Native to Web SSO Best Practices

For best results when implementing Native to Web SSO, Auth0 recommends adhering to the best practices compiled below. These guidelines can help ensure session integrity:

Use post-login Action triggers to ensure web sessions created through Native to Web SSO are time-boxed appropriately and expire quickly when inactive.  You can use post-login Actions to detect when a session is initiated through a session_transfer_token and apply shorter idle and absolute timeouts:

exports.onExecutePostLogin = async (event, api) => {
  if (event.session_transfer_token) {
    const now = Date.now();

    // Limit the session to 30 minutes total
    api.session.setExpiresAt(now + 30 * 60 * 1000);

    // Set idle timeout to 15 minutes
    api.session.setIdleExpiresAt(now + 15 * 60 * 1000);
  }
};

To reduce the risk of token replay if a token is leaked, logged, or intercepted, always bind the session_transfer_token to the origin environment using enforce_device_binding.

Send the session_transfer_token to the web application using a secure, HTTPOnly cookie scoped to your Auth0 domain to prevent accidental logging or sharing of the token via URLs and to reduce the attack surface for token interception. If you need to use a query parameter (for example, for Chrome Custom Tabs) ensure that the URL uses HTTPS and remove the token from the URL after use.

Only enable allow_refresh_token for web applications that truly need long-lived tokens. In most cases, short-lived access tokens combined with silent authentication are sufficient and safer in browser contexts.

To avoid orphaned credentials and prevent refresh tokens from lingering after logout, use the allow_refresh_token setting to ensure refresh tokens issued via Native to Web SSO are bound to the session that issued them. If the session is revoked or expires, the refresh token is automatically invalidated.