Use when adding Auth0 login, logout, and callback handling to Java Servlet web applications - integrates com.auth0:mvc-auth-commons SDK for server-side Java apps using javax.servlet with session-based authentication. Triggers on AuthenticationController, AuthorizeUrl, Tokens, IdentityVerificationException, Java MVC auth.
Add Auth0 authentication to Java Servlet web applications using com.auth0:mvc-auth-commons. Provides AuthenticationController for building authorize URLs and handling callbacks, with session-based authentication and support for Organizations and Multiple Custom Domains.
Agent instruction: Before providing SDK setup instructions, fetch the latest release version by running:
```bash
gh api repos/auth0/auth0-java-mvc-common/releases/latest --jq '.tag_name'
```
Use the returned version in all dependency lines instead of any hardcoded version below. If the API call fails, use 1.12.0.
Prerequisites
Java 8+ (Java 17+ recommended)
Servlet container (Tomcat, Jetty, etc.) with javax.servlet 3+
Maven 3.6+ or Gradle 7+
Auth0 Regular Web Application configured
If you don't have Auth0 set up yet, use the auth0-quickstart skill first
When NOT to Use
| Use Case | Recommended Skill |
| --- | --- |
| Spring Boot web applications with auto-configuration | Use Spring Boot + Okta starter for auto-configured Spring Boot login |
| Spring Boot REST APIs (stateless JWT) | Use auth0-springboot-api for JWT Bearer token validation |
| Single Page Applications | Use auth0-react, auth0-vue, or auth0-angular for client-side auth |
| Mobile applications | Use auth0-android or auth0-swift for native mobile |
| Machine-to-machine API calls | Use Auth0 Management API SDK for server-to-server |
Quick Start Workflow
Agent instruction: If the user's prompt already provides Auth0 credentials (domain, client ID, client secret), use them directly — skip the bootstrap script and credential questions. Only offer setup options when credentials are missing.
You need a Regular Web Application (not SPA or Native) in Auth0.
STOP — ask the user before proceeding.
Ask exactly this question and wait for their answer before doing anything else:
"How would you like to create the Auth0 application?
1. Automated — I'll run Auth0 CLI scripts that create the application and write the values to your config automatically.
2. Manual — You create the application yourself in the Auth0 Dashboard (or via auth0 apps create) and provide me the Domain, Client ID, and Client Secret.
Which do you prefer? (1 = Automated / 2 = Manual)"
Do NOT proceed to any setup steps until the user has answered. Do NOT default to manual.
If the user chose Automated, follow the Setup Guide for complete CLI scripts. The automated path writes configuration for you — skip Step 3 below and proceed directly to Step 4.
If the user chose Manual, follow the Setup Guide (Manual Setup section). Then continue with Step 3.
Quick reference for manual application creation:
```bash
# Using Auth0 CLI
auth0 apps create \
  --name "My Java Web App" \
  --type regular \
  --callbacks http://localhost:3000/callback \
  --logout-urls http://localhost:3000
```
Or create manually in Auth0 Dashboard → Applications → Applications → Create Application → Regular Web Applications
3. Configure Credentials
Store credentials as environment variables (never hardcode in source):
Agent instruction: Java does not auto-load .env files. System.getenv() only reads OS-level environment variables. If you generate a .env file, you must also either: (1) add dotenv-java as a dependency and use Dotenv.load().get("AUTH0_DOMAIN") instead of System.getenv(), or (2) instruct the user to run source .env before starting the server. Do not generate code that uses both a .env file and System.getenv() without a loading mechanism — the values will be null.
Important: Domain must NOT include https://. The library constructs the issuer URL automatically.
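A fail-fast loader for the two pitfalls above (null values when nothing loaded the .env file, and a domain that carries a scheme). This is an added example, not code from the SDK or the original guide; the class name `Auth0Env` and the variable names `AUTH0_CLIENT_ID` and `AUTH0_CLIENT_SECRET` are assumptions, and only `AUTH0_DOMAIN` appears on this page.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

/** Added example (hypothetical helper, not part of the SDK): validated Auth0 settings. */
public final class Auth0Env {
    public final String domain;
    public final String clientId;
    public final String clientSecret;

    private Auth0Env(String domain, String clientId, String clientSecret) {
        this.domain = domain;
        this.clientId = clientId;
        this.clientSecret = clientSecret;
    }

    /** Pass System.getenv() in production, or a constructed map in unit tests. */
    public static Auth0Env from(Map<String, String> env) {
        List<String> missing = new ArrayList<>();
        String domain = require(env, "AUTH0_DOMAIN", missing);
        // The next two variable names are assumptions for this example.
        String clientId = require(env, "AUTH0_CLIENT_ID", missing);
        String clientSecret = require(env, "AUTH0_CLIENT_SECRET", missing);
        if (!missing.isEmpty()) {
            // Report variable names only, never their values.
            throw new IllegalStateException("Missing environment variables " + missing
                    + ": the JVM does not load .env files on its own");
        }
        if (domain.contains("://")) {
            throw new IllegalStateException("AUTH0_DOMAIN must not include a scheme such as https://");
        }
        return new Auth0Env(domain, clientId, clientSecret);
    }

    // Returns the trimmed value, or records the name when it is absent or blank.
    private static String require(Map<String, String> env, String name, List<String> missing) {
        String value = env.get(name);
        if (value == null || value.trim().isEmpty()) {
            missing.add(name);
            return "";
        }
        return value.trim();
    }

    public static void main(String[] args) {
        Auth0Env cfg = Auth0Env.from(System.getenv());
        System.out.println("Auth0 domain: " + cfg.domain); // the client secret is never printed
    }
}
```

Calling `Auth0Env.from(...)` once at startup turns a silent null credential into an immediate, named error before any authorize URL is built.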
4. Initialize AuthenticationController
Create a singleton AuthenticationController instance: