OptionalallowOptionalappThe URL of your application (e.g.: http://localhost:3000).
If it's not specified, it will be loaded from the APP_BASE_URL environment variable.
OptionalauthorizationAdditional parameters to send to the /authorize endpoint.
OptionalbeforeA method to manipulate the session before persisting it.
See beforeSessionSaved for additional details
OptionalclientThe algorithm used to sign the client assertion JWT.
Uses one of token_endpoint_auth_signing_alg_values_supported if not specified.
If the Authorization Server discovery document does not list token_endpoint_auth_signing_alg_values_supported
this property will be required.
OptionalclientPrivate key for use with private_key_jwt clients.
This should be a string that is the contents of a PEM file or a CryptoKey.
OptionalclientThe Auth0 client ID.
If it's not specified, it will be loaded from the AUTH0_CLIENT_ID environment variable.
OptionalclientThe Auth0 client secret.
If it's not specified, it will be loaded from the AUTH0_CLIENT_SECRET environment variable.
OptionaldomainThe Auth0 domain for the tenant (e.g.: example.us.auth0.com).
If it's not specified, it will be loaded from the AUTH0_DOMAIN environment variable.
OptionalenableBoolean value to enable the /auth/access-token endpoint for use in the client app.
Defaults to true.
NOTE: Set this to false if your client does not need to directly interact with resource servers (Token Mediating Backend). This will be false for most apps.
A security best practice is to disable this to avoid exposing access tokens to the client app.
OptionalenableBoolean value to opt-out of sending the library name and version to your authorization server
via the Auth0-Client header. Defaults to true.
OptionalhttpInteger value for the HTTP timeout in milliseconds for authentication requests.
Defaults to 5000 ms.
OptionalonA method to handle errors or manage redirects after attempting to authenticate.
See onCallback for additional details
OptionalpushedIf enabled, the SDK will use the Pushed Authorization Requests (PAR) protocol when communicating with the authorization server.
OptionalroutesConfigure the paths for the authentication routes.
See Custom routes for additional details.
OptionalsecretA 32-byte, hex-encoded secret used for encrypting cookies.
If it's not specified, it will be loaded from the AUTH0_SECRET environment variable.
OptionalsessionConfigure the session timeouts and whether to use rolling sessions or not.
See Session configuration for additional details.
OptionalsessionA custom session store implementation used to persist sessions to a data store.
See Database sessions for additional details.
OptionalsignThe path to redirect the user to after successfully authenticating. Defaults to /.
OptionaltransactionConfigure the transaction cookie used to store the state of the authentication transaction.
Allow insecure requests to be made to the authorization server. This can be useful when testing with a mock OIDC provider that does not support TLS, locally. This option can only be used when NODE_ENV is not set to
production.