Stand up an Express endpoint that verifies an X-Auth bearer and asserts the bound action — in three lines.
The Node SDK runs anywhere Node runs — Express, Fastify, Hono, Lambda.
npm install @xentranet/x-auth express

Read your tenant id from env and create a singleton SDK instance.

import { XAuth } from '@xentranet/x-auth';

// Single shared SDK instance, configured from the environment.
export const xauth = XAuth.init({
  tenantId: process.env.XAUTH_TENANT_ID!,
});

verifyTransaction middleware

Wrap your sensitive routes. The middleware rejects a missing, expired, or action-mismatched bearer: the verify call throws, and the catch block answers with 401.
import { Request, Response, NextFunction } from 'express';
import { xauth } from './xauth';

// Returns an Express middleware bound to one action name.
export const verifyTransaction = (action: string) =>
  async (req: Request, res: Response, next: NextFunction) => {
    try {
      // Take the token from the Authorization header.
      const bearer = req.headers.authorization?.replace('Bearer ', '');
      // Verify the bearer against the action and amount this request claims.
      const { transaction_ctx } = await xauth.verify(bearer, {
        expect: { action, amount: req.body?.amount },
      });
      // Hand the verified context to the route handler.
      (req as any).transaction_ctx = transaction_ctx;
      next();
    } catch (err) {
      // Any verification failure ends the request with 401.
      res.status(401).json({ error: 'invalid_transaction' });
    }
  };

Apply the middleware to any route that performs a sensitive action. The frontend (React, Angular, Vue, mobile) sends a bearer it got from advice().
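import express from 'express';
import { verifyTransaction } from './middleware';
// Your application's own ledger module (hypothetical path; not part of the SDK).
import { ledger } from './ledger';

const app = express();
app.use(express.json()); // the middleware reads req.body.amount, so parse JSON first

app.post('/api/transfer', verifyTransaction('transfer'), async (req, res) => {
  // Act on the verified context, not on the raw request body.
  const { transaction_ctx } = req as any;
  await ledger.transfer(transaction_ctx);
  res.json({ ok: true });
});

app.listen(3000);

Pair this backend with any frontend — the bearer protocol is the same.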
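The accept and reject decisions the verifyTransaction middleware makes, as an added example that is not code from the original page or from the X-Auth SDK. `stubVerify`, `bearerFrom`, `decide` and the token table are hypothetical stand-ins, and the stub's strict comparison of action and amount is an assumption about how the expectation is enforced.

```typescript
// Stand-in for the SDK (assumption): models only the bound action/amount
// comparison the page describes. Tokens and the ISSUED table are constructed.
type Ctx = { action: string; amount: number };
type Expect = { action: string; amount?: number };

const ISSUED = new Map<string, Ctx>([
  ['tok-transfer-100', { action: 'transfer', amount: 100 }],
]);

function stubVerify(bearer: string | undefined, opts: { expect: Expect }): Ctx {
  const ctx = bearer === undefined ? undefined : ISSUED.get(bearer);
  if (!ctx) throw new Error('missing or unknown bearer');
  if (ctx.action !== opts.expect.action) throw new Error('action mismatch');
  if (ctx.amount !== opts.expect.amount) throw new Error('amount mismatch');
  return ctx;
}

// Stricter than replace('Bearer ', ''): only "Bearer <token>" yields a token.
function bearerFrom(header: string | undefined): string | undefined {
  const m = /^Bearer (\S+)$/i.exec(header ?? '');
  return m ? m[1] : undefined;
}

// The middleware's decision, returned as a value instead of an HTTP response.
function decide(
  action: string,
  authorization: string | undefined,
  body: { amount?: number },
): { status: number; transaction_ctx?: Ctx } {
  try {
    const expect: Expect = { action, amount: body.amount };
    return { status: 200, transaction_ctx: stubVerify(bearerFrom(authorization), { expect }) };
  } catch {
    return { status: 401 };
  }
}

// Constructed requests: one as issued, four that must be refused.
const results = [
  decide('transfer', 'Bearer tok-transfer-100', { amount: 100 }),  // as issued
  decide('transfer', 'Bearer tok-transfer-100', { amount: 9999 }), // body amount altered
  decide('withdraw', 'Bearer tok-transfer-100', { amount: 100 }),  // bearer used on another action
  decide('transfer', undefined, { amount: 100 }),                  // no Authorization header
  decide('transfer', 'Basic tok-transfer-100', { amount: 100 }),   // wrong scheme
];
console.log(results.map((r) => r.status).join(' '));
```

The stub is synchronous to stay dependency-free; on the page the SDK's verify call is awaited.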