How it works
Google One Tap uses the Federated Credential Management (FedCM) API, a browser-native authentication standard that does not rely on third-party cookies or page redirects.- A user navigates to your Universal Login page with an active Google session in their browser.
- Universal Login detects the active Google session and displays the Google One Tap overlay.
- The user selects their Google account from the prompt.
- Google returns a signed ID token to Universal Login.
- Auth0 validates the ID token against the Google social connection configured for your tenant.
- Auth0 creates or updates the user profile and issues Auth0 tokens.
- Auth0 redirects the user to your application.
Before you start
- You must enable and configure Universal Login for your tenant. Google One Tap is not supported in the Classic Login experience. To learn more, read Universal Login vs. Classic Login.
- You must create and configure a Google social connection (
google-oauth2) in your tenant. To learn more, read Add Google Login to Your App.
Enable Google One Tap
Enable Google One Tap on individual applications with Auth0 Dashboard, the Management API, or an Auth0 SDK.- Auth0 Dashboard
- Management API
- Auth0 SDKs
- Navigate to Auth0 Dashboard > Applications.
- Create a new application or choose an existing application to use with Google One Tap.
- Under Settings, search for Social Login and toggle on Allow Google One Tap.

- Select Save.
- Navigate to Auth0 Dashboard > Authentication > Social.
- Create a new Google social connection or select your existing
google-oauth2connection. - Under the connection settings:
- Under the Settings tab, verify your Google Client ID and Client Secret. You cannot use Auth0 developer keys with the One Tap integration.
- Under the Applications tab, verify the application you want to use for One Tap is toggled on.
- Select Save.
Considerations
Advanced Customizations for Universal Login (ACUL)
ACUL customization applies to Google One Tap. If you have customized thelogin,login-id,signup, or signup-id screens, your configurations apply. To learn more about ACUL, read Configure ACUL.
Multi-factor authentication (MFA)
If your tenant or connection policy requires multi-factor authentication (MFA), Google One Tap completes the first authentication factor using the Google ID token. Auth0 then presents the standard Universal Login MFA challenge screen for the second factor. Users complete MFA as part of the Universal Login flow.Enterprise connections
You can only use Google One Tap if you use a Google social connection (google-oauth2). It does not apply to Google Workspace enterprise connections. If your tenant uses Home Realm Discovery to route users with a corporate Google domain to an enterprise connection, that routing is unaffected.
Browser support
Google One Tap requires browser support for the FedCM API. Auth0 passes"itp_support: true" to the One Tap library by default. It is supported in Chrome and Chromium-based browsers. When browsers, such as iOS and Firefox, do not support FedCM, a different UX is provided.