Scripts · Apr 25, 2026 · 3 min read

Passport.js — Simple Authentication Middleware for Node.js

Passport.js is an unobtrusive authentication middleware for Node.js that supports 500+ strategies including OAuth, OpenID Connect, and local username/password.

Introduction

Passport.js is a middleware-based authentication framework for Express and Connect-compatible Node.js applications. Its strategy pattern lets developers plug in any authentication mechanism without changing application code.

What Passport.js Does

  • Authenticates requests via a pluggable strategy architecture
  • Supports 500+ community strategies (OAuth 2.0, SAML, LDAP, JWT, local, and more)
  • Serializes and deserializes user objects into server-side sessions
  • Integrates natively with Express middleware pipelines
  • Handles login, logout, and session persistence out of the box

Architecture Overview

Passport attaches itself to the Express request pipeline as middleware. When passport.authenticate('strategy') is called on a route, it delegates to the named strategy instance, which validates credentials (checking a database, calling an OAuth provider, etc.) and returns a user object or an error. The framework then serializes the user into the session via serializeUser and deserializes it on subsequent requests via deserializeUser.

Self-Hosting & Configuration

  • Install passport plus one or more strategy packages (e.g., passport-local, passport-google-oauth20)
  • Configure each strategy with a verify callback that checks credentials and calls done(null, user)
  • Define serializeUser and deserializeUser to control what is stored in the session
  • Mount passport.initialize() and passport.session() middleware in your Express app
  • Protect routes by adding passport.authenticate('strategy') as route middleware
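
The steps above as an added example (not code from the original page or from the Passport project): a verify callback in the shape passport-local expects, plus serializeUser and deserializeUser, written against Node's built-in crypto so the logic runs without dependencies. The in-memory user store, the sample password and the names hashPassword and verify are assumptions made for illustration; the Express wiring is shown as comments.

```javascript
const crypto = require('node:crypto');

// scryptSync keeps the example synchronous; under load prefer the async crypto.scrypt.
function hashPassword(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

// Constructed sample user store (assumption): a real app queries its database here.
const salt = crypto.randomBytes(16);
const users = new Map([
  ['alice', { id: 1, username: 'alice', salt, hash: hashPassword('correct horse', salt) }],
]);
// Dummy record so unknown usernames cost the same scrypt work as known ones.
const dummy = { salt: crypto.randomBytes(16), hash: crypto.randomBytes(32) };

// Verify callback for passport-local: (username, password, done).
function verify(username, password, done) {
  try {
    const user = users.get(username);
    const record = user || dummy;
    const candidate = hashPassword(password, record.salt);
    const ok = crypto.timingSafeEqual(candidate, record.hash);
    // done(null, false) means "credentials rejected"; done(err) is for real failures.
    if (!user || !ok) return done(null, false);
    return done(null, { id: user.id, username: user.username });
  } catch (err) {
    return done(err);
  }
}

// Store only the user id in the session, never the hash or the full record.
function serializeUser(user, done) {
  done(null, user.id);
}

// Rebuild req.user from the id on each request; a missing user invalidates the session.
function deserializeUser(id, done) {
  const user = [...users.values()].find((u) => u.id === id);
  done(null, user ? { id: user.id, username: user.username } : false);
}

// Wiring (needs express, express-session, passport, passport-local installed):
//   passport.use(new LocalStrategy(verify));
//   passport.serializeUser(serializeUser);
//   passport.deserializeUser(deserializeUser);
//   app.use(session({ secret: process.env.SESSION_SECRET, resave: false, saveUninitialized: false }));
//   app.use(passport.initialize());
//   app.use(passport.session());
//   app.post('/login', passport.authenticate('local'), (req, res) => res.sendStatus(204));
```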

Key Features

  • Strategy pattern decouples authentication logic from application code
  • Over 500 official and community strategies covering virtually every provider
  • Lightweight core with no forced dependencies on any database or template engine
  • Single sign-on via OAuth 2.0, OpenID Connect, and SAML strategies
  • Works with any session store compatible with express-session

Comparison with Similar Tools

  • Auth.js (NextAuth) — full-stack auth for Next.js with built-in providers; Passport.js is framework-agnostic middleware
  • Keycloak — standalone identity server with admin UI; Passport.js embeds directly into your Node app
  • SuperTokens — managed or self-hosted auth with pre-built UI; Passport.js gives lower-level control
  • Firebase Auth — hosted auth by Google; Passport.js runs entirely in your own backend
  • Lucia — modern session-based auth library; Passport.js has a far larger strategy ecosystem

FAQ

Q: Does Passport.js work with frameworks other than Express?
A: It works with any Connect-compatible framework (Koa via adapters, Fastify via plugins). Native Express integration is the best supported.

Q: How do I use JWT instead of sessions?
A: Use the passport-jwt strategy and disable sessions by passing { session: false } to passport.authenticate.

Q: Is Passport.js still actively maintained?
A: Yes. Passport 0.7+ receives updates, and the ecosystem of strategies is maintained by individual authors.

Q: Can I combine multiple strategies on one route?
A: Yes. Pass an array of strategy names to passport.authenticate or chain middleware to try strategies in order.
