Skip to main content
You can add login to your native, mobile, or single-page app using the Authorization Code Flow with PKCE. To learn how the flow works and why you should use it, read Authorization Code Flow with Proof Key for Code Exchange (PKCE). To learn how to call your API from a native, mobile, or single-page app, read Call Your API Using Authorization Code Flow with PKCE. To implement the Authorization Code Flow with Proof Key for Code Exchange (PKCE), you can use the following resources: Following successful login, your application will have access to the user’s and . The ID token will contain basic user profile information, and the access token can be used to call the Auth0 /userinfo endpoint or your own protected APIs. To learn more about ID tokens, read ID Tokens. To learn more about access tokens, read Access Tokens.

Prerequisites

Register your app with Auth0. To learn more, read Register Native Applications or Register Single-Page Web Applications.
  • Select an Application Type of Native or Single-Page App, depending on your application type.
  • Add an Allowed Callback URL of YOUR_CALLBACK_URL. Your callback URL format will vary depending on your application type and platform. For details about the format for your application type and platform, see our Native/Mobile Quickstarts and Single-Page App Quickstarts.
  • Make sure your application’s Grant Types include Authorization Code. To learn more, read Update Grant Types.

Create code verifier

Create a code_verifier, which is a cryptographically-random, Base64-encoded key that will eventually be sent to Auth0 to request tokens. To learn more about the algorithm to create the code_verifier, read section 4.1 Client Creates a Code Verifier of the Proof Key for Code Exchange spec.

Javascript sample

Java sample

Android sample

Swift 5 sample

Objective-C sample

Create code challenge

Generate a code_challenge from the code_verifier that will be sent to Auth0 to request an authorization_code. To learn more about how the code_challenge is derived from the code_verifier, read section 4.2 Client Creates the Code Challenge of the OAuth Proof Key for Code Exchange spec.

Javascript sample

Java sample

Swift 5 sample

Objective-C sample

Authorize user

Request the user’s authorization and redirect back to your app with an authorization_code. Once you’ve created the code_verifier and the code_challenge, you must get the user’s authorization. This is technically the beginning of the , and this step may include one or more of the following processes: * Authenticating the user; * Redirecting the user to an to handle authentication; * Checking for active Single Sign-on (SSO) sessions; * Obtaining user consent for the requested permission level, unless consent has been previously given. To authorize the user, your app must send the user to the authorization URL, including the code_challenge you generated in the previous step and the method you used to generate the code_challenge.

Authorization URL example

Parameters

As an example, your HTML snippet for your authorization URL when adding login to your app might look like:

Response

If all goes well, you’ll receive an HTTP 302 response. The authorization code is included at the end of the URL:

Request tokens

Exchange your authorization_code and code_verifier for tokens. Now that you have an Authorization Code, you must exchange it for tokens. Using the extracted Authorization Code (code) from the previous step, you will need to POST to the token URL sending along the code_verifier.

POST to token URL example

Parameters

Response

If all goes well, you’ll receive an HTTP 200 response with a payload containing access_token, refresh_token, id_token, and token_type values:
Validate your tokens before saving them. To learn how, read Validate ID Tokens and Validate Access Tokens.
ID tokens contain user information that must be decoded and extracted. Access tokens are used to call the Auth0 Authentication API’s /userinfo endpoint or another API. If you are calling your own API, the first thing your API will need to do is verify the Access token. Refresh tokens are used to obtain a new access token or ID token after the previous one has expired. The refresh_token will only be present in the response if you included the offline_access scope and enabled Allow Offline Access for your API in the Dashboard.
Refresh tokens must be stored securely since they allow a user to remain authenticated essentially forever.

Use cases

Basic authentication request

This example shows the most basic request you can make when authorizing the user in step 1. It displays the Auth0 login screen and allows the user to sign in with any of your configured connections: Now, when you request tokens, your ID Token will contain the most basic claims. When you decode the ID Token, it will look similar to:

Request user’s name and profile picture

In addition to the usual user authentication, this example shows how to request additional user details, such as name and picture. To request the user’s name and picture, you need to add the appropriate scopes when authorizing the user: Now, when you request tokens, your ID token will contain the requested name and picture claims. When you decode the ID token, it will look similar to:

Request user log in with GitHub

In addition to the usual user authentication, this example shows how to send users directly to a social identity provider, such as GitHub. For this example to work, you need to go to Auth0 Dashboard > Authentication > Social and configure the appropriate connection. Get the connection name from the Settings tab. To send users directly to the GitHub login screen, you need to pass the connection parameter and set its value to the connection name (in this case, github) when authorizing the user: Now, when you request tokens, your ID token will contain a sub claim with the user’s unique ID returned from GitHub. When you decode the ID token, it will look similar to:

Learn more