Description

Use when adding authentication to React applications (login, logout, user sessions, protected routes) - integrates @auth0/auth0-react SDK for SPAs with Vite...

README (SKILL.md)

Auth0 React Integration

Name: Auth0 React
Author: auth0

Add authentication to React single-page applications using @auth0/auth0-react.

Prerequisites

React 16.11+ application (Vite or Create React App) - supports React 16, 17, 18, and 19
Auth0 account and application configured
If you don't have Auth0 set up yet, use the auth0-quickstart skill first

When NOT to Use

Next.js applications - Use auth0-nextjs skill for both App Router and Pages Router
React Native mobile apps - Use auth0-react-native skill for iOS/Android
Server-side rendered React - Use framework-specific SDK (Next.js, Remix, etc.)
Embedded login - This SDK uses Auth0 Universal Login (redirect-based)
Backend API authentication - Use express-openid-connect or JWT validation instead

Quick Start Workflow

1. Install SDK

npm install @auth0/auth0-react

2. Configure Environment

For automated setup with Auth0 CLI, see Setup Guide for complete scripts.

For manual setup:

Create .env file:

Vite:

VITE_AUTH0_DOMAIN=your-tenant.auth0.com
VITE_AUTH0_CLIENT_ID=your-client-id

Create React App:

REACT_APP_AUTH0_DOMAIN=your-tenant.auth0.com
REACT_APP_AUTH0_CLIENT_ID=your-client-id

3. Wrap App with Auth0Provider

Update src/main.tsx (Vite) or src/index.tsx (CRA):

import React from 'react';
import ReactDOM from 'react-dom/client';
import { Auth0Provider } from '@auth0/auth0-react';
import App from './App';

ReactDOM.createRoot(document.getElementById('root')!).render(
  \x3CReact.StrictMode>
    \x3CAuth0Provider
      domain={import.meta.env.VITE_AUTH0_DOMAIN} // or process.env.REACT_APP_AUTH0_DOMAIN
      clientId={import.meta.env.VITE_AUTH0_CLIENT_ID}
      authorizationParams={{
        redirect_uri: window.location.origin
      }}
    >
      \x3CApp />
    \x3C/Auth0Provider>
  \x3C/React.StrictMode>
);

4. Add Authentication UI

import { useAuth0 } from '@auth0/auth0-react';

export function LoginButton() {
  const { loginWithRedirect, logout, isAuthenticated, user, isLoading } = useAuth0();

  if (isLoading) return \x3Cdiv>Loading...\x3C/div>;

  if (isAuthenticated) {
    return (
      \x3Cdiv>
        \x3Cspan>Welcome, {user?.name}\x3C/span>
        \x3Cbutton onClick={() => logout({ logoutParams: { returnTo: window.location.origin } })}>
          Logout
        \x3C/button>
      \x3C/div>
    );
  }

  return \x3Cbutton onClick={() => loginWithRedirect()}>Login\x3C/button>;
}

5. Test Authentication

Start your dev server and test the login flow:

npm run dev  # Vite
# or
npm start    # CRA

Detailed Documentation

Setup Guide - Automated setup scripts (Bash/PowerShell), CLI commands, manual configuration
Integration Guide - Protected routes, API calls, error handling, advanced patterns
API Reference - Complete SDK API, configuration options, hooks reference, testing strategies

Common Mistakes

Mistake	Fix
Forgot to add redirect URI in Auth0 Dashboard	Add your application URL (e.g., `http://localhost:3000`, `https://app.example.com`) to Allowed Callback URLs in Auth0 Dashboard
Using wrong env var prefix	Vite uses `VITE_` prefix, Create React App uses `REACT_APP_`
Not handling loading state	Always check `isLoading` before rendering auth-dependent UI
Storing tokens in localStorage	Never manually store tokens - SDK handles secure storage automatically
Missing Auth0Provider wrapper	Entire app must be wrapped in `\x3CAuth0Provider>`
Provider not at root level	Auth0Provider must wrap all components that use auth hooks
Wrong import path for env vars	Vite uses `import.meta.env.VITE_`, CRA uses `process.env.REACT_APP_`
Using `acr_values` redirect for in-app MFA	Use `useAuth0().mfa` API for in-app enrollment/challenge/verify flows
Not catching `MfaRequiredError`	Wrap `getAccessTokenSilently` in try/catch and check `instanceof MfaRequiredError`
Making direct HTTP calls to MFA endpoints	Use the `mfa` property from `useAuth0()` — it handles token management automatically
Forgetting refresh tokens for step-up MFA	Set `useRefreshTokens={true}` on Auth0Provider when using `interactiveErrorHandler="popup"`

Related Skills

auth0-quickstart - Basic Auth0 setup
auth0-migration - Migrate from another auth provider
auth0-mfa - Add Multi-Factor Authentication

Quick Reference

Core Hooks:

useAuth0() - Main authentication hook
isAuthenticated - Check if user is logged in
user - User profile information
loginWithRedirect() - Initiate login
logout() - Log out user
getAccessTokenSilently() - Get access token for API calls
mfa - MFA API client for enrollment, challenge, and verification
- mfa.getAuthenticators(mfaToken) - List enrolled authenticators
- mfa.getEnrollmentFactors(mfaToken) - Get available enrollment factors
- mfa.enroll(params) - Enroll new authenticator (OTP, SMS, Email, Voice, Push)
- mfa.challenge(params) - Initiate MFA challenge
- mfa.verify(params) - Verify MFA challenge and complete authentication

MFA Error Types (import from @auth0/auth0-react):

MfaRequiredError - Thrown by getAccessTokenSilently when MFA is needed (has mfa_token and mfa_requirements)
MfaEnrollmentError, MfaChallengeError, MfaVerifyError - Thrown by respective mfa.* methods

Common Use Cases:

Login/Logout buttons → See Step 4 above
Protected routes → Integration Guide
API calls with tokens → Integration Guide
Error handling → Integration Guide
MFA handling → Integration Guide

References

Usage Guidance

This skill appears to do what it says: add Auth0 to React apps. Before running the automated setup: 1) Back up any existing .env file and confirm prompts when asked — the scripts will append to .env. 2) Prefer installing the Auth0 CLI via your OS package manager (brew/scoop/choco) rather than blindly running a remote install script (curl | sh); if you must run the remote installer, inspect it first. 3) The skill will read package.json to detect Vite vs CRA — that's expected. If you need higher assurance, run the manual steps (install @auth0/auth0-react and configure the provider) instead of the automated scripts.

Capability Analysis

Type: OpenClaw Skill Name: auth0-react Version: 1.0.0 The skill bundle provides legitimate documentation and automation scripts for integrating the official Auth0 React SDK into applications. The setup scripts in 'references/setup.md' use the official Auth0 CLI to configure environment variables and include explicit safety instructions for the AI agent to avoid reading existing secrets from '.env' files without user consent. No evidence of data exfiltration, malicious execution, or harmful prompt injection was found.

Capability Tags

requires-oauth-tokenrequires-sensitive-credentials

Capability Assessment

✓ Purpose & Capability

Name/description, examples, and referenced guides all match a React Auth0 integration. No unrelated credentials, binaries, or config paths are requested.

ℹ Instruction Scope

The SKILL.md and references stay within expected scope (install SDK, wrap app with Auth0Provider, read package.json to detect Vite vs CRA, and create/append a .env with Auth0 domain/client ID). The setup guide explicitly warns never to read .env contents in LLM context and requires explicit user confirmation before writing to .env, which is a good safeguard.

ℹ Install Mechanism

This is an instruction-only skill (no install spec). The setup scripts instruct installing the Auth0 CLI via package managers (brew/scoop/choco) or by piping a raw.githubusercontent.com install script to sh. Using package managers is low risk; piping a remote install script to sh is common but carries execution risk — users/agents should review the script before running it.

✓ Credentials

No required environment variables or credentials are declared. The only environment interaction is creating/appending a .env with the Auth0 domain and client ID (not secrets). The skill asks for user confirmation before modifying .env.

✓ Persistence & Privilege

The skill does not request persistent platform privileges (always is false). It does not modify other skills or system-wide agent settings.

Version History

v1.0.0

- Initial release of the auth0-react skill. - Provides step-by-step integration instructions for adding Auth0 authentication to React SPAs (Vite or Create React App). - Includes setup prerequisites, quick start workflow, common pitfalls, detailed documentation references, and core usage examples. - Covers protected routes, API access, and advanced features like MFA handling using @auth0/auth0-react SDK. - Lists related skills and troubleshooting guidance for common mistakes.

Metadata

Slug auth0-react

Version 1.0.0

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is Auth0 React?

Use when adding authentication to React applications (login, logout, user sessions, protected routes) - integrates @auth0/auth0-react SDK for SPAs with Vite... It is an AI Agent Skill for Claude Code / OpenClaw, with 75 downloads so far.

How do I install Auth0 React?

Run "/install auth0-react" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Auth0 React free?

Yes, Auth0 React is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Auth0 React support?

Auth0 React is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Auth0 React?

It is built and maintained by Auth0 (@auth0); the current version is v1.0.0.

More Skills

Auth0 React