Labsco
auth0 logo

auth0-springboot-api

37

by auth0 · part of auth0/agent-skills

Use when securing Spring Boot API endpoints with JWT Bearer token validation, scope-based authorization, or DPoP proof-of-possession - integrates…

🔥🔥🔥🔥✓ VerifiedFreeQuick setup
🧩 One of 7 skills in the auth0/agent-skills package — works on its own, and pairs well with its siblings.

Use when securing Spring Boot API endpoints with JWT Bearer token validation, scope-based authorization, or DPoP proof-of-possession - integrates…

Inspect the full instructions your agent will receiveExpand

This is the exact playbook injected into your agent when the skill activates — shown here so you can audit it before installing. You don't need to read it to use the skill.

by auth0

Use when securing Spring Boot API endpoints with JWT Bearer token validation, scope-based authorization, or DPoP proof-of-possession - integrates… npx skills add https://github.com/auth0/agent-skills --skill auth0-springboot-api Download ZIPGitHub37

Auth0 Spring Boot API Integration

Protect Spring Boot API endpoints with JWT access token validation using com.auth0:auth0-springboot-api. Features auto-configuration, scope-based authorization, and built-in DPoP (RFC 9449) support.

Agent instruction: Before providing SDK setup instructions, fetch the latest release version by running:

Copy & paste — that's it
gh api repos/auth0/auth0-auth-java/releases/latest --jq '.tag_name'

Use the returned version in all dependency lines instead of any hardcoded version below. If the API call fails (e.g., no releases yet), use 1.0.0-beta.1.

When NOT to Use

Use Case Recommended Skill Server-rendered web applications (Spring MVC with sessions) Use auth0-java for Spring Boot web apps with login UI Single Page Applications Use auth0-react, auth0-vue, or auth0-angular for client-side auth Mobile applications Use auth0-android or auth0-swift for native mobile Non-Spring Java APIs Use auth0-spring-security-api for plain Spring Security

Scope-Based Authorization

See Integration Guide for defining and enforcing scope-based access control via filter chain, @PreAuthorize, or programmatic checks.

DPoP Support

Built-in proof-of-possession token binding per RFC 9449. See Integration Guide for configuration modes (DISABLED, ALLOWED, REQUIRED).

Related Skills

  • auth0-quickstart — Basic Auth0 setup and account creation

  • auth0-java — Spring Boot web apps with login UI (Regular Web Application)

Quick Reference

Configuration Properties (application.yml):

  • auth0.domain — Auth0 tenant domain, no https:// prefix (required)

  • auth0.audience — API Identifier from Auth0 API settings (required)

  • auth0.dpop-mode — DPoP mode: DISABLED, ALLOWED (default), REQUIRED

  • auth0.dpop-iat-offset-seconds — DPoP proof time window (default: 300)

  • auth0.dpop-iat-leeway-seconds — DPoP proof time leeway (default: 30)

User Claims (via Auth0AuthenticationToken):

  • authentication.getName() — User ID (subject / sub claim)

  • token.getClaim("email") — Any specific claim by name

  • token.getClaims() — All JWT claims as Map<String, Object>

  • token.getScopes() — Scopes as Set<String>

Common Use Cases:

  • Protect routes → requestMatchers("/path").authenticated() (see Step 4)

  • Scope enforcement → hasAuthority("SCOPE_read:data") or @PreAuthorize (see Integration Guide)

  • DPoP token binding → Integration Guide

  • Complete API reference → API Reference

Detailed Documentation

  • Setup Guide — Auth0 CLI automation, environment configuration, secret management

  • Integration Guide — Scope policies, DPoP, controller patterns, error handling

  • API Reference — Complete configuration options, claims reference, testing checklist

References