Express SDK
JWT validation, encrypted session cookies, SpiceDB permission checks, and webhook verification for Express APIs.
@wocha/express is the Express.js middleware for Wocha authentication and authorisation. It validates JWT access tokens against your issuer JWKS, resolves encrypted BFF session cookies, checks SpiceDB permissions via the Customer API, and verifies webhook signatures.
Installation
pnpm add @wocha/expressnpx @wocha/cli init --framework expressPeer dependency: Express 4.18+ or 5.0+.
Environment variables
WOCHA_ISSUER is accepted as an alias for WOCHA_ISSUER_URL.
Protect API routes
When env vars are set, you can omit the config object:
JWT validation
Access tokens are validated with jose against your issuer JWKS. The middleware:
- Fetches OIDC discovery from
{issuer}/.well-known/openid-configuration - Caches JWKS keys for five minutes
- Verifies signature, issuer, expiry, and optional audience
Use validateAccessToken() directly when you need claims outside middleware:
Call clearJwksCache() after key rotation if validation fails unexpectedly.
Session cookies
The middleware resolves authentication from two sources:
Authorization: Bearer— validates the JWT directly- Encrypted session cookie — compatible with
@wocha/nextjsand@wocha/remixBFF cookies
When a cookie session is near expiry, tokens are refreshed automatically and a new Set-Cookie header is returned.
Permission middleware
requirePermission(resourceType, permission, options?) calls the Customer API /permissions/check endpoint using the authenticated user's access token:
Returns 401 when unauthenticated, 403 when denied, and 400 when no resource ID can be resolved.
requireOrg(orgId?) ensures the user belongs to an organisation — optionally a specific org ID.
Webhook middleware
Register the webhook route before express.json() and use a raw body parser so the signature can be verified:
Lower-level helpers are also exported: verifyWebhookSignature(), parseWebhookEvent().
req.wocha context
After auth.middleware() runs, each request exposes:
| Field | Type | Description |
|---|---|---|
user | GreetUser | null | Authenticated user claims |
session | GreetSession | null | Access token and expiry |
org | GreetOrganisation | null | Active organisation |
permissions | string[] | Permissions embedded in the access token |
featureFlags | Record<string, unknown> | Feature flags from the access token |
isAuthenticated | boolean | Whether a valid session was resolved |
Learn more
- Express quickstart
- TypeScript SDK — Management API client for admin tasks
- Webhooks overview