Auth0 Nuxt

v1.0.0

Use when implementing Auth0 authentication in Nuxt 3/4 applications, configuring session management, protecting routes with middleware, or integrating API ac...

⭐ 0· 69·0 current·0 all-time

by@auth0

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for auth0/auth0-nuxt.

Previewing Install & Setup.

Prompt PreviewInstall & Setup

Install the skill "Auth0 Nuxt" (auth0/auth0-nuxt) from ClawHub.
Skill page: https://clawhub.ai/auth0/auth0-nuxt
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install auth0-nuxt

ClawHub CLI

Package manager switcher

npx clawhub@latest install auth0-nuxt

Security Scan

Capability signals

Requires OAuth tokenRequires sensitive credentials

These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal

Benign

View report →

OpenClaw

Benign

high confidence

✓

Purpose & Capability

The name/description match the SKILL.md and reference files: they provide step-by-step setup, middleware patterns, session-store examples, and security guidance for @auth0/auth0-nuxt. All binaries, packages, and APIs referenced (npm package, openssl, Auth0 endpoints, Redis/Mongo/Postgres drivers) are coherent with implementing Auth0 in Nuxt.

✓

Instruction Scope

The runtime instructions are focused on configuring Auth0 with Nuxt (install package, set runtimeConfig/.env, add middleware, optional session store implementations). They do call external services (Auth0, example APIs) as expected for an auth integration and include patterns for protecting routes. There is no instruction to read unrelated host files or exfiltrate data.

✓

Install Mechanism

This is an instruction-only skill with no install spec and no code files executed by the skill itself. That minimizes install-time risk. The SKILL.md tells the developer to npm install @auth0/auth0-nuxt locally, which is standard for this purpose.

ℹ

Credentials

The documentation expects several sensitive environment variables (NUXT_AUTH0_DOMAIN, NUXT_AUTH0_CLIENT_ID, NUXT_AUTH0_CLIENT_SECRET, NUXT_AUTH0_SESSION_SECRET and optional DB/Redis creds) which are appropriate for an Auth0 integration. However, the registry metadata lists no required env vars or primary credential — that omission reduces transparency and should be corrected so users understand which secrets must be provided.

✓

Persistence & Privilege

No elevated persistence or privileged flags are set (always:false). The skill does not request modifying other skills or system-wide agent settings. It is user-invocable and allowed to be invoked autonomously by default, which is normal for skills and not by itself a concern.

Assessment

This appears to be official guidance for integrating Auth0 with Nuxt and is internally consistent. Before using: 1) Be prepared to provide the Auth0 credentials and a strong session secret — these are sensitive and must not be committed to source control. 2) Note the registry metadata does not declare required env vars; verify you understand and securely store the NUXT_AUTH0_* values and any DB/Redis credentials used for stateful session stores. 3) Install @auth0/auth0-nuxt from the official npm package and review its package and release provenance yourself. 4) For production, enforce HTTPS, correct callback URLs, and restrict database/Redis access. 5) If you need higher assurance, confirm the skill's source repo and package versions match Auth0's official releases or request the publisher to update registry metadata to list the required env vars.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🔐 Clawdis

latestvk97034gg5srg7grft1e6hane7h84xhc8

69downloads

0stars

1versions

Updated 1w ago

v1.0.0

MIT-0

Auth0 Nuxt SDK

Overview

Server-side session authentication for Nuxt 3/4. NOT the same as @auth0/auth0-vue (client-side SPA).

Core principle: Uses server-side encrypted cookie sessions, not client-side tokens.

When to Use

Use this when:

Building Nuxt 3/4 applications with server-side rendering (Node.js 20 LTS+)
Need secure session management with encrypted cookies
Protecting server routes and API endpoints
Accessing Auth0 Management API or custom APIs

Don't use this when:

Using Nuxt 2 (not supported - use different Auth0 SDK)
Building pure client-side SPA without server (use @auth0/auth0-vue instead)
Using non-Auth0 authentication provider
Static site generation only (SSG) without server runtime

Critical Mistakes to Avoid

Mistake	Solution
Installing `@auth0/auth0-vue` or `@auth0/auth0-spa-js`	Use `@auth0/auth0-nuxt`
Auth0 app type "Single Page Application"	Use "Regular Web Application"
Env vars: `VITE_AUTH0_` or `VUE_APP_AUTH0_`	Use `NUXT_AUTH0_*` prefix
Using `useUser()` for security checks	Use `useAuth0(event).getSession()` server-side
Missing callback URLs in Auth0 Dashboard	Add `http://localhost:3000/auth/callback`
Weak/missing session secret	Generate: `openssl rand -hex 64`

Quick Setup

# 1. Install
npm install @auth0/auth0-nuxt

# 2. Generate secret
openssl rand -hex 64

# 3. .env
NUXT_AUTH0_DOMAIN=your-tenant.auth0.com
NUXT_AUTH0_CLIENT_ID=your-client-id
NUXT_AUTH0_CLIENT_SECRET=your-client-secret
NUXT_AUTH0_SESSION_SECRET=<from-openssl>
NUXT_AUTH0_APP_BASE_URL=http://localhost:3000
NUXT_AUTH0_AUDIENCE=https://your-api  # optional

// 4. nuxt.config.ts
export default defineNuxtConfig({
  modules: ['@auth0/auth0-nuxt'],
  runtimeConfig: {
    auth0: {
      domain: '',
      clientId: '',
      clientSecret: '',
      sessionSecret: '',
      appBaseUrl: 'http://localhost:3000',
      audience: '',  // optional
    },
  },
})

Built-in Routes

The SDK automatically mounts these routes:

Route	Method	Purpose
`/auth/login`	GET	Initiates login flow. Supports `?returnTo=/path` parameter
`/auth/callback`	GET	Handles Auth0 callback after login
`/auth/logout`	GET	Logs user out and redirects to Auth0 logout
`/auth/backchannel-logout`	POST	Receives logout tokens for back-channel logout

Customize: Pass routes: { login, callback, logout, backchannelLogout } or mountRoutes: false to module config.

Composables

Composable	Context	Usage
`useAuth0(event)`	Server-side	Access `getUser()`, `getSession()`, `getAccessToken()`, `logout()`
`useUser()`	Client-side	Display user data only. Never use for security checks

// Server example
const auth0 = useAuth0(event);
const session = await auth0.getSession();

<script setup>
const user = useUser();
</script>

<template>
  <div v-if="user">Welcome {{ user.name }}</div>
<template>

Protecting Routes

Three layers: Route middleware (client), server middleware (SSR), API guards.

// middleware/auth.ts - Client navigation
export default defineNuxtRouteMiddleware((to) => {
  if (!useUser().value) return navigateTo(`/auth/login?returnTo=${encodeURIComponent(to.path)}`);
});

// server/middleware/auth.server.ts - SSR protection
export default defineEventHandler(async (event) => {
  const url = getRequestURL(event);
  const auth0Client = useAuth0(event);
  const session = await auth0Client.getSession();
  if (!session)  {
    return sendRedirect(event, `/auth/login?returnTo=${encodeURIComponent(url.pathname)}`);
  }
});

// server/api/protected.ts - API endpoint protection
export default defineEventHandler(async (event) => {
  const auth0Client = useAuth0(event);
  const session = await auth0Client.getSession();

  if (!session) {
    throw createError({
      statusCode: 401,
      statusMessage: 'Unauthorized'
    });
  }

  return { data: 'protected data' };
});

For role-based, permission-based, and advanced patterns: route-protection.md

Session Management

Stateless (Default)

Uses encrypted, chunked cookies. No configuration needed.

Stateful (Redis, MongoDB, etc.)

For larger sessions or distributed systems:

// nuxt.config.ts
modules: [
  ['@auth0/auth0-nuxt', {
    sessionStoreFactoryPath: '~/server/utils/session-store-factory.ts'
  }]
]

For complete session store implementations, see: session-stores.md

API Integration

Configure audience for API access tokens:

// nuxt.config.ts
runtimeConfig: {
  auth0: {
    audience: 'https://your-api-identifier',
  }
}

Retrieve tokens server-side:

// server/api/call-api.ts
export default defineEventHandler(async (event) => {
  const auth0Client = useAuth0(event);
  const { accessToken } = await auth0Client.getAccessToken();

  return await $fetch('https://api.example.com/data', {
    headers: {
      Authorization: `Bearer ${accessToken}`
    }
  });
});

Security Checklist

✅ Server-side validation only (never trust useUser())
✅ HTTPS in production
✅ Strong session secret (openssl rand -hex 64)
✅ Never commit .env files
✅ Stateful sessions for PII/large data

Troubleshooting

Error	Solution
"Module not found"	Install `@auth0/auth0-nuxt`, not `@auth0/auth0-vue`
"Missing domain/clientId/clientSecret"	Check `NUXT_AUTH0_` prefix, `.env` location, `runtimeConfig`
"Redirect URI mismatch"	Match Auth0 Dashboard callback to `appBaseUrl + /auth/callback`
"useAuth0 is not defined"	Use only in server context with H3 event object
Cookies too large	Use stateful sessions or reduce scopes

Additional Resources

Guides: Route Protection Patterns • Custom Session Stores • Common Examples

Links: Auth0-Nuxt GitHub • Auth0 Docs • Nuxt Modules

Comments

Loading comments...