---
title: "Express Connector"
url: "https://docs.caracal.run/sdks/connectors/express/"
markdown_url: "https://docs.caracal.run/markdown/sdks/connectors/express.md"
description: "Express 5 middleware for Caracal mandate verification."
page_type: "page"
concepts: []
requires: []
---

# Express Connector

`@caracalai/mcp-express` protects Express routes by parsing the bearer token, verifying the mandate through `@caracalai/transport-mcp`, and attaching Caracal claims to the request.

## Install

```bash
npm install @caracalai/mcp-express @caracalai/transport-mcp @caracalai/revocation-redis
```

The connector has an Express `^5.0.0` peer dependency and targets Node `>=22`.

## Middleware

```ts
import express from "express";
import { caracalAuth } from "@caracalai/mcp-express";
import { createMandateVerifier } from "@caracalai/transport-mcp";
import { RedisRevocationStore } from "@caracalai/revocation-redis";

const app = express();

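// `redis` is not defined in this snippet; create it before this point
// (see the Redis Revocation Store page).
const verifier = createMandateVerifier({
  issuer: "https://sts.example.com",
  audience: "https://mcp.example.com",
  zoneId: "zone_prod",
  revocations: new RedisRevocationStore(redis),
});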

app.use("/mcp", caracalAuth({ verifier }, {
  requiredScopes: ["mcp:tool:call"],
  requiredTargets: ["https://mcp.example.com"],
  requireAgent: true,
}));
```

## Request shape

The middleware attaches Caracal claims to `req.caracal` and `req.caracalClaims` when verification succeeds. Use the exported `CaracalRequest` type when a handler needs typed access.

```ts
import type { CaracalRequest } from "@caracalai/mcp-express";

app.post("/mcp/tools/search", (req: CaracalRequest, res) => {
  res.json({ subject: req.caracal?.sub });
});
```

## Failure behavior

Failed verification returns an MCP transport error code such as `missing_token`, `invalid_token`, `insufficient_scope`, or `session_revoked`, plus a safe `error_hint` field. When multiple resource-server instances serve the same resource, pair the connector with a shared revocation store so that a revocation recorded through one instance is enforced by all of them.
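The shared-store advice above can be seen in a small simulation. This is an added example, not code from Caracal: `RevocationStore`, `MemoryRevocationStore`, `makeInstance`, `simulate` and the session id are hypothetical stand-ins, and the stores are synchronous and in-memory purely for illustration.

```typescript
// Added illustration, not Caracal code. All names here are hypothetical
// stand-ins for "a resource-server instance that consults a revocation store".
interface RevocationStore {
  revoke(sessionId: string): void;
  isRevoked(sessionId: string): boolean;
}

// In-memory store; a real deployment would use a networked store instead.
class MemoryRevocationStore implements RevocationStore {
  private revoked = new Set<string>();
  revoke(sessionId: string): void { this.revoked.add(sessionId); }
  isRevoked(sessionId: string): boolean { return this.revoked.has(sessionId); }
}

type Outcome = "ok" | "session_revoked";

// One resource-server instance: checks its store before serving the request.
function makeInstance(store: RevocationStore): (sessionId: string) => Outcome {
  return (sessionId) => (store.isRevoked(sessionId) ? "session_revoked" : "ok");
}

// Round-robin four requests for one revoked session across two instances.
// sharedStore=false gives each instance its own store; true shares one store.
function simulate(sharedStore: boolean): Outcome[] {
  const storeA = new MemoryRevocationStore();
  const storeB = sharedStore ? storeA : new MemoryRevocationStore();
  const instances = [makeInstance(storeA), makeInstance(storeB)];
  const session = "sess_constructed_1"; // constructed sample id
  storeA.revoke(session); // the revocation is recorded in instance A's store
  return [0, 1, 2, 3].map((i) => instances[i % 2](session));
}

// Per-instance stores: every second request for the revoked session still succeeds.
console.log("per-instance stores:", simulate(false));
// Shared store: every instance rejects the revoked session.
console.log("shared store:       ", simulate(true));
```

With per-instance stores the revoked session alternates between `session_revoked` and `ok` depending on which instance the load balancer picks, which is the intermittent pattern to look for in access logs when revocation state is not shared.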

## Related pages

- [Protect an Express App](/guides/protect-express/)
- [MCP Auth Transport](/sdks/transport-mcp/)
- [Redis Revocation Store](/sdks/connectors/redis/)
