Express.js quickstart
Add Wocha authentication to an Express.js API with JWT access token validation on incoming requests and the Management SDK for admin tasks.
Add Wocha authentication to an Express.js API: validate JWT access tokens on incoming requests and use the Management SDK for admin tasks.
Prerequisites
- Node.js 18+
- A Wocha project with an OAuth application (Wocha Console)
- An API audience configured if your tenant requires it (optional for basic JWT validation)
What you'll build
An Express API that validates Wocha JWTs on protected routes and uses the Management SDK for admin operations.
Welcome back
After sign-in
✓ Session stored securely
✓ User profile available in your app
✓ Organisation context ready for multi-tenant features
Installation
pnpm add @wocha/sdk express express-oauth2-jwt-bearernpx @wocha/cli init --framework expressexpress-oauth2-jwt-bearer validates bearer tokens against your Wocha issuer JWKS.
Environment variables
Create a .env file:
Register your API as a resource in the Console if you use audience-scoped tokens.
JWT validation middleware
Create src/middleware/wocha.ts:
This middleware:
- Extracts the
Authorization: Bearerheader - Fetches signing keys from
{WOCHA_ISSUER}/.well-known/jwks.json - Validates signature, issuer, expiry, and audience
Protected route example
Create src/index.ts:
Testing the integration
-
Start your API:
-
Obtain an access token — sign in via your frontend app or request a token from the hosted login flow.
-
Call the protected endpoint:
-
Confirm you receive the user claims. A missing or expired token returns
401 Unauthorized.
Next steps
- SDK reference — hooks, server helpers, and configuration options
- Webhooks overview — receive user and session lifecycle events
- Common patterns — protect routes, org switching, and role-based UI