Skip to content

Bearer Auth Middleware

The Bearer Auth Middleware provides authentication by verifying an API token in the Request header. The HTTP clients accessing the endpoint will add the Authorization header with Bearer {token} as the header value.

Using curl from the terminal, it would look like this:

curl -H 'Authorization: Bearer honoiscool' http://localhost:8787/auth/page


import { Hono } from 'hono'
import { bearerAuth } from 'hono/bearer-auth'


const app = new Hono()

const token = 'honoiscool'

app.use('/api/*', bearerAuth({ token }))

app.get('/api/page', (c) => {
  return c.json({ message: 'You are authorized' })

To restrict to a specific route + method:

const app = new Hono()

const token = 'honoiscool'

app.get('/api/page', (c) => {
  return c.json({ message: 'Read posts' })
})'/api/page', bearerAuth({ token }), (c) => {
  return c.json({ message: 'Created post!' }, 201)

To implement multiple tokens (E.g., any valid token can read but create/update/delete are restricted to a privileged token):

const app = new Hono()

const readToken = 'read'
const privilegedToken = 'read+write'
const privilegedMethods = ['POST', 'PUT', 'PATCH', 'DELETE']

app.on('GET', '/api/page/*', async (c, next) => {
  // List of valid tokens
  const bearer = bearerAuth({ token: [readToken, privilegedToken] })
  return bearer(c, next)
app.on(privilegedMethods, '/api/page/*', async (c, next) => {
  // Single valid privileged token
  const bearer = bearerAuth({ token: privilegedToken })
  return bearer(c, next)

// Define handlers for GET, POST, etc.

If you want to verify the value of the token yourself, specify the verifyToken option; returning true means it is accepted.

const app = new Hono()

    verifyToken: async (token, c) => {
      return token === 'dynamic-token'


  • token: string | string[] - required
    • The string to validate the incoming bearer token against
  • verifyToken: (token: string, c: Context) => boolean | Promise<boolean>
    • The function to verify the token
  • realm: string
  • prefix: string
    • The prefix (or known as schema) for the Authorization header value. Default is "Bearer"
  • headerName: string
    • The header name. Default is Authorization
  • hashFunction: Function
    • A function to handle hashing for safe comparison of authentication tokens

Released under the MIT License.