Overview

Relevant source files

• CHANGELOG.md
• README.md
• package.json
• src/index.ts
• src/lib/httpResponseHeadersUtils.ts
• src/lib/index.ts
• yarn.lock

The Auth0 Node.js SDK (package name: auth0) is a comprehensive client library for integrating with Auth0's Authentication API and Management API v2. This SDK enables server-side applications to authenticate users, manage Auth0 resources, and perform administrative operations on Auth0 tenants.

This page provides a high-level introduction to the SDK's architecture, primary components, and capabilities. For installation and setup instructions, see Installation and Quick Start. For detailed information about the SDK's dual-layer architecture and code generation workflow, see Architecture and Design.

Package Information

The SDK is distributed as the auth0 package on npm. As of version 5.4.0, it requires Node.js ^20.19.0 || ^22.12.0 || ^24.0.0 and provides first-class TypeScript support with full type definitions.

Property	Value
Package Name	auth0
Current Version	5.4.0
License	MIT
Repository	https://github.com/auth0/node-auth0
Minimum Node.js	20.19.0, 22.12.0, or 24.0.0
Module Systems	CommonJS and ES Modules

Sources: package.json1-140

Primary Client Classes

The SDK exposes three main client classes, each targeting a specific Auth0 API surface:

AuthenticationClient

The AuthenticationClient provides methods for user-facing authentication operations. It implements various OAuth 2.0 flows, passwordless authentication, and database connection management.

Key capabilities:

• OAuth 2.0 grant types (authorization code, PKCE, client credentials, password, refresh token)
• Pushed Authorization Requests (PAR)
• Passwordless authentication via email and SMS
• Database user signup and password management
• Client Initiated Backchannel Authentication (CIBA)
• ID token validation with configurable options

Sources: README.md36-48 Diagram 1 from high-level architecture

ManagementClient

The ManagementClient enables programmatic administration of Auth0 tenants. It provides access to 30+ resource-specific sub-clients, each managing a particular Auth0 entity type (users, clients, connections, actions, etc.).

Key capabilities:

• Comprehensive CRUD operations for all Auth0 resources
• Automatic token management with intelligent caching
• Custom domain header support for whitelisted endpoints
• Fern-generated type-safe clients with consistent interfaces
• Pagination support (offset-based and checkpoint-based)
• Request helpers for timeouts, retries, and custom headers

Sources: README.md50-76 src/management/wrapper/ManagementClient.ts Diagram 1 from high-level architecture

UserInfoClient

The UserInfoClient retrieves authenticated user profile information using an access token. It provides a simple interface to the OpenID Connect UserInfo endpoint.

Key capabilities:

• Fetch user profile data with an access token
• Returns standard OIDC claims (sub, name, email, etc.)

Sources: README.md78-91

Module System and Exports

The SDK supports both CommonJS (require()) and ES Modules (import) through dual compilation. The package exports are configured to automatically resolve the correct module format based on the consumption context.

Root export (auth0):

• Provides AuthenticationClient, ManagementClient, UserInfoClient
• Exports all TypeScript types and interfaces
• Exports error classes (ManagementError, AuthApiError)
• Exports utility classes (HttpResponseHeadersUtils)

Legacy export (auth0/legacy):

• Provides v4.x-compatible API interface
• Enables gradual migration from v4 to v5
• Wraps the underlying auth0-legacy package (v4.27.0)

Sources: package.json14-39 src/index.ts1-7 Diagram 4 from high-level architecture

Type System and Error Handling

The SDK provides comprehensive TypeScript types for all request parameters, response bodies, and error scenarios.

Key exported types:

• Management.* namespace: All Management API types (actions, users, clients, connections, etc.)
• Auth.* namespace: Authentication API request/response types
• ManagementError: Structured error with statusCode, message, body, and rawResponse
• AuthApiError: Authentication API error with error codes
• Page<T>: Paginated response wrapper with navigation helpers
• TokenQuotaBucket: Token quota information from response headers

Sources: src/index.ts1-7 src/lib/errors.js src/lib/models.js README.md254-274

Architecture Layers

The SDK employs a two-layer architecture for the Management API, separating auto-generated code from custom business logic.

Generated Layer:

• Produced by Fern from Auth0's OpenAPI specification
• Contains base FernClient class with HTTP infrastructure
• Includes 30+ resource-specific clients (UsersClient, ActionsClient, ClientsClient, etc.)
• Provides complete type definitions for all API operations
• Can be regenerated as Auth0's API evolves

Custom Layer:

• Protected from code generation by .fernignore
• ManagementClient wrapper extends FernClient with Auth0-specific features
• TokenProvider implements intelligent token caching with expiry management
• AuthenticationClient is entirely hand-written (not generated)
• Custom telemetry, logging, and header management

Sources: Diagram 2 from high-level architecture, .fernignore src/management/wrapper/ManagementClient.ts src/management/Client.ts

Runtime Compatibility

The SDK leverages native fetch and works across diverse JavaScript runtimes:

Runtime	Supported Versions	Notes
Node.js	20.19+, 22.12+, 24+	Native fetch support required
Vercel Edge	Latest	Full support
Cloudflare Workers	Latest	Full support
Deno	1.25+	Full support
Bun	1.0+	Full support
React Native	Latest	With polyfill for fetch

The SDK defaults to the global fetch client if present, eliminating the need for runtime-specific builds.

Sources: README.md576-587 package.json113-114 Diagram 4 from high-level architecture

Key Features

Authentication:

• Complete OAuth 2.0 flow implementations including PKCE and PAR
• Passwordless authentication (email/SMS)
• Database user management (signup, password changes)
• CIBA (Client Initiated Backchannel Authentication)
• ID token validation with JWKS verification

Management:

• 30+ resource-specific sub-clients
• Automatic token acquisition and caching
• Custom domain header support
• Comprehensive pagination (offset and checkpoint-based)
• Rich Authorization Requests (RAR) support
• Request-level customization (timeouts, retries, headers, abort signals)

Developer Experience:

• Full TypeScript support with auto-completion
• Structured error types with detailed diagnostics
• Request helpers (withTimeout, withRetries, withHeaders, etc.)
• Configurable logging for debugging
• Access to raw HTTP responses and headers
• Token quota tracking via response headers

Sources: README.md254-575 Diagram 3 from high-level architecture, Diagram 6 from high-level architecture

Migration and Compatibility

The SDK provides a legacy export at auth0/legacy that maintains full backward compatibility with the v4.x API. This allows applications to migrate incrementally from v4 to v5 without requiring a complete rewrite.

For comprehensive migration guidance, including breaking changes, method name updates, and new features, see Migration Guide (v4 to v5) and Legacy Client Support.

Sources: README.md93-252 package.json28-38 package.json77

Next Steps

• To get started with the SDK, proceed to Installation and Quick Start
• For deep dive into the architecture, see Architecture and Design
• For build system details, see Package Structure and Module System
• For Authentication API operations, see Authentication Client
• For Management API operations, see Management Client

Sources: Table of contents from section numbers 1.1-1.3, 2, 3