by declandewet 4698 days ago
I've found that Passport is much easier to work with, as it is just Express middleware, plus there are way more strategies should you ever want to support any other form of authentication. There's a plethora of points made on Passport over EveryAuth (that might be biased - but worth a look) by the author of Passport over here: http://stackoverflow.com/questions/11974947/everyauth-vs-pas...

He also mentions that if you just want API authentication then Passport has two sibling projects for that purpose - OAuthorize and OAuth2orize.

You would most likely be using bearer tokens issued by OAuth2 to implement this, and Passport supports this pretty well, with the bonus that it's actively maintained: https://github.com/jaredhanson/passport-http-bearer

1 comments

Thanks! Any thoughts on using passport for a restful user account login/registration API? I guess I've been spoiled by how Rails/Django have everything built-in.
It would be much more straightforward than it would be in Rails. Passport is very easy to use compared to libraries like Devise, and it gives you the option to write your own middleware to use along with it. Middleware in Express is literally just a function you call in between the route parameter and the callback, like so:

// Pass the function itself (no parentheses); Express calls it with (req, res, next).
app.get('/dashboard', ensureAuthenticated, function(req, res) { });

Your ensureAuthenticated function would look like this:

function ensureAuthenticated(req, res, next) {
  if (req.isAuthenticated()) {
    next();
  } else {
    // Answer with 401 so clients do not see a 200 on a rejected request.
    res.status(401).send('You are not authorized to access this page.');
  }
}

Passport provides a few of these utility middlewares out of the box. It seems intimidating at first and I could spend a long time explaining it, but it would be much better just to dive in and give it a try. You can even head over to their IRC, which is #passportjs if I remember correctly, and ask which strategy would be best for your application and get started from there.
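
An added example, not part of the thread and not Passport's own code: a bearer-token check written in the same (req, res, next) middleware shape discussed above, answering 401 with a WWW-Authenticate header when the token is missing or unknown. The token store, the `run` helper standing in for Express routing, and all names are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Constructed sample store: only the SHA-256 of each issued token is kept.
const sha256 = (s) => crypto.createHash('sha256').update(s).digest();
const TOKENS = [{ hash: sha256('constructed-sample-token'), user: 'alice' }];

function lookupToken(token) {
  const candidate = sha256(token);
  let match = null;
  for (const entry of TOKENS) {
    // Digests have equal length, so they can be compared in constant time.
    if (crypto.timingSafeEqual(candidate, entry.hash)) match = entry.user;
  }
  return match;
}

// Middleware: same signature Express expects, using only res methods that
// Node's http.ServerResponse (and therefore Express) provides.
function ensureBearer(req, res, next) {
  const header = req.headers.authorization || '';
  const m = /^Bearer ([A-Za-z0-9\-._~+\/]+=*)$/i.exec(header);
  const user = m ? lookupToken(m[1]) : null;
  if (!user) {
    res.statusCode = 401;
    res.setHeader('WWW-Authenticate', 'Bearer realm="api"');
    return res.end('Unauthorized'); // next() is never called: the route is not reached
  }
  req.user = user;
  next();
}

// Hypothetical stand-in for Express routing: runs handlers in order.
function run(handlers, headers) {
  const req = { headers };
  const res = {
    statusCode: 200, headers: {}, body: null,
    setHeader(k, v) { this.headers[k] = v; },
    end(b) { this.body = b; },
  };
  let i = 0;
  const next = () => { const h = handlers[i++]; if (h) h(req, res, next); };
  next();
  return res;
}

const dashboard = (req, res) => res.end('hello ' + req.user);
```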