[{"data":1,"prerenderedAt":293},["ShallowReactive",2],{"blog-blueprints/lovable-auth0":3},{"id":4,"title":5,"body":6,"category":273,"date":274,"dateModified":274,"description":275,"draft":276,"extension":277,"faq":278,"featured":276,"headerVariant":279,"image":278,"keywords":278,"meta":280,"navigation":281,"ogDescription":282,"ogTitle":278,"path":283,"readTime":284,"schemaOrg":285,"schemaType":286,"seo":287,"sitemap":288,"stem":289,"tags":290,"twitterCard":291,"__hash__":292},"blog/blog/blueprints/lovable-auth0.md","Lovable + Auth0 Security Blueprint",{"type":7,"value":8,"toc":264},"minimark",[9,20,24,30,35,109,113,128,137,146,150,159,163,168,171,174,177,180,183,186,189,205,240,252],[10,11,12],"blueprint-summary",{},[13,14,15,19],"p",{},[16,17,18],"strong",{},"To secure a Lovable + Auth0 stack,"," you need to: (1) configure callback and logout URLs for production, (2) restrict allowed web origins, (3) keep Client Secret server-side only, and (4) validate tokens on your backend. This blueprint covers Auth0 application settings and token verification best practices.",[21,22],"blueprint-meta",{"time":23},"1-2 hours",[25,26,27],"tldr",{},[13,28,29],{},"Auth0 provides enterprise-grade authentication but requires proper configuration. 
Key tasks: configure allowed callback URLs for production, restrict allowed origins, store Client Secret securely (server-side only), validate tokens on the backend, and never trust client-side auth checks alone.",[31,32,34],"h2",{"id":33},"auth0-application-configuration","Auth0 Application Configuration",[36,37,38,54],"table",{},[39,40,41],"thead",{},[42,43,44,48,51],"tr",{},[45,46,47],"th",{},"Setting",[45,49,50],{},"Development",[45,52,53],{},"Production",[55,56,57,77,94],"tbody",{},[42,58,59,63,71],{},[60,61,62],"td",{},"Allowed Callback URLs",[60,64,65],{},[66,67,68],"a",{"href":68,"rel":69},"http://localhost:3000/callback",[70],"nofollow",[60,72,73],{},[66,74,75],{"href":75,"rel":76},"https://yourdomain.com/callback",[70],[42,78,79,82,88],{},[60,80,81],{},"Allowed Logout URLs",[60,83,84],{},[66,85,86],{"href":86,"rel":87},"http://localhost:3000",[70],[60,89,90],{},[66,91,92],{"href":92,"rel":93},"https://yourdomain.com",[70],[42,95,96,99,104],{},[60,97,98],{},"Allowed Web Origins",[60,100,101],{},[66,102,86],{"href":86,"rel":103},[70],[60,105,106],{},[66,107,92],{"href":92,"rel":108},[70],[31,110,112],{"id":111},"part-1-auth0-environment-variables","Part 1: Auth0 Environment Variables",[114,115,117],"code-block",{"label":116},"Public (client-side)",[118,119,124],"pre",{"className":120,"code":122,"language":123},[121],"language-text","VITE_AUTH0_DOMAIN=your-tenant.auth0.com\nVITE_AUTH0_CLIENT_ID=your-client-id\nVITE_AUTH0_AUDIENCE=https://your-api\n","text",[125,126,122],"code",{"__ignoreMap":127},"",[114,129,131],{"label":130},"Private (server-side only)",[118,132,135],{"className":133,"code":134,"language":123},[121],"# Never expose this in client code\nAUTH0_CLIENT_SECRET=your-client-secret\n",[125,136,134],{"__ignoreMap":127},[138,139,140],"warning-box",{},[13,141,142,145],{},[16,143,144],{},"Critical:"," The Client Secret must never be in client-side code. 
If you need server-side operations, use Auth0's Management API from a backend service.",[31,147,149],{"id":148},"part-2-auth0-token-validation","Part 2: Auth0 Token Validation",[114,151,153],{"label":152},"Verify tokens on backend",[118,154,157],{"className":155,"code":156,"language":123},[121],"import jwt from 'jsonwebtoken';\nimport jwksClient from 'jwks-rsa';\n\nconst client = jwksClient({\n  jwksUri: `https://${process.env.AUTH0_DOMAIN}/.well-known/jwks.json`\n});\n\nasync function verifyToken(token: string) {\n  const decoded = jwt.decode(token, { complete: true });\n  const key = await client.getSigningKey(decoded.header.kid);\n\n  return jwt.verify(token, key.getPublicKey(), {\n    audience: process.env.AUTH0_AUDIENCE,\n    issuer: `https://${process.env.AUTH0_DOMAIN}/`,\n    algorithms: ['RS256']\n  });\n}\n",[125,158,156],{"__ignoreMap":127},[31,160,162],{"id":161},"security-checklist","Security Checklist",[164,165,167],"h4",{"id":166},"pre-launch-checklist-for-lovable-auth0","Pre-Launch Checklist for Lovable + Auth0",[13,169,170],{},"Callback URLs restricted to production domain",[13,172,173],{},"Allowed origins configured correctly",[13,175,176],{},"Client Secret only on server-side",[13,178,179],{},"Tokens validated on backend APIs",[13,181,182],{},"Refresh token rotation enabled",[13,184,185],{},"Appropriate token lifetimes configured",[13,187,188],{},"MFA enabled for admin accounts",[190,191,192,199],"faq-section",{},[193,194,196],"faq-item",{"question":195},"Is the Auth0 Client ID safe to expose?",[13,197,198],{},"Yes, the Client ID identifies your application but doesn't grant access. The Client Secret is what must be protected. For SPAs, use the Authorization Code flow with PKCE, which doesn't require a secret.",[193,200,202],{"question":201},"Should I validate tokens on the client?",[13,203,204],{},"Client-side validation is for UX only. Always validate tokens on your backend before performing protected operations. 
The client can be manipulated.",[206,207,208,212,215],"stack-comparison",{},[31,209,211],{"id":210},"alternative-stack-options","Alternative Stack Options",[13,213,214],{},"Consider these related blueprints for different stack combinations:",[216,217,218,226,233],"ul",{},[219,220,221,225],"li",{},[66,222,224],{"href":223},"/blog/blueprints/lovable-supabase","Lovable + Supabase"," - Built-in auth with Supabase Auth",[219,227,228,232],{},[66,229,231],{"href":230},"/blog/blueprints/lovable-firebase","Lovable + Firebase"," - Firebase Authentication alternative",[219,234,235,239],{},[66,236,238],{"href":237},"/blog/blueprints/lovable-vercel","Lovable + Vercel"," - Deployment platform guide",[241,242,243,247],"related-articles",{},[244,245],"related-card",{"description":246,"href":223,"title":224},"Built-in auth alternative",[244,248],{"description":249,"href":250,"title":251},"Deep dive into Auth0","/blog/guides/auth0","Auth0 Security Guide",[253,254,257,261],"cta-box",{"href":255,"label":256},"/","Start Free Scan",[31,258,260],{"id":259},"using-auth0-with-lovable","Using Auth0 with Lovable?",[13,262,263],{},"Scan for configuration issues and token handling.",{"title":127,"searchDepth":265,"depth":265,"links":266},2,[267,268,269,270,271,272],{"id":33,"depth":265,"text":34},{"id":111,"depth":265,"text":112},{"id":148,"depth":265,"text":149},{"id":161,"depth":265,"text":162},{"id":210,"depth":265,"text":211},{"id":259,"depth":265,"text":260},"blueprints","2026-02-04","Security guide for Lovable + Auth0 stack. Configure Auth0 applications, secure callbacks, handle tokens properly, and protect your Lovable-generated app.",false,"md",null,"purple",{},true,"Complete security configuration for Auth0 apps built with Lovable.","/blog/blueprints/lovable-auth0","9 min read","[object Object]","Article",{"title":5,"description":275},{"loc":283},"blog/blueprints/lovable-auth0",[],"summary_large_image","Hav2z_3vIMnWk9BkkBPfZOPm1EEH2KDWji_5sZGxgX8",1775843932329]