npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@japikey/express

v0.4.0

Published

Express endpoints for JAPIKey authentication

Readme

@japikey/express

This package generates express routes and middleware to fully integrate japikeys into your app. You can create api keys, view, or delete them, and validate they are valid. This package is part of the larger @japikey ecosystem. See @japikey/japikey for more information.

Prerequisites

Have an existing express() application, that has some other mechanism for authentication. When a user creates an API key, we only want to grant access for that user, after all! You'll also need a database to store the API key information. This quickstart assumes you're using sqlite, but you can use a different adapter to suit your needs

Installing japikey

npm install --save "@japikey/japikey"
npm install --save "@japikey/express"
npm install --save "@japikey/sqlite"

Adding the router

When you're setting up your app(), you just need to add code like this:

import { UnauthorizedError } from '@japikey/japikey';
import SqliteDriver from '@japikey/sqlite';
import {
  createApiKeyRouter,
  createJWKSRouter,
  type ApiKeyRouterOptions,
  type CreateApiKeyData,
} from '@japikey/express';
const app = express();
app.use(yourMiddlewareForAuthentication);
app.use('/', yourUsualAppEndpoints);

function getUserId(request: Request): Promise<string> {
  if (!request.user) {
    // Your auth middleware didn't set a user,
    // let's say because their access_token was wrong
    throw new UnauthorizedError();
  }
}

function parseCreateApiKeyRequest(request: Request): Promise<CreateApiKeyData> {
  const { expiresAt, scopes } = request.body;
  // Add extra validation as desired
  return {
    expiresAt: new Date(expiresAt),
    claims: { scopes }, // Any claims you want encoded in the token
    databaseMetadata: {}, // Any extra things you want to store in the database
  };
}
const db = new SqliteDriver(process.env.SQLITE_PATH);
const options: ApiKeyRouterOptions = {
  getUserId,
  parseCreateApiKeyRequest,
  issuer: new URL('https://example.com/'),
  aud: 'api-key',
  db,
};

const apiKeyRouter = createApiKeyRouter(options);
const jwksRouter = createJWKSRouter({ db, maxAgeSeconds: 300 }); // Set the cache-control to invalidate after 5 minutes
app.use('/api-keys', apiKeyRouter);
app.use('/', jwksRouter);

Details about the configuration

There are two separate endpoint banks to implement. The apiKeyRouter handles the CRUD operations to create, list, and delete an api key.

The jwksRouter handles any client that wants to validate the API key. It provides the public key data via the .well-known/jwks.json endpoint. These two endpoints do need to be configured in a compatible way, specifically around the issuer URL.

The issuer passed into createApiKeyRouter MUST be the full URL corresponding to the root of the jwksRouter.

For example, if your domain is https://example.com and you use app.use('/', jwksRouter), your issuer MUST be https://example.com. If instead you do app.use('//my-subpath', jwksRouter), then the issuer MUST be https://example.com/my-subpath

The issuer URL does not necessarily have anything to do with the URL that the apiKeyRouter is on. Your apiKeyRoute could be https://example.com/api-keys or https://example.com/my/long/subpath or https://susu.dev and that doesn't have any impact on the JWKS endpoint.

Besides the issuer, the other critical parameter passed in is the getUserId function. That function MUST integrate with your existing authentication system. It MUST raise an exception if the user is not authenticated.

You can throw any error that you want from the method. If you throw one of the errors provided by japikeys (such as UnauthorizedError), the router will make sure it gets converted to the proper HTTP status code, with a JSON body for clients. If you throw a different error, it's up to you to have an appropriate errorHandler to ensure the server returns something other than a generic 500 error.

Lastly, the parseCreateApiKeyRequest lets you specify what the payload is to the CREATE endpoint (POST /api-keys). You at least need to pass back an expiredAt parameter. (You could always hardcode this to e.g. Date.now() + one year) for example. Any other data is up to your application needs. claims get encoded in the token themselves, and metadata goes in the database for any of your business logic later

Validating an API key

Whether you're in the backend, or even on the browser frontend, verifying an API key is a simple process.

For express, there's a helpful middleware:

npm install --save "@japikey/authenticate"
import { createGetJWKS } from '@japikey/authenticate';
import { authenticateApiKey } from '@japikey/express';

const issuer = new URL('https://example.com');
const getJWKS = createGetJWKS(issuer);

const authenticateOptions: AuthenticateOptions = {
  baseIssuer: issuer,
  getJWKS,
};
app.use('/', authenticateApiKey(authenticateOptions));

and on the frontend side, you can call authenticate() directly wherever needed:

import { createGetJWKS, authenticate } from '@japikey/authenticate';
const issuer = new URL('https://example.com');
const getJWKS = createGetJWKS(issuer);
await authenticate(my_auth_token, { getJWKS, baseIssuer });