
Express Quickstart

Use this guide to add ThunderID authentication to an Express app with sign-in, sign-out, and route protection.

What You Will Learn
  • Create a new Express app
  • Install the @thunderid/express package
  • Add working sign-in and sign-out routes
  • Protect routes and access the signed-in user
Prerequisites
  • About 15 minutes
  • Steps 1–3 complete: ThunderID running, an application registered, and a sign-in flow built. Start at Get ThunderID if you haven't already.
  • Node.js installed on your system
  • npm, yarn, or pnpm
  • Your preferred code editor
1

Create an Application in ThunderID

Before integrating ThunderID with your Express app, you need to create an application in ThunderID.

Using the ThunderID Console

  1. Sign in to the ThunderID Console at https://localhost:8090/console
  2. Navigate to Applications > New Application
  3. Under Technology Stack, select Express
  4. Enter the application name my-express-app, then continue to create the application
  5. Copy the Client ID and Client Secret from the application
Info

For Express applications, the default authorized redirect URL is http://localhost:3000/login. This URL points to the callback route used in this guide. You can update it later from the application settings if your callback route changes.

2

Create an Express App

Create your new Node.js application:

mkdir my-express-app
cd my-express-app
npm init -y
npm install express cookie-parser
3

Install the SDK and Dependencies

Install the ThunderID Express SDK:

npm install @thunderid/express
4

Add Authentication Middleware and Routes

Create an index.js file with ThunderID middleware and auth routes:

index.js
const express = require('express');
const cookieParser = require('cookie-parser');
const {thunderID, handleSignIn, handleSignOut, protect} = require('@thunderid/express');

const app = express();
const port = 3000;

app.use(cookieParser());
app.use(express.json());

app.use(
  thunderID({
    baseUrl: 'https://localhost:8090',
    clientId: '<your-client-id>',
    clientSecret: '<your-client-secret>',
    afterSignInUrl: 'http://localhost:3000/login',
    afterSignOutUrl: 'http://localhost:3000/logout',
  }),
);

app.get('/', (_req, res) => {
  res.send('<a href="/protected">Go to protected page</a>');
});

app.get('/login', handleSignIn());
app.get('/logout', handleSignOut());

app.get(
  '/protected',
  protect((res) => res.redirect('/login')),
  (_req, res) => {
    res.send('You are signed in and can access this protected route.');
  },
);

app.get('/me', protect(), async (req, res) => {
  const user = await req.thunderIDAuth.getUserFromRequest(req);
  res.json(user);
});

app.listen(port, () => {
  console.log(`Server running on http://localhost:${port}`);
});

Configuration

Replace <your-client-id> and <your-client-secret> with values from your ThunderID application.
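
An alternative to pasting the Client Secret into index.js, shown as an added example that is not part of the ThunderID documentation or SDK: build the options object from environment variables and fail at startup if a value is missing, is still a placeholder, or uses plain http outside localhost. The THUNDERID_* variable names and the helper function names are assumptions of this example.

```javascript
// Added example: build the thunderID() options from environment variables.
// The THUNDERID_* names are assumptions of this example, not SDK conventions.
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

function requireEnv(env, name) {
  const value = (env[name] || '').trim();
  // Reject empty values and unreplaced placeholders such as <your-client-secret>.
  if (!value || /^<.*>$/.test(value)) {
    throw new Error(`${name} is missing or still a placeholder`);
  }
  return value;
}

function requireUrl(env, name, {allowLoopbackHttp}) {
  const raw = requireEnv(env, name);
  let url;
  try {
    url = new URL(raw);
  } catch {
    throw new Error(`${name} is not a valid absolute URL`);
  }
  // Plain http is tolerated only for loopback redirect targets during development.
  const loopbackHttp = url.protocol === 'http:' && LOOPBACK_HOSTS.has(url.hostname);
  if (url.protocol !== 'https:' && !(allowLoopbackHttp && loopbackHttp)) {
    throw new Error(`${name} must use https`);
  }
  return raw;
}

function loadThunderIDConfig(env = process.env) {
  return {
    baseUrl: requireUrl(env, 'THUNDERID_BASE_URL', {allowLoopbackHttp: false}),
    clientId: requireEnv(env, 'THUNDERID_CLIENT_ID'),
    clientSecret: requireEnv(env, 'THUNDERID_CLIENT_SECRET'),
    afterSignInUrl: requireUrl(env, 'THUNDERID_AFTER_SIGN_IN_URL', {allowLoopbackHttp: true}),
    afterSignOutUrl: requireUrl(env, 'THUNDERID_AFTER_SIGN_OUT_URL', {allowLoopbackHttp: true}),
  };
}

// In index.js: app.use(thunderID(loadThunderIDConfig()));
```

With this in place, the secret stays out of source control and a misconfigured deployment stops at startup instead of at the first sign-in attempt.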

5

Run Your App

Start the server:

node index.js

Open http://localhost:3000/protected.

You should be redirected to ThunderID sign-in. After successful login, you'll return to your app and access the protected route. Then open http://localhost:3000/me to inspect the signed-in user profile.

You're Done

You have completed the full getting started sequence:

  1. ✅ ThunderID running
  2. ✅ Application registered with Client ID and Client Secret
  3. ✅ Sign-in flow built in the Flow Designer
  4. ✅ Express app integrated and authenticating

© WSO2 LLC. All rights reserved.