docs: add security recommendation callout for React SPA setup in Universal Components docs (#1366)

chakrihacker · web-flow · commit cf52c3b822a0 · 2026-06-25T11:40:13.000+05:30
* feat: add security recommendation callout for React SPA setup in Universal Components docs

* docs: fix callout copy, anchor, and add shadcn tab callout in overview

* feat: add security recommendation for Auth0ComponentProvider in production applications

* fix: remove deprecated ReleaseStageNotice component from universal-components-overview
diff --git a/main/docs/get-started/universal-components/universal-components-overview.mdx b/main/docs/get-started/universal-components/universal-components-overview.mdx
@@ -4,15 +4,6 @@ description: Learn what Auth0 Universal Components are and choose a platform to
 sidebarTitle: Auth0 Universal Components
 ---
 
-import { ReleaseStageNotice } from "/snippets/ReleaseStageNotice.jsx"
-
-<ReleaseStageNotice
-    feature="Auth0 Universal Components"
-    stage="beta"
-    terms="true"
-    contact="Auth0 Support"
-/>
-
 Auth0 Universal Components is a library of pre-built UI components you can use to build your identity pipeline and experience inside your web and native applications. Built on [Auth0 SDKs](/docs/libraries) with an API-first approach, Universal Components allow you to embed Auth0's services, such as Organization management and MFA enrollment, without building the UI manually or managing high-privilege backend proxies.
 
 With Universal Components, you can:
diff --git a/main/docs/get-started/universal-components/web/auth0-component-provider.mdx b/main/docs/get-started/universal-components/web/auth0-component-provider.mdx
@@ -31,6 +31,11 @@ Nest `Auth0ComponentProvider` in your authentication provider (`Auth0Provider`).
 
 <Tabs>
   <Tab title="React">
+
+<Callout icon="shield-halved" color="#F59E0B" iconType="solid">
+  **Security recommendation:** For production applications that manage Organization configuration, Auth0 recommends the [Next.js setup](/docs/get-started/universal-components/auth0-component-provider#next-js) (Regular Web App). Next.js proxy mode stores tokens server-side, which reduces the attack surface compared to browser-stored tokens in a Single Page Application. If you use React SPA mode, review the [Token Storage](/docs/secure/security-guidance/data-security/token-storage) guidance to understand the tradeoffs.
+</Callout>
+
     ```tsx App.tsx
     import { Auth0Provider } from "@auth0/auth0-react";
     import { Auth0ComponentProvider } from "@auth0/universal-components-react/spa";
@@ -970,6 +975,10 @@ All custom methods are optional. Only implement the ones you need. Methods recei
   </Tab>
 
   <Tab title="shadcn">
+  <Callout icon="shield-halved" color="#F59E0B" iconType="solid">
+    **Security recommendation:** For production applications that manage Organization configuration, Auth0 recommends the [Next.js setup](/docs/get-started/universal-components/auth0-component-provider#next-js) (Regular Web App). Next.js proxy mode stores tokens server-side, which reduces the attack surface compared to browser-stored tokens in a Single Page Application. If you use React SPA mode, review the [Token Storage](/docs/secure/security-guidance/data-security/token-storage) guidance to understand the tradeoffs.
+  </Callout>
+
     ```tsx App.tsx
     import { Auth0Provider } from "@auth0/auth0-react";
     import { Auth0ComponentProvider } from "@auth0/universal-components-react/spa";
