• Middleware that will return a 401 if a valid JWT bearer token is not provided in the request.

    Can be used in 2 ways:

    1. Pass in an AuthOptions.issuerBaseURL (or define the env variable ISSUER_BASE_URL):

        app.use(auth({
          issuerBaseURL: 'http://issuer.example.com',
          audience: 'https://myapi.com'
        }));

    This uses AuthOptions.issuerBaseURL to find the OAuth 2.0 Authorization Server Metadata, from which it gets AuthOptions.jwksUri and AuthOptions.issuer.

    2. You can also skip discovery and provide AuthOptions.jwksUri (or define the env variable JWKS_URI) and AuthOptions.issuer (or define the env variable ISSUER) yourself:

        app.use(auth({
          jwksUri: 'http://issuer.example.com/well-known/jwks.json',
          issuer: 'http://issuer.example.com',
          audience: 'https://myapi.com'
        }));

    You must provide the audience argument (or AUDIENCE environment variable) used to match against the Access Token's aud claim.

    Successful requests will have the following properties added to them:

        app.get('/foo', auth(), (req, res, next) => {
          const auth = req.auth;
          auth.header; // The decoded JWT header.
          auth.payload; // The decoded JWT payload.
          auth.token; // The raw JWT token.
        });


    Returns Handler
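To make the 401 conditions concrete, the following added sketch (not this library's code) shows the kind of checks a JWT bearer middleware runs against the JWKS, issuer and audience options described above. The names `verifyBearer`, `mint`, the `demo-key` kid and the sample key pair are hypothetical and constructed for the example; the RS256-only pinning and the `exp` check are assumptions of the sketch, not behaviour stated on this page.

```javascript
const { generateKeyPairSync, createSign, createVerify, createPublicKey } = require('node:crypto');

const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));

// Returns { status: 200, auth } or { status: 401, error }.
// Assumptions of this sketch: RS256 only, and exp is required.
function verifyBearer(authorization, { jwks, issuer, audience, now = Date.now() / 1000 }) {
  const deny = (error) => ({ status: 401, error });
  const m = /^Bearer ([\w-]+\.[\w-]+\.[\w-]+)$/.exec(authorization || '');
  if (!m) return deny('missing or malformed bearer token');
  const token = m[1];
  const [h, p, s] = token.split('.');
  let header, payload;
  try { header = dec(h); payload = dec(p); } catch { return deny('undecodable token'); }
  // Pin the algorithm: the token must not be able to select "none" or a symmetric alg.
  if (header.alg !== 'RS256') return deny('unexpected alg');
  const jwk = jwks.keys.find((k) => k.kid === header.kid);
  if (!jwk) return deny('unknown kid');
  const ok = createVerify('RSA-SHA256').update(`${h}.${p}`)
    .verify(createPublicKey({ key: jwk, format: 'jwk' }), Buffer.from(s, 'base64url'));
  if (!ok) return deny('bad signature');
  if (payload.iss !== issuer) return deny('issuer mismatch');
  const aud = [].concat(payload.aud ?? []); // aud may be a string or an array
  if (!aud.includes(audience)) return deny('audience mismatch');
  if (typeof payload.exp !== 'number' || payload.exp <= now) return deny('expired');
  return { status: 200, auth: { header, payload, token } };
}

// Constructed sample issuer key and tokens (not real credentials).
const { publicKey, privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 });
const jwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'demo-key' }] };
const opts = { jwks, issuer: 'http://issuer.example.com', audience: 'https://myapi.com' };

function mint(claims, header = { alg: 'RS256', kid: 'demo-key' }) {
  const input = `${enc(header)}.${enc(claims)}`;
  return `${input}.${createSign('RSA-SHA256').update(input).sign(privateKey).toString('base64url')}`;
}

const exp = Math.floor(Date.now() / 1000) + 300;
const good = mint({ iss: opts.issuer, aud: [opts.audience, 'https://other.example'], exp });
const wrongAud = mint({ iss: opts.issuer, aud: 'https://other.example', exp });
const unsigned = `${enc({ alg: 'none' })}.${enc({ iss: opts.issuer, aud: opts.audience, exp })}.AA`;

for (const t of [good, wrongAud, unsigned]) console.log(verifyBearer(`Bearer ${t}`, opts).status);
```

A correctly signed token minted for a different audience is still rejected, which is why the audience option is mandatory: without it, any access token from the same issuer would be accepted by this API.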