auth-server-nest overview

@vendidit/auth-server-nest is a thin NestJS adapter over auth-server-ts. AuthClientModule.forRoot(), @Injectable() providers, global guards (JwtAuthGuard, RolesGuard, PermissionsGuard, ServiceOnlyGuard), decorators (@Public, @CurrentUser, @Roles, @Permissions, @ServiceOnly). Ships an AxiosHttpTransportAdapter + RedisTokenCacheAdapter so it works against the standard NestJS service tier out of the box.

Source	Vendidit/auth-server-nest
Stack	TypeScript 5+ · NestJS 10+ · axios
Wraps	auth-server-ts
Mirror	auth-server-laravel

📦

Every consumer needs to register an app first. A system_admin creates an apps row, the consumer sets VENDIDIT_APP_CODE + JWT_ACCESS_SECRET, and tokens issued to that app_code carry the right scope. See the full flow in App registration.

The 80% usage

import { Module } from '@nestjs/common';
import { APP_GUARD } from '@nestjs/core';
import {
    AuthClientModule,
    JwtAuthGuard,
    AUTH_CLIENT_REDIS,
} from '@vendidit/auth-server-nest';

@Module({
    imports: [
        AuthClientModule.forRoot({
            serviceName: 'orders-api',
            authServerUrl: process.env.AUTH_SERVER_URL!,
            jwtSecret: process.env.JWT_ACCESS_SECRET!,
            appCode: 'orders-api',
            checkRevocation: true,
            m2m: {
                clientId: process.env.AUTH_CLIENT_ID!,
                clientSecret: process.env.AUTH_CLIENT_SECRET!,
            },
            permissions: { manifest: ORDERS_PERMISSIONS },
        }),
    ],
    providers: [
        { provide: APP_GUARD, useClass: JwtAuthGuard },
        { provide: AUTH_CLIENT_REDIS, useExisting: REDIS_CLIENT },
    ],
})
export class AppModule {}

import { Controller, Get, UseGuards } from '@nestjs/common';
import {
    JwtAuthGuard,
    RolesGuard,
    Roles,
    Public,
    CurrentUser,
    type AuthenticatedUser,
} from '@vendidit/auth-server-nest';

@Controller('orders')
@UseGuards(JwtAuthGuard, RolesGuard)
export class OrdersController {
    @Get('/me')
    listMine(@CurrentUser() user: AuthenticatedUser) {
        return this.orders.byUser(user.id);
    }

    @Get('/admin')
    @Roles('system_admin', 'org_admin')
    listAll() {
        return this.orders.all();
    }

    @Public()
    @Get('/health')
    health() {
        return { ok: true };
    }
}

What you get

• AuthClientModule.forRoot(options) — DI-wired module. Construct once in AppModule, every feature module imports it transitively.
• Guards — JwtAuthGuard, RolesGuard, PermissionsGuard, ServiceOnlyGuard. Apply globally via APP_GUARD or per-controller.
• Decorators — @Public() (opt out of JwtAuthGuard), @CurrentUser() (param decorator returning AuthenticatedUser / ServicePrincipal), @Roles(...), @Permissions(...), @ServiceOnly().
• Services — TokenValidatorService, ServiceAuthClient, AuthHttpClient, PermissionRegistrarService — injectable for custom orchestration.
• Bundled adapters — AxiosHttpTransportAdapter, RedisTokenCacheAdapter (compatible with ioredis and node-redis via the AUTH_CLIENT_REDIS DI token).

Related pages

• How it works — module wiring, providers, guard mechanics.
• Quickstart.
• Class reference — auto-generated.
• auth-server-ts — the core this wraps.