Embedded Login with Cross Origin Authentication

Hi everyone,

We’re building a proof-of-concept for a client (enterprise healthcare) to evaluate different Auth0 authentication approaches side-by-side. One of the POCs requires a fully custom embedded login experience — the user never sees any Auth0 UI, all authentication screens (login, signup, MFA enrollment/challenge, etc.) are built as custom React components with the client’s branding. Auth0 operates entirely in the background.

The feature set we need to support in this embedded UI:

  • Email/password login & signup
  • Social logins (Google, Microsoft, Facebook, GitHub, LinkedIn)
  • MFA
  • Recovery codes
  • Profile management

We have a custom domain configured (e.g., id.ourdomain.com).

The problem:

For email/password login in our own UI (no redirect), the only viable path seems to be Cross-Origin Authentication, which uses Password Grant under the hood. We explicitly don’t want to use ROPG/Password Grant for this or universal login.

Our questions:

  1. Is there any supported Auth0 mechanism to collect username/password credentials in our own custom UI and authenticate against an Auth0 database connection WITHOUT using password grant and WITHOUT redirecting to Auth0’s hosted login page?

  2. If not, what’s the recommended approach for an embedded login POC where the requirement is zero Auth0 UI visibility? Is Cross-Origin Auth still considered acceptable for this specific use case given we have a custom domain configured?

  3. Are there any upcoming Auth0 features or APIs that address this gap — something like a first-party authentication API that allows credential collection in your own UI with modern security flows?

  4. Does anyone have GitHub repos or reference implementations for a fully embedded login with Auth0 (custom UI, no Auth0 pages visible)? Specifically looking for examples that handle the full flow — not just basic login, but MFA enrollment/challenge, social logins, and profile management all within custom components. Most examples I’ve found either use Universal Login or only cover the basic email/password scenario.

  5. For those using Cross-Origin Authentication — we’re currently using webAuth.login() from the auth0-js SDK to send credentials directly to Auth0 without redirect:

webAuth.login({
  realm: 'Username-Password-Authentication',
  username: email,
  password: password,
  scope: 'openid profile email',
  audience: 'https://our-api'
});

Is webAuth.login() still the recommended method for this use case, or should we be using a different method/SDK? I’ve seen references to webAuth.client.login(), webAuth.crossOriginAuthentication.login(), and direct calls to /oauth/token — unclear which is the correct approach in 2025/2026 and whether Auth0 still actively supports this path.

Any pointers would be really helpful. Thanks!