OptionalallowOptionalappThe URL of your application (e.g.: http://localhost:3000).
If it's not specified, it will be loaded from the APP_BASE_URL environment variable.
OptionalauthorizationAdditional parameters to send to the /authorize endpoint.
OptionalbeforeA method to manipulate the session before persisting it.
See beforeSessionSaved for additional details
OptionalclientThe algorithm used to sign the client assertion JWT.
Uses one of token_endpoint_auth_signing_alg_values_supported if not specified.
If the Authorization Server discovery document does not list token_endpoint_auth_signing_alg_values_supported
this property will be required.
OptionalclientPrivate key for use with private_key_jwt clients.
This should be a string that is the contents of a PEM file or a CryptoKey.
OptionalclientThe Auth0 client ID.
If it's not specified, it will be loaded from the AUTH0_CLIENT_ID environment variable.
OptionalclientThe Auth0 client secret.
If it's not specified, it will be loaded from the AUTH0_CLIENT_SECRET environment variable.
OptionaldomainThe Auth0 domain for the tenant (e.g.: example.us.auth0.com).
If it's not specified, it will be loaded from the AUTH0_DOMAIN environment variable.
OptionaldpopES256 key pair for DPoP proof generation.
If not provided when useDPoP is true, the SDK will attempt to load keys from
environment variables AUTH0_DPOP_PUBLIC_KEY and AUTH0_DPOP_PRIVATE_KEY.
Keys must be in PEM format and use the P-256 elliptic curve.
import { generateKeyPair } from "oauth4webapi";
const keyPair = await generateKeyPair("ES256");
const auth0 = new Auth0Client({
useDPoP: true,
dpopKeyPair: keyPair
});
import { importSPKI, importPKCS8 } from "jose";
import { readFileSync } from "fs";
const publicKeyPem = readFileSync("dpop-public.pem", "utf8");
const privateKeyPem = readFileSync("dpop-private.pem", "utf8");
const auth0 = new Auth0Client({
useDPoP: true,
dpopKeyPair: {
publicKey: await importSPKI(publicKeyPem, "ES256"),
privateKey: await importPKCS8(privateKeyPem, "ES256")
}
});
OptionaldpopConfiguration options for DPoP timing validation and retry behavior.
These options control how the SDK validates DPoP proof timing and handles nonce errors. Proper configuration is important for both security and reliability.
const auth0 = new Auth0Client({
useDPoP: true,
dpopOptions: {
clockTolerance: 60, // Allow 60 seconds clock difference
clockSkew: 0, // No clock adjustment needed
retry: {
delay: 200, // 200ms delay before retry
jitter: true // Add randomness to prevent thundering herd
}
}
});
OptionalenableBoolean value to enable the /auth/access-token endpoint for use in the client app.
Defaults to true.
NOTE: Set this to false if your client does not need to directly interact with resource servers (Token Mediating Backend). This will be false for most apps.
A security best practice is to disable this to avoid exposing access tokens to the client app.
OptionalenableIf true, the /auth/connect endpoint will be mounted to enable users to connect additional accounts.
OptionalenableOptionalenableBoolean value to opt-out of sending the library name and version to your authorization server
via the Auth0-Client header. Defaults to true.
OptionalhttpInteger value for the HTTP timeout in milliseconds for authentication requests.
Defaults to 5000 ms.
OptionalincludeConfigure whether to include id_token_hint in OIDC logout URLs.
Recommended (default): Set to true to include id_token_hint parameter.
Auth0 recommends using id_token_hint for secure logout as per the
OIDC specification.
Alternative approach: Set to false if your application cannot securely
store ID tokens. When disabled, only logout_hint (session ID), client_id,
and post_logout_redirect_uri are sent.
OptionallogoutConfigure the logout strategy to use.
'auto' (default): Attempts OIDC RP-Initiated Logout first, falls back to /v2/logout if not supported'oidc': Always uses OIDC RP-Initiated Logout (requires RP-Initiated Logout to be enabled)'v2': Always uses the Auth0 /v2/logout endpoint (supports wildcards in allowed logout URLs)OptionalnoIf true, the profile endpoint will return a 204 No Content response when the user is not authenticated instead of returning a 401 Unauthorized response.
Defaults to false.
OptionalonA method to handle errors or manage redirects after attempting to authenticate.
See onCallback for additional details
OptionalpushedIf enabled, the SDK will use the Pushed Authorization Requests (PAR) protocol when communicating with the authorization server.
OptionalroutesConfigure the paths for the authentication routes.
See Custom routes for additional details.
OptionalsecretA 32-byte, hex-encoded secret used for encrypting cookies.
If it's not specified, it will be loaded from the AUTH0_SECRET environment variable.
OptionalsessionConfigure the session timeouts and whether to use rolling sessions or not.
See Session configuration for additional details.
OptionalsessionA custom session store implementation used to persist sessions to a data store.
See Database sessions for additional details.
OptionalsignThe path to redirect the user to after successfully authenticating. Defaults to /.
OptionaltransactionConfigure the transaction cookie used to store the state of the authentication transaction.
OptionaluseEnable DPoP (Demonstrating Proof-of-Possession) for enhanced OAuth 2.0 security.
When enabled, the SDK will:
DPoP requires an ES256 key pair that can be provided via dpopKeyPair option
or loaded from environment variables AUTH0_DPOP_PUBLIC_KEY and AUTH0_DPOP_PRIVATE_KEY.
import { generateKeyPair } from "oauth4webapi";
const dpopKeyPair = await generateKeyPair("ES256");
const auth0 = new Auth0Client({
useDPoP: true,
dpopKeyPair
});
Allow insecure requests to be made to the authorization server. This can be useful when testing with a mock OIDC provider that does not support TLS, locally. This option can only be used when NODE_ENV is not set to
production.