// the find

simov/grant

★ 4,174 · JavaScript · MIT · updated Feb 2025

OAuth Proxy

Grant is an OAuth middleware that handles OAuth 1.0a and 2.0 flows across 200+ pre-configured providers. It works as a drop-in middleware for Express, Koa, Hapi, and Fastify, and also as a handler for AWS Lambda, Azure Functions, GCP, and Vercel. The target is any Node.js app that needs to wire up social/third-party auth without reimplementing the dance for each provider.

The provider coverage is genuinely impressive — 200+ providers with their URLs, scope delimiters, and OAuth version baked into a single oauth.json, so you don't hunt through each provider's docs. The six-level configuration cascade (built-in → defaults → provider → overrides → state → dynamic HTTP) gives you coarse-to-fine control without repetition. PKCE support is a first-class config flag rather than a manual workaround. The serverless handler abstractions are clean — same mental model whether you're on Lambda or Express, just a different import.

Last push was February 2025 and activity before that was sparse; several providers in the list (Twitter/X, Instagram, Evernote) have deprecated or fundamentally changed their OAuth APIs since the configs were last verified. The library has no built-in token refresh logic — you get the refresh token and you're on your own to implement the renewal cycle, which is the part most apps actually need. OIDC signature verification is explicitly skipped by default, which is a footgun for anyone who doesn't notice the small disclaimer in the README. The dynamic HTTP override mode, where any config key can be overridden via GET params, is a serious misconfiguration risk if someone enables it carelessly in production.
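To make the dynamic-override risk concrete, here is an added example (not code from Grant or from this review) that audits a Grant-style config object and resolves `dynamic` through the defaults → provider → overrides part of the cascade. The key names (`defaults`, `overrides`, `dynamic`, and the entries in `SENSITIVE`) are assumed from Grant's README, and the sample config is constructed.

```javascript
// Added example: flag risky `dynamic` settings in a Grant-style config object.
// Assumption: key names below follow Grant's README; SENSITIVE is an illustrative list.
const SENSITIVE = new Set([
  'key', 'secret', 'callback', 'redirect_uri', 'origin', 'authorize_url', 'access_url',
]);

// Resolve `dynamic` as the cascade does: the most specific level that sets it wins.
function effectiveDynamic(...levels) {
  let value = false;
  for (const level of levels) {
    if (level && level.dynamic !== undefined) value = level.dynamic;
  }
  return value;
}

// Turn one resolved `dynamic` value into zero or one finding.
function classify(where, dynamic) {
  if (dynamic === true) {
    return [{ where, severity: 'high', issue: 'dynamic: true allows every config key to be overridden per request' }];
  }
  if (Array.isArray(dynamic)) {
    const risky = dynamic.filter((k) => SENSITIVE.has(k));
    if (risky.length) {
      return [{ where, severity: 'medium', issue: `dynamic allowlist exposes: ${risky.join(', ')}` }];
    }
  }
  return [];
}

function auditGrantConfig(config) {
  const { defaults = {}, ...providers } = config;
  const findings = [];
  for (const [name, provider] of Object.entries(providers)) {
    findings.push(...classify(name, effectiveDynamic(defaults, provider)));
    for (const [alias, override] of Object.entries(provider.overrides || {})) {
      findings.push(...classify(`${name}.overrides.${alias}`, effectiveDynamic(defaults, provider, override)));
    }
  }
  return findings;
}

// Constructed sample config with placeholder credentials.
const sampleConfig = {
  defaults: { origin: 'https://app.example', transport: 'session', dynamic: true },
  google: { key: 'PLACEHOLDER', secret: 'PLACEHOLDER', scope: ['openid'], dynamic: ['scope'] },
  github: { key: 'PLACEHOLDER', secret: 'PLACEHOLDER', overrides: { admin: { dynamic: ['scope', 'callback'] } } },
};
console.log(auditGrantConfig(sampleConfig));
```

In the sample, `google` narrows the inherited `dynamic: true` to a scope-only allowlist and passes, while `github` silently inherits the permissive default and its `admin` override exposes `callback`.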
