Auth0-spa-js...difference between /co/authorize and /usernamepassword/login?


I’m using auth0-spa-js in a React project and I’m wondering why I sometimes see calls to /co/authorize and other times I see calls to /usernamepassword/login? One call seems to work and the other never does, so I’m trying to figure out what I need to change to use one call over the other. Thanks!

Hey there @ldeveber and welcome to the Auth0 Community, I apologize for the delay in response!

We would be happy to take a look! When you get a chance could you please share a HAR file capture of the calls being made and send it over direct message? Please be sure to select “Preserve log” to catch redirects and scrub the file of user passwords before passing, thanks!
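One way to do the scrubbing requested above before a capture leaves your machine, as an added example that is not part of the original thread and is not Auth0 code. It goes beyond passwords to also redact cookies, Authorization headers and refresh tokens, and it reports which of the endpoints discussed in this thread the capture hit. The field names follow the HAR 1.2 format; the key lists, the `tenant.example` host and the sample bodies are assumptions constructed for illustration.

```javascript
// Added example, not Auth0 code. HAR 1.2 field names; key lists are assumptions.
const SENSITIVE_KEY = /^(password|client_secret|refresh_token)$/i;
const SENSITIVE_HEADER = /^(authorization|cookie|set-cookie)$/i;
const AUTH_PATHS = ['/authorize', '/co/authenticate', '/usernamepassword/login'];
const REDACTED = 'REDACTED';
// Recursively blank sensitive keys in a parsed JSON body.
function redactValue(value) {
  if (Array.isArray(value)) return value.map(redactValue);
  if (value && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      value[key] = SENSITIVE_KEY.test(key) ? REDACTED : redactValue(value[key]);
    }
  }
  return value;
}
// Redact a request body in place, for JSON and form-encoded posts.
function redactBody(postData) {
  if (!postData) return;
  for (const p of postData.params || []) if (SENSITIVE_KEY.test(p.name)) p.value = REDACTED;
  if (typeof postData.text !== 'string') return;
  const mime = postData.mimeType || '';
  if (mime.includes('json')) {
    try { postData.text = JSON.stringify(redactValue(JSON.parse(postData.text))); }
    catch { postData.text = REDACTED; } // unparseable: drop the body rather than leak it
  } else if (mime.includes('x-www-form-urlencoded')) {
    const form = new URLSearchParams(postData.text);
    for (const key of [...form.keys()]) if (SENSITIVE_KEY.test(key)) form.set(key, REDACTED);
    postData.text = form.toString();
  }
}
// Scrub the HAR in place; return the auth endpoints seen, in capture order.
function scrubHar(har) {
  const seen = [];
  for (const { request, response } of har.log.entries) {
    const headers = [...(request.headers || []), ...((response && response.headers) || [])];
    for (const h of headers) if (SENSITIVE_HEADER.test(h.name)) h.value = REDACTED;
    redactBody(request.postData);
    const path = new URL(request.url).pathname;
    if (AUTH_PATHS.includes(path)) seen.push(`${request.method} ${path}`);
  }
  return seen;
}

// Constructed sample capture; host and body values are placeholders.
const post = (path, text) => ({ request: { method: 'POST', url: `https://tenant.example${path}`,
  headers: [{ name: 'Cookie', value: 'sid=abc' }], postData: { mimeType: 'application/json', text } },
  response: { headers: [{ name: 'Set-Cookie', value: 'auth0=xyz' }] } });
const body = '{"username":"a@example.com","password":"hunter2"}';
const sampleHar = { log: { entries: [post('/usernamepassword/login', body), post('/co/authenticate', body)] } };
console.log(scrubHar(sampleHar), sampleHar.log.entries[0].request.postData.text);
```

Response bodies, query strings and body types other than JSON or form-encoded are left untouched here, so review those by hand before sharing the file.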

Good morning @ldeveber, to follow up on this front after gathering feedback from one of our senior engineers.

When leveraging Auth0-spa-js there shouldn’t be a call for usernamepassword/login, unlike with auth0.js. Auth0-spa-js will unanimously redirect to /authorize and for checksession. Furthermore, the usernamepassword/login is for the hosted login page and co/authenticate if you are doing it cross origin. Auth0.js as it stands handles both hosted pages and non-hosted pages; it tries to guess which endpoint to hit and which flow to follow.

Documentation that can help on this front is our Cross-Origin Authentication doc and the Auth0.js GitHub repo documentation, which I will share below:

  • If you’re calling this method from the Universal Login Page, it will use the usernamepassword/login endpoint
  • If you’re calling this method outside the Universal Login Page, it will use the cross origin authentication (/co/authenticate) flow

After finding out more information about your use case from our team, when it comes to leveraging Electron in this instance our guidance would be to use Electron’s embedded browser window for triggering opening a browser. An abstract logic workflow that would work is:

  • login - Open a browser, call authorize with a refresh token
  • logout - Open the browser and kill the session, also revoke the RT
  • getTokenSilently - Use the RT to get the token
  • getProfile - Use a profile, this was given to you by the idToken

Please let us know if you have any questions on this front that we can assist with and we’d be happy to help!


From what I’m seeing, the /usernamepassword/login endpoint is being used in Chrome, and when visiting the same page in an Electron container it’s using /co/authenticate.

We are using BrowserWindow for the container:

  mainWindow = new BrowserWindow({

I thought we were using the Universal Login Page in both cases, but I’m seeing the two different calls in the network tab.

I will send the HAR files along when I can get them generated!

Sorry for the delay! I have just sent the .har file to the technical account management email. Thank you!

Hi there @ldeveber, do you happen to know which TAM has it so I can take a peek? Thanks!

Hi! We’ve been working with Sukhman Ghumman. Thanks so much!

Hey @ldeveber, following up on this front, I took some time to review the HAR file you sent over with our team and we didn’t see anything in the HAR file that sticks out. Since you have an existing open technical support case along with this community topic, to reduce redundancy of efforts by both teams we will be directing focus over to the support case over this community thread so that one of our technical support engineers can follow up with you and get the specifics on this challenge you are experiencing. I appreciate you working with us on this front as we strive towards a solution.
