@auth0/auth0-api-js
v1.2.1
Published
Auth0 Authentication SDK for API's on JavaScript runtimes
Downloads
21,033
Maintainers
auth0-oss
ziluvatar
iaco
pubalokta
auth0npm
auth0brokkr
hzalaz
aaguiarz
charlesrea
ncluer
julien.wollscheid
cristiandouce
sambego
sandrinodimattia
lzychowski
davidpatrick0
sergii.biienko
jpadilla
jessele
rhamzeh_auth0
oktajeffoktajeff
david.renaud.okta
bsmith-auth0
madhuri.rm23
npirani_okta
soumya.bodavula
jamescgarrett-okta
stheller
jfromaniello
edgarchirivella-okta
sanjay.manikandhan
rithuc23
enriquepina
josecarlos-chavez_atko
sgarcia-atko
roger.chan
joshbetz_auth0
andriy0k
maaantone
jason.gervais
shafatkhan
psychoticbrat
brohowismynamealreadytaken
lewisbyrne-okta
tarunpreet.kaur
harish.sundar
dannyturcotte
auth0-werner
safder.areepattamannilKeywords
Readme
The @auth0/auth0-api-js library allows for securing API's running on a JavaScript runtime.
Using this SDK as-is in your API may not be trivial, as it is not a plug-and-play library for your framework. Instead, it is designed to be used as a building block for building framework-specific SDKs.
📚 Documentation - 🚀 Getting Started - 💬 Feedback
Documentation
- Docs Site - explore our docs site and learn more about Auth0.
Getting Started
1. Install the SDK
npm i @auth0/auth0-api-jsThis library requires Node.js 20 LTS and newer LTS versions.
2. Create the Auth0 SDK client
Create an instance of the ApiClient. This instance will be imported and used anywhere we need access to the methods.
import { ApiClient } from '@auth0/auth0-api-js';
const apiClient = new ApiClient({
domain: '<AUTH0_DOMAIN>',
audience: '<AUTH0_AUDIENCE>',
});The AUTH0_DOMAIN can be obtained from the Auth0 Dashboard once you've created an application.
The AUTH0_AUDIENCE is the identifier of the API. You can find this in the API section of the Auth0 dashboard.
3. Verify the Access Token
The SDK's verifyAccessToken method can be used to verify the access token.
const apiClient = new ApiClient({
domain: '<AUTH0_DOMAIN>',
audience: '<AUTH0_AUDIENCE>',
});
const accessToken = '...';
const decodedAndVerifiedToken = await apiClient.verifyAccessToken({
accessToken,
});The SDK automatically validates claims like iss, aud, exp, and nbf. You can also pass additional claims to be required by configuring requiredClaims:
const apiClient = new ApiClient({
domain: '<AUTH0_DOMAIN>',
audience: '<AUTH0_AUDIENCE>',
});
const accessToken = '...';
const decodedAndVerifiedToken = await apiClient.verifyAccessToken({
accessToken,
requiredClaims: ['my_custom_claim'],
});4. Protected Resource Metadata (RFC 9728)
The SDK supports OAuth 2.0 Protected Resource Metadata as defined in RFC 9728:
import {
ProtectedResourceMetadataBuilder,
BearerMethod,
SigningAlgorithm,
} from '@auth0/auth0-api-js';
const resourceServerUrl = 'https://api.example.com';
const authServers = ['https://your-tenant.us.auth0.com'];
const metadata = new ProtectedResourceMetadataBuilder(resourceServerUrl, authServers)
.withBearerMethodsSupported([BearerMethod.HEADER])
.withResourceSigningAlgValuesSupported(
SigningAlgorithm.RS256,
SigningAlgorithm.ES256,
)
.withScopesSupported(['read', 'write', 'admin'])
.build();
// Serve metadata from the standard RFC 9728 endpoint
app.get('/.well-known/oauth-protected-resource', (req, res) => {
res.json(metadata.toJSON());
});5. Token Exchange
The SDK supports RFC 8693 OAuth 2.0 Token Exchange, allowing you to exchange tokens for different API audiences while preserving user identity.
When to Use Which Flow
Custom Token Exchange: Use when you control the subject token format. Common scenarios:
- Exchanging MCP server tokens for Auth0 tokens
- Migrating from legacy authentication systems
- Federating with partner systems using custom token formats
- Exchanging tokens issued by your own services
Access Token Exchange with Token Vault (via
getAccessTokenForConnection): Use when exchanging for external provider's access tokens:- Accessing Google APIs with a user's Google token
- Calling Facebook Graph API with a user's Facebook token
- Any scenario where Auth0 manages the external provider's refresh tokens in the Token Vault
Custom Token Exchange Example
import { ApiClient } from '@auth0/auth0-api-js';
const apiClient = new ApiClient({
domain: '<AUTH0_DOMAIN>',
audience: '<AUTH0_AUDIENCE>',
clientId: '<AUTH0_CLIENT_ID>',
clientSecret: '<AUTH0_CLIENT_SECRET>',
});
// Exchange a custom token (e.g., from an MCP server or legacy system)
const result = await apiClient.getTokenByExchangeProfile(
userToken, // The token to exchange
{
subjectTokenType: 'urn:example:custom-token', // Your custom token type URN
audience: 'https://api.backend.com',
}
);
// Handle token expiry - check expiresAt and re-exchange when needed
// Note: expiresAt is in seconds, Date.now() is in milliseconds
const tokenIsValid = Math.floor(Date.now() / 1000) < result.expiresAt;
if (!tokenIsValid) {
// Re-exchange with a fresh subject token (e.g., from your auth provider)
const newSubjectToken = await getNewTokenFromYourProvider();
const refreshed = await apiClient.getTokenByExchangeProfile(newSubjectToken, {
subjectTokenType: 'urn:example:custom-token',
audience: 'https://api.backend.com',
});
}Security Note: The
extraparameter (if exposed in your application) should never contain Personally Identifiable Information (PII) or sensitive data. Extra parameters may be logged by Auth0 or included in audit trails. Only use it for non-sensitive technical parameters that don't identify users.
Learn more: Custom Token Exchange | Token Vault
Feedback
Contributing
We appreciate feedback and contribution to this repo! Before you get started, please read the following:
- Auth0's general contribution guidelines
- Auth0's code of conduct guidelines
- This repo's contribution guide
Raise an issue
To provide feedback or report a bug, please raise an issue on our issue tracker.
Vulnerability Reporting
Please do not report security vulnerabilities on the public GitHub issue tracker. The Responsible Disclosure Program details the procedure for disclosing security issues.