
Access claims extracted from the verified token |
| Custom token / user type | Type your custom claims via module augmentation |
| DPoP (proof-of-possession) | Bind access tokens to a client key pair (RFC 9449) |
| On-Behalf-Of Token Exchange | Exchange the caller's token for a downstream API token |
| Multiple Custom Domains (MCD) | Accept tokens from multiple issuer domains of one tenant |
Custom fetch |
Swap in your own fetch (proxies, retries, instrumentation) |
| Discovery cache | Control caching of discovery metadata and signing keys |
The following examples can be found in the examples directory:
Before running the examples, you need to install the dependencies for the monorepo and build all the packages.
- Install depedencies
$ npm install- Build all packages
$ npm run build- Follow example instructions
We appreciate feedback and contribution to this repo! Before you get started, please read the following:
- Auth0's general contribution guidelines
- Auth0's code of conduct guidelines
- This repo's contribution guide
To provide feedback or report a bug, please raise an issue on our issue tracker.
Please do not report security vulnerabilities on the public GitHub issue tracker. The Responsible Disclosure Program details the procedure for disclosing security issues.

Auth0 is an easy to implement, adaptable authentication and authorization platform. To learn more checkout Why Auth0?
This project is licensed under the MIT license. See the LICENSE file for more info.