Express Quickstart

Use this guide to add ThunderID authentication to an Express app with sign-in, sign-out, and route protection.

What You Will Learn
  • Create a new Express app
  • Install the @thunderid/express package
  • Add working sign-in and sign-out routes
  • Protect routes and access the signed-in user

Prerequisites
  • About 15 minutes
  • Steps 1–3 complete: ThunderID running, an application registered, and a sign-in flow built. Start at Get ThunderID if you haven't already.
  • Node.js installed on your system
  • npm, yarn, or pnpm
  • Your preferred code editor

1. Create an Express App

Create your new Node.js application:

mkdir my-express-app
cd my-express-app
npm init -y
npm install express cookie-parser

2. Install the SDK and Dependencies

Install the ThunderID Express SDK:

npm install @thunderid/express

3. Add Authentication Middleware and Routes

Create an index.js file with ThunderID middleware and auth routes:

index.js

const express = require('express');
const cookieParser = require('cookie-parser');
const {thunderID, handleSignIn, handleSignOut, protect} = require('@thunderid/express');

const app = express();
const port = 3000;

app.use(cookieParser());
app.use(express.json());

// Register the ThunderID middleware with your application's settings.
app.use(
  thunderID({
    baseUrl: 'https://localhost:8090',
    clientId: '<your-client-id>',
    clientSecret: '<your-client-secret>',
    afterSignInUrl: 'http://localhost:3000/login',
    afterSignOutUrl: 'http://localhost:3000/logout',
  }),
);

app.get('/', (_req, res) => {
  res.send('<a href="/protected">Go to protected page</a>');
});

// Sign-in and sign-out routes handled by the SDK.
app.get('/login', handleSignIn());
app.get('/logout', handleSignOut());

// Protected route: the callback passed to protect() redirects to /login.
app.get(
  '/protected',
  protect((res) => res.redirect('/login')),
  (_req, res) => {
    res.send('You are signed in and can access this protected route.');
  },
);

// Return the signed-in user's profile as JSON.
app.get('/me', protect(), async (req, res) => {
  const user = await req.thunderIDAuth.getUserFromRequest(req);
  res.json(user);
});

app.listen(port, () => {
  console.log(`Server running on http://localhost:${port}`);
});

Configuration

Replace <your-client-id> and <your-client-secret> with values from your ThunderID application. Make sure the authorized redirect URL in your application settings is set to http://localhost:3000/login.
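
The step above puts the client secret directly in index.js. As an added example (not part of the ThunderID quickstart or SDK), the helper below builds the same five options from environment variables and fails at startup if a placeholder or a non-HTTPS base URL slips through. The function name loadThunderIDConfig and the variable names THUNDERID_BASE_URL, THUNDERID_CLIENT_ID, THUNDERID_CLIENT_SECRET and APP_URL are assumptions.

```javascript
// Added example, not ThunderID code. Function and variable names are assumptions.
function loadThunderIDConfig(env) {
  const required = [
    'THUNDERID_BASE_URL',
    'THUNDERID_CLIENT_ID',
    'THUNDERID_CLIENT_SECRET',
    'APP_URL',
  ];
  const missing = required.filter((name) => !env[name] || env[name].trim() === '');
  if (missing.length > 0) {
    throw new Error(`Missing environment variables: ${missing.join(', ')}`);
  }

  // Catch quickstart placeholders such as <your-client-secret> left in by mistake.
  for (const name of ['THUNDERID_CLIENT_ID', 'THUNDERID_CLIENT_SECRET']) {
    if (/^<.*>$/.test(env[name].trim())) {
      throw new Error(`${name} still holds a placeholder value`);
    }
  }

  // new URL() throws on malformed input, so bad values fail at startup.
  const baseUrl = new URL(env.THUNDERID_BASE_URL);
  if (baseUrl.protocol !== 'https:') {
    throw new Error('THUNDERID_BASE_URL must use https');
  }
  const appUrl = new URL(env.APP_URL);
  const isLocal = ['localhost', '127.0.0.1'].includes(appUrl.hostname);
  if (appUrl.protocol !== 'https:' && !isLocal) {
    throw new Error('APP_URL must use https unless it points at localhost');
  }

  return {
    baseUrl: env.THUNDERID_BASE_URL.trim().replace(/\/+$/, ''),
    clientId: env.THUNDERID_CLIENT_ID.trim(),
    clientSecret: env.THUNDERID_CLIENT_SECRET.trim(),
    afterSignInUrl: new URL('/login', appUrl).href,
    afterSignOutUrl: new URL('/logout', appUrl).href,
  };
}

// Constructed sample values for illustration only.
const sampleEnv = {
  THUNDERID_BASE_URL: 'https://localhost:8090',
  THUNDERID_CLIENT_ID: 'example-client-id',
  THUNDERID_CLIENT_SECRET: 'example-client-secret',
  APP_URL: 'http://localhost:3000',
};
console.log(Object.keys(loadThunderIDConfig(sampleEnv)).join(', '));
// In index.js: app.use(thunderID(loadThunderIDConfig(process.env)));
```

The sign-in URL the helper derives must still match the authorized redirect URL registered for the application.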

4. Run Your App

Start the server:

node index.js

Open http://localhost:3000/protected.

You should be redirected to ThunderID sign-in. After successful login, you'll return to your app and access the protected route. Then open http://localhost:3000/me to inspect the signed-in user profile.

You're Done

You have completed the full getting started sequence:

  1. ✅ ThunderID running
  2. ✅ Application registered with Client ID and Client Secret
  3. ✅ Sign-in flow built in the Flow Designer
  4. ✅ Express app integrated and authenticating
