curityio · gary-archer · Jan 2, 2026 · Jan 2, 2026 · Jan 2, 2026 · Jan 2, 2026
diff --git a/DEPLOYMENT.md b/DEPLOYMENT.md
@@ -6,7 +6,7 @@ An example SPA demonstrating the code and deployment to integrate with token han
 
 The example deployment requires the following components:
 
-- Node.js 20+
+- Node.js 22+
 - Docker
 - jq
 - OpenSSL 3
@@ -24,12 +24,6 @@ Use the [Curity developer portal](https://developer.curity.io/releases/token-han
 - [OpenResty OAuth Proxy 2.0.1+](https://developer.curity.io/releases/token-handler?proxy=openresty)
 - [NGINX OAuth Proxy 2.0.0+](https://developer.curity.io/releases/token-handler?proxy=nginx)
 
-Also, ensure that your computer's Curity Docker image is up to date (9.5.0 or later):
-
-```bash
-docker pull curity.azurecr.io/curity/idsvr
-```
-
 ## Deploy the System
 
 Two example deployments are provided, to explain the moving parts of the end-to-end solution.
@@ -91,6 +85,13 @@ Browse to the SPA at `http://www.product.example`.\
 Log in as the pre-shipped account `demouser` / `Password1`.\
 Test all OAuth lifecycle operations against token handler components running at `http://bff.product.example`. 
 
+## Adapt the Deployment
+
+Once you understand the deployment you can adapt and redeploy in various ways:
+
+- [Run in Development Mode](https://curity.io/resources/learn/token-handler-deployment-example/#spa-developer-setup) to understand the pure SPA developer experience.
+- [Change Domain Names](https://curity.io/resources/learn/token-handler-deployment-example/#change-external-urls) and [Upgrade to HTTPS URLs](https://curity.io/resources/learn/token-handler-deployment-example/#https-setup) to rehearse real deployments.
+
 ## Clean Up
 
 When finished testing, teardown any local Docker-deployed components like this:

diff --git a/api/Dockerfile b/api/Dockerfile
@@ -1,4 +1,4 @@
-FROM node:20-bookworm-slim
+FROM node:22-bookworm-slim
 
 RUN groupadd --gid 10000 apiuser \
   && useradd --uid 10001 --gid apiuser --shell /bin/bash --create-home apiuser

diff --git a/api/package-lock.json b/api/package-lock.json
diff --git a/api/package.json b/api/package.json
@@ -4,22 +4,21 @@
     "description": "An example API to validate JWTs and return data to the SPA",
     "author": "Curity AB",
     "license": "Apache-2.0",
-    "main": "server.ts",
     "type": "module",
     "engines": {
-        "node": ">=20"
+        "node": ">=22"
     },
     "scripts": {
         "build": "rm -rf dist && tsc",
         "start": "npm run build && node dist/server.js"
     },
     "dependencies": {
-        "express": "^5.1.0",
-        "jose": "^6.0.10"
+        "express": "^5.2.1",
+        "jose": "^6.1.3"
     },
     "devDependencies": {
-        "@types/express": "^5.0.1",
-        "@types/node": "^20.11.30",
-        "typescript": "^5.8.3"
+        "@types/express": "^5.0.6",
+        "@types/node": "^22.13.14",
+        "typescript": "^5.9.3"
     }
 }
diff --git a/api/tsconfig.json b/api/tsconfig.json
@@ -3,8 +3,8 @@
       "target": "ES2022",
       "strict": true,
       "lib": ["ES2022"],
-      "module": "ES2022",
-      "moduleResolution": "Node",
+      "module": "Node18",
+      "moduleResolution": "Node16",
       "allowSyntheticDefaultImports": true,
       "outDir": "dist"
     },

diff --git a/deploy.sh b/deploy.sh
@@ -31,6 +31,11 @@ if [ $? -ne 0 ]; then
   exit 1
 fi
 
+#
+# Pull the latest image for the Curity Token Handler
+#
+docker pull curity.azurecr.io/curity/idsvr
+
 #
 # Run the deployment for this scenario
 #

diff --git a/deployments/curity/docker-compose.yml b/deployments/curity/docker-compose.yml
@@ -94,7 +94,7 @@ services:
   # The SQL database used by the Curity Identity Server
   #
   curity-data:
-    image: postgres:17.4
+    image: postgres:18.1
     hostname: dbserver
     volumes:
       - ./idsvr/data-backup.sql:/docker-entrypoint-initdb.d/data-backup.sql

diff --git a/deployments/external/docker-compose.yml b/deployments/external/docker-compose.yml
@@ -98,7 +98,7 @@ services:
   # Keycloak is used as the external authorization server
   #
   keycloak:
-    image: quay.io/keycloak/keycloak:25.0.1
+    image: quay.io/keycloak/keycloak:26.4.7
     hostname: login-internal
     ports:
     - 8080:8080
@@ -108,8 +108,6 @@ services:
       KC_HTTP_ENABLED: 'true'
       KC_HTTPS_ENABLED: 'false'
       KC_HEALTH_ENABLED: 'true'
-      KEYCLOAK_ADMIN: admin
-      KEYCLOAK_ADMIN_PASSWORD: Password1
       KC_LOG_LEVEL: INFO
       KC_DB: postgres
       KC_DB_URL_HOST: keycloak-dbserver
@@ -129,7 +127,7 @@ services:
   # Keycloak's data includes preshipped user accounts
   #
   keycloakdata:
-    image: postgres:17.4
+    image: postgres:18.1
     hostname: keycloak-dbserver
     environment:
       POSTGRES_USER: postgres

diff --git a/spa/app.css → spa/css/app.css b/spa/app.css → spa/css/app.css
diff --git a/spa/css/bootstrap.min.css b/spa/css/bootstrap.min.css
diff --git a/spa/index.html b/spa/index.html
@@ -5,12 +5,12 @@
         <meta name='viewport' content='width=device-width, initial-scale=1, shrink-to-fit=no'>
         <title>Demo Web Client</title>
 
-        <link href='https://cdn.jsdelivr.net/npm/bootstrap@5.0.2/dist/css/bootstrap.min.css' rel='stylesheet' integrity='sha384-EVSTQN3/azprG1Anm3QDgpJLIm9Nao0Yz1ztcQTwFspd3yD65VohhpuuCOmLASjC' crossorigin='anonymous' />
+        <link href='bootstrap.min.css' rel='stylesheet' />
         <link href='app.css' rel='stylesheet' />
     </head>
     <body>
         <div id='root'></div>
         <script type='module' async src='vendor.bundle.js'></script>
         <script type='module' async src='app.bundle.js'></script>
     </body>
-</html>
+</html>
-Original file line number
+Diff line change
@@ Expand Up / @@ -31,6 +31,11 @@ if [ $? -ne 0 ]; then @@
       exit 1
     fi
+    #
+    # Pull the latest image for the Curity Token Handler
+    #
+    docker pull curity.azurecr.io/curity/idsvr
     #
     # Run the deployment for this scenario
     #
@@ Expand Down @@