|
| 1 | +--- |
| 2 | +title: "Auth0" |
| 3 | +description: "Use Auth0 as a User Source so people who already sign in with their Auth0 account can sign in to your MCP Gateways" |
| 4 | +--- |
| 5 | + |
| 6 | +import Image from "next/image"; |
| 7 | +import { Steps } from "nextra/components"; |
| 8 | + |
| 9 | +export const IMAGE_SCALE_FACTOR = 2; |
| 10 | +export const AUTH0_SCREENSHOT_WIDTH = 1552 / IMAGE_SCALE_FACTOR; |
| 11 | +export const AUTH0_SCREENSHOT_HEIGHT = 1099 / IMAGE_SCALE_FACTOR; |
| 12 | + |
| 13 | +# Auth0 |
| 14 | + |
| 15 | +Use Auth0 as a User Source so the people who already sign in through your Auth0 tenant can sign in to your MCP Gateways. This guide walks you through what to do in the Auth0 dashboard. Once you have the values it tells you to copy, [create the User Source in Arcade](/guides/user-sources#create-a-user-source). |
| 16 | + |
| 17 | +## Before you start |
| 18 | + |
| 19 | +- An Auth0 account with permission to create applications in your tenant, typically the **Admin** role. |
| 20 | +- An Arcade project where you'll create the User Source. |
| 21 | + |
| 22 | +## Register an application in Auth0 |
| 23 | + |
| 24 | +<Steps> |
| 25 | + |
| 26 | +### Open the Auth0 dashboard |
| 27 | + |
| 28 | +Sign in to your [Auth0 dashboard](https://manage.auth0.com/). |
| 29 | + |
| 30 | +Go to **Applications** → **Applications**, then click **Create Application**. |
| 31 | + |
| 32 | +### Choose Regular Web Application |
| 33 | + |
| 34 | +In the **Create application** dialog, give the application a name your team will recognize, for example `Arcade User Source`. Under **Choose an application type**, select **Regular Web Application**. That choice gives Arcade the confidential-client setup and Authorization Code flow it needs. See Auth0's [application types reference](https://auth0.com/docs/get-started/applications) for more on each option. |
| 35 | + |
| 36 | +Click **Create**. Auth0 opens the new application's **Settings** tab. |
| 37 | + |
| 38 | +<Image |
| 39 | + alt="Create application dialog in the Auth0 dashboard with Regular Web Application selected" |
| 40 | + className="max-w-full mt-4" |
| 41 | + src="/images/user-sources/auth0/auth0-create-app-light.png" |
| 42 | + width={AUTH0_SCREENSHOT_WIDTH} |
| 43 | + height={AUTH0_SCREENSHOT_HEIGHT} |
| 44 | +/> |
| 45 | + |
| 46 | +### Configure the Allowed Callback URLs |
| 47 | + |
| 48 | +On the **Settings** tab, scroll to **Application URIs** and paste this URL into **Allowed Callback URLs**: |
| 49 | + |
| 50 | +`https://cloud.arcade.dev/oauth2/intermediate_callback` |
| 51 | + |
| 52 | +Leave the other URI fields (Allowed Logout URLs, Allowed Web Origins) empty unless you have a separate reason to set them. Scroll to the bottom of the Settings tab and click **Save Changes**. |
| 53 | + |
| 54 | +### Copy the application credentials |
| 55 | + |
| 56 | +Scroll back to the **Basic Information** section at the top of the **Settings** tab and copy three values: |
| 57 | + |
| 58 | +- **Domain** |
| 59 | +- **Client ID** |
| 60 | +- **Client Secret**. Click the eye icon to reveal it before copying. |
| 61 | + |
| 62 | +You'll paste these into Arcade in the next section. |
| 63 | + |
| 64 | +<Image |
| 65 | + alt="Basic Information section of the Auth0 application Settings tab showing Domain, Client ID, and Client Secret fields" |
| 66 | + className="max-w-full mt-4" |
| 67 | + src="/images/user-sources/auth0/auth0-settings-light.png" |
| 68 | + width={AUTH0_SCREENSHOT_WIDTH} |
| 69 | + height={AUTH0_SCREENSHOT_HEIGHT} |
| 70 | +/> |
| 71 | + |
| 72 | +</Steps> |
| 73 | + |
| 74 | +## Copy these values to Arcade |
| 75 | + |
| 76 | +Copy these values into Arcade's User Source form: |
| 77 | + |
| 78 | +| Arcade field | Where to find it in Auth0 | |
| 79 | +|---|---| |
| 80 | +| **Issuer URL** | `https://<your-auth0-domain>/`, where `<your-auth0-domain>` is the **Domain** value from the application's **Settings** tab. Include the trailing slash. Auth0 emits the issuer with a trailing slash and Arcade matches the value exactly. | |
| 81 | +| **Client ID** | The **Client ID** field in **Basic Information**. | |
| 82 | +| **Client Secret** | The **Client Secret** field in **Basic Information**. | |
| 83 | + |
| 84 | +## Create the User Source in Arcade |
| 85 | + |
| 86 | +Open the Arcade Dashboard, select your project, navigate to **User Sources**, and click **Create User Source**. Paste the values from the table above. For a walkthrough of the form, see [Create a User Source](/guides/user-sources#create-a-user-source) in the User Sources overview. |
| 87 | + |
| 88 | +Once the User Source is active, attach it to an MCP Gateway by following [Create via Dashboard](/guides/mcp-gateways/create-via-dashboard) and picking **User Source** under "Non-Arcade Users" in the gateway form. |
| 89 | + |
| 90 | +## Notes |
| 91 | + |
| 92 | +- **Tenant domains and regions**: Newer Auth0 tenants use region-prefixed domains such as `<tenant>.us.auth0.com` or `<tenant>.eu.auth0.com`. Older tenants use `<tenant>.auth0.com`. Either form works; copy exactly what the **Domain** field on the application's Settings tab displays. See Auth0's [tenant region documentation](https://auth0.com/docs/get-started/auth0-overview/create-tenants) for more on which region your tenant is in. |
| 93 | +- **Custom domains**: If you use Auth0's [custom domain feature](https://auth0.com/docs/customize/custom-domains) (for example, `auth.yourcompany.com`), use the custom domain as the **Issuer URL** hostname. End users see your branded domain on the sign-in page. |
| 94 | +- **Connections**: Auth0 lets you wire up database, social, and enterprise connections behind a single tenant. Arcade doesn't care which connections you've enabled, only that the end users who try to sign in have access to this application. Configure connections under **Authentication** → **Database / Social / Enterprise** in the Auth0 dashboard. |
| 95 | +- **Client secret rotation**: Auth0 lets you rotate the client secret from the **Settings** tab's **Basic Information** section. See [Rotate the client secret](/guides/user-sources#rotate-the-client-secret) in the User Sources guide for the Arcade side. |
| 96 | +- **Custom subject claims**: Arcade's default Subject Claim, `sub`, is Auth0's connection-prefixed user identifier (for example, `auth0|abc123` for a database user or `google-oauth2|abc123` for a Google-linked user). It's stable per user across the tenant. If you need Arcade to identify users by a different value, add a [custom claim](https://auth0.com/docs/secure/tokens/json-web-tokens/create-custom-claims) to the ID token via an Auth0 Action and set the User Source's **Subject Claim** to its name. Arcade only reads ID tokens, so the claim must be on the ID token (not the access token). See [Advanced: scopes and subject claim](/guides/user-sources#advanced-scopes-and-subject-claim) in the overview for what makes a good claim. |
0 commit comments