
Build a Server-Side Web App with Ory

Ory supports server-side web apps natively. To get building, pick the technology you are using:

Before you get started, please install the Ory CLI on your system, and have a running Ory Project and a Personal Access Token ready.

For more information on the Ory Cloud SDK and Services, please see the Services & APIs docs.

ExpressJS / NodeJS

This example uses NodeJS with TypeScript support and ExpressJS to set up an app with two endpoints:

  • /: can be accessed without an active Ory Session;
  • /public: can be accessed without an active Ory Session;
  • /protected: can only be accessed after registration / login - with an active Ory Session.

To get started open a new terminal and set the environment variables:

  • ORY_ACCESS_TOKEN: Use a personal access token here
export ORY_ACCESS_TOKEN=...
# e.g.
# export ORY_ACCESS_TOKEN=2123l8jJhSIYQZvfasd53YoRvcseg1

To get started, check out the example's source code, install the node packages, and run the app:

git clone docs/examples/typescript-express
npm i
export ORY_ACCESS_TOKEN=...
# e.g.
# export ORY_ACCESS_TOKEN=2123l8jJhSIYQZvfasd53YoRvcseg1
## ATTENTION ##
# Node, similar to Firefox, does not use the Operating System Certificate store.
# To get the self-signed SSL certificates working, we need to disable TLS Verification.
# NEVER, EVER do this in a live system.
export NODE_TLS_REJECT_UNAUTHORIZED=0
npm start

Open another terminal and set the ORY_ACCESS_TOKEN environment variable to your Personal Access Token:


Next, run the Ory Proxy with

  • --port 4000: the port on which the proxy should listen;
  • http://localhost:8000/: the host and port of the NodeJS app you are protecting.
ory proxy local --port 4000 http://localhost:8000/

Your operating system will prompt you for your administrative password. The Ory Proxy sets up a temporary SSL certificate in your operating system's certificate store to enable HTTPS integration.


The registration of the self-signed SSL certificate works only in Chrome and Safari but not yet in Firefox. Also, programming languages like Golang, NodeJS, and others often do not respect the operating system certificate store. In those cases, you must disable TLS verification. This is not an issue in production!

To see what the app can do, open it at the original endpoints:

The second URL /protected will greet you with an error because no Ory Session is available.

NodeJS route is not available without authentication

However, if you open the URL through the proxy at https://localhost:4000/protected, your browser will be redirected to a login screen! Once you have created an account or signed in, the application will show information about the session:


Code Examples

To get the app integrated with Ory, we use the following npm dependencies:

  • @ory/client contains the Ory SDK. While not needed, the app includes an example of how to set up the SDK and use it;
  • dotenv loads environment variables from a .env file;
  • express-jwt is an express middleware for JWTs;
  • jwks-rsa is a library to load the cryptographic keys for verifying JWTs using a remote URL.

Let's take a look at the annotated code!

Root App

All you need is a plain ExpressJS skeleton:


The Ory Session Cookie is converted to a JSON Web Token by ory proxy local. The cryptographic key to verify the JSON Web Token is available at https://<proxy>/.ory/proxy/.well-known.

If the JSON Web Token is not available, or not valid, we redirect to the login:
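
The check that express-jwt and jwks-rsa perform in this flow, reduced to Node's built-in crypto module so it runs offline. This is an added example, not the Ory example app's code: the key pair, the kid, the claims and the helper names signToken, verifyToken and decide are constructed for illustration, and the token is assumed to be RS256-signed and to carry an exp claim.

```javascript
const crypto = require('crypto');

const b64url = (v) => Buffer.from(v).toString('base64url');

// Constructed fixture: a throwaway RSA key pair standing in for the proxy's signing key,
// published the way a JWKS endpoint would publish it. The kid value is made up.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const jwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'demo-key', alg: 'RS256' }] };

// Issues a constructed token for the demo; in the real flow the proxy issues it.
function signToken(claims, key = privateKey, header = { alg: 'RS256', kid: 'demo-key' }) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  return `${input}.${crypto.sign('sha256', Buffer.from(input), key).toString('base64url')}`;
}

// Returns the claims when the token verifies against the key set, otherwise null.
function verifyToken(token, keySet, now = Math.floor(Date.now() / 1000)) {
  try {
    const [h, p, s, ...rest] = String(token).split('.');
    if (!h || !p || !s || rest.length) return null;
    const header = JSON.parse(Buffer.from(h, 'base64url').toString());
    // Pin the algorithm: a token must not be able to choose "none" or HS256.
    if (header.alg !== 'RS256') return null;
    const jwk = keySet.keys.find((k) => k.kid === header.kid);
    if (!jwk) return null;
    const key = crypto.createPublicKey({ key: { kty: jwk.kty, n: jwk.n, e: jwk.e }, format: 'jwk' });
    const signed = Buffer.from(`${h}.${p}`);
    if (!crypto.verify('sha256', signed, key, Buffer.from(s, 'base64url'))) return null;
    const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
    // Assumption: the token carries a numeric exp claim.
    if (typeof claims.exp !== 'number' || claims.exp <= now) return null;
    return claims;
  } catch {
    return null; // malformed input is treated like a missing token
  }
}

// Route decision: serve the page for a valid token, send everything else to login.
function decide(token, keySet, now) {
  return verifyToken(token, keySet, now) ? 'allow' : 'redirect-to-login';
}
```

Every failure path (missing token, unknown kid, wrong algorithm, bad signature, expiry) collapses to the same redirect, so the response does not reveal which check failed.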

Protected Page

The protected page does a few extra things: it fetches the identity from Ory Cloud's Administrative APIs and creates a logout URL for the user:


Great! You've made it! Integrating Ory is easy and straightforward. There are many more things to come, and we are excited to have you on board!