Optional
Internal
auth0Internal property to send information about the client to the authorization server.
Optional
env?: { Optional
authorizationURL parameters that will be sent back to the Authorization Server. This can be known parameters defined by Auth0 or custom parameters that you define.
Optional
authorizeA maximum number of seconds to wait before declaring background calls to /authorize as failed for timeout Defaults to 60s.
Optional
cache
Specify a custom cache implementation to use for token storage
and retrieval. This setting takes precedence over
cacheLocation if they are both specified.
Optional
cache
The location to use when storing cache data. Valid values are
memory or localstorage. The default
setting is memory.
Read more about changing storage options in the Auth0 docs
The Client ID found on your Application settings page
Optional
cookieThe domain the cookie is accessible from. If not set, the cookie is scoped to the current domain, including the subdomain.
Note: setting this incorrectly may cause silent authentication to stop working on page load.
To keep a user logged in across multiple subdomains set this to
your top-level domain and prefixed with a . (eg:
.example.com).
Your Auth0 account domain such as
'example.auth0.com',
'example.eu.auth0.com' or ,
'example.mycompany.com' (when using
custom domains)
Optional
error
Path in your application to redirect to when the Authorization
server returns an error. Defaults to /
Optional
httpConfiguration for the built-in Http Interceptor, used for automatically attaching access tokens.
Optional
http
Specify the timeout for HTTP calls using fetch. The
default is 10 seconds.
Optional
issuer
The issuer to be used for validation of JWTs, optionally defaults to the domain above
Optional
leeway
The value in seconds used to account for clock skew in JWT expirations. Typically, this value is no more than a minute or two at maximum. Defaults to 60s.
Optional
legacySets an additional cookie with no SameSite attribute to support legacy browsers that are not compatible with the latest SameSite changes. This will log a warning on modern browsers, you can disable the warning by setting this to false but be aware that some older useragents will not work, See https://www.chromium.org/updates/same-site/incompatible-clients Defaults to true
Optional
nowModify the value used as the current time during the token validation.
Note: Using this improperly can potentially compromise the token validation.
Optional
session
Number of days until the cookie
auth0.is.authenticated will expire Defaults to 1.
Optional
skip
By default, if the page URL has code and state parameters, the
SDK will assume they are for an Auth0 application and attempt to
exchange the code for a token. In some cases the code might be
for something else (e.g. another OAuth SDK). In these instances
you can instruct the client to ignore them by setting
skipRedirectCallback.
AuthModule.forRoot({
skipRedirectCallback: window.location.pathname === '/other-callback'
})
Note: In the above example,
/other-callback is an existing route that will be
called by any other OAuth provider with a code (or
error in case when something went wrong) and
state.
Optional
use
If true, the SDK will use a cookie when storing
information about the auth transaction while the user is going
through the authentication flow on the authorization server.
The default is false, in which case the SDK will
use session storage.
You might want to enable this if you rely on your users being able to authenticate using flows that may end up spanning across multiple tabs (e.g. magic links) or you cannot otherwise rely on session storage being available.
Optional
use
If true, data to the token endpoint is transmitted as
x-www-form-urlencoded data, if false it will be transmitted as
JSON. The default setting is true.
Note: Setting this to false may
affect you if you use Auth0 Rules and are sending custom,
non-primitive data. If you disable this, please verify that your
Auth0 Rules continue to work as intended.
Optional
use
If true, refresh tokens are used to fetch new access tokens from
the Auth0 server. If false, the legacy technique of using a
hidden iframe and the authorization_code grant with
prompt=none is used. The default setting is
false.
Note: Use of refresh tokens must be enabled by an administrator on your Auth0 client application.
Optional
use
If true, fallback to the technique of using a hidden iframe and
the authorization_code grant with
prompt=none when unable to use refresh tokens. If
false, the iframe fallback is not used and errors relating to a
failed refresh_token grant should be handled
appropriately. The default setting is false.
Note: There might be situations where doing
silent auth with a Web Message response from an iframe is not
possible, like when you're serving your application from the
file system or a custom protocol (like in a Desktop or Native
app). In situations like this you can disable the iframe
fallback and handle the failed refresh_token grant
and prompt the user to login interactively with
loginWithRedirect or
loginWithPopup."
E.g. Using the file: protocol in an Electron
application does not support that legacy technique.
let token: string;
try {
token = await auth0.getTokenSilently();
} catch (e) {
if (e.error === 'missing_refresh_token' || e.error === 'invalid_grant') {
auth0.loginWithRedirect();
}
}
Optional
worker
If provided, the SDK will load the token worker from this URL
instead of the integrated blob. An example of when
this is useful is if you have strict Content-Security-Policy
(CSP) and wish to avoid needing to set
worker-src: blob:. We recommend either serving the
worker, which you can find in the module at
<module_path>/dist/auth0-spa-js.worker.production.js, from the same host as your application or using the Auth0 CDN
https://cdn.auth0.com/js/auth0-spa-js/<version>/auth0-spa-js.worker.production.js.
Note: The worker is only used when
useRefreshTokens: true,
cacheLocation: 'memory', and the
cache is not custom.
Configuration for the authentication service