Interface AuthConfig

Configuration for the authentication service

interface AuthConfig {
    auth0Client?: {
        env?: {
            [key: string]: string;
        name: string;
        version: string;
    authorizationParams?: AuthorizationParams;
    authorizeTimeoutInSeconds?: number;
    cache?: ICache;
    cacheLocation?: CacheLocation;
    clientId: string;
    cookieDomain?: string;
    domain: string;
    errorPath?: string;
    httpInterceptor?: HttpInterceptorConfig;
    httpTimeoutInSeconds?: number;
    issuer?: string;
    leeway?: number;
    legacySameSiteCookie?: boolean;
    nowProvider?: (() => number | Promise<number>);
    sessionCheckExpiryDays?: number;
    skipRedirectCallback?: boolean;
    useCookiesForTransactions?: boolean;
    useFormData?: boolean;
    useRefreshTokens?: boolean;
    useRefreshTokensFallback?: boolean;
    workerUrl?: string;


  • Auth0ClientOptions
    • AuthConfig


auth0Client?: {
    env?: {
        [key: string]: string;
    name: string;
    version: string;

Internal property to send information about the client to the authorization server.

Type declaration

  • Optional env?: {
        [key: string]: string;
    • [key: string]: string
  • name: string
  • version: string
authorizationParams?: AuthorizationParams

URL parameters that will be sent back to the Authorization Server. This can be known parameters defined by Auth0 or custom parameters that you define.

authorizeTimeoutInSeconds?: number

A maximum number of seconds to wait before declaring background calls to /authorize as failed for timeout Defaults to 60s.

cache?: ICache

Specify a custom cache implementation to use for token storage and retrieval. This setting takes precedence over cacheLocation if they are both specified.

cacheLocation?: CacheLocation

The location to use when storing cache data. Valid values are memory or localstorage. The default setting is memory.

Read more about changing storage options in the Auth0 docs

clientId: string

The Client ID found on your Application settings page

cookieDomain?: string

The domain the cookie is accessible from. If not set, the cookie is scoped to the current domain, including the subdomain.

Note: setting this incorrectly may cause silent authentication to stop working on page load.

To keep a user logged in across multiple subdomains set this to your top-level domain and prefixed with a . (eg:

domain: string

Your Auth0 account domain such as '', '' or , '' (when using custom domains)

errorPath?: string

Path in your application to redirect to when the Authorization server returns an error. Defaults to /

httpInterceptor?: HttpInterceptorConfig

Configuration for the built-in Http Interceptor, used for automatically attaching access tokens.

httpTimeoutInSeconds?: number

Specify the timeout for HTTP calls using fetch. The default is 10 seconds.

issuer?: string

The issuer to be used for validation of JWTs, optionally defaults to the domain above

leeway?: number

The value in seconds used to account for clock skew in JWT expirations. Typically, this value is no more than a minute or two at maximum. Defaults to 60s.

legacySameSiteCookie?: boolean

Sets an additional cookie with no SameSite attribute to support legacy browsers that are not compatible with the latest SameSite changes. This will log a warning on modern browsers, you can disable the warning by setting this to false but be aware that some older useragents will not work, See Defaults to true

nowProvider?: (() => number | Promise<number>)

Type declaration

    • (): number | Promise<number>
    • Modify the value used as the current time during the token validation.

      Note: Using this improperly can potentially compromise the token validation.

      Returns number | Promise<number>

sessionCheckExpiryDays?: number

Number of days until the cookie will expire Defaults to 1.

skipRedirectCallback?: boolean

By default, if the page URL has code and state parameters, the SDK will assume they are for an Auth0 application and attempt to exchange the code for a token. In some cases the code might be for something else (e.g. another OAuth SDK). In these instances you can instruct the client to ignore them by setting skipRedirectCallback.

skipRedirectCallback: window.location.pathname === '/other-callback'

Note: In the above example, /other-callback is an existing route that will be called by any other OAuth provider with a code (or error in case when something went wrong) and state.

useCookiesForTransactions?: boolean

If true, the SDK will use a cookie when storing information about the auth transaction while the user is going through the authentication flow on the authorization server.

The default is false, in which case the SDK will use session storage.


You might want to enable this if you rely on your users being able to authenticate using flows that may end up spanning across multiple tabs (e.g. magic links) or you cannot otherwise rely on session storage being available.

useFormData?: boolean

If true, data to the token endpoint is transmitted as x-www-form-urlencoded data, if false it will be transmitted as JSON. The default setting is true.

Note: Setting this to false may affect you if you use Auth0 Rules and are sending custom, non-primitive data. If you disable this, please verify that your Auth0 Rules continue to work as intended.

useRefreshTokens?: boolean

If true, refresh tokens are used to fetch new access tokens from the Auth0 server. If false, the legacy technique of using a hidden iframe and the authorization_code grant with prompt=none is used. The default setting is false.

Note: Use of refresh tokens must be enabled by an administrator on your Auth0 client application.

useRefreshTokensFallback?: boolean

If true, fallback to the technique of using a hidden iframe and the authorization_code grant with prompt=none when unable to use refresh tokens. If false, the iframe fallback is not used and errors relating to a failed refresh_token grant should be handled appropriately. The default setting is false.

Note: There might be situations where doing silent auth with a Web Message response from an iframe is not possible, like when you're serving your application from the file system or a custom protocol (like in a Desktop or Native app). In situations like this you can disable the iframe fallback and handle the failed refresh_token grant and prompt the user to login interactively with loginWithRedirect or loginWithPopup."

E.g. Using the file: protocol in an Electron application does not support that legacy technique.


let token: string;
try {
token = await auth0.getTokenSilently();
} catch (e) {
if (e.error === 'missing_refresh_token' || e.error === 'invalid_grant') {
workerUrl?: string

If provided, the SDK will load the token worker from this URL instead of the integrated blob. An example of when this is useful is if you have strict Content-Security-Policy (CSP) and wish to avoid needing to set worker-src: blob:. We recommend either serving the worker, which you can find in the module at <module_path>/dist/auth0-spa-js.worker.production.js, from the same host as your application or using the Auth0 CDN<version>/auth0-spa-js.worker.production.js.

Note: The worker is only used when useRefreshTokens: true, cacheLocation: 'memory', and the cache is not custom.