Enumeration AccessTokenForConnectionErrorCode
Enum representing error codes related to access tokens for connections.
-Index
Enumeration Members
Enumeration AccessTokenForConnectionErrorCode
Enum representing error codes related to access tokens for connections.
+Index
Enumeration Members
Enumeration Members
FAILED_
Failed to exchange the refresh token.
-MISSING_
The refresh token is missing.
-MISSING_
The session is missing.
-MISSING_
The refresh token is missing.
+MISSING_
The session is missing.
+Enumeration ConnectAccountErrorCodes
Enum representing error codes related to the connect account flow.
-Index
Enumeration Members
Enumeration ConnectAccountErrorCodes
Enum representing error codes related to the connect account flow.
+Index
Enumeration Members
Enumeration Members
FAILED_
Failed to complete the connect account flow.
-FAILED_
Failed to initiate the connect account flow.
-MISSING_
The session is missing.
-FAILED_
Failed to initiate the connect account flow.
+MISSING_
The session is missing.
+Enumeration CustomTokenExchangeErrorCode
Error codes for Custom Token Exchange errors.
-Index
Enumeration Members
Enumeration CustomTokenExchangeErrorCode
Error codes for Custom Token Exchange errors.
+Index
Enumeration Members
Enumeration Members
EXCHANGE_
The token exchange request failed.
-INVALID_
The subject_token_type is not a valid URI, wrong length, or uses a reserved namespace.
-MISSING_
The actor_token was provided without actor_token_type.
-MISSING_
The subject_token is missing or empty.
-INVALID_
The subject_token_type is not a valid URI, wrong length, or uses a reserved namespace.
+MISSING_
The actor_token was provided without actor_token_type.
+MISSING_
The subject_token is missing or empty.
+Enumeration DPoPErrorCode
Error codes for DPoP-related errors.
+Enumeration DPoPErrorCode
Error codes for DPoP-related errors.
These error codes categorize different types of failures that can occur during DPoP (Demonstrating Proof-of-Possession) operations.
-Index
Enumeration Members
Index
Enumeration Members
Enumeration Members
DPOP_
DPoP configuration is invalid or incomplete. This occurs when the provided DPoP configuration contains invalid values or missing required components.
-DPOP_
Failed to calculate dpop_jkt (JWK thumbprint) parameter. +
DPOP_
Failed to calculate dpop_jkt (JWK thumbprint) parameter. This occurs when the SDK cannot generate the required thumbprint from the provided public key for the authorization request.
-DPOP_
Failed to export DPoP public key to JWK format. +
DPOP_
Failed to export DPoP public key to JWK format. This occurs when the SDK cannot convert the CryptoKey to the JSON Web Key format required for DPoP proofs.
-Enumeration RESPONSE_TYPES
Index
Enumeration Members
Enumeration RESPONSE_TYPES
Index
Enumeration Members
CONNECT_
Connect Account flow.
+Enumeration SUBJECT_TOKEN_TYPES
Index
Enumeration Members
Enumeration SUBJECT_TOKEN_TYPES
Index
Enumeration Members
Enumeration Members
SUBJECT_
Indicates that the token is an OAuth 2.0 access token issued by the given authorization server.
SUBJECT_
Indicates that the token is an OAuth 2.0 refresh token issued by the given authorization server.
+SUBJECT_
Indicates that the token is an OAuth 2.0 refresh token issued by the given authorization server.
Function getAccessToken
- getAccessToken(
options: AccessTokenOptions & { includeFullResponse: true },
): Promise<AccessTokenResponse>+Fetches an access token for the currently logged-in user.
+getAccessToken | @auth0/nextjs-auth0 - v4.18.0 Function getAccessToken
- getAccessToken(
options: AccessTokenOptions & { includeFullResponse: true },
): Promise<AccessTokenResponse>Fetches an access token for the currently logged-in user.
Parameters
- options: AccessTokenOptions & { includeFullResponse: true }
Options for fetching the access token, including optional audience and scope.
Returns Promise<AccessTokenResponse>
The access token as a string, or the full token response when
includeFullResponseis true. - options: AccessTokenOptions & { includeFullResponse: true }
Fetches an access token for the currently logged-in user.
+
Fetches an access token for the currently logged-in user.
Parameters
Optionaloptions: AccessTokenOptions & { includeFullResponse?: false }Options for fetching the access token, including optional audience and scope.
Returns Promise<string>
The access token as a string, or the full token response when
includeFullResponseis true.
Function useUser
- useUser(): | {
error: Error;
invalidate: () => Promise<User | undefined>;
isLoading: boolean;
user: null;
}
| {
error: null;
invalidate: () => Promise<User | undefined>;
isLoading: boolean;
user: User;
}
| {
error: undefined;
invalidate: () => Promise<User | undefined>;
isLoading: boolean;
user: undefined;
}Returns
| {
error: Error;
invalidate: () => Promise<User | undefined>;
isLoading: boolean;
user: null;
}
| {
error: null;
invalidate: () => Promise<User | undefined>;
isLoading: boolean;
user: User;
}
| {
error: undefined;
invalidate: () => Promise<User | undefined>;
isLoading: boolean;
user: undefined;
}
Function useUser
- useUser(): | {
error: Error;
invalidate: () => Promise<User | undefined>;
isLoading: boolean;
user: null;
}
| {
error: null;
invalidate: () => Promise<User | undefined>;
isLoading: boolean;
user: User;
}
| {
error: undefined;
invalidate: () => Promise<User | undefined>;
isLoading: boolean;
user: undefined;
}Returns
| {
error: Error;
invalidate: () => Promise<User | undefined>;
isLoading: boolean;
user: null;
}
| {
error: null;
invalidate: () => Promise<User | undefined>;
isLoading: boolean;
user: User;
}
| {
error: undefined;
invalidate: () => Promise<User | undefined>;
isLoading: boolean;
user: undefined;
}
Function filterDefaultIdTokenClaims
Filters the claims to only include those that are considered default.
+filterDefaultIdTokenClaims | @auth0/nextjs-auth0 - v4.18.0 +Function filterDefaultIdTokenClaims
Filters the claims to only include those that are considered default.
Parameters
- claims: { [key: string]: any }
The claims to filter.
Returns User
The filtered claims containing only default ID token claims.
-- claims: { [key: string]: any }
Function generateDpopKeyPair
Generates a new ES256 key pair for DPoP (Demonstrating Proof-of-Possession) operations.
+This function creates a cryptographically secure ES256 key pair suitable for DPoP proof +generation. The generated keys use the P-256 elliptic curve with SHA-256 hashing, +which is the required algorithm for DPoP as specified in RFC 9449.
+Returns Promise<DpopKeyPair>
Promise that resolves to a DpopKeyPair containing the private and public keys
+
Function generateSessionCookie
- generateSessionCookie(
session: Partial<SessionData>,
config: GenerateSessionCookieConfig,
): Promise<string>Parameters
- session: Partial<SessionData>
- config: GenerateSessionCookieConfig
Returns Promise<string>
Function generateSessionCookie
- generateSessionCookie(
session: Partial<SessionData>,
config: GenerateSessionCookieConfig,
): Promise<string>Parameters
- session: Partial<SessionData>
- config: GenerateSessionCookieConfig
Returns Promise<string>
@auth0/nextjs-auth0 - v4.17.0
Hierarchy Summary
- SdkError
- MfaRequiredError
- MfaTokenExpiredError
- MfaTokenInvalidError
- DomainResolutionError
- DomainValidationError
- IssuerValidationError
- SessionDomainMismatchError
- OAuth2Error
- DiscoveryError
- MissingStateError
- InvalidStateError
- InvalidConfigurationError
- AuthorizationError
- AuthorizationCodeGrantRequestError
- AuthorizationCodeGrantError
- BackchannelLogoutError
- BackchannelAuthenticationNotSupportedError
- BackchannelAuthenticationError
- AccessTokenError
- AccessTokenForConnectionError
- CustomTokenExchangeError
- DPoPError
- MyAccountApiError
- ConnectAccountError
- MfaNoAvailableFactorsError
- InvalidRequestError
@auth0/nextjs-auth0 - v4.18.0
Hierarchy Summary
- SdkError
- MfaRequiredError
- MfaTokenExpiredError
- MfaTokenInvalidError
- DomainResolutionError
- DomainValidationError
- IssuerValidationError
- SessionDomainMismatchError
- OAuth2Error
- DiscoveryError
- MissingStateError
- InvalidStateError
- InvalidConfigurationError
- AuthorizationError
- AuthorizationCodeGrantRequestError
- AuthorizationCodeGrantError
- BackchannelLogoutError
- BackchannelAuthenticationNotSupportedError
- BackchannelAuthenticationError
- AccessTokenError
- AccessTokenForConnectionError
- CustomTokenExchangeError
- DPoPError
- MyAccountApiError
- ConnectAccountError
- MfaNoAvailableFactorsError
- InvalidRequestError
@auth0/nextjs-auth0 - v4.17.0
@auth0/nextjs-auth0 - v4.18.0
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications.
@@ -405,4 +405,4 @@
What is Auth0? This project is licensed under the MIT license. See the LICENSE file for more info. -
Interface WithPageAuthRequiredOptions
Options to customize the withPageAuthRequired higher order component.
-onError?: (error: Error) => Element;
onRedirecting?: () => Element;
returnTo?: string;
}
Index
Properties
Interface WithPageAuthRequiredOptions
Options to customize the withPageAuthRequired higher order component.
+onError?: (error: Error) => Element;
onRedirecting?: () => Element;
returnTo?: string;
}
Index
Properties
Properties
Optionalon
withPageAuthRequired(Profile, {
onError: error => <div>Error: {error.message}</div>
});
Render a fallback in case of error fetching the user from the profile API route.
-Optionalon
withPageAuthRequired(Profile, {
onRedirecting: () => <div>Redirecting...</div>
});
+Optionalon
withPageAuthRequired(Profile, {
onRedirecting: () => <div>Redirecting...</div>
});
Render a message to show that the user is being redirected.
-Optionalreturn
withPageAuthRequired(Profile, {
returnTo: '/profile'
});
+Optionalreturn
withPageAuthRequired(Profile, {
returnTo: '/profile'
});
Add a path to return the user to after login.
-Interface MfaApiErrorResponse
Interface for Auth0 MFA API error responses. +
Interface MfaApiErrorResponse
Interface for Auth0 MFA API error responses. All MFA errors from Auth0 follow this shape (snake_case).
-Index
Properties
Index
Properties
Interface MfaRequirements
MFA requirements from an mfa_required error response. +
Interface MfaRequirements
MFA requirements from an mfa_required error response. Indicates which MFA methods are available for the user. Matches Auth0 API response shape and auth0-spa-js type.
-Index
Properties
Index
Properties
Optionalenroll
Required enrollment types (user needs to enroll new authenticator)
+Interface AccessTokenForConnectionOptions
Options for retrieving a connection access token.
-connection: string;
login_hint?: string;
subject_token_type?: SUBJECT_TOKEN_TYPES;
}
Index
Properties
Interface AccessTokenForConnectionOptions
Options for retrieving a connection access token.
+connection: string;
login_hint?: string;
subject_token_type?: SUBJECT_TOKEN_TYPES;
}
Index
Properties
Properties
connection
The connection name for while you want to retrieve the access token.
-Optionallogin_
An optional login hint to pass to the authorization server.
-Optionalsubject_
The type of token that is being exchanged.
+Optionallogin_
An optional login hint to pass to the authorization server.
+Optionalsubject_
The type of token that is being exchanged.
Uses the SUBJECT_TOKEN_TYPES enum with the following allowed values:
SUBJECT_TYPE_REFRESH_TOKEN:"urn:ietf:params:oauth:token-type:refresh_token"SUBJECT_TYPE_ACCESS_TOKEN:"urn:ietf:params:oauth:token-type:access_token"
Defaults to SUBJECT_TYPE_REFRESH_TOKEN.
Interface AccessTokenSet
accessToken: string;
audience: string;
expiresAt: number;
requestedScope?: string;
scope?: string;
token_type?: string;
}
Index
Properties
Interface AccessTokenSet
accessToken: string;
audience: string;
expiresAt: number;
requestedScope?: string;
scope?: string;
token_type?: string;
}
Index
Properties
Interface Auth0ClientOptions
allowInsecureRequests?: boolean;
appBaseUrl?: string | string[];
authorizationParameters?: AuthorizationParameters;
beforeSessionSaved?: BeforeSessionSavedHook;
clientAssertionSigningAlg?: string;
clientAssertionSigningKey?: string | CryptoKey;
clientId?: string;
clientSecret?: string;
discoveryCache?: DiscoveryCacheOptions;
domain?: string | DomainResolver;
dpopKeyPair?: DpopKeyPair;
dpopOptions?: DpopOptions;
enableAccessTokenEndpoint?: boolean;
enableConnectAccountEndpoint?: boolean;
enableParallelTransactions?: boolean;
enableTelemetry?: boolean;
httpTimeout?: number;
includeIdTokenHintInOIDCLogoutUrl?: boolean;
logoutStrategy?: LogoutStrategy;
mfaTokenTtl?: number;
noContentProfileResponseWhenUnauthenticated?: boolean;
onCallback?: OnCallbackHook;
pushedAuthorizationRequests?: boolean;
routes?: Partial<
Pick<
Routes,
"login"
| "callback"
| "logout"
| "backChannelLogout"
| "connectAccount",
>,
>;
secret?: string;
session?: SessionConfiguration;
sessionStore?: SessionDataStore;
signInReturnToPath?: string;
tokenRefreshBuffer?: number;
transactionCookie?: TransactionCookieOptions;
useDPoP?: boolean;
}
Index
Properties
Interface Auth0ClientOptions
allowInsecureRequests?: boolean;
appBaseUrl?: string | string[];
authorizationParameters?: AuthorizationParameters;
beforeSessionSaved?: BeforeSessionSavedHook;
clientAssertionSigningAlg?: string;
clientAssertionSigningKey?: string | CryptoKey;
clientId?: string;
clientSecret?: string;
discoveryCache?: DiscoveryCacheOptions;
domain?: string | DomainResolver;
dpopKeyPair?: DpopKeyPair;
dpopOptions?: DpopOptions;
enableAccessTokenEndpoint?: boolean;
enableConnectAccountEndpoint?: boolean;
enableParallelTransactions?: boolean;
enableTelemetry?: boolean;
httpTimeout?: number;
includeIdTokenHintInOIDCLogoutUrl?: boolean;
logoutStrategy?: LogoutStrategy;
mfaTokenTtl?: number;
noContentProfileResponseWhenUnauthenticated?: boolean;
onCallback?: OnCallbackHook;
pushedAuthorizationRequests?: boolean;
routes?: Partial<
Pick<
Routes,
"login"
| "callback"
| "logout"
| "backChannelLogout"
| "connectAccount",
>,
>;
secret?: string;
session?: SessionConfiguration;
sessionStore?: SessionDataStore;
signInReturnToPath?: string;
tokenRefreshBuffer?: number;
transactionCookie?: TransactionCookieOptions;
useDPoP?: boolean;
}
Index
Properties
Properties
Optionalallow
Allow insecure requests to be made to the authorization server. This can be useful when testing
with a mock OIDC provider that does not support TLS, locally.
This option can only be used when NODE_ENV is not set to production.
Optionalapp
The URL of your application (e.g.: http://localhost:3000).
Optionalapp
The URL of your application (e.g.: http://localhost:3000).
Can be a single URL string, or an array of allowed base URLs. When an array is provided, the SDK validates the incoming request origin against the list and uses the matching entry (allow-list mode). This is useful for multi-domain or preview @@ -40,27 +40,27 @@
If it's not specified, it will be loaded from the APP_BASE_URL environment variable.
Multiple origins can be provided as a comma-separated string (e.g. https://app.example.com,https://myapp.vercel.app).
If neither is provided, the SDK will infer it from the request host at runtime.
Optionalauthorization
Additional parameters to send to the /authorize endpoint.
Optionalbefore
A method to manipulate the session before persisting it.
+Optionalauthorization
Additional parameters to send to the /authorize endpoint.
Optionalbefore
A method to manipulate the session before persisting it.
See beforeSessionSaved for additional details
-Optionalclient
The algorithm used to sign the client assertion JWT. +
Optionalclient
The algorithm used to sign the client assertion JWT.
Uses one of token_endpoint_auth_signing_alg_values_supported if not specified.
If the Authorization Server discovery document does not list token_endpoint_auth_signing_alg_values_supported
this property will be required.
Optionalclient
Private key for use with private_key_jwt clients.
+
Optionalclient
Private key for use with private_key_jwt clients.
This should be a string that is the contents of a PEM file or a CryptoKey.
Optionalclient
The Auth0 client ID.
+Optionalclient
The Auth0 client ID.
If it's not specified, it will be loaded from the AUTH0_CLIENT_ID environment variable.
Optionalclient
The Auth0 client secret.
+Optionalclient
The Auth0 client secret.
If it's not specified, it will be loaded from the AUTH0_CLIENT_SECRET environment variable.
Optionaldiscovery
Configuration for the OIDC discovery metadata cache. +
Optionaldiscovery
Configuration for the OIDC discovery metadata cache. Controls TTL and maximum cached issuers for MCD resolver mode. Also applies in static mode (single cached entry).
Optionaldomain
The Auth0 domain for the tenant.
+Optionaldomain
The Auth0 domain for the tenant.
string: Static domain (e.g.,"example.us.auth0.com"). Existing behavior preserved.DomainResolver: Async function resolving domain per-request from headers. @@ -71,7 +71,7 @@- DomainResolver for resolver signature and examples.
- MCD Examples
Optionaldpop
ES256 key pair for DPoP proof generation.
+Optionaldpop
ES256 key pair for DPoP proof generation.
If not provided when useDPoP is true, the SDK will attempt to load keys from
environment variables AUTH0_DPOP_PUBLIC_KEY and AUTH0_DPOP_PRIVATE_KEY.
Keys must be in PEM format and use the P-256 elliptic curve.
Optionaldpop
Configuration options for DPoP timing validation and retry behavior.
+Optionaldpop
Configuration options for DPoP timing validation and retry behavior.
These options control how the SDK validates DPoP proof timing and handles nonce errors. Proper configuration is important for both security and reliability.
Example: Basic configuration
const auth0 = new Auth0Client({
useDPoP: true,
dpopOptions: {
clockTolerance: 60, // Allow 60 seconds clock difference
clockSkew: 0, // No clock adjustment needed
retry: {
delay: 200, // 200ms delay before retry
jitter: true // Add randomness to prevent thundering herd
}
}
});
@@ -95,17 +95,17 @@
Optionalenable
Boolean value to enable the /auth/access-token endpoint for use in the client app.
Optionalenable
Boolean value to enable the /auth/access-token endpoint for use in the client app.
Defaults to true.
NOTE: Set this to false if your client does not need to directly interact with resource servers (Token Mediating Backend). This will be false for most apps.
A security best practice is to disable this to avoid exposing access tokens to the client app.
-Optionalenable
If true, the /auth/connect endpoint will be mounted to enable users to connect additional accounts.
Optionalenable
Optionalenable
Boolean value to opt-out of sending the library name and version to your authorization server +
Optionalenable
If true, the /auth/connect endpoint will be mounted to enable users to connect additional accounts.
Optionalenable
Optionalenable
Boolean value to opt-out of sending the library name and version to your authorization server
via the Auth0-Client header. Defaults to true.
Optionalhttp
Integer value for the HTTP timeout in milliseconds for authentication requests. +
Optionalhttp
Integer value for the HTTP timeout in milliseconds for authentication requests.
Defaults to 5000 ms.
Optionalinclude
Configure whether to include id_token_hint in OIDC logout URLs.
+Optionalinclude
Configure whether to include id_token_hint in OIDC logout URLs.
Recommended (default): Set to true to include id_token_hint parameter.
Auth0 recommends using id_token_hint for secure logout as per the
OIDC specification.
Optionallogout
Configure the logout strategy to use.
+Optionallogout
Configure the logout strategy to use.
'auto'(default): Attempts OIDC RP-Initiated Logout first, falls back to/v2/logoutif not supported'oidc': Always uses OIDC RP-Initiated Logout (requires RP-Initiated Logout to be enabled)'v2': Always uses the Auth0/v2/logoutendpoint (supports wildcards in allowed logout URLs)
Optionalmfa
MFA context TTL in seconds. Controls how long encrypted mfa_token remains valid. +
Optionalmfa
MFA context TTL in seconds. Controls how long encrypted mfa_token remains valid. Default: 300 (5 minutes, matching Auth0's mfa_token expiration)
Can also be set via AUTH0_MFA_TOKEN_TTL environment variable.
Optionalno
If true, the profile endpoint will return a 204 No Content response when the user is not authenticated +
Optionalno
If true, the profile endpoint will return a 204 No Content response when the user is not authenticated instead of returning a 401 Unauthorized response.
Defaults to false.
Optionalon
A method to handle errors or manage redirects after attempting to authenticate.
+Optionalon
A method to handle errors or manage redirects after attempting to authenticate.
See onCallback for additional details
-Optionalpushed
If enabled, the SDK will use the Pushed Authorization Requests (PAR) protocol when communicating with the authorization server.
-Optionalroutes
Pick<
Routes,
"login"
| "callback"
| "logout"
| "backChannelLogout"
| "connectAccount",
>,
>
Configure the paths for the authentication routes.
+Optionalpushed
If enabled, the SDK will use the Pushed Authorization Requests (PAR) protocol when communicating with the authorization server.
+Optionalroutes
Pick<
Routes,
"login"
| "callback"
| "logout"
| "backChannelLogout"
| "connectAccount",
>,
>
Configure the paths for the authentication routes.
See Custom routes for additional details.
-Optionalsecret
A 32-byte, hex-encoded secret used for encrypting cookies.
+Optionalsecret
A 32-byte, hex-encoded secret used for encrypting cookies.
If it's not specified, it will be loaded from the AUTH0_SECRET environment variable.
Optionalsession
Configure the session timeouts and whether to use rolling sessions or not.
+Optionalsession
Configure the session timeouts and whether to use rolling sessions or not.
See Session configuration for additional details.
-Optionalsession
A custom session store implementation used to persist sessions to a data store.
+Optionalsession
A custom session store implementation used to persist sessions to a data store.
See Database sessions for additional details.
-Optionalsign
The path to redirect the user to after successfully authenticating. Defaults to /.
Optionaltoken
Number of seconds to refresh access tokens early when calling getAccessToken.
+
Optionalsign
The path to redirect the user to after successfully authenticating. Defaults to /.
Optionaltoken
Number of seconds to refresh access tokens early when calling getAccessToken.
This is a server-side buffer applied to token expiration checks. For example,
with a buffer of 60 seconds, tokens expiring within the next minute will be
refreshed proactively when a refresh token is available.
Defaults to 0 (no early refresh).
Optionaltransaction
Configure the transaction cookie used to store the state of the authentication transaction.
-Optionaluse
Enable DPoP (Demonstrating Proof-of-Possession) for enhanced OAuth 2.0 security.
+Optionaltransaction
Configure the transaction cookie used to store the state of the authentication transaction.
+Optionaluse
Enable DPoP (Demonstrating Proof-of-Possession) for enhanced OAuth 2.0 security.
When enabled, the SDK will:
- Generate DPoP proofs for token requests and protected resource requests @@ -169,4 +169,4 @@
Error class representing an access token for connection error. +
Class AccessTokenForConnectionError
Error class representing an access token for connection error. Extends the
-SdkErrorclass.Hierarchy (View Summary)
Index
Constructors
Hierarchy (View Summary)
Index
Constructors
Properties
Constructors
constructor
code: string,
message: string,
cause?: OAuth2Error,
): AccessTokenForConnectionError
Constructs a new
AccessTokenForConnectionErrorinstance.Parameters
The error code.
The error message.
Optionalcause: OAuth2ErrorThe OAuth2 cause of the error.
-Returns AccessTokenForConnectionError
Properties
Optionalcausecode
The error code associated with the access token error.
-Settings
On This Page
Constructors
Properties
Returns AccessTokenForConnectionError