@auth0/nextjs-auth0 - v4.11.0
    Preparing search index...

    Interface Auth0ClientOptions

    interface Auth0ClientOptions {
        allowInsecureRequests?: boolean;
        appBaseUrl?: string;
        authorizationParameters?: AuthorizationParameters;
        beforeSessionSaved?: BeforeSessionSavedHook;
        clientAssertionSigningAlg?: string;
        clientAssertionSigningKey?: string | CryptoKey;
        clientId?: string;
        clientSecret?: string;
        domain?: string;
        dpopKeyPair?: DpopKeyPair;
        dpopOptions?: DpopOptions;
        enableAccessTokenEndpoint?: boolean;
        enableConnectAccountEndpoint?: boolean;
        enableParallelTransactions?: boolean;
        enableTelemetry?: boolean;
        httpTimeout?: number;
        includeIdTokenHintInOIDCLogoutUrl?: boolean;
        logoutStrategy?: LogoutStrategy;
        noContentProfileResponseWhenUnauthenticated?: boolean;
        onCallback?: OnCallbackHook;
        pushedAuthorizationRequests?: boolean;
        routes?: Partial<
            Pick<
                Routes,
                "login"
                | "callback"
                | "logout"
                | "backChannelLogout"
                | "connectAccount",
            >,
        >;
        secret?: string;
        session?: SessionConfiguration;
        sessionStore?: SessionDataStore;
        signInReturnToPath?: string;
        transactionCookie?: TransactionCookieOptions;
        useDPoP?: boolean;
    }
    Index

    Properties

    allowInsecureRequests?: boolean

    Allow insecure requests to be made to the authorization server. This can be useful when testing with a mock OIDC provider that does not support TLS, locally. This option can only be used when NODE_ENV is not set to production.

    appBaseUrl?: string

    The URL of your application (e.g.: http://localhost:3000).

    If it's not specified, it will be loaded from the APP_BASE_URL environment variable.

    authorizationParameters?: AuthorizationParameters

    Additional parameters to send to the /authorize endpoint.

    beforeSessionSaved?: BeforeSessionSavedHook

    A method to manipulate the session before persisting it.

    See beforeSessionSaved for additional details

    clientAssertionSigningAlg?: string

    The algorithm used to sign the client assertion JWT. Uses one of token_endpoint_auth_signing_alg_values_supported if not specified. If the Authorization Server discovery document does not list token_endpoint_auth_signing_alg_values_supported this property will be required.

    clientAssertionSigningKey?: string | CryptoKey

    Private key for use with private_key_jwt clients. This should be a string that is the contents of a PEM file or a CryptoKey.

    clientId?: string

    The Auth0 client ID.

    If it's not specified, it will be loaded from the AUTH0_CLIENT_ID environment variable.

    clientSecret?: string

    The Auth0 client secret.

    If it's not specified, it will be loaded from the AUTH0_CLIENT_SECRET environment variable.

    domain?: string

    The Auth0 domain for the tenant (e.g.: example.us.auth0.com).

    If it's not specified, it will be loaded from the AUTH0_DOMAIN environment variable.

    dpopKeyPair?: DpopKeyPair

    ES256 key pair for DPoP proof generation.

    If not provided when useDPoP is true, the SDK will attempt to load keys from environment variables AUTH0_DPOP_PUBLIC_KEY and AUTH0_DPOP_PRIVATE_KEY. Keys must be in PEM format and use the P-256 elliptic curve.

    import { generateKeyPair } from "oauth4webapi";

    const keyPair = await generateKeyPair("ES256");

    const auth0 = new Auth0Client({
    useDPoP: true,
    dpopKeyPair: keyPair
    });
    import { importSPKI, importPKCS8 } from "jose";
    import { readFileSync } from "fs";

    const publicKeyPem = readFileSync("dpop-public.pem", "utf8");
    const privateKeyPem = readFileSync("dpop-private.pem", "utf8");

    const auth0 = new Auth0Client({
    useDPoP: true,
    dpopKeyPair: {
    publicKey: await importSPKI(publicKeyPem, "ES256"),
    privateKey: await importPKCS8(privateKeyPem, "ES256")
    }
    });
    • DpopKeyPair for the key pair interface
    • generateDpopKeyPair for generating new key pairs
    dpopOptions?: DpopOptions

    Configuration options for DPoP timing validation and retry behavior.

    These options control how the SDK validates DPoP proof timing and handles nonce errors. Proper configuration is important for both security and reliability.

    const auth0 = new Auth0Client({
    useDPoP: true,
    dpopOptions: {
    clockTolerance: 60, // Allow 60 seconds clock difference
    clockSkew: 0, // No clock adjustment needed
    retry: {
    delay: 200, // 200ms delay before retry
    jitter: true // Add randomness to prevent thundering herd
    }
    }
    });
    # .env.local
    AUTH0_DPOP_CLOCK_SKEW=0
    AUTH0_DPOP_CLOCK_TOLERANCE=30
    AUTH0_RETRY_DELAY=100
    AUTH0_RETRY_JITTER=true

    DpopOptions for detailed option descriptions

    enableAccessTokenEndpoint?: boolean

    Boolean value to enable the /auth/access-token endpoint for use in the client app.

    Defaults to true.

    NOTE: Set this to false if your client does not need to directly interact with resource servers (Token Mediating Backend). This will be false for most apps.

    A security best practice is to disable this to avoid exposing access tokens to the client app.

    See: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps#name-token-mediating-backend

    enableConnectAccountEndpoint?: boolean

    If true, the /auth/connect endpoint will be mounted to enable users to connect additional accounts.

    enableParallelTransactions?: boolean
    enableTelemetry?: boolean

    Boolean value to opt-out of sending the library name and version to your authorization server via the Auth0-Client header. Defaults to true.

    httpTimeout?: number

    Integer value for the HTTP timeout in milliseconds for authentication requests. Defaults to 5000 ms.

    includeIdTokenHintInOIDCLogoutUrl?: boolean

    Configure whether to include id_token_hint in OIDC logout URLs.

    Recommended (default): Set to true to include id_token_hint parameter. Auth0 recommends using id_token_hint for secure logout as per the OIDC specification.

    Alternative approach: Set to false if your application cannot securely store ID tokens. When disabled, only logout_hint (session ID), client_id, and post_logout_redirect_uri are sent.

    logoutStrategy?: LogoutStrategy

    Configure the logout strategy to use.

    • 'auto' (default): Attempts OIDC RP-Initiated Logout first, falls back to /v2/logout if not supported
    • 'oidc': Always uses OIDC RP-Initiated Logout (requires RP-Initiated Logout to be enabled)
    • 'v2': Always uses the Auth0 /v2/logout endpoint (supports wildcards in allowed logout URLs)
    noContentProfileResponseWhenUnauthenticated?: boolean

    If true, the profile endpoint will return a 204 No Content response when the user is not authenticated instead of returning a 401 Unauthorized response.

    Defaults to false.

    onCallback?: OnCallbackHook

    A method to handle errors or manage redirects after attempting to authenticate.

    See onCallback for additional details

    pushedAuthorizationRequests?: boolean

    If enabled, the SDK will use the Pushed Authorization Requests (PAR) protocol when communicating with the authorization server.

    routes?: Partial<
        Pick<
            Routes,
            "login"
            | "callback"
            | "logout"
            | "backChannelLogout"
            | "connectAccount",
        >,
    >

    Configure the paths for the authentication routes.

    See Custom routes for additional details.

    secret?: string

    A 32-byte, hex-encoded secret used for encrypting cookies.

    If it's not specified, it will be loaded from the AUTH0_SECRET environment variable.

    Configure the session timeouts and whether to use rolling sessions or not.

    See Session configuration for additional details.

    sessionStore?: SessionDataStore

    A custom session store implementation used to persist sessions to a data store.

    See Database sessions for additional details.

    signInReturnToPath?: string

    The path to redirect the user to after successfully authenticating. Defaults to /.

    transactionCookie?: TransactionCookieOptions

    Configure the transaction cookie used to store the state of the authentication transaction.

    useDPoP?: boolean

    Enable DPoP (Demonstrating Proof-of-Possession) for enhanced OAuth 2.0 security.

    When enabled, the SDK will:

    • Generate DPoP proofs for token requests and protected resource requests
    • Bind access tokens cryptographically to the client's key pair
    • Prevent token theft and replay attacks
    • Handle DPoP nonce errors with automatic retry logic

    DPoP requires an ES256 key pair that can be provided via dpopKeyPair option or loaded from environment variables AUTH0_DPOP_PUBLIC_KEY and AUTH0_DPOP_PRIVATE_KEY.

    false
    
    import { generateKeyPair } from "oauth4webapi";

    const dpopKeyPair = await generateKeyPair("ES256");

    const auth0 = new Auth0Client({
    useDPoP: true,
    dpopKeyPair
    });
    // .env.local
    // AUTH0_DPOP_PUBLIC_KEY="-----BEGIN PUBLIC KEY-----..."
    // AUTH0_DPOP_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----..."

    const auth0 = new Auth0Client({
    useDPoP: true
    // Keys loaded automatically from environment
    });