Call Your API from Your Native/Mobile App

Everything you need to know to call your API from your native/mobile app

Using Auth0 in your applications means that you will be "outsourcing" the authentication process to a centralized login page in the same way that Gmail, YouTube, and any other Google property redirects to accounts.google.com whenever a user signs in.

Your user will authenticate, and Auth0 will generate an ID Token and Access Token that will be passed back to your application. The Access Token can then be used to call your API.

How it works

In a native/mobile application, the default experience will open a SafariViewController in iOS or a Custom Chrome Tab in Android.

When your app needs to fetch user data from your API:

  1. If the user is not already authenticated, our SDK redirects the user to your Auth0 Authorization Server.
  2. The user authenticates with Auth0 using one of your configured login options (e.g., username/password, social identity provider, SAML).
  3. Your app requests an ID Token, Access Token, and Refresh Token.
  4. Auth0 responds with the requested tokens.
  5. The Access Token can be used to call your API and retrieve requested data.

For security in native/mobile devices, Auth0 uses the Authorization Code Flow with Proof Key for Code Exchange (PKCE).

Flow Overview for Native/Mobile Apps

Implementation overview

  1. Configure the sign-in methods

    Auth0 supports a wide range of authentication methods: regular username/password (users can be stored in Auth0 or your own database), social (i.e., Google, Facebook, and 50+ other providers), passwordless (email magic link, email code, and phone code), and enterprise (e.g., SAML-based, ADFS, Ping, Okta).

    Go to the dashboard and turn on the methods you want to allow; they will automatically show up in the login/sign-up page. By default, email/password and Google are enabled.
  2. Customize the sign-in UI (optional)

    The default experience is demonstrated in the image below and can be completely customized in the dashboard, from changing the logo and primary colors to completely overriding it with your own login screen.

    Default Login Screen for Native/Mobile Apps
  3. Use an SDK for your chosen platform to trigger the flow

    An open-source OpenID Connect (OIDC) SDK for your chosen platform can redirect to the Auth0 Universal Login page and handle the response, validating the ID Token.

    Your app can store the ID Token. Follow one of our Regular Web App Quickstarts to get started with the integration.

  1. Configure your API

    Once you have created your API, you will need to configure any scopes that applications can request during authorization.
  2. Get an Access Token

    Your app requests an Access Token (and optionally, a Refresh Token) from your Auth0 Authorization Server using the Authorization Code Flow with PKCE.
  3. Call your API

    When your app calls your API, it includes the retrieved Access Token in the HTTP Authorization header.
  4. Refresh your Access Token

    When the Access Token expires you can use the Refresh Token to get a new one from your Auth0 Authorization Server.

The easiest way to implement the Authorization Code Flow with PKCE is to follow our Mobile/Native Quickstarts.

You can also use our mobile SDKs:

Finally, to use our API endpoints, you can follow our tutorial: Call Your API Using the Authorization Code Flow with PKCE.
