Passport

Passport.js is the authentication middleware that every Express.js tutorial teaches — plug in a "strategy" for Google OAuth, GitHub login, JWT, or local username/password, and it handles the session dance. With 500+ strategies, it supports practically every auth method that exists.

If you're building a Node.js/Express API and need auth, Passport still works. But in 2026, it's showing its age. Auth.js (NextAuth v5) is the modern choice for Next.js apps with built-in session management and zero-config OAuth. Better Auth emerged as the recommended alternative after Lucia Auth deprecated. Clerk and Auth0 are managed services that handle everything for $0-25/month.

The catch: Passport gives you the building blocks and expects you to wire everything together — session storage, serialization, error handling, CSRF protection. That's a lot of security-critical code for you to get right. The docs are outdated. No built-in session management. TypeScript support is community-maintained. For most new projects, a managed auth service or Auth.js saves weeks of work and is actually more secure.