> ## Documentation Index
> Fetch the complete documentation index at: https://docs.kavachos.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Auth0

> Authenticate users via Auth0 OIDC with `auth0Provider`. Pass your tenant domain and client credentials to attach Auth0-issued tokens to a KavachOS session.

## Get credentials

<Steps>
  <Step>
    ### Create an application

    Go to the [Auth0 dashboard](https://manage.auth0.com) and create a **Regular Web Application**.

    Set the **Allowed Callback URL** to:

    ```
    https://your-app.com/api/kavach/auth/oauth/callback/auth0
    ```
  </Step>

  <Step>
    ### Copy your credentials

    From the application settings, copy the **Domain**, **Client ID**, and **Client Secret**.

    Your domain looks like `your-tenant.auth0.com`.
  </Step>
</Steps>

## Configuration

```typescript title="lib/kavach.ts" theme={"system"}
import { createKavach } from 'kavachos';
import { oauth, auth0Provider } from 'kavachos/auth';

const kavach = await createKavach({
  database: { provider: 'postgres', url: process.env.DATABASE_URL! },
  secret: process.env.KAVACH_SECRET!,
  baseUrl: 'https://your-app.com',
  plugins: [
    oauth({
      providers: [
        auth0Provider(
          process.env.AUTH0_DOMAIN!,       // your-tenant.auth0.com
          process.env.AUTH0_CLIENT_ID!,
          process.env.AUTH0_CLIENT_SECRET!,
        ),
      ],
    }),
  ],
});
```

```bash theme={"system"}
AUTH0_DOMAIN=your-tenant.auth0.com
AUTH0_CLIENT_ID=...
AUTH0_CLIENT_SECRET=...
```

## Scopes

Default scopes: `openid`, `profile`, `email`

| Scope            | What it unlocks                       |
| ---------------- | ------------------------------------- |
| `openid`         | OIDC authentication, issues ID token  |
| `profile`        | Name, picture, and profile metadata   |
| `email`          | Email address and verification status |
| `offline_access` | Refresh token support                 |

<Info>
  Auth0 supports custom scopes and roles via the Management API. Standard OIDC scopes work out of the box.
</Info>

## Endpoints

| Method | Path                          | Description       |
| ------ | ----------------------------- | ----------------- |
| GET    | `/auth/oauth/authorize/auth0` | Redirect to Auth0 |
| GET    | `/auth/oauth/callback/auth0`  | Handle callback   |