Skip to main content
Use Auth0 when it is already approved as the enterprise identity broker or when a deployment needs Auth0-managed upstream connections. Direct Google Workspace is simpler when Google is the customer’s system of record.

Auth0 application

Create a Regular Web Application. Configure:
For localhost, add the same values with http://localhost:3000. Do not use Auth0 development keys in production. Use a tenant/application owned by the deploying organization and store the client secret in its secret manager.

Overlay environment

The issuer must be the Auth0 tenant issuer, not the Overlay origin. Keep local, staging, and production applications and secrets separate.

Regression smoke

  • /api/auth/options exposes only the Auth0 connection.
  • The SSO route redirects to the configured Auth0 tenant.
  • Auth0 returns to the exact auth0 callback path.
  • The resulting Overlay session has a verified, allowed-domain email.
  • Refresh, sign-out, and account deletion operate through Better Auth.