Auth0
Auth-svc validates JWTs issued by your identity provider. This guide covers how to set up Auth0 as that IdP.
If you want to use a different identity provider (e.g. Okta, Keycloak), refer to the custom JWT provider instructions in the auth-svc repository.
Create an Auth0 account and application
- Sign up at auth0.com — the free tier is sufficient for development.
- Go to Applications → Create Application.
- Choose Native as the application type (required for mobile).
- Note down the Domain and Client ID.
- Under your application's Settings, scroll to Advanced Settings → Grant Types and make sure Refresh Token is enabled.
Create an API
- Go to Applications → APIs → Create API.
- Set a Name (e.g. auth-svc-api) and an Identifier — this is a logical name, not a real URL (e.g. silent-shard-boilerplate). The identifier becomes your AUTH0_AUDIENCE.
- In the API's Settings tab, enable Allow Offline Access.
- Under the Permissions tab, add the following custom scopes:
| Scope | Description |
|---|---|
| write:backup | Create / update keyshare backups |
| read:backup | Retrieve keyshare backups |
| read:transactions | View transaction history |
| write:devices | Register / update devices |
| read:devices | View registered devices |
| write:face | Register face biometric |
| read:face | View face registration status |
Optional: Enable Google SSO
- Go to Authentication → Social → Create Connection → Google / Gmail.
- Provide your Google OAuth web client credentials.
- Enable the connection for your Native application.
Optional: Enable Passkey
- Go to Authentication → Passwordless.
- Enable Passkey and follow the setup wizard.
Environment variables
| Variable | Value | Description |
|---|---|---|
| AUTH0_DOMAIN | your-tenant.auth0.com | Your Auth0 tenant domain; the token issuer and JWKS endpoint are derived from it |
| AUTH0_AUDIENCE | silent-shard-boilerplate | Must exactly match the API Identifier above |
| AUTH0_ALGORITHMS | RS256 | Accepted JWT signing algorithm(s). Auth0 signs API access tokens with RS256 by default; keep this pinned so a token whose header claims another algorithm (e.g. none or HS256) is rejected |
AUTH0_AUDIENCE must exactly match the Identifier set in your Auth0 API (same string, same case, no added trailing slash or whitespace). A mismatch causes all JWT verification to fail, because the aud claim of every access token Auth0 issues for the API is that Identifier and a validator configured with any other value rejects every token.