This is the flow that regular web apps use to access an API.
Use this endpoint to exchange an Authorization Code for a Token.
See: https://auth0.com/docs/api/authentication#authorization-code-flow
PKCE was originally designed to protect the authorization code flow in mobile apps, but its ability to prevent authorization code injection makes it useful for every type of OAuth client, even web apps that use client authentication.
See: https://auth0.com/docs/api/authentication#authorization-code-flow-with-pkce
This is the OAuth 2.0 grant that server processes use to access an API.
Use this endpoint to directly request an Access Token by using the Client's credentials (a Client ID and a Client Secret or a Client Assertion).
See: https://auth0.com/docs/api/authentication#client-credentials-flow
This is the OAuth 2.0 extension that allows a client to initiate an OAuth flow from the back channel instead of by building a URL.
This information is typically received from a highly trusted public client like a SPA*. (*Note: For single-page applications and native/mobile apps, we recommend using web flows instead.)
See: https://auth0.com/docs/api/authentication#resource-owner-password
const { AuthenticationApi } = require('auth0'); // assumes the package exports AuthenticationApi, as used on this page

// Client credentials for the tenant; placeholder values.
const auth0 = new AuthenticationApi({
  domain: 'my-domain.auth0.com',
  clientId: 'myClientId',
  clientSecret: 'myClientSecret'
});

// Resource Owner Password grant; the second argument passes per-request overrides.
await auth0.oauth.passwordGrant(
  {
    username: 'myusername@example.com',
    password: 'mypassword'
  },
  // Forward the end user's IP so brute-force protection applies to the real caller, not to this server.
  { initOverrides: { headers: { 'auth0-forwarded-for': 'END.USER.IP.123' } } }
);
Set the 'auth0-forwarded-for' header to the end-user IP as a string value if you want brute-force protection to work in server-side scenarios.
Use this endpoint to refresh an Access Token using the Refresh Token you got during authorization.
See: https://auth0.com/docs/api/authentication#refresh-token
Use this endpoint to invalidate a Refresh Token if it has been compromised.
The behaviour of this endpoint depends on the state of the Refresh Token Revocation Deletes Grant toggle. If this toggle is enabled, then each revocation request invalidates not only the specific token, but all other tokens based on the same authorization grant. This means that all Refresh Tokens that have been issued for the same user, application, and audience will be revoked. If this toggle is disabled, then only the refresh token is revoked, while the grant is left intact.
See: https://auth0.com/docs/api/authentication#revoke-refresh-token
Exchanges a subject token for an access token for the connection.
The request body includes:
grant_type set to urn:auth0:params:oauth:grant-type:token-exchange:federated-connection-access-token
subject_token_type set to urn:ietf:params:oauth:token-type:refresh_token
requested_token_type set to http://auth0.com/oauth/token-type/federated-connection-access-token, indicating that a federated connection access token is desired
login_hint, if provided
Takes the options to retrieve a token for a connection and returns a promise with the token response data.
OAuth 2.0 flows.