Auth

This auth configuration in noonjs defines the authentication settings for your application. collection is set to "users", so user credentials are stored in the users collection of your database. secret ("your-primary-secret") is the key used to sign JWT access tokens, and refreshsecret ("your-secondary-secret") is the key used to sign refresh tokens. If refreshsecret is omitted, noonjs signs both token types with secret; this is not recommended, because a leak of that single key compromises access and refresh tokens at once. username ("username") names the field that holds the user's login identifier, and password ("password") names the field that stores the hashed password. access is the access token lifetime in seconds (900, i.e. 15 minutes) and refresh is the refresh token lifetime in seconds (31536000, i.e. 1 year); while the refresh token is valid, the client can obtain new access tokens without the user re-authenticating. The two secret values shown here are placeholders; replace them with randomly generated strings before deployment.
{
    "auth": {
        "collection": "users",
        "secret": "your-primary-secret",
        "refreshsecret": "your-secondary-secret",
        "username": "username",
        "password": "password",
        "access": 900,
        "refresh": 31536000
    }
}

Important

If your frontend and backend are served from different domains, subdomains, or ports and you use authentication, define the CORS origin and enable credentials in config.json or the environment variables; without an explicit origin and credentials enabled, the browser will not attach credentials to cross-origin requests. Want to learn more? Check out the CORS docs.

Important

The auth collection must include a permissions field, which should be an array with a default value.

Environment variables

For authentication, the primary secret, refresh secret, access token lifetime, and refresh token lifetime can also be supplied as environment variables. If they are not already included in the configuration file, you can pass them directly in the environment like this:

AUTH_SECRET sets the primary secret key for authentication (the access token signing key).

AUTH_REFRESH_SECRET sets the secret key used to sign refresh tokens.

AUTH_ACCESS sets the expiration time for the access token, in seconds.

AUTH_REFRESH sets the expiration time for the refresh token, in seconds.

These values control token signing and lifetimes; keeping the secrets in the environment rather than in config.json also keeps them out of version control. The variable names match the list above, so an environment file for the configuration shown earlier looks like this:

AUTH_SECRET=your-primary-secret
AUTH_REFRESH_SECRET=your-secondary-secret
AUTH_ACCESS=900
AUTH_REFRESH=31536000

Important

Use a long, randomly generated string for secret (the access token key): at least 32 characters.

For refreshsecret, use at least 64 characters (preferably 128 or more). Length alone is only a proxy for strength: a 32-character phrase typed by hand has far less entropy than 32 random bytes, so generate both secrets with a cryptographically secure random generator and never keep the placeholder values from the examples above. Long random keys make guessing or brute-forcing the signing key infeasible.
