Express

Add authentication to your Express app with Clowk

Install

pnpm add @clowk/express @clowk/core

Configure

app.ts
import express from 'express'
import { clowkMiddleware, requireAuth } from '@clowk/express'

const app = express()

Protect all routes

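Apply the middleware globally. The decoded JWT is available on req.auth, which is null when no token is found, so a handler that needs a user must check it or use requireAuth():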

app.use(clowkMiddleware({
  secretKey: process.env.CLOWK_SECRET_KEY,
}))

app.get('/dashboard', (req, res) => {
  res.json({ user: req.auth })
})

Protect specific routes

Use requireAuth() to gate individual routes. It returns 401 if there is no valid token:

app.get('/public', (req, res) => {
  res.json({ message: 'This is public' })
})

app.get('/protected', requireAuth(), (req, res) => {
  res.json({ user: req.auth })
})

How it works

The middleware extracts and verifies the JWT from (in order):

  1. Query parameter: ?token=eyJ...
  2. Authorization header: Bearer eyJ...
  3. Cookie: clowk_token

With clowkMiddleware, req.auth is null if no token is found (soft auth). With requireAuth, the request is rejected with 401 before reaching your handler.
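
The lookup order above, written out as an added example (not Clowk's own code): it locates the token on a request-like object without verifying it, and masks the token query parameter before logging, since a token passed in the URL is recorded wherever the URL is. The helper names, the sample requests and the exact Bearer matching rule are assumptions.

```javascript
// Added illustration (not Clowk's source): the documented lookup order as plain code.
const COOKIE_NAME = 'clowk_token' // cookie name taken from the page

// Minimal Cookie-header parser; the first occurrence of a name wins.
function parseCookies(header = '') {
  const jar = new Map()
  for (const part of header.split(';')) {
    const eq = part.indexOf('=')
    if (eq < 0) continue
    const name = part.slice(0, eq).trim()
    if (name && !jar.has(name)) jar.set(name, part.slice(eq + 1).trim())
  }
  return jar
}

// Return { token, source } from the first source that carries one, else null.
// Only locates the token; signature verification is out of scope here.
function locateToken(req) {
  const url = new URL(req.url, 'http://localhost') // base lets a relative URL parse
  const fromQuery = url.searchParams.get('token')
  if (fromQuery) return { token: fromQuery, source: 'query' }

  // Assumed matching rule: scheme "Bearer", then one whitespace-free token.
  const bearer = /^Bearer\s+(\S+)$/i.exec(req.headers.authorization || '')
  if (bearer) return { token: bearer[1], source: 'header' }

  const fromCookie = parseCookies(req.headers.cookie).get(COOKIE_NAME)
  if (fromCookie) return { token: fromCookie, source: 'cookie' }
  return null
}

// Query-string tokens end up in request URLs, so mask them before logging.
function redactUrl(rawUrl) {
  const url = new URL(rawUrl, 'http://localhost')
  if (url.searchParams.has('token')) url.searchParams.set('token', 'REDACTED')
  return url.pathname + url.search
}

// Constructed sample requests (token values are placeholders, not real JWTs).
const both = { authorization: 'Bearer HEADER.TOK.EN', cookie: 'clowk_token=COOKIE.TOK.EN' }
const samples = [
  { url: '/dashboard?token=QUERY.TOK.EN', headers: both },
  { url: '/dashboard', headers: both },
  { url: '/dashboard', headers: { cookie: 'theme=dark; clowk_token=COOKIE.TOK.EN' } },
  { url: '/dashboard', headers: {} },
]
for (const req of samples) {
  const found = locateToken(req)
  console.log(redactUrl(req.url), '->', found ? found.source : 'no token (req.auth would be null)')
}
```
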
