Auth0 configuration for user-facing applications (SPA frontend + API backend).
- Auth0 account with tenant (Step 2.4)
- APIs → Applications → APIs → Create API
- Name:
Example API - Identifier:
https://api.example.com - Signing Algorithm: RS256
- Click Create
- Save Identifier as
<AUTH0_AUDIENCE>
- Applications → Applications → Create Application
- Name:
example-ui-dev(orexample-ui-prd) - Type: Single Page Application
- Click Create
In Settings → Application URIs:
Development:
| Setting | Value |
|---|---|
| Allowed Callback URLs | http://localhost:5173, https://<APP>-dev.<TAILNET_NAME>.ts.net |
| Allowed Logout URLs | http://localhost:5173, https://<APP>-dev.<TAILNET_NAME>.ts.net |
| Allowed Web Origins | http://localhost:5173, https://<APP>-dev.<TAILNET_NAME>.ts.net |
Production:
| Setting | Value |
|---|---|
| Allowed Callback URLs | https://app.<DOMAIN> |
| Allowed Logout URLs | https://app.<DOMAIN> |
| Allowed Web Origins | https://app.<DOMAIN> |
Note: SPA doesn't use Client Secret (public client).
- In SPA application settings, scroll to APIs
- Enable your API (e.g.,
Example API)
The Action created in oauth2-proxy setup works for SPA too.
Roles assigned to users will appear in <AUTH0_GROUPS_CLAIM>/groups claim in both ID and Access tokens.
Placeholders for values.yaml:
<AUTH0_AUDIENCE>— API identifier (e.g.,https://api.example.com)
Doppler shared:
AUTH0_CLIENT_SECRET— same secret used by oauth2-proxy
Note:
AUTH0_DOMAINandAUTH0_CLIENT_IDare already configured in oauth2-proxy setup.
"Unable to verify token" in API
- Check
AUTH0_DOMAINdoesn't havehttps://prefix - Check
AUTH0_AUDIENCEmatches in both UI and API
CORS errors
- Check Allowed Web Origins in Auth0 includes UI origin
- Check CORS configured in backend API
Callback URL mismatch
- URL must exactly match (including trailing slash)
- Check protocol (http vs https)
Dev Keys warning
If not using Social Connections (Google, Facebook login):
- Authentication → Social
- Disable all providers with "Dev Keys" label