Auth0 API Integration Best Practices
Integrating Application Programming Interfaces (APIs) with Auth0 requires configuring network settings in accordance with current standards. Implementing the recommended Domain Name System (DNS) resolutions, Transport Layer Security (TLS) configurations, and Hypertext Transfer Protocol (HTTP) optimization strategies ensures resilient connections and maintains the security of authentication traffic.
What are the best practices for DNS and hostname resolution?
Implement the following DNS and hostname resolution strategies to maintain reliable connectivity with Auth0 services.
- Use Auth0-provided hostnames: Connect to Auth0 using the provided hostnames instead of the underlying IP address. Auth0 infrastructure depends on DNS-based traffic steering for load balancing, cloud and Content Delivery Network (CDN) routing, and region failover. Avoid using DNS-based filtering.
- Respect DNS Time to Live (TTL): Honor the TTL provided by DNS. TTL values remain low to allow applications to respond to infrastructure changes quickly.
- DNS caching: Use the operating system DNS resolver where possible. Ensure application-level resolvers cache responses no longer than the TTL.
- Support multiple A/AAAA records: Auth0 returns multiple IP addresses for a given hostname. Distribute connections across the returned IPs through round-robin or randomized assignment, and configure the client to fail over immediately to another address if one is unreachable.
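The DNS rules above (cache no longer than the TTL, spread connections across every returned address, fail over at once) as a small client-side helper. This is an added example, not Auth0 code: the `resolve` and `connect` callables are injected because the standard-library resolver does not expose TTLs, and the hostname in the comments is a constructed placeholder.

```python
import random
import time


class TtlBoundedResolver:
    """Caches resolved addresses for no longer than the TTL the DNS answer carried.

    `resolve` is an injected callable: hostname -> (addresses, ttl_seconds).
    In production it would wrap a DNS library that reports TTLs; `clock` is
    injectable so the expiry logic can be tested without waiting.
    """

    def __init__(self, resolve, clock=time.monotonic):
        self._resolve = resolve
        self._clock = clock
        self._cache = {}  # hostname -> (addresses, expiry_time)

    def addresses(self, hostname):
        now = self._clock()
        cached = self._cache.get(hostname)
        if cached is None or now >= cached[1]:
            # Never seen or expired: ask DNS again and honor its TTL verbatim.
            addrs, ttl = self._resolve(hostname)
            cached = (list(addrs), now + ttl)
            self._cache[hostname] = cached
        return list(cached[0])  # copy, so callers can shuffle freely


def connect_with_failover(hostname, port, resolver, connect, rng=random):
    """Try every returned address in random order; move on immediately on OSError.

    `connect(addr, port)` is the injected transport (e.g. socket.create_connection).
    Example hostname used in tests: "tenant.example.test" (constructed).
    """
    addrs = resolver.addresses(hostname)
    rng.shuffle(addrs)  # randomized assignment across A/AAAA records
    failures = []
    for addr in addrs:
        try:
            return connect(addr, port)
        except OSError as exc:
            failures.append((addr, repr(exc)))
    raise ConnectionError(f"all {len(addrs)} addresses for {hostname} failed: {failures}")
```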
What are the best practices for Transport Layer Security (TLS)?
Configure TLS settings according to the following guidelines to ensure secure, uninterrupted communication.
- Use modern TLS versions: Auth0 only accepts HTTP requests over TLS. Use TLS 1.3 or TLS 1.2. Auth0 does not support TLS 1.1 and below.
- Use modern cipher suites: Avoid highly customized client cipher suite configurations. Use default secure settings from the runtime unless compliance constraints require otherwise (for example, FIPS). Clients with limited cipher suite support may be rejected. To review the available ciphers, read TLS (SSL) Versions and Ciphers.
- Support Server Name Indication (SNI): APIs must use the SNI TLS extension on all HTTPS traffic to Auth0. Auth0 rejects traffic without SNI.
- Honor certificate validation: Do not disable certificate validation or pin certificates. Auth0 renews and replaces certificates automatically. Certificate pinning can cause service disruptions.
- Allow intermediate certificate rotation: Ensure the TLS client trusts any valid, publicly-trusted certificate authority in the operating system trust store by default, updates the trust store during regular updates, avoids pinning intermediate certificates, and rejects only invalid chains.
- Enable TLS session resumption and reuse: Allow TLS session tickets or session IDs in HTTP/2 to reduce the TLS handshake overhead.
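The TLS guidance above expressed as a client context plus a startup self-check. This is an added example using the Python standard library, not Auth0 SDK code; `weakened_context()` is the anti-pattern shown only so the check has something to flag, and `open_tls_connection()` assumes a reachable hostname supplied by the caller.

```python
import socket
import ssl


def auth0_client_context():
    """TLS client context matching the guidance: TLS 1.2+, full chain validation
    against the OS trust store, hostname checking, runtime-default cipher list."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.1 and below
    # Deliberately no ctx.set_ciphers(): keep the runtime's default suites.
    # Deliberately no pinned leaf/intermediate: certificate rotation must keep working.
    return ctx


def weakened_context():
    """The anti-pattern, for contrast: validation off, any protocol version allowed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                    # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def tls_context_problems(ctx):
    """Startup self-check: list every way a context departs from the guidance."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("minimum TLS version below 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate chain validation disabled")
    if not ctx.check_hostname:
        problems.append("hostname verification disabled")
    return problems


def open_tls_connection(ctx, hostname, port=443):
    """Connect and wrap the socket; server_hostname is what sends the SNI extension
    and drives hostname verification, so it must always be passed."""
    raw = socket.create_connection((hostname, port))
    return ctx.wrap_socket(raw, server_hostname=hostname)
```

Run `tls_context_problems()` once at service start and refuse to boot on a non-empty list, which turns a silently weakened HTTP client into a visible deployment failure.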
What are the best practices for HTTP configurations?
Optimize HTTP traffic by applying the following protocol and connection management standards.
- Use a modern HTTP protocol: Use HTTP/2 or HTTP/3. These protocols provide connection multiplexing, use HTTP header compression, and require fewer Transmission Control Protocol (TCP) connections.
- NOTE: HTTP/1.1 is fully supported but less efficient. Avoid it unless required.
- Enable and reuse persistent connections: Configure the API to reuse HTTP connections to reduce request latency and improve reliability. Keep connections open for up to 300 seconds, limit maximum idle connections, avoid creating a new HTTP API object per request, and rotate connections periodically to refresh their health.
- Request Retries: Implement request retries for idempotent requests. Inspect the HTTP Retry-After response header to determine the wait time before an application can make another request (for example, Retry-After: 300).
  - If the header is present, wait the specified number of seconds before retrying a request. Adherence to Retry-After ensures fair usage and prevents cascading failures or rate-limiting.
  - If the header is absent, use exponential backoff to determine the retry interval and limit attempts to a maximum of three.
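The retry policy above (idempotent requests only, Retry-After honored when present, otherwise exponential backoff limited to three retries) as a transport-agnostic helper. This is an added example, not Auth0 SDK code: `send` and `sleep` are injected callables, the URL paths used in the tests are constructed, "three" is read as three retries after the first attempt, and only the delta-seconds form of Retry-After is parsed.

```python
IDEMPOTENT_METHODS = {"GET", "HEAD", "PUT", "DELETE", "OPTIONS"}
RETRYABLE_STATUS = {429, 502, 503, 504}
MAX_RETRIES = 3


def retry_delay(headers, retry_number, base=0.5, cap=30.0):
    """Seconds to wait before retry number `retry_number` (1-based).

    A Retry-After header (delta-seconds form; the HTTP-date form is not
    handled here) takes precedence. Without it: capped exponential backoff."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    value = lowered.get("retry-after", "").strip()
    if value.isdigit():
        return float(value)
    return min(cap, base * 2 ** (retry_number - 1))


def send_with_retries(send, method, url, sleep, max_retries=MAX_RETRIES):
    """Call send(method, url) -> (status, headers) and retry on 429/502/503/504 or a
    transport OSError, but only for idempotent methods and at most `max_retries`
    times. Returns (final_status, retries_used); non-idempotent requests such as
    POST are sent exactly once so a token exchange is never silently duplicated."""
    retryable = method.upper() in IDEMPOTENT_METHODS
    retries = 0
    while True:
        try:
            status, headers = send(method, url)
        except OSError:
            if not retryable or retries >= max_retries:
                raise
            status, headers = None, {}  # transport failure, treated as retryable
        if status is not None and status not in RETRYABLE_STATUS:
            return status, retries
        if not retryable or retries >= max_retries:
            return status, retries
        retries += 1
        sleep(retry_delay(headers, retries))
```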
What are the best practices for Auth0 SDKs?
Select the appropriate official Auth0 SDK based on the application architecture to ensure automatic support for resilient connection pooling, retry logic, and security standards.
- Authentication and Authorization SDKs: Use these SDKs for end-user login and obtaining tokens.
  - Single-Page Applications (SPA): JavaScript/TypeScript libraries handle token lifecycles and Proof Key for Code Exchange (PKCE) flows in the browser (for example, React, Vue, Angular).
  - Regular Web Applications: Server-side libraries manage sessions and cookie-based transactions (for example, Node.js, ASP.NET Core, PHP).
  - Native/Mobile Applications: Platform-native libraries interact with system browsers and secure storage (Swift, Kotlin, React Native).
- Backend Service and API: Use these libraries to validate incoming Access Tokens. These libraries handle cryptographic signature verification and caching of JSON Web Key Sets (JWKS).
- Management API SDKs: Use these SDKs to programmatically perform administrative tasks, such as creating new users and rotating Client Secrets. These SDKs handle rate-limiting headers and retry logic.