Securing Gatsby with Auth0

:warning: :exclamation: We recently release the new Auth0 React SDK that makes it easier to add user authentication to React applications. You can integrate the Auth0 React SDK with Gatsby. Please checkout this Gatsby sample code and Gatsby example app for more details. Thank you for using Auth0 to secure your user experience.

In this tutorial, you’ll learn how to set up Auth0 for authentication and identity management on a GatsbyJS site.

Brought to you by @sam.julien :man_technologist:t2:

Read on :v:>> How to Secure GatsbyJS Sites with Auth0 for Authentication


I’d love to hear how you’re using Gatsby!

This is great, If i wanted to secure the whole site with auth0, whats the best way to do that?

1 Like

Hi David, thanks! You would just use the same approach and have the logic that’s in the account component in whatever your home component will be. And you’d most likely have a “login” button that would trigger the Auth0 authorization. Everything else would basically be the same though (the auth utility, the silent auth, etc). Hope that helps!


I’m looking to protect the whole gatsby site (without the option to login/logout on click) if that makes sense? Would it be best to wrap auth0 stuff in layout.js or higher?

Ah, I see. Well, in that case, you’d probably want to modify wrapRootElement so that it handles both log in and silent auth.

Hi. The lesson worked fine for me until the silentAuth part. I used Github social authentication instead of Google social authentication.

I was able to log in successfully. However, after i refresh the page, it kicked me out to the home page and thereafter, i cannot navigate back to the account page unless i delete the isLoggedIn key through the application console

The expected behavior: when i refresh the page, it should show my name on the page (instead of kicking me out to the home page)

I pasted in the code thus there shouldn’t be any typos in the code.

any idea what could be the issue?


Hi @myhendry, welcome to the community!

Are you using the provided Auth0 developer keys for your GitHub connection? If so, silentAuth won’t work. You’ll need to create your own GitHub keys. You can read more about that in the Social Connections Devkeys docs as well as the docs on how to connect your app to GitHub.

By the way, GitHub auth is the same used in the GatsbyJS Store, which I implemented using the same procedure in this article. So, feel free to check out that code as well as another resource.

Hope that helps!

Sam Julien

Thanks Sam Julien! I will study that :slight_smile:

1 Like

@sam.julien Wouldn’t it be better in the authService isAuthenticated() function to validate tokens.expiresAt instead of localStorage.isLoggedIn?
A token can be expired without an active logout action from the user.

edit: And set ‘expiresAt’ in localStorage instead of ‘isLoggedIn’

Hi @arn, great question. In this case, we’re using isLoggedIn to trigger silentAuth – this checks whether the user has a valid session on the server and returns a valid token. This way, we never have to rely on the client to keep track of the token outside of memory or manually check the expiration date. Hope that helps!

Hi, thanks for the reply!
I see now that I got confused with !isLoggedIn :slight_smile:

But what if this fails somehow? Add logout() in the checksession error/empty result?

In the example we just navigate to the home route in case of an error in setSession:

if (err) {

I suppose you could call the logout() method just to be safe. I’m trying to think of any edge cases where you wouldn’t want that. I think it’s fine so long as you remember to only call checkSession if isLoggedIn is true. Otherwise, you’ll end up calling it every time the page loads and thus calling log out every time the page loads and a user isn’t logged in. :thinking:

Hey @sam.julien, going through the quickstart for a spa app, it now directs us to use auth0-spa-js. Will this guide be updated to reflect that at some point?

More importantly should we be using auth0-spa-js going forward or is auth0-js still a good option?


Hi @squadsdev, welcome to the community! I do plan on updating the article, or in the short term at least making a branch in the sample code that shows how you’ll use it with Gatsby. It should actually result in a bit less code. In the meantime, you’re fine using auth0-js for now. If you want to dig into the new SPA SDK with Gatsby yourself, the React Quickstart is the place to go.

Hope that helps!


Creating client-side only routes using onCreatePage won’t work for programmatically created pages because of this bug in Gatsby: Programatically created Pages do not trigger onCreatePage · Issue #5255 · gatsbyjs/gatsby · GitHub .

Hi @jocrau, sorry for the delay, I somehow didn’t get a notification on this post. Did you figure out the problem or how to reproduce it?

Hey @sam.julien, I followed the instructions on this blog post (tweaked a little bit for it to be more appropriate for the project I’m working on), and it worked beautifully. However, in the post you mention,

“Note that this isn’t a very sophisticated method of redirecting since there is no implementation of remembering the browser history. For example, if this function is run from a different route, it will always redirect back to /account . In a real application, you’ll want to implement something more robust.”

Right now I’m trying to do just that…redirect the user back to the page they tried to go to before going through the authentication process. How would I go about setting that up?

1 Like

Hey there @jacobsilver2!

I’m sure Sam will look at your hurdle once he’s online!

Hi @jacobsilver2, great question. If you’re using auth0.js like in the tutorial, you can use state to keep track of this (basically you pass state at login and retrieve/process it during the callback handling). Check out this page of the docs to see what I mean. I’m having a hard time finding a specific walkthrough for doing this in React but I’ll keep poking around.

If you’re using the new auth0-spa-js library, check out the current React QuickStart. You could pretty easily replace auth0.js with auth0-spa-js in your case, though it is not necessary. Note that in the new library, you’ll use appState instead of state.

Let me know if that helps.

Sam Julien