import { Auth0ClientOptions, RedirectLoginOptions, PopupLoginOptions, PopupConfigOptions, RedirectLoginResult, GetTokenSilentlyOptions, GetTokenWithPopupOptions, LogoutOptions, User, IdToken, GetTokenSilentlyVerboseResponse, TokenEndpointResponse, ConnectAccountRedirectResult, RedirectConnectAccountOptions, ClientConfiguration, RevokeRefreshTokenOptions } from './global'; import { CustomTokenExchangeOptions } from './TokenExchange'; import { Dpop } from './dpop/dpop'; import { Fetcher, type FetcherConfig, type CustomFetchMinimalOutput } from './fetcher'; import { MfaApiClient } from './mfa'; /** * Auth0 SDK for Single Page Applications using [Authorization Code Grant Flow with PKCE](https://auth0.com/docs/api-auth/tutorials/authorization-code-grant-pkce). */ export declare class Auth0Client { private readonly transactionManager; private readonly cacheManager; private readonly lockManager; private readonly domainUrl; private readonly tokenIssuer; private readonly scope; private readonly cookieStorage; private readonly dpop; private readonly sessionCheckExpiryDays; private readonly orgHintCookieName; private readonly isAuthenticatedCookieName; private readonly nowProvider; private readonly httpTimeoutMs; private readonly options; private readonly userCache; private readonly myAccountApi; /** * MFA API client for multi-factor authentication operations. * * Provides methods for: * - Listing enrolled authenticators * - Enrolling new authenticators (OTP, SMS, Voice, Push, Email) * - Initiating MFA challenges * - Verifying MFA challenges */ readonly mfa: MfaApiClient; private worker?; private readonly authJsClient; private readonly defaultOptions; constructor(options: Auth0ClientOptions); /** * Returns a readonly copy of the initialization configuration. * * @returns An object containing domain and clientId * * @example * ```typescript * const auth0 = new Auth0Client({ * domain: 'tenant.auth0.com', * clientId: 'abc123' * }); * * const config = auth0.getConfiguration(); * // { domain: 'tenant.auth0.com', clientId: 'abc123' } * ``` */ getConfiguration(): Readonly; private _url; private _authorizeUrl; private _verifyIdToken; private _processOrgHint; /** * Extracts the session transfer token from the current URL query parameters * for Native to Web SSO flows. * * @param paramName The query parameter name to extract from the URL * @returns The session transfer token if present, undefined otherwise */ private _extractSessionTransferToken; /** * Clears the session transfer token from the current URL using the History API. * This prevents the token from being re-sent on subsequent authentication requests, * which is important since session transfer tokens are typically single-use. * * @param paramName The query parameter name to remove from the URL */ private _clearSessionTransferTokenFromUrl; /** * Applies the session transfer token from the URL to the authorization parameters * if configured and not already provided. * * @param authorizationParams The authorization parameters to enhance * @returns The authorization parameters with session_transfer_token added if applicable */ private _applySessionTransferToken; private _prepareAuthorizeUrl; /** * ```js * try { * await auth0.loginWithPopup(options); * } catch(e) { * if (e instanceof PopupCancelledError) { * // Popup was closed before login completed * } * } * ``` * * Opens a popup with the `/authorize` URL using the parameters * provided as arguments. Random and secure `state` and `nonce` * parameters will be auto-generated. If the response is successful, * results will be valid according to their expiration times. * * IMPORTANT: This method has to be called from an event handler * that was started by the user like a button click, for example, * otherwise the popup will be blocked in most browsers. * * @param options * @param config */ loginWithPopup(options?: PopupLoginOptions, config?: PopupConfigOptions): Promise; /** * ```js * const user = await auth0.getUser(); * ``` * * Returns the user information if available (decoded * from the `id_token`). * * @typeparam TUser The type to return, has to extend {@link User}. */ getUser(): Promise; /** * ```js * const claims = await auth0.getIdTokenClaims(); * ``` * * Returns all claims from the id_token if available. */ getIdTokenClaims(): Promise; /** * ```js * await auth0.loginWithRedirect(options); * ``` * * Performs a redirect to `/authorize` using the parameters * provided as arguments. Random and secure `state` and `nonce` * parameters will be auto-generated. * * @param options */ loginWithRedirect(options?: RedirectLoginOptions): Promise; /** * After the browser redirects back to the callback page, * call `handleRedirectCallback` to handle success and error * responses from Auth0. If the response is successful, results * will be valid according to their expiration times. */ handleRedirectCallback(url?: string): Promise | ConnectAccountRedirectResult>; /** * Handles the redirect callback from the login flow. * * @template AppState - The application state persisted from the /authorize redirect. * @param {string} authenticationResult - The parsed authentication result from the URL. * @param {string} transaction - The login transaction. * * @returns {RedirectLoginResult} Resolves with the persisted app state. * @throws {GenericError | Error} If the transaction is missing, invalid, or the code exchange fails. */ private _handleLoginRedirectCallback; /** * Handles the redirect callback from the connect account flow. * This works the same as the redirect from the login flow expect it verifies the `connect_code` * with the My Account API rather than the `code` with the Authorization Server. * * @template AppState - The application state persisted from the connect redirect. * @param {string} connectResult - The parsed connect accounts result from the URL. * @param {string} transaction - The login transaction. * @returns {Promise} The result of the My Account API, including any persisted app state. * @throws {GenericError | MyAccountApiError} If the transaction is missing, invalid, or an error is returned from the My Account API. */ private _handleConnectAccountRedirectCallback; /** * ```js * await auth0.checkSession(); * ``` * * Check if the user is logged in using `getTokenSilently`. The difference * with `getTokenSilently` is that this doesn't return a token, but it will * pre-fill the token cache. * * This method also heeds the `auth0.{clientId}.is.authenticated` cookie, as an optimization * to prevent calling Auth0 unnecessarily. If the cookie is not present because * there was no previous login (or it has expired) then tokens will not be refreshed. * * It should be used for silently logging in the user when you instantiate the * `Auth0Client` constructor. You should not need this if you are using the * `createAuth0Client` factory. * * **Note:** the cookie **may not** be present if running an app using a private tab, as some * browsers clear JS cookie data and local storage when the tab or page is closed, or on page reload. This effectively * means that `checkSession` could silently return without authenticating the user on page refresh when * using a private tab, despite having previously logged in. As a workaround, use `getTokenSilently` instead * and handle the possible `login_required` error [as shown in the readme](https://github.com/auth0/auth0-spa-js#creating-the-client). * * @param options */ checkSession(options?: GetTokenSilentlyOptions): Promise; /** * Fetches a new access token and returns the response from the /oauth/token endpoint, omitting the refresh token. * * @param options */ getTokenSilently(options: GetTokenSilentlyOptions & { detailedResponse: true; }): Promise; /** * Fetches a new access token and returns it. * * @param options */ getTokenSilently(options?: GetTokenSilentlyOptions): Promise; private _getTokenSilently; /** * Checks if an error should be handled by the interactive error handler. * Matches: * - MfaRequiredError (refresh token path, error='mfa_required') * - GenericError from iframe path (error='login_required', * error_description='Multifactor authentication required') * Extensible for future interactive error types. */ private _isInteractiveError; /** * Checks if a login_required error from the iframe flow is actually * an MFA step-up requirement. The /authorize endpoint returns * error='login_required' with error_description='Multifactor authentication required' * when MFA is needed but prompt=none prevents interaction. */ private _isIframeMfaError; /** * Handles MFA errors by opening a popup to complete authentication, * then reads the resulting token from cache. */ private _handleInteractiveErrorWithPopup; /** * ```js * const token = await auth0.getTokenWithPopup(options); * ``` * Opens a popup with the `/authorize` URL using the parameters * provided as arguments. Random and secure `state` and `nonce` * parameters will be auto-generated. If the response is successful, * results will be valid according to their expiration times. * * @param options * @param config */ getTokenWithPopup(options?: GetTokenWithPopupOptions, config?: PopupConfigOptions): Promise; /** * ```js * const isAuthenticated = await auth0.isAuthenticated(); * ``` * * Returns `true` if there's valid information stored, * otherwise returns `false`. * */ isAuthenticated(): Promise; /** * ```js * await auth0.buildLogoutUrl(options); * ``` * * Builds a URL to the logout endpoint using the parameters provided as arguments. * @param options */ private _buildLogoutUrl; /** * ```js * await auth0.revokeRefreshToken(); * ``` * * Revokes the refresh token using the `/oauth/revoke` endpoint. * This invalidates the refresh token so it can no longer be used to obtain new access tokens. * * The method works with both memory and localStorage cache modes: * - For memory storage with worker: The refresh token never leaves the worker thread, * maintaining security isolation * - For localStorage: The token is retrieved from cache and revoked * * If `useRefreshTokens` is disabled, this method does nothing. * * **Important:** This method revokes the refresh token for a single audience. If your * application requests tokens for multiple audiences, each audience may have its own * refresh token. To fully revoke all refresh tokens, call this method once per audience. * If you want to terminate the user's session entirely, use `logout()` instead. * * When using Multi-Resource Refresh Tokens (MRRT), a single refresh token may cover * multiple audiences. In that case, revoking it will affect all cache entries that * share the same token. * * @param options - Optional parameters to identify which refresh token to revoke. * Defaults to the audience configured in `authorizationParams`. * * @example * // Revoke the default refresh token * await auth0.revokeRefreshToken(); * * @example * // Revoke refresh tokens for each audience individually * await auth0.revokeRefreshToken({ audience: 'https://api.example.com' }); * await auth0.revokeRefreshToken({ audience: 'https://api2.example.com' }); */ revokeRefreshToken(options?: RevokeRefreshTokenOptions): Promise; /** * ```js * await auth0.logout(options); * ``` * * Clears the application session and performs a redirect to `/v2/logout`, using * the parameters provided as arguments, to clear the Auth0 session. * * If the `federated` option is specified it also clears the Identity Provider session. * [Read more about how Logout works at Auth0](https://auth0.com/docs/logout). * * @param options */ logout(options?: LogoutOptions): Promise; private _getTokenFromIFrame; private _getTokenUsingRefreshToken; private _saveEntryInCache; private _getIdTokenFromCache; private _getEntryFromCache; private _requestToken; /** * ```js * await auth0.loginWithCustomTokenExchange(options); * ``` * * Exchanges an external subject token for Auth0 tokens and logs the user in. * This method implements the Custom Token Exchange grant as specified in RFC 8693. * * The exchanged tokens are automatically cached, establishing an authenticated session. * After calling this method, you can use `getUser()`, `getIdTokenClaims()`, and * `getTokenSilently()` to access the user's information and tokens. * * @param {CustomTokenExchangeOptions} options - The options required to perform the token exchange. * * @returns {Promise} A promise that resolves to the token endpoint response, * which contains the issued Auth0 tokens (access_token, id_token, etc.). * * The request includes the following parameters: * - `grant_type`: "urn:ietf:params:oauth:grant-type:token-exchange" * - `subject_token`: The external token to exchange * - `subject_token_type`: The type identifier of the external token * - `scope`: Merged scopes from the request and SDK defaults * - `audience`: Target audience (defaults to SDK configuration) * - `organization`: Optional organization ID/name for org-scoped authentication * * **Example Usage:** * * ```js * const options = { * subject_token: 'eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp...', * subject_token_type: 'urn:acme:legacy-system-token', * scope: 'openid profile email', * audience: 'https://api.example.com', * organization: 'org_12345' * }; * * try { * const tokenResponse = await auth0.loginWithCustomTokenExchange(options); * console.log('Access token:', tokenResponse.access_token); * * // User is now logged in - access user info * const user = await auth0.getUser(); * console.log('Logged in user:', user); * } catch (error) { * console.error('Token exchange failed:', error); * } * ``` */ loginWithCustomTokenExchange(options: CustomTokenExchangeOptions): Promise; /** * @deprecated Use `loginWithCustomTokenExchange()` instead. This method will be removed in the next major version. * * Exchanges an external subject token for Auth0 tokens. * * @param {CustomTokenExchangeOptions} options - The options required to perform the token exchange. * @returns {Promise} A promise that resolves to the token endpoint response. * * **Example:** * ```js * // Instead of: * const tokens = await auth0.exchangeToken(options); * * // Use: * const tokens = await auth0.loginWithCustomTokenExchange(options); * ``` */ exchangeToken(options: CustomTokenExchangeOptions): Promise; protected _assertDpop(dpop: Dpop | undefined): asserts dpop is Dpop; /** * Returns the current DPoP nonce used for making requests to Auth0. * * It can return `undefined` because when starting fresh it will not * be populated until after the first response from the server. * * It requires enabling the {@link Auth0ClientOptions.useDpop} option. * * @param nonce The nonce value. * @param id The identifier of a nonce: if absent, it will get the nonce * used for requests to Auth0. Otherwise, it will be used to * select a specific non-Auth0 nonce. */ getDpopNonce(id?: string): Promise; /** * Sets the current DPoP nonce used for making requests to Auth0. * * It requires enabling the {@link Auth0ClientOptions.useDpop} option. * * @param nonce The nonce value. * @param id The identifier of a nonce: if absent, it will set the nonce * used for requests to Auth0. Otherwise, it will be used to * select a specific non-Auth0 nonce. */ setDpopNonce(nonce: string, id?: string): Promise; /** * Returns a string to be used to demonstrate possession of the private * key used to cryptographically bind access tokens with DPoP. * * It requires enabling the {@link Auth0ClientOptions.useDpop} option. */ generateDpopProof(params: { url: string; method: string; nonce?: string; accessToken: string; }): Promise; /** * Returns a new `Fetcher` class that will contain a `fetchWithAuth()` method. * This is a drop-in replacement for the Fetch API's `fetch()` method, but will * handle certain authentication logic for you, like building the proper auth * headers or managing DPoP nonces and retries automatically. * * Check the `EXAMPLES.md` file for a deeper look into this method. */ createFetcher(config?: FetcherConfig): Fetcher; /** * Initiates a redirect to connect the user's account with a specified connection. * This method generates PKCE parameters, creates a transaction, and redirects to the /connect endpoint. * * You must enable `Offline Access` from the Connection Permissions settings to be able to use the connection with Connected Accounts. * * @template TAppState - The application state to persist through the transaction. * @param {RedirectConnectAccountOptions} options - Options for the connect account redirect flow. * @param {string} options.connection - The name of the connection to link (e.g. 'google-oauth2'). * @param {string[]} [options.scopes] - Array of scopes to request from the Identity Provider during the connect account flow. * @param {AuthorizationParams} [options.authorization_params] - Additional authorization parameters for the request to the upstream IdP. * @param {string} [options.redirectUri] - The URI to redirect back to after connecting the account. * @param {TAppState} [options.appState] - Application state to persist through the transaction. * @param {(url: string) => Promise} [options.openUrl] - Custom function to open the URL. * * @returns {Promise} Resolves when the redirect is initiated. * @throws {MyAccountApiError} If the connect request to the My Account API fails. */ connectAccountWithRedirect(options: RedirectConnectAccountOptions): Promise; /** * @internal * Internal method used by MfaApiClient to exchange MFA tokens for access tokens. * This method should not be called directly by applications. */ _requestTokenForMfa(options: { grant_type: string; mfaToken: string; scope?: string; audience?: string; otp?: string; binding_code?: string; oob_code?: string; recovery_code?: string; }, additionalParameters?: RequestTokenAdditionalParameters): Promise; } interface RequestTokenAdditionalParameters { nonceIn?: string; organization?: string; scopesToRequest?: string; } export {};