Sign Up for Free

RunKit +

Try any Node.js package right in your browser

This is a playground to test code. It runs a full Node.js environment and already has all of npm’s 400,000 packages pre-installed, including express-stormpath with all npm packages installed. Try it out:

var expressStormpath = require("express-stormpath")

This service is provided by RunKit and is not affiliated with npm, Inc or the package authors.

express-stormpath v4.0.0

Build simple, secure web applications with Stormpath and Express!

#Stormpath is Joining Okta We are incredibly excited to announce that Stormpath is joining forces with Okta. Please visit the Migration FAQs for a detailed look at what this means for Stormpath users.

We're available to answer all questions at


NPM Version NPM Downloads Build Status Coverage Status Slack Status

Express-Stormpath is an extension for Express.js that makes it incredibly simple to add user authentication to your application, such as login, signup, authorization, and social login.

Stormpath is a User Management API that reduces development time with instant-on, scalable user infrastructure. Stormpath's intuitive API and expert support make it easy for developers to authenticate, manage and secure users and roles in any application.

Getting Started

Follow these steps to add Stormpath user authentication to your Express.js app.

  1. Download Your Key File

Downlaod your API Key file by logging in to and clicking the “Create API Key” button under the “Developer Tools” section.

  1. Store Your Key As Environment Variables

Open your key file and grab the API Key ID and API Key Secret, then run these commands to save them as environment variables:


On Windows, use the set or setx command instead of export.

  1. Get Your Stormpath App HREF

Login to the Stormpath Console and grab the HREF (called REST URL in the UI) of your Application. It should look something like this:

  1. Store Your Stormpath App HREF In an Environment Variable

On Windows, use the set or setx command instead of export.

  1. Install The SDK
$ npm install --save express-stormpath
  1. Include It In Your App
var stormpath = require('express-stormpath');
  1. Initialize It

You need to initialize the middlware and use it with your application. We have options for various use cases.

If your app is a traditional website:

Initialize the Stormpath module, and pass an empty set of options:

app.use(stormpath.init(app, { }));

This will enable the default features, such as login and registration pages.

If your app is a single page application (Angular, React)

You will need to tell our library where the root file is. For example, if your Angular app is in the client/ folder in your project:

app.use(stormpath.init(app, {
  web: {
    spa: {
      enabled: true,
      view: path.join(__dirname, 'client', 'index.html')

Read more about the initialization in the documentation →

  1. Wait For The SDK

Wait for the SDK to get ready, then start the web server:

app.on('stormpath.ready', function () {
  app.listen(3000, function () {
  1. Protect Your Routes

For websites and Single-Page Apps, use stormpath.authenticationRequired as a middleware to protect your routes:

app.get('/secret', stormpath.authenticationRequired, function (req, res) {

For API services that use HTTP Basic Auth, use stormpath.apiAuthenticationRequired:

app.get('/secret', stormpath.apiAuthenticationRequired, function (req, res) {

If the user tries to access this route without being logged in, they will be redirected to the login page.

  1. Login

To access a protected route, the user must first login.

Traditional Websites:

You can login by visiting the /login URL and submitting the login form.

Single Page Apps:

Your front-end client should POST this data to the /login endpoint:

  "username": "",
  "password": "myPassword"

Note: make sure that your client is setting the Accept: application/json header on the request.

Using AngularJS? Try our Stormpath Angular SDK

API Services

If your app is an API service that uses our client_credentials workflow, your API consumers can obtain access tokens by making this POST to your server:

POST /oauth/token
Authorization: Basic <Base64Endoded(ACCOUNT_API_KEY_ID:ACCOUNT_API_KEY_SECRET)>;
Content-Type: application/x-www-form-urlencoded


Read more about login in the documentation →

  1. Register

To be able to login, your users first need an account.

Traditional Websites:

Users can register by visiting the /register URL and submitting the registration form.

Single Page Applications:

Your front-end client should POST this data to the /register endpoint:

  "email": "",
  "password": "mySuper3ecretPAssw0rd"

If the user was created successfully, you will receive a 200 response and the body will contain the account that was created. If an error occurred, we will send a 400 status with an error message in the body.

Note: make sure that your client is setting the Accept: application/json header on the request.

Using AngularJS? Try our Stormpath Angular SDK

Read more about registration in the documentation →

  1. That's It!

You just added user authentication to your app with Stormpath. See the documentation for further information on how Stormpath can be used with your Express.js app.


For a full documentation of this library, see the documentation.


Contact us via email at or visit our support center.


For an example app, see the Stormpath SPA Development Server.


Below are some resources you might find useful.


Apache 2.0, see LICENSE.


RunKit is a free, in-browser JavaScript dev environment for prototyping Node.js code, with every npm package installed. Sign up to share your code.
Sign Up for Free