📚 Documentation - 🚀 Getting Started - 💻 API Reference - 💬 Feedback

Documentation

• Library docs - a complete reference and examples.
• Sample App - a sample application integrated with Auth0.
• Examples - code samples for common auth0-js authentication scenario's.
• Docs site - explore our docs site and learn more about Auth0.

Getting started

Installation

From CDN:

<!-- Latest patch release -->
<script src="https://cdn.auth0.com/js/auth0/9.28.0/auth0.min.js"></script>

From npm:

npm install auth0-js

After installing the auth0-js module using npm, you'll need to bundle it up along with all of its dependencies, or import it using:

import auth0 from 'auth0-js';

Configure the SDK

auth0.WebAuth

Provides support for all the authentication flows.

var auth0 = new auth0.WebAuth({
  domain: '{YOUR_AUTH0_DOMAIN}',
  clientID: '{YOUR_AUTH0_CLIENT_ID}'
});

auth0.Authentication

Provides an API client for the Auth0 Authentication API.

var auth0 = new auth0.Authentication({
  domain: '{YOUR_AUTH0_DOMAIN}',
  clientID: '{YOUR_AUTH0_CLIENT_ID}'
});

auth0.Management

Provides an API Client for the Auth0 Management API (only methods meant to be used from the client with the user token). You should use an access_token with the https://YOUR_DOMAIN.auth0.com/api/v2/ audience to make this work. For more information, read the user management section of the Auth0.js documentation.

var auth0 = new auth0.Management({
  domain: '{YOUR_AUTH0_DOMAIN}',
  token: '{ACCESS_TOKEN_FROM_THE_USER}'
});

API reference

auth0.webAuth

• constructor
• authorize(options)
• changePassword(options)
• checkSession(options, callback)
• login(options, callback)
• logout(options)
• parseHash(options, callback)
• passwordlessLogin(options, callback)
• passwordlessStart(options, callback)
• passwordlessVerify(options, callback)
• renderCaptcha(element, options, callback)
• renewAuth(options, callback)
• signup(options, callback)
• signupAndAuthorize(options, callback)
• validateAuthenticationResponse(options, parsedHash, callback)

auth0.Authentication

• buildAuthorizeUrl(options)
• buildLogoutUrl(options)
• delegation(options, callback)
• getChallenge(callback)
• getSSOData(withActiveDirectories, callback)
• login(options, callback)
• loginWithDefaultDirectory(options, callback)
• loginWithResourceOwner(options, callback)
• userInfo(token, callback)

auth0.Management

• getUser(userId, callback)
• linkUser(userId, secondaryUserId, callback)
• patchUserAttributes(userId, user, callback)
• patchUserMetadata(userId, userMetadata, callback)

Feedback

Contributing

We appreciate feedback and contribution to this repo! Before you get started, please see the following:

• Auth0's general contribution guidelines
• Auth0's code of conduct guidelines

Raise an issue

To provide feedback or report a bug, please raise an issue on our issue tracker.

Vulnerability Reporting

Please do not report security vulnerabilities on the public GitHub issue tracker. The Responsible Disclosure Program details the procedure for disclosing security issues.

<picture> <source media="(prefers-color-scheme: light)" srcset="https://cdn.auth0.com/website/sdks/logos/auth0_light_mode.png" width="150"> <source media="(prefers-color-scheme: dark)" srcset="https://cdn.auth0.com/website/sdks/logos/auth0_dark_mode.png" width="150"> </picture>

Auth0 is an easy to implement, adaptable authentication and authorization platform. To learn more checkout Why Auth0?

This project is licensed under the MIT license. See the LICENSE file for more info.

Change Log

v9.28.0 (2024-10-21)

Full Changelog

Fixed

• Ensure done callback is correctly fired on captcha reload #1469 (srijonsaha)

v9.27.0 (2024-09-27)

Full Changelog

Added

• [IAMRISK-3539] Add challenge endpoint for signup #1467 (TSLarson)

Changed

• Update codeowner file with new GitHub team name #1452 (stevenwong-okta)

v9.26.1 (2024-05-20)

Full Changelog

Fixed

• Call done callback once Arkose is ready #1433 (srijonsaha)

v9.26.0 (2024-04-30)

Full Changelog

Changed

• Update endpoint and add API to get password reset challenge #1431 (srijonsaha)

Note: PR #1431 is a breaking change for a newly-added, WIP, undocumented feature.

v9.25.0 (2024-04-25)

Full Changelog

Added

• Add APIs to get captcha challenge for reset password #1426 (srijonsaha)

v9.24.1 (2024-01-04)

Full Changelog

Changed

• [IAMRISK-3011] Auth0 V2 Captcha failOpen support #1382 (alexkoumarianos-okta)

v9.24.0 (2023-12-13)

Full Changelog

Added

• [IAMRISK-2915] Added support for Auth0 v2 captcha provider #1368 (alexkoumarianos-okta)

v9.23.3 (2023-11-13)

Full Changelog

Security

• Bump idtoken-verifier from 2.2.2 to 2.2.4 #1362 (cgetzen)

v9.23.2 (2023-10-27)

Full Changelog

Security

• Bump crypto-js from 4.1.1 to 4.2.0 #1354 (dependabot[bot])

v9.23.1 (2023-10-19)

Full Changelog

Changed

• [IAMRISK-2817] Update API for Arkose to use a callback based API #1349 (srijonsaha)

v9.23.0 (2023-10-06)

Full Changelog

Added

• [IAMRISK-2602] Add support for Arkose #1341 (srijonsaha)

v9.22.1 (2023-07-18)

Full Changelog

Changed

• Do not lowercase org_name claim #1315 (frederikprijck)

v9.22.0 (2023-07-13)

Full Changelog

Added

• Added support for hCaptcha and Friendly Captcha #1312 (DominickBattistini)
• Support Organization Name #1313 (frederikprijck)

Security

• Security: Update Dependencies #1310 (evansims)

v9.21.0 (2023-05-24)

Full Changelog

Added

• Add cookieDomain option #1304 (telmaantunes)

v9.20.2 (2023-02-28)

Full Changelog

Fixed

• fix(docs): document error() option for renderCaptcha() #1290 (pmalouin)

Security

• chore: update superagent to 7.1.5 #1296 (stevehobbsdev)

v9.20.1 (2023-01-12)

Full Changelog

Fixed

• Updated jsdocs for Authentication#login #1284 (siddtheone)

Security

• Bump jsonwebtoken from 8.5.1 to 9.0.0 #1282 (dependabot[bot])

v9.20.0 (2022-12-13)

Full Changelog

Added

• Support Captcha challenge for passwordless login #1277 (DominickBattistini)

v9.19.2 (2022-11-04)

Full Changelog

Changed

• Regenerate API docs using new readme #1271 (frederikprijck)
• Update readme based on the internal redesign #1269 (frederikprijck)

Fixed

• support timeout option in Popup.loginWithCredentials #1273 (stevehobbsdev)

v9.19.1 (2022-09-09)

Full Changelog

Changed

• Clean up old/missing library migration links #1256 (stevehobbsdev)
• Clarify usage of legacySameSiteCookie in readme #1255 (stevehobbsdev)

Security

• Security: Bump dev dependencies and update lockfile #1244 (evansims)

v9.19.0 (2022-01-25)

Full Changelog

Added

• Add compatibility cookie for SameSite, with option to turn it off #1232 (stevehobbsdev)

v9.18.1 (2022-01-14)

Full Changelog

Fixed

• Set sameSite to 'none' for cookies when using HTTPS #1229 (stevehobbsdev)

v9.18.0 (2021-11-09)

Full Changelog

Added

• Make state expiration configurable #1217 (aedelbro)

Full Changelog

Added

• Add xRequestLanguage, which sends X-Request-Language header to /passwordless/start #1210 (stevehobbsdev)

Fixed

• Check window object only if it is options.hash is not set #1209 (FDiskas)

v9.16.4 (2021-08-26)

Full Changelog

Fixed

• Fix: Passwordless Verify #1202 (seanaye)

v9.16.3 (2021-08-24)

Full Changelog

Security

• Dependency updates #1200 (stevehobbsdev)

Fixed

• Add check around accessing event.data in web-message-handler #1195 (stevehobbsdev)

v9.16.2 (2021-05-26)

Full Changelog

Security

• Update idtoken-verifier to 2.1.2 #1182 (stevehobbsdev)

v9.16.1 (2021-05-25)

Full Changelog

Security

• Bump idtoken-verifier and run npm audit fix #1179 (frederikprijck)

v9.16.0 (2021-04-26)

Full Changelog

Added

• Add Recaptcha Enterprise support #1169 (akmjenkins)

Fixed

• Document optional params to WebAuth.signup #1168 (zog)

Security

• [Security] Bump y18n from 4.0.0 to 4.0.1 #1162 (dependabot-preview[bot])

v9.15.0 (2021-03-19)

Full Changelog

Added

• [SDK-2391] Organizations support #1159 (stevehobbsdev)
• [SDK-2273] Add onRedirecting login hook #1157 (stevehobbsdev)

Changed

• Apply secure flag to cookies when running on https protocol #1158 (stevehobbsdev)

v9.14.3 (2021-01-26)

Full Changelog

Changed

• Add otp to tokenParams #1153 (psamim)

v9.14.2 (2021-01-14)

Full Changelog

v9.14.2 is a maintenance release to fix a faulty NPM package - there are no additional changes from 9.14.1.

v9.14.1 (2021-01-14)

Full Changelog

Changed

• Allow domain to contain http scheme #1144 (danmastrowcoles)

v9.14.0 (2020-09-11)

Full Changelog

Added

• [CAUTH-551] add render captcha method #1126 (jfromaniello)

Fixed

• [SDK-1812] Inclusive language updates #1125 (stevehobbsdev)
• Update superagent dependency to 5.3.1 to get around babel bug #1120 (paviad)

Security

• Dependencies and NPM lock file #1130 (stevehobbsdev)

v9.13.4 (2020-07-02)

Full Changelog

Changed

• [CAUTH-423] Add login state if available to the sign-up request #1117 (jfromaniello)

v9.13.3 (2020-06-26)

Full Changelog

Changed

• Bump idtoken-verifier to 2.0.3 #1113 (stevehobbsdev)

Fixed

• Fix IE default redirect url #1108 (vincentdesmares)
• Document that checkSession requires a callback #1103 (civility-bot)

v9.13.2 (2020-04-09)

Full Changelog

Fixed

• docs: Javascript -> JavaScript #1096 (nwtgck)

Security

• Fixed information disclosure through error object commit (stevehobbsdev)
• Bump minimist from 1.2.0 to 1.2.5 #1098 (dependabot[bot])
• Dependency updates for security advisories #1097 (stevehobbsdev)

v9.13.1 (2020-04-01)

Full Changelog

Fixed

• Add screen_hint to allowed parameters #1093 (tomaszn)

Security

• Update idtoken-verifier dependency #1091 (lbalmaceda)

v9.13.0 (2020-03-27)

Full Changelog

Added

• [SDK-1405] Added support for new generic error codes and details #1084 (stevehobbsdev)
• Fix unit tests by stubbing RSA verification #1085 (stevehobbsdev)
• Updated JS docs for user_metadata #1088 (stevehobbsdev)

v9.12.2 (2020-01-14)

Full Changelog

Changed

• [SDK-1266] Bumped idtoken-verifier to latest patch #1073 (stevehobbsdev)

Security

• [Security] Bump handlebars from 4.1.2 to 4.5.3 #1068 (dependabot-preview[bot])

v9.12.1 (2019-12-17)

Full Changelog

Fixed

• Set the default token validation leeway to 60 sec #1062 (stevehobbsdev)

v9.12.0 (2019-12-11)

Full Changelog

Added

• [CAUTH-239] Add getChallenge method #1057 (jfromaniello)

Fixed

• Fixed passwordless params priority #1058 (stevehobbsdev)
• Bugfix for WebExtension #1054 (STK913)
• Readme develop #1043 (jsoref)
• Fixed typo #1039 (Nyholm)

Security

• [SDK-974] Improved OIDC compliance #1059 (stevehobbsdev)

v9.11.3 (2019-07-23)

Fixed

Use cdn-uploader from NPM.

Full Changelog

v9.11.2 (2019-07-15)

Full Changelog

Fixed

• Upgrade idtoken-verifier to fix importing auth0.js in SSR apps #965 (luisrudge)

v9.11.1 (2019-06-27)

Full Changelog

Fixed

• Fix nonce error when id_token doesn't have a nonce #954 (luisrudge)

v9.11.0 (2019-06-25)

Full Changelog

Added

• Add method to patch root user attributes #949 (luisrudge)

Changed

• Fix/check nonce state hs256 tokens #952 (luisrudge)

Fixed

• Ignore syntax errors from popups #948 (luisrudge)

v9.10.4 (2019-05-24)

Full Changelog

Fixed

• Fix checksession success response casing #943 (luisrudge)

v9.10.3 (2019-05-22)

Full Changelog

v9.10.2 (2019-04-15)

Full Changelog

Changed

• Modify telemetry inside the ULP #922 (luisrudge)

v9.10.1 (2019-03-18)

Full Changelog

Fixed

• Throw nonce error when using HS256 id_tokens #913 (luisrudge)
• Fix different id_token payload casing between authorize and popup.authorize #911 (luisrudge)

v9.10.0 (2019-01-28)

Full Changelog

Changed

• Trim username, email and phoneNumber params in every request #895 (ScottRudiger)

v9.9.1 (2019-01-23)

Full Changelog

Fixed

• Don't store transactions when inside the hosted login page #899 (luisrudge)

v9.9.0 (2019-01-10)

Full Changelog

Fixed

• Don't use storage when inside the Universal Login Page #889 (luisrudge)

v9.8.2 (2018-11-13)

Full Changelog

Fixed

• Prevent checkSession to be called without a redirect_uri #851 (ojas360)
• Parse file protocol from Url #846 (anion155)

v9.8.1 (2018-10-23)

Full Changelog

Fixed

• Fixed transaction state not being set to expire in 30 minutes #835 (sayuti-daniel)
• Fix incorrect error wrapping for signup/change password errors #829 (luisrudge)

v9.8.0 (2018-09-26)

Full Changelog

Released

• Start using cookies instead of localStorage by default #817 (luisrudge)

v9.7.4-beta1 (2018-08-28)

Full Changelog

Changed

• Start using cookies instead of localStorage by default #817 (luisrudge)

v9.7.3 (2018-07-23)

Full Changelog

Fixed

• Fix npm module export #808 (luisrudge)

v9.7.3-beta1 (2018-07-18)

Full Changelog

Fixed

• Fix npm module export #808 (luisrudge)
  • We're testing the new module export to make sure we restore the previous behavior before committing to a patch fix

v9.7.2 (2018-07-13)

Full Changelog

Fixed

• Fix default export for auth0js #803 (luisrudge)

v9.7.1 (2018-07-13)

Full Changelog

Fixed

• Fix build folder not being published in the tag #801 (luisrudge)

v9.7.0 (2018-07-12)

Full Changelog

Added

• Add SRI hashes to the cdn #782 (luisrudge)

Fixed

• options is optional in WebAuth.prototype.authorize #789 (behrangsa)
• Removing domain option from methods (it can't be overridden) #781 (luisrudge)

v9.6.1 (2018-06-07)

Full Changelog

Fixed

• Remove global from window helpers #764 (fetis)

v9.6.0 (2018-05-28)

Full Changelog

Changed

• Added access_type and display to the parameters-whitelist #760 (lordnox)

Fixed

• Clear local state when checkSession call fails #758 (luisrudge)

v9.5.1 (2018-04-28)

Full Changelog

Fixed

• Prevent using window object on initialize #746 (luisrudge)

v9.5.0 (2018-04-24)

Full Changelog

Added

• Add transaction manager to passwordlessLogin and login #731 (luisrudge)
• Add error message when there is no access_token and id_token is HS256 #727 (luisrudge)

Fixed

• Fix storing values when DOM storage is not available #737 (luisrudge)
• getSSOData should call /ssodata from the ULP #733 (luisrudge)
• Return /userinfo error inside the token validation callback #724 (luisrudge)

v9.4.2 (2018-03-28)

Full Changelog

Added

• Add jwksURI override option #717 (luisrudge)

v9.4.1 (2018-03-22)

Full Changelog

Fixed

• Don't validate access_token when there is no payload.at_hash claim #718 (luisrudge)

v9.4.0 (2018-03-22)

Full Changelog

Added

• Adding access_token validation for RS256 id_token's #709 (luisrudge)

v9.3.4 (2018-03-21)

Full Changelog

Added

• Add flag __enableIdPInitiatedLogin to enable idp initiated logins #708 (luisrudge)

v9.3.3 (2018-03-09)

Full Changelog

Added

• Add __enableImpersonation flag to enable impersonation again #689 (luisrudge)

Fixed

• Use CookieStorage when accessing localStorage throws an error #698 (luisrudge)
• Remove email param in cross auth login #692 (luisrudge)
• Add audience:/userinfo to getSSOData checkSession call #688 (luisrudge)

v9.3.2 (2018-03-02)

Full Changelog

Fixed

• Adding legacy error handling for co/auth endpoint #685 (luisrudge)

v9.3.1 (2018-02-28)

Full Changelog

v9.3.0 (2018-02-22)

Full Changelog

Fixed

• Fix CSRF vulnerability when hash.state is empty. Please read more about it here and here. #673 (luisrudge)
• Use WinChan on popup.callback again + adding origin check to keep it secure #669 (luisrudge)
• Fixed error handling for auth in popup mode #668 (luisrudge)
• Fix inconsistent cross origin error handling #667 (luisrudge)

v9.2.3 (2018-02-14)

Full Changelog

Changed

• Use webAuth.login when calling signupAndLogin to support Universal Login Page #664 (luisrudge)

Fixed

• Fix federated param #661 (luisrudge)

v9.2.2 (2018-02-08)

Full Changelog

Fixed

• Making Authentication constructor accept one or two params #657 (luisrudge)

v9.2.1 (2018-02-05)

Full Changelog

Fixed

• Remove origin check from checkSession when redirectUri is empty #653 (luisrudge)

v9.2.0 (2018-02-01)

Full Changelog

Added

• Normalized login and passwordlessLogin usage to make it work in embedded and hosted scenarios #646 (luisrudge)

v9.1.3 (2018-01-29)

Full Changelog

Fixed

• Use origin.port when available #641 (luisrudge)

v9.1.2 (2018-01-26)

Full Changelog

Fixed

• Fixing ie/edge window.location.origin issue #638 (luisrudge)

v9.1.1 (2018-01-24)

Full Changelog

Fixed

• Fix undefined origin in popup mode #635 (luisrudge)

v9.1.0 (2018-01-16)

Full Changelog

Changed

• Validate current window origin and redirecturi origin to prevent mismatches #615 (luisrudge)

v9.0.3 (2018-01-15)

Full Changelog

Fixed

• Use window.location.origin instead of window.origin #627 (thoean)
• Do not consider a load event valid if protocol is "about:" #619 (damien-gl)

v9.0.2 (2017-12-29)

Full Changelog

Fixed

• Blacklisting invalid params in authorize url #611 (luisrudge)

v9.0.1 (2017-12-26)

Full Changelog

Changed

• setting getSSOData timeout to 5s #602 (luisrudge)

v9.0.0 (2017-12-21)

Full Changelog

Breaking change Auth0.js v9 uses our latest embedded login API. This version removes API calls to usernamepassword/login and user/ssodata and is not supported in centralized login scenarios (i.e. Hosted Login Pages). If you are using a Hosted Login Page, keep using Auth0.js v8.

The scenarios below use a mix of Cross Origin Authentication and WebAuth.checkSession. Read more about Cross Origin Authentication and how to enable Web Origins here.

We wrote a Migration Guide to make upgrading your app easy. If you need help, please reach out to our amazing support team at https://support.auth0.com.

Breaking change WebAuth.client.getSSOData now uses WebAuth.checkSession and a local cache to obtain the resulting data.

Breaking change WebAuth.client.loginWithCredentials now uses Cross Origin Authentication to handle authentication requests.

Breaking change WebAuth.client.signupAndLogin now uses Cross Origin Authentication to handle the authentication request after the signup.

Breaking change WebAuth.popup.loginWithCredentials now uses Cross Origin Authentication and WebAuth.checkSession to handle authentication requests without making a page redirect.

v8.10.1 (2017-09-19)

Full Changelog

Changed

• Removing renewSession and keeping only checkSession #505 (luisrudge)

v8.10.0 (2017-09-18)

Full Changelog

Added

• Adding web_message flow #500 (luisrudge)

Fixed

• Fixing tenant override in popup mode #501 (luisrudge)
• Allow overriding the timeout as part of the renewAuth method #497 (dctoon)

v8.9.3 (2017-08-21)

Full Changelog

Fixed

• Using transaction manager on passwordlessStart #492 (luisrudge)

v8.9.2 (2017-08-17)

Full Changelog

Fixed

• Fix passwordlessVerify not sending nonce #489 (luisrudge)

v8.9.1 (2017-08-11)

Full Changelog

Fixed

• Fixed credentialType url #487 (luisrudge)

v8.9.0 (2017-08-10)

Full Changelog

Added

• Add flag to retry requests #484 (luisrudge)
• Add cross-origin-auth support to Passwordless #482 (luisrudge)

Changed

• Avoid snake casing of metadata on signup #475 (hzalaz)

Fixed

• Send empty verifier when can't access sessionStorage #470 (luisrudge)

v8.8.0 (2017-06-20)

Full Changelog

Changed

• Update idtoken-verifier #458 (hzalaz)

Fixed

• Fix passwordless inside hosted login page #459 (hzalaz)

v8.7.0 (2017-05-24)

Full Changelog

Added

• Adding scope to the parsed hash object #434 (luisrudge)
• Add option to filter iframe events to prevent incorrect events triggering callbacks #432 (aaronchilcott)
• Adding cross-origin-auth sessionless flow #431 (luisrudge)
• Adding new LoginTicket flow (with session) #426 (hzalaz)

Changed

• Sending all /co/authenticate errors to the error callback #443 (luisrudge)
• Fix some examples and docs + using https everywhere #436 (luisrudge)

Fixed

• Add login_ticket to params whitelist #442 (luisrudge)
• Fix decoding base64 string with special characters #440 (luisrudge)
• Fixed issues with overrides not being used #430 (sandrinodimattia)

v8.6.1 (2017-05-08)

Full Changelog

Fixed

• Fix postMessage handler to handle parsed objects as well #420 (luisrudge)

v8.6.0 (2017-04-24)

Full Changelog

Fixed

• Fixed nonce checking on renewAuth method #413 (luisrudge)
• Fixed 'qs' dependency #401 (maxpaj)

v8.5.0 (2017-03-27)

Full Changelog

Changed

• Improve jsdocs #393 (hzalaz)

Fixed

• Fixing error handling for when the error comes as a successful response from WinChan #395 (luisrudge)
• Correct spelling mistake in web-auth JSDoc resulting in incorrect autocomplete suggestions #388 (Geeman201)

v8.4.0 (2017-03-13)

Full Changelog Closed issues

• winchanOptions missing parameters #378
• 'Nonce does not match' error when state data contains '=' encoded as %3D #377

Added

• Added possibility to specify custom popup size #379 (artemtool)

Changed

• Whitelist resource owner parameters #386 (hzalaz)
• Only allow to be used in node 6.9 or later #385 (hzalaz)
• Restrict what popupOptions fields are used #383 (hzalaz)
• Replace querystring implementation with qs module #382 (selaux)
• Deprecation warning: webauth.login → webauth.authorize #367 (dtinth)

Fixed

• Pass to popup the needed params for auth #381 (hzalaz)

v8.3.0 (2017-03-01)

Full Changelog

Added

• Integration tests #346 (glena)
• Whitelist nonce, state, _csrf and _instate from constructor #345 (glena)
• Added flag to disable id_token verification for legacy Auth0 Applications #341 (glena)
• Popup no owp #337 (glena)

Changed

• Remove warnings around refreshing session #353 (hzalaz)
• Updated passwordless start jsdocs #340 (glena)

Fixed

• Only parse cordova callback hash #370 (hzalaz)

v8.2.0 (2017-01-30)

Full Changelog

Added

• Plugins support + cordova plugin #333 (glena)

Fixed

• popup.authorize should not require redirectURI when using OWP #336 (glena)

v8.1.3 (2017-01-23)

Full Changelog

Fixed

• Fix case convertion of null values #329 (glena)

v8.1.2 (2017-01-19)

Full Changelog

Fixed

• Fixed params whitelist for authorize endpoint #324 (glena)

v8.1.1 (2017-01-17)

Full Changelog

Changed

• Removed state requirement #321 (glena)

Removed

• Revert "Fallback to math.random if there is no crypto support" #320 (glena)

Fixed

• Fix undefined variable #319 (glena)

v8.1.0 (2017-01-17)

Full Changelog

Added

• Fallback to math.random if there is no crypto support #316 (glena)

Fixed

• Fix passwordless #315 (glena)
• Passwordless start: map params to authParams and fix tests #306 (glena)
• Fix transaction usage to delete what is stored in local storage #298 (glena)

Breaking changes

• Do not change casing of the user profile object #307 (glena)

v8.0.4 (2017-01-06)

Full Changelog

Fixed

• Fix undefined valud in for #295 (glena)

v8.0.3 (2017-01-06)

Full Changelog

Added

• Add the option to provide a leeway #292 (glena)

v8.0.2 (2017-01-05)

Full Changelog

Fixed

• Polyfill functions #285 (glena)

v8.0.1 (2017-01-04)

Full Changelog

Fixed

• Fix getSSOData failing due to extra headers #284 (glena)

v8.0.0 (2017-01-03)

Full Changelog

In v8 auth0.js is divided in three different components:

• WebAuth: Handles all AuthN/AuthZ flows with redirect/popup inside the browser and related Auth API endpoints, e.g. /logout.
• AuthenticationAPI: Helper methods for calling Auth0 Authentication API
• ManagementAPI: Helper methods for calling Auth0 Management API

To get started you can just create a WebAuth instance like this

var auth0 = new auth0.WebAuth({
  domain: '{YOUR_AUTH0_DOMAIN}',
  clientID: '{YOUR_AUTH0_CLIENT_ID}'
});

Since auth0.js is intended to be used in javascript clients running in the browser most of the times an instance of WebAuth is needed.

And if you ever need to perform an xhr request to Auth0 Authentication API, WebAuth exposes an instance of AuthenticationAPI

auth0.client.userInfo(accessToken, function (error, userInfo) {
  // User information or error
});

Added

• add token validation and signature verification to the parseHash method #278 (glena)
• Add method to signup and login using password-realm #277 (glena)

Breaking changes

• Rename methods based on authN and authZ type #280 (glena)

v8.0.0-beta.3 (2016-12-19)

Full Changelog

Fixed

• special handling for popup error responses #276 (glena)

v8.0.0-beta.2 (2016-12-16)

Full Changelog

Added

• Cookie fallback for storage #270 (glena)

Fixed

• Return policy attr in errors + responseType validation #273 (glena)

v8.0.0-beta.1 (2016-12-14)

Full Changelog

Added

• Add get user country method for passwordless #267 (glena)
• Login with password realm grant via /oauth/token #265 (glena)

Changed

• Add standard fields to parseHash and normalize responses to camelCase #261 (glena)
• Add Whitelist of authorize parameters #258 (glena)

Fixed

• Send cookies on CORS call #259 (glena)

v8.0.0-alpha.2 (2016-12-05)

Full Changelog

Closed issues

• redirectUri should not be mandatory in the constructor #249
• responseMode should be part of the constructor params #247
• Check if all the methods accepts the same parames from constructor #246

Added

• Preload window for popup signup and login #256 (glena)
• Quirks mode and deprecations warning #255 (glena)
• Added responseMode, all methods uses the same params from construct, redirectUri is not mandatory #253 (glena)
• Added sso data client #251 (glena)
• V8 Popup mode #245 (glena)
• Added nonce and status to mitigate replay attacks #244 (glena)

Changed

• Fix nonce mismatch check #254 (glena)

v8.0.0-alpha.1 (2016-11-21)

Full Changelog

Added

• Change webauth structure + Allow to abort requests #240 (glena)
• added extra options + snake to camel all the options #236 (glena)
• V8: Signup and passwordless #232 (glena)
• Webauth redirect login/callback #231 (glena)