Auth0 is the default provider for the whole product. Unless you configure a custom issuer, every login and every signature request in NEAR Auth flows through Auth0.
Supported login methods
Through Auth0, NEAR Auth supports several ways for users to sign in — no seed phrases and nothing to install:Users sign in with their existing Google account. No new credentials to create.
Apple
Apple Sign-In for a secure, privacy-preserving login on iOS and beyond.
Username & password
Auth0’s native email/password authentication for users who prefer a dedicated account.
Passkeys
Passwordless, public-key authentication bound to the user’s device.
sub claim) that deterministically maps to one NEAR key. The same login always controls the same account, regardless of which method the user picked.
Per-transaction authentication
NEAR Auth does not just authenticate users once at login. For every transaction or delegate action, the app asks Auth0 to issue a fresh JWT whose payload contains the encoded transaction. This means each sensitive operation is individually authorized by the user. The mechanism is a custom JWT claim calledfatxn. When you request a signature, the provider Base64-encodes the transaction (or delegate action) and passes it to Auth0 as an authorization parameter. Auth0 mints a JWT that carries the encoded payload in fatxn, alongside the standard claims (sub, iss, exp, aud, …).
On-chain, the Auth0 Guard verifies the JWT’s RS256 signature and issuer, then checks that its fatxn claim matches the transaction being signed. If they don’t match, verification fails and no signature is produced — so a JWT issued for one transaction can never be replayed to sign a different one.
App requests a signature
Your app calls
requestTransactionSignature({ transaction }) (or requestDelegateActionSignature({ delegateAction })) on the provider.Auth0 issues a JWT with the tx embedded
The provider encodes the transaction and sends it to Auth0 with the
transaction:sign scope and the network’s signingAudience. Auth0 returns a JWT whose fatxn claim holds the encoded transaction.To retrieve the request afterward, call
getSignatureRequest(). It fetches the token silently for the signingAudience, decodes the fatxn claim, and returns a SignatureRequest of { guardId, verifyPayload, signPayload } ready to hand to the NEAR Auth contract.Login: popup vs. redirect
The JavaScript provider supports two Auth0 flows, and it picks one based on the options you pass:- Popup (default) — call
login()with noredirectUri. Auth0 opens in a popup window and control returns to your page when the user finishes. This keeps your app’s state intact and is the smoothest experience for single-page apps. - Redirect — call
login({ redirectUri })with aredirectUri. The browser navigates away to Auth0 and returns to your callback URL. The provider detects thecode/statequery parameters on return and completes the login automatically.
requestTransactionSignature({ transaction, redirectUri }) uses redirect when a redirectUri is present, and popup otherwise.
Configuration and network defaults
You configure the JavaScript provider with a small options object:networkselects mainnet or testnet and picks the defaultdomainandsigningAudience.clientIdis your Auth0 application client id.domainis the Auth0 tenant that issues tokens.signingAudienceis the Auth0 API audience used specifically for signature requests. It is what routes a signing JWT to the Auth0 Guard: the audience value is the guard’s on-chain account id, and the guard verifies that its own account appears in the token’saudclaim.
domain and signingAudience unset, NEAR Auth fills them in from FAST_AUTH_AUTH0_DEFAULTS for your network:
| Network | domain | signingAudience | clientId |
|---|---|---|---|
| mainnet | login.auth.near.org | auth0.jwt.fast-auth.near | dsurLc47fOcWme5PkYeClBvuW0tYrmgW |
| testnet | login.testnet.fast-auth.com | auth0.jwt.fast-auth.testnet | np8paqIpMWmNbzT4xAvOOapZBjsOpptl |
The
signingAudience values (auth0.jwt.fast-auth.near / auth0.jwt.fast-auth.testnet) are the Auth0 Guard contract accounts. Requiring the guard’s own account in aud is how the Auth0 Guard ensures a token was minted for it and not for some other consumer.jwt#https://<domain>/, and the MPC derivation path is jwt#https://<domain>/#<sub> — deterministic per user identity.
Where this fits
Auth0 is one layer of the NEAR Auth protocol: it authenticates users and authorizes transactions off-chain, while a guard contract enforces those tokens on-chain and the MPC network signs.Auth0 Guard contract
The on-chain contract that RS256-verifies Auth0 JWTs and checks the
fatxn claim.JWT verification
The token format, standard claims, and the custom
fatxn payload.JavaScript provider
The web provider that drives Auth0 login and signature requests.
How it works
The end-to-end flow from login to on-chain signature.