Security Advice for Customers

Auth0 recommends the following practices to help ensure the security of your end users' data and minimize the probability of a data breach:

  • Protect client secrets and keys
  • Protect Management Dashboard credentials, and require multi-factor authentication for access to the Dashboard
  • Review the list of administrators for the Dashboard on a regular basis and remove outdated entries
  • Review the list of connections and applications associated with your Auth0 tenants and remove outdated entries
  • Ensure that Dashboard administrators use corporate credentials that can be easily revoked if necessary, not personal credentials such as a personal email account
  • Remove accounts for terminated employees promptly
  • Ensure that administrators use devices with mandatory screen locking
  • Provide regular training to all Dashboard administrators and developers on security and privacy best practices

Make sure that you monitor any Auth0 extensions you use to send log data to logging tools with reporting capability.