Sign in users and call an API in a Node.js web application

In this article, you learn how to create your Node.js web app that calls your web API. You build the web API by using ASP.NET. You secure the web API by using Microsoft Entra ID for customers. To authorize access to the web API, you must serve requests that include a valid access token, which is issued by External ID for customers itself.

To simplify adding authentication and authorization, the Node.js client web app and .NET web API use Microsoft Authentication Library for Node (MSAL Node) and Microsoft Identity Web respectively.

We've organized the content into four separate articles so it's easy for you to follow:


Token-based authentication ensures that requests to a web API include a valid access token.

The client web app completes the following events:

  • It authenticates users with External ID for customers.

  • It acquires an access token with the required permissions (scopes) for the web API endpoint.

  • It passes the access token as a bearer token in the authentication header of the HTTP request. It uses the format:

    Authorization: Bearer <token>

The web API completes the following events:

  • It reads the bearer token from the authorization header of the HTTP request.

  • It validates the access token.

  • It validates the permissions (scopes) in the token.

  • If the access token is valid, the endpoint responds to the HTTP request, otherwise, it responds with a 401 Unauthorized HTTP error.


If you want to run a sample Node.js web application that calls a sample web API to get a feel of how things work, complete the steps in Sign in users and call an API in sample Node.js web application.

Next steps

Next, learn how to prepare your External ID for customers tenant.