
Bolt.new AI and Duo Security integration: Step-by-Step Guide 2025

Learn to integrate Bolt.new AI with Duo Security in 2026 using this clear, step-by-step guide for secure, streamlined authentication.

Matt Graham, CEO of Rapid Developers


How to integrate Bolt.new AI with Duo Security?

The direct answer is: you don't “integrate Bolt.new with Duo Security” as a platform‑to‑platform feature; instead, inside Bolt.new you build a normal backend (Node.js, Python, etc.) and integrate Duo Security using Duo’s real REST APIs, Web SDK, iframe prompt, or Auth API. Bolt.new acts only as the coding/sandbox environment where you write the server logic, provide Duo API credentials via environment variables, and test flows exactly like any other web app.

So the practical integration pattern is: your Bolt.new backend ⇢ calls Duo’s auth endpoints (or hosts Duo Web SDK login flow) ⇢ validates signatures ⇢ returns session tokens to your frontend. Everything happens through real Duo Security APIs using a Duo application’s ikey (integration key), skey (secret key), and host.

 

Duo Integration in Bolt.new — How It Actually Works

 

Because Bolt.new is just a browser-based dev environment, you integrate Duo the same way you would in a normal Node/Python full-stack project. Bolt doesn’t have built‑in Duo modules; you wire it yourself through standard web patterns.

  • Create a Duo Security Application in the Duo Admin Panel. Choose the type: "Web SDK" for login pages, or "Auth API" for signing requests or second-factor verification.
  • Copy your Integration Key (ikey), Secret Key (skey), and API Hostname. These are required for every API call.
  • Store them in Bolt.new environment variables (never hard‑code secrets into your code). Bolt.new lets you create ENV vars in the project settings.
  • Write server routes in Bolt.new that call Duo’s API to start the auth flow, sign requests, and verify responses.
  • Implement the login page using either:
    • Duo Web SDK iframe prompt
    • a manual Auth API call sequence

 

Typical Node.js Auth API Example (works in Bolt.new)

 

This is an actual working pattern for Duo’s Auth API. This does not use made‑up SDKs — it uses Duo’s documented v2 endpoints.

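// server.js
// Example of verifying a Duo second factor using Duo's Auth API.
// This works in Bolt.new as long as env vars are set.

import express from "express";
import fetch from "node-fetch";
import crypto from "crypto";

const app = express();
app.use(express.json());

const DUO_IKEY = process.env.DUO_IKEY;   // Integration key
const DUO_SKEY = process.env.DUO_SKEY;   // Secret key
const DUO_HOST = process.env.DUO_HOST;   // api-xxxx.duosecurity.com

// Refuse to start without credentials instead of signing with "undefined"
if (!DUO_IKEY || !DUO_SKEY || !DUO_HOST) {
  throw new Error("DUO_IKEY, DUO_SKEY and DUO_HOST must be set");
}

// RFC 3986 percent-encoding (encodeURIComponent leaves !'()* unescaped)
const enc = (value) =>
  encodeURIComponent(value).replace(
    /[!'()*]/g,
    (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase()
  );

// Duo expects parameters sorted by key, URL-encoded and joined with "&"
function canonParams(params) {
  return Object.keys(params)
    .sort()
    .map((key) => `${enc(key)}=${enc(params[key])}`)
    .join("&");
}

// This signs the request, required by Duo.
// Signed lines: date, method, lowercase host, path, canonical parameters.
function signDuoRequest(method, path, body, date) {
  const canon = [date, method.toUpperCase(), DUO_HOST.toLowerCase(), path, body].join("\n");
  const sig = crypto.createHmac("sha1", DUO_SKEY).update(canon).digest("hex");
  const auth = `${DUO_IKEY}:${sig}`;
  return "Basic " + Buffer.from(auth).toString("base64");
}

app.post("/duo-auth", async (req, res) => {
  const { username, factor } = req.body;
  if (typeof username !== "string" || typeof factor !== "string") {
    return res.status(400).json({ error: "username and factor are required" });
  }

  const path = "/auth/v2/auth";
  const params = {
    username,
    factor,        // Example: "push"
    device: "auto" // Duo handles device selection
  };

  const body = canonParams(params);
  const date = new Date().toUTCString(); // the same value is signed and sent
  const authHeader = signDuoRequest("POST", path, body, date);

  try {
    const response = await fetch(`https://${DUO_HOST}${path}`, {
      method: "POST",
      headers: {
        "Date": date,
        "Authorization": authHeader,
        "Content-Type": "application/x-www-form-urlencoded"
      },
      body
    });

    const result = await response.json();
    res.json(result);
  } catch (err) {
    // Network or parsing failure: report an error, never an implicit "allow"
    res.status(502).json({ error: "Duo request failed" });
  }
});

app.listen(3000, () => console.log("Duo API test server running"));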

 

This lets you trigger Duo operations like sending push notifications. For Web SDK (the standard login iframe), you would instead sign and verify SSO-style tokens.

 

Front-End Flow Inside Bolt.new

 

  • Render your login form in the browser.
  • On submit, send username to your backend route like /duo-auth.
  • Your backend calls Duo, waits for the auth result, and returns it.
  • If Duo says "allow", create your own session token (JWT or cookie).

Bolt.new will preview this full flow using its built‑in development server. Once working, you can export the project and deploy it like any other Node.js backend.
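The last step of the flow above, deciding on the server whether Duo's reply becomes a session, is where a login either fails closed or does not. The block below is an added example, not code from the original page or from Duo: the function names, TTL values, reason strings and sample replies are constructed for illustration, and it assumes a server-side "pending login" record written after the password check.

```javascript
// Added example: hypothetical names, constructed sample data.
const PENDING_TTL_MS = 5 * 60 * 1000; // assumed window between password check and Duo approval
const SESSION_TTL_S = 60 * 60;        // assumed session lifetime

// Reduce a Duo /auth/v2/auth reply to allow/deny. Anything unexpected is a deny.
function evaluateDuoReply(httpStatus, body) {
  if (httpStatus !== 200) return { allow: false, reason: "duo_http_error" };
  if (!body || typeof body !== "object" || body.stat !== "OK" || !body.response) {
    return { allow: false, reason: "duo_api_error" };
  }
  if (body.response.result !== "allow") {
    return { allow: false, reason: "second_factor_denied" };
  }
  return { allow: true, reason: "second_factor_ok" };
}

// pending: server-side record created after the password check succeeded.
// The username is read from that record, never from the browser's request body.
function completeLogin(pending, httpStatus, duoBody, nowMs) {
  if (!pending || typeof pending.username !== "string") {
    return { ok: false, reason: "no_primary_auth" };
  }
  if (nowMs - pending.primaryAuthAt > PENDING_TTL_MS) {
    return { ok: false, reason: "primary_auth_expired" };
  }
  const verdict = evaluateDuoReply(httpStatus, duoBody);
  if (!verdict.allow) return { ok: false, reason: verdict.reason };
  const iat = Math.floor(nowMs / 1000);
  // Claims to hand to your session layer (signed cookie or JWT library).
  return {
    ok: true,
    claims: { sub: pending.username, amr: ["pwd", "mfa"], iat, exp: iat + SESSION_TTL_S }
  };
}

// Constructed sample replies in the shape the Auth API returns.
const SAMPLE_ALLOW = { stat: "OK", response: { result: "allow", status: "allow", status_msg: "Success. Logging you in..." } };
const SAMPLE_DENY = { stat: "OK", response: { result: "deny", status: "deny", status_msg: "Login request denied." } };
const SAMPLE_FAIL = { stat: "FAIL", code: 40103, message: "Invalid signature in request credentials" };
```

Return only the `ok` flag and a generic message to the browser; the `reason` values are meant for server logs.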

 

Important Security Notes

 

  • Never expose ikey/skey/host to the client browser. Only the backend uses them.
  • Use HTTPS once deployed. Duo requires it for production use.
  • Keep the server clock synchronized, because Duo signatures require accurate timestamps.

This is the real way to integrate Duo Security within a Bolt.new project: Bolt is simply the development sandbox; you wire Duo exactly as you would in any standard backend using official Duo REST endpoints and your Duo application's keys.
