Dev Tools Console Displays “auth0-spa-js must run on a secure origin” Error

Last Updated: Aug 20, 2024

Overview

When viewing the dev tools console within the browser on an SPA JSDK site, the following error is displayed.

auth0-spa-js must run on a secure origin

Applies To

  • SPA JSDK
  • Dev Tools Console
  • Secure Origin Error

Solution

Internally, the SDK uses Web Cryptography API 28 to create SHA-256 digest 6.

According to the spec (via Github issues 196), Web Cryptography API requires a secure origin so that accessing Crypto.subtle in a not secure context returns undefined.

In most browsers, secure origins are origins that match at least one of the following (scheme, host, port) patterns:

(https, *, *)
(wss, *, *)
(*, localhost, *)
(*, 127/8, *)
(*, ::1/128, *)
(file, *, —)

If the User is running their application from a secure origin, it is possible that their browser does not support the Web Crypto API. For a compatibility table, please check Can I use… Support tables for HTML5, CSS3, etc 282.

Related References

1 Like