Class Auth0Client

constructor

• new Auth0Client(options): Auth0Client

• Parameters

  • options: Auth0ClientOptions

  Returns Auth0Client

Readonly mfa

checkSession

• checkSession(options?): Promise<void>

• await auth0.checkSession();
  Copy

  Check if the user is logged in using getTokenSilently. The difference with getTokenSilently is that this doesn't return a token, but it will pre-fill the token cache.

  This method also heeds the auth0.{clientId}.is.authenticated cookie, as an optimization to prevent calling Auth0 unnecessarily. If the cookie is not present because there was no previous login (or it has expired) then tokens will not be refreshed.

  It should be used for silently logging in the user when you instantiate the Auth0Client constructor. You should not need this if you are using the createAuth0Client factory.

  Note: the cookie may not be present if running an app using a private tab, as some browsers clear JS cookie data and local storage when the tab or page is closed, or on page reload. This effectively means that checkSession could silently return without authenticating the user on page refresh when using a private tab, despite having previously logged in. As a workaround, use getTokenSilently instead and handle the possible login_required error as shown in the readme.

  Parameters

  • Optional options: GetTokenSilentlyOptions

  Returns Promise<void>

connectAccountWithRedirect

• connectAccountWithRedirect<TAppState>(options): Promise<void>

• Initiates a redirect to connect the user's account with a specified connection. This method generates PKCE parameters, creates a transaction, and redirects to the /connect endpoint.

  You must enable Offline Access from the Connection Permissions settings to be able to use the connection with Connected Accounts.

  Type Parameters

  • TAppState = any

    The application state to persist through the transaction.

  Parameters

  • options: RedirectConnectAccountOptions<TAppState>

    Options for the connect account redirect flow.

  Returns Promise<void>

  Resolves when the redirect is initiated.

  Throws

  If the connect request to the My Account API fails.

createFetcher

• createFetcher<TOutput>(config?): Fetcher<TOutput>

• Returns a new Fetcher class that will contain a fetchWithAuth() method. This is a drop-in replacement for the Fetch API's fetch() method, but will handle certain authentication logic for you, like building the proper auth headers or managing DPoP nonces and retries automatically.

  Check the EXAMPLES.md file for a deeper look into this method.

  Type Parameters

  • TOutput extends CustomFetchMinimalOutput = Response

  Parameters

  • config: FetcherConfig<TOutput> = {}

  Returns Fetcher<TOutput>

exchangeToken

• exchangeToken(options): Promise<TokenEndpointResponse>

• Parameters

  • options: CustomTokenExchangeOptions

    The options required to perform the token exchange.

  Returns Promise<TokenEndpointResponse>

  A promise that resolves to the token endpoint response.

  Example:

  // Instead of:
  const tokens = await auth0.exchangeToken(options);
  
  // Use:
  const tokens = await auth0.loginWithCustomTokenExchange(options);
  Copy

  Deprecated

  Use loginWithCustomTokenExchange() instead. This method will be removed in the next major version.

  Exchanges an external subject token for Auth0 tokens.

generateDpopProof

• generateDpopProof(params): Promise<string>

• Returns a string to be used to demonstrate possession of the private key used to cryptographically bind access tokens with DPoP.

  It requires enabling the Auth0ClientOptions.useDpop option.

  Parameters

  • params: {
        accessToken: string;
        method: string;
        nonce?: string;
        url: string;
    }

    • accessToken: string

    • method: string

    • Optional nonce?: string

    • url: string

  Returns Promise<string>

getConfiguration

• getConfiguration(): Readonly<ClientConfiguration>

• Returns a readonly copy of the initialization configuration.

  Returns Readonly<ClientConfiguration>

  An object containing domain and clientId

  Example

  const auth0 = new Auth0Client({
    domain: 'tenant.auth0.com',
    clientId: 'abc123'
  });
  
  const config = auth0.getConfiguration();
  // { domain: 'tenant.auth0.com', clientId: 'abc123' }
  Copy

getDpopNonce

• getDpopNonce(id?): Promise<undefined | string>

• Returns the current DPoP nonce used for making requests to Auth0.

  It can return undefined because when starting fresh it will not be populated until after the first response from the server.

  It requires enabling the Auth0ClientOptions.useDpop option.

  Parameters

  • Optional id: string

    The identifier of a nonce: if absent, it will get the nonce used for requests to Auth0. Otherwise, it will be used to select a specific non-Auth0 nonce.

  Returns Promise<undefined | string>

getIdTokenClaims

• getIdTokenClaims(): Promise<undefined | IdToken>

• const claims = await auth0.getIdTokenClaims();
  Copy

  Returns all claims from the id_token if available.

  Returns Promise<undefined | IdToken>

getTokenSilently

• getTokenSilently(options): Promise<GetTokenSilentlyVerboseResponse>

• Fetches a new access token and returns the response from the /oauth/token endpoint, omitting the refresh token.

  Parameters

  • options: GetTokenSilentlyOptions & {
        detailedResponse: true;
    }

  Returns Promise<GetTokenSilentlyVerboseResponse>
• getTokenSilently(options?): Promise<string>

• Fetches a new access token and returns it.

  Parameters

  • Optional options: GetTokenSilentlyOptions

  Returns Promise<string>

getTokenWithPopup

• getTokenWithPopup(options?, config?): Promise<undefined | string>

• const token = await auth0.getTokenWithPopup(options);
  Copy

  Opens a popup with the /authorize URL using the parameters provided as arguments. Random and secure state and nonce parameters will be auto-generated. If the response is successful, results will be valid according to their expiration times.

  Parameters

  • options: GetTokenWithPopupOptions = {}
  • config: PopupConfigOptions = {}

  Returns Promise<undefined | string>

getUser

• getUser<TUser>(): Promise<undefined | TUser>

• const user = await auth0.getUser();
  Copy

  Returns the user information if available (decoded from the id_token).

  Type Parameters

  • TUser extends User<TUser>

  Returns Promise<undefined | TUser>

  Typeparam

  TUser The type to return, has to extend User.

handleRedirectCallback

• handleRedirectCallback<TAppState>(url?): Promise<RedirectLoginResult<TAppState> | ConnectAccountRedirectResult<TAppState>>

• After the browser redirects back to the callback page, call handleRedirectCallback to handle success and error responses from Auth0. If the response is successful, results will be valid according to their expiration times.

  Type Parameters

  • TAppState = any

  Parameters

  • url: string = window.location.href

  Returns Promise<RedirectLoginResult<TAppState> | ConnectAccountRedirectResult<TAppState>>

isAuthenticated

• isAuthenticated(): Promise<boolean>

• const isAuthenticated = await auth0.isAuthenticated();
  Copy

  Returns true if there's valid information stored, otherwise returns false.

  Returns Promise<boolean>

loginWithCustomTokenExchange

• loginWithCustomTokenExchange(options): Promise<TokenEndpointResponse>

• await auth0.loginWithCustomTokenExchange(options);
  Copy

  Exchanges an external subject token for Auth0 tokens and logs the user in. This method implements the Custom Token Exchange grant as specified in RFC 8693.

  The exchanged tokens are automatically cached, establishing an authenticated session. After calling this method, you can use getUser(), getIdTokenClaims(), and getTokenSilently() to access the user's information and tokens.

  Parameters

  • options: CustomTokenExchangeOptions

    The options required to perform the token exchange.

  Returns Promise<TokenEndpointResponse>

  A promise that resolves to the token endpoint response, which contains the issued Auth0 tokens (access_token, id_token, etc.).

  The request includes the following parameters:

  • grant_type: "urn:ietf:params:oauth:grant-type:token-exchange"
  • subject_token: The external token to exchange
  • subject_token_type: The type identifier of the external token
  • scope: Merged scopes from the request and SDK defaults
  • audience: Target audience (defaults to SDK configuration)
  • organization: Optional organization ID/name for org-scoped authentication

  Example Usage:

  const options = {
    subject_token: 'eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp...',
    subject_token_type: 'urn:acme:legacy-system-token',
    scope: 'openid profile email',
    audience: 'https://api.example.com',
    organization: 'org_12345'
  };
  
  try {
    const tokenResponse = await auth0.loginWithCustomTokenExchange(options);
    console.log('Access token:', tokenResponse.access_token);
  
    // User is now logged in - access user info
    const user = await auth0.getUser();
    console.log('Logged in user:', user);
  } catch (error) {
    console.error('Token exchange failed:', error);
  }
  Copy

loginWithPopup

• loginWithPopup(options?, config?): Promise<void>

• try {
   await auth0.loginWithPopup(options);
  } catch(e) {
   if (e instanceof PopupCancelledError) {
     // Popup was closed before login completed
   }
  }
  Copy

  Opens a popup with the /authorize URL using the parameters provided as arguments. Random and secure state and nonce parameters will be auto-generated. If the response is successful, results will be valid according to their expiration times.

  IMPORTANT: This method has to be called from an event handler that was started by the user like a button click, for example, otherwise the popup will be blocked in most browsers.

  Parameters

  • Optional options: PopupLoginOptions
  • Optional config: PopupConfigOptions

  Returns Promise<void>

loginWithRedirect

• loginWithRedirect<TAppState>(options?): Promise<void>

• await auth0.loginWithRedirect(options);
  Copy

  Performs a redirect to /authorize using the parameters provided as arguments. Random and secure state and nonce parameters will be auto-generated.

  Type Parameters

  • TAppState = any

  Parameters

  • options: RedirectLoginOptions<TAppState> = {}

  Returns Promise<void>

logout

• logout(options?): Promise<void>

• await auth0.logout(options);
  Copy

  Clears the application session and performs a redirect to /v2/logout, using the parameters provided as arguments, to clear the Auth0 session.

  If the federated option is specified it also clears the Identity Provider session. Read more about how Logout works at Auth0.

  Parameters

  • options: LogoutOptions = {}

  Returns Promise<void>

setDpopNonce

• setDpopNonce(nonce, id?): Promise<void>

• Sets the current DPoP nonce used for making requests to Auth0.

  It requires enabling the Auth0ClientOptions.useDpop option.

  Parameters

  • nonce: string

    The nonce value.
  • Optional id: string

    The identifier of a nonce: if absent, it will set the nonce used for requests to Auth0. Otherwise, it will be used to select a specific non-Auth0 nonce.

  Returns Promise<void>