These instructions assume you already have a Kinde account. You can register for free here (no credit card required).

They also assume you are building with ExpressJS and have the relevant express packages already installed.

Set up your app

Add Kinde ExpressJS SDK as a dependency

The easiest way to install the SDK is via npm or yarn:

npm i @kinde-oss/kinde-node-express

Integrate with your app

You’ll need to import our Kinde helpers into your project. We recommend you do this in the entry point of your application, typically index.js or app.js.

const express = require("express");

// Helpers used throughout this guide
const {
  setupKinde,
  protectRoute,
  getUser,
} = require("@kinde-oss/kinde-node-express");

const app = express();

const config = {
  clientId: "<YOUR_CLIENT_ID>",
  issuerBaseUrl: "https://<YOUR_SUBDOMAIN>",
  siteUrl: "http://localhost:3000",
  // Listed as required in the SDK API Reference; do not commit the real value
  secret: "<YOUR_CLIENT_SECRET>",
  redirectUrl: "http://localhost:3000",
};

// Registers the Kinde session handling and auth routes on the Express app
setupKinde(config, app);

  1. In Kinde, go to Settings > Applications > [Your app] > View details.
  2. Replace the placeholders in the code block above with the values from the App Keys section.
  3. Replace http://localhost:3000 with the URL of wherever your app is running.

As part of your development process, we highly recommend you create a development environment within your Kinde account. In this case, you’d use the Environment subdomain and app key values in the code block above.

Set your callback and logout URLs

Kinde will redirect your user to authenticate. They’ll be redirected back to your Express app after signing in or signing up.

To authenticate your app, you need to specify which URL Kinde should redirect your user to.

  1. In Kinde, go to Settings > Applications > [Your app] > View details.
  2. Set the Allowed callback URLs (redirect URIs) to the URL of your app. This is where your application is served. For local development this could be http://localhost:3000. This is required for your users to sign in to your app successfully. This should match the redirectUrl you set in the config in the previous step.
  3. Set the URLs they’ll be redirected to after signing out by adding your application's logout page to the Allowed logout redirect URLs. For local development this could be http://localhost:3000. This should match the siteUrl you set in the config in the previous step.
  4. Select Save.

Note: http://localhost:3000 is an example of a commonly used local development URL. It should be replaced with the URL where your app is running.

Sign in / register

Kinde provides sign in / register methods that are easy to implement. Here’s an example of adding buttons to your HTML:

<div id="logged_out_view">
    <a href="/login">Login</a>
    <a href="/register">Register</a>
</div>

Clicking either of these buttons redirects your user to Kinde, where they authenticate before being redirected back to your site.

Handle redirect

Once your user is redirected back to your site from Kinde, you can set a callback to take place. The callback automatically passes in the user object and any application state you set prior to the redirect.

app.get("/", (req, res) => {
    // The SDK stores the access token on the session after a successful sign in
    if (req.session && req.session.kindeAccessToken) {
        res.send("You are authenticated!");
    } else {
        res.send("You are not");
    }
});

Protecting routes

The protectRoute middleware included in the SDK allows you to tell Express which routes are for authorized users only.

app.get("/admin", protectRoute, (req, res) => {
    res.send("Welcome to the admin area");
});

You can pass an unAuthorisedUrl into the setupKinde configuration object, which tells Kinde where to redirect the user when protectRoute finds that the user is not yet authenticated.

Access the user object

The getUser middleware included in the SDK allows you to add the user object to the request.

app.get("/admin", protectRoute, getUser, (req, res) => {
    res.send(`Hello, ${req.user.given_name}`);
});

Signing out is implemented in much the same way as signing in or registering. The Kinde SDK already comes with a /logout method.

<a href="/logout">Sign out</a>

Register your first user by signing up yourself. You’ll see your newly registered user on the Users page of the relevant organization in Kinde.

This SDK also contains a library for verifying JWTs signed by Kinde, which can be used as a layer to protect API endpoints.

Initialize the library as follows:

const {jwtVerify} = require("@kinde-oss/kinde-node-express");

const verifier = jwtVerify("https://<your_kinde_subdomain>");

Replace <your_kinde_subdomain> above with the subdomain you registered on Kinde. The step above caches your JWKS for Kinde in your Express application.

Protect endpoints

If you add the verifier middleware to an endpoint, it will validate the token. If the token is valid, the user's Kinde ID is added to the request; otherwise a 403 error is thrown.

app.get("/some-route", verifier, (req, res) => {
    console.log(req.user); // {id: "kp:the-users-kinde-id"}
    res.send("OK"); // always answer the request so it does not hang
});
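
What a verifier of this kind has to check before it trusts a token, shown as an added example that is not the SDK's own implementation: the algorithm is pinned, the key is looked up by kid in the cached JWKS, and signature, issuer and expiry are all checked, with a 403 on any failure. The Bearer header, the use of the sub claim as the user ID, and the names verifyJwt, makeVerifier and signSample are assumptions; the key pair and issuer are constructed sample values.

```javascript
const nodeCrypto = require("node:crypto");

const b64u = (v) => Buffer.from(v).toString("base64url");
const fromB64u = (s) => JSON.parse(Buffer.from(s, "base64url").toString());

// Verify an RS256 JWT against an already-fetched JWKS; returns claims or throws.
function verifyJwt(token, jwks, issuer, now = Math.floor(Date.now() / 1000)) {
  const [h, p, s, extra] = String(token).split(".");
  if (!h || !p || !s || extra !== undefined) throw new Error("malformed token");
  const header = fromB64u(h);
  // Pin the algorithm; never let the token header pick "none" or an HMAC.
  if (header.alg !== "RS256") throw new Error("unexpected alg");
  const jwk = jwks.keys.find((k) => k.kid === header.kid);
  if (!jwk) throw new Error("unknown kid");
  const key = nodeCrypto.createPublicKey({ key: jwk, format: "jwk" });
  const sig = Buffer.from(s, "base64url");
  const signed = Buffer.from(`${h}.${p}`);
  if (!nodeCrypto.verify("RSA-SHA256", signed, key, sig)) throw new Error("bad signature");
  const claims = fromB64u(p); // read only after the signature checks out
  if (claims.iss !== issuer) throw new Error("wrong issuer");
  if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("expired");
  return claims;
}

// Express-style middleware: sets req.user on success, answers 403 on any failure.
function makeVerifier(issuer, jwks) {
  return (req, res, next) => {
    let claims;
    try {
      const [scheme, token] = (req.headers.authorization || "").split(" ");
      if (scheme !== "Bearer") throw new Error("no bearer token");
      claims = verifyJwt(token, jwks, issuer);
    } catch {
      return res.status(403).send("Forbidden");
    }
    req.user = { id: claims.sub };
    next();
  };
}

// Constructed sample data: throwaway key pair and issuer, not real Kinde values.
const ISSUER = "https://example.invalid";
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const JWKS = { keys: [{ ...publicKey.export({ format: "jwk" }), kid: "k1" }] };

function signSample(claims, header = { alg: "RS256", kid: "k1" }) {
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${b64u(nodeCrypto.sign("RSA-SHA256", Buffer.from(input), privateKey))}`;
}
```
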

SDK API Reference

| Property | Type | Is required | Default | Description |
| --- | --- | --- | --- | --- |
| clientId | string | Yes | | The id of your application - get this from the Kinde admin area |
| issuerBaseUrl | string | Yes | | Either your Kinde instance URL or your custom domain. e.g |
| redirectUrl | string | Yes | | The URL that the user will be returned to after authentication |
| secret | string | Yes | | The secret for your application - get this from the Kinde admin area |
| siteUrl | string | Yes | | Where your user will be redirected upon logout |
| unAuthorisedUrl | string | No | | The URL the user will be redirected to if protectRoute finds the user is not authenticated |
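
A startup check for the properties listed above, as an added example that is not part of the SDK: it fails fast on a missing required value, an unreplaced placeholder, or a callback or logout URL that uses plain http outside local development. The function names, the environment variable names and the https rule are assumptions made for this example.

```javascript
// Properties from the SDK API Reference table; `required` mirrors "Is required".
const KINDE_PROPS = {
  clientId: { required: true },
  issuerBaseUrl: { required: true, url: true },
  redirectUrl: { required: true, url: true },
  secret: { required: true },
  siteUrl: { required: true, url: true },
  unAuthorisedUrl: { required: false },
};
const LOCAL_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Hypothetical environment variable names (the page defines none).
function configFromEnv(env) {
  return {
    clientId: env.KINDE_CLIENT_ID,
    issuerBaseUrl: env.KINDE_ISSUER_BASE_URL,
    redirectUrl: env.KINDE_REDIRECT_URL,
    secret: env.KINDE_CLIENT_SECRET, // keeps the secret out of source control
    siteUrl: env.KINDE_SITE_URL,
  };
}

// Returns a list of problems; empty means the config can go to setupKinde.
function checkKindeConfig(config) {
  const problems = [];
  for (const [name, rule] of Object.entries(KINDE_PROPS)) {
    const value = config[name];
    if (value === undefined || value === "") {
      if (rule.required) problems.push(`${name}: missing`);
    } else if (typeof value !== "string") {
      problems.push(`${name}: must be a string`);
    } else if (/<[A-Za-z_]+>/.test(value)) {
      problems.push(`${name}: placeholder not replaced`);
    } else if (rule.url) {
      let url = null;
      try { url = new URL(value); } catch { problems.push(`${name}: not a URL`); }
      // Plain http is tolerated only for local development hosts.
      if (url && url.protocol !== "https:" && !LOCAL_HOSTS.has(url.hostname)) {
        problems.push(`${name}: must use https`);
      }
    }
  }
  return problems;
}
```

Call checkKindeConfig(configFromEnv(process.env)) before setupKinde and refuse to start the server if the returned list is not empty.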

Reach out to if you need help getting Kinde connected.
