From auth0
Adds, fixes, and improves authentication with Auth0 across apps — login, MFA, SSO, RBAC, Organizations, custom domains, and more. Supports migration from Clerk, NextAuth.js, Firebase Auth, etc.
How this skill is triggered — by the user, by Claude, or both
Slash command
/auth0:auth0The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Detect intent → detect framework → detect tooling → load 2–3 reference files.
assets/acul/js-templates/login-id.jsassets/acul/js-templates/login-password.jsassets/acul/react-templates/login-id.tsxassets/acul/react-templates/login-password.tsxassets/acul/theme-templates/globals.cssassets/acul/theme-templates/tailwind.config.tsassets/acul/theme-templates/theme-provider.tsassets/acul/theme-templates/tokens.cssreferences/feature-acul.mdreferences/feature-branding.mdreferences/feature-custom-domains.mdreferences/feature-dpop.mdreferences/feature-mfa.mdreferences/feature-migration.mdreferences/feature-organizations.mdreferences/framework-android.mdreferences/framework-angular.mdreferences/framework-aspnetcore-api.mdreferences/framework-aspnetcore-auth.mdreferences/framework-expo.mdDetect intent → detect framework → detect tooling → load 2–3 reference files.
Match the request against the What the developer wants column — it describes
the goal in plain language, not just the Auth0 term (someone who says "make
users confirm with a code from their phone" lands on feature:mfa). The
Intent you pick is a lookup key: in Step 4 it appears verbatim as a
section heading (### feature:mfa) listing which reference files to load.
| What the developer wants (plain language + Auth0 term) | Intent |
|---|---|
| Add login, signup, sign-in, or "let users log in / create accounts" to an app | integrate |
| Require a second step after the password — a one-time code, SMS or email code, authenticator app, passkey, fingerprint/face (biometric), or security key; or re-confirm identity before a sensitive action. Auth0: multi-factor authentication (MFA), two-factor (2FA), two-step verification, step-up authentication. | feature:mfa |
| Let separate companies, teams, workspaces, or tenants each have their own users, members, roles, and login — typically a product sold to businesses. Auth0: Organizations, multi-org, B2B SaaS. | feature:organizations |
Serve the login page from your own web address (e.g. login.example.com, auth.company.com) instead of the default Auth0 URL. Auth0: custom domain. | feature:custom-domains |
| Build fully custom login/signup screens with your own code or framework, beyond what theme settings allow. Auth0: Advanced Customization for Universal Login (ACUL). | feature:acul |
| Change how the login page looks — logo, colors, fonts, background, overall theme. Auth0: branding, Universal Login customization. | feature:branding |
| Bind tokens to the client so a stolen or leaked token can't be reused/replayed from another machine. Auth0: DPoP (Demonstrating Proof-of-Possession), sender-constrained tokens. | feature:dpop |
| Ask for best practices, "is this secure?", how to handle tokens safely, "how should I do X". Auth0: guidance / security. | guidance |
| Hit an error: 401 Unauthorized, 403 Forbidden, CORS, callback URL mismatch, redirect loop. Auth0: debugging. | debug |
| Hit rate limiting: 429 Too Many Requests, quota exceeded. Auth0: rate limits. | debug:rate-limit |
| Move an existing app off Clerk, NextAuth.js, Firebase, Cognito, Okta, Supabase, Passport.js, or another auth provider. Auth0: provider migration. | migrate |
| Upgrade the Auth0 SDK itself to a new major version (e.g. Auth0.swift v2→v3, Auth0.Android v3→v4) — breaking changes, deprecated APIs, "update to the latest SDK". Auth0: SDK major-version upgrade. | upgrade-sdk |
Use the Auth0 CLI directly — "create an app/API with the auth0 CLI", script tenant setup, or automate Auth0 config in CI — with no application framework in play. Auth0: CLI / tooling-only. | tooling |
Skip this step for the
toolingintent — a CLI-first request has no framework. Go to Step 3, load the tooling reference; only ask about a framework if the developer later pivots to integrating auth into an app.
Work top-down. Stop at the first tier that yields a framework.
Read the project files. Stop at the first match.
package.json → dependenciesRows are most-specific first — an Ionic/Capacitor project also carries
@auth0/auth0-angular (etc.), so check the @capacitor/browser rows first.
| Package | Framework |
|---|---|
@capacitor/browser + @auth0/auth0-angular | ionic-angular |
@capacitor/browser + @auth0/auth0-react | ionic-react |
@capacitor/browser + @auth0/auth0-vue | ionic-vue |
@auth0/nextjs-auth0 | nextjs |
@auth0/auth0-nuxt | nuxt |
@auth0/auth0-react | react |
@auth0/auth0-vue | vue |
@auth0/auth0-angular | angular |
@auth0/auth0-spa-js | spa-js |
express-openid-connect | express |
@auth0/auth0-fastify | fastify |
@auth0/auth0-fastify-api | fastify-api |
express-oauth2-jwt-bearer | express-jwt |
react-native-auth0 + app.json or app.config.js present | expo |
react-native-auth0 (no Expo files) | react-native |
requirements.txt or pyproject.toml| Package | Framework |
|---|---|
auth0-server-python | flask |
auth0-fastapi-api | fastapi-api |
build.gradle or pom.xml| Dependency | Framework |
|---|---|
mvc-auth-commons (com.auth0:mvc-auth-commons) | java-mvc |
spring-security-oauth2-resource-server | springboot-api |
*.csproj or NuGet.Config| Package | Framework |
|---|---|
Auth0.AspNetCore.Authentication (no .Api suffix) | aspnetcore-auth |
Auth0.AspNetCore.Authentication.Api | aspnetcore-api |
Auth0.OidcClient.MAUI | maui |
Auth0.OidcClient.AndroidX | net-android |
Auth0.OidcClient.iOS | net-ios |
Auth0.OidcClient.WinForms | winforms |
Auth0.OidcClient.WPF | wpf |
composer.jsonauth0/auth0-php powers both PHP web apps and APIs; the mode is set via
SdkConfiguration's strategy. The STRATEGY_API row is more specific — check
it first.
| Package | Framework |
|---|---|
auth0/auth0-php + SdkConfiguration::STRATEGY_API (or strategy: 'api') | php-api |
auth0/auth0-php (no STRATEGY_API / STRATEGY_REGULAR or strategy: 'webapp') | php |
auth0/login (laravel, no AuthorizationGuard) | laravel |
auth0/login + AuthorizationGuard | laravel-api |
If
auth0/auth0-phpis installed but noSdkConfigurationstrategy is set yet (fresh project), fall through to variant disambiguation below (intent: building/protecting an API →php-api, elsephp).
go.mod| Module | Framework |
|---|---|
github.com/auth0/go-jwt-middleware | go |
| Signal | Framework |
|---|---|
Package.swift or .xcodeproj + Auth0.swift | swift |
build.gradle + com.auth0.android:auth0 | android |
pubspec.yaml + auth0_flutter + flutter.web: false | flutter-native |
pubspec.yaml + auth0_flutter + web enabled | flutter-web |
If no Auth0 SDK matched, detect the framework from ordinary (non-Auth0)
dependencies. Stop at the first match. For a web-vs-API split, the base is
chosen here; the variant is resolved in "Variant disambiguation" below. Rows are
most-specific first — an Ionic project also carries @angular/core / vue /
react, so check the @ionic/* rows first (as in Tier 1).
| Signal | Base framework |
|---|---|
next in package.json | nextjs |
nuxt in package.json | nuxt |
@ionic/* + @angular/core | ionic-angular |
@ionic/* + react | ionic-react |
@ionic/* + vue | ionic-vue |
@angular/core in package.json | angular |
vue in package.json (no nuxt) | vue |
expo in package.json | expo |
react-native (no expo) | react-native |
react (no meta-framework above) | react (SPA) — see note |
express in package.json | express (variant below) |
fastify in package.json | fastify (variant below) |
flask in requirements.txt/pyproject.toml | flask |
fastapi in requirements.txt/pyproject.toml | fastapi-api |
spring-boot in pom.xml/build.gradle | springboot-api |
laravel/framework in composer.json | laravel (variant below) |
composer.json present (no Laravel) | php (variant below) |
go.mod present + HTTP server/router | go |
Package.swift or .xcodeproj | swift |
pubspec.yaml (Flutter, web disabled) | flutter-native |
pubspec.yaml (Flutter, web enabled) | flutter-web |
*.csproj referencing MAUI | maui |
*.csproj (WinForms) | winforms |
*.csproj (WPF) | wpf |
*.csproj ASP.NET (web app or API) | aspnetcore (variant below) |
reactnote: a plain React project maps toreactfor an SPA using the React SDK, orspa-jsif the app is framework-agnostic vanilla JS. If unclear, ask before loading.
If no workspace signal matched, read the developer's request for a framework or language name and map it here. Stop at the first match.
| Developer mentions... | Framework |
|---|---|
Next.js / next | nextjs |
| Nuxt | nuxt |
| Angular (not Ionic) | angular |
| Vue (not Nuxt/Ionic) | vue |
| React SPA (not Next.js) | react |
| vanilla JS / plain JS / no framework SPA | spa-js |
| Express (web app / server-rendered) | express |
| Express API / protect API routes | express-jwt |
| Fastify (web) / Fastify API | fastify / fastify-api |
| Flask | flask |
| FastAPI | fastapi-api |
| Spring Boot | springboot-api |
| Java MVC / servlet | java-mvc |
| ASP.NET Core web app / API | aspnetcore-auth / aspnetcore-api |
| MAUI / WinForms / WPF | maui / winforms / wpf |
| PHP web app / PHP API | php / php-api |
| Laravel web app / Laravel API | laravel / laravel-api |
| Go / Golang API | go |
| Swift / iOS | swift |
| Android / Kotlin | android |
| Flutter (native / web) | flutter-native / flutter-web |
| React Native / Expo | react-native / expo |
| Ionic (Angular/React/Vue) | ionic-angular / ionic-react / ionic-vue |
Some frameworks have separate web-app and API references. When Tier 1 did not pin the variant, choose intent-first:
| Base | Web-app variant | API variant | Choose API when… |
|---|---|---|---|
| express | express | express-jwt | protecting API routes / validating JWTs, no server-rendered UI |
| fastify | fastify | fastify-api | resource server / JWT validation only |
| php | php | php-api | building/protecting a PHP API, no web UI |
| laravel | laravel | laravel-api | API-only (token guard), no Blade UI |
| aspnetcore | aspnetcore-auth | aspnetcore-api | Web API / JWT bearer, no cookie login UI |
If intent is still ambiguous (both a UI and protected endpoints, or unclear), state what you detected and ask the developer web app vs API before loading.
Ask the developer what framework/language they are using. Do not guess.
If Tier 2 (workspace) and Tier 3 (prompt) disagree materially (e.g. the prompt
says "Next.js" but package.json has no next), state the conflict and ask
rather than silently picking. Workspace signals outrank the prompt when both are
present and consistent.
Read the project file tree. This is a project-context decision, not a product preference.
| Project has... | Load |
|---|---|
terraform/ directory OR any *.tf files | tooling-terraform.md |
| Auth0 MCP server active in this agent session | tooling-mcp.md |
| Anything else (default) | tooling-cli.md |
Find the section below whose heading matches the Intent you picked in Step 1, then read the reference files it lists.
Read: references/framework-{framework}.md
Read: references/tooling-{tooling}.md
Follow the integration workflow in framework-{framework}.md.
Use tooling-{tooling}.md for all Auth0 tenant configuration steps.
Read: references/feature-mfa.md
Read: references/tooling-{tooling}.md
If framework detected: Read references/framework-{framework}.md (for SDK-side step-up trigger)
Read: references/feature-organizations.md
Read: references/tooling-{tooling}.md
If framework detected: Read references/framework-{framework}.md
If multi-tenant architecture / B2B SaaS design question: also Read references/pattern-multi-tenant.md
Read: references/feature-custom-domains.md
Read: references/tooling-{tooling}.md
Read: references/feature-acul.md
Read: references/tooling-{tooling}.md
Read: references/feature-branding.md
Read: references/tooling-{tooling}.md
Read: references/feature-dpop.md
Read: references/tooling-{tooling}.md
If a SPA framework is detected (vue/react/angular/spa-js): Read references/framework-{framework}.md
DPoP is SPA-only (no SSR: Next.js/Nuxt) — feature-dpop.md states the exclusion.
Read: references/pattern-security.md
If framework detected: Read references/framework-{framework}.md (for SDK-specific guidance — token storage, session handling, route protection)
If token handling / JWT vs opaque / storage: Read references/pattern-token-handling.md
If multi-tenant / B2B architecture: Read references/pattern-multi-tenant.md + references/feature-organizations.md
Read: references/pattern-common-errors.md
If framework detected: Read references/framework-{framework}.md
Read: references/pattern-rate-limiting.md
Read: references/feature-migration.md
Read: references/tooling-{tooling}.md
If framework detected: Read references/framework-{framework}.md
Read: references/framework-{framework}.md
Follow its "Major Version Migration" section (e.g. Auth0.swift v3, Auth0.Android v4).
This is an Auth0 SDK version bump — NOT a provider migration. Do not load feature-migration.md.
If no framework is detected: ask which Auth0 SDK the developer is upgrading.
Read: references/tooling-{tooling}.md
No framework file — this is a CLI/tooling-only task (create apps/APIs, script
tenant setup, automate config in CI). If the developer then wants to integrate
auth into an app, return to Step 1 with the integrate intent.
claude plugin install auth0@claude-plugins-officialCovers authentication and authorization patterns: JWT, OAuth2, sessions, RBAC, ABAC, passkeys, MFA. Use for implementing login flows, token management, and access control.
Use when the user asks for a WorkOS docs URL, term, or dashboard field (Sign-in endpoint, initiate_login_uri, Redirect URI, `WORKOS_*` env vars), or is implementing, debugging, or migrating WorkOS — AuthKit, SSO/SAML, Directory Sync, RBAC, FGA, MFA, Vault, Audit Logs, Admin Portal, Pipes (Connected Apps), Feature Flags, Radar (bot/fraud detection), webhooks, Custom Domains, running the `workos` CLI in agent or sandbox sessions (`WORKOS_MODE`, `workos doctor`), or migrating from Auth0, Clerk, Cognito, Firebase, Supabase, Stytch, Descope, or Better Auth. Also triggers on @workos-inc/* imports.
Sets up Microsoft Entra ID login/logout authentication and role-based authorization for Power Pages code sites. Creates framework-specific auth services, UI components, and access controls.