Skip to main content
When you design the login experience for your application, you’ll need to decide if you want it to be hosted (Universal Login) or embedded.

Hosted login

In a hosted login flow, the application redirects the user to the to perform authentication, and then the authorization server returns the user to the application.

Universal Login flow

In the typical user authentication experience with :
  1. Your application triggers an authentication request by invoking an Auth0 SDK’s login method or by calling the Auth0 Authentication API Login endpoint directly.
  2. Your application redirects the user to the Auth0 authorization server (your Auth0 tenant).
  3. Auth0 checks for a session cookie on the Auth0 Session Layer.
    • If a session cookie is not found, Auth0 redirects the user to Universal Login to authenticate and creates an associated session cookie.
    • If a session cookie is found, Auth0 uses it to authenticate the user.
  4. Auth0 returns the user to your application with an ID token and an access token.

Embedded login

In an embedded login flow, the user authenticates directly within your application. The application serves the login form, collects the user’s credentials, sends that data to the authentication provider, and then receives a response with the user’s and . For web applications, embedded login uses cross-origin authentication unless you configure a custom domain for your Auth0 tenant. Cross-origin authentication uses third-party cookies to allow for secure authentication transactions across different origins.

Feature comparison

Best practice

According to RFC 8252: OAuth 2.0 for Native Apps on IETF, only external user-agents (such as the browser) should be used by native applications for authentication flows.