DEV Community: Edouard Maleix The latest articles on DEV Community by Edouard Maleix (@getlarge). https://dev.to/getlarge https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1253749%2Fc4b87a1b-784c-491c-ab9e-1cd2a4df299c.jpeg DEV Community: Edouard Maleix https://dev.to/getlarge en Securing MCP Servers with OAuth2: Ory Hydra + Claude Code + ChatGPT Edouard Maleix Fri, 30 Jan 2026 15:18:26 +0000 https://dev.to/playfulprogramming/securing-mcp-servers-with-oauth2-ory-hydra-claude-code-chatgpt-58hm https://dev.to/playfulprogramming/securing-mcp-servers-with-oauth2-ory-hydra-claude-code-chatgpt-58hm <p>A client asked me to secure their MCP server. Simple enough — throw in some API keys, right?</p> <p>But the Model Context Protocol spec had other ideas: OAuth2 with Dynamic Client Registration, Resource Indicators (RFC 8707), Protected Resource Metadata (RFC 9728)...</p> <p>One week and dozens of authentication bugs later, I have an MCP server that works with Claude and ChatGPT. Here's everything I learned — so you don't have to repeat the dance.</p> <h2> Why Not Just Use API Keys? </h2> <p>You're building an MCP server — an API that lets AI assistants like Claude and ChatGPT call external tools. Your first instinct: add a simple <code>Authorization: Bearer sk-...</code> header and call it a day.</p> <p>Then you read the <a href="https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization" rel="noopener noreferrer">MCP Authorization spec (2025-11-25 revision)</a> and realize<sup id="fnref1">1</sup>:</p> <ul> <li>OAuth 2.1 (<a href="https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-14" rel="noopener noreferrer">draft-ietf-oauth-v2-1</a>) is <strong>MUST</strong> </li> <li>Client ID Metadata Documents (<a href="https://datatracker.ietf.org/doc/html/draft-ietf-oauth-client-id-metadata-document-00" rel="noopener noreferrer">draft-ietf-oauth-client-id-metadata-document</a>) is <strong>SHOULD</strong> </li> <li>Dynamic Client Registration (<a href="https://datatracker.ietf.org/doc/html/rfc7591" rel="noopener noreferrer">RFC 7591</a>) is <strong>MAY</strong> </li> <li>Resource Indicators (<a href="https://datatracker.ietf.org/doc/html/rfc8707" rel="noopener noreferrer">RFC 8707</a>) is <strong>MUST</strong> </li> <li>Protected Resource Metadata (<a href="https://datatracker.ietf.org/doc/html/rfc9728" rel="noopener noreferrer">RFC 9728</a>) is <strong>MUST</strong> </li> <li>Authorization Server Metadata (<a href="https://datatracker.ietf.org/doc/html/rfc8414" rel="noopener noreferrer">RFC 8414</a>) is <strong>MUST</strong> </li> </ul> <p>"This is overkill for my side project," you think.</p> <p>But here's the reality: <strong>major MCP clients already implement these specs</strong> — Claude, ChatGPT, LibreChat, and others. Your MCP server either speaks OAuth2 correctly, or it doesn't work with any of them.</p> <h3> Why OAuth2 Matters for MCP Servers </h3> <p>If you're new to OAuth2: think of it as a crowd of services dancing together — one misstep and the whole routine falls apart.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fmedia2.giphy.com%2Fmedia%2Fv1.Y2lkPTc5MGI3NjExdnZ5OGJudG44Y3I4N2M4Mm54NzhrbG84N2gzcGg1NG9jcHBncWU0YyZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw%2F3ohjV6EaqkKjhQxlwk%2Fgiphy.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fmedia2.giphy.com%2Fmedia%2Fv1.Y2lkPTc5MGI3NjExdnZ5OGJudG44Y3I4N2M4Mm54NzhrbG84N2gzcGg1NG9jcHBncWU0YyZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw%2F3ohjV6EaqkKjhQxlwk%2Fgiphy.gif" alt="Lone squirrel dancing" width="272" height="480"></a><br>You, when you implement OAuth2 for the first time </p> <p>In our setup, the crowd includes:</p> <ul> <li> <strong>Your MCP Server</strong> (the API you're protecting)</li> <li> <strong>Ory Network</strong> (the bouncer checking credentials)</li> <li> <strong>GitHub</strong> (proving who you are via social login)</li> <li> <strong>MCP clients like Claude, ChatGPT, or LibreChat</strong> (requesting access)</li> </ul> <p>Each dancer has a role, and OAuth2 is the choreography that makes them work together without your MCP server ever seeing passwords.</p> <p>Why go through this trouble instead of simple API keys? OAuth2 solves real security problems:</p> <h4> User Context </h4> <p>MCP servers need to know <em>who</em> is making requests. Without proper auth:</p> <ul> <li>All users share the same data (no privacy)</li> <li>No audit trail (who did what?)</li> <li>Can't implement rate limiting per user</li> <li>Resource ownership is impossible</li> </ul> <h4> Token Lifecycle </h4> <p>OAuth2 access tokens expire by design. API keys <em>can</em> have expiration dates too, but in practice most don't — and even when they do, rotation is manual and easy to forget. OAuth2 bakes this in:</p> <ul> <li>Short-lived access tokens limit the blast radius of a compromise</li> <li>Refresh tokens enable seamless rotation without user disruption</li> <li>Revocation is immediate (especially with opaque tokens + introspection)</li> </ul> <h4> Scope Limitation </h4> <p>OAuth2 tokens carry scopes (permissions):</p> <ul> <li> <code>openid</code> = identity information</li> <li> <code>offline_access</code> = refresh tokens</li> <li>Custom scopes = fine-grained access control</li> </ul> <p>A single API key is all-or-nothing. OAuth2 tokens can be scoped to specific operations.</p> <h4> Standard Protocol </h4> <p>MCP clients already implement OAuth2. If you use API keys:</p> <ul> <li>You need a custom authentication flow</li> <li>MCP clients won't auto-discover your server</li> <li>You're maintaining non-standard auth code</li> </ul> <p><strong>Security by simplicity</strong>: Using OAuth2 means following a proven standard instead of rolling your own authentication.</p> <blockquote> <p><em>Okay, I'm lying — OAuth2 is complicated.</em></p> </blockquote> <h2> Learning by Doing </h2> <p>To make sense of all this, let's build a minimal MCP server secured with OAuth2 using Ory Hydra and Kratos. By the end, you'll have:</p> <ul> <li>✅ OAuth2 authorization and consent (Hydra)</li> <li>✅ Social login via GitHub (Kratos)</li> <li>⚠️ Works with Claude Code CLI (with caveats - see Bug #2)</li> <li>✅ Works with Claude.ai Custom Connectors</li> <li>✅ Works with Claude Desktop</li> <li>✅ <strong>Works with ChatGPT Web App</strong> (tested - actually works better than Claude!)</li> <li>❌ Codex VSCode extension (OAuth not supported for custom servers)</li> <li>✅ User-scoped resource isolation (you only see your data)</li> </ul> <h3> The Stack: What Each Piece Does </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbv5o02d06swb6g11431q.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbv5o02d06swb6g11431q.png" alt="Diagram of OAuth2 flow between Client, MCP Server, Ory Hydra, and Ory Kratos" width="800" height="701"></a></p> <p><strong>Why this stack?</strong></p> <ul> <li> <strong>Ory Kratos and Hydra</strong>: Identity management and OAuth2 server <a href="https://github.com/ory/hydra" rel="noopener noreferrer">trusted by companies like OpenAI</a> for scale and security</li> <li> <strong>Fastify MCP</strong>: Fastify plugin, forked from <a href="https://github.com/platformatic/mcp" rel="noopener noreferrer">@platformatic/mcp</a> with better OAuth2 support</li> </ul> <h2> Part 1: Setting Up Ory Network </h2> <p>I use <strong>Ory Network</strong> for this guide. It hosts your Hydra and Kratos instances so you don't have to manage infrastructure.<br> It's the same team behind Ory Hydra, Kratos, Keto, and Oathkeeper.</p> <blockquote> <p><em>Yes, they have a free Developer tier.</em></p> </blockquote> <h3> Step 1: Create Your Ory Network Project </h3> <ol> <li> <strong>Register account</strong>: Visit <a href="https://console.ory.sh" rel="noopener noreferrer">https://console.ory.sh</a> and sign up</li> <li> <strong>Create workspace</strong>: Click "New Workspace" (organizational container for projects)</li> <li> <strong>Create project</strong>: Within your workspace, click "New Project" <ul> <li>Name: "MCP Server Development"</li> <li>Region: Choose closest to you</li> </ul> </li> <li> <strong>Generate API key</strong>: Go to <strong>Developers</strong> tab → <strong>API Keys</strong> → "Create API Key" <ul> <li>Save the key securely (you'll need it for introspection auth)</li> </ul> </li> </ol> <blockquote> <p><em>I can feel your sarcasm: "We use an API key to avoid API keys?" Yes, but this key is for Ory Network management only, not for your MCP server clients.</em></p> </blockquote> <p><strong>Note your project details</strong>:</p> <ul> <li>Workspace ID: (in workspace settings)</li> <li>Project ID: (in project settings)</li> <li>Project slug: <code>{your-slug}.projects.oryapis.com</code> </li> </ul> <blockquote> <p><strong>Detailed setup guide</strong>: See <a href="https://dev.to/getlarge/deployment-to-ory-network-38ml">Deployment to Ory Network</a> for complete walkthrough including CLI setup.</p> <p><strong>Prefer running everything locally?</strong> Skip Ory Network and use Docker Compose. Your configuration is fully portable to self-hosted Hydra/Kratos later — I tested both, and the same JSON config works on either. This is the beauty of Ory.<br> This <a href="https://github.com/getlarge/ticketing/blob/main/docker-compose.yaml" rel="noopener noreferrer">compose file</a> is from an older project but demonstrates the full Ory stack (Hydra, Kratos, PostgreSQL, Self-Service UI).</p> </blockquote> <h3> Understanding OAuth2 Client Registration for MCP </h3> <p>Before configuring, let's understand <strong>why MCP needs Dynamic Client Registration (DCR)</strong>. (The spec looks over-engineered — until you realize it solves real problems.)</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpp9ddi8qmowhf862bodm.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpp9ddi8qmowhf862bodm.gif" alt="Confused math lady meme" width="504" height="322"></a></p> <p><em>"I just want to call an API, why do I need to read so many RFCs?"</em></p> <h4> The Problem: Unknown Clients </h4> <p>Traditional OAuth2 assumes you know your clients upfront:</p> <ul> <li>Developer manually registers app in OAuth console</li> <li>Gets hardcoded <code>client_id</code> and <code>client_secret</code> </li> <li>Ships these credentials in the app</li> </ul> <p><strong>But with MCP</strong>: When someone discovers your server URL, their Claude client has <strong>never heard of your server</strong>. How do they get credentials? You can't expect every user to register manually in your OAuth console — that defeats the whole "seamless AI integration" promise.</p> <h4> Solution 1: Dynamic Client Registration (DCR - RFC 7591) </h4> <p>DCR lets clients register themselves <strong>at runtime</strong>:</p> <ol> <li>Client discovers MCP server</li> <li>Client reads <code>registration_endpoint</code> from OIDC discovery</li> <li>Client POSTs metadata to register: <code>{redirect_uris, grant_types, scopes}</code> </li> <li>Server returns new <code>client_id</code> (and maybe <code>client_secret</code>)</li> <li>Client proceeds with normal OAuth flow using the registered scopes</li> </ol> <h4> Solution 2: Client ID Metadata Documents (CIMD) </h4> <p>The <a href="https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization#client-id-metadata-documents" rel="noopener noreferrer">November 2025 MCP spec</a> introduced CIMD as the <strong>SHOULD</strong> (recommended) approach, with DCR as <strong>MAY</strong> (optional fallback).</p> <p><strong>How it works</strong>: Clients publish metadata at an HTTPS URL they control. <strong>That URL becomes the client_id</strong>.</p> <p>Example metadata at <code>https://app.example.com/oauth/client-metadata.json</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"client_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://app.example.com/oauth/client-metadata.json"</span><span class="p">,</span><span class="w"> </span><span class="nl">"client_name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"My MCP Client"</span><span class="p">,</span><span class="w"> </span><span class="nl">"grant_types"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"authorization_code"</span><span class="p">],</span><span class="w"> </span><span class="nl">"redirect_uris"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"http://localhost:3000/callback"</span><span class="p">],</span><span class="w"> </span><span class="nl">"token_endpoint_auth_method"</span><span class="p">:</span><span class="w"> </span><span class="s2">"none"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>During OAuth flow</strong>:</p> <ol> <li>Client sends <code>client_id=https://app.example.com/oauth/client-metadata.json</code> </li> <li>Authorization server fetches that URL</li> <li>Server validates: <code>client_id</code> matches URL, <code>redirect_uri</code> is in allowed list</li> <li>Server caches metadata (respecting HTTP cache headers)</li> </ol> <p><strong>Comparison</strong>:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Aspect</th> <th>DCR</th> <th>CIMD</th> </tr> </thead> <tbody> <tr> <td><strong>MCP Spec Status</strong></td> <td>MAY (optional)</td> <td>SHOULD (recommended)</td> </tr> <tr> <td><strong>Client ID</strong></td> <td>Server-minted UUID</td> <td>Client's HTTPS URL (e.g., <code>/client.json</code>)</td> </tr> <tr> <td><strong>Registration</strong></td> <td>POST to server</td> <td>Self-published JSON document</td> </tr> <tr> <td><strong>Server state</strong></td> <td>Stores records in database</td> <td>Fetches on-demand, caches via HTTP headers</td> </tr> <tr> <td><strong>Best for</strong></td> <td>Local agents without reliable URLs</td> <td>Web/hosted clients with stable domains</td> </tr> <tr> <td><strong>Localhost support</strong></td> <td>✅ Works fine</td> <td>⚠️ Risk: anyone can claim localhost URIs</td> </tr> </tbody> </table></div> <p><strong>For this guide</strong>: I use <strong>DCR</strong> because:</p> <ul> <li>Local agents (Claude CLI, CLI tools) don't have stable HTTPS URLs to host metadata</li> <li>Ory Hydra supports DCR out of the box</li> <li>DCR works for both localhost and production scenarios</li> </ul> <p><strong>CIMD note</strong>: Authorization servers advertise CIMD support via <code>client_id_metadata_document_supported: true</code> in their metadata. Ory Hydra <a href="https://github.com/ory/hydra/issues/4061" rel="noopener noreferrer">doesn't support this yet</a>, but if you're building a web-based MCP client with a stable domain, CIMD is the preferred approach per the MCP spec.</p> <h3> Ory Configuration Reference </h3> <p>Here are the key configurations you need. In Ory Network, the project config is a single JSON document that merges settings from all Ory services:</p> <ul> <li> <strong><code>services.oauth2</code></strong> → Ory Hydra (OAuth2/OIDC server)</li> <li> <strong><code>services.identity</code></strong> → Ory Kratos (Identity management, social login)</li> <li> <strong><code>services.permission</code></strong> → Ory Keto (Authorization, not used in this guide)</li> </ul> <p>There are <strong>two ways</strong> to apply these configs:</p> <ol> <li> <strong>Import JSON via CLI</strong> (fastest - paste the whole merged config)</li> <li> <strong>Configure via Console UI</strong> (guided, click-through for each service)</li> </ol> <h4> OAuth2 Configuration (Hydra) </h4> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"services"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"oauth2"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"config"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"oauth2"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"pkce"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"enforced"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"enforced_for_public_clients"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"oidc"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"dynamic_client_registration"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"default_scope"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"openid"</span><span class="p">,</span><span class="w"> </span><span class="s2">"offline_access"</span><span class="p">],</span><span class="w"> </span><span class="nl">"enabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"strategies"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"access_token"</span><span class="p">:</span><span class="w"> </span><span class="s2">"opaque"</span><span class="p">,</span><span class="w"> </span><span class="nl">"scope"</span><span class="p">:</span><span class="w"> </span><span class="s2">"wildcard"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"ttl"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"access_token"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1h0m0s"</span><span class="p">,</span><span class="w"> </span><span class="nl">"refresh_token"</span><span class="p">:</span><span class="w"> </span><span class="s2">"720h0m0s"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"webfinger"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"oidc_discovery"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"auth_url"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://{slug}.projects.oryapis.com/oauth2/auth"</span><span class="p">,</span><span class="w"> </span><span class="nl">"client_registration_url"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://{slug}.projects.oryapis.com/oauth2/register"</span><span class="p">,</span><span class="w"> </span><span class="nl">"jwks_url"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://{slug}.projects.oryapis.com/.well-known/jwks.json"</span><span class="p">,</span><span class="w"> </span><span class="nl">"token_url"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://{slug}.projects.oryapis.com/oauth2/token"</span><span class="p">,</span><span class="w"> </span><span class="nl">"userinfo_url"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://{slug}.projects.oryapis.com/userinfo"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Key settings explained</strong>:</p> <ul> <li> <code>access_token: "opaque"</code> - Use opaque tokens (revocable, secure)</li> <li> <code>dynamic_client_registration.enabled: true</code> - Enables DCR for MCP clients</li> <li> <code>pkce.enforced_for_public_clients: true</code> - Enforces PKCE for CLI clients like Claude Code</li> <li> <code>webfinger.oidc_discovery.client_registration_url</code> - Can override for DCR proxy (see Bug #1 workaround)</li> </ul> <blockquote> <p><strong>Why opaque tokens?</strong></p> <ul> <li>Immediate revocation (logout, compromised tokens)</li> <li>No JWT parsing vulnerabilities</li> <li>Token contents stay server-side</li> <li>Ory's introspection is fast and cached</li> </ul> </blockquote> <h4> Identity Configuration (Kratos - for GitHub login) </h4> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"services"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"identity"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"config"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"selfservice"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"methods"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"oidc"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"config"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"providers"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"client_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"YOUR_GITHUB_CLIENT_ID"</span><span class="p">,</span><span class="w"> </span><span class="nl">"client_secret"</span><span class="p">:</span><span class="w"> </span><span class="s2">"YOUR_GITHUB_CLIENT_SECRET"</span><span class="p">,</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"github"</span><span class="p">,</span><span class="w"> </span><span class="nl">"provider"</span><span class="p">:</span><span class="w"> </span><span class="s2">"github"</span><span class="p">,</span><span class="w"> </span><span class="nl">"scope"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"user:email"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"enabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <blockquote> <p>See "Part 2: GitHub Social Login" below for how to get GitHub OAuth credentials.</p> </blockquote> <h3> Step 2: Apply Configuration </h3> <h4> Option A: Import Config via Ory CLI (Fastest) </h4> <p>Save the merged config (OAuth2 + Identity sections) to a file and <a href="https://www.ory.com/docs/cli/ory-update-project" rel="noopener noreferrer">update your Ory project</a>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Save your config to ory-config.json</span> <span class="c"># (Merge the OAuth2 and Identity configs from above)</span> <span class="c"># Apply to your Ory project</span> ory update project &lt;project-id&gt; <span class="se">\</span> <span class="nt">--workspace</span> &lt;workspace-id&gt; <span class="se">\</span> <span class="nt">--file</span> ory-config.json </code></pre> </div> <blockquote> <p><strong>Hint</strong>: You can <a href="https://www.ory.com/docs/cli/ory-get-project" rel="noopener noreferrer">export</a> your current config with:<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ory get project &lt;project-id&gt; <span class="se">\</span> <span class="nt">--workspace</span> &lt;workspace-id&gt; <span class="se">\</span> <span class="nt">--output</span> json <span class="o">&gt;</span> current-ory-config.json </code></pre> </div> <p><strong>Done!</strong> Your Ory project is now MCP-ready.</p> <p> <strong>Option B: Configure via Console UI (Guided)</strong> <p>Prefer clicking through the UI? Each setting can be configured in the Ory Console:</p> <p><strong>2.1 Enable Dynamic Client Registration</strong>:</p> <ul> <li>Go to <strong>OAuth2 &amp; OpenID Connect</strong> → <strong>Configuration</strong> </li> <li>Enable <strong>Dynamic Client Registration</strong> </li> <li>Set <strong>Default Scopes</strong>: <code>openid</code>, <code>offline_access</code> </li> </ul> <p><strong>2.2 Set Token Strategy</strong>:</p> <ul> <li>Go to <strong>OAuth2 &amp; OpenID Connect</strong> → <strong>Advanced</strong> </li> <li> <strong>Access Token Strategy</strong>: Choose <strong>Opaque</strong> </li> </ul> <p><strong>2.3 Enable PKCE</strong>:</p> <ul> <li>Go to <strong>OAuth2 &amp; OpenID Connect</strong> → <strong>Security</strong> </li> <li>Enable <strong>PKCE for Public Clients</strong> </li> </ul> <p><strong>2.4 Set Token TTLs</strong>:</p> <ul> <li>Go to <strong>OAuth2 &amp; OpenID Connect</strong> → <strong>Token TTL</strong> </li> <li>Access Token: <code>1h</code> </li> <li>Refresh Token: <code>720h</code> (30 days)</li> </ul> <p><strong>2.5 Enable OIDC for Identity (Social Login)</strong>:</p> <ul> <li>Go to <strong>Identity</strong> → <strong>Social Sign-In</strong> </li> <li>Click <strong>Add Provider</strong> → <strong>GitHub</strong> (or your preferred provider)</li> <li>Enter Client ID and Client Secret (see GitHub setup)</li> <li>Set Scopes: <code>user:email</code> </li> <li>Save</li> </ul> </p> <h3> Step 3: Create a Static OAuth2 Client </h3> <p>Create a static OAuth2 client for testing and for use with Claude Desktop or Claude.ai. Even if you plan to use DCR in production, having a static client helps you debug the OAuth flow without worrying about DCR-specific issues (like Bug #1).</p> <p><strong>Via Ory Console</strong>:</p> <ol> <li>Go to <strong>OAuth2 &amp; OpenID Connect</strong> → <strong>OAuth2 Clients</strong> </li> <li>Click <strong>Create Client</strong> </li> <li>Fill in: <ul> <li>Name: "Manual Test Client"</li> <li>Grant Types: Authorization Code, Refresh Token</li> <li>Redirect URIs: <code>http://localhost:8000/oauth/callback</code> </li> <li>Scopes: <code>openid</code>, <code>offline_access</code> </li> </ul> </li> <li>Save and note the <code>client_id</code> and <code>client_secret</code> </li> </ol> <p><strong>Via Ory CLI</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ory create oauth2-client <span class="se">\</span> <span class="nt">--project</span> <span class="o">{</span>your-project-id<span class="o">}</span> <span class="se">\</span> <span class="nt">--name</span> <span class="s2">"Manual Test Client"</span> <span class="se">\</span> <span class="nt">--grant-type</span> authorization_code,refresh_token <span class="se">\</span> <span class="nt">--response-type</span> code <span class="se">\</span> <span class="nt">--scope</span> openid,offline_access <span class="se">\</span> <span class="nt">--redirect-uri</span> <span class="s2">"http://localhost:8000/oauth/callback"</span> </code></pre> </div> <p>💡 <strong>Keep these credentials</strong> - you'll use them for testing in Part 4.</p> <h2> Part 2: GitHub Social Login (Optional but Recommended) </h2> <p> Expand GitHub Social Login setup <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fubeh5wxakijz6hhp4yji.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fubeh5wxakijz6hhp4yji.png" alt="GitHub Login Screenshot" width="800" height="918"></a></p> <h3> Why GitHub? </h3> <ul> <li>No password management to worry about</li> <li>Familiar login flow for developers</li> <li>One less thing to debug when testing</li> </ul> <h3> Step 1: Create GitHub OAuth App </h3> <ol> <li>Go to <a href="https://github.com/settings/developers" rel="noopener noreferrer">https://github.com/settings/developers</a> </li> <li>Click "New OAuth App"</li> <li> <p>Fill in:</p> <ul> <li> <strong>Application name</strong>: MCP Server (Dev)</li> <li> <strong>Homepage URL</strong>: <code>https://{your-slug}.projects.oryapis.com</code> </li> <li> <strong>Authorization callback URL</strong>: <code>https://{your-slug}.projects.oryapis.com/self-service/methods/oidc/callback/github</code> </li> </ul> </li> <li><p>Save <code>Client ID</code> and <code>Client Secret</code></p></li> </ol> <h3> Step 2: Add to Kratos Config </h3> <p><strong>Via Ory Console</strong>:</p> <ol> <li>Go to <strong>Identity</strong> → <strong>Social Sign-In</strong> </li> <li>Click <strong>Add Provider</strong> → <strong>GitHub</strong> </li> <li>Enter: <ul> <li>Client ID: (from GitHub)</li> <li>Client Secret: (from GitHub)</li> <li>Scopes: <code>user:email</code> </li> </ul> </li> <li>Save</li> </ol> <p><strong>Or update via JSON import</strong> (use the Identity config JSON above with your GitHub credentials).</p> </p> <h2> Part 3: Your MCP Server with OAuth2 </h2> <p>The MCP server is built using Fastify and a fork of <a href="https://github.com/platformatic/mcp" rel="noopener noreferrer"><code>@platformatic/mcp</code></a> that adds better OAuth2 support. This <a href="https://github.com/getlarge/fastify-mcp/tree/dev" rel="noopener noreferrer">fork</a> fixes:</p> <p><strong>OIDC Discovery &amp; OAuth Compliance</strong> (<a href="https://github.com/platformatic/mcp/pull/97" rel="noopener noreferrer">PR #97</a>):</p> <ul> <li>Original: Hardcoded <code>/oauth/*</code> paths didn't work with Ory Hydra's non-standard endpoints</li> <li>Fixed: Auto-discovers endpoints via <code>/.well-known/openid-configuration</code>, adds <code>redirect_uri</code> support, allows excluding paths from auth (e.g., <code>/health</code>)</li> </ul> <p><strong>Resource Subscriptions</strong> (<a href="https://github.com/platformatic/mcp/pull/98" rel="noopener noreferrer">PR #98</a>):</p> <ul> <li>Original: No support for MCP resource subscriptions</li> <li>Fixed: Adds subscription/unsubscription handlers and query parameter URI matching</li> </ul> <p><strong>DCR Proxy &amp; Token Introspection Auth</strong> (<a href="https://github.com/platformatic/mcp/pull/100" rel="noopener noreferrer">PR #100</a>):</p> <ul> <li>Original: <code>/oauth/register</code> endpoint required auth (chicken-egg problem), no way to authenticate introspection requests</li> <li>Fixed: DCR endpoint skips auth, adds <code>introspectionAuth</code> config for Ory admin API, adds DCR hooks for proxy pattern (needed for Bug #1 workaround)</li> </ul> <blockquote> <p><strong>Full disclosure</strong>: This is my fork, tested through building the <a href="https://github.com/getlarge/claude-api-care-plugins/tree/main/plugins/baume/mcp-server" rel="noopener noreferrer">Baume MCP server</a>. The upstream PRs await review, but you need these fixes now.</p> </blockquote> <h3> Step 1: Install Dependencies </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> @getlarge/fastify-mcp fastify @sinclair/typebox @fastify/type-provider-typebox </code></pre> </div> <h3> Step 2: Create Your Server </h3> <h4> ⚠️ Common Pitfall: Schema Definition </h4> <p>Before you write any tools, know this: <code>@getlarge/fastify-mcp</code> (and <code>@platformatic/mcp</code>) require tool input schemas to be <strong>objects at the top level</strong>. If you need mutually exclusive inputs (e.g., <code>path</code> OR <code>url</code>), wrap the union inside an object property:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ❌ Won't work - Union at top level</span> <span class="nx">inputSchema</span><span class="p">:</span> <span class="nx">Type</span><span class="p">.</span><span class="nc">Union</span><span class="p">([</span><span class="nx">Type</span><span class="p">.</span><span class="nc">Object</span><span class="p">({</span><span class="na">path</span><span class="p">:</span> <span class="p">...}),</span> <span class="nx">Type</span><span class="p">.</span><span class="nc">Object</span><span class="p">({</span><span class="na">url</span><span class="p">:</span> <span class="p">...})])</span> <span class="c1">// ✅ Works - Union inside object property</span> <span class="nx">inputSchema</span><span class="p">:</span> <span class="nx">Type</span><span class="p">.</span><span class="nc">Object</span><span class="p">({</span> <span class="na">spec</span><span class="p">:</span> <span class="nx">Type</span><span class="p">.</span><span class="nc">Union</span><span class="p">([</span> <span class="nx">Type</span><span class="p">.</span><span class="nc">Object</span><span class="p">({</span> <span class="na">path</span><span class="p">:</span> <span class="nx">Type</span><span class="p">.</span><span class="nc">String</span><span class="p">()</span> <span class="p">}),</span> <span class="nx">Type</span><span class="p">.</span><span class="nc">Object</span><span class="p">({</span> <span class="na">url</span><span class="p">:</span> <span class="nx">Type</span><span class="p">.</span><span class="nc">String</span><span class="p">({</span> <span class="na">format</span><span class="p">:</span> <span class="dl">'</span><span class="s1">uri</span><span class="dl">'</span> <span class="p">})</span> <span class="p">})</span> <span class="p">])</span> <span class="p">})</span> </code></pre> </div> <p>This also improves clarity for AI clients (ChatGPT, Claude) that sometimes struggle with flat union schemas. Thank me later.</p> <p><strong>File</strong>: <code>src/server.ts</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">Fastify</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">fastify</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">mcpPlugin</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@getlarge/fastify-mcp</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Type</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@sinclair/typebox</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">fastify</span> <span class="o">=</span> <span class="nc">Fastify</span><span class="p">({</span> <span class="na">logger</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="nx">fastify</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/health</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ok</span><span class="dl">'</span> <span class="p">}));</span> <span class="c1">// Register MCP plugin with OAuth2 config</span> <span class="k">await</span> <span class="nx">fastify</span><span class="p">.</span><span class="nf">register</span><span class="p">(</span><span class="nx">mcpPlugin</span><span class="p">,</span> <span class="p">{</span> <span class="na">authorization</span><span class="p">:</span> <span class="p">{</span> <span class="na">enabled</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">authorizationServers</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">https://{your-slug}.projects.oryapis.com</span><span class="dl">'</span><span class="p">],</span> <span class="na">resourceUri</span><span class="p">:</span> <span class="dl">'</span><span class="s1">http://localhost:8000</span><span class="dl">'</span><span class="p">,</span> <span class="na">excludedPaths</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">/health</span><span class="dl">'</span><span class="p">],</span> <span class="na">tokenValidation</span><span class="p">:</span> <span class="p">{</span> <span class="c1">// Using introspection for opaque tokens</span> <span class="na">introspectionEndpoint</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://{your-slug}.projects.oryapis.com/admin/oauth2/introspect</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// For Ory Network, authenticate introspection with API key:</span> <span class="na">introspectionAuth</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">bearer</span><span class="dl">'</span><span class="p">,</span> <span class="na">token</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">ORY_API_KEY</span><span class="p">,</span> <span class="p">},</span> <span class="na">validateAudience</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="c1">// See "Bug #4: Empty JWT Audience"</span> <span class="p">},</span> <span class="p">},</span> <span class="p">});</span> <span class="nx">fastify</span><span class="p">.</span><span class="nf">mcpAddTool</span><span class="p">(</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">hello</span><span class="dl">'</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Say hello with user context</span><span class="dl">'</span><span class="p">,</span> <span class="na">inputSchema</span><span class="p">:</span> <span class="nx">Type</span><span class="p">.</span><span class="nc">Object</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="nx">Type</span><span class="p">.</span><span class="nc">String</span><span class="p">(),</span> <span class="p">}),</span> <span class="p">},</span> <span class="k">async </span><span class="p">(</span><span class="nx">input</span><span class="p">,</span> <span class="nx">context</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">userId</span> <span class="o">=</span> <span class="nx">context</span><span class="p">.</span><span class="nx">authContext</span><span class="p">?.</span><span class="nx">userId</span><span class="p">;</span> <span class="k">return</span> <span class="p">{</span> <span class="na">content</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">text</span><span class="dl">'</span><span class="p">,</span> <span class="na">text</span><span class="p">:</span> <span class="s2">`Hello </span><span class="p">${</span><span class="nx">input</span><span class="p">.</span><span class="nx">name</span><span class="p">}</span><span class="s2">! Your user ID: </span><span class="p">${</span><span class="nx">userId</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">},</span> <span class="p">],</span> <span class="p">};</span> <span class="p">},</span> <span class="p">);</span> <span class="k">await</span> <span class="nx">fastify</span><span class="p">.</span><span class="nf">listen</span><span class="p">({</span> <span class="na">port</span><span class="p">:</span> <span class="mi">8000</span><span class="p">,</span> <span class="na">host</span><span class="p">:</span> <span class="dl">'</span><span class="s1">0.0.0.0</span><span class="dl">'</span> <span class="p">});</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">🚀 MCP Server running on http://localhost:8000</span><span class="dl">'</span><span class="p">);</span> </code></pre> </div> <h3> Step 3: Start Your Server </h3> <div class="ltag_asciinema"> </div> <h2> The Five Bugs I Hit (And Their Fixes) </h2> <blockquote> <p><strong>War stories section</strong> — I'm listing these in order of severity, so if you're blocked, start from the top.</p> <ul> <li> <strong>Bug #1</strong> blocks <em>all</em> Claude clients (DCR validation)</li> <li> <strong>Bug #2</strong> blocks Claude Code CLI specifically (scope parameter)</li> <li> <strong>Bugs #3-5</strong> are configuration issues you'll hit along the way</li> </ul> </blockquote> <h3> Bug #1: All Claude Clients Reject DCR Responses with Empty URI Fields </h3> <p>This was the first wall I hit. Dynamic Client Registration succeeds on Hydra's side — the client gets created, logs look fine. Then every Claude client (Code CLI, Claude.ai, Claude Desktop) crashes with a validation error: <code>client_uri</code>, <code>logo_uri</code>, <code>tos_uri</code>, or <code>contacts</code> must be parseable/valid.</p> <p>I dug into Hydra's DCR response and found the problem:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"client_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"client_secret"</span><span class="p">:</span><span class="w"> </span><span class="s2">"..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"client_uri"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Empty</span><span class="w"> </span><span class="err">string</span><span class="w"> </span><span class="err">fails</span><span class="w"> </span><span class="err">Claude's</span><span class="w"> </span><span class="err">Zod</span><span class="w"> </span><span class="err">schema</span><span class="w"> </span><span class="nl">"contacts"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="p">,</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Null</span><span class="w"> </span><span class="err">fails</span><span class="w"> </span><span class="err">array</span><span class="w"> </span><span class="err">validation</span><span class="w"> </span><span class="nl">"logo_uri"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="nl">"policy_uri"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="nl">"tos_uri"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Claude's Zod schema expects these fields to be either valid URLs (for <code>*_uri</code> fields), arrays (for <code>contacts</code>), or omitted entirely — not empty strings or null.</p> <p><strong>Status</strong>: <a href="https://github.com/anthropics/claude-code/issues/13685" rel="noopener noreferrer">Open issue #13685</a></p> <p>This affects <strong>all Claude clients</strong>, not just Claude Code CLI. That makes it different from Bug #2 (scope parameter), which only hits the CLI.</p> <p>The frustrating part: you can't configure Ory Hydra to omit these fields. They're part of the DCR spec, and Hydra includes them even when empty. So I built a workaround.</p> <p><strong>Solution: DCR Proxy</strong></p> <p>A lightweight proxy between Claude and Hydra that strips the problematic fields before Claude sees them. <code>@getlarge/fastify-mcp</code> supports this as a built-in hook, so the proxy runs in the same process as your MCP server — no separate deployment needed.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// DCR Proxy hook in @getlarge/fastify-mcp</span> <span class="c1">// Registered as client_registration_url in your Ory OIDC discovery config</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/oauth2/register</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Forward DCR request to Hydra</span> <span class="kd">const</span> <span class="nx">hydraResponse</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span> <span class="dl">'</span><span class="s1">https://{slug}.projects.oryapis.com/oauth2/register</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">),</span> <span class="p">},</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">hydraResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="c1">// Remove fields that are empty strings or null</span> <span class="kd">const</span> <span class="nx">cleanedClient</span> <span class="o">=</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">fromEntries</span><span class="p">(</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">entries</span><span class="p">(</span><span class="nx">client</span><span class="p">).</span><span class="nf">filter</span><span class="p">(([</span><span class="nx">_</span><span class="p">,</span> <span class="nx">value</span><span class="p">])</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Keep non-empty strings, non-null values</span> <span class="k">return</span> <span class="nx">value</span> <span class="o">!==</span> <span class="dl">''</span> <span class="o">&amp;&amp;</span> <span class="nx">value</span> <span class="o">!==</span> <span class="kc">null</span> <span class="o">&amp;&amp;</span> <span class="nx">value</span> <span class="o">!==</span> <span class="kc">undefined</span><span class="p">;</span> <span class="p">}),</span> <span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span><span class="nx">cleanedClient</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p><strong>Configure Ory to use the proxy</strong>:</p> <p>In your Ory project config, set the DCR endpoint to your MCP server's proxy endpoint:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"webfinger"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"oidc_discovery"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"client_registration_url"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://your-mcp-server.com/oauth2/register"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <blockquote> <p><strong>Note</strong>: Ory Network allows customizing the <code>client_registration_url</code> in the OIDC discovery document. Set it to <code>undefined</code> to hide DCR entirely (if you only use static clients).</p> </blockquote> <p><strong>Why this works</strong>: Claude never sees the empty URI fields, so Zod validation passes 🫢.</p> <p><strong>Implementation reference</strong>: See the <a href="https://github.com/getlarge/fastify-mcp/blob/main/src/routes/auth-routes.ts#L308" rel="noopener noreferrer">DCR proxy hook in fastify-mcp</a> or its <a href="https://github.com/getlarge/claude-api-care-plugins/blob/main/plugins/baume/mcp-server/src/server.ts#L148-L164" rel="noopener noreferrer">usage in the Baume MCP server</a></p> <blockquote> <p>You could also consider using placeholder URLs (e.g., <code>https://example.com</code>) instead of omitting fields, but omitting is cleaner and avoids confusion.</p> </blockquote> <h3> Bug #2: Claude Code CLI Missing Scope Parameter </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fly0y25w1eam5kv73io39.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fly0y25w1eam5kv73io39.png" alt="Where the scopes' at" width="800" height="1131"></a></p> <p>As of January 2026, Claude Code (CLI) has a <a href="https://github.com/anthropics/claude-code/issues/4540" rel="noopener noreferrer">known bug</a> (since July 2025, tagged <code>oncall</code>) where it doesn't send the <code>scope</code> parameter during OAuth2 authorization, causing the flow to fail entirely. <strong>Use Claude.ai or Claude Desktop instead</strong> until Anthropic fixes this.</p> <p><strong>Server-side mitigation attempts</strong> (all failed):</p> <ul> <li>Injecting scopes in DCR response → Claude Code ignores it</li> <li>Using WWW-Authenticate scope parameter → Requires initial token (chicken-egg problem)</li> <li>Ory <a href="https://github.com/ory/hydra/issues/1618" rel="noopener noreferrer">default scopes</a> → Only works with <strong>client_credentials</strong> grant, not <strong>authorization_code</strong> </li> </ul> <blockquote> <p><em>How ironic, Anthropic wrote the MCP Authorization spec that requires proper scope handling, but Claude Code CLI doesn't implement it.</em></p> </blockquote> <h3> Bug #3: Token Validation Configuration Mismatch </h3> <p>I kept getting this error:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>The token is malformed. (error code: FAST_JWT_MALFORMED) </code></pre> </div> <p>It took me some time to realize my MCP server was trying to parse an opaque token as a JWT (using JWKS token validation). Opaque is Hydra's default strategy — and I'd forgotten that when configuring the server.</p> <h4> Understanding Token Validation Options </h4> <p>Hydra supports two token strategies:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Strategy</th> <th>Token Format</th> <th>Validation Method</th> <th>Trade-offs</th> </tr> </thead> <tbody> <tr> <td> <strong>opaque</strong> (recommended)</td> <td>Random string (<code>ory_at_...</code>)</td> <td>Introspection endpoint</td> <td>✅ Immediate revocation<br>✅ Better security<br>❌ Network call per request</td> </tr> <tr> <td><strong>jwt</strong></td> <td>JSON Web Token (<code>eyJhbGci...</code>)</td> <td>JWKS (signature verification)</td> <td>✅ Fast (JWKS response is cached)<br>❌ Can't revoke before expiry<br>❌ Exposed claims</td> </tr> </tbody> </table></div> <p><strong>For this guide and production</strong>, I recommend <strong>opaque tokens</strong> because:</p> <ul> <li>You can revoke tokens immediately (logout, compromised tokens)</li> <li>Ory's introspection is fast</li> <li>No JWT parsing vulnerabilities</li> <li>Token contents stay server-side</li> </ul> <p>Your MCP server must use the <strong>matching validation method</strong>:</p> <p><strong>If using opaque tokens (recommended)</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">authorization</span><span class="p">:</span> <span class="p">{</span> <span class="nl">tokenValidation</span><span class="p">:</span> <span class="p">{</span> <span class="na">introspectionEndpoint</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://{project}.projects.oryapis.com/admin/oauth2/introspect</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// For Ory Network, authenticate with API key:</span> <span class="na">introspectionAuth</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">bearer</span><span class="dl">'</span><span class="p">,</span> <span class="na">token</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">ORY_API_KEY</span> <span class="p">}</span> <span class="c1">// Local Hydra: no auth needed if admin API is on localhost</span> <span class="p">},</span> <span class="p">}</span> </code></pre> </div> <p><strong>If using JWT tokens</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">authorization</span><span class="p">:</span> <span class="p">{</span> <span class="nl">tokenValidation</span><span class="p">:</span> <span class="p">{</span> <span class="na">jwksUri</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://{project}.projects.oryapis.com/.well-known/jwks.json</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Validates JWT signature locally - no network call</span> <span class="p">},</span> <span class="p">}</span> </code></pre> </div> <p><strong>Setting Hydra's token strategy</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># For opaque tokens (recommended)</span> ory patch oauth2-config <span class="se">\</span> <span class="nt">--project</span> &lt;project-id&gt; <span class="se">\</span> <span class="nt">--replace</span> <span class="s2">"/strategies/access_token=opaque"</span> <span class="c"># For JWT tokens (if you prefer local validation)</span> ory patch oauth2-config <span class="se">\</span> <span class="nt">--project</span> &lt;project-id&gt; <span class="se">\</span> <span class="nt">--replace</span> <span class="s2">"/strategies/access_token=jwt"</span> </code></pre> </div> <h3> Bug #4: Empty JWT Audience (RFC 8707 Missing) </h3> <p>Token validation kept failing with this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Audience validation failed: expected [http://localhost:8000], got [] </code></pre> </div> <p>The MCP spec is clear — clients <a href="https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization" rel="noopener noreferrer">MUST implement Resource Indicators</a> (RFC 8707). That means sending a <code>resource</code> parameter during authorization:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">GET /oauth2/auth?...&amp;resource=http://localhost:8000 </span></code></pre> </div> <p>This binds the token to a specific MCP server via the JWT <code>aud</code> claim. Except Claude.ai doesn't send it (as of Jan 2026). So the audience comes back empty, and validation fails.</p> <p><strong>Workaround</strong>: Disable audience validation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">tokenValidation</span><span class="p">:</span> <span class="p">{</span> <span class="nl">validateAudience</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="c1">// Until Claude.ai implements RFC 8707</span> <span class="p">}</span> </code></pre> </div> <p><strong>⚠️ Security warning for multi-tenant deployments</strong>: Tokens issued by your Ory instance can technically be used against <em>any</em> MCP server using the same issuer. For single-tenant deployments, this is acceptable. For multi-tenant, you <strong>must</strong> add validation (e.g., check <code>client_id</code> against known registrations, or validate custom claims).</p> <p><strong>Status</strong>: Pending Claude.ai update to support RFC 8707.</p> <h3> Bug #5: Ory Elements Consent Error (False Positive) </h3> <p>This one wasted my time because the real blocker was Bug #3 (token validation). I didn't know that yet. After clicking "Accept" on the consent screen, Ory Elements throws:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">Unhandled</span> <span class="nb">Promise</span> <span class="nx">Rejection</span><span class="p">:</span> <span class="nb">Error</span><span class="p">:</span> <span class="p">[</span><span class="nx">Ory</span><span class="o">/</span><span class="nx">Elements</span><span class="p">]:</span> <span class="nx">OAuth2</span> <span class="nx">consent</span> <span class="nx">flow</span> <span class="nx">not</span> <span class="nx">completed</span><span class="p">.</span> </code></pre> </div> <p>Except... the flow actually succeeds. Claude receives a valid authorization code, tokens work fine, everything is functional. The UI just shows an error because Ory Elements doesn't handle the redirect properly.</p> <p>Ory fixed the <a href="https://github.com/ory/elements/issues/587" rel="noopener noreferrer">issue #587</a>, so it should not get in your way in future releases.</p> <h2> Part 4: Testing the Full OAuth2 Flow </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fovek8ocluk1jhxsxuj2z.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fovek8ocluk1jhxsxuj2z.png" alt="OAuth2 Consent UI" width="800" height="1528"></a></p> <h3> Programmatic Testing with Hydra's Admin API </h3> <p>You <em>could</em> test manually: generate a PKCE challenge, open the auth URL in a browser, click through GitHub login, copy the code from the callback, exchange it with curl... but that gets old fast.</p> <p>A better approach: use Hydra's Admin API to accept login and consent programmatically — no browser, no identities, no clicking. This is what I use in my <a href="https://github.com/getlarge/claude-api-care-plugins/blob/main/plugins/baume/mcp-server/src/auth/auth.oauth2-e2e-test.ts" rel="noopener noreferrer">e2e tests</a>.</p> <p>The flow looks like this:</p> <ol> <li> <strong>Start the auth flow</strong> — <code>GET /oauth2/auth?client_id=...&amp;scope=openid+offline_access&amp;...</code> </li> <li> <strong>Accept login via Admin API</strong> — <code>PUT /admin/oauth2/auth/requests/login/accept</code> with a synthetic <code>subject</code> (no real user needed)</li> <li> <strong>Accept consent via Admin API</strong> — <code>PUT /admin/oauth2/auth/requests/consent/accept</code> granting the requested scopes</li> <li> <strong>Exchange the code</strong> — <code>POST /oauth2/token</code> as usual</li> </ol> <p>Steps 2 and 3 are the trick — Hydra's Admin API lets you skip the browser entirely. You get a real authorization code and real tokens, without any identity provider involved.</p> <p>Here's the full flow against Ory Network — client creation, PKCE auth code exchange, token introspection, and authenticated MCP calls:</p> <div class="ltag_asciinema"> </div> <blockquote> <p><strong>Want the test script?</strong> Hit me up — I have a standalone Node.js script that runs this entire flow against Ory Network's Admin API, no browser needed.</p> </blockquote> <p>If you see your user ID in the response, OAuth2 is working.</p> <h3> What About Token Refresh? </h3> <p>In our Ory Hydra setup, access tokens expire after 1 hour. The <a href="https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization#token-handling" rel="noopener noreferrer">MCP spec</a> says the <strong>client</strong> handles refresh — your server returns 401 on expiry, and the client uses its refresh token to obtain a new access token from Hydra. A <a href="https://modelcontextprotocol.io/specification/draft/basic/authorization#token-refresh" rel="noopener noreferrer">draft section</a> formalizes this, but it's not in the released 2025-11-25 spec yet.</p> <p>In practice, <strong>don't count on it working smoothly</strong>. The Python SDK has a <a href="https://github.com/modelcontextprotocol/python-sdk/issues/1250" rel="noopener noreferrer">P0 bug</a> where <code>get_access_token()</code> returns stale tokens after refresh, and ChatGPT enters a <a href="https://community.openai.com/t/stateless-streamable-http-mcp-server-token-refresh-works-after-short-idle-but-reconnect-loop-after-long-idle/1367543" rel="noopener noreferrer">reconnect loop</a> instead of refreshing after long idle periods. <code>@getlarge/fastify-mcp</code> handles the server side (proper 401s with <code>WWW-Authenticate</code> headers), but whether each client refreshes correctly is out of your hands.</p> <h3> Security Checklist </h3> <p>Before going live:</p> <p><strong>Ory Network</strong>:</p> <ul> <li>[ ] Configure CORS properly (don't use <code>*</code> in production)</li> <li>[ ] Set token TTLs appropriate for your use case</li> </ul> <p><strong>MCP Server</strong>:</p> <ul> <li>[ ] Enable HTTPS</li> <li>[ ] Re-enable audience validation once Claude.ai implements RFC 8707</li> <li>[ ] Rate limit the DCR proxy endpoint (anyone can register unlimited clients)</li> <li>[ ] Add rate limiting per user</li> <li>[ ] Set up request logging and error monitoring</li> <li>[ ] Add health checks and uptime monitoring</li> <li>[ ] Rotate your Ory API key periodically</li> </ul> <h2> What About ChatGPT? </h2> <p>I wasn't planning to test ChatGPT, but after hitting so many bugs with Claude's OAuth2 implementation, I got curious. Turns out ChatGPT Web App handles OAuth2 <strong>better</strong> than Claude Code.</p> <h3> ChatGPT Web App (Tested 2026-01-29) </h3> <p>Full OAuth2.1 with DCR just works. DCR flow is clean — no phantom scopes, proper scope handling, no false errors on redirect. It even surfaces rich tool metadata (<code>PUBLIC WRITE</code>, <code>OPEN WORLD</code>, <code>DESTRUCTIVE</code> annotations) with per-tool auth support.</p> <p>To try it yourself: go to ChatGPT web, enable Developer Mode in settings, add your MCP server URL, and the OAuth flow triggers automatically. Complete login + consent via Ory Hydra, and ChatGPT manages token storage and refresh from there — though after long idle periods it can <a href="https://community.openai.com/t/stateless-streamable-http-mcp-server-token-refresh-works-after-short-idle-but-reconnect-loop-after-long-idle/1367543" rel="noopener noreferrer">break into a reconnect loop</a> instead of refreshing.</p> <p>Your server doesn't need any ChatGPT-specific config. It just needs <code>/.well-known/oauth-protected-resource</code> and proper <code>WWW-Authenticate</code> errors on unauthorized requests — same as Claude, and <code>@getlarge/fastify-mcp</code> handles both.</p> <h3> Codex VSCode Extension (Tested 2026-01-29) </h3> <p>No luck here. Codex has a two-tier system: recommended servers (Linear, Notion, Figma) get full OAuth with an "Install and authenticate" button, but custom servers only get a toggle — no OAuth flow.</p> <p>You can work around it with bearer tokens in <code>~/.codex/config.toml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="nn">[mcp_servers.your-server]</span> <span class="py">url</span> <span class="p">=</span> <span class="s">"https://your-server.com/mcp"</span> <span class="py">bearer_token_env_var</span> <span class="p">=</span> <span class="s">"YOUR_SERVER_TOKEN"</span> </code></pre> </div> <p>Then manually obtain a token via Hydra and set <code>export YOUR_SERVER_TOKEN="ory_at_..."</code>. But the token expires after 1 hour with no auto-refresh, rotation is manual, and there's no multi-user support. Not great.</p> <h3> Comparison </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Aspect</th> <th>ChatGPT Web App</th> <th>Claude Code</th> <th>Codex VSCode</th> </tr> </thead> <tbody> <tr> <td><strong>DCR</strong></td> <td>✅ Works cleanly</td> <td>⚠️ Works with bugs</td> <td>❌ Not for custom</td> </tr> <tr> <td><strong>Scope handling</strong></td> <td>✅ Respects scopes</td> <td>❌ Adds phantom</td> <td>N/A</td> </tr> <tr> <td><strong>Redirect flow</strong></td> <td>✅ Proper</td> <td>⚠️ UI error (bug)</td> <td>N/A</td> </tr> <tr> <td><strong>Tool metadata</strong></td> <td>✅ Rich annotations</td> <td>❌ Basic</td> <td>✅ Basic</td> </tr> <tr> <td><strong>Custom servers</strong></td> <td>✅ Full OAuth</td> <td>✅ Full OAuth</td> <td>❌ Bearer only</td> </tr> <tr> <td><strong>Per-tool auth</strong></td> <td>✅ Yes</td> <td>❌ All-or-nothing</td> <td>❌ All-or-nothing</td> </tr> </tbody> </table></div> <p>For OAuth2 testing today: ChatGPT Web App &gt; Claude.ai/Desktop &gt; Claude Code CLI &gt; Codex VSCode.</p> <blockquote> <p>This hurts my feelings as a Claude fanboy (paying for Claude Pro Max 20x), but when OpenAI's ChatGPT Web App handles the OAuth2 specs better than Anthropic's own Claude Code — which literally references the MCP spec Anthropic wrote — something's off. The missing scope parameter bug (<a href="https://github.com/anthropics/claude-code/issues/4540" rel="noopener noreferrer">#4540</a>) has been open since July 2025, tagged <code>oncall</code>, still unfixed. Meanwhile ChatGPT just... works.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg1x1p0vo5txl5v3utw19.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg1x1p0vo5txl5v3utw19.gif" alt="Pigeon following for chips" width="281" height="500"></a></p> <p>Still, I love Claude's tools and ecosystem — when they work!</p> </blockquote> <h2> Resources </h2> <h3> Official Documentation </h3> <ul> <li><a href="https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization" rel="noopener noreferrer">MCP Authorization Specification (2025-11-25)</a></li> <li><a href="https://www.ory.com/docs/hydra" rel="noopener noreferrer">Ory Hydra Documentation</a></li> <li><a href="https://www.ory.com/docs/kratos" rel="noopener noreferrer">Ory Kratos Documentation</a></li> </ul> <h3> GitHub Repositories </h3> <ul> <li> <strong>This guide's code</strong>: <a href="https://github.com/getlarge/claude-api-care-plugins/tree/main/plugins/baume/mcp-server" rel="noopener noreferrer">getlarge/claude-api-care-plugins</a> </li> <li> <strong>Fastify MCP plugin (OAuth2-ready)</strong>: <a href="https://github.com/getlarge/fastify-mcp" rel="noopener noreferrer">getlarge/fastify-mcp</a> </li> <li> <strong>Ory Hydra</strong>: <a href="https://github.com/ory/hydra" rel="noopener noreferrer">ory/hydra</a> </li> <li> <strong>Ory Kratos</strong>: <a href="https://github.com/ory/kratos" rel="noopener noreferrer">ory/kratos</a> </li> </ul> <h3> RFCs and Standards Referenced </h3> <p> Full list of referenced specifications <ul> <li> <a href="https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-13" rel="noopener noreferrer">OAuth 2.1 (draft-ietf-oauth-v2-1-13)</a> - Core authorization framework</li> <li> <a href="https://datatracker.ietf.org/doc/html/rfc7591" rel="noopener noreferrer">RFC 7591 - Dynamic Client Registration</a> - Runtime client registration</li> <li> <a href="https://datatracker.ietf.org/doc/html/rfc8414" rel="noopener noreferrer">RFC 8414 - Authorization Server Metadata</a> - AS endpoint discovery</li> <li> <a href="https://datatracker.ietf.org/doc/html/rfc8707" rel="noopener noreferrer">RFC 8707 - Resource Indicators</a> - Token audience binding</li> <li> <a href="https://datatracker.ietf.org/doc/html/rfc9728" rel="noopener noreferrer">RFC 9728 - Protected Resource Metadata</a> - Resource server discovery</li> <li> <a href="https://datatracker.ietf.org/doc/html/draft-ietf-oauth-client-id-metadata-document-00" rel="noopener noreferrer">OAuth Client ID Metadata Document (draft-ietf-oauth-client-id-metadata-document-00)</a> - CIMD</li> </ul> </p> <h3> Open Issues </h3> <p> Issues I've encountered or created during this journey <p><strong>Ory Hydra</strong>:</p> <ul> <li> <a href="https://github.com/ory/hydra/discussions/2300" rel="noopener noreferrer">ory/hydra#2300</a> - Partial scopes in consent</li> <li> <a href="https://github.com/ory/hydra/issues/1618" rel="noopener noreferrer">ory/hydra#1618</a> - Default scopes discussion</li> <li> <a href="https://github.com/ory/hydra/issues/4061" rel="noopener noreferrer">ory/hydra#4061</a> - CIMD support request</li> </ul> <p><strong>Ory Elements</strong>:</p> <ul> <li> <a href="https://github.com/ory/elements/issues/587" rel="noopener noreferrer">ory/elements#587</a> - Consent error despite successful flow</li> </ul> <p><strong>Anthropic / Claude</strong>:</p> <ul> <li> <a href="https://github.com/anthropics/claude-code/issues/4540" rel="noopener noreferrer">claude-code#4540</a> - Missing scope parameter (main issue)</li> <li> <a href="https://github.com/anthropics/claude-code/issues/7744" rel="noopener noreferrer">claude-code#7744</a> - Related scopes_supported issue</li> <li> <a href="https://github.com/anthropics/claude-code/issues/13685" rel="noopener noreferrer">claude-code#13685</a> - <code>client_uri</code>, <code>logo_uri</code>, <code>tos_uri</code> must be parseable</li> <li> <a href="https://github.com/anthropics/claude-code/issues/2527" rel="noopener noreferrer">claude-code#2527</a> - Azure AD/Entra ID integration complex due to DCR requirement</li> </ul> <p><strong>Platformatic MCP</strong>:</p> <ul> <li> <a href="https://github.com/platformatic/mcp/issues/95" rel="noopener noreferrer">platformatic/mcp#95</a> - OAuth2 subscription handling</li> <li> <a href="https://github.com/platformatic/mcp/issues/96" rel="noopener noreferrer">platformatic/mcp#96</a> - CORS configuration issues</li> <li> <a href="https://github.com/platformatic/mcp/issues/99" rel="noopener noreferrer">platformatic/mcp#99</a> - Authorization configuration limitations</li> </ul> </p> <h2> Acknowledgments </h2> <ul> <li> <a href="https://isabellakohout.eu" rel="noopener noreferrer"><strong>Isabella Kohout</strong></a> for the article cover</li> <li> <strong>Ory team</strong> for building excellent open-source auth tooling</li> <li> <strong>Anthropic</strong> for the MCP specification (and for eventually fixing the bugs 😅)</li> <li> <strong>Platformatic team</strong> for the original MCP server implementation for Fastify</li> <li> <strong>Community</strong> who reported issues and tested edge cases</li> </ul> <p><em>I spent a week debugging OAuth2 flows so you could skip that week. If it worked, pass it on.</em></p> <p>Building something with this? Need help securing your MCP server? → <a href="https://getlarge.eu" rel="noopener noreferrer">getlarge.eu</a></p> <div class="ltag__user ltag__user__id__1253749"> <a href="/getlarge" class="ltag__user__link profile-image-link"> <div class="ltag__user__pic"> <img src="https://media2.dev.to/dynamic/image/width=150,height=150,fit=cover,gravity=auto,format=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1253749%2Fc4b87a1b-784c-491c-ab9e-1cd2a4df299c.jpeg" alt="getlarge image"> </div> </a> <div class="ltag__user__content"> <h2> <a class="ltag__user__link" href="/getlarge">Edouard Maleix</a>Follow </h2> <div class="ltag__user__summary"> <a class="ltag__user__link" href="/getlarge">I am a Senior Software Engineer, focusing on distributed systems, application security and developer productivity/creativity. Based in Vienna 🥐, Austria.</a> </div> </div> </div> <ol> <li id="fn1"> <p>The MCP spec is a protocol revision maintained by the MCP project, not a ratified IETF standard — requirements may change between revisions. OAuth 2.1 itself is still an IETF draft. I reference the 2025-11-25 revision throughout this article. ↩</p> </li> </ol> oauth2 mcp claude chatgpt Ever felt like your authorization code could be easier to maintain and more flexible? How confident are you that only authorized users can access your API? When in doubt, have a look at OpenFGA! 👇 Edouard Maleix Wed, 18 Jun 2025 04:53:39 +0000 https://dev.to/getlarge/ever-felt-like-your-authorization-code-could-be-easier-to-maintain-and-more-flexible-how-4maa https://dev.to/getlarge/ever-felt-like-your-authorization-code-could-be-easier-to-maintain-and-more-flexible-how-4maa <div class="ltag__link"> <a href="/this-is-learning" class="ltag__link__link"> <div class="ltag__link__org__pic"> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Forganization%2Fprofile_image%2F3314%2Fdc73eb74-08f9-4592-b599-c08f2bb14b4d.png" alt="This is Learning" width="192" height="192"> <div class="ltag__link__user__pic"> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1253749%2Fc4b87a1b-784c-491c-ab9e-1cd2a4df299c.jpeg" alt="" width="800" height="800"> </div> </div> </a> <a href="https://dev.to/this-is-learning/how-to-protect-your-api-with-openfga-from-rebac-concepts-to-practical-usage-4n9j" class="ltag__link__link"> <div class="ltag__link__content"> <h2>How to Protect Your API with OpenFGA: From ReBAC Concepts to Practical Usage</h2> <h3>Edouard Maleix for This is Learning ・ Jun 15</h3> <div class="ltag__link__taglist"> <span class="ltag__link__tag">#tutorial</span> <span class="ltag__link__tag">#openfga</span> <span class="ltag__link__tag">#authorization</span> <span class="ltag__link__tag">#security</span> </div> </div> </a> </div> tutorial openfga authorization security How to Protect Your API with OpenFGA: From ReBAC Concepts to Practical Usage Edouard Maleix Sun, 15 Jun 2025 19:12:59 +0000 https://dev.to/playfulprogramming/how-to-protect-your-api-with-openfga-from-rebac-concepts-to-practical-usage-4n9j https://dev.to/playfulprogramming/how-to-protect-your-api-with-openfga-from-rebac-concepts-to-practical-usage-4n9j <p>Another story, another article. A client asked me recently:</p> <blockquote> <p>🗣️ <em>Can we add temporary permissions for a group of users assigned to a maintenance task, while it's ongoing?</em></p> </blockquote> <p>It should be simple enough, right? Yes, until I examined the authorization code behind the API and found a <strong>500-line</strong> function checking user roles and groups, time windows, resource ownership, and various business rules. 😶‍🌫️</p> <p>Unlike <strong>authentication</strong> (who is accessing the system), where we have OIDC, JWT, and other established standards and patterns, <strong>authorization</strong> (what they can do) often forces us into custom implementations.</p> <blockquote> <p>🫷<em>You might argue that OAuth 2.0 cover authorization, but they focus on third-party access, not complex and dynamic authorization patterns.</em></p> </blockquote> <p>The <a href="https://owasp.org/API-Security/editions/2023/en/0x11-t10/" rel="noopener noreferrer">OWASP Top 10 API Security Risks</a> lists <strong>Broken Object Level Authorization</strong> as the #1 risk, showing us how common it is to expose sensitive data due to poor authorization checks.<br> Is it far-fetched to think that the complexity of authorization logic contributes to this risk?</p> <p>Each new policy adds another <strong>conditional branch</strong>, another <strong>database join</strong>, another <strong>custom role</strong>, another <strong>edge case that breaks</strong> during the next feature request. The authorization flow becomes a spaghetti bowl and even experienced developers hesitate before touching it.</p> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F09cwef7zad5jqr7grjz7.png" alt="this is fine" width="500" height="771"> <p>Traditional approaches quickly hit walls:</p> <ul> <li> <strong>RBAC</strong> works until you need "sometimes" permissions</li> <li> <strong>ABAC</strong> offers flexibility but becomes a rule engine nightmare</li> <li> <strong>Database queries</strong> slow to a crawl as your permission matrix grows</li> </ul> <p>What if there is a better way? A way that lets you express complex relationships without messy code or performance hits? 🤔</p> <p>My exploration for a better paradigm started with <a href="https://www.ory.sh/keto" rel="noopener noreferrer"><strong>Ory Keto</strong></a>:</p> <div class="ltag__link--embedded"> <div class="crayons-story "> <a href="https://dev.to/getlarge/integrate-ory-in-a-nestjs-application-4llo" class="crayons-story__hidden-navigation-link">Integrate Ory in a NestJS application</a> <div class="crayons-story__body crayons-story__body-full_post"> <div class="crayons-story__top"> <div class="crayons-story__meta"> <div class="crayons-story__author-pic"> <a href="/getlarge" class="crayons-avatar crayons-avatar--l "> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1253749%2Fc4b87a1b-784c-491c-ab9e-1cd2a4df299c.jpeg" alt="getlarge profile" class="crayons-avatar__image" width="800" height="800"> </a> </div> <div> <div> <a href="/getlarge" class="crayons-story__secondary fw-medium m:hidden"> Edouard Maleix </a> <div class="profile-preview-card relative mb-4 s:mb-0 fw-medium hidden m:inline-block"> Edouard Maleix <div id="story-author-preview-content-1823184" class="profile-preview-card__content crayons-dropdown branded-7 p-4 pt-0"> <div class="gap-4 grid"> <div class="-mt-4"> <a href="/getlarge" class="flex"> <span class="crayons-avatar crayons-avatar--xl mr-2 shrink-0"> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1253749%2Fc4b87a1b-784c-491c-ab9e-1cd2a4df299c.jpeg" class="crayons-avatar__image" alt="" width="800" height="800"> </span> <span class="crayons-link crayons-subtitle-2 mt-5">Edouard Maleix</span> </a> </div> <div class="print-hidden"> Follow </div> <div class="author-preview-metadata-container"></div> </div> </div> </div> </div> <a href="https://dev.to/getlarge/integrate-ory-in-a-nestjs-application-4llo" class="crayons-story__tertiary fs-xs"><time>May 16 '24</time><span class="time-ago-indicator-initial-placeholder"></span></a> </div> </div> </div> <div class="crayons-story__indention"> <h2 class="crayons-story__title crayons-story__title-full_post"> <a href="https://dev.to/getlarge/integrate-ory-in-a-nestjs-application-4llo" id="article-link-1823184"> Integrate Ory in a NestJS application </a> </h2> <div class="crayons-story__tags"> <a class="crayons-tag crayons-tag--monochrome " href="/t/tutorial"><span class="crayons-tag__prefix">#</span>tutorial</a> <a class="crayons-tag crayons-tag--monochrome " href="/t/javascript"><span class="crayons-tag__prefix">#</span>javascript</a> <a class="crayons-tag crayons-tag--monochrome " href="/t/nestjs"><span class="crayons-tag__prefix">#</span>nestjs</a> <a class="crayons-tag crayons-tag--monochrome " href="/t/ory"><span class="crayons-tag__prefix">#</span>ory</a> </div> <div class="crayons-story__bottom"> <div class="crayons-story__details"> <a href="https://dev.to/getlarge/integrate-ory-in-a-nestjs-application-4llo" class="crayons-btn crayons-btn--s crayons-btn--ghost crayons-btn--icon-left"> <div class="multiple_reactions_aggregate"> <span class="multiple_reactions_icons_container"> <span class="crayons_icon_container"> <img src="https://assets.dev.to/assets/sparkle-heart-5f9bee3767e18deb1bb725290cb151c25234768a0e9a2bd39370c382d02920cf.svg" width="24" height="24"> </span> </span> <span class="aggregate_reactions_counter">1<span class="hidden s:inline"> reaction</span></span> </div> </a> <a href="https://dev.to/getlarge/integrate-ory-in-a-nestjs-application-4llo#comments" class="crayons-btn crayons-btn--s crayons-btn--ghost crayons-btn--icon-left flex items-center"> Comments <span class="hidden s:inline">Add Comment</span> </a> </div> <div class="crayons-story__save"> <small class="crayons-story__tertiary fs-xs mr-2"> 32 min read </small> <span class="bm-initial"> </span> <span class="bm-success"> </span> </div> </div> </div> </div> </div> </div> <p>It introduced me to <a href="https://storage.googleapis.com/gweb-research2023-media/pubtools/5068.pdf" rel="noopener noreferrer">Google's Zanzibar paper</a> and the concept of <strong>Relation-Based Access Control (ReBAC)</strong>.</p> <div class="crayons-card c-embed text-styles text-styles--secondary"> <div class="c-embed__content"> <div class="c-embed__cover"> <a href="https://www.zanzibar.academy/" class="c-link align-middle" rel="noopener noreferrer"> <img alt="" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn.auth0.com%2Fwebsite%2Fzanzibar%2Fshare-asset.png" height="420" class="m-0" width="800"> </a> </div> <div class="c-embed__body"> <h2 class="fs-xl lh-tight"> <a href="https://www.zanzibar.academy/" rel="noopener noreferrer" class="c-link"> Zanzibar: A Global Authorization System - Presented by Auth0 </a> </h2> <p class="truncate-at-3"> Zanzibar handles authorization for all of Google’s products, allows teams to specify their unique authorization models, globally replicates authorization data, and responds to access checks blazing fast. </p> <div class="color-secondary fs-s flex items-center"> <img alt="favicon" class="c-embed__favicon m-0 mr-2 radius-0" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn.auth0.com%2Fwebsite%2Fzanzibar%2Ffavicon-v2.png" width="32" height="32"> zanzibar.academy </div> </div> </div> </div> <p>This time, I needed more flexibility to introduce <strong>contextual relationships</strong>. That "simple" feature request led me to <a href="https://openfga.dev" rel="noopener noreferrer"><strong>OpenFGA</strong></a> — a richer implementation of Zanzibar's principles that extends ReBAC with powerful features like contextual-based conditions, attribute-based access, and a simple query language.</p> <p>And since you might be familiar with this story, I'll share with you my <strong>learning journey</strong>, starting from the concepts and terminology, through practical examples and considerations, to real-world usage of OpenFGA.</p> <ol> <li>✅ The Authorization Problem</li> <li>📍 <strong>Why OpenFGA?</strong> ← You are here</li> <li>⬜ ReBAC and OpenFGA concepts </li> <li>⬜ OpenFGA in Action </li> <li>⬜ Testing permissions with OpenFGA CLI </li> <li>⬜ Adoption Challenges and Strategies </li> </ol> <h2> <a id="why-openfga"></a> Why OpenFGA [▓░░░░░░░] </h2> <p>Before I grab your attention and your brain 🧠 with the ReBAC concepts and how OpenFGA implements them, let me explain why I chose OpenFGA over other solutions.</p> <h3> It Matches How You Think </h3> <h4> Expressive Relationships </h4> <p>Cat owners own cats. Sitters sit cats. Admins administrate. The authorization model mirrors reality instead of forcing you into artificial role hierarchies. Demo</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbg7eguhsxco75yi6g9bi.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbg7eguhsxco75yi6g9bi.png" alt="Cat owner relationship diagram" width="800" height="438"></a><br>Direct relations </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foqr497dzgub8p04mru1t.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foqr497dzgub8p04mru1t.png" alt="Cat sitting scenario diagram" width="800" height="175"></a><br>Implied relations </p> <h4> Time Works Automatically </h4> <p>No more "grant permission at 9 AM, revoke at 5 PM" cron jobs. Time-based access happens naturally through conditions.<br> Grant permissions only when conditions are met—like during scheduled hours.<br> Demo</p> <blockquote> <p>🤝 <em>Yes! My client is going to love this.</em></p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F030t1v1o7nix0ittkcvd.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F030t1v1o7nix0ittkcvd.png" alt="Time-based conditions" width="800" height="902"></a></p> <h4> Status Drives Decisions </h4> <p>Your app's workflow probably includes some entities' states (e.g., pending, active, completed). OpenFGA uses these attributes directly for permissions instead of requiring separate access control flags. Demo</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftcsgc6v4mvlk58cnvxip.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftcsgc6v4mvlk58cnvxip.png" alt="Status-based conditions" width="800" height="1262"></a></p> <h3> Queries, Not Just Checks </h3> <p>Traditional systems answer "Can Alice do X?" OpenFGA also answers "What can Alice do?" and "Who can do X?" This opens opportunities for features like smart dashboards and permission audits.<br> Demo</p> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3gljlmtefso79v0rdas9.png" alt="Is user Jenny related to system development as an admin?" width="800" height="691">Tuple Queries from OpenFGA playground <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzmmkh9zd1uw4igfawse7.png" alt="Who is Romeo's owner?" width="800" height="693">Who has the right to feed Romeo? <h3> Scale Like Google </h3> <p>Google's <a href="https://research.google/pubs/zanzibar-googles-consistent-global-authorization-system/" rel="noopener noreferrer">Zanzibar</a> (which inspired OpenFGA) handles <strong>billions</strong> of authorization checks daily. Your application(s) probably won't hit those numbers, but it's nice to know you won't hit a wall due to a poorly performing authorization system.</p> <blockquote> <p>☝️ <em>In my <a href="https://github.com/getlarge/purrfect-sitter/blob/main/tools/scripts/benchmark-auth-strategies.ts" rel="noopener noreferrer">tests</a>, OpenFGA performed slightly better than custom database lookups for complex relationships (both based on PostgreSQL).</em></p> </blockquote> <h3> Great Documentation and CLI Tools </h3> <p>I can't deny it, OpenFGA has a steep learning curve, but its <a href="https://openfga.dev/docs" rel="noopener noreferrer">documentation</a> is complete and well-structured. It covers everything from basic concepts to advanced usage patterns until deployment strategies.</p> <p>The <a href="https://openfga.dev/docs/cli" rel="noopener noreferrer">CLI tools</a> make it easy to manage your authorization model and test your policies.</p> <h3> Business Backing </h3> <p>OpenFGA is open-source and Okta is funding it, this ensures a long-term viability and support. On one side, you can always deploy it on your own infrastructure, and the community is growing rapidly. On the other side, Okta has strong competitors like OSO, Ory Keto or AWS Cedar, so they have a vested interest in making OpenFGA a successful product extending what Auth0 has to offer.</p> <h3> Deployment Flexibility </h3> <p>OpenFGA can be deployed in various ways, depending on your needs:</p> <ul> <li> <strong>Self-hosted</strong>: Use <a href="https://openfga.dev/docs/getting-started/setup-openfga/docker" rel="noopener noreferrer">Docker Compose</a> to get started locally, <a href="https://artifacthub.io/packages/helm/openfga/openfga" rel="noopener noreferrer">Kubernetes</a> for full control and <a href="https://registry.terraform.io/providers/openfga/openfga/latest/docs" rel="noopener noreferrer">Terraform</a> to orchestrate your infrastructure.</li> <li> <strong>Managed service</strong>: Use Auth0's FGA offering for a hassle-free experience.</li> </ul> <h3> Observability and Debugging </h3> <p>You can configure:</p> <ul> <li> <a href="https://opentelemetry.io/" rel="noopener noreferrer">OpenTelemetry</a> for traces collection on the <a href="https://openfga.dev/docs/getting-started/configure-telemetry#enabling-telemetry" rel="noopener noreferrer">client</a> and the <a href="https://openfga.dev/docs/getting-started/setup-openfga/configure-openfga#tracing" rel="noopener noreferrer">server</a> side.</li> <li> <a href="https://prometheus.io/docs/concepts/data_model/" rel="noopener noreferrer">Prometheus</a> for metrics collection.</li> </ul> <p>This makes it easier to monitor your authorization system with open standards and integrate with your existing observability stack.</p> <h3> Simpler Code To Maintain </h3> <p>To illustrate this, I'm using Typescript to check if a user can update a cat sitting arrangement with both approaches: a plain <strong>database lookup</strong> and an <strong>OpenFGA check</strong>.</p> <h4> Database Lookup </h4> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">isSystemAdmin</span><span class="p">(</span><span class="nx">userId</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">boolean</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">userRepository</span><span class="p">.</span><span class="nf">findById</span><span class="p">(</span><span class="nx">userId</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="k">return</span> <span class="nx">user</span><span class="p">.</span><span class="nx">role</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">admin</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">checkCatSittingUpdatePermission</span><span class="p">(</span> <span class="nx">userId</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">sittingId</span><span class="p">:</span> <span class="kr">string</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">boolean</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">sitting</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">catSittingRepository</span><span class="p">.</span><span class="nf">findById</span><span class="p">(</span><span class="nx">sittingId</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">sitting</span><span class="p">)</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">cat</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">catRepository</span><span class="p">.</span><span class="nf">findById</span><span class="p">(</span><span class="nx">sitting</span><span class="p">.</span><span class="nx">catId</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">cat</span><span class="p">)</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">isOwner</span> <span class="o">=</span> <span class="nx">cat</span><span class="p">.</span><span class="nx">ownerId</span> <span class="o">===</span> <span class="nx">userId</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">isSitter</span> <span class="o">=</span> <span class="nx">sitting</span><span class="p">.</span><span class="nx">sitterId</span> <span class="o">===</span> <span class="nx">userId</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">isAdmin</span> <span class="o">=</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="k">await</span> <span class="nf">isSystemAdmin</span><span class="p">(</span><span class="nx">userId</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">isPending</span> <span class="o">=</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">sitting</span><span class="p">.</span><span class="nx">status</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">requested</span><span class="dl">'</span> <span class="o">&amp;&amp;</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nx">sitting</span><span class="p">.</span><span class="nx">startTime</span><span class="p">)</span> <span class="o">&gt;</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">();</span> <span class="k">return</span> <span class="nx">isOwner</span> <span class="o">||</span> <span class="p">(</span><span class="nx">isSitter</span> <span class="o">&amp;&amp;</span> <span class="nf">isPending</span><span class="p">())</span> <span class="o">||</span> <span class="nf">isAdmin</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h4> OpenFGA Check </h4> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">checkCatSittingUpdatePermission</span><span class="p">(</span> <span class="nx">userId</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">catSittingId</span><span class="p">:</span> <span class="kr">string</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">boolean</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">openfgaClient</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">OpenFgaApi</span><span class="p">({</span> <span class="na">apiUrl</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">OPENFGA_API_URL</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="na">request</span><span class="p">:</span> <span class="nx">CheckRequest</span> <span class="o">=</span> <span class="p">{</span> <span class="na">tuple_key</span><span class="p">:</span> <span class="p">{</span> <span class="na">user</span><span class="p">:</span> <span class="s2">`user:</span><span class="p">${</span><span class="nx">userId</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">relation</span><span class="p">:</span> <span class="dl">'</span><span class="s1">can_update</span><span class="dl">'</span><span class="p">,</span> <span class="na">object</span><span class="p">:</span> <span class="s2">`cat_sitting:</span><span class="p">${</span><span class="nx">catSittingId</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">},</span> <span class="na">context</span><span class="p">:</span> <span class="p">{</span> <span class="na">current_time</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">(),</span> <span class="p">},</span> <span class="p">};</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">allowed</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">openfgaClient</span><span class="p">.</span><span class="nf">check</span><span class="p">(</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">FGA_STORE_ID</span><span class="p">,</span> <span class="nx">request</span> <span class="p">);</span> <span class="k">return</span> <span class="o">!!</span><span class="nx">allowed</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Does it need a lot of explanation? The OpenFGA version is objectively cleaner, more maintainable, and scales better as your authorization logic grows.</p> <h2> <a id="rebac-and-openfga-concepts"></a> ReBAC and OpenFGA concepts [▓▓▓░░░░] </h2> <p>I'll walk you through ReBAC using PurrfectSitter ©, a cat sitting app where owners find sitters. Real problems, real solutions.<br> As trivial as it sounds, this example shows:</p> <ul> <li>Role-based access control (RBAC) for admins</li> <li>Attribute-based access control (status-driven permissions)</li> <li>Time-based access control</li> <li>Resource ownership and management</li> </ul> <h3> Three Building Blocks </h3> <p>ReBAC builds authorization from three simple pieces:</p> <h4> Types: Entities in Your App </h4> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">type user</span> <span class="s">type system</span> <span class="s">type cat</span> <span class="s">type cat_sitting</span> <span class="s">type review</span> </code></pre> </div> <p>These map to your app's core entities:</p> <ul> <li> <code>user</code>: 👤 People using your app</li> <li> <code>system</code>: 🏢 Admin access controls</li> <li> <code>cat</code>: 🐱 Furry clients needing care</li> <li> <code>cat_sitting</code>: 🏠 A sitting arrangement</li> <li> <code>review</code>: 📝 Post-sitting feedback</li> </ul> <p>Each <strong>type</strong> will declare relationships with other types - in the <strong>type definition</strong>.</p> <blockquote> <p>ℹ️ <em>In Ory Keto, these are called <strong>namespaces</strong>.</em></p> </blockquote> <h4> Objects: Instances of Types </h4> <p>In OpenFGA, an <strong>object</strong> is an instance of a type. For example:</p> <ul> <li> <code>user:bob</code>: A specific user named Bob</li> <li> <code>cat:romeo</code>: A specific cat named Romeo</li> <li> <code>system:development</code>: The development environment</li> <li> <code>cat_sitting:1</code>: The first cat sitting arrangement</li> <li> <code>review:1</code>: The first review</li> </ul> <p>Objects are the concrete entities your users interact with.</p> <h4> Users: The Actors </h4> <p>A <strong>user</strong> is an entity that is related to objects in your system. In our app, users can be:</p> <ul> <li>People (like Bob)</li> <li>Systems (like the PurrfectSitter development environment)</li> <li>Cats (like Romeo)</li> </ul> <blockquote> <p>ℹ️ <em>In Ory Keto, these are called <strong>subjects</strong>. I believe subject is less ambiguous than user, but OpenFGA uses user, so we will too.</em></p> </blockquote> <h4> Relations: How Things Connect </h4> <p>A <strong>relation</strong> defines how users interact with objects. For example:</p> <ul> <li> <code>user:bob owner cat:romeo</code>: Bob is the owner of Romeo</li> <li> <code>user:anne sitter cat_sitting:1</code>: Anne is the sitter for the first cat sitting arrangement</li> </ul> <p>Each <strong>relation</strong> (e.g., <code>admin</code>) evaluation logic is defined in the <strong>relation definition</strong> (e.g., <code>[user]</code>).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">type system</span> <span class="s">relations</span> <span class="s">define admin</span><span class="err">:</span> <span class="pi">[</span><span class="nv">user</span><span class="pi">]</span> <span class="s">type cat</span> <span class="s">relations</span> <span class="s">define owner</span><span class="err">:</span> <span class="pi">[</span><span class="nv">user</span><span class="pi">]</span> <span class="na">define admin</span><span class="pi">:</span> <span class="s">admin from system</span> <span class="na">define can_manage</span><span class="pi">:</span> <span class="s">owner or admin</span> <span class="na">define system</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">system</span><span class="pi">]</span> <span class="s">type cat_sitting</span> <span class="s">relations</span> <span class="s">define active_sitter</span><span class="err">:</span> <span class="pi">[</span><span class="nv">cat_sitting#sitter with is_active_timeslot</span><span class="pi">]</span> <span class="na">define can_post_updates</span><span class="pi">:</span> <span class="s">owner or active_sitter</span> <span class="na">define can_review</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">cat#owner with is_cat_sitting_completed</span><span class="pi">]</span> <span class="na">define cat</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">cat</span><span class="pi">]</span> <span class="na">define owner</span><span class="pi">:</span> <span class="s">owner from cat</span> <span class="na">define sitter</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">user</span><span class="pi">]</span> </code></pre> </div> <blockquote> <p>‼️ <em>For the sake of this example, we will assume that cats are owned by humans. We all know that, in reality, cats own us, not the other way around.</em></p> </blockquote> <p>OpenFGA computes relationships in several ways:</p> <ul> <li> <strong>Direct</strong>: <ul> <li> <code>system.admin</code> — A <em>user</em> can be an <strong>admin</strong> of the <em>system</em> </li> <li> <code>cat.owner</code> — A <em>user</em> can be a <em>cat</em> <strong>owner</strong> </li> <li> <code>cat.system</code> — A <em>system</em> can be assigned to a <em>cat</em> </li> <li> <code>cat_sitting.sitter</code> — A <em>user</em> can be a <strong>sitter</strong> for a <em>cat_sitting</em> </li> </ul> </li> <li> <strong>Implied</strong>: <ul> <li> <code>cat.admin: admin from system</code> — An <strong>admin</strong> is a <em>user</em> from the <em>system</em> </li> <li> <code>cat_sitting.owner: owner from cat</code> — The <em>cat_sitting</em> <strong>owner</strong> is the <em>cat</em> <strong>owner</strong> </li> </ul> </li> <li> <strong>Union</strong>: <ul> <li> <code>cat.can_manage</code> — either the <em>cat</em> <strong>owner</strong> or an <em>admin</em> from the <em>system</em> can manage the <em>cat</em> </li> <li> <code>cat_sitting.can_post_updates</code> — either the <em>cat_sitting</em> <strong>owner</strong> or an <em>active_sitter</em> can post updates</li> </ul> </li> <li> <strong>Conditional</strong>: <ul> <li> <code>cat_sitting.active_sitter</code> — Conditional relation between <em>user</em> and <em>cat_sitting</em> based on the outcome of the <code>is_active_timeslot</code> condition</li> <li> <code>cat_sitting.can_review</code> — Conditional relation between <em>user</em> and <em>cat_sitting</em> based on the outcome of the <code>is_cat_sitting_completed</code> condition</li> </ul> </li> </ul> <p>There are even more ways to express relationships, such as <strong>exclusion</strong>, <strong>intersection</strong> and <strong>nesting</strong>, you can find the complete <strong>configuration language</strong> reference in the <a href="https://openfga.dev/docs/configuration-language" rel="noopener noreferrer">OpenFGA documentation</a>.</p> <h3> The Complete Authorization Model </h3> <p>The ensemble of <strong>types</strong> and <strong>relations</strong> definitions forms the <strong>authorization model</strong>.<br> Here, the PurrfectSitter's authorization model in OpenFGA's configuration language (<strong>D</strong>omain-<strong>S</strong>pecific <strong>L</strong>anguage for the purist), defines how <strong>users</strong> interact with <strong>cats</strong>, <strong>cat sittings</strong>, and <strong>reviews</strong>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">model</span> <span class="s">schema </span><span class="m">1.1</span> <span class="s">type user</span> <span class="s">type system</span> <span class="s">relations</span> <span class="s">define admin</span><span class="err">:</span> <span class="pi">[</span><span class="nv">user</span><span class="pi">]</span> <span class="s">type cat</span> <span class="s">relations</span> <span class="s">define admin</span><span class="err">:</span> <span class="s">admin from system</span> <span class="s">define can_manage</span><span class="err">:</span> <span class="s">owner or admin</span> <span class="s">define owner</span><span class="err">:</span> <span class="pi">[</span><span class="nv">user</span><span class="pi">]</span> <span class="na">define system</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">system</span><span class="pi">]</span> <span class="s">type cat_sitting</span> <span class="s">relations</span> <span class="s">define admin</span><span class="err">:</span> <span class="s">admin from system</span> <span class="s">define active_sitter</span><span class="err">:</span> <span class="pi">[</span><span class="nv">cat_sitting#sitter with is_active_timeslot</span><span class="pi">]</span> <span class="na">define pending_sitter</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">cat_sitting#sitter with is_pending_timeslot</span><span class="pi">]</span> <span class="na">define can_post_updates</span><span class="pi">:</span> <span class="s">owner or active_sitter</span> <span class="na">define can_delete</span><span class="pi">:</span> <span class="s">admin or owner or pending_sitter</span> <span class="na">define can_view</span><span class="pi">:</span> <span class="s">admin or owner or sitter</span> <span class="na">define can_update</span><span class="pi">:</span> <span class="s">admin or owner or pending_sitter</span> <span class="na">define can_review</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">cat#owner with is_cat_sitting_completed</span><span class="pi">]</span> <span class="na">define cat</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">cat</span><span class="pi">]</span> <span class="na">define owner</span><span class="pi">:</span> <span class="s">owner from cat</span> <span class="na">define sitter</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">user</span><span class="pi">]</span> <span class="na">define system</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">system</span><span class="pi">]</span> <span class="s">type review</span> <span class="s">relations</span> <span class="s">define admin</span><span class="err">:</span> <span class="s">admin from system</span> <span class="s">define author</span><span class="err">:</span> <span class="s">owner from cat_sitting</span> <span class="s">define can_delete</span><span class="err">:</span> <span class="s">admin or author</span> <span class="s">define can_edit</span><span class="err">:</span> <span class="s">admin or author</span> <span class="s">define can_view</span><span class="err">:</span> <span class="pi">[</span><span class="nv">user</span><span class="pi">,</span> <span class="nv">user</span><span class="pi">:</span><span class="err">*</span><span class="pi">]</span> <span class="na">define cat</span><span class="pi">:</span> <span class="s">cat from cat_sitting</span> <span class="na">define cat_sitting</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">cat_sitting</span><span class="pi">]</span> <span class="na">define subject</span><span class="pi">:</span> <span class="s">sitter from cat_sitting</span> <span class="na">define system</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">system</span><span class="pi">]</span> <span class="na">condition is_active_timeslot(current_time</span><span class="pi">:</span> <span class="s">timestamp, end_time</span><span class="err">:</span> <span class="s">timestamp, start_time</span><span class="err">:</span> <span class="s">timestamp) {</span> <span class="s">current_time &gt;= start_time &amp;&amp; current_time &lt;= end_time</span> <span class="err">}</span> <span class="na">condition is_pending_timeslot(current_time</span><span class="pi">:</span> <span class="s">timestamp, start_time</span><span class="err">:</span> <span class="s">timestamp) {</span> <span class="s">current_time &lt; start_time</span> <span class="err">}</span> <span class="na">condition is_cat_sitting_completed(cat_sitting_attributes</span><span class="pi">:</span> <span class="s">map&lt;string&gt;, completed_statuses</span><span class="err">:</span> <span class="s">list&lt;string&gt;) {</span> <span class="s">cat_sitting_attributes["status"] in completed_statuses</span> <span class="err">}</span> </code></pre> </div> <p>Notice how readable, yet compact, this is — no complex SQL joins or nested conditions. The model captures business logic naturally.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5pr0ewnbahfpu06fc8ee.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5pr0ewnbahfpu06fc8ee.gif" alt="Nice one Johnny" width="480" height="480"></a></p> <h2> ✅ Checkpoint: Can You Answer These? </h2> <p>Before moving on, make sure you can answer:</p> <ol> <li>What's the difference between a user and an object?</li> <li>How do relations differ from roles?</li> <li>When would you use indirect relationships?</li> </ol> <p> <strong>Answers</strong> <ol> <li> <strong>User vs Object</strong>: A user is an entity (like a person), while an object is an instance of a type (like a specific cat or cat sitting arrangement). Users interact with objects through relations.</li> <li> <strong>Relations vs Roles</strong>: Relations define how entities connect (like "owner of cat"), while roles are broader categories (like "admin" or "sitter") that can have multiple relations.</li> <li> <strong>Indirect Relationships</strong>: Use these when you want to derive permissions from other relationships, like "can a sitter post updates if they are also the owner?" This allows for more flexible and dynamic permission checks.</li> </ol> </p> <h2> <a id="openfga-in-action"></a> OpenFGA in Action [▓▓▓░░░░] </h2> <p>Let's test our model with real scenarios. I use the OpenFGA CLI to initialize the authorization model, create relation tuples, check the permissions and run some querie but you can use any <a href="https://openfga.dev/docs/getting-started/install-sdk" rel="noopener noreferrer">other client SDK</a>.</p> <p><a href="https://github.com/codespaces/new?template_repository=getlarge/purrfect-sitter" class="crayons-btn crayons-btn--primary" rel="noopener noreferrer">Save some time, create a GitHub codespace</a> </p> <p>It will provide you a ready-to-use environment with all dependencies installed and external services running, so you can focus on running the examples in this article.</p> <h3> Setup OpenFGA </h3> <h4> <a id="creating-a-store-and-a-model"></a> 1. Creating a Store and a Model </h4> <p>First, create a store:</p> <div class="ltag_asciinema"> </div> <p>Then create the authorization model in the new store:</p> <div class="ltag_asciinema"> </div> <blockquote> <p>⚠️ <em>If you are using Codespaces, specify the API path with</em></p> <ul> <li><em>the flag <code>--api-url http://openfga:8080</code></em></li> <li><em>the environment variable <code>FGA_API_URL=http://openfga:8080</code></em></li> </ul> </blockquote> <h4> <a id="create-basic-relationships"></a> 2. Creating Basic Relationships </h4> <p>Bob owns Romeo, Anne sits for him. Simple.</p> <div class="ltag_asciinema"> </div> <h4> <a id="create-admins"></a> 3. Admin Powers </h4> <p>Jenny becomes a system admin who can manage any cat — traditional RBAC within ReBAC.</p> <div class="ltag_asciinema"> </div> <h4> <a id="time-based-conditions"></a> 4. Time Magic </h4> <p>Anne's permissions activate and deactivate automatically based on time. No cron jobs, no cleanup code — the authorization system handles it.</p> <div class="ltag_asciinema"> </div> <h4> <a id="state-based-conditions"></a> 5. Status-Driven Access </h4> <p>Reviews only make sense after sitting ends. OpenFGA enforces this business rule automatically, ABAC style.</p> <div class="ltag_asciinema"> </div> <h4> <a id="check-permissions-and-query-relations"></a> 6. Creating and Checking Review Permissions </h4> <p>Create a review and check who can edit or delete it. OpenFGA's query language shines here, allowing you to check permissions and also list objects a user can interact with.</p> <div class="ltag_asciinema"> </div> <h4> <a id="making-an-object-public"></a> 7. Making the Review Public </h4> <p>Control visibility using wildcards.</p> <div class="ltag_asciinema"> </div> <h3> Explore Relationships with OpenFGA Playground </h3> <p>You can visualize the relations graph and run queries in the <a href="https://openfga.dev/docs/getting-started/setup-openfga/playground" rel="noopener noreferrer">OpenFGA's Playground</a>.<br> I find it a great way to discover and understand relationships in your model and test queries interactively.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foh2yxuh779j5yesvpbkd.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foh2yxuh779j5yesvpbkd.png" alt="OpenFGA Playground generated from PurrfectSitter model" width="800" height="757"></a></p> <blockquote> <p>💡 <em>If you are using Codespaces, just open <code>http://localhost:8082/playground</code> in your browser.</em></p> </blockquote> <h2> <a id="testing-permissions-with-openfga-cli"></a> Testing permissions with OpenFGA CLI [▓▓▓▓░░░] </h2> <p>Another one of OpenFGA's strengths, is its built-in testing capabilities. The CLI provides a declarative way to test authorization models without writing application code.</p> <h3> Declarative Testing with YAML </h3> <p>Define tests in YAML and run with a single command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>fga model <span class="nb">test</span> <span class="nt">--tests</span> store.fga.yml </code></pre> </div> <p>...and forget about all the commands above 🙂. The <code>store.fga.yml</code> file contains everything you need to create the model and tuples, and run the tests before writing application code!</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0070607tzcn3ftm139yb.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0070607tzcn3ftm139yb.gif" alt="Thank goodness" width="480" height="360"></a></p> <p>Let's look at the <code>store.fga.yml</code> file that tests our PurrfectSitter model:</p> <h4> The authorization model </h4> <p>This is the model we defined earlier, but in YAML format for the OpenFGA CLI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">model</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">model</span> <span class="s">schema 1.1</span> <span class="s"># Our full model definition goes here...</span> </code></pre> </div> <blockquote> <p>ℹ️ <em>The model section is the same as the one we defined earlier, but in YAML format for the OpenFGA CLI.</em></p> </blockquote> <h4> The tuples </h4> <p>This section defines the relationships (tuples) in our model. Each tuple represents a relationship between a user and an object, along with the relation type.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">model</span><span class="pi">:</span> <span class="c1"># ...</span> <span class="na">tuples</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">user</span><span class="pi">:</span> <span class="s">user:jenny</span> <span class="na">relation</span><span class="pi">:</span> <span class="s">admin</span> <span class="na">object</span><span class="pi">:</span> <span class="s">system:development</span> <span class="pi">-</span> <span class="na">user</span><span class="pi">:</span> <span class="s">user:bob</span> <span class="na">relation</span><span class="pi">:</span> <span class="s">owner</span> <span class="na">object</span><span class="pi">:</span> <span class="s">cat:romeo</span> <span class="pi">-</span> <span class="na">user</span><span class="pi">:</span> <span class="s">system:development</span> <span class="na">relation</span><span class="pi">:</span> <span class="s">system</span> <span class="na">object</span><span class="pi">:</span> <span class="s">cat:romeo</span> <span class="pi">-</span> <span class="na">user</span><span class="pi">:</span> <span class="s">cat:romeo</span> <span class="na">relation</span><span class="pi">:</span> <span class="s">cat</span> <span class="na">object</span><span class="pi">:</span> <span class="s">cat_sitting:1</span> <span class="pi">-</span> <span class="na">user</span><span class="pi">:</span> <span class="s">user:anne</span> <span class="na">relation</span><span class="pi">:</span> <span class="s">sitter</span> <span class="na">object</span><span class="pi">:</span> <span class="s">cat_sitting:1</span> <span class="pi">-</span> <span class="na">user</span><span class="pi">:</span> <span class="s">cat_sitting:1#sitter</span> <span class="na">relation</span><span class="pi">:</span> <span class="s">active_sitter</span> <span class="na">object</span><span class="pi">:</span> <span class="s">cat_sitting:1</span> <span class="na">condition</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">is_active_timeslot</span> <span class="na">context</span><span class="pi">:</span> <span class="na">start_time</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2023-01-01T00:00:00Z'</span> <span class="na">end_time</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2023-01-02T00:00:00Z'</span> <span class="pi">-</span> <span class="na">user</span><span class="pi">:</span> <span class="s">cat:romeo#owner</span> <span class="na">relation</span><span class="pi">:</span> <span class="s">can_review</span> <span class="na">object</span><span class="pi">:</span> <span class="s">cat_sitting:1</span> <span class="na">condition</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">is_cat_sitting_completed</span> <span class="na">context</span><span class="pi">:</span> <span class="na">completed_statuses</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">completed'</span><span class="pi">]</span> <span class="pi">-</span> <span class="na">user</span><span class="pi">:</span> <span class="s">system:development</span> <span class="na">relation</span><span class="pi">:</span> <span class="s">system</span> <span class="na">object</span><span class="pi">:</span> <span class="s">review:1</span> <span class="pi">-</span> <span class="na">user</span><span class="pi">:</span> <span class="s">cat_sitting:1</span> <span class="na">relation</span><span class="pi">:</span> <span class="s">cat_sitting</span> <span class="na">object</span><span class="pi">:</span> <span class="s">review:1</span> <span class="pi">-</span> <span class="na">user</span><span class="pi">:</span> <span class="s">user:*</span> <span class="na">relation</span><span class="pi">:</span> <span class="s">can_view</span> <span class="na">object</span><span class="pi">:</span> <span class="s">review:1</span> </code></pre> </div> <h4> The tests </h4> <p>This section defines the tests that will be run against the model and tuples. Each test checks specific permissions or relationships.</p> <p>The example demonstrates several test types:</p> <ol> <li> <strong>Basic permission checks</strong>: Simple assertions about relationships</li> <li> <strong>Contextual checks</strong>: Testing time-based permissions</li> <li> <strong>Attribute-based checks</strong>: Testing permissions depending on object attributes</li> <li> <strong>List objects</strong>: Finding objects a user has relationships with</li> <li> <strong>List users</strong>: Finding users with relationships to an object </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">model</span><span class="pi">:</span> <span class="c1"># ...</span> <span class="na">tuples</span><span class="pi">:</span> <span class="c1"># ...</span> <span class="na">tests</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Test basic relations</span> <span class="na">check</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">user</span><span class="pi">:</span> <span class="s">user:anne</span> <span class="na">object</span><span class="pi">:</span> <span class="s">cat_sitting:1</span> <span class="na">assertions</span><span class="pi">:</span> <span class="na">sitter</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">user</span><span class="pi">:</span> <span class="s">user:bob</span> <span class="na">object</span><span class="pi">:</span> <span class="s">cat_sitting:1</span> <span class="na">assertions</span><span class="pi">:</span> <span class="na">owner</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Test role access</span> <span class="na">check</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">user</span><span class="pi">:</span> <span class="s">user:jenny</span> <span class="na">object</span><span class="pi">:</span> <span class="s">cat:romeo</span> <span class="na">assertions</span><span class="pi">:</span> <span class="na">can_manage</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">user</span><span class="pi">:</span> <span class="s">user:bob</span> <span class="na">object</span><span class="pi">:</span> <span class="s">cat:romeo</span> <span class="na">assertions</span><span class="pi">:</span> <span class="na">can_manage</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">user</span><span class="pi">:</span> <span class="s">user:anne</span> <span class="na">object</span><span class="pi">:</span> <span class="s">cat:romeo</span> <span class="na">assertions</span><span class="pi">:</span> <span class="na">can_manage</span><span class="pi">:</span> <span class="kc">false</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Test temporal access</span> <span class="na">check</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">user</span><span class="pi">:</span> <span class="s">user:anne</span> <span class="na">object</span><span class="pi">:</span> <span class="s">cat_sitting:1</span> <span class="na">context</span><span class="pi">:</span> <span class="na">current_time</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2023-01-01T00:10:00Z'</span> <span class="na">assertions</span><span class="pi">:</span> <span class="na">active_sitter</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">user</span><span class="pi">:</span> <span class="s">user:anne</span> <span class="na">object</span><span class="pi">:</span> <span class="s">cat_sitting:1</span> <span class="na">context</span><span class="pi">:</span> <span class="na">current_time</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2023-01-04T00:00:00Z'</span> <span class="na">assertions</span><span class="pi">:</span> <span class="na">active_sitter</span><span class="pi">:</span> <span class="kc">false</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Test attribute access</span> <span class="na">check</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">user</span><span class="pi">:</span> <span class="s">user:bob</span> <span class="na">object</span><span class="pi">:</span> <span class="s">cat_sitting:1</span> <span class="na">context</span><span class="pi">:</span> <span class="na">cat_sitting_attributes</span><span class="pi">:</span> <span class="na">status</span><span class="pi">:</span> <span class="s1">'</span><span class="s">completed'</span> <span class="na">assertions</span><span class="pi">:</span> <span class="na">can_review</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">user</span><span class="pi">:</span> <span class="s">user:bob</span> <span class="na">object</span><span class="pi">:</span> <span class="s">cat_sitting:1</span> <span class="na">context</span><span class="pi">:</span> <span class="na">cat_sitting_attributes</span><span class="pi">:</span> <span class="na">status</span><span class="pi">:</span> <span class="s1">'</span><span class="s">in_progress'</span> <span class="na">assertions</span><span class="pi">:</span> <span class="na">can_review</span><span class="pi">:</span> <span class="kc">false</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Test the cat sitting that anne is sitting</span> <span class="na">list_objects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">user</span><span class="pi">:</span> <span class="s">user:anne</span> <span class="na">type</span><span class="pi">:</span> <span class="s">cat_sitting</span> <span class="na">context</span><span class="pi">:</span> <span class="na">current_time</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2023-01-01T00:00:01Z'</span> <span class="na">assertions</span><span class="pi">:</span> <span class="na">active_sitter</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">cat_sitting:1</span> <span class="na">sitter</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">cat_sitting:1</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Test the review that bob can edit</span> <span class="na">list_objects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">user</span><span class="pi">:</span> <span class="s">user:bob</span> <span class="na">type</span><span class="pi">:</span> <span class="s">review</span> <span class="na">assertions</span><span class="pi">:</span> <span class="na">can_edit</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">review:1</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Test that reviews are public</span> <span class="na">list_users</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">object</span><span class="pi">:</span> <span class="s">review:1</span> <span class="na">user_filter</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">type</span><span class="pi">:</span> <span class="s">user</span> <span class="na">assertions</span><span class="pi">:</span> <span class="na">can_view</span><span class="pi">:</span> <span class="na">users</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">user:*</span> </code></pre> </div> <blockquote> <p>👋 <em>You can find <code>store.fga.yml</code> in the <a href="https://github.com/getlarge/purrfect-sitter/blob/main/store.fga.yml" rel="noopener noreferrer">demo repository</a>.</em></p> </blockquote> <div class="ltag_asciinema"> </div> <h3> Testing During Adoption </h3> <p>These testing capabilities help when adopting OpenFGA:</p> <ul> <li>Validate models against business rules</li> <li>Verify permissions match the old system during migration</li> <li>Compare results with your existing system in shadow mode</li> <li>Prevent regressions with CI pipeline tests</li> </ul> <p>Including tests in your workflow reduces authorization errors and builds confidence in your implementation.</p> <h2> ✅ Checkpoint II: Can You Answer These? </h2> <p>Have you read carefully the previous sections? If so, you should be able to answer:</p> <ol> <li>Can you list objects a user has relationships with?</li> <li>Can you list users with relationships to an object?</li> <li>Can you make an object public to all users?</li> </ol> <p> <strong>Answers</strong> <ol> <li><p><strong>List Objects</strong>: Yes, you can use the <a href="https://openfga.dev/docs/getting-started/perform-list-objects" rel="noopener noreferrer">list-objects</a> command to find objects a user has relationships with, like finding all cat sittings where a user is an active sitter.</p></li> <li><p><strong>List Users</strong>: Yes, if you have a relationship that connects users to objects, you can use the <a href="https://openfga.dev/docs/getting-started/perform-list-users" rel="noopener noreferrer">list-users</a> command to find users with relationships to an object, like finding all users who can view a specific review.</p></li> <li><p><strong>Public Objects</strong>: Make an object public by adding a relation that allows all users to access it, like granting <code>user:*</code> permission on the object as I showed you in this example</p></li> </ol> </p> <h2> <a id="adoption-challenges-and-strategies"></a> Adoption Challenges and Strategies [▓▓▓▓▓▓░] </h2> <p>As good as this tool is, adopting OpenFGA in existing systems presents challenges.</p> <h3> Mental Model Shift </h3> <p>ReBAC requires a paradigm shift for developers:</p> <ul> <li> <strong>Mental model adjustment</strong>: Developers familiar with RBAC or ABAC need time to think in relationships.</li> <li> <strong>Training investment</strong>: Workshops and examples help teams translate existing rules into relationship models.</li> </ul> <h3> Data Synchronization </h3> <p>This is probably the most challenging aspect of adopting OpenFGA, especially if you have an existing database with complex permissions.</p> <ul> <li> <strong>Dual writes</strong>: Applications must write to both their database and OpenFGA.</li> <li> <strong>Synchronization strategies</strong>: <ul> <li>Event-driven synchronization through message queues</li> <li>Centralized hooks for database operations</li> <li>Transactional outbox pattern for consistency</li> <li>Background jobs for existing data</li> </ul> </li> </ul> <p>Read this excellent article 👇 about dual writes in distributed systems. It will surely help you understand strategies for synchronizing data between your applications' DB and OpenFGA.</p> <div class="crayons-card c-embed text-styles text-styles--secondary"> <div class="c-embed__content"> <div class="c-embed__cover"> <a href="https://auth0.com/blog/handling-the-dual-write-problem-in-distributed-systems/" class="c-link align-middle" rel="noopener noreferrer"> <img alt="" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fimages.ctfassets.net%2F23aumh6u8s0i%2F7opCVXMvjs6y4PKe74c34X%2Fd9a432edd8b4c5252dcf73c52fcbdb93%2FPasswordless-Authentication-hero.jpg" height="718" class="m-0" width="800"> </a> </div> <div class="c-embed__body"> <h2 class="fs-xl lh-tight"> <a href="https://auth0.com/blog/handling-the-dual-write-problem-in-distributed-systems/" rel="noopener noreferrer" class="c-link"> Handling the Dual-Write Problem in Distributed Systems | Auth0 </a> </h2> <p class="truncate-at-3"> The dual-write problem exists in distributed systems. Let's look at what it is and some of the most common strategies to mitigate it usin... </p> <div class="color-secondary fs-s flex items-center"> <img alt="favicon" class="c-embed__favicon m-0 mr-2 radius-0" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn.auth0.com%2Fwebsite%2Fwebsite%2Ffavicons%2Fauth0-favicon.svg" width="32" height="32"> auth0.com </div> </div> </div> </div> <h3> Progressive Adoption </h3> <p>It's going to be hard (and unwise) to convince your team to rewrite the entire authorization logic in OpenFGA, big-bang refactoring style. Instead, consider a <strong>progressive adoption</strong> strategy:</p> <h4> 1. Start with Coarse-Grained Permissions </h4> <p>Begin with your existing structure:</p> <ul> <li>Replicate your current RBAC model</li> <li>Add organization-level permissions</li> <li>Gradually introduce finer-grained controls</li> </ul> <h4> 2. Shadow Mode Implementation </h4> <p>Before switching fully:</p> <ul> <li>Run existing authorization alongside OpenFGA</li> <li>Compare results to identify discrepancies</li> <li>Build confidence before making the switch</li> </ul> <h4> 3. Use Contextual Tuples for Hybrid Implementations </h4> <p>Reduce synchronization burden:</p> <ul> <li>Send data as contextual tuples initially</li> <li>Gradually move to persistent relationship tuples</li> <li>Use contextual tuples for frequently changing data</li> </ul> <blockquote> <p>ℹ️ <em>Read more about this technique in the <a href="https://openfga.dev/docs/best-practices/adoption-patterns#provide-request-level-data" rel="noopener noreferrer">OpenFGA documentation</a>.</em></p> </blockquote> <h3> Managing Organizational Adoption </h3> <p>For large organizations:</p> <ul> <li>Start with a single application where OpenFGA delivers immediate value</li> <li>Use modular models for independent team control</li> <li>Leverage access control for team-specific credentials</li> </ul> <h2> <a id="your-next-move"></a> Your Next Move [▓▓▓▓▓▓▓] </h2> <p>Complex policies doesn't have to mean complex code. OpenFGA's ReBAC model simplifies permissions into relationships, making your authorization logic more maintainable and scalable.</p> <p>Ready to get started? Here's your roadmap:</p> <ol> <li>Read in details the <a href="https://github.com/getlarge/purrfect-sitter/blob/main/purrfect-sitter-model.fga" rel="noopener noreferrer">PurrfectSitter's authorization model</a> </li> <li>Draw inspiration from the <a href="https://github.com/getlarge/purrfect-sitter/blob/main/apps/purrfect-sitter/src/main.ts" rel="noopener noreferrer">Purrfect Sitter Fastify API</a> </li> <li>Adapt it to your domain</li> <li>Watch complex permission logic become simple relationship definitions.</li> <li>Get in touch with me for some deep-dive into performance characteristics, monitoring, and production deployment patterns 😉</li> <li>If you want to show your appreciation, give those repositories a ⭐️ on GitHub. 👇</li> </ol> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://assets.dev.to/assets/github-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/getlarge" rel="noopener noreferrer"> getlarge </a> / <a href="https://github.com/getlarge/purrfect-sitter" rel="noopener noreferrer"> purrfect-sitter </a> </h2> <h3> A cat sitting management application to showcase OpenFGA </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"> <div class="markdown-heading"> <h1 class="heading-element">Purrfect Sitter</h1> </div> <p>A cat sitting application with dual authorization strategies This is the support project for the <a href="https://dev.to/this-is-learning/how-to-protect-your-api-with-openfga-from-rebac-concepts-to-practical-usage-4n9j" rel="nofollow">How to Protect Your API with OpenFGA</a> article.</p> <p><a rel="noopener noreferrer nofollow" href="https://camo.githubusercontent.com/8c64eba4153dba5f2c3b33d76ce10405802734e5c19069d2ca74a477b1f52300/68747470733a2f2f6465762d746f2d75706c6f6164732e73332e616d617a6f6e6177732e636f6d2f75706c6f6164732f61727469636c65732f66616f79626f6a3469686a726e336d73796e63342e706e67"><img src="https://camo.githubusercontent.com/8c64eba4153dba5f2c3b33d76ce10405802734e5c19069d2ca74a477b1f52300/68747470733a2f2f6465762d746f2d75706c6f6164732e73332e616d617a6f6e6177732e636f6d2f75706c6f6164732f61727469636c65732f66616f79626f6a3469686a726e336d73796e63342e706e67" alt="An anonymous developer surrounded by cats"></a></p> An anonymous developer surrounded by cats <div class="markdown-heading"> <h2 class="heading-element">Architecture</h2> </div> <div class="markdown-heading"> <h3 class="heading-element">Core Application</h3> </div> <ul> <li>Fastify-based API</li> <li>User authentication with Ory Kratos</li> <li>Core models: User, Cat, CatSitting, Review</li> <li>TypeBox for JSON Schema validation</li> <li>Drizzle ORM for database access</li> <li>OpenFGA for fine-grained authorization</li> </ul> <div class="markdown-heading"> <h3 class="heading-element">NX Workspace Structure</h3> </div> <div class="snippet-clipboard-content notranslate position-relative overflow-auto"><pre class="notranslate"><code>apps/ purrfect-sitter/ # Main Fastify application purrfect-sitter-e2e/ # End-to-end tests libs/ # Domain-specific libraries database/ # Database schema and repositories models/ # DTOs and validation schemas auth/ # Authentication and authorization cats/ # Cats domain business logic cat-sittings/ # Cat sittings domain business logic reviews/ # Reviews domain business logic </code></pre></div> <div class="markdown-heading"> <h3 class="heading-element">Authorization Strategies</h3> </div> <p>This application implements two authorization strategies that can be toggled via environment variables:</p> <ol> <li> <p><strong>Database Lookups</strong> (<code>AUTH_STRATEGY=db</code>)</p> <ul> <li>Traditional database queries to check permissions</li> <li>Uses JOINs and WHERE clauses for relationship checks</li> <li>Direct SQL…</li> </ul> </li> </ol> </div> </div> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/getlarge/purrfect-sitter" rel="noopener noreferrer">View on GitHub</a></div> </div> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://assets.dev.to/assets/github-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/openfga" rel="noopener noreferrer"> openfga </a> / <a href="https://github.com/openfga/openfga" rel="noopener noreferrer"> openfga </a> </h2> <h3> A high performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"> <div> <p><a rel="noopener noreferrer" href="https://github.com/openfga/openfga/./openfga-logo.png"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fopenfga%2Fopenfga%2FHEAD%2F.%2Fopenfga-logo.png" alt="OpenFGA Logo"></a></p> <div class="markdown-heading"> <h1 class="heading-element">OpenFGA</h1> </div> <p><a href="https://openfga.dev/community" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/1af28927cb33d2f059334afe01927fc1085e1b381c44f63c02fe35dc07d7ef41/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f736c61636b2d636e63665f2532336f70656e6667612d3430616262382e7376673f6c6f676f3d736c61636b" alt="Join our community"></a> <a href="https://deepwiki.com/openfga/openfga" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/86bbe538660d18e0c28f8761215a0bee9d1bfc846c4ae9e4769db41d1a82450f/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f4465657057696b692d6f70656e6667612532466f70656e6667612d626c75652e7376673f6c6f676f3d646174613a696d6167652f706e673b6261736536342c6956424f5277304b47676f414141414e53556845556741414143774141414179434159414141416e57446e714141414141584e535230494172733463365141414130354a52454655614550746d557479457a4551687457545179514c484e616b324142375a6e79585a4d456a584d47654b2f4149692b517548724d6e6243685959374d496838673031664a6f6f70466230756868457171636257547030362f7576317361454476344f336e33645636305266503934374d6d392f5351633049434651677a66633443595a6f545041737767534a4343554a556e41416f52484f41554f63415477626d564c5764476f482f2f5042386d6e4b71536341687344306b5950336a2f5974354c505165324b7663586d4776524863446e7078664c327a4f594a316d467772727957547a306164767631557434434a67663575684475446a3565556341556f61687264592f353665625257657261546a4d742f30305368335544746a674874514e48776352474f433938424a454145796d79636d596357774f70725467634236565a354a4b3554414a2b6658474c426d334644416d6e366f50506a5234724b43416f4a43616c326541695170327830767854504233414c4f3243526b776d447935576f687a4244775345464b527750626b6e4567674350422f696d77727963677858324e7a6f4d434868506b447771594d72397452635035714e724d5a486b566e4f6a524d57774c436372386f68425662314f4d6a784c774743766a54696b7273424f694136664e7943726d38563172503933695650707761452b674f305373576d506958422b6a696b64663653697a725435714b617378356a3841426248704654782b7646587039456e59516d4c7830326831515454726c36654471784c6e476a706f72786c334e4c336167457658645430576d456f737436343873514f5941654a53395137626655566f4d476e6a6f34415a64554d516b7535304d6344634d57634250767230537a625441464466764a71774c7a67787741546e43676e703477446c3641612b41783238336767686d6a2b766a37666545324b4242524d5733467a4f704c4f41446c3049736235353837682f55346747766b74357636305a31564c47384268596a627a527779515a656d77416436634352352f5846574c595a52494d70583339415230746a61474769477a4c5679687365354339524b433661693432707057504b694261674f7661596b386c4f3744616a657261624f5a5034364c627935774b6a77314843527837703973564d4f57477a622f7641316877695763366a6d334d765144546f67516b697149684a56306e42514254552b336f6b4b434644793957776665726b486a74786962377433784955517448786e49777478346d706732362f486677564e564462346f493952486d78355747656c52566c7274697734337a626f434c6178763436415a654233496c546b776f75656254723179324e6a5370487a3638574e466a487675707933713854466e33486f733249416b344a753564436f3842337750375650722f4647614b69472b542b762b54517149724f714d544c31566457563144646d63624f384b58427a3665736d5957594b5077444c35623546413161306877617048696f6d30722f634b616f71722b32372f58637253355577534d625141414141424a52553545726b4a6767673d3d" alt="DeepWiki"></a> <a href="https://pkg.go.dev/github.com/openfga/openfga" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/62311d24e520b1e4b51d3da006531713abc73b8341cbdaab1060efbbc80403c7/68747470733a2f2f706b672e676f2e6465762f62616467652f6769746875622e636f6d2f6f70656e6667612f6f70656e6667612e737667" alt="Go Reference"></a> <a rel="noopener noreferrer nofollow" href="https://camo.githubusercontent.com/45cddeca948720749c64633633de288d8f4f4f21edaa98299c906339d3411333/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f762f72656c656173652f6f70656e6667612f6f70656e6667613f736f72743d73656d76657226636f6c6f723d677265656e"><img src="https://camo.githubusercontent.com/45cddeca948720749c64633633de288d8f4f4f21edaa98299c906339d3411333/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f762f72656c656173652f6f70656e6667612f6f70656e6667613f736f72743d73656d76657226636f6c6f723d677265656e" alt="GitHub release (latest SemVer)"></a> <a href="https://hub.docker.com/r/openfga/openfga/tags" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/20068d834aa28f358bab4a77235bcc490d403b85530c060f903a1d506e6f2b29/68747470733a2f2f696d672e736869656c64732e696f2f646f636b65722f70756c6c732f6f70656e6667612f6f70656e666761" alt="Docker Pulls"></a> <a href="https://app.codecov.io/gh/openfga/openfga" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/3b804d3b9b2fe497663ae7c6c3fcbaa113a96784cd187e79d8584013e662204f/68747470733a2f2f696d672e736869656c64732e696f2f636f6465636f762f632f6769746875622f6f70656e6667612f6f70656e666761" alt="Codecov"></a> <a href="https://goreportcard.com/report/github.com/openfga/openfga" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/d38b039069e9f851f6fa7a7054574ba79b0728d8bbbf93650f8200639a0b04f6/68747470733a2f2f676f7265706f7274636172642e636f6d2f62616467652f6769746875622e636f6d2f6f70656e6667612f6f70656e666761" alt="Go Report"></a> <a href="https://bestpractices.coreinfrastructure.org/projects/6374" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/45419164499d5394f5a2c35e21c204c3333b312684c859549724fccf274e89f4/68747470733a2f2f626573747072616374696365732e636f7265696e6672617374727563747572652e6f72672f70726f6a656374732f363337342f6261646765" alt="CII Best Practices"></a> <a href="https://app.fossa.com/projects/git%2Bgithub.com%2Fopenfga%2Fopenfga?ref=badge_shield" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/bef4aa81afbc0cacc2aae993ff14f8c13b688533ec88cc6ffd9048df9275510e/68747470733a2f2f6170702e666f7373612e636f6d2f6170692f70726f6a656374732f6769742532426769746875622e636f6d2532466f70656e6667612532466f70656e6667612e7376673f747970653d736869656c64" alt="FOSSA Status"></a> <a href="https://artifacthub.io/packages/helm/openfga/openfga" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/60e76d2b195ead6429362291c1e810ff37f992e2fd592c647f64a95171061665/68747470733a2f2f696d672e736869656c64732e696f2f656e64706f696e743f75726c3d68747470733a2f2f61727469666163746875622e696f2f62616467652f7265706f7369746f72792f6f70656e666761" alt="Artifact HUB"></a> <a href="https://securityscorecards.dev/viewer/?uri=github.com/openfga/openfga" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/bc4da413504ba775667612ad1f09eda9581eda6fab9551ee8ca19e5621408f92/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f6f70656e6667612f6f70656e6667612f6261646765" alt="OpenSSF Scorecard"></a> <a href="https://slsa.dev" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/dc294f15fb5f1c96307863a1e96860310be940504e7ee370cee94bf4400cbac9/68747470733a2f2f736c73612e6465762f696d616765732f67682d62616467652d6c6576656c332e737667" alt="SLSA 3"></a></p> </div> <p><strong>OpenFGA</strong> is a high-performance, flexible authorization/permission engine inspired by <a href="https://research.google/pubs/pub48190/" rel="nofollow noopener noreferrer">Google Zanzibar</a> It helps developers easily model and enforce fine-grained access control in their applications.</p> <div class="markdown-heading"> <h2 class="heading-element">Highlights</h2> </div> <ul> <li>⚡ High-performance, developer-friendly APIs (HTTP &amp; gRPC)</li> <li>🔌 Flexible storage backends (In-Memory, PostgreSQL, MySQL, SQLite beta)</li> <li>🧰 SDKs for <a href="https://central.sonatype.com/artifact/dev.openfga/openfga-sdk" rel="nofollow noopener noreferrer">Java</a>, <a href="https://www.npmjs.com/package/@openfga/sdk" rel="nofollow noopener noreferrer">Node.js</a>, <a href="https://github.com/openfga/go-sdk" rel="noopener noreferrer">Go</a>, <a href="https://github.com/openfga/python-sdk" rel="noopener noreferrer">Python</a>, <a href="https://www.nuget.org/packages/OpenFga.Sdk" rel="nofollow noopener noreferrer">.NET</a> </li> <li>🌐 Several additional SDKs and tools <a href="https://github.com/openfga/community#community-projects" rel="noopener noreferrer">contributed by the community</a> </li> <li>🧪 <a href="https://github.com/openfga/cli" rel="noopener noreferrer">CLI</a> for interacting with an OpenFGA server and <a href="https://openfga.dev/docs/modeling/testing" rel="nofollow noopener noreferrer">testing authorization models</a> </li> <li>🌿 <a href="https://github.com/openfga/terraform-provider-openfga" rel="noopener noreferrer">Terraform Provider</a> for configuring OpenFGA servers as code</li> <li>🎮 <a href="https://openfga.dev/docs/getting-started/setup-openfga/playground" rel="nofollow noopener noreferrer">Playground</a> for modeling and testing</li> <li>🛠 Can also be embedded as a <a href="https://pkg.go.dev/github.com/openfga/openfga/pkg/server#example-NewServerWithOpts" rel="nofollow noopener noreferrer">Go library</a> </li> <li>🤝 Adopted by <a href="https://fga.dev" rel="nofollow noopener noreferrer">Auth0</a>, <a href="https://grafana.com/" rel="nofollow noopener noreferrer">Grafana Labs</a>, <a href="https://canonical.com/" rel="nofollow noopener noreferrer">Canonical</a>, <a href="https://docker.com" rel="nofollow noopener noreferrer">Docker</a>, <a href="https://agicap.com" rel="nofollow noopener noreferrer">Agicap</a>, <a href="https://read.ai" rel="nofollow noopener noreferrer">Read.AI</a> and <a href="https://github.com/openfga/community/blob/main/ADOPTERS.md" rel="noopener noreferrer">others</a> </li> </ul> <div class="markdown-heading"> <h2 class="heading-element">Table of Contents</h2> </div> <ul> <li><a href="https://github.com/openfga/openfga#quickstart" rel="noopener noreferrer">Quickstart</a></li> <li> <a href="https://github.com/openfga/openfga#installation" rel="noopener noreferrer">Installation</a> <ul> <li><a href="https://github.com/openfga/openfga#docker" rel="noopener noreferrer">Docker</a></li> <li><a href="https://github.com/openfga/openfga#docker-compose" rel="noopener noreferrer">Docker Compose</a></li> <li><a href="https://github.com/openfga/openfga#homebrew" rel="noopener noreferrer">Homebrew</a></li> <li><a href="https://github.com/openfga/openfga#precompiled-binaries" rel="noopener noreferrer">Precompiled Binaries</a></li> <li><a href="https://github.com/openfga/openfga#build-from-source" rel="noopener noreferrer">Build from Source</a></li> <li><a href="https://github.com/openfga/openfga#verify-installation" rel="noopener noreferrer">Verify Installation</a></li> </ul> </li> <li><a href="https://github.com/openfga/openfga#playground" rel="noopener noreferrer">Playground</a></li> <li><a href="https://github.com/openfga/openfga#next-steps" rel="noopener noreferrer">Next Steps</a></li> <li><a href="https://github.com/openfga/openfga#limitations" rel="noopener noreferrer">Limitations</a></li> <li><a href="https://github.com/openfga/openfga#production-readiness" rel="noopener noreferrer">Production Readiness</a></li> <li><a href="https://github.com/openfga/openfga#contributing--community" rel="noopener noreferrer">Contributing &amp; Community</a></li> </ul> <div class="markdown-heading"> <h2 class="heading-element">Quickstart</h2> </div> <div class="markdown-alert markdown-alert-important"> <p class="markdown-alert-title">Important</p> <p>The following steps are meant…</p> </div> </div> </div> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/openfga/openfga" rel="noopener noreferrer">View on GitHub</a></div> </div> <p>Your future self will thank you for choosing relationships over nested IF statements.</p> <div class="ltag__user ltag__user__id__1253749"> <a href="/getlarge" class="ltag__user__link profile-image-link"> <div class="ltag__user__pic"> <img src="https://media2.dev.to/dynamic/image/width=150,height=150,fit=cover,gravity=auto,format=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1253749%2Fc4b87a1b-784c-491c-ab9e-1cd2a4df299c.jpeg" alt="getlarge image"> </div> </a> <div class="ltag__user__content"> <h2> <a class="ltag__user__link" href="/getlarge">Edouard Maleix</a>Follow </h2> <div class="ltag__user__summary"> <a class="ltag__user__link" href="/getlarge">I am a Senior Software Engineer, focusing on distributed systems, application security and developer productivity/creativity. Based in Vienna 🥐, Austria.</a> </div> </div> </div> <h2> References </h2> <ul> <li><a href="https://openfga.dev/docs" rel="noopener noreferrer">OpenFGA Documentation</a></li> <li><a href="https://github.com/openfga/openfga" rel="noopener noreferrer">OpenFGA GitHub Repository</a></li> <li><a href="https://zanzibar.academy" rel="noopener noreferrer">Zanzibar Academy</a></li> <li><a href="https://storage.googleapis.com/gweb-research2023-media/pubtools/5068.pdf" rel="noopener noreferrer">Google's Zanzibar Paper</a></li> <li><a href="https://www.ory.sh/keto/docs/" rel="noopener noreferrer">Ory Keto Documentation</a></li> <li><a href="https://openfga.dev/docs/best-practices/running-in-production" rel="noopener noreferrer">OpenFGA production best practices</a></li> </ul> tutorial openfga authorization security Building Single Executable Applications with Node.js Edouard Maleix Mon, 17 Mar 2025 10:50:00 +0000 https://dev.to/playfulprogramming/building-single-executable-applications-with-nodejs-16k3 https://dev.to/playfulprogramming/building-single-executable-applications-with-nodejs-16k3 <blockquote> <p><em>"Can we upgrade to the latest Node.js version?"</em></p> </blockquote> <p>A few months ago, I did not imagine that this seemingly innocent question from a client would bring me so <strong>deep</strong> into the world of single executable applications, a.k.a. SEA, a.k.a. executable binaries.</p> <p>Their team had been using <a href="https://github.com/vercel/pkg" rel="noopener noreferrer">PKG</a> to package Node.js applications into standalone executables, but then they hit a roadblock - PKG has been deprecated. While the community <a href="https://github.com/yao-pkg/pkg" rel="noopener noreferrer">fork</a> had kept pace with Node.js evolution (even working on Node.js v22), the constant changes to Node.js internals made maintaining these patches challenging. Each new <strong>Node.js version required adapting to internal changes</strong>, creating an ongoing maintenance effort that added complexity to their deployment pipeline.</p> <p>That's when I remembered hearing about Node.js <strong>Single Executable Applications (SEA)</strong> - a native feature. As someone who's spent years optimizing deployment pipelines and container strategies, I knew I had to explore this promising alternative.</p> <p>In this article, I'm sharing what I've learned about SEA, a feature that fundamentally shifts how we package and distribute Node.js applications. If you've encountered:</p> <ul> <li>Delays waiting for packaging tools to support new Node.js versions</li> <li>Complex configuration requirements for native modules</li> <li>The maintenance burden of keeping dependencies versions and build tools in sync with runtime</li> <li>The search for lighter, more portable deployment artifacts</li> </ul> <p>...then you'll find this exploration valuable.</p> <p>I'll take you through both the technical foundations and practical implementation of SEA, showing how it can simplify your deployment strategy while making your applications more portable and secure.</p> <h2> Table of contents </h2> <ol> <li>Two Worlds of Application Distribution</li> <li>Technical Foundation</li> <li>Practical Implementation</li> <li>Docker Integration</li> <li>Performance Benchmarks</li> <li>The Reality of Code Protection</li> <li>Conclusion</li> </ol> <h2> Two Worlds of Application Distribution </h2> <p>First, I want to distinguish between each distribution method.</p> <h3> Traditional Node.js Deployment </h3> <p>The conventional approach to Node.js deployment has several limitations:</p> <ul> <li> <strong>Fragmented Distribution</strong>: Source files, dependencies, and runtime are all separate pieces</li> <li> <strong>Environment Dependencies</strong>: Applications only work when the target environment has the exact right setup</li> <li> <strong>Configuration Fragility</strong>: Settings files must be correctly placed and formatted</li> <li> <strong>Version Constraints</strong>: The correct Node.js version must be present</li> </ul> <p>This creates a brittle deployment pipeline where one small misconfiguration can cause everything to fail.</p> <h3> Single Executable Applications Deployment </h3> <p>Single Executable Applications (SEA) represent a fundamental paradigm shift:</p> <ul> <li> <strong>Complete Self-Containment</strong>: Code, dependencies, assets, and runtime bundled in one binary</li> <li> <strong>Environment Independence</strong>: The application carries its environment with it</li> <li> <strong>Protected Configuration</strong>: Settings embedded and secured within the executable</li> <li> <strong>Deployment Simplicity</strong>: One file to deploy, one file to run</li> </ul> <p>This approach represents a <strong>shift-left</strong> in application delivery—moving deployment concerns from operations teams into the development process. With SEA, developers take ownership of packaging the entire application environment during development rather than leaving it to deployment time.</p> <p>The result? Applications that are more reliable, more secure, and significantly easier to deploy.</p> <h2> Technical Foundation </h2> <p>As a longtime Node.js developer, I was curious about how this feature was implemented. Let's peek under the hood!</p> <h3> The Anatomy of a SEA </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8uxdc8pfznc8zmjcfoas.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8uxdc8pfznc8zmjcfoas.png" alt="SEA Composition" width="800" height="301"></a></p> <p>A Single Executable Application builds in three distinct stages:</p> <ol> <li><strong>Collection Stage</strong></li> <li><strong>Virtual File System Stage</strong></li> <li><strong>Binary Integration Stage</strong></li> </ol> <h4> Collection Stage </h4> <p>This is where things start getting interesting! The SEA tooling gathers:</p> <ul> <li>JavaScript application code</li> <li>JSON configuration files</li> <li>Dependencies from <code>node_modules</code> </li> <li>Native add-ons</li> <li>Static assets</li> </ul> <h4> Virtual File System Stage </h4> <p>This is where the real magic happens. Instead of just bundling files, SEA creates a miniature in-memory filesystem that:</p> <ul> <li>Preserves directory structures exactly as they were</li> <li>Maintains file permissions</li> <li>Keeps symbolic links intact</li> <li>Retains original file paths</li> <li>Enables fast random access</li> </ul> <h4> Binary Integration Stage </h4> <p>The final step injects our virtual filesystem into the Node.js binary:</p> <ul> <li>Preserves execution ability</li> <li>Maintains code signing compatibility</li> <li>Enables runtime detection</li> <li>Supports cross-platform formats (Mach-O, PE, ELF)</li> </ul> <h2> Internals </h2> <p>The conductor behind the SEA orchestra is a small piece of C++ code in the Node.js source.</p> <blockquote> <p><strong>Note</strong> This is the nerdy part, feel free to jump to the Practical Implementation if you're more interested in hands-on examples.</p> </blockquote> <h3> SEA Configuration </h3> <p>The <a href="https://github.com/nodejs/node/blob/main/src/node_sea.cc" rel="noopener noreferrer"><code>node_sea.cc</code></a> evolves around the <code>SeaResource</code> structure.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight cpp"><code><span class="k">class</span> <span class="nc">SeaResource</span> <span class="p">{</span> <span class="nl">public:</span> <span class="k">static</span> <span class="k">constexpr</span> <span class="kt">uint32_t</span> <span class="n">kMagic</span> <span class="o">=</span> <span class="mh">0x1EA</span><span class="p">;</span> <span class="c1">// SEA magic number</span> <span class="k">static</span> <span class="k">constexpr</span> <span class="kt">size_t</span> <span class="n">kHeaderSize</span> <span class="o">=</span> <span class="mi">8</span><span class="p">;</span> <span class="c1">// Size of header</span> <span class="n">SeaFlags</span> <span class="n">flags</span><span class="p">;</span> <span class="n">std</span><span class="o">::</span><span class="n">string_view</span> <span class="n">code_path</span><span class="p">;</span> <span class="n">std</span><span class="o">::</span><span class="n">string_view</span> <span class="n">main_code_or_snapshot</span><span class="p">;</span> <span class="n">std</span><span class="o">::</span><span class="n">optional</span><span class="o">&lt;</span><span class="n">std</span><span class="o">::</span><span class="n">string_view</span><span class="o">&gt;</span> <span class="n">code_cache</span><span class="p">;</span> <span class="n">std</span><span class="o">::</span><span class="n">unordered_map</span><span class="o">&lt;</span><span class="n">std</span><span class="o">::</span><span class="n">string_view</span><span class="p">,</span> <span class="n">std</span><span class="o">::</span><span class="n">string_view</span><span class="o">&gt;</span> <span class="n">assets</span><span class="p">;</span> <span class="p">};</span> </code></pre> </div> <p>This structure shows us several critical design decisions:</p> <ol> <li>Use of a magic number (0x1EA) to identify the injected program during deserialization</li> <li>Support for both code and snapshots</li> <li>Optional location for code cache (we'll talk about it later)</li> <li>Asset storage in a key-value format</li> </ol> <h3> SEA Generation Process </h3> <p>The high-level process of the SEA creation is simple:</p> <ol> <li>Read the main (bundled) script</li> <li>Generate V8 snapshot if needed (I will talk about snapshot later)</li> <li>Generate code cache if requested (I will talk about cache later)</li> <li>Processes and includes assets</li> <li>Serialize everything into a single Blob </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight cpp"><code><span class="n">ExitCode</span> <span class="nf">GenerateSingleExecutableBlob</span><span class="p">(</span><span class="k">const</span> <span class="n">SeaConfig</span><span class="o">&amp;</span> <span class="n">config</span><span class="p">,</span> <span class="k">const</span> <span class="n">std</span><span class="o">::</span><span class="n">vector</span><span class="o">&lt;</span><span class="n">std</span><span class="o">::</span><span class="n">string</span><span class="o">&gt;&amp;</span> <span class="n">args</span><span class="p">,</span> <span class="k">const</span> <span class="n">std</span><span class="o">::</span><span class="n">vector</span><span class="o">&lt;</span><span class="n">std</span><span class="o">::</span><span class="n">string</span><span class="o">&gt;&amp;</span> <span class="n">exec_args</span><span class="p">)</span> <span class="p">{</span> <span class="n">std</span><span class="o">::</span><span class="n">string</span> <span class="n">main_script</span><span class="p">;</span> <span class="n">ReadFileSync</span><span class="p">(</span><span class="o">&amp;</span><span class="n">main_script</span><span class="p">,</span> <span class="n">config</span><span class="p">.</span><span class="n">main_path</span><span class="p">.</span><span class="n">c_str</span><span class="p">());</span> <span class="k">if</span> <span class="p">(</span><span class="k">static_cast</span><span class="o">&lt;</span><span class="kt">bool</span><span class="o">&gt;</span><span class="p">(</span><span class="n">config</span><span class="p">.</span><span class="n">flags</span> <span class="o">&amp;</span> <span class="n">SeaFlags</span><span class="o">::</span><span class="n">kUseSnapshot</span><span class="p">))</span> <span class="p">{</span> <span class="n">GenerateSnapshotForSEA</span><span class="p">(...);</span> <span class="p">}</span> <span class="k">if</span> <span class="p">(</span><span class="k">static_cast</span><span class="o">&lt;</span><span class="kt">bool</span><span class="o">&gt;</span><span class="p">(</span><span class="n">config</span><span class="p">.</span><span class="n">flags</span> <span class="o">&amp;</span> <span class="n">SeaFlags</span><span class="o">::</span><span class="n">kUseCodeCache</span><span class="p">))</span> <span class="p">{</span> <span class="n">GenerateCodeCache</span><span class="p">(</span><span class="n">config</span><span class="p">.</span><span class="n">main_path</span><span class="p">,</span> <span class="n">main_script</span><span class="p">);</span> <span class="p">}</span> <span class="n">std</span><span class="o">::</span><span class="n">unordered_map</span><span class="o">&lt;</span><span class="n">std</span><span class="o">::</span><span class="n">string</span><span class="p">,</span> <span class="n">std</span><span class="o">::</span><span class="n">string</span><span class="o">&gt;</span> <span class="n">assets</span><span class="p">;</span> <span class="n">BuildAssets</span><span class="p">(</span><span class="n">config</span><span class="p">.</span><span class="n">assets</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">assets</span><span class="p">);</span> <span class="n">SeaSerializer</span> <span class="n">serializer</span><span class="p">;</span> <span class="n">serializer</span><span class="p">.</span><span class="n">Write</span><span class="p">(</span><span class="n">sea</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> Resource Injection </h3> <p>SEA uses the postject library to add our VFS as a new section in the binary file format.</p> <p>Different operating systems use different binary formats. Node.js support the following:</p> <ul> <li>macOS uses Mach-O</li> <li>Windows uses Portable Executable (PE)</li> <li>Linux uses ELF (Executable and Linkable Format) </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight cpp"><code><span class="n">std</span><span class="o">::</span><span class="n">string_view</span> <span class="nf">FindSingleExecutableBlob</span><span class="p">()</span> <span class="p">{</span> <span class="cp">#ifdef __APPLE__ </span> <span class="n">postject_options</span> <span class="n">options</span><span class="p">;</span> <span class="n">postject_options_init</span><span class="p">(</span><span class="o">&amp;</span><span class="n">options</span><span class="p">);</span> <span class="n">options</span><span class="p">.</span><span class="n">macho_segment_name</span> <span class="o">=</span> <span class="s">"NODE_SEA"</span><span class="p">;</span> <span class="k">const</span> <span class="kt">char</span><span class="o">*</span> <span class="n">blob</span> <span class="o">=</span> <span class="k">static_cast</span><span class="o">&lt;</span><span class="k">const</span> <span class="kt">char</span><span class="o">*&gt;</span><span class="p">(</span> <span class="n">postject_find_resource</span><span class="p">(</span><span class="s">"NODE_SEA_BLOB"</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">size</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">options</span><span class="p">));</span> <span class="cp">#else </span> <span class="k">const</span> <span class="kt">char</span><span class="o">*</span> <span class="n">blob</span> <span class="o">=</span> <span class="k">static_cast</span><span class="o">&lt;</span><span class="k">const</span> <span class="kt">char</span><span class="o">*&gt;</span><span class="p">(</span> <span class="n">postject_find_resource</span><span class="p">(</span><span class="s">"NODE_SEA_BLOB"</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">size</span><span class="p">,</span> <span class="nb">nullptr</span><span class="p">));</span> <span class="cp">#endif </span> <span class="k">return</span> <span class="p">{</span><span class="n">blob</span><span class="p">,</span> <span class="n">size</span><span class="p">};</span> <span class="p">}</span> </code></pre> </div> <h3> Read-Only Assets </h3> <p>One important security feature is read-only asset access.<br> The implementation ensures assets remain read-only through careful API design:</p> <ol> <li>Assets are stored as immutable string_views</li> <li>The ArrayBuffer is created with a no-op deleter</li> <li>No API exists for modifying assets once bundled </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight cpp"><code><span class="kt">void</span> <span class="nf">GetAsset</span><span class="p">(</span><span class="k">const</span> <span class="n">FunctionCallbackInfo</span><span class="o">&lt;</span><span class="n">Value</span><span class="o">&gt;&amp;</span> <span class="n">args</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Validate input</span> <span class="n">CHECK_EQ</span><span class="p">(</span><span class="n">args</span><span class="p">.</span><span class="n">Length</span><span class="p">(),</span> <span class="mi">1</span><span class="p">);</span> <span class="n">CHECK</span><span class="p">(</span><span class="n">args</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">IsString</span><span class="p">());</span> <span class="n">Utf8Value</span> <span class="n">key</span><span class="p">(</span><span class="n">args</span><span class="p">.</span><span class="n">GetIsolate</span><span class="p">(),</span> <span class="n">args</span><span class="p">[</span><span class="mi">0</span><span class="p">]);</span> <span class="n">SeaResource</span> <span class="n">sea_resource</span> <span class="o">=</span> <span class="n">FindSingleExecutableResource</span><span class="p">();</span> <span class="k">auto</span> <span class="n">it</span> <span class="o">=</span> <span class="n">sea_resource</span><span class="p">.</span><span class="n">assets</span><span class="p">.</span><span class="n">find</span><span class="p">(</span><span class="o">*</span><span class="n">key</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="n">it</span> <span class="o">==</span> <span class="n">sea_resource</span><span class="p">.</span><span class="n">assets</span><span class="p">.</span><span class="n">end</span><span class="p">())</span> <span class="p">{</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="n">std</span><span class="o">::</span><span class="n">unique_ptr</span><span class="o">&lt;</span><span class="n">v8</span><span class="o">::</span><span class="n">BackingStore</span><span class="o">&gt;</span> <span class="n">store</span> <span class="o">=</span> <span class="n">ArrayBuffer</span><span class="o">::</span><span class="n">NewBackingStore</span><span class="p">(</span> <span class="k">const_cast</span><span class="o">&lt;</span><span class="kt">char</span><span class="o">*&gt;</span><span class="p">(</span><span class="n">it</span><span class="o">-&gt;</span><span class="n">second</span><span class="p">.</span><span class="n">data</span><span class="p">()),</span> <span class="n">it</span><span class="o">-&gt;</span><span class="n">second</span><span class="p">.</span><span class="n">size</span><span class="p">(),</span> <span class="p">[](</span><span class="kt">void</span><span class="o">*</span><span class="p">,</span> <span class="kt">size_t</span><span class="p">,</span> <span class="kt">void</span><span class="o">*</span><span class="p">)</span> <span class="p">{},</span> <span class="c1">// No-op deleter prevents modifications</span> <span class="nb">nullptr</span><span class="p">);</span> <span class="n">Local</span><span class="o">&lt;</span><span class="n">ArrayBuffer</span><span class="o">&gt;</span> <span class="n">ab</span> <span class="o">=</span> <span class="n">ArrayBuffer</span><span class="o">::</span><span class="n">New</span><span class="p">(</span><span class="n">args</span><span class="p">.</span><span class="n">GetIsolate</span><span class="p">(),</span> <span class="n">std</span><span class="o">::</span><span class="n">move</span><span class="p">(</span><span class="n">store</span><span class="p">));</span> <span class="n">args</span><span class="p">.</span><span class="n">GetReturnValue</span><span class="p">().</span><span class="n">Set</span><span class="p">(</span><span class="n">ab</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> Load the SEA </h3> <p>The final step is loading the SEA and executing the bundled code:</p> <ol> <li>Gets the current V8 context and environment</li> <li>Finds the SEA resource using <code>FindSingleExecutableResource()</code> </li> <li>Verifies it's not using a snapshot (<code>CHECK(!sea.use_snapshot())</code>)</li> <li>Converts the main code into a V8 value using <code>ToV8Value</code> </li> <li>Calls the CJS (CommonJS) run callback with the converted code (from this, you can guess that only CJS is supported!) </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight cpp"><code><span class="n">MaybeLocal</span><span class="o">&lt;</span><span class="n">Value</span><span class="o">&gt;</span> <span class="n">LoadSingleExecutableApplication</span><span class="p">(</span> <span class="k">const</span> <span class="n">StartExecutionCallbackInfo</span><span class="o">&amp;</span> <span class="n">info</span><span class="p">)</span> <span class="p">{</span> <span class="n">Local</span><span class="o">&lt;</span><span class="n">Context</span><span class="o">&gt;</span> <span class="n">context</span> <span class="o">=</span> <span class="n">Isolate</span><span class="o">::</span><span class="n">GetCurrent</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">GetCurrentContext</span><span class="p">();</span> <span class="n">Environment</span><span class="o">*</span> <span class="n">env</span> <span class="o">=</span> <span class="n">Environment</span><span class="o">::</span><span class="n">GetCurrent</span><span class="p">(</span><span class="n">context</span><span class="p">);</span> <span class="n">SeaResource</span> <span class="n">sea</span> <span class="o">=</span> <span class="n">FindSingleExecutableResource</span><span class="p">();</span> <span class="n">CHECK</span><span class="p">(</span><span class="o">!</span><span class="n">sea</span><span class="p">.</span><span class="n">use_snapshot</span><span class="p">());</span> <span class="n">Local</span><span class="o">&lt;</span><span class="n">Value</span><span class="o">&gt;</span> <span class="n">main_script</span> <span class="o">=</span> <span class="n">ToV8Value</span><span class="p">(</span><span class="n">env</span><span class="o">-&gt;</span><span class="n">context</span><span class="p">(),</span> <span class="n">sea</span><span class="p">.</span><span class="n">main_code_or_snapshot</span><span class="p">).</span><span class="n">ToLocalChecked</span><span class="p">();</span> <span class="k">return</span> <span class="n">info</span><span class="p">.</span><span class="n">run_cjs</span><span class="o">-&gt;</span><span class="n">Call</span><span class="p">(</span> <span class="n">env</span><span class="o">-&gt;</span><span class="n">context</span><span class="p">(),</span> <span class="n">Null</span><span class="p">(</span><span class="n">env</span><span class="o">-&gt;</span><span class="n">isolate</span><span class="p">()),</span> <span class="mi">1</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">main_script</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> Practical Implementation </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx86gpq9mesddavn6uzrd.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx86gpq9mesddavn6uzrd.gif" alt="Practice" width="480" height="404"></a></p> <p>I built a file management service using Fastify to demonstrate SEA capabilities in the real world. The complete source code is available in the <a href="https://github.com/getlarge/node-sea-demo" rel="noopener noreferrer">Node-SEA Demo repository</a>.</p> <blockquote> <p>Hopefully, <a href="https://github.com/lirantal" rel="noopener noreferrer">Liran Tal</a> won't put the shame on me with this example app, no input validation, no rate limit, no auth, at least there's a path traversal check ;)</p> </blockquote> <h3> Project Structure </h3> <p>The project structure is simple, while representing a typical Node.js HTTP API application:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">node</span><span class="o">-</span><span class="nx">sea</span><span class="o">-</span><span class="nx">demo</span><span class="o">/</span> <span class="err">├──</span> <span class="nx">src</span><span class="o">/</span> <span class="err">│</span> <span class="err">├──</span> <span class="nx">main</span><span class="p">.</span><span class="nx">ts</span> <span class="err">#</span> <span class="nx">Entry</span> <span class="nx">point</span> <span class="kd">with</span> <span class="nx">SEA</span> <span class="nx">detection</span> <span class="err">│</span> <span class="err">├──</span> <span class="nx">app</span><span class="o">/</span> <span class="err">│</span> <span class="err">│</span> <span class="err">├──</span> <span class="nx">app</span><span class="p">.</span><span class="nx">ts</span> <span class="err">#</span> <span class="nx">Fastify</span> <span class="nx">setup</span> <span class="err">│</span> <span class="err">│</span> <span class="err">├──</span> <span class="nx">helpers</span><span class="p">.</span><span class="nx">ts</span> <span class="err">#</span> <span class="nx">Utilities</span> <span class="err">│</span> <span class="err">│</span> <span class="err">└──</span> <span class="nx">routes</span><span class="o">/</span> <span class="err">│</span> <span class="err">│</span> <span class="err">└──</span> <span class="nx">root</span><span class="p">.</span><span class="nx">ts</span> <span class="err">#</span> <span class="nx">API</span> <span class="nx">handlers</span> <span class="err">│</span> <span class="err">└──</span> <span class="nx">assets</span><span class="o">/</span> <span class="err">#</span> <span class="nx">Static</span> <span class="nx">files</span> <span class="err">├──</span> <span class="nx">sea</span><span class="o">-</span><span class="nx">config</span><span class="p">.</span><span class="nx">json</span> <span class="err">#</span> <span class="nx">SEA</span> <span class="nx">configuration</span> <span class="err">└──</span> <span class="nx">project</span><span class="p">.</span><span class="nx">json</span> <span class="err">#</span> <span class="nx">Build</span> <span class="nx">configuration</span> </code></pre> </div> <h3> Key Implementation Details </h3> <p>The first challenge I encountered was detecting whether we're running in a SEA environment to override the <code>require</code> function.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">sea</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">node:sea</span><span class="dl">'</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">sea</span><span class="p">.</span><span class="nf">isSea</span><span class="p">())</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">createRequire</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">node:module</span><span class="dl">'</span><span class="p">);</span> <span class="nx">require</span> <span class="o">=</span> <span class="nf">createRequire</span><span class="p">(</span><span class="nx">__filename</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">server</span> <span class="o">=</span> <span class="nc">Fastify</span><span class="p">({</span> <span class="na">logger</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">trustProxy</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <blockquote> <p>When running as a SEA, <code>require.cache</code> is undefined! The bug is tracked <a href="https://github.com/nodejs/node/issues/49163" rel="noopener noreferrer">here</a>.</p> </blockquote> <p>Another pain point was managing Fastify plugins within the SEA environment. I found explicit registration works better than auto-loading, to avoid compilation issues:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app.ts</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">app</span><span class="p">(</span><span class="nx">fastify</span><span class="p">:</span> <span class="nx">FastifyInstance</span><span class="p">,</span> <span class="nx">opts</span><span class="p">:</span> <span class="nx">AppOptions</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">fastify</span><span class="p">.</span><span class="nf">register</span><span class="p">(</span><span class="nx">sensible</span><span class="p">);</span> <span class="k">await</span> <span class="nx">fastify</span><span class="p">.</span><span class="nf">register</span><span class="p">(</span><span class="nx">fastifyMultipart</span><span class="p">,</span> <span class="p">{</span> <span class="na">limits</span><span class="p">:</span> <span class="p">{</span> <span class="na">fileSize</span><span class="p">:</span> <span class="nx">opts</span><span class="p">.</span><span class="nx">fileSize</span> <span class="o">??</span> <span class="mi">1048576</span> <span class="o">*</span> <span class="mi">10</span><span class="p">,</span> <span class="c1">// 10MB</span> <span class="p">},</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">assetsDir</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getAssetsDir</span><span class="p">();</span> <span class="k">await</span> <span class="nx">fastify</span><span class="p">.</span><span class="nf">register</span><span class="p">(</span><span class="nx">fastifyStatic</span><span class="p">,</span> <span class="p">{</span> <span class="na">root</span><span class="p">:</span> <span class="nx">assetsDir</span><span class="p">,</span> <span class="na">prefix</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/assets/</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="k">await</span> <span class="nx">fastify</span><span class="p">.</span><span class="nf">register</span><span class="p">(</span><span class="nx">routes</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>Security was another concern. Since SEA applications might also run with elevated privileges, I implemented strict path safety:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// routes/root.ts</span> <span class="kd">const</span> <span class="nx">safePathResolve</span> <span class="o">=</span> <span class="p">(</span><span class="nx">userPath</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">baseDir</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="kr">string</span> <span class="o">|</span> <span class="kc">null</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">userPath</span> <span class="o">||</span> <span class="sr">/</span><span class="se">[/\\]</span><span class="sr">/</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="nx">userPath</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="p">}</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">resolvedPath</span> <span class="o">=</span> <span class="nx">path</span><span class="p">.</span><span class="nf">resolve</span><span class="p">(</span><span class="nx">baseDir</span><span class="p">,</span> <span class="nx">userPath</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">resolvedPath</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="nx">path</span><span class="p">.</span><span class="nf">resolve</span><span class="p">(</span><span class="nx">baseDir</span><span class="p">)))</span> <span class="p">{</span> <span class="nx">fastify</span><span class="p">.</span><span class="nx">log</span><span class="p">.</span><span class="nf">warn</span><span class="p">({</span> <span class="na">path</span><span class="p">:</span> <span class="nx">userPath</span> <span class="p">},</span> <span class="dl">'</span><span class="s1">Path traversal attempt detected</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">resolvedPath</span><span class="p">;</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">fastify</span><span class="p">.</span><span class="nx">log</span><span class="p">.</span><span class="nf">error</span><span class="p">({</span> <span class="nx">err</span><span class="p">,</span> <span class="na">path</span><span class="p">:</span> <span class="nx">userPath</span> <span class="p">},</span> <span class="dl">'</span><span class="s1">Path resolution error</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <h3> Build Process </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpe3ks4tqxixdqrbcmi3v.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpe3ks4tqxixdqrbcmi3v.png" alt="Build process" width="800" height="174"></a></p> <p>The first step in creating an SEA is properly bundling your JavaScript. I explored several bundlers and found ESBuild offers the best balance of speed and ease of use.</p> <h4> Bundling with ESBuild </h4> <p>ESBuild prepares your application for SEA packaging through CLI or build tools.</p> <h4> Direct ESBuild Command </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx esbuild <span class="se">\</span> <span class="nt">--format</span><span class="o">=</span>cjs <span class="se">\</span> <span class="nt">--platform</span><span class="o">=</span>node <span class="se">\</span> <span class="nt">--bundle</span> <span class="se">\</span> <span class="nt">--tsconfig</span><span class="o">=</span>apps/node-sea-demo/tsconfig.app.json <span class="se">\</span> <span class="nt">--outdir</span><span class="o">=</span>dist/apps/node-sea-demo <span class="se">\</span> <span class="nt">--out-extension</span>:.js<span class="o">=</span>.js <span class="se">\</span> <span class="nt">--outfile</span><span class="o">=</span>main.js <span class="se">\</span> apps/node-sea-demo/src/main.ts </code></pre> </div> <p>Each flag serves a specific purpose:</p> <ul> <li> <code>--format=cjs</code>: SEA only works with CommonJS (no ESM yet, remember?)</li> <li> <code>--platform=node</code>: Targets Node.js environment</li> <li> <code>--bundle</code>: Rolls up all imports into a single file</li> <li> <code>--outfile</code>: Specifies the output file for the bundled code</li> </ul> <h4> Nx ESBuild plugin Configuration </h4> <p>If you're using Nx (like I do), you can configure the build in your project's configuration file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">//</span><span class="w"> </span><span class="err">project.json</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"build"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"executor"</span><span class="p">:</span><span class="w"> </span><span class="s2">"@nx/esbuild:esbuild"</span><span class="p">,</span><span class="w"> </span><span class="nl">"outputs"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"{options.outputPath}"</span><span class="p">],</span><span class="w"> </span><span class="nl">"defaultConfiguration"</span><span class="p">:</span><span class="w"> </span><span class="s2">"production"</span><span class="p">,</span><span class="w"> </span><span class="nl">"options"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"platform"</span><span class="p">:</span><span class="w"> </span><span class="s2">"node"</span><span class="p">,</span><span class="w"> </span><span class="nl">"outputPath"</span><span class="p">:</span><span class="w"> </span><span class="s2">"dist/apps/node-sea-demo"</span><span class="p">,</span><span class="w"> </span><span class="nl">"format"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"cjs"</span><span class="p">],</span><span class="w"> </span><span class="nl">"bundle"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"thirdParty"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"main"</span><span class="p">:</span><span class="w"> </span><span class="s2">"apps/node-sea-demo/src/main.ts"</span><span class="p">,</span><span class="w"> </span><span class="nl">"tsConfig"</span><span class="p">:</span><span class="w"> </span><span class="s2">"apps/node-sea-demo/tsconfig.app.json"</span><span class="p">,</span><span class="w"> </span><span class="nl">"assets"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"apps/node-sea-demo/src/assets/**/*"</span><span class="p">],</span><span class="w"> </span><span class="nl">"generatePackageJson"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"esbuildOptions"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"sourcemap"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"outExtension"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">".js"</span><span class="p">:</span><span class="w"> </span><span class="s2">".js"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Generating the Executable </h3> <p>After struggling with single executables builder tools like PKG, I was glad to discover Node.js's native SEA support. The configuration is refreshingly simple:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">//</span><span class="w"> </span><span class="err">sea-config.json</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"main"</span><span class="p">:</span><span class="w"> </span><span class="s2">"dist/apps/node-sea-demo/main.js"</span><span class="p">,</span><span class="w"> </span><span class="nl">"output"</span><span class="p">:</span><span class="w"> </span><span class="s2">"dist/apps/node-sea-demo/demo.blob"</span><span class="p">,</span><span class="w"> </span><span class="nl">"disableExperimentalSEAWarning"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"useCodeCache"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"assets"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"package.json"</span><span class="p">:</span><span class="w"> </span><span class="s2">"dist/apps/node-sea-demo/package.json"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The executable generation process varies by platform, if you are using Nx, you can make your life easier by using my <a href="https://github.com/getlarge/nx-node-sea" rel="noopener noreferrer">plugin</a>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">//</span><span class="w"> </span><span class="err">nx.json</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">//...</span><span class="w"> </span><span class="nl">"plugins"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"plugin"</span><span class="p">:</span><span class="w"> </span><span class="s2">"@getlarge/nx-node-sea"</span><span class="p">,</span><span class="w"> </span><span class="nl">"include"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"apps/**/*"</span><span class="p">],</span><span class="w"> </span><span class="nl">"options"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"seaTargetName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sea-build"</span><span class="p">,</span><span class="w"> </span><span class="nl">"buildTarget"</span><span class="p">:</span><span class="w"> </span><span class="s2">"build"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>.. and then run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nx run node-sea-demo:sea-build </code></pre> </div> <p>Otherwise, you can use the following commands for each platform, see the <a href="https://nodejs.org/api/single-executable-applications.html#single-executable-applications" rel="noopener noreferrer">Node.js SEA documentation</a> for more details:</p> <h4> Linux </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Generate blob</span> node <span class="nt">--experimental-sea-config</span> sea-config.json <span class="c"># Copy node binary</span> <span class="nb">cp</span> <span class="si">$(</span><span class="nb">command</span> <span class="nt">-v</span> node<span class="si">)</span> dist/app/node <span class="c"># Inject blob</span> npx postject dist/app/node NODE_SEA_BLOB dist/app/demo.blob <span class="se">\</span> <span class="nt">--sentinel-fuse</span> NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2 </code></pre> </div> <h4> macOS </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Generate blob</span> node <span class="nt">--experimental-sea-config</span> sea-config.json <span class="c"># Copy node binary</span> <span class="nb">cp</span> <span class="si">$(</span><span class="nb">command</span> <span class="nt">-v</span> node<span class="si">)</span> dist/app/node <span class="c"># Remove signature</span> codesign <span class="nt">--remove-signature</span> dist/app/node <span class="c"># Inject blob</span> npx postject dist/app/node NODE_SEA_BLOB dist/app/demo.blob <span class="se">\</span> <span class="nt">--sentinel-fuse</span> NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2 <span class="se">\</span> <span class="nt">--macho-segment-name</span> NODE_SEA <span class="c"># Re-sign binary</span> codesign <span class="nt">--sign</span> - dist/app/node </code></pre> </div> <h4> Windows </h4> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="c"># Generate blob</span><span class="w"> </span><span class="n">node</span><span class="w"> </span><span class="nt">--experimental-sea-config</span><span class="w"> </span><span class="nx">sea-config.json</span><span class="w"> </span><span class="c"># Copy node binary</span><span class="w"> </span><span class="n">copy</span><span class="w"> </span><span class="nv">$</span><span class="nn">env</span><span class="p">:</span><span class="nv">ProgramFiles</span><span class="nx">\nodejs\node.exe</span><span class="w"> </span><span class="o">.</span><span class="nx">\dist\app\node.exe</span><span class="w"> </span><span class="c"># Inject blob</span><span class="w"> </span><span class="n">npx</span><span class="w"> </span><span class="nx">postject</span><span class="w"> </span><span class="nx">dist/app/node.exe</span><span class="w"> </span><span class="nx">NODE_SEA_BLOB</span><span class="w"> </span><span class="nx">dist/app/demo.blob</span><span class="w"> </span><span class="err">^</span><span class="w"> </span><span class="nt">--sentinel-fuse</span><span class="w"> </span><span class="n">NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2</span><span class="w"> </span></code></pre> </div> <blockquote> <p><strong>Note</strong>: You can't just build once and run everywhere:</p> <ul> <li>Code cache and snapshots are platform-specific</li> <li>Native modules (still) require platform-specific compilation</li> </ul> </blockquote> <h2> Docker Integration </h2> <p>As someone who's built countless Docker images for Node.js apps, I couldn't wait to see how SEA could optimize container size.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flxvc3krqupdyruw33h0p.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flxvc3krqupdyruw33h0p.gif" alt="Size Matters" width="480" height="270"></a></p> <p>I experimented with three different approaches:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2atjvj6moz1aotls41kv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2atjvj6moz1aotls41kv.png" alt="Docker images comparison chart" width="500" height="400"></a></p> <ol> <li><strong>Full Image (235MB)</strong></li> </ol> <ul> <li>Uses complete Node.js runtime</li> <li>Includes OS dependencies</li> <li>Simplest to build and debug</li> </ul> <ol> <li> <strong>Minimal Image (156MB)</strong> <ul> <li>Uses scratch as base</li> <li>Includes only essential OS dependencies</li> <li>Smallest possible footprint</li> </ul> </li> </ol> <p>That 156MB image size might not seem impressive compared to Go or Rust applications' Docker image, but it's a dramatic improvement over the typical 800MB+ Node.js image!</p> <h3> Full image </h3> <ol> <li>Uses full Node.js runtime - Contains development dependencies (OS)</li> <li>Create dedicated user (always good)</li> <li>Copy ESBuild bundle and change permissions</li> <li>No need to install deps, dependencies are bundled</li> <li>Run the app with node </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> docker.io/node:lts-alpine</span> <span class="k">ENV</span><span class="s"> HOST=0.0.0.0</span> <span class="k">ENV</span><span class="s"> PORT=3000</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">RUN </span>addgroup <span class="nt">--system</span> node-sea-demo <span class="o">&amp;&amp;</span> <span class="se">\ </span> adduser <span class="nt">--system</span> <span class="nt">-G</span> node-sea-demo node-sea-demo <span class="k">COPY</span><span class="s"> dist/apps/node-sea-demo node-sea-demo/</span> <span class="k">RUN </span><span class="nb">chown</span> <span class="nt">-R</span> node-sea-demo:node-sea-demo . <span class="k">CMD</span><span class="s"> [ "node", "node-sea-demo" ]</span> </code></pre> </div> <h3> Minimal image </h3> <ol> <li>alpine to start and dependencies to build</li> <li>Install glibc for proper library copying</li> <li>copy bundled code and SEA config</li> <li>Bundle and remove debugging information ( # Strip the binary to remove debug symbols)</li> <li>Uses scratch as a base image,</li> <li>Eliminates unnecessary OS files</li> <li>Include minimal OS dependencies (loader) and copy the Node.js SEA executable</li> <li>Run the standalone executable </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="w"> </span><span class="s">node:lts-alpine</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">build</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">RUN </span>apk add <span class="nt">--no-cache</span> build-base python3 <span class="k">RUN </span>wget <span class="nt">-q</span> <span class="nt">-O</span> /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub <span class="o">&amp;&amp;</span> <span class="se">\ </span> wget https://github.com/sgerrand/alpine-pkg-glibc/releases/download/2.35-r1/glibc-2.35-r1.apk <span class="o">&amp;&amp;</span> <span class="se">\ </span> apk add <span class="nt">--no-cache</span> glibc-2.35-r1.apk <span class="o">&amp;&amp;</span> <span class="se">\ </span> <span class="nb">rm </span>glibc-2.35-r1.apk <span class="k">COPY</span><span class="s"> dist/apps/node-sea-demo dist/apps/node-sea-demo</span> <span class="k">COPY</span><span class="s"> apps/node-sea-demo/sea-config.json .</span> <span class="c"># Create the SEA bundle and verify the file exists and is executable</span> <span class="k">RUN </span>node <span class="nt">--experimental-sea-config</span> sea-config.json <span class="o">&amp;&amp;</span> <span class="se">\ </span> <span class="nb">cp</span> <span class="si">$(</span><span class="nb">command</span> <span class="nt">-v</span> node<span class="si">)</span> dist/apps/node-sea-demo/node <span class="o">&amp;&amp;</span> <span class="se">\ </span> npx postject dist/apps/node-sea-demo/node NODE_SEA_BLOB dist/apps/node-sea-demo/node-sea-demo.blob <span class="nt">--sentinel-fuse</span> NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2 <span class="o">&amp;&amp;</span> <span class="se">\ </span> <span class="nb">chmod</span> +x dist/apps/node-sea-demo/node <span class="o">&amp;&amp;</span> <span class="se">\ </span> <span class="c"># # Strip the binary to remove debug symbols</span> strip dist/apps/node-sea-demo/node <span class="c"># Create directory structure for dependencies</span> <span class="k">RUN </span><span class="nb">mkdir</span> <span class="nt">-p</span> deps <span class="o">&amp;&amp;</span> <span class="se">\ </span> <span class="c"># Copy all required shared libraries</span> ldd dist/apps/node-sea-demo/node | grep "=&gt; /" | awk '{print $3}' | \ xargs -I '{}' cp -L '{}' deps/ &amp;&amp; \ # Copy additional required files cp /lib/ld-linux-*.so.* deps/ &amp;&amp; \ # Create necessary symlinks mkdir -p deps/lib64 &amp;&amp; \ cp /lib/ld-linux-*.so.* deps/lib64/ <span class="k">FROM</span><span class="s"> scratch</span> <span class="k">COPY</span><span class="s"> --from=build /app/deps /lib/</span> <span class="c"># Ensure lib64 exists and has the loader</span> <span class="k">COPY</span><span class="s"> --from=build /app/deps/lib64 /lib64/</span> <span class="c"># Copy the Node.js SEA executable</span> <span class="k">COPY</span><span class="s"> --from=build /app/dist/apps/node-sea-demo/node /app/node</span> <span class="k">ENV</span><span class="s"> HOST=0.0.0.0</span> <span class="k">ENV</span><span class="s"> PORT=3000</span> <span class="k">EXPOSE</span><span class="s"> ${PORT}</span> <span class="k">ENTRYPOINT</span><span class="s"> [ "/app/node" ]</span> </code></pre> </div> <h2> Performance Benchmarks </h2> <p>Using the <code>useCodeCache</code> option offers a dual benefit of better performance and slightly improved code protection.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">//</span><span class="w"> </span><span class="err">sea-config.json</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="nl">"useCodeCache"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Enable</span><span class="w"> </span><span class="err">code</span><span class="w"> </span><span class="err">caching</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>I ran some benchmarks to see how the application performs when:</p> <ul> <li>regular Node.js (no SEA)</li> <li>running with code cache enabled</li> <li>running without code cache</li> </ul> <p>Here's what I found:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fslm4p0oifv4dcur69rs4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fslm4p0oifv4dcur69rs4.png" alt="SEA performance benchmark chart" width="700" height="400"></a></p> <p>The results surprised me:</p> <ul> <li>Code cache improved startup time by ~7%</li> <li>Blob size increased by only ~7% with code cache enabled</li> <li>Cold starts showed significant variance (typical for any Node.js app)</li> <li>Hot starts were consistently faster with code cache</li> </ul> <h3> How Code Cache Works </h3> <p>When JavaScript code is executed, V8 (Node.js's JavaScript engine) compiles it to bytecode before execution. This compilation takes time. Code cache stores this pre-compiled bytecode, allowing V8 to skip the compilation step on subsequent runs.</p> <p>The performance improvement is most noticeable for:</p> <ul> <li>Application startup time (as shown in our benchmarks)</li> <li>Cold starts in serverless environments</li> <li>Complex codebase with many dependencies</li> </ul> <blockquote> <p>For most applications, I'd definitely recommend enabling code cache despite the slight size increase.</p> </blockquote> <h2> The Reality of Code Protection </h2> <p>One question that frequently comes up when discussing SEA is:</p> <blockquote> <p><em>"Are our source code and proprietary algorithms safe inside the executable?"</em></p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiohp6sutygjn38gw7y74.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiohp6sutygjn38gw7y74.gif" alt="You have my attention" width="500" height="281"></a></p> <p>While SEA bundles your code inside the Node.js binary, it's important to understand that <strong>this is not true obfuscation</strong>. Let me demonstrate why.</p> <h3> Extracting Code from SEA Executables </h3> <p>As said already, a SEA is a Node.js binary with your code injected as a resource section. With the right tools, extracting this section is relatively straightforward.</p> <p>On macOS, extracting code from a SEA executable is a bit more involved than on Linux due to the Mach-O binary format. Here's a demo:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. First, examine the Mach-O headers to locate the NODE_SEA segment</span> otool <span class="nt">-l</span> dist/apps/node-sea-demo/node | <span class="nb">grep</span> <span class="nt">-A</span> 20 NODE_SEA <span class="c"># 2. Note the offset, size, and address of the NODE_SEA segment</span> <span class="c"># The output will show something like:</span> segname NODE_SEA vmaddr 0x0000000104e20000 vmsize 0x0000000000254000 fileoff 81739776 filesize 2432242 maxprot 0x00000001 initprot 0x00000001 nsects 1 flags 0x0 Section sectname __NODE_SEA_BLOB segname NODE_SEA <span class="c"># ...</span> <span class="c"># 3. Extract the segment using dd, extract from the offset &lt;fileoff&gt; and size &lt;filesize&gt;</span> <span class="nb">dd </span><span class="k">if</span><span class="o">=</span>your-sea-app <span class="nv">of</span><span class="o">=</span>extracted.blob <span class="nv">bs</span><span class="o">=</span>1 <span class="nv">skip</span><span class="o">=</span>81739776 <span class="nv">count</span><span class="o">=</span>2432242 </code></pre> </div> <h3> Examining the Extracted Content </h3> <p>Once extracted, the blob contains the bundled JavaScript code in a readable format. Let's see what it actually looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Look for readable strings</span> strings extracted.blob | less <span class="c"># For function declarations</span> strings extracted.blob | <span class="nb">grep</span> <span class="nt">-A</span> 10 <span class="s2">"function"</span> | less <span class="c"># Targeting assets</span> strings extracted.blob | <span class="nb">grep</span> <span class="nt">-A</span> 10 <span class="s2">"assets"</span> | less </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5upowf3scvel7f0ow5sy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5upowf3scvel7f0ow5sy.png" alt="Code extraction screenshot" width="800" height="436"></a></p> <blockquote> <p>Amazing, right?</p> </blockquote> <p>As you can see, the original source code remains largely intact and readable. This is why relying solely on SEA for code protection is insufficient for truly sensitive intellectual property.</p> <h3> How can we protect our code? </h3> <p>For genuinely sensitive code, I recommend a multi-layered approach:</p> <ol> <li>Use SEA with Bytenode for basic protection (be aware it was already <a href="https://swarm.ptsecurity.com/how-we-bypassed-bytenode-and-decompiled-node-js-bytecode-in-ghidra/" rel="noopener noreferrer">reversed engineered</a>)</li> <li>Keep truly sensitive algorithms on a secure server accessed via API</li> <li>Consider legal protections (contracts, terms of service)</li> </ol> <blockquote> <p><strong>Remember</strong>: no code shipped to a client's machine can ever be 100% protected against a determined adversary with sufficient resources and time.</p> </blockquote> <h2> Conclusion </h2> <p>Node.js Single Executable Applications have transformed how I deliver Node.js applications, offering:</p> <ul> <li>Improved deployment reliability</li> <li>Better security through bundling</li> <li>Reduced environmental dependencies</li> <li>Optimized resource usage</li> </ul> <p>After years of dubious deployment strategy, I can now distribute my Node.js applications as single files that "just work" on the target system.</p> <p>Want to try it yourself? Here are some next steps:</p> <ol> <li>Experiment with the provided example application</li> <li>Evaluate SEA for your specific use cases</li> <li>Implement in your CI/CD pipeline</li> <li>Join the Node.js SEA community and contribute!</li> </ol> <p>If you have questions or want to share your SEA experiences, drop a comment below or reach out to me on <a href="https://www.linkedin.com/in/edouard-maleix/" rel="noopener noreferrer">Linkedin</a> or <a href="https://github.com/getlarge" rel="noopener noreferrer">GitHub</a>.</p> <div class="ltag__user ltag__user__id__1253749"> <a href="/getlarge" class="ltag__user__link profile-image-link"> <div class="ltag__user__pic"> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1253749%2Fc4b87a1b-784c-491c-ab9e-1cd2a4df299c.jpeg" alt="getlarge image"> </div> </a> <div class="ltag__user__content"> <h2> <a class="ltag__user__link" href="/getlarge">Edouard Maleix</a>Follow </h2> <div class="ltag__user__summary"> <a class="ltag__user__link" href="/getlarge">I am a Senior Software Engineer, focusing on distributed systems, application security and developer productivity/creativity. Based in Vienna 🥐, Austria.</a> </div> </div> </div> node tutorial devops docker Dynamic NestJS Listeners: Discover the Power of Lazy Loading Edouard Maleix Sun, 13 Oct 2024 11:46:34 +0000 https://dev.to/playfulprogramming/dynamic-nestjs-listeners-discover-the-power-of-lazy-loading-53i2 https://dev.to/playfulprogramming/dynamic-nestjs-listeners-discover-the-power-of-lazy-loading-53i2 <p>In this post, I will show you how to register HTTP routes and message consumers in NestJS applications <strong>dynamically</strong>.</p> <p>This demonstration will start by uncovering some NestJS internals, particularly an undocumented feature: the <code>DiscoveryModule</code> 🧐.</p> <blockquote> <p><em>By dynamic routes, I mean routes unknown at the time of development but defined at runtime, late in the boot process.</em></p> </blockquote> <p>If reading bores you, skip the talk and jump directly to the <a href="https://github.com/getlarge/nestjs-dynamic-routes-and-listeners" rel="noopener noreferrer">repository</a>.</p> <h2> Problem </h2> <p>The declarative approach is <strong>great</strong> but can also bring some <strong>limitations</strong>.<br> In the routing case, the decorators used to declare HTTP routes and microservices listeners (<code>@Get</code>, <code>@Post</code>, <code>@EventPattern</code>, <code>@MessagePattern</code>) require <strong>static</strong> values known during development time and cannot be <strong>late-bound</strong>.</p> <p><strong>Examples</strong>:</p> <ul> <li> <code>@Get('users')</code> defines a static route that can only change by modifying the code.</li> <li> <code>@MessagePattern('user.created')</code> is not adaptable to dynamic topic structures.</li> </ul> <h2> Use cases </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Scenario</th> <th>Business Impact</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>Modular Plugin Architecture</td> <td>Allow developers to create modular plugins that can be easily integrated into a core application without modifying the underlying code.</td> <td>A web development platform allows users to install plugins that add new features, each with its own set of HTTP routes.</td> </tr> <tr> <td>White Labeling for E-commerce Platforms</td> <td>Enable e-commerce platforms to offer white-labeled application versions to different clients without modifying the underlying codebase.</td> <td>A popular e-commerce platform allows its clients (e.g., online retailers) to create custom platform versions with unique routes and listeners.</td> </tr> <tr> <td>Customizable Integration Layers</td> <td>Allow customers to customize the integration layer of an application based on their specific business needs without requiring code changes.</td> <td>A CRM system allows users to integrate it with various external services (e.g., email marketing platforms and sales tools).</td> </tr> <tr> <td>Feature Flags for Enterprise Applications</td> <td>Enable enterprise applications to easily toggle certain features on or off based on user roles or organizational policies.</td> <td>A large enterprise application allows administrators to toggle specific features (e.g., access to advanced analytics tools) on or off for different departments.</td> </tr> <tr> <td>Multi-Tenancy in SaaS Applications</td> <td>Allow Software-as-a-Service (SaaS) applications to support multiple tenants with their custom routes and listeners.</td> <td>A SaaS-based customer engagement platform allows clients to create custom application versions with unique routes and listeners.</td> </tr> </tbody> </table></div> <h2> NestJS scanning and registration lifecycle </h2> <p>Word to the wise: to declare dynamic routes and listeners, we must first understand how NestJS inspects modules and scans the metadata to register them.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzyb2t8toh2rhopw9qog8.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzyb2t8toh2rhopw9qog8.gif" alt="Cat explorer" width="800" height="400"></a></p> <p>For both HTTP routes and microservices listeners, NestJS will scan the metadata and register the routes and listeners during the initialization phase when <code>NestApplication.init</code> and <code>NestMicroservice.init</code> are called.</p> <p>However, each of them has its own registration process and components:</p> <h3> HTTP routes </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fozoy7o8uzsxjevtamag6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fozoy7o8uzsxjevtamag6.png" alt="NestJS HTTP routes scanning and registration process" width="800" height="621"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4aer6yp955yscrfket8f.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4aer6yp955yscrfket8f.png" alt="NestJS HTTP server init" width="800" height="631"></a></p> <h3> Microservices listeners </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpoobctdowqzidcz9scsr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpoobctdowqzidcz9scsr.png" alt="NestJS microservices listeners scanning and registration" width="800" height="680"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvebru9vff9hcschlwsuc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvebru9vff9hcschlwsuc.png" alt="NestJS microservices consumers init" width="800" height="620"></a></p> <blockquote> <p><em>When calling <code>NestApplication.listen</code> and <code>NestMicroservice.listen</code>, the <code>init</code> methods will be called if they were not before.</em></p> </blockquote> <p>We have the following options to register dynamic routes and listeners:</p> <ol> <li>create custom explorers as providers that <strong>scan the metadata</strong> and replace the placeholders with actual values</li> <li>create custom adapters for HTTP API by implementing the <a href="https://github.com/nestjs/nest/blob/master/packages/common/interfaces/http/http-server.interface.ts" rel="noopener noreferrer"><code>HttpServer</code></a> interface</li> <li>create custom transport strategies for microservices by extending <a href="https://github.com/nestjs/nest/blob/master/packages/microservices/server/server.ts" rel="noopener noreferrer"><code>Server</code></a> </li> </ol> <p><strong>Option 1</strong> is the most straightforward and will be the focus of this article.</p> <h2> Create a Proof of Concept </h2> <p>The demonstration is a simple NestJS application with a <strong>single HTTP route</strong>, a <strong>single message consumer</strong>, and the following requirements:</p> <ol> <li>Enable lazy evaluation of routes or message patterns with custom decorators and metadata explorers</li> <li>Support for both HTTP routes and message consumers</li> <li>Use environment variables to define the route and message pattern prefixes</li> <li>Replace the placeholders pattern before registering the routes and listeners (before <a href="https://github.com/nestjs/nest/blob/v10.4.4/packages/core/nest-application.ts#L179" rel="noopener noreferrer"><code>NestJSApplication.init</code></a> and <a href="https://github.com/nestjs/nest/blob/v10.4.4/packages/core/nest-application.ts#L221C10-L221C29" rel="noopener noreferrer"><code>app.connectMicroservice</code></a>)</li> </ol> <p>Seems like a good plan, but how can we set up the placeholders and replace them with actual values?</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq4vdazxkavb9u9qwflpj.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq4vdazxkavb9u9qwflpj.gif" alt="Good question" width="500" height="250"></a></p> <p>We could use the <a href="https://github.com/rbuckton/reflect-metadata" rel="noopener noreferrer">reflect-metadata</a> library to store the metadata and then scan it <strong>manually</strong> to replace the placeholders with actual values, but there is a better way.</p> <p>During my NestJS codebase review, I started following the <code>MetadataScanner</code> thread and noticed it was also used by the <code>DiscoveryModule</code>. This module provides a powerful tool for <strong>exploring and inspecting the providers, controllers, and modules</strong> in your NestJS application, and it turns out to be the perfect tool for our use case.</p> <blockquote> <p><em>Funny enough, it has been in the NestJS core for several years but is not used internally. One could think it is part of the public API, but surprisingly, it is still undocumented. Do you also get this treasure hunt feeling? 🏴‍☠️</em></p> </blockquote> <p>Since the approach is very similar for HTTP and microservices listeners, I only explain the registration process of HTTP routes. You can use the same approach to register the microservice listeners, as can be seen in this <a href="https://github.com/getlarge/nestjs-dynamic-routes-and-listeners/tree/main/libs/custom-message-pattern" rel="noopener noreferrer">internal library</a>.</p> <p>The approch is based on the following steps:</p> <ol> <li>Create a custom decorator</li> <li>Create the metadata scanner</li> <li>Declare the dynamic route</li> <li>Import the custom explorers</li> <li>Update ConfigService type and validator (optional)</li> <li>Testing (optional, or not 😏)</li> </ol> <h3> 1. Create a custom decorator </h3> <p>For the HTTP routes, the starting point is the custom decorator: <code>CustomHttpMethod</code>, which takes a <em>method</em> and a <em>path</em> as arguments:</p> <ul> <li>The <em>path</em> is a template string (e.g. ,<code>$HTTP_ROUTE_PREFIX/:id</code>) containing placeholders that actual values will replace.</li> <li>The <em>method</em> is one of the HTTP methods (e.g., <strong>GET</strong>, <strong>POST</strong>, etc).</li> </ul> <p>This decorator is used above the controller methods to define the dynamic routes (e.g., <code>@CustomHttpMethod({ method: 'GET', path: '$HTTP_ROUTE_PREFIX/:id' })</code>).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">DiscoveryService</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/core</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">Method</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">axios</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">CustomHttpMethod</span> <span class="o">=</span> <span class="nx">DiscoveryService</span><span class="p">.</span><span class="nx">createDecorator</span><span class="o">&lt;</span><span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="nx">Method</span><span class="p">;</span> <span class="nl">path</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}</span><span class="o">&gt;</span><span class="p">();</span> </code></pre> </div> <blockquote> <p>You can also find an example using only the Reflect API from <code>reflect-metadata</code> library, in the <a href="https://github.com/getlarge/nestjs-dynamic-routes-and-listeners/blob/main/libs/custom-event-pattern/src/lib/custom-event-pattern.decorator.ts" rel="noopener noreferrer">example repository</a>.</p> </blockquote> <h3> 2. Create the metadata scanner </h3> <h4> Register the custom explorer </h4> <p>The scanner is exposed as a dynamic NestJS module—<code>CustomHttpMethodModule</code>—that can be imported into any module to enable dynamic HTTP routes.</p> <blockquote> <p><em>Dynamic module enhances reusability and allows for configuration from the outside.</em></p> </blockquote> <p>The module is configurable with:</p> <ul> <li>a <code>store</code>: a map of keys (placeholders) and values (replacements).</li> <li>a list of <code>modules</code> containing the controllers to scan for the custom decorators. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kr">interface</span> <span class="nx">ICustomHttpMethodModuleOptions</span> <span class="p">{</span> <span class="nl">store</span><span class="p">:</span> <span class="nb">Map</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="kr">string</span><span class="o">&gt;</span><span class="p">;</span> <span class="nl">modules</span><span class="p">:</span> <span class="nx">Type</span><span class="o">&lt;</span><span class="nx">unknown</span><span class="o">&gt;</span><span class="p">[];</span> <span class="p">}</span> </code></pre> </div> <ol> <li>The module can be created using the <code>forRoot</code> and <code>forRootAsync</code> methods, which return a <code>DynamicModule</code> object containing the module configuration.</li> <li>The module will import the <code>DiscoveryModule</code> to enable the scanning of the controllers and methods.</li> <li>It provides and exports the <code>CustomHttpMethodExplorer</code> service, which injects the <code>DiscoveryService</code> and <code>MetadataScanner</code>. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="p">@</span><span class="nd">Module</span><span class="p">({})</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">CustomHttpMethodModule</span> <span class="p">{</span> <span class="k">static</span> <span class="nf">forRoot</span><span class="p">(</span> <span class="nx">options</span><span class="p">:</span> <span class="nx">ICustomHttpMethodModuleOptions</span><span class="p">,</span> <span class="nx">isGlobal</span><span class="p">?:</span> <span class="nx">boolean</span> <span class="p">):</span> <span class="nx">DynamicModule</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">module</span><span class="p">:</span> <span class="nx">CustomHttpMethodModule</span><span class="p">,</span> <span class="na">imports</span><span class="p">:</span> <span class="p">[</span><span class="nx">DiscoveryModule</span><span class="p">],</span> <span class="na">providers</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">provide</span><span class="p">:</span> <span class="nx">CustomHttpMethodModuleOptions</span><span class="p">,</span> <span class="na">useValue</span><span class="p">:</span> <span class="nx">options</span> <span class="p">},</span> <span class="nx">CustomHttpMethodExplorer</span><span class="p">,</span> <span class="p">],</span> <span class="na">exports</span><span class="p">:</span> <span class="p">[</span><span class="nx">CustomHttpMethodExplorer</span><span class="p">],</span> <span class="na">global</span><span class="p">:</span> <span class="nx">isGlobal</span><span class="p">,</span> <span class="p">};</span> <span class="p">}</span> <span class="k">static</span> <span class="nf">forRootAsync</span><span class="p">(</span> <span class="nx">options</span><span class="p">:</span> <span class="nx">CustomHttpMethodModuleAsyncOptions</span><span class="p">,</span> <span class="nx">isGlobal</span><span class="p">?:</span> <span class="nx">boolean</span> <span class="p">):</span> <span class="nx">DynamicModule</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">module</span><span class="p">:</span> <span class="nx">CustomHttpMethodModule</span><span class="p">,</span> <span class="na">imports</span><span class="p">:</span> <span class="nx">options</span><span class="p">.</span><span class="nx">imports</span> <span class="p">?</span> <span class="p">[...</span><span class="nx">options</span><span class="p">.</span><span class="nx">imports</span><span class="p">,</span> <span class="nx">DiscoveryModule</span><span class="p">]</span> <span class="p">:</span> <span class="p">[</span><span class="nx">DiscoveryModule</span><span class="p">],</span> <span class="na">providers</span><span class="p">:</span> <span class="p">[</span> <span class="p">...</span><span class="k">this</span><span class="p">.</span><span class="nf">createAsyncProviders</span><span class="p">(</span><span class="nx">options</span><span class="p">),</span> <span class="nx">CustomHttpMethodExplorer</span><span class="p">,</span> <span class="p">],</span> <span class="na">exports</span><span class="p">:</span> <span class="p">[</span><span class="nx">CustomHttpMethodExplorer</span><span class="p">],</span> <span class="na">global</span><span class="p">:</span> <span class="nx">isGlobal</span><span class="p">,</span> <span class="p">};</span> <span class="p">}</span> <span class="k">private</span> <span class="k">static</span> <span class="nf">createAsyncProviders</span><span class="p">(</span> <span class="nx">options</span><span class="p">:</span> <span class="nx">CustomHttpMethodModuleAsyncOptions</span> <span class="p">):</span> <span class="nx">Provider</span><span class="p">[]</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">options</span><span class="p">.</span><span class="nx">useFactory</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">[</span> <span class="p">{</span> <span class="na">provide</span><span class="p">:</span> <span class="nx">CustomHttpMethodModuleOptions</span><span class="p">,</span> <span class="na">useFactory</span><span class="p">:</span> <span class="nx">options</span><span class="p">.</span><span class="nx">useFactory</span><span class="p">,</span> <span class="na">inject</span><span class="p">:</span> <span class="nx">options</span><span class="p">.</span><span class="nx">inject</span> <span class="o">??</span> <span class="p">[],</span> <span class="p">},</span> <span class="p">];</span> <span class="p">}</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Invalid CustomHttpMethodModuleAsyncOptions</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h4> Iterate over the controllers and methods </h4> <p>The <code>CustomHttpMethodExplorer</code> is a provider that will:</p> <ol> <li>retrieve the controllers attached to the <code>modules</code> provided in the options</li> <li>scan and iterate over each controller's methods</li> <li>search for methods that use the <code>CustomHttpMethod</code> decorator</li> <li>substitute the placeholders with actual values from the <code>store</code> </li> <li>decorate the method with the NestJS HTTP method decorator (e.g., <code>@Get</code>, <code>@Post</code>, etc.)</li> </ol> <p>One of the benefits of using the <a href="https://github.com/nestjs/nest/blob/master/packages/core/discovery/discovery-service.ts" rel="noopener noreferrer"><code>DiscoveryService</code></a> is that it provides methods to explore the metadata of the controllers and methods [<code>getProviders</code>, <code>getControllers</code>, <code>getAllMethodNames</code> and <code>getMetadataByDecorator</code>], without having to use low-level APIs like <code>Reflect</code>.</p> <p><strong>Bonus</strong>: the <code>discoveryService.getMetadataByDecorator</code> infers the type of the metadata.</p> <blockquote> <p><em>The <code>CustomHttpMethodExplorer</code> service is instantiated when the module is imported and will scan the controllers and methods to replace the placeholders with actual values.</em> &gt; <em>Alternatively, you can manually trigger the exploration in the <code>main.ts</code> file.</em><br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="p">@</span><span class="nd">Injectable</span><span class="p">()</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">CustomHttpMethodExplorer</span> <span class="p">{</span> <span class="k">readonly</span> <span class="nx">logger</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Logger</span><span class="p">(</span><span class="nx">CustomHttpMethodExplorer</span><span class="p">.</span><span class="nx">name</span><span class="p">);</span> <span class="k">private</span> <span class="k">readonly</span> <span class="nx">methodsMap</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Map</span><span class="p">(</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">entries</span><span class="p">({</span> <span class="na">GET</span><span class="p">:</span> <span class="nx">Get</span><span class="p">,</span> <span class="na">POST</span><span class="p">:</span> <span class="nx">Post</span><span class="p">,</span> <span class="na">PUT</span><span class="p">:</span> <span class="nx">Put</span><span class="p">,</span> <span class="na">DELETE</span><span class="p">:</span> <span class="nx">Delete</span><span class="p">,</span> <span class="na">PATCH</span><span class="p">:</span> <span class="nx">Patch</span><span class="p">,</span> <span class="na">OPTIONS</span><span class="p">:</span> <span class="nx">Options</span><span class="p">,</span> <span class="na">HEAD</span><span class="p">:</span> <span class="nx">Head</span><span class="p">,</span> <span class="p">}</span> <span class="k">as</span> <span class="kd">const</span><span class="p">)</span> <span class="p">);</span> <span class="nf">constructor</span><span class="p">(</span> <span class="p">@</span><span class="nd">Inject</span><span class="p">(</span><span class="nx">CustomHttpMethodModuleOptions</span><span class="p">)</span> <span class="k">private</span> <span class="k">readonly</span> <span class="nx">options</span><span class="p">:</span> <span class="nx">CustomHttpMethodModuleOptions</span><span class="p">,</span> <span class="k">private</span> <span class="k">readonly</span> <span class="nx">discoveryService</span><span class="p">:</span> <span class="nx">DiscoveryService</span><span class="p">,</span> <span class="k">private</span> <span class="k">readonly</span> <span class="nx">metadataScanner</span><span class="p">:</span> <span class="nx">MetadataScanner</span> <span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nf">process</span><span class="p">();</span> <span class="p">}</span> <span class="kd">get</span> <span class="nf">store</span><span class="p">():</span> <span class="nb">Map</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="kr">string</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">options</span><span class="p">.</span><span class="nx">store</span><span class="p">;</span> <span class="p">}</span> <span class="kd">get</span> <span class="nf">modules</span><span class="p">():</span> <span class="nx">Type</span><span class="o">&lt;</span><span class="nx">unknown</span><span class="o">&gt;</span><span class="p">[]</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">options</span><span class="p">.</span><span class="nx">modules</span><span class="p">;</span> <span class="p">}</span> <span class="k">private</span> <span class="nf">substituteValues</span><span class="p">(</span><span class="nx">input</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">input</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span> <span class="sr">/</span><span class="se">\$(\w</span><span class="sr">+</span><span class="se">)</span><span class="sr">/g</span><span class="p">,</span> <span class="p">(</span><span class="nx">match</span><span class="p">,</span> <span class="nx">p1</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="k">this</span><span class="p">.</span><span class="nx">store</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">p1</span><span class="p">)</span> <span class="o">||</span> <span class="nx">match</span> <span class="p">);</span> <span class="p">}</span> <span class="k">private</span> <span class="nf">getMethodDecorator</span><span class="p">(</span> <span class="nx">method</span><span class="p">:</span> <span class="kr">string</span> <span class="p">):</span> <span class="p">(</span><span class="nx">path</span><span class="p">:</span> <span class="kr">string</span> <span class="o">|</span> <span class="kr">string</span><span class="p">[])</span> <span class="o">=&gt;</span> <span class="nx">MethodDecorator</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">methodMap</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">method</span><span class="p">.</span><span class="nc">ToUpperCase</span><span class="p">())</span> <span class="o">||</span> <span class="nx">Get</span><span class="p">;</span> <span class="p">}</span> <span class="nf">process</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">instances</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">discoveryService</span><span class="p">.</span><span class="nf">getControllers</span><span class="p">({</span> <span class="na">include</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">modules</span><span class="p">,</span> <span class="p">});</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">wrapper</span> <span class="k">of</span> <span class="nx">instances</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">handlers</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">metadataScanner</span><span class="p">.</span><span class="nf">getAllMethodNames</span><span class="p">(</span> <span class="nx">wrapper</span><span class="p">.</span><span class="nx">metatype</span><span class="p">.</span><span class="nx">prototype</span> <span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">logger</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">wrapper</span><span class="p">.</span><span class="nx">name</span><span class="p">}</span><span class="s2">:`</span><span class="p">);</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">handler</span> <span class="k">of</span> <span class="nx">handlers</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">metadata</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">discoveryService</span><span class="p">.</span><span class="nf">getMetadataByDecorator</span><span class="p">(</span> <span class="nx">CustomHttpMethod</span><span class="p">,</span> <span class="nx">wrapper</span><span class="p">,</span> <span class="nx">handler</span> <span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">metadata</span><span class="p">)</span> <span class="p">{</span> <span class="k">continue</span><span class="p">;</span> <span class="p">}</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">method</span><span class="p">,</span> <span class="nx">path</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">metadata</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">fulfilledPath</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nf">substituteValues</span><span class="p">(</span><span class="nx">path</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">decorator</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nf">getMethodDecorator</span><span class="p">(</span><span class="nx">method</span><span class="p">);</span> <span class="nf">decorator</span><span class="p">(</span><span class="nx">fulfilledPath</span><span class="p">)(</span> <span class="nx">wrapper</span><span class="p">.</span><span class="nx">metatype</span><span class="p">,</span> <span class="nx">handler</span><span class="p">,</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">getOwnPropertyDescriptor</span><span class="p">(</span> <span class="nx">wrapper</span><span class="p">.</span><span class="nx">metatype</span><span class="p">.</span><span class="nx">prototype</span><span class="p">,</span> <span class="nx">handler</span> <span class="p">)</span> <span class="k">as</span> <span class="nx">PropertyDescriptor</span> <span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">logger</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Mapped {</span><span class="p">${</span><span class="nx">method</span><span class="p">}</span><span class="s2"> </span><span class="p">${</span><span class="nx">fulfilledPath</span><span class="p">}</span><span class="s2">} route`</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p>If you like it more low level, you can also find an example using only Reflect API, in the <a href="https://github.com/getlarge/nestjs-dynamic-routes-and-listeners/blob/main/libs/custom-event-pattern/src/lib/custom-event-pattern.service.ts" rel="noopener noreferrer">example repository</a></p> </blockquote> <h3> 3. Declare the dynamic route </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="p">@</span><span class="nd">Controller</span><span class="p">()</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">AppController</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="k">private</span> <span class="k">readonly</span> <span class="nx">appService</span><span class="p">:</span> <span class="nx">AppService</span><span class="p">)</span> <span class="p">{}</span> <span class="p">@</span><span class="nd">CustomHttpMethod</span><span class="p">({</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">GET</span><span class="dl">'</span><span class="p">,</span> <span class="na">path</span><span class="p">:</span> <span class="dl">'</span><span class="s1">$HTTP_METHOD_PREFIX/:id</span><span class="dl">'</span> <span class="p">})</span> <span class="nf">getData</span><span class="p">(@</span><span class="nd">Param</span><span class="p">(</span><span class="dl">'</span><span class="s1">id</span><span class="dl">'</span><span class="p">)</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">appService</span><span class="p">.</span><span class="nf">getData</span><span class="p">(</span><span class="nx">id</span><span class="p">);</span> <span class="p">}</span> <span class="c1">//...</span> <span class="p">}</span> </code></pre> </div> <h3> 4. Import the custom explorers </h3> <p>In <code>app.module.ts</code>, add the custom explorers to the imports array.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="p">@</span><span class="nd">Module</span><span class="p">({</span> <span class="na">imports</span><span class="p">:</span> <span class="p">[</span> <span class="c1">// ...</span> <span class="nx">CustomHttpMethodModule</span><span class="p">.</span><span class="nf">forRootAsync</span><span class="p">({</span> <span class="na">inject</span><span class="p">:</span> <span class="p">[</span><span class="nx">ConfigService</span><span class="p">],</span> <span class="na">useFactory</span><span class="p">:</span> <span class="p">(</span> <span class="na">configService</span><span class="p">:</span> <span class="nx">ConfigService</span><span class="o">&lt;</span><span class="nx">EnvironmentVariables</span><span class="p">,</span> <span class="kc">true</span><span class="o">&gt;</span> <span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">store</span> <span class="o">=</span> <span class="k">new</span> <span class="nb">Map</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="kr">string</span><span class="o">&gt;</span><span class="p">();</span> <span class="nx">store</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span> <span class="dl">'</span><span class="s1">HTTP_METHOD_PREFIX</span><span class="dl">'</span><span class="p">,</span> <span class="nx">configService</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">HTTP_METHOD_PREFIX</span><span class="dl">'</span><span class="p">)</span> <span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">store</span><span class="p">,</span> <span class="na">modules</span><span class="p">:</span> <span class="p">[</span><span class="nx">AppModule</span><span class="p">]</span> <span class="p">};</span> <span class="p">},</span> <span class="p">}),</span> <span class="c1">// ...</span> <span class="p">],</span> <span class="na">controllers</span><span class="p">:</span> <span class="p">[</span><span class="nx">AppController</span><span class="p">],</span> <span class="na">providers</span><span class="p">:</span> <span class="p">[</span><span class="nx">AppService</span><span class="p">],</span> <span class="p">})</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">AppModule</span> <span class="p">{}</span> </code></pre> </div> <h3> 5. Update ConfigService type and validator </h3> <p>To provide a better developer experience, we can use the <code>class-transformer</code> and <code>class-validator</code> libraries to validate the configuration object and provide default values (any other validation library will do).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Expose</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">class-transformer</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">IsInt</span><span class="p">,</span> <span class="nx">IsPositive</span><span class="p">,</span> <span class="nx">IsString</span><span class="p">,</span> <span class="nx">IsUrl</span><span class="p">,</span> <span class="nx">Min</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">class-validator</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">EnvironmentVariables</span> <span class="p">{</span> <span class="c1">//...</span> <span class="p">@</span><span class="nd">Expose</span><span class="p">()</span> <span class="p">@</span><span class="nd">IsString</span><span class="p">()</span> <span class="nx">HTTP_METHOD_PREFIX</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">http-demo-1</span><span class="dl">'</span><span class="p">;</span> <span class="c1">//...</span> <span class="p">}</span> </code></pre> </div> <ol> <li>The <code>ConfigModule</code> is updated to use the <code>plainToInstance</code> function from <code>class-transformer</code> to transform the configuration object into an instance of the <code>EnvironmentVariables</code> class.</li> <li>The <code>validateSync</code> function from <code>class-validator</code> validates the instance of the <code>EnvironmentVariables</code> class.</li> <li>After this validation we can increase the <code>ConfigService</code> type safety by including the <code>EnvironmentVariables</code> class (e.g., <code>ConfigService&lt;EnvironmentVariables, true&gt;</code>). </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="p">@</span><span class="nd">Module</span><span class="p">({</span> <span class="na">imports</span><span class="p">:</span> <span class="p">[</span> <span class="nx">ConfigModule</span><span class="p">.</span><span class="nf">forRoot</span><span class="p">({</span> <span class="na">cache</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">isGlobal</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">validate</span><span class="p">:</span> <span class="p">(</span><span class="nx">config</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">validatedConfig</span> <span class="o">=</span> <span class="nf">plainToInstance</span><span class="p">(</span><span class="nx">EnvironmentVariables</span><span class="p">,</span> <span class="nx">config</span><span class="p">,</span> <span class="p">{</span> <span class="na">excludeExtraneousValues</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">exposeDefaultValues</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">errors</span> <span class="o">=</span> <span class="nf">validateSync</span><span class="p">(</span><span class="nx">validatedConfig</span><span class="p">,</span> <span class="p">{</span> <span class="na">skipMissingProperties</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">errors</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="nx">errors</span><span class="p">.</span><span class="nf">toString</span><span class="p">());</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">validatedConfig</span><span class="p">;</span> <span class="p">},</span> <span class="p">}),</span> <span class="c1">//...</span> <span class="p">],</span> <span class="na">controllers</span><span class="p">:</span> <span class="p">[</span><span class="nx">AppController</span><span class="p">],</span> <span class="na">providers</span><span class="p">:</span> <span class="p">[</span><span class="nx">AppService</span><span class="p">],</span> <span class="p">})</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">AppModule</span> <span class="p">{}</span> </code></pre> </div> <h3> 6. Testing </h3> <p>The workspace includes <a href="https://github.com/getlarge/nestjs-dynamic-routes-and-listeners/blob/main/apps/demo-1-e2e/src/demo-1/demo-1.spec.ts" rel="noopener noreferrer">E2E tests</a> that will send:</p> <ul> <li>HTTP request to the dynamic route</li> <li>MQTT message to the dynamic listener</li> </ul> <p>Feel free to run the tests to see the demonstration in action.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker compose up <span class="nt">-d</span> npx nx run demo-1:serve <span class="c"># in another terminal</span> nx run demo-1-e2e:e2e </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fesfhyhnw11p5gp9092a9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fesfhyhnw11p5gp9092a9.png" alt="End to end tests results" width="800" height="400"></a></p> <h2> Going further </h2> <p>With this knowledge, you can implement the following scenarios:</p> <ul> <li>Replace the template string with a <code>printf</code>-like syntax</li> <li>Fetch routes and listeners from a remote service or a database</li> <li>Build your explorer modules to create a plugin system</li> <li>Create a reusable generic controller to avoid repeating decorators</li> <li><a href="https://dev.to/sfeircode/nestjs-discovery-15kd">Create groups of controllers/providers</a></li> <li><a href="https://dev.to/micalevisk/nestjs-tip-how-to-attach-decorators-to-all-controllers-without-at-once-bg7">Attach decorators to all controllers</a></li> </ul> <h2> Conclusion </h2> <p>I hope you enjoyed this demonstration and learned something new about NestJS internals.</p> <p>If you want to show your appreciation, you can find the code in this <a href="https://github.com/getlarge/nestjs-dynamic-routes-and-listeners" rel="noopener noreferrer">repository</a> and give it a star ⭐️.</p> <div class="ltag__user ltag__user__id__1253749"> <a href="/getlarge" class="ltag__user__link profile-image-link"> <div class="ltag__user__pic"> <img src="https://media2.dev.to/dynamic/image/width=150,height=150,fit=cover,gravity=auto,format=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1253749%2Fc4b87a1b-784c-491c-ab9e-1cd2a4df299c.jpeg" alt="getlarge image"> </div> </a> <div class="ltag__user__content"> <h2> <a class="ltag__user__link" href="/getlarge">Edouard Maleix</a>Follow </h2> <div class="ltag__user__summary"> <a class="ltag__user__link" href="/getlarge">I am a Senior Software Engineer, focusing on distributed systems, application security and developer productivity/creativity. Based in Vienna 🥐, Austria.</a> </div> </div> </div> typescript nestjs tutorial