Auth0

Auth0 is an identity-as-a-service platform providing authentication, authorization, and SSO for web and mobile applications. Scripts handle login flows, token management, and session persistence using Auth0's Universal Login. Integrates with social providers, enterprise IdPs, and MFA to secure application access.

Overview

Auth0, an Okta company, is an identity-as-a-service platform that provides authentication, authorization, and single sign-on (SSO) infrastructure for web and mobile applications. Developers integrate Auth0 to handle login flows, user registration, multi-factor authentication (MFA), social login, and enterprise identity provider (IdP) federation — offloading the complexity and security risk of building authentication in-house. Auth0 powers the login experience for thousands of applications across enterprise, startup, and consumer contexts.

What This Script Does

The Auth0 JavaScript SDK (cdn.auth0.com/js/auth0-spa-js/*/auth0-spa-js.production.js) and Auth0's Universal Login page manage the full authentication lifecycle:

Login and session management

  • Renders login forms (email/password, social provider buttons) either inline using Auth0.js or via a redirect to Auth0's hosted Universal Login page at {tenant}.auth0.com
  • After successful authentication, issues access tokens, ID tokens (JWTs), and optionally refresh tokens
  • Persists session state in two places: the auth0 session cookie (server-side, HTTPOnly, scoped to the Auth0 tenant domain) and the auth0.{clientId}.is.authenticated entry in localStorage (client-side, on the application domain, used by the SPA SDK to track login state; this is a localStorage item, not a cookie)
  • Manages silent authentication via hidden iframes to refresh tokens without user interaction
  • Sets CSRF protection cookies (_csrf) scoped to the Auth0 domain to prevent cross-site request forgery during login flows

Multi-factor authentication

  • Orchestrates MFA challenges: TOTP (Google Authenticator), SMS OTP, push notifications, and WebAuthn/FIDO2 hardware keys
  • MFA state is managed via short-lived session cookies during the authentication flow

Social and enterprise login

  • Redirects to external identity providers (Google, Microsoft, GitHub, SAML IdPs, LDAP/AD) and handles the OAuth 2.0 / OIDC callback
  • Normalizes user profiles from external providers into a consistent Auth0 user object

Consent & Compliance

  • Category: Essential — authentication is strictly necessary for accessing protected application functionality
  • GDPR: Auth0 cookies are essential for authentication and session management. They do not require consent under GDPR — authentication is necessary for the performance of a service contract (Article 6(1)(b)). Consent is not the appropriate legal basis for essential authentication cookies.
  • Data transfers: Auth0/Okta is a US company. Authentication data (user credentials, tokens, profile data) is processed in the US and optionally in EU data centers. Auth0 offers Private Cloud deployments and EU-region tenants for data residency. EU-US Data Privacy Framework applies.
  • Security posture: Auth0 is SOC 2 Type II certified, ISO 27001 certified, and HIPAA compliant. Its infrastructure is a high-value security target — organizations should enable anomaly detection, brute-force protection, and MFA enforcement in Auth0 settings.
  • Cookies set: auth0 (session, HTTPOnly, Auth0 domain), _csrf (session, Auth0 domain), auth0.{clientId}.is.authenticated (localStorage, application domain, 3 days by default)

Should You Block This Without Consent?

No consent required. Auth0 is an essential authentication service. Its cookies and scripts are necessary to operate the login system and maintain user sessions — they are exempt from consent requirements under GDPR and ePrivacy. Include Auth0 in your privacy policy as an infrastructure processor, but do not gate it behind a consent banner.

Consent Categories

Essential
Functional

Also Known As

Auth0
Okta Auth0
authentication SDK
SSO cookies
identity platform
Universal Login

Industries

Computers Electronics and Technology

Tracked Domains (1)

cdn.auth0.com (Essential)

Frequently Asked Questions

Does Auth0 require user consent before loading?

No. Auth0 is essential authentication infrastructure. Its cookies and scripts are strictly necessary for login and session management. Under GDPR, authentication is supported by contractual necessity rather than consent. Do not gate Auth0 behind a consent banner.

What cookies does Auth0 set?

Auth0 sets an HTTPOnly session cookie on the Auth0 tenant domain for server-side session management, a CSRF protection cookie during login flows, and an auth0.{clientId}.is.authenticated entry in localStorage on the application domain, persisted for 3 days by default.

How does ConsentStack treat Auth0?

ConsentStack classifies Auth0 as essential, meaning its scripts and cookies are always permitted regardless of the visitor's consent choices. Auth0 is listed in the privacy policy as an infrastructure processor, but it is never blocked by ConsentStack's consent enforcement layer.

Related Vendors

Firebase
Firebase is Google's mobile and web application development platform offering authentication, real-time database, cloud functions, and analytics. Web SDK scripts initialize Firebase services and may track app events via Firebase Analytics, which is powered by Google Analytics 4. Widely used in single-page apps and PWAs for backend infrastructure and usage tracking.
Google
Google is the dominant provider of web analytics, advertising, and infrastructure tools. Scripts like Google Analytics, Tag Manager, Ads, and reCAPTCHA collect behavioral data, manage tag firing, serve targeted ads, and detect bots. Sets persistent cookies to track users and correlate activity across sites.
Google Tag Manager
Google Tag Manager is a tag management system that lets marketers deploy and update analytics and marketing scripts without code changes. The GTM container script loads synchronously in the page head and injects configured tags, triggers, and variables on behalf of other vendors. No data collection of its own; it acts as a loader for other scripts.
Google Fonts
Google Fonts is a free font hosting service that serves hundreds of typeface families via a global CDN. Stylesheets and font files load from fonts.googleapis.com and fonts.gstatic.com to deliver web fonts to visitors. No advertising or tracking functionality is included.
reCAPTCHA
Google reCAPTCHA is a bot detection and spam prevention service protecting web forms, login pages, and checkout flows. Scripts analyze user behavior, mouse movements, and browser fingerprints to distinguish humans from bots. The invisible reCAPTCHA v3 scores interactions without requiring user challenges.
Sign in with Google
Sign in with Google is an OAuth-based authentication service that enables users to log into websites using their Google account credentials. Scripts load the Google Identity Services library, display sign-in buttons, and handle token exchange for secure authentication. Stores session tokens and authentication cookies to maintain login state across page visits.

Manage consent for Auth0

ConsentStack automatically detects and manages Auth0 trackers so your site stays compliant with global privacy regulations.