Authentication configuration controls how users authenticate with your Feathers application. It supports JWT tokens, local authentication (email/password), and OAuth providers.
Configuration Location Authentication settings are stored in config/default.json and generated when you run the authentication generator:
feathers generate authentication
Authentication Schema The authentication configuration can be validated using schemas:
import { Type } from '@feathersjs/typebox' export const authenticationSettingsSchema = Type . Object ({ secret: Type . String ({ description: 'The JWT signing secret' }), entity: Type . Optional ( Type . Union ([ Type . String ({ description: 'The name of the authentication entity (e.g. user)' }), Type . Null () ]) ), entityId: Type . Optional ( Type . String ()), service: Type . Optional ( Type . String ()), authStrategies: Type . Array ( Type . String ()), jwtOptions: Type . Optional ( Type . Object ({})), local: Type . Optional ( Type . Object ({ usernameField: Type . String (), passwordField: Type . String () }) ) })
Core Settings The secret key used to sign and verify JWT tokens. This should be a long, random string. Environment Variable: FEATHERS_SECRETSecurity: Never commit this to version control. Always use environment variables in production.Example: Generated automatically as a 32-character base64 string
The name of the entity (e.g., ‘user’) that is authenticated. Set to null for no entity. Default: The service name (e.g., user)
The name of the id property on the entity. Default: id (or _id for MongoDB)
The path of the service that provides the authentication entity. Example: users
authentication.authStrategies
List of authentication strategy names that are allowed to create JWT access tokens. Default: ['jwt', 'local']Common values: jwt, local, google, github, facebook, twitter, auth0
authentication.parseStrategies
List of strategy names that should parse HTTP headers for authentication information. Default: Same as authStrategies
JWT Settings authentication.jwtOptions
Options passed to the JWT library for token generation and verification. Header claims for the JWT token. Token type. Default: access
authentication.jwtOptions.audience
The intended audience for the token. Example: https://yourdomain.com
authentication.jwtOptions.algorithm
The signing algorithm to use. Default: HS256Options: HS256, HS384, HS512, RS256, etc.
authentication.jwtOptions.expiresIn
How long the token is valid. Default: 1d (1 day)Format: Use strings like 2h, 7d, 30m
Configuration for JWT parsing from HTTP headers. The HTTP header containing the JWT. Default: Authorization
authentication.jwt.schemes
Array of authentication schemes to support. Default: ['Bearer', 'JWT']
Local Authentication Settings Configuration for email/password authentication. authentication.local.usernameField
The field name for the username (typically email). Default: email
authentication.local.passwordField
The field name for the password. Default: password
authentication.local.hashSize
The BCrypt salt length for password hashing. Default: 10
authentication.local.errorMessage
The error message returned on authentication failure. Default: Invalid login
authentication.local.entityUsernameField
Name of the username field on the entity if different from the request field. Use case: When the entity stores email but authentication expects username
authentication.local.entityPasswordField
Name of the password field on the entity if different from the request field.
OAuth Settings Configuration for OAuth providers (Google, GitHub, Facebook, etc.). authentication.oauth.redirect
The URL to redirect to after successful OAuth authentication. Example: http://localhost:3030/
authentication.oauth.origins
Allowed origins for OAuth redirects. Example: ['http://localhost:3030']
authentication.oauth.defaults
Default configuration for all OAuth providers. authentication.oauth.defaults.key
Default OAuth client ID (can be overridden per provider).
authentication.oauth.defaults.secret
Default OAuth client secret (can be overridden per provider).
Provider-Specific Settings Each OAuth provider (google, github, facebook, twitter, auth0) has the same configuration structure:
authentication.oauth.<provider>
Configuration for a specific OAuth provider. authentication.oauth.<provider>.key
The OAuth client ID from the provider. Example: <Client ID>
authentication.oauth.<provider>.secret
The OAuth client secret from the provider. Example: <Client secret>
Configuration Examples JWT + Local Authentication
JWT + OAuth Providers
custom-environment-variables.json
{ "authentication" : { "entity" : "user" , "service" : "users" , "secret" : "your-secret-here" , "authStrategies" : [ "jwt" , "local" ], "jwtOptions" : { "header" : { "typ" : "access" }, "audience" : "https://yourdomain.com" , "algorithm" : "HS256" , "expiresIn" : "1d" }, "local" : { "usernameField" : "email" , "passwordField" : "password" } } }
Usage in Application The authentication service is automatically configured:
import { AuthenticationService , JWTStrategy } from '@feathersjs/authentication' import { LocalStrategy } from '@feathersjs/authentication-local' import { oauth , OAuthStrategy } from '@feathersjs/authentication-oauth' import type { Application } from './declarations' declare module './declarations' { interface ServiceTypes { authentication : AuthenticationService } } export const authentication = ( app : Application ) => { const authentication = new AuthenticationService ( app ) authentication . register ( 'jwt' , new JWTStrategy ()) authentication . register ( 'local' , new LocalStrategy ()) authentication . register ( 'google' , new OAuthStrategy ()) authentication . register ( 'github' , new OAuthStrategy ()) app . use ( 'authentication' , authentication ) app . configure ( oauth ()) }
Testing Authentication Test your authentication configuration:
// Local authentication const { accessToken } = await app . service ( 'authentication' ). create ({ strategy: 'local' , email: 'user@example.com' , password: 'password123' }) // JWT authentication const { user } = await app . service ( 'authentication' ). create ({ strategy: 'jwt' , accessToken })
Best Practices
Generate strong, random secrets for JWT signing. Use at least 32 characters and store them in environment variables.
Set appropriate token expiration
Balance security and user experience. Short-lived tokens (1-7 days) are more secure but may require more frequent logins.
Never commit OAuth client IDs and secrets. Use environment variables and restrict access to production credentials.
Always use HTTPS for authentication endpoints in production to prevent token interception.
Set the audience field in JWT options to your application’s domain to prevent token misuse.
Use BCrypt with appropriate salt rounds (10-12). Never store plain-text passwords.