Interface Auth0ClientOptions

Allow insecure requests to be made to the authorization server. This can be useful when testing with a mock OIDC provider that does not support TLS, locally. This option can only be used when NODE_ENV is not set to production.

The URL of your application (e.g.: http://localhost:3000).

If it's not specified, it will be loaded from the APP_BASE_URL environment variable.

Additional parameters to send to the /authorize endpoint.

A method to manipulate the session before persisting it.

See beforeSessionSaved for additional details

The algorithm used to sign the client assertion JWT. Uses one of token_endpoint_auth_signing_alg_values_supported if not specified. If the Authorization Server discovery document does not list token_endpoint_auth_signing_alg_values_supported this property will be required.

Private key for use with private_key_jwt clients. This should be a string that is the contents of a PEM file or a CryptoKey.

The Auth0 client ID.

If it's not specified, it will be loaded from the AUTH0_CLIENT_ID environment variable.

The Auth0 client secret.

If it's not specified, it will be loaded from the AUTH0_CLIENT_SECRET environment variable.

The Auth0 domain for the tenant (e.g.: example.us.auth0.com).

If it's not specified, it will be loaded from the AUTH0_DOMAIN environment variable.

Boolean value to enable the /auth/access-token endpoint for use in the client app.

Defaults to true.

NOTE: Set this to false if your client does not need to directly interact with resource servers (Token Mediating Backend). This will be false for most apps.

A security best practice is to disable this to avoid exposing access tokens to the client app.

See: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps#name-token-mediating-backend

Boolean value to opt-out of sending the library name and version to your authorization server via the Auth0-Client header. Defaults to true.

Integer value for the HTTP timeout in milliseconds for authentication requests. Defaults to 5000 ms.

Configure whether to include id_token_hint in OIDC logout URLs.

Recommended (default): Set to true to include id_token_hint parameter. Auth0 recommends using id_token_hint for secure logout as per the OIDC specification.

Alternative approach: Set to false if your application cannot securely store ID tokens. When disabled, only logout_hint (session ID), client_id, and post_logout_redirect_uri are sent.

Configure the logout strategy to use.

• 'auto' (default): Attempts OIDC RP-Initiated Logout first, falls back to /v2/logout if not supported
• 'oidc': Always uses OIDC RP-Initiated Logout (requires RP-Initiated Logout to be enabled)
• 'v2': Always uses the Auth0 /v2/logout endpoint (supports wildcards in allowed logout URLs)

If true, the profile endpoint will return a 204 No Content response when the user is not authenticated instead of returning a 401 Unauthorized response.

Defaults to false.

A method to handle errors or manage redirects after attempting to authenticate.

See onCallback for additional details

If enabled, the SDK will use the Pushed Authorization Requests (PAR) protocol when communicating with the authorization server.

Configure the paths for the authentication routes.

See Custom routes for additional details.

A 32-byte, hex-encoded secret used for encrypting cookies.

If it's not specified, it will be loaded from the AUTH0_SECRET environment variable.

Configure the session timeouts and whether to use rolling sessions or not.

See Session configuration for additional details.

A custom session store implementation used to persist sessions to a data store.

See Database sessions for additional details.

The path to redirect the user to after successfully authenticating. Defaults to /.

Configure the transaction cookie used to store the state of the authentication transaction.