Auth that just works

Protect your app
with a fingerprint

Add passkey authentication to any Express app with a single line of code. No passwords. No OAuth. No database. Your users authenticate with their fingerprint or face — you ship faster.

Get started See the demo
npm install isitme
server.js
import express from "express";
import cookieParser from "cookie-parser";
import { isitme } from "isitme";

const app = express();

app.use(cookieParser());
app.use(isitme());  // That's it. Every route is now protected.

app.get("/", (req, res) => {
  res.send("You are authenticated!");
});

app.listen(3000);

Auth shouldn't be the hardest part of your app

You want to protect a dashboard. Not set up an identity provider.

The usual approach

  • Set up OAuth with a third-party provider
  • Configure callback URLs, scopes, secrets
  • Add a database for sessions and users
  • Build login, signup, forgot-password flows
  • Handle password hashing and security
All you wanted was to keep strangers out of your dashboard. Instead you spent a weekend on auth.

With isitme

  • Install one npm package
  • Add one line of middleware
  • Your device's biometrics are the auth
First visitor registers a passkey. Everyone after that needs to prove it's them. Done.

Everything you need, nothing you don't

isitme is a complete auth layer with zero configuration. Here's what's built in.

One line of code

Add app.use(isitme()) and every route is protected. No config files. No environment variables. No boilerplate.

Passkeys, not passwords

WebAuthn uses your device's fingerprint sensor or face recognition. Nothing to leak, phish, or forget.

No database required

Credentials are stored in the isitme cloud by default. Only public keys. Safe even if fully compromised. Or bring your own storage.

Built-in login page

A polished, responsive login UI ships with the package. Customize the colors or replace it entirely with your own.

Secure sessions

JWT sessions in HTTP-only cookies. Automatic expiry. No session store to run. No tokens to manage client-side.

TypeScript first

Full type definitions and autocomplete out of the box. Works great in plain JavaScript too.

Built for your workflow

Protect everything, protect some routes, or use conditional logic. isitme adapts to how you build.

server.js
app.use(isitme());
// Every route is now protected
server.js
app.use(isitme({ publicPaths: ["/", "/about"] }));

app.get("/", (req, res) => {
  res.send("Public homepage");
});

app.get("/dashboard", (req, res) => {
  res.send("Protected — passkey required");
});
server.js
app.use(isitme({ publicPaths: ["/"] }));

app.get("/", (req, res) => {
  if (req.isAuthenticated) {
    res.send("Welcome back! Here's your dashboard.");
  } else {
    res.send("Sign in to see your dashboard.");
  }
});

See it in action

What happens when someone visits your protected app for the first time.

localhost:3000
U

Visits localhost:3000 for the first time

i

No credentials found. Showing registration page...

Protect this site with isitme Use your fingerprint or face ID to secure this site. Only you will have access. [ Register with passkey ]
U

Taps fingerprint sensor

i

Credential stored. Session created.

Redirecting to your app...

You are authenticated!

Next time they visit, one fingerprint scan and they're in. No username. No password.

Three steps. Sixty seconds.

From zero to biometric-protected app.

1

Install the package

One dependency. That's all you need.

2

Add the middleware

Two lines: cookie parser and isitme. Every route is now protected.

3

Start your app

First visitor registers a passkey. The site is locked to their biometrics. Done.

Your entire auth setup
npm install isitme express cookie-parser # server.js import express from "express"; import cookieParser from "cookie-parser"; import { isitme } from "isitme"; const app = express(); app.use(cookieParser()); app.use(isitme()); app.get("/", (req, res) => { res.send("Protected!"); }); app.listen(3000);
node server.js # Open localhost:3000 — register your passkey

Frequently asked questions

Those are full identity platforms designed for multi-user SaaS apps. isitme is for a simpler use case: you built something and you want to lock the door. No user management, no social logins, no dashboard to configure. One line and it works.
Modern passkeys sync across devices via iCloud Keychain, Google Password Manager, or Windows Hello. If you register on your MacBook, your iPhone can authenticate too. For self-hosted setups, you can register multiple devices or use recovery codes.
Yes. WebAuthn was designed for this. We only store public keys and credential IDs. The private key never leaves your device's secure enclave. Even if our database is fully compromised, an attacker gets nothing useful. They can't authenticate, extract biometrics, or use credentials on other domains.
The default "first-user-wins" mode is designed for personal dashboards. Multi-user support with invite links is on the roadmap. For now, isitme is perfect for protecting admin panels, personal tools, and side projects.
WebAuthn is supported in all modern browsers: Chrome, Safari, Firefox, and Edge. It works on macOS (Touch ID), Windows (Hello), iOS (Face ID / Touch ID), and Android (fingerprint / face). Coverage is over 95% of web users.
Yes. isitme supports local JSON file storage, in-memory storage, or a custom storage adapter you write yourself. Pass a file path or your own adapter to the middleware and everything stays on your infrastructure.

Your app is ready.
Lock the door.

Add passkey auth in 60 seconds. No configuration required.

Get started View on GitHub