Define @Public() using SetMetadata with a known key. In the global auth guard, use Reflector.getAllAndOverride() to check for the isPublic flag first — if true, bypass authentication entirely. This is the canonical pattern used in virtually every production NestJS auth setup.
Opt-in public routes are safer — all routes are protected by default.
@Public() is co-located with the route — easier to audit than a centralized whitelist.
Works at both method and class level — @Public() on the controller marks all its routes as public.
No need to maintain a list of excluded paths in the guard or middleware configuration.
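The guard logic described above, as an added example that is not the page's own code or NestJS's: because the verifier runs without `@nestjs/common` or `@nestjs/core`, `SetMetadata`, `Reflector.getAllAndOverride()` and `ExecutionContext` below are small dependency-free stand-ins that reproduce the relevant semantics (the handler's metadata is checked before the class's, and the first defined value wins); they are not the real NestJS implementations. The controllers and the `hasValidToken` flag are constructed for the demonstration. It also goes one step beyond the text by showing that, since the handler is consulted first, a single method can opt back out of a class-level `@Public()`.

```typescript
// Key under which the isPublic flag is stored (same name a NestJS setup would use).
const IS_PUBLIC_KEY = 'isPublic';

// Metadata store keyed by the decorated class or method function.
const metadata = new WeakMap<object, Map<string, unknown>>();

function attach(target: object, key: string, value: unknown): void {
  let bag = metadata.get(target);
  if (!bag) {
    bag = new Map();
    metadata.set(target, bag);
  }
  bag.set(key, value);
}

// Stand-in for @nestjs/common SetMetadata (assumption: not the real one).
// Accepts both the legacy (target, propertyKey, descriptor) and the TC39
// (value, context) decorator call shapes so it compiles in either mode.
function SetMetadata(key: string, value: unknown) {
  return (first: any, second?: any, descriptor?: PropertyDescriptor): void => {
    if (second && typeof second === 'object' && 'kind' in second) {
      attach(first, key, value);            // TC39: first is the class or method
    } else if (descriptor) {
      attach(descriptor.value, key, value); // legacy method decorator
    } else {
      attach(first, key, value);            // legacy class decorator
    }
  };
}

// The opt-in marker: routes are protected unless explicitly marked public.
const Public = () => SetMetadata(IS_PUBLIC_KEY, true);

// Stand-in for @nestjs/core Reflector (assumption): getAllAndOverride returns
// the first defined value in target order, so a method value overrides the class.
class Reflector {
  getAllAndOverride<T>(key: string, targets: object[]): T | undefined {
    for (const t of targets) {
      const v = metadata.get(t)?.get(key);
      if (v !== undefined) return v as T;
    }
    return undefined;
  }
}

// Minimal stand-in for NestJS ExecutionContext plus the request's auth state.
interface ExecutionContext {
  getHandler(): Function;
  getClass(): Function;
  hasValidToken: boolean; // constructed stand-in for a verified credential
}

// Global auth guard: bypass only when the isPublic flag is set, else require a token.
class AuthGuard {
  constructor(private readonly reflector: Reflector = new Reflector()) {}

  canActivate(ctx: ExecutionContext): boolean {
    const isPublic = this.reflector.getAllAndOverride<boolean>(IS_PUBLIC_KEY, [
      ctx.getHandler(), // method-level metadata is checked first ...
      ctx.getClass(),   // ... then the controller class
    ]);
    if (isPublic) return true;
    return ctx.hasValidToken;
  }
}

// Constructed controllers covering class-level, method-level and override cases.
@Public()
class HealthController {
  ping() { return 'ok'; }
}

class UsersController {
  @Public()
  login() { return 'token'; }
  me() { return 'profile'; }
}

@Public()
class DocsController {
  index() { return 'docs'; }
  // Opts a single handler back out of the class-level @Public().
  @SetMetadata(IS_PUBLIC_KEY, false)
  draft() { return 'draft'; }
}

// Runs the guard for one controller method as the router would.
function canAccess(controller: Function, method: string, hasValidToken: boolean): boolean {
  const handler = (controller.prototype as any)[method] as Function;
  const ctx: ExecutionContext = { getHandler: () => handler, getClass: () => controller, hasValidToken };
  return new AuthGuard().canActivate(ctx);
}
```

The order of the `getAllAndOverride()` targets is the security-relevant detail: placing the handler first is what lets `@SetMetadata(IS_PUBLIC_KEY, false)` on `draft()` re-protect one route inside a public controller, while `index()` stays public and every route without the flag still requires a valid token.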