Advanced Features

node-auth provides optional interfaces and hooks for advanced functionality. Every feature is opt-in — only configure what you need.

| Feature | Guide | Description |
|---|---|---|
| Sessions | ISessionStore | Device-aware session management, per-session revoke |
| Roles & Permissions | IRolesPermissionsStore | RBAC — assign roles, permissions, tenant-scoped |
| Multi-Tenancy | ITenantStore | Tenant CRUD, user↔tenant association |
| CSRF Protection | AuthConfig.csrf | Double-submit cookie pattern |
| User Metadata | IUserMetadataStore | Arbitrary per-user key/value data |
| Account Linking | ILinkedAccountsStore | Link multiple OAuth providers to one account |
| Admin Panel | createAdminRouter() | Built-in admin dashboard (HTML UI + REST API) |
| Dynamic Inbound Webhooks | @webhookAction, ActionRegistry, vm sandbox | Govern and execute JS scripts on inbound webhooks via the admin UI |
| Bearer Token | — | Mobile/native clients: token storage, interceptors |
| Mailer (HTTP) | MailerConfig | Built-in HTTP email transport with bilingual templates |
| Email Verification | emailVerificationMode | none / lazy / strict verification enforcement |
| Change Email | — | Two-step email address change with confirmation link |
| Account Deletion | — | DELETE /auth/account + tenant cleanup |
| Custom JWT Claims | buildTokenPayload | Embed tenant IDs, permissions, feature flags in JWT |
| AuthEventBus | AuthEventBus | Central event bus — subscribe to 26 standardised identity events |
| API Keys | ApiKeyService, IApiKeyStore | Machine-to-machine API key authentication with bcrypt hashing |
| AuthTools | AuthTools | Unified entry point for telemetry, SSE, and webhooks |
| SSE | SseManager | Real-time Server-Sent Events streaming by topic |
| Webhooks | WebhookSender, IWebhookStore | Outgoing webhooks with HMAC signing and retry |
| Telemetry | ITelemetryStore | Persist and query identity events |
| Swagger / OpenAPI | createToolsRouter() | Auto-generated OpenAPI 3.0 spec + Swagger UI |