This guide connects server-side application code to AuthOS. It assumes an operator has already installed and configured the platform.
Prerequisites
- A reachable AuthOS base URL stored as server-side configuration
- Node.js 18 or newer and npm for the Node.js path
- A registered organization and service
- A clear choice between verifying interactive-user access tokens and acting as a non-interactive service
Choose the backend boundary
Use @drmhse/authos-node when a Node.js
server needs token verification or Express middleware. Use the Service API SDK
module and Service API HTTP
reference for workloads that act
without an interactive browser session.
Connect the backend
- Store the AuthOS base URL in server-side configuration such as
AUTHOS_BASE_URL. - Follow the selected package or service reference to install and initialize the client. Keep API keys and client secrets out of browser bundles and version control.
- For user-facing APIs, protect one test route and require a valid AuthOS access token.
- For service-to-service access, request only the scopes the workload needs and call one permitted endpoint.
- Exercise a denied request as well as a successful request so the boundary is proven rather than merely configured.
Completion check
- A valid token or service credential can call the intended test endpoint.
- A missing, invalid, or insufficiently scoped credential is rejected.
- Verified claims or service scopes are available to authorization code.
- Secrets exist only in an approved server-side store.