
csrf-tokens v2.0.0

primary logic behind csrf tokens

CSRF Tokens

Logic behind CSRF token creation and verification. Read Understanding-CSRF for more information on CSRF. Use this module to create custom CSRF middleware and what not.


var tokens = require('csrf-tokens')(options)

var secret = tokens.secretSync()
var token = tokens.create(secret)
var valid = tokens.verify(secret, token)


Options:

  • secretLength: 24 - the byte length of the secret key
  • saltLength: 8 - the string length of the salt
  • tokensize: (secret, salt) => token - a custom token creation function


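tokens.secret([cb])

Asynchronously create a new secret of length secretLength. If cb is not defined, a promise is returned. You don't have to use this.

// promise form
tokens.secret().then(function (secret) {
  // use the secret
})

// callback form
tokens.secret(function (err, secret) {
  if (err) throw err
  // use the secret
})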


var secret = tokens.secretSync()

Synchronous version of tokens.secret()

var token = tokens.create(secret)

Create a CSRF token based on a secret. This is the token you pass to clients.

var valid = tokens.verify(secret, token)

Check whether a CSRF token is valid based on a secret. If it's not valid, you should probably throw a 403 error.
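
The create/verify flow described above, sketched with Node's built-in crypto module as an added example; it is not the csrf-tokens source. The HMAC-SHA256 construction, the `x-csrf-token` header name and the `checkRequest` helper are assumptions made for illustration.

```javascript
// Added illustration, not the csrf-tokens source. The HMAC construction,
// header name and checkRequest helper are assumptions.
const crypto = require('crypto')

const SECRET_LENGTH = 24 // bytes, as in the secretLength option
const SALT_LENGTH = 8 // characters, as in the saltLength option

// Per-session secret: kept server-side (e.g. in the session), never sent out.
function secretSync () {
  return crypto.randomBytes(SECRET_LENGTH).toString('base64')
}

// (secret, salt) => token, the shape of the custom token function option.
function tokenize (secret, salt) {
  const mac = crypto.createHmac('sha256', secret).update(salt).digest('hex')
  return salt + '-' + mac
}

// A fresh random salt per call means every issued token differs.
function create (secret) {
  const salt = crypto.randomBytes(SALT_LENGTH).toString('hex').slice(0, SALT_LENGTH)
  return tokenize(secret, salt)
}

// Recompute the token from the salt the client sent back and compare.
function verify (secret, token) {
  if (typeof secret !== 'string' || typeof token !== 'string') return false
  if (token.indexOf('-') !== SALT_LENGTH) return false
  const expected = Buffer.from(tokenize(secret, token.slice(0, SALT_LENGTH)))
  const actual = Buffer.from(token)
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return actual.length === expected.length &&
    crypto.timingSafeEqual(actual, expected)
}

// Returns the HTTP status a middleware would send for this request.
function checkRequest (req, sessionSecret) {
  if (['GET', 'HEAD', 'OPTIONS'].includes(req.method)) return 200
  return verify(sessionSecret, req.headers['x-csrf-token']) ? 200 : 403
}
```

A missing header, a token issued under another session's secret and a token with a single altered character all take the same 403 path.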

