Skip to main content

AI Prompt

Using AI to integrate Auth0? Add this prompt to Cursor, Windsurf, Copilot, Claude Code or your favourite AI-powered IDE to speed up development.
This quickstart requires:
  • Python 3.9 or higher
  • pip package manager
  • jq - Required for Auth0 CLI setup
  • Familiarity with FastAPI
If you haven’t already, sign up for a free Auth0 account to follow along.
This guide demonstrates how to integrate Auth0 with a FastAPI API to add authentication and protect your endpoints.
1

Create a new FastAPI project

Create a new directory for your FastAPI project and set up a virtual environment.
2

Install dependencies

Create a requirements.txt file with the following dependencies:
requirements.txt
Install the dependencies:
3

Setup your Auth0 API

You’ll need to create an Auth0 API to represent your FastAPI application.
  1. Navigate to Applications > APIs in the Auth0 Dashboard
  2. Click Create API
  3. Provide a Name for your API (e.g., “My FastAPI API”)
  4. Set the Identifier to your API identifier (e.g., https://my-fastapi-api)
  5. Leave the Signing Algorithm as RS256
  6. Click Create
The Identifier is a unique identifier for your API. It’s recommended to use a URL, but it doesn’t have to be a publicly accessible URL—Auth0 won’t call it. This value cannot be modified afterwards.
Make note of the Domain and Identifier (Audience) values. You’ll need these in the next step.
4

Define API permissions

Permissions (also known as scopes) allow you to define how your API can be accessed. You can create permissions for your API in the Auth0 Dashboard.
  1. In the Auth0 Dashboard, navigate to your API’s Permissions tab
  2. Add the following permissions:
    • read:messages with description “Read messages”
    • write:messages with description “Write messages”
These permissions will be used to control access to specific endpoints in your API.
5

Configure the Auth0 client

Create a .env file in your project root to store your Auth0 configuration:
.env
Replace YOUR_AUTH0_DOMAIN with your Auth0 domain (e.g., dev-abc123.us.auth0.com) and YOUR_API_IDENTIFIER with the identifier you set when creating your API.
Never commit your .env file to version control. Add it to your .gitignore file to keep your credentials secure.
Now create an app.py file and initialize your FastAPI application with Auth0:
app.py
6

Create protected routes

Add the following routes to your app.py file. These routes demonstrate different levels of access control:
app.py
The require_auth() method validates the access token sent in the Authorization header. When called with a scopes parameter, it also verifies that the token contains the specified permission.
7

Run your API

Start your FastAPI application:
Your API is now running on http://localhost:8000.
Visit http://localhost:8000/api/public in your browser. You should see the public message without needing authentication.

Test your API

To test the protected endpoints, you’ll need to obtain an access token from Auth0.

Get an access token

The easiest way to get an access token for testing is through the Auth0 Dashboard:
  1. Navigate to Applications > APIs in the Auth0 Dashboard
  2. Select your API
  3. Click the Test tab
  4. Click Copy Token in the Asking Auth0 for tokens from my application section

Call your API

Use the access token to call your protected endpoint:
You should receive a response with the private message and your user ID. To test the scoped endpoint, make sure your token includes the read:messages scope:
If your token doesn’t have the required scope, you’ll receive a 403 Forbidden response.

Advanced Usage

You can access custom claims that have been added to the access token through Auth0 Actions.Access custom claims in your route handler:
To add custom claims to your access tokens, create an Auth0 Action:
  1. Navigate to Actions > Library in the Auth0 Dashboard
  2. Click Create Action
  3. Select Build from scratch
  4. Name your action and select the Login / Post Login trigger
  5. Add your custom claims:
  1. Click Deploy and add the action to your Login flow
Custom claims must use a namespaced format (e.g., https://myapp.example.com/claim_name) to avoid conflicts with standard claims.
If you need to protect an endpoint but don’t need to access the claims, you can use the dependencies parameter:
This validates the access token but doesn’t inject the claims into your function.
DPoP (Demonstrating Proof-of-Possession) is currently in Early Access. Contact Auth0 support to enable it for your tenant.
DPoP provides enhanced security by cryptographically binding access tokens to the client that requested them. This prevents token theft and replay attacks.The SDK enables DPoP support by default. You can configure DPoP behavior:
Mixed mode (default) accepts both Bearer and DPoP tokens:
DPoP-only mode rejects Bearer tokens:
When using DPoP, clients must include both the Authorization: DPoP <token> and DPoP: <proof> headers. The SDK automatically validates the DPoP proof and binds it to the access token.
Only enable trust_proxy when your application is behind a trusted reverse proxy. Never enable this for applications directly exposed to the internet.
If your application runs behind a reverse proxy (nginx, AWS ALB, etc.), you need to enable proxy trust for DPoP validation to work correctly:
Configure your reverse proxy to forward the necessary headers:
This is essential for DPoP validation because the SDK needs to match the exact URL the client used. Without proxy trust, your application sees internal URLs while DPoP proofs reference external URLs, causing validation failures.
The SDK raises HTTPException for authentication errors. FastAPI handles these automatically, returning appropriate HTTP responses to the client.You can implement custom error handling if needed:
Authentication errors include:
  • 401 Unauthorized: Missing, invalid, or expired access token
  • 403 Forbidden: Valid token but insufficient permissions (scopes)

Common Issues

Problem: Token validation fails with “Invalid audience” error.Solution: Verify that the AUTH0_AUDIENCE in your .env file exactly matches the Identifier you configured for your API in the Auth0 Dashboard.
  1. Open the Auth0 Dashboard and navigate to Applications > APIs
  2. Select your API
  3. Check the Identifier value in the Settings tab
  4. Update your .env file:
  5. Restart your application
Problem: Token validation fails with “Invalid issuer” error.Solution: Verify that your AUTH0_DOMAIN is correct and does not include the https:// protocol.Your domain should look like dev-abc123.us.auth0.com, not https://dev-abc123.us.auth0.com.Update your .env file:
Problem: Protected endpoint returns 403 even with a valid access token.Solution: The access token doesn’t include the required scope.
  1. Check what scopes your endpoint requires
  2. When requesting a token, ensure you include the required scopes
  3. Verify the scope exists in your API’s Permissions tab in the Auth0 Dashboard
  4. Decode your token at jwt.io to verify it contains the scope claim with the required values
Problem: Python cannot find the Auth0 FastAPI SDK.Solution: Ensure the SDK is installed in your active virtual environment.
Problem: Application cannot fetch signing keys from Auth0.Solution: Check your network connectivity and domain configuration.
  1. Verify your domain is accessible:
  2. Check that your firewall allows outbound HTTPS (port 443) connections to *.auth0.com
  3. If behind a corporate proxy, configure the HTTP_PROXY and HTTPS_PROXY environment variables
Problem: DPoP authentication returns errors about URL or proof validation.Solution:
  1. If behind a reverse proxy, enable proxy trust:
  2. Verify your proxy forwards these headers:
    • X-Forwarded-Proto
    • X-Forwarded-Host
    • X-Forwarded-Prefix
  3. Ensure DPoP is enabled for your tenant (contact Auth0 support)
  4. Verify the DPoP proof htu claim matches your request URL exactly

Next Steps

SDK Documentation

Explore the Auth0 FastAPI SDK on GitHub for advanced configuration and examples

Scopes and Permissions

Learn how to define and use scopes for fine-grained access control

Auth0 Actions

Customize your authentication flow and add custom claims to tokens

FastAPI Documentation

Learn more about FastAPI features, async patterns, and best practices

API Authorization

Implement role-based access control (RBAC) for your API

Deploy to Production

Best practices for deploying FastAPI applications with Auth0