Sharing session between 2 web apps on different subdomains


We currently have a web app using Lock to authenticate users hosted on, and we are creating a single page app (React) that will be hosted on
In the long term app1 will disappear and app2 will be the only one staying, but right now, during our beta phase, our users will have access to some features in app2 and the rest in app1.

The only way to access app2 is from app1, so I’m looking for a way to have the users being automatically authenticated on app2, so they wouldn’t have to log in twice.

So far I have tried to save access_token and id_token to cookies with the domain, to be accessible by both apps. I can retrieve them and use them in app2, but when they are about to expire I did not find a way to renew them.
I have tried with auth0-js and checkSession but I could not figure out a way to “log in” the user when instantiating the webAuth on app2.

Any idea how to do that ? Maybe something obvious that I’m missing :upside_down_face:



Hi Olivier,

I assume in this case you are using universal login. Is that correct?

If so, you can use checkSession to issue a new token via silent authentication. It will use the user’s existing session in Auth0 to issue a new token without redirecting the user or requiring them to re-authenticate.

Please keep in mind that SSO only applies to database connections as in the case of third-party identity providers the session is considered to be maintained with the provider and not Auth0.

Also, since you are using React, have you considered using auth0-spa-js for your second app? It’s a high-level library built on top of Auth0.js that enforces best practices and handles a lot of the details for you.

With it you can simply use getTokenSilently (example: to retrieve a new token via silent authentication.

getTokenSilently also implements caching so it will only fetch a new token once the current one has expired.

Our React quickstart uses this SDK and provides a useAuth0 hook you can use to provide common functions such as getTokenSilently to your components.

Please read through the following articles for a further understanding of how SSO works with Auth0:

Hi Richard,

Thanks for your answer!

I am now unsing auth0-spa-js!
But my issue is still the same, when the user gets to app2 they are not logged in, I can only retrieve the id_token and access_token from the cookies I am saving from app1.

So my question is, is there a way to provide this tokens to the auth0 client when instantiating it in app2 ?