功能描述

Use when adding authentication to React applications (login, logout, user sessions, protected routes) - integrates @auth0/auth0-react SDK for SPAs with Vite...

使用说明 (SKILL.md)

Auth0 React Integration

Name: Auth0 React
Author: auth0

Add authentication to React single-page applications using @auth0/auth0-react.

Prerequisites

React 16.11+ application (Vite or Create React App) - supports React 16, 17, 18, and 19
Auth0 account and application configured
If you don't have Auth0 set up yet, use the auth0-quickstart skill first

When NOT to Use

Next.js applications - Use auth0-nextjs skill for both App Router and Pages Router
React Native mobile apps - Use auth0-react-native skill for iOS/Android
Server-side rendered React - Use framework-specific SDK (Next.js, Remix, etc.)
Embedded login - This SDK uses Auth0 Universal Login (redirect-based)
Backend API authentication - Use express-openid-connect or JWT validation instead

Quick Start Workflow

1. Install SDK

npm install @auth0/auth0-react

2. Configure Environment

For automated setup with Auth0 CLI, see Setup Guide for complete scripts.

For manual setup:

Create .env file:

Vite:

VITE_AUTH0_DOMAIN=your-tenant.auth0.com
VITE_AUTH0_CLIENT_ID=your-client-id

Create React App:

REACT_APP_AUTH0_DOMAIN=your-tenant.auth0.com
REACT_APP_AUTH0_CLIENT_ID=your-client-id

3. Wrap App with Auth0Provider

Update src/main.tsx (Vite) or src/index.tsx (CRA):

import React from 'react';
import ReactDOM from 'react-dom/client';
import { Auth0Provider } from '@auth0/auth0-react';
import App from './App';

ReactDOM.createRoot(document.getElementById('root')!).render(
  \x3CReact.StrictMode>
    \x3CAuth0Provider
      domain={import.meta.env.VITE_AUTH0_DOMAIN} // or process.env.REACT_APP_AUTH0_DOMAIN
      clientId={import.meta.env.VITE_AUTH0_CLIENT_ID}
      authorizationParams={{
        redirect_uri: window.location.origin
      }}
    >
      \x3CApp />
    \x3C/Auth0Provider>
  \x3C/React.StrictMode>
);

4. Add Authentication UI

import { useAuth0 } from '@auth0/auth0-react';

export function LoginButton() {
  const { loginWithRedirect, logout, isAuthenticated, user, isLoading } = useAuth0();

  if (isLoading) return \x3Cdiv>Loading...\x3C/div>;

  if (isAuthenticated) {
    return (
      \x3Cdiv>
        \x3Cspan>Welcome, {user?.name}\x3C/span>
        \x3Cbutton onClick={() => logout({ logoutParams: { returnTo: window.location.origin } })}>
          Logout
        \x3C/button>
      \x3C/div>
    );
  }

  return \x3Cbutton onClick={() => loginWithRedirect()}>Login\x3C/button>;
}

5. Test Authentication

Start your dev server and test the login flow:

npm run dev  # Vite
# or
npm start    # CRA

Detailed Documentation

Setup Guide - Automated setup scripts (Bash/PowerShell), CLI commands, manual configuration
Integration Guide - Protected routes, API calls, error handling, advanced patterns
API Reference - Complete SDK API, configuration options, hooks reference, testing strategies

Common Mistakes

Mistake	Fix
Forgot to add redirect URI in Auth0 Dashboard	Add your application URL (e.g., `http://localhost:3000`, `https://app.example.com`) to Allowed Callback URLs in Auth0 Dashboard
Using wrong env var prefix	Vite uses `VITE_` prefix, Create React App uses `REACT_APP_`
Not handling loading state	Always check `isLoading` before rendering auth-dependent UI
Storing tokens in localStorage	Never manually store tokens - SDK handles secure storage automatically
Missing Auth0Provider wrapper	Entire app must be wrapped in `\x3CAuth0Provider>`
Provider not at root level	Auth0Provider must wrap all components that use auth hooks
Wrong import path for env vars	Vite uses `import.meta.env.VITE_`, CRA uses `process.env.REACT_APP_`
Using `acr_values` redirect for in-app MFA	Use `useAuth0().mfa` API for in-app enrollment/challenge/verify flows
Not catching `MfaRequiredError`	Wrap `getAccessTokenSilently` in try/catch and check `instanceof MfaRequiredError`
Making direct HTTP calls to MFA endpoints	Use the `mfa` property from `useAuth0()` — it handles token management automatically
Forgetting refresh tokens for step-up MFA	Set `useRefreshTokens={true}` on Auth0Provider when using `interactiveErrorHandler="popup"`

Related Skills

auth0-quickstart - Basic Auth0 setup
auth0-migration - Migrate from another auth provider
auth0-mfa - Add Multi-Factor Authentication

Quick Reference

Core Hooks:

useAuth0() - Main authentication hook
isAuthenticated - Check if user is logged in
user - User profile information
loginWithRedirect() - Initiate login
logout() - Log out user
getAccessTokenSilently() - Get access token for API calls
mfa - MFA API client for enrollment, challenge, and verification
- mfa.getAuthenticators(mfaToken) - List enrolled authenticators
- mfa.getEnrollmentFactors(mfaToken) - Get available enrollment factors
- mfa.enroll(params) - Enroll new authenticator (OTP, SMS, Email, Voice, Push)
- mfa.challenge(params) - Initiate MFA challenge
- mfa.verify(params) - Verify MFA challenge and complete authentication

MFA Error Types (import from @auth0/auth0-react):

MfaRequiredError - Thrown by getAccessTokenSilently when MFA is needed (has mfa_token and mfa_requirements)
MfaEnrollmentError, MfaChallengeError, MfaVerifyError - Thrown by respective mfa.* methods

Common Use Cases:

Login/Logout buttons → See Step 4 above
Protected routes → Integration Guide
API calls with tokens → Integration Guide
Error handling → Integration Guide
MFA handling → Integration Guide

References

安全使用建议

This skill appears to do what it says: add Auth0 to React apps. Before running the automated setup: 1) Back up any existing .env file and confirm prompts when asked — the scripts will append to .env. 2) Prefer installing the Auth0 CLI via your OS package manager (brew/scoop/choco) rather than blindly running a remote install script (curl | sh); if you must run the remote installer, inspect it first. 3) The skill will read package.json to detect Vite vs CRA — that's expected. If you need higher assurance, run the manual steps (install @auth0/auth0-react and configure the provider) instead of the automated scripts.

功能分析

Type: OpenClaw Skill Name: auth0-react Version: 1.0.0 The skill bundle provides legitimate documentation and automation scripts for integrating the official Auth0 React SDK into applications. The setup scripts in 'references/setup.md' use the official Auth0 CLI to configure environment variables and include explicit safety instructions for the AI agent to avoid reading existing secrets from '.env' files without user consent. No evidence of data exfiltration, malicious execution, or harmful prompt injection was found.

能力标签

requires-oauth-tokenrequires-sensitive-credentials

能力评估

✓ Purpose & Capability

Name/description, examples, and referenced guides all match a React Auth0 integration. No unrelated credentials, binaries, or config paths are requested.

ℹ Instruction Scope

The SKILL.md and references stay within expected scope (install SDK, wrap app with Auth0Provider, read package.json to detect Vite vs CRA, and create/append a .env with Auth0 domain/client ID). The setup guide explicitly warns never to read .env contents in LLM context and requires explicit user confirmation before writing to .env, which is a good safeguard.

ℹ Install Mechanism

This is an instruction-only skill (no install spec). The setup scripts instruct installing the Auth0 CLI via package managers (brew/scoop/choco) or by piping a raw.githubusercontent.com install script to sh. Using package managers is low risk; piping a remote install script to sh is common but carries execution risk — users/agents should review the script before running it.

✓ Credentials

No required environment variables or credentials are declared. The only environment interaction is creating/appending a .env with the Auth0 domain and client ID (not secrets). The skill asks for user confirmation before modifying .env.

✓ Persistence & Privilege

The skill does not request persistent platform privileges (always is false). It does not modify other skills or system-wide agent settings.

版本历史

v1.0.0

- Initial release of the auth0-react skill. - Provides step-by-step integration instructions for adding Auth0 authentication to React SPAs (Vite or Create React App). - Includes setup prerequisites, quick start workflow, common pitfalls, detailed documentation references, and core usage examples. - Covers protected routes, API access, and advanced features like MFA handling using @auth0/auth0-react SDK. - Lists related skills and troubleshooting guidance for common mistakes.

元数据

Slug auth0-react

版本 1.0.0

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 1

常见问题

Auth0 React 是什么？

Use when adding authentication to React applications (login, logout, user sessions, protected routes) - integrates @auth0/auth0-react SDK for SPAs with Vite... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 75 次。

如何安装 Auth0 React？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install auth0-react」即可一键安装，无需额外配置。

Auth0 React 是免费的吗？

是的，Auth0 React 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

Auth0 React 支持哪些平台？

Auth0 React 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Auth0 React？

由 Auth0（@auth0）开发并维护，当前版本 v1.0.0。

Auth0 React