
Simple Bearer authentication scheme plugin for hapi, accepts token by Header, Cookie or Query parameter.

Downloads in past


8.0.04 years ago10 years agoMinified + gzip package size for hapi-auth-bearer-token in KB


hapi auth bearer token

Build Status
Release Notes @hapi/hapi, joi, and @hapi/boom are all now peer dependencies to allow maximum flexibility. A reference to joi is now required as opposed to the older @hapi/joi.
For hapi 17.x and above used in combination with the new joi v17.x package. Requires Node 12 or greater.
Note: For hapi v17 and above implementations using @hapi/joi, it is recommended to use Version 6.x.x of this module.
Note: For hapi versions below v17, you must use versions v5.x.x of this module.
Lead Maintainer: John Brett
Bearer authentication requires validating a token passed in by bearer authorization header or query parameter.
This module creates a 'bearer-access-token' scheme takes the following options:
  • validate - (required) a token validation function with the signature [async] function(request, token, h) where:
- `request` - is the hapi request object of the request which is being authenticated.
- `token` - the auth token received from the client.
- `h` - the response toolkit.
- Returns an object `{ isValid, credentials, artifacts }` where:
    - `isValid` - `true` if token is valid, otherwise `false`.
    - `credentials` - a credentials object passed back to the application in `request.auth.credentials`. Note that due to underlying Hapi expectations, this value must be defined even if `isValid` is `false`. We recommend it be set to `{}` if `isValid` is `false` and you have no other value to provide.
    - `artifacts` - optional [authentication](http://hapijs.com/tutorials/auth) related data that is not part of the user's credential.
  • options - (optional)
- `accessTokenName` (Default: `'access_token'`) - Rename token key e.g. 'new_name' would rename the token query parameter to `/route1?new_name=1234`.
- `allowQueryToken` (Default: `false`) - Accept token via query parameter.
- `allowCookieToken` (Default: `false`) - Accept token via cookie.
- `allowMultipleHeaders` (Default: `false`) - Accept multiple authorization headers, e.g. `Authorization: FD AF6C74D1-BBB2-4171-8EE3-7BE9356EB018; Bearer 12345678`.
- `tokenType` (Default: `'Bearer'`) - Accept a custom token type e.g. `Authorization: Basic 12345678`.
- `allowChaining` (Default: `false`) - Allow attempt of additional authentication strategies.
- `unauthorized` (Default: `Boom.unauthorized`) - A function to call when unauthorized with signature `function([message], [scheme], [attributes])`. [More details](https://github.com/hapijs/boom#boomunauthorizedmessage-scheme-attributes)

    If using a custom `unauthorized` function, it is recommended you read hapi's documentation on authentication schemes, especially in the case of using multiple strategies: [Authentication scheme](https://hapijs.com/api#authentication-scheme).
const Hapi = require('hapi');
const AuthBearer = require('hapi-auth-bearer-token');

const server = Hapi.server({ port: 8080 });

const start = async () => {

    await server.register(AuthBearer)

    server.auth.strategy('simple', 'bearer-access-token', {
        allowQueryToken: true,              // optional, false by default
        validate: async (request, token, h) => {

            // here is where you validate your token
            // comparing with token from your database for example
            const isValid = token === '1234';

            const credentials = { token };
            const artifacts = { test: 'info' };

            return { isValid, credentials, artifacts };


        method: 'GET',
        path: '/',
        handler: async function (request, h) {

            return { info: 'success!' };

    await server.start();

    return server;

    .then((server) => console.log(`Server listening on ${server.info.uri}`))
    .catch(err => {


 * To test this example, from your terminal try:
 *  curl localhost:8080
 *     response: {"statusCode":401,"error":"Unauthorized","message":"Missing authentication"}
 *  curl localhost:8080?access_token=abc
 *     response: {"statusCode":401,"error":"Unauthorized","message":"Bad token","attributes":{"error":"Bad token"}}
 *  curl curl localhost:8080?access_token=1234
 *     response: {"info":"success!"}

License MIT @ John Brett and other contributors 2018