Passport

Passport is the authentication middleware for Node.js that supports 500+ strategies. It plugs into Express (or any Connect-compatible framework) and gives you a strategy-based system where each login method is a plugin.

MIT, JavaScript. The architecture is simple: pick a strategy (passport-local for email/password, passport-google-oauth20 for Google), configure it, add two routes (login and callback), done. There are 500+ community strategies covering everything from Twitter to LDAP to TOTP.

Fully free. No paid tier, no hosted service. Every strategy is open source. Solo to large teams: free across the board. Passport is the most battle-tested auth library in the Node ecosystem. If you're on Express, it's probably already in your dependencies.

The catch: Passport is showing its age. The core hasn't had a major update in years. Session-based authentication is the default pattern, and while you can do JWT and stateless auth, it's not native. Modern alternatives like Lucia or Auth.js (formerly NextAuth) have better TypeScript support, better documentation, and patterns that match current web architecture. For new projects, especially Next.js or other modern frameworks, Passport feels like reaching for the old reliable when newer options fit better.