Skip to main content

Get credentials

1

Create an application

Go to the Auth0 dashboard and create a Regular Web Application.Set the Allowed Callback URL to:
https://your-app.com/api/kavach/auth/oauth/callback/auth0
2

Copy your credentials

From the application settings, copy the Domain, Client ID, and Client Secret.Your domain looks like your-tenant.auth0.com.

Configuration

lib/kavach.ts
import { createKavach } from 'kavachos';
import { oauth, auth0Provider } from 'kavachos/auth';

const kavach = await createKavach({
  database: { provider: 'postgres', url: process.env.DATABASE_URL! },
  secret: process.env.KAVACH_SECRET!,
  baseUrl: 'https://your-app.com',
  plugins: [
    oauth({
      providers: [
        auth0Provider(
          process.env.AUTH0_DOMAIN!,       // your-tenant.auth0.com
          process.env.AUTH0_CLIENT_ID!,
          process.env.AUTH0_CLIENT_SECRET!,
        ),
      ],
    }),
  ],
});

AUTH0_DOMAIN=your-tenant.auth0.com
AUTH0_CLIENT_ID=...
AUTH0_CLIENT_SECRET=...

Scopes

Default scopes: openid, profile, email
ScopeWhat it unlocks
openidOIDC authentication, issues ID token
profileName, picture, and profile metadata
emailEmail address and verification status
offline_accessRefresh token support
Auth0 supports custom scopes and roles via the Management API. Standard OIDC scopes work out of the box.

Endpoints

MethodPathDescription
GET/auth/oauth/authorize/auth0Redirect to Auth0
GET/auth/oauth/callback/auth0Handle callback
Last modified on April 17, 2026