Why do I get "auth0-spa-js must run on a secure origin" error?

Question: Why do I get “auth0-spa-js must run on a secure origin” error?

Answer:

Internally, the SDK uses the Web Cryptography API to create a SHA-256 digest.

According to the spec (via GitHub issues), the Web Cryptography API requires a secure origin, so accessing Crypto.subtle in a non-secure context returns undefined.

In most browsers, secure origins are origins that match at least one of the following (scheme, host, port) patterns:

(https, *, *)
(wss, *, *)
(*, localhost, *)
(*, 127/8, *)
(*, ::1/128, *)
(file, *, —)

If you’re running your application from a secure origin, it’s possible that your browser doesn’t support the Web Crypto API. For a compatibility table, please check https://caniuse.com/#feat=mdn-api_subtlecrypto

Supporting Documentation:

Relevant GH issue: https://github.com/w3c/webcrypto/issues/28
Documentation: Repository Documentation

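To tell the two causes above apart (non-secure origin versus a browser without Web Crypto), here is an added example that is not part of auth0-spa-js or the original post. The function names `matchesSecureOriginPattern` and `diagnoseWebCrypto` are hypothetical, and the sample environments are constructed.

```javascript
// Added example; function names are hypothetical, not auth0-spa-js APIs.

// Mirrors the (scheme, host, port) patterns listed in the answer.
function matchesSecureOriginPattern(href) {
  const { protocol, hostname } = new URL(href);
  if (protocol === 'https:' || protocol === 'wss:' || protocol === 'file:') {
    return true;
  }
  if (hostname === 'localhost') return true;
  // URL normalizes IPv4 hosts to dotted-quad form, so 127/8 is a prefix test.
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(hostname)) return true;
  // IPv6 literals keep their brackets in URL.hostname.
  return hostname === '[::1]';
}

// env is a window-like object: { location: { href }, isSecureContext, crypto }.
function diagnoseWebCrypto(env) {
  if (env.crypto && env.crypto.subtle) return 'ok';
  // Prefer the browser's own verdict (window.isSecureContext) when it exists;
  // otherwise fall back to the pattern list.
  const secure = typeof env.isSecureContext === 'boolean'
    ? env.isSecureContext
    : matchesSecureOriginPattern(env.location.href);
  return secure ? 'unsupported-browser' : 'insecure-origin';
}

// Constructed sample environments (not real deployments).
const SAMPLES = [
  // Dev server reached over a LAN IP: crypto exists, crypto.subtle does not.
  { location: { href: 'http://192.168.1.20:3000/' }, crypto: {} },
  // Same dev server reached via localhost.
  { location: { href: 'http://localhost:3000/' }, crypto: { subtle: {} } },
  // HTTPS origin, but the browser lacks SubtleCrypto.
  { location: { href: 'https://app.example.com/' }, crypto: {} },
];

for (const env of SAMPLES) {
  console.log(env.location.href, '->', diagnoseWebCrypto(env));
}
```

In a browser console, `diagnoseWebCrypto(window)` gives the same verdict for the current page.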