Express

Install:

npm install express @rokadhq/dhal

Use the Express adapter:

import express from "express";
import { dhal } from "@rokadhq/dhal/express";

const app = express();

app.use(express.json({ limit: "1mb" }));
app.use(dhal());

app.get("/", (_req, res) => {
  res.json({ ok: true });
});

app.post("/api/login", (_req, res) => {
  res.status(401).json({ error: "bad credentials" });
});

app.listen(3000);

Why order matters

Place Dhal early enough to protect routes, but after body middleware when you want rules to inspect parsed bodies.

Recommended:

app.use(express.json({ limit: "1mb" }));
app.use(dhal());

If you need raw-body inspection, capture rawBody in your body parser and expose it on the request object.

Credential-stuffing signals

The Express adapter records response outcomes after the response finishes. Repeated 401 or 403 on configured login routes can trigger credential-stuffing controls.

Why order matters​

Credential-stuffing signals​

Why order matters

Credential-stuffing signals