Safe management of Auth0 information in source control


Hello! I am working with Auth0 for the first time; the project is an open-source one whose code will be stored in GitHub repositories. The project structure is a SPA (written in React/Redux) with a .NET Core backend API; the SPA uses the Lock widget to do initial authentication and obtain an access token, which is then provided as a bearer token in the header of requests to the API.

Auth management is not my specialty (hence my excitement about Auth0!) and I’m trying to figure out best practices and make sure I don’t do anything dumb.

Right now, as I see it, I am using the following pieces of potentially sensitive information relating to Auth0:

  • The Auth0 domain value (, used both in my SPA and API.
  • The Auth0 client ID value (gibberish string), used in my SPA application.
  • The Auth0 API identifier value (a URL string), used in my API.

Which of these am I safe to keep in source control and which should absolutely be kept secret? At the moment, my plan is that I have two tenants, one for the dev environment and one for prod; the dev tenant info is kept in source control and anyone can use it to spin up the application locally and hack on it, while the prod tenant info is kept hidden in environment variables in our CI/hosting servers. Is this a safe approach to take or should I be restricting the information more carefully?

Thanks for any insight!

The domain and client ID definitely do not need to be protected. They both form part of publicly visible URLs. You just need to protect the client secret.

Pretty sure the API identifier (audience) does not need to be protected either.

Hm. Okay, that’s interesting. Now I’m just confused how this all works :slight_smile: because if I’m following the examples from Auth0 correctly, the client secret doesn’t need to be in the code at all (implicit grant flow I guess?). Clearly I have more research to do about how this all fits together.

Thanks for the info. :slight_smile:


Those values are not secrets so you don’t have to hide them, anyway I’d recommend to always use them from environment variables as they’re application settings and by doing so you will be able to change them without touching the code.
If you want to have a publicly shared default tenant (and other config) you can add that one to the code or documentation without problem, but bear in mind that all the developers will be using the same Auth0 tenant.

Hope it helps!

PS: The client secret is the one that has to be kept securely but it’s only used in the symmetric algorithm HS256 (the recommended one is the RS256 that doesn’t rely on a secret key)


This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.