Interface AuthOptions

An instance of http.Agent or https.Agent to pass to the http.get or https.get method options. Use when behind an http(s) proxy.

Expected JWT "aud" (Audience) Claim value(s). REQUIRED: You can also provide the AUDIENCE environment variable.

Cache configuration for OIDC discovery metadata and JWKS. Caching reduces network requests and improves performance, especially in MCD scenarios with multiple issuers.

Default behavior (if not specified):

• Discovery cache: 100 entries, 10 minute TTL
• JWKS cache: 100 entries, 10 minute TTL

Maximum time (in milliseconds) between successful HTTP requests to the JWKS and Discovery endpoint. Default is 600000 (10 minutes).

Deprecated

Use cache.ttl instead for more granular control

Clock tolerance (in secs) used when validating the exp and iat claim. Defaults to 5 secs.

Duration in ms for which no more HTTP requests to the JWKS Uri endpoint will be triggered after a previous successful fetch. Default is 30000.

Expected JWT "iss" (Issuer) Claim value. REQUIRED (if you don't include {@Link AuthOptions.issuerBaseURL}) You can also provide the ISSUER environment variable.

Base url, used to find the authorization server's app metadata per https://datatracker.ietf.org/doc/html/rfc8414 You can pass a full url including .well-known if your discovery lives at a non standard path. REQUIRED (if you don't include {@Link AuthOptions.jwksUri} and {@Link AuthOptions.issuer}) You can also provide the ISSUER_BASE_URL environment variable.

Url for the authorization server's JWKS to find the public key to verify an Access Token JWT signed with an asymmetric algorithm. REQUIRED (if you don't include {@Link AuthOptions.issuerBaseURL}) You can also provide the JWKS_URI environment variable.

Maximum age (in secs) from when a token was issued to when it can no longer be accepted.

MCD (Multiple Custom Domains) Support: Configure multiple issuers for JWT validation. When present, the SDK operates in MCD mode.

Examples:

• Static issuers: { issuers: ['https://tenant1.auth0.com', 'https://tenant2.auth0.com'] }
• With config: { issuers: [{ issuer: 'https://...', alg: 'RS256' }] }
• Dynamic resolver: { issuers: async (context) => [...] }

Cannot be used with issuerBaseURL.

Secret to verify an Access Token JWT signed with a symmetric algorithm. By default this SDK validates tokens signed with asymmetric algorithms.

If set to true the token validation will strictly follow 'JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens' https://datatracker.ietf.org/doc/html/draft-ietf-oauth-access-token-jwt-12 Defaults to false.

Timeout in ms for HTTP requests to the JWKS and Discovery endpoint. When reached the request will be aborted. Default is 5000.

You must provide this if your tokens are signed with symmetric algorithms and it must be one of HS256, HS384 or HS512. You may provide this if your tokens are signed with asymmetric algorithms and, if provided, it must be one of RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES256K, ES384, ES512 or EdDSA (case-sensitive).

Pass in custom validators to override the existing validation behavior on standard claims or add new validation behavior on custom claims.

 {
   validators: {
     // Disable issuer validation by passing `false`
     iss: false,
     // Add validation for a custom claim to equal a passed in string
     org_id: 'my_org_123'
     // Add validation for a custom claim, by passing in a function that
     // accepts:
     // roles: the value of the claim
     // claims: an object containing the JWTPayload
     // header: an object representing the JWTHeader
     roles: (roles, claims, header) => roles.includes('editor') && claims.isAdmin
   }
 }
Copy