> ## Documentation Index
> Fetch the complete documentation index at: https://docs-dev-docs-event-stream-action-templates.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.
# Add Login to Your Hono Application
> This Quickstart demonstrates how to secure your Hono applications using Auth0 authentication. Follow the steps to add login, logout, and protected routes to a Hono app.
export const HowToSchema = () => ;
export const AuthCodeGroup = ({children, dropdown}) => {
const [processedChildren, setProcessedChildren] = useState(children);
useEffect(() => {
let unsubscribe = null;
function init() {
unsubscribe = window.autorun(() => {
const processChildren = node => {
if (typeof node === "string") {
let processedNode = node;
for (const [key, value] of window.rootStore.variableStore.values.entries()) {
const escapedKey = key.replaceAll(/[.*+?^${}()|[\]\\]/g, (String.raw)`\$&`);
processedNode = processedNode.replaceAll(new RegExp(escapedKey, "g"), value);
}
return processedNode;
} else if (Array.isArray(node)) {
return node.map(processChildren);
} else if (node && node.props && node.props.children) {
return {
...node,
props: {
...node.props,
children: processChildren(node.props.children)
}
};
}
return node;
};
setProcessedChildren(processChildren(children));
});
}
if (window.rootStore) {
init();
} else {
window.addEventListener("adu:storeReady", init);
}
return () => {
window.removeEventListener("adu:storeReady", init);
unsubscribe?.();
};
}, [children]);
return {processedChildren};
};
This Quickstart is currently in **Beta**. We'd love to hear your feedback!
**Prerequisites:**
* **Node.js** 20 LTS or newer
* **npm** 10+ or **yarn** 1.22+ or **pnpm** 8+
* Optional: **[jq](https://jqlang.org/)** - for Auth0 CLI setup and **openssl** to generate secure secrets
* Hono projects should use Hono >= 3.x (peer dependency)
## Get Started
This quickstart shows the minimal, recommended way to secure a Hono application using `@auth0/auth0-hono`. It follows the repository's recommended patterns: environment-driven configuration, `app.use(auth0(...))` middleware, and `requiresAuth()` for selective protection.
Create a new Hono application using create-hono utility.
```shellscript theme={null}
npm create hono@latest auth0-hono-app && cd auth0-hono-app
```
Select `nodejs` template
Install the Auth0 middleware.
```shellscript theme={null}
npm install @auth0/auth0-hono
```
This quickstart uses `dotenv` package to load environment variables from a `.env` file.
To install `dotenv` locally:
```shellscript theme={null}
npm install -D dotenv
```
Alternatively, if you prefer not to add a dependency, you can load an env file at process start using node's `--env-file` flag, which lets you omit installing and importing `dotenv`.
Modify the `start` script in `package.json` to:
```json theme={null}
"scripts": {
"start": "node --env-file=.env dist/index.js"
}
```
Create an Auth0 Application in your Auth0 tenant (Regular Web Application) and record the **Domain**, **Client ID**, and **Client Secret** in environment variables to your project.
You can choose to set up your Auth0 app automatically by running a CLI command, or do it manually via the Dashboard:
Run the following shell command on your project’s root directory to create an Auth0 app and generate a `.env` file:
```shellscript Mac theme={null}
# Install Auth0 CLI (if not already installed)
brew tap auth0/auth0-cli && brew install auth0
# Set up Auth0 app and generate .env file
auth0 qs setup --app --type regular --framework hono --port 3000 --name "My Hono App"
```
```powershell Windows theme={null}
# Install Auth0 CLI (if not already installed)
scoop bucket add auth0 https://github.com/auth0/scoop-auth0-cli.git
scoop install auth0
# Set up Auth0 app and generate .env file
auth0 qs setup --app --type regular --framework hono --port 3000 --name "My Hono App"
```
This command will:
1. Check if you’re authenticated (and prompt for login if needed)
2. Create an Auth0 Regular Web Application configured for `http://localhost:3000`
3. Generate a `.env` file with `AUTH0_DOMAIN`, `AUTH0_CLIENT_ID`, `AUTH0_CLIENT_SECRET`, `AUTH0_SESSION_ENCRYPTION_KEY`, and `BASE_URL`
Manual steps:
1. Go to the [Auth0 Dashboard](https://manage.auth0.com/dashboard/)
2. Applications → Create Application → **Regular Web Application**
3. In the app settings set:
**Allowed Callback URLs**
```
http://localhost:3000/auth/callback
```
**Allowed Logout URLs**
```
http://localhost:3000
```
4. Create a `.env` file at your project root and populate these values:
```env theme={null}
AUTH0_DOMAIN=YOUR_AUTH0_DOMAIN
AUTH0_CLIENT_ID=YOUR_AUTH0_CLIENT_ID
AUTH0_CLIENT_SECRET=YOUR_AUTH0_CLIENT_SECRET
APP_BASE_URL=http://localhost:3000
AUTH0_SESSION_ENCRYPTION_KEY=your_32_char_min_secret
# Optional for APIs
AUTH0_AUDIENCE=YOUR_API_IDENTIFIER
```
Note: `AUTH0_SESSION_ENCRYPTION_KEY` must be at least 32 characters. Use `openssl rand -hex 32` to generate one.
Replace the initial template in `index.ts` file with the following example. The code demonstrates zero-config setup where environment variables are automatically read, creating an `auth0()` middleware with public routes by default and protected routes using `requiresAuth()`.
```typescript ./src/index.ts wrap lines theme={null}
// src/index.ts
import { serve } from '@hono/node-server';
import { Hono } from 'hono';
import { auth0, requiresAuth, Auth0Error, type OIDCEnv } from '@auth0/auth0-hono';
const app = new Hono();
// Zero-config: reads AUTH0_DOMAIN, AUTH0_CLIENT_ID, AUTH0_CLIENT_SECRET,
// APP_BASE_URL, AUTH0_SESSION_ENCRYPTION_KEY from environment
app.use(
auth0({
authRequired: false, // Public by default, protect specific routes
})
);
// Public route
app.get('/', (c) => c.text('Public — no login required'));
// Protected routes
app.use('/profile/*', requiresAuth());
app.get('/profile', (c) => {
const user = c.var.auth0.user;
return c.json({ message: 'Protected profile', user });
});
// Error handling
app.onError((err, c) => {
if (err instanceof Auth0Error) {
return c.json({ error: err.code, error_description: err.description }, err.status);
}
return c.json({ error: 'Internal server error' }, 500);
});
const port = Number(process.env.PORT) || 3000;
serve({ fetch: app.fetch, port }, (info) => {
console.log(`Server is running on http://localhost:${info.port}`);
});
```
Start the server and open `http://localhost:3000`.
```shellscript theme={null}
npm run dev
```
**Checkpoint**
Your Hono app should be running on [http://localhost:3000](http://localhost:3000). The `/` route is public. Visiting `/profile` should redirect you to login (if not authenticated) and then return profile data after successful authentication.
## Troubleshooting
Cause: The callback URL configured in the Auth0 Dashboard does not exactly match `APP_BASE_URL` + the callback route (e.g., `http://localhost:3000/auth/callback`).
Fix:
1. Verify `.env` `APP_BASE_URL` value.
2. Ensure Allowed Callback URLs in Auth0 Dashboard contain `http://localhost:3000/auth/callback`.
3. Restart dev server after changes.
Cause: `AUTH0_SESSION_ENCRYPTION_KEY` is missing or too short, or you changed it while cookies from an old secret remain.
Fix:
* Ensure `AUTH0_SESSION_ENCRYPTION_KEY` is at least 32 characters.
* Clear browser cookies for localhost after changing the key.
* Restart dev server.
Cause: Middleware not installed or placed after route registration.
Fix:
* Ensure `app.use(auth0(...))` runs before routes that depend on authentication.
* Confirm package installed: `npm ls @auth0/auth0-hono`.
Cause: Deployment platform not providing environment variables or using different names.
Fix:
* Map environment variables in your hosting provider dashboard to the names used in this quickstart.
* For Cloudflare Workers, verify session/cookie handling is compatible with the platform.
## Advanced Usage
* Selective protection: use `app.use(auth0({ authRequired: false }))` to make routes public by default and `app.use('/private/*', requiresAuth())` to protect specific paths.
* Silent login: use `attemptSilentLogin()` middleware to try silent authentication for better UX.
* Custom login flow: call `login({...})` to customize forwarded query params, `redirectAfterLogin`, or silent login options.
* Token management: the middleware exposes access and ID tokens via the session; follow least-privilege for scopes and rotate refresh tokens safely.
## Best Practices & Security
* Keep secrets out of source control — use environment variables.
* Use a 32+ character `AUTH0_SESSION_ENCRYPTION_KEY`.
* Set cookie `secure` to `true` in production and set appropriate `sameSite` policy.
* Limit token scopes; use audience only when requesting access tokens for APIs.
* Catch `Auth0Error` in `app.onError` to handle auth-specific errors cleanly.
***