Migrate from v9 to v10
Auth0.js v10 contains a security fix for CVE-2026-42280 and one breaking change:
If you need the v9 API reference, see the auth0-js package on npm and select your v9 version, or browse the v9 source and changelog on GitHub.
Embedded login for web applications uses cross-origin authentication unless you configure a custom domain for your tenant. Cross-origin authentication uses third-party cookies to allow for secure authentication transactions across different origins.
Ready-to-go example
The example directory of the Auth0.js library is a ready-to-go app that can help you to quickly and easily try out Auth0.js. To run it:- If you don’t have node installed, do that now
- Download dependencies by running
npm installfrom the root of this project - Finally, execute
npm startfrom the root of this project, and then browse to your app running on the node server, presumably athttp://localhost:3000/example.
Setup and initialization
The following sections cover methods of installation, how to initialize Auth0.js, signup, login, logout, and more.Configure your Auth0 application for embedded login
When implementing embedded login, the library uses cross-origin calls inside hidden iframes to perform authentication. To make sure this can be done securely, Auth0 needs to know the domains where you host your applications. Add the domain to the Allowed Web Origins field. You can find this field in the Application Settings area of your Dashboard.Installation options
You have a few options for using Auth0.js in your project. Pick one of the below depending on your needs: Install via npm or yarn:auth0-js module, bundle it up along with all of its dependencies, or import it using:
Initialization
Initialize a new instance of the Auth0 application as follows:Available parameters
There are two required parameters that must be passed in theoptions object when instantiating webAuth and more that are optional.
Because of clock skew issues, you may occasionally encounter the error
The token was issued in the future. The leeway parameter can be used to allow a few seconds of leeway to ID Token expiration times, to prevent that from occurring.
Scope
The defaultscope value in Auth0.js v10 is openid profile email.
Running Auth0.js locallyIf you don’t specify at least the above scope when initializing Auth0.js, and you are running your website from
http://localhost or http://127.0.0.1, calling the getSSOData() method will result in the following error in the browser console:Consent required. When using getSSOData, the user has to be authenticated with the following scope: openid profile emailThat will not happen when you run your application in production or if you specify the openid profile email scope. You can read more about this in the User consent and third-party applications document.Login
You can choose a method for login based on the type of authentication you need in your application.webAuth.authorize()
Theauthorize() method can be used for logging in users through or social connections as shown in the examples below. This method invokes the /authorize endpoint of the Authentication API, and can take a variety of parameters through the options object.
For hosted login, one must call the
/authorize() method.
webAuth.authorize({//Any additional options can go here});
For social logins, the connection parameter will need to be specified:
webAuth.authorize({connection: 'twitter'});
webAuth.popup.authorize()
For popup authentication thepopup.authorize method can be used. Popup authentication cannot be used within hosted login pages. Typically, popup authentication is used by single-page applications so the current state is not lost by doing a full page redirection.
Default authorization with popup (Universal Login):
authorize:
Handle popup authentication results
When using popup authentication, you’ll have to provide aredirectUri where the destination page communicates the authorization results back to the callback by using the webAuth.popup.callback method. A simple implementation would be something like this:
redirectUri to the application’s Allowed Callback URLs list in the application configuration page on the Dashboard.
webAuth.login()
Embedded login for web applications uses cross-origin authentication unless you configure a custom domain for your tenant. Cross-origin authentication uses third-party cookies to allow for secure authentication transactions across different origins.
login method can be used for embedded login through cross-origin authentication for database connections, using /co/authenticate.
webAuth.crossOriginVerification()
ThecrossOriginVerification() method can be used to help provide cross-origin authentication to customers who have third-party cookies disabled in their browsers. To learn more about its usage, read Cross-Origin Authentication.
buildAuthorizeUrl(options)
ThebuildAuthorizeUrl method can be used to build the /authorize URL, in order to initialize a new transaction. Use this method if you want to implement browser based (passive) authentication.
The state parameter is an opaque value that Auth0 will send back to you. This method helps prevent CSRF attacks, and it needs to be specified if you redirect to the URL yourself instead of calling webAuth.authorize(). For more information, see State Parameter.
Single Sign-On with embedded authentication
Embedded login supports (SSO) when your applications share the following architecture:- The applications attempting SSO are first-party applications. Sharing embedded sessions with third-party applications is not supported.
- The applications and your Auth0 tenant share a top-level domain via a custom domain. Traditional Auth0 domains use the
foo.auth0.comformat; custom domains let your applications and Auth0 tenant share the same top-level domain, which also helps prevent CSRF attacks.
Passwordless login
authentication allows users to log in by receiving a one-time password through email or text message. The process will require you to start the passwordless process, generating and dispatching a code to the user (or a code within a link), followed by accepting their credentials through the verification method. That could happen in the form of a login screen which asks for their (email or phone number) and the code you just sent them. It could also be implemented in the form of a passwordless link instead of a code sent to the user. They would simply click the link in their email or text and it would hit your endpoint and verify this data automatically using the same verification method (just without manual entry of a code by the user). To use passwordless authentication, initialize Auth0.js with aredirectUri and set responseType: 'token'.
Start passwordless authentication
The first step in passwordless authentication with Auth0.js is thepasswordlessStart method, which has several parameters which can be passed within its options object:
Note that exactly one of the optional
phoneNumber and email parameters must be sent in order to start the passwordless transaction.
Complete passwordless authentication
If sending a code, you will then need to prompt the user to enter that code. You will process the code, and authenticate the user, with thepasswordlessLogin method, which has several parameters which can be sent in its options object:
As with
passwordlessStart, exactly one of the optional phoneNumber and email parameters must be sent in order to verify the passwordless transaction.
To use passwordlessLogin, specify redirectUri and responseType when initializing WebAuth.
Extract the authResult and get user info
After authentication occurs, you can use theparseHash method to parse a URL hash fragment when the user is redirected back to your application in order to extract the result of an Auth0 authentication response. You may choose to handle this in a callback page that will then redirect to your main application, or in-page, as the situation dictates.
The parseHash method takes an options object that contains the following parameters:
The contents of the authResult object returned by
parseHash depend upon which authentication parameters were used. It can include:
client.userInfo method can be called passing the returned accessToken. It will make a request to the /userinfo endpoint and return the user object, which contains the user’s information, formatted similarly to the below example.
Using nonces
By default (and ifresponseType contains id_token), Auth0.js will generate a random nonce when you call webAuth.authorize, store it in local storage, and pull it out in webAuth.parseHash. The default behavior should work in most cases, but some use cases may require a developer to control the nonce.
If you want to use a developer generated nonce, then you must provide it as an option to both webAuth.authorize and webAuth.parseHash.
webAuth.authorize({<Tooltip tip="Nonce: Arbitrary number issued once in an authentication protocol to detect and prevent replay attacks." cta="View Glossary" href="/docs/glossary?term=nonce">nonce</Tooltip>: '1234', responseType: 'token id_token'}); webAuth.parseHash({nonce: '1234'}, callback);
If you’re calling webAuth.checkSession instead of webAuth.authorize, then you only have to specify your custom nonce as an option to checkSession:
webAuth.checkSession method will automatically verify that the returned ’s nonce claim is the same as the option.
Error codes and descriptions
When Auth0.js is used for embedded login, it employs the/co/authenticate endpoint, which can produce the following errors:
Error descriptions are intended to be human readable. The description should not be parsed by any code and is subject to change at any time.
In addition, you can also get a generic 403 error without an
error or error_description property. The response body would just include something similar to the following:
Origin https://test.app is not allowed.
Logout
To log out a user, use thelogout() method. This method accepts an options object, which can include the following parameters.
If the clientID parameter is included, the returnTo URL that is provided must be listed in the Application’s Allowed Logout URLs in the Auth0 dashboard. However, if the clientID parameter is not included, the returnTo URL must be listed in the Allowed Logout URLs at the account level in the Auth0 dashboard.
Signup
To sign up a user, use thesignup method. This method accepts an options object, which can include the following parameters.
Signups should be for database connections. Here is an example of the
signup method and some sample code for a form.
Using checkSession to acquire new tokens
ThecheckSession method allows you to acquire a new token from Auth0 for a user who is already authenticated against Auth0 for your domain. The method accepts any valid OAuth2 parameters that would normally be sent to authorize. If you omit them, it will use the ones provided when initializing Auth0.
The call to checkSession can be used to get a new token for the API that was specified as the when webAuth was initialized:
authResult.
Or, the token can be acquired for a different API than the one used when initializing webAuth by specifying an audience and scope:
checkSession() triggers any rules you may have set up, so you should check on your rules in the Dashboard prior to using it.
The actual redirect to /authorize happens inside an iframe, so it will not reload your application or redirect away from it.
However, the browser must have third-party cookies enabled. Otherwise, checkSession() is unable to access the current user’s session (making it impossible to obtain a new token without displaying anything to the user). The same will happen if users have Safari’s ITP enabled.
Remember to add the URL where the authorization request originates from, to the Allowed Web Origins list of your Auth0 application in the Dashboard under your application’s Settings.
Polling with checkSession()
In some multi-application scenarios, where Single Logout is desired (a user logging out of one application needs to be logged out of other applications), an application can be set up to periodically poll Auth0 usingcheckSession() to see if a session exists. If the session does not exist, you can then log the user out of the application. The same polling method can be used to implement silent authentication for a Single Sign-on (SSO) scenario.
The poll interval between checks to checkSession() should be at least 15 minutes between calls to avoid any issues in the future with rate limiting of this call.
Password reset requests
If attempting to set up a password reset functionality, you’ll use thechangePassword method and pass in an options object, with a connection parameter and an email parameter.
User management
The Management API provides functionality that allows you to link and unlink separate user accounts from different providers and update user metadata. For more information, read User Account Linking. To get started, you first need to obtain a an that can be used to call the Management API. You can do it by specifying thehttps://{yourDomain}/api/v2/ audience when initializing Auth0.js, in which case you will get the access token as part of the authentication flow.
If you use custom domains, you will need to instantiate a new copy of webAuth using your Auth0 domain rather than your custom one, for use with the Management API calls, as it only works with Auth0 domains.
You can also do so by using checkSession():
You must specify the specific scopes you need. You can ask for the following scopes:
read:current_userupdate:current_user_identitiescreate:current_user_metadataupdate:current_user_metadatadelete:current_user_metadatacreate:current_user_device_credentialsdelete:current_user_device_credentials
auth0.Management instance by passing it the account’s Auth0 domain, and the access token.
Get the user profile
To get the user profile data, use thegetUser() method, with the userId and a callback as parameters. The method returns the user profile. Note that the userID required here will be the same one fetched from the client.userInfo method.
auth0Manage.getUser(userId, cb);
Update the user profile
When updating user metadata, you will need to first create auserMetadata object, and then call the patchUserMetadata method, passing it the user id and the userMetadata object you created. The values in this object will overwrite existing values with the same key, or add new ones for those that don’t yet exist in the user metadata. For more information, read Metadata.
auth0Manage.patchUserMetadata(userId, userMetadata, cb);
Link users
Linking user accounts will allow a user to authenticate from any of their accounts and no matter which one they use, still pull up the same profile upon login. Auth0 treats all of these accounts as separate profiles by default, so if you wish a user’s accounts to be linked, this is the way to go. ThelinkUser method accepts two parameters, the primary userId and the secondary user’s ID Token (the token obtained after login with this identity). The user ID in question is the unique identifier for the primary user account. The ID should be passed with the provider prefix, for example, auth0|1234567890 or facebook|1234567890, when using this method. See User Account Linking for details.
auth0Manage.linkUser(userId, secondaryUserToken, cb);
After linking the accounts, the second account will no longer exist as a separate entry in the user database, and will only be accessible as part of the primary one.
When accounts are linked, the secondary account’s metadata is not merged with the primary account’s metadata, and if they are ever unlinked, the secondary account will likewise not retain the primary account’s metadata when it becomes separate again.