npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@authgear/nestjs

v0.1.1

Published

Authgear SDK for NestJS — validate Authgear JWT access tokens and protect routes.

Downloads

303

Readme

Authgear SDK for NestJS

@authgear/nestjs @authgear/nestjs License

With Authgear SDK for NestJS, you can protect your NestJS resource server (API) with Authgear in just a few lines of code. It validates Authgear JWT access tokens offline using OIDC discovery and JWKS — no network round-trip to Authgear on every request — and provides a NestJS module, an auth guard, and decorators for reading the authenticated user.

Quick links — 📚 Documentation · 🏁 Getting Started · 🛠️ Troubleshooting · 👥 Contributing

What is Authgear?

Authgear is a highly adaptable identity-as-a-service (IDaaS) platform for web and mobile applications. Authgear makes user authentication easier and faster to implement by integrating it into various types of applications — from single-page web apps to mobile applications to API services.

Key Features

  • Zero-trust authentication architecture with OpenID Connect (OIDC) standard.
  • Easy-to-use interfaces for user registration and login, including email, phone, username as login ID, and password, OTP, magic links, etc.
  • Support for a wide range of identity providers, such as Google, Apple, and Azure Active Directory.
  • Support for Passkeys, biometric login, and Multi-Factor Authentication (MFA) such as SMS/email-based verification and authenticator apps with TOTP.

This SDK focuses on the resource server side: verifying the JWT access tokens that Authgear issues, so your NestJS API can trust the caller's identity.

Requirements

  • NestJS >= 10 (works with NestJS 10 and 11)
  • Node.js >= 18
  • "Issue JWT as access token" enabled for your Authgear application — this SDK validates JWT access tokens offline and does not support opaque tokens.

Installation

npm install @authgear/nestjs jose

Getting Started

1. Enable JWT access tokens in Authgear

In the Authgear Portal, open your application's settings and enable "Issue JWT as access token". Without this, Authgear issues opaque access tokens, which this SDK cannot validate offline.

2. Register the module

Register AuthgearModule.forRoot() in your root module. Setting global: true registers AuthgearAuthGuard as a global guard so every route is protected by default.

// app.module.ts
import { Module } from '@nestjs/common';
import { AuthgearModule } from '@authgear/nestjs';

@Module({
  imports: [
    AuthgearModule.forRoot({
      endpoint: 'https://my-project.authgear.cloud',
      global: true, // register AuthgearAuthGuard as a global guard
    }),
  ],
})
export class AppModule {}

Prefer to load configuration asynchronously (e.g. from ConfigService)? Use forRootAsync():

// app.module.ts
import { Module } from '@nestjs/common';
import { ConfigModule, ConfigService } from '@nestjs/config';
import { AuthgearModule } from '@authgear/nestjs';

@Module({
  imports: [
    ConfigModule.forRoot(),
    AuthgearModule.forRootAsync({
      global: true,
      imports: [ConfigModule],
      inject: [ConfigService],
      useFactory: (config: ConfigService) => ({
        endpoint: config.getOrThrow<string>('AUTHGEAR_ENDPOINT'),
        clientID: config.get<string>('AUTHGEAR_CLIENT_ID'),
      }),
    }),
  ],
})
export class AppModule {}

3. Protect your routes

When you register the module with global: true, every route requires a valid Bearer token by default. Use the @Public() decorator to opt a handler out of authentication:

// app.controller.ts
import { Controller, Get } from '@nestjs/common';
import { Public } from '@authgear/nestjs';

@Controller()
export class AppController {
  @Public()
  @Get('health')
  health() {
    return { ok: true };
  }
}

If you did not register the guard globally, protect individual routes (or controllers) with @UseGuards(AuthgearAuthGuard):

import { Controller, Get, UseGuards } from '@nestjs/common';
import { AuthgearAuthGuard } from '@authgear/nestjs';

@Controller('me')
@UseGuards(AuthgearAuthGuard)
export class MeController {
  @Get()
  me() {
    /* ... */
  }
}

4. Read the authenticated user

Use the @CurrentUser() parameter decorator to read the verified token claims in a protected handler:

// app.controller.ts
import { Controller, Get } from '@nestjs/common';
import { CurrentUser, AuthgearClaims } from '@authgear/nestjs';

@Controller()
export class AppController {
  @Get('me')
  me(@CurrentUser() user: AuthgearClaims) {
    return {
      userId: user.sub,
      isVerified: user.isVerified,
    };
  }
}

AuthgearClaims exposes the common claims (sub, iss, aud, clientID, isVerified, isAnonymous, canReauthenticate) plus the full decoded JWT payload as raw for any custom claims.

Usage

Callers must send the access token as a Bearer token:

Authorization: Bearer <jwt-access-token>

Module options

forRoot() and the object returned by the forRootAsync() factory accept the following options:

| Option | Type | Required | Default | Description | | --- | --- | --- | --- | --- | | endpoint | string | ✓ | — | Authgear project endpoint, e.g. https://my-project.authgear.cloud. Used for OIDC discovery and JWKS. | | clientID | string | | — | If set, the verifier also asserts the token's client_id claim equals this value. | | global | boolean | | false | Register AuthgearAuthGuard as a global APP_GUARD so all routes are protected. (forRoot/forRootAsync option.) | | jwksCacheMaxAge | number | | — | JWKS cache max age in milliseconds (passed through to jose). | | clockToleranceSeconds | number | | 0 | Leeway in seconds applied to exp/iat checks. |

You can also inject AuthgearTokenService directly if you need to verify a token outside of the guard.

Troubleshooting

Every request returns 401 Unauthorized.

  • Confirm "Issue JWT as access token" is enabled for the application in the Authgear Portal. Opaque tokens cannot be validated offline and will be rejected.
  • Make sure the client sends the token in the Authorization: Bearer <token> header.
  • If you set clientID, confirm the token's client_id claim matches it.
  • If tokens are rejected due to clock skew between your server and Authgear, set clockToleranceSeconds to a small value.

The application fails to start, or the first request errors with a discovery/JWKS error.

  • Check that endpoint is the correct Authgear project endpoint and is reachable from your server. The SDK fetches the OIDC discovery document and JWKS from this endpoint.

Contributing

Contributions — documentation, features, bug fixes, tests, or code reviews — are very much welcome.

git clone [email protected]:authgear/authgear-sdk-nestjs.git
cd authgear-sdk-nestjs
npm install
npm test
npm run build

A runnable NestJS app demonstrating the SDK lives in example/. The documentation site source lives in docs/ and is published to https://authgear.github.io/authgear-sdk-nestjs/.

To join the community, raise your hand on the Authgear Discord server or the GitHub discussions board.

License

Apache-2.0

Supported and maintained by