Skip to main content

api-auth-hono

@rtorcato/api-auth-hono provides two Hono middleware functions that verify a JWT and attach the decoded payload to the request context. Failures throw an UnauthorizedError — pair with api-errors-hono for automatic JSON 401 responses. It's the Hono counterpart to api-auth-express, built on the same api-auth core.

Install

pnpm add @rtorcato/api-auth @rtorcato/api-auth-hono hono

hono is a peer dependency (^4) — you bring your own version.

authMiddleware

Requires a valid token. Throws UnauthorizedError (missing_token / invalid_token) when the token is absent or invalid.

Type the app with { Variables: AuthVariables } to get a typed c.get('user'):

import { Hono } from 'hono'
import { authMiddleware, type AuthVariables } from '@rtorcato/api-auth-hono'
import { errorHandler } from '@rtorcato/api-errors-hono'

const app = new Hono<{ Variables: AuthVariables }>()

app.use(authMiddleware(process.env.JWT_SECRET))

app.get('/me', (c) => c.json({ user: c.get('user') }))

app.onError(errorHandler())

The token is read from Authorization: Bearer <token> first, then from a cookie named token. Customise the cookie name:

app.use(authMiddleware(process.env.JWT_SECRET, { cookieName: 'access_token' }))

Pass verifyOptions to control JWT verification (algorithm, audience, issuer, etc.):

app.use(authMiddleware(secret, {
verifyOptions: { algorithms: ['HS256'], audience: 'my-api' },
}))

optionalAuthMiddleware

Tries to verify the token but never blocks the request. If a valid token is present c.get('user') is set; if not (missing, expired, malformed), the request continues with user undefined.

import { optionalAuthMiddleware } from '@rtorcato/api-auth-hono'

app.use(optionalAuthMiddleware(process.env.JWT_SECRET))

app.get('/feed', (c) => {
const user = c.get('user')
return c.json(user ? personalFeed(user.sub) : publicFeed())
})