Skip to main content

Auth0 SDKs

Updated Auth0 SDKs to secure AI agent workflows:

Python Server SDK

The Auth0 Server Python SDK is a library for implementing user authentication in Python applications. 
pip install auth0-server-python
Below are examples that show how to use the Auth0 Python SDK to handle CIBA, RAR, and retrieving access tokens for external identity connections. Each snippet highlights a specific pattern for secure, server-side authentication flows. For more examples, click here.
Client-Initiated Backchannel Authentication (CIBA) enables applications to authenticate users via a separate channel or device, without requiring browser-based redirects.
  • binding_message: An optional, human-readable message to be displayed at the consumption device and authentication device. This allows the user to ensure the transaction initiated by the consumption device is the same that triggers the action on the authentication device.
  • login_hint[‘sub’]: The sub claim of the user that is trying to login using Client-Initiated Backchannel Authentication, and to which a push notification to authorize the login will be sent.
  • requested_expiry: The requested lifetime, in seconds, of the authentication request. The default value on Auth0 is 300 seconds.
from auth0_server_python import ServerClient

# Initialize the Auth0 client
auth0 = ServerClient(
    domain="YOUR_AUTH0_DOMAIN",
    client_id="YOUR_CLIENT_ID",
    client_secret="YOUR_CLIENT_SECRET",
    secret="YOUR_SECRET",
)

async def authenticate_via_backchannel():
    # Configure backchannel options
    options = {
        "login_hint": {"sub": "user-id"},  # The user identifier
        "binding_message": "Login to Example App",  # Message displayed to the user
        "authorization_params": {
            "requested_expiry": 300,  # Optional: Token expiry time in seconds
        }
    }

    # Initiate backchannel authentication
    try:
        result = await auth0.login_backchannel(options)

        # Authentication successful
        print(f"User authenticated successfully")
        print(f"Token type: {result.get('token_type')}")
        print(f"Expires in: {result.get('expires_in')} seconds")

        # You can now use the session for API calls
        return result
    except Exception as e:
        print(f"Authentication failed: {str(e)}")
        return None
When using Client-Initiated Backchannel Authentication, you can also use Rich Authorization Requests (RAR) by setting authorizationParams.authorization_details:
result = await auth0.login_backchannel({
    "binding_message": "<binding_message>",
    "login_hint": {
        "sub": "auth0|123456789"
    },
    "authorization_params": {
        "authorization_details": json.dumps([{
            "type": "<type>",
            # additional fields here
        }])
    }
})
The SDK’s get_access_token_for_connection() can be used to retrieve an Access Token for a connection (e.g. google-oauth2) for the current logged-in user:
connection_options = {
    "connection": "google-oauth2"
    # optionally "login_hint": "<some_hints>"
}
access_token_for_google = await server_client.get_access_token_for_connection(connection_options)
  • connection: The connection for which an access token should be retrieved, e.g. google-oauth2 for Google.
  • loginHint: Optional login hint to inform which connection account to use, can be useful when multiple accounts for the connection exist for the same user.
The SDK will cache the token internally, and return it from the cache when not expired. When no token is found in the cache, or the token is expired, calling get_access_token_for_connection() will call Auth0 to retrieve a new token and update the cache.In order to do this, the SDK needs access to a Refresh Token. So ensure to always include offline_access if you want to be able to retrieve and refresh an access token for a connection.

Python API SDK

The auth0-api-python library allows you to secure APIs running on Python, particularly for verifying Auth0-issued access tokens. It’s intended as a foundation for building more framework-specific integrations (e.g., with FastAPI, Django, etc.), but you can also use it directly in any Python server-side environment. 
pip install auth0-api-python
Below is an example demonstrating how to use the Auth0 Python API SDK to exchange an Auth0 access token for an access token from an upstream identity provider (via a specified connection). This is useful when you want to act on behalf of the user with external APIs beyond Auth0. For more examples, click here.
If you need to get an access token for an upstream idp via a connection, you can use the get_access_token_for_connection method:
import asyncio

from auth0_api_python import ApiClient, ApiClientOptions

async def main():
    api_client = ApiClient(ApiClientOptions(
        domain="<AUTH0_DOMAIN>",
        audience="<AUTH0_AUDIENCE>",
        client_id="<AUTH0_CLIENT_ID>",
        client_secret="<AUTH0_CLIENT_SECRET>",
    ))
    connection = "my-connection" # The Auth0 connection to the upstream idp
    access_token = "..." # The Auth0 access token to exchange

    connection_access_token = await api_client.get_access_token_for_connection({"connection": connection, "access_token": access_token})
    # The returned token is the access token for the upstream idp
    print(connection_access_token)

asyncio.run(main())

FastAPI SDK

The Auth0 FastAPI SDK is a library for implementing user authentication in FastAPI web applications using Auth0. 
pip install auth0-fastapi

FastAPI API SDK

The Auth0 FastAPI API SDK library allows you to secure FastAPI APIs using bearer tokens from Auth0. It exposes a simple require_auth dependency that checks if incoming requests have a valid JWT, then provides the token claims to your route handler. 
pip install auth0-fastapi-api
Below is an example demonstrating how to use the Auth0 FastAPI API SDK to exchange an Auth0 access token for an access token from an upstream identity provider (via a specified connection). This is useful when you want to act on behalf of the user with external APIs beyond Auth0. For more examples, click here.
If you need to get an access token for an upstream idp via a connection, you can use the get_access_token_for_connection method on the underlying api_client:
import asyncio

from auth0_fastapi_api import Auth0FastAPI

async def main():
    auth0 = Auth0FastAPI(
        domain="<AUTH0_DOMAIN>",
        audience="<AUTH0_AUDIENCE>",
        client_id="<AUTH0_CLIENT_ID>",
        client_secret="<AUTH0_CLIENT_SECRET>",
    )
    connection = "my-connection" # The Auth0 connection to the upstream idp
    access_token = "..." # The Auth0 access token to exchange

    connection_access_token = await auth0.api_client.get_access_token_for_connection({"connection": connection, "access_token": access_token})
    # The returned token is the access token for the upstream idp
    print(connection_access_token)

asyncio.run(main())

Auth0 AI SDKs

Auth0 AI SDKs to streamline integrating your application with popular agentic frameworks:

Auth0 AI SDK

This SDK provides base abstractions for authentication and authorization in AI applications, including tools for implementing asynchronous user authentication using the Client Initiated Backchannel Authentication (CIBA) protocol. It supports:
  • A RAG Retriever for using OpenFGA
  • Tools for implementing asynchronous user authentication,
  • Tools for getting access tokens for third-party connections,
  • OpenFGA-based tool authorizers.
pip install auth0-ai