Use when adding Auth0 authentication to an iOS, macOS, tvOS, watchOS, or visionOS application — integrates the Auth0.swift SDK for native Apple platform auth...
---
name: auth0-swift
description: Use when adding Auth0 authentication to an iOS, macOS, tvOS, watchOS, or visionOS application — integrates the Auth0.swift SDK for native Apple platform authentication using Web Auth, CredentialsManager, and biometric protection.
license: Proprietary
metadata:
author: Auth0 <support@auth0.com>
version: '1.0.1'
openclaw:
emoji: "\U0001F510"
homepage: https://github.com/auth0/agent-skills
---
# Auth0 Swift Integration
Auth0.swift is the official Auth0 SDK for Apple platforms (iOS, macOS, tvOS, watchOS, visionOS). This skill adds complete native authentication to Swift apps using Web Auth (system browser redirect), secure Keychain credential storage via `CredentialsManager`, and optional biometric protection.
> **Agent instruction:** Before providing SDK setup instructions, fetch the latest release version by running:
> ```bash
> gh api repos/auth0/Auth0.swift/releases/latest --jq '.tag_name'
> ```
> Use the returned version in all dependency lines instead of any hardcoded version below. Current known version: `2.18.0`.
## When NOT to Use
- **Android apps**: Use [auth0-android](/auth0-android)
- **React Native apps**: Use [auth0-react-native](/auth0-react-native)
- **Flutter apps**: Use the native Flutter Auth0 SDK
- **Web SPAs** (React, Angular, Vue): Use [auth0-react](/auth0-react), [auth0-angular](/auth0-angular), or [auth0-vue](/auth0-vue)
- **Node.js/Express servers**: Use [auth0-express](/auth0-express)
## Prerequisites
- **iOS** 14.0+ / **macOS** 11.0+ / tvOS 14.0+ / watchOS 7.0+ / visionOS 1.0+
- **Xcode** 16.x
- **Swift** 6.0+
- Auth0 account — [Sign up free](https://auth0.com/signup)
- Node.js 20+ (for bootstrap script automation)
- Auth0 CLI — `brew install auth0/auth0-cli/auth0` (for bootstrap script)
## Quick Start Workflow
> **Agent instruction:** Follow these steps in order. If you encounter an error at any step, attempt to fix it up to 5 times before calling `AskUserQuestion` to ask the user for guidance. Always search existing code first — if there are existing login/logout handlers, hook into them rather than creating new ones.
### Step 1 — Install SDK
> **Agent instruction:** Check the project directory for an existing package manager file:
> - `Podfile` present → **CocoaPods**
> - `Cartfile` present → **Carthage**
> - `Package.swift` present → **Swift Package Manager**
>
> If none are found, ask via `AskUserQuestion`: _"Which dependency manager does your project use — Swift Package Manager, CocoaPods, or Carthage?"_
>
> **Swift Package Manager — `Package.swift` project:** Run this command in the project root to add the dependency automatically, then add `"Auth0"` to the target's `dependencies` array in `Package.swift`:
> ```bash
> swift package add-dependency https://github.com/auth0/Auth0.swift --from 2.18.0
> ```
>
> **Swift Package Manager — Xcode project (`.xcodeproj`, no `Package.swift`):** The CLI command does not apply. Instruct the user to add the package via Xcode: File → Add Package Dependencies → `https://github.com/auth0/Auth0.swift` → Up to Next Major Version from `2.18.0`.
>
> **CocoaPods or Carthage:** Follow the matching installation steps in [Setup Guide](./references/setup.md#sdk-installation). Do not just show the instructions — perform the file edits and run the commands.
### Step 2 — Configure Auth0
> **Agent instruction:**
> - **If Auth0 credentials (domain AND client ID) are already in the user's prompt:** Write `Auth0.plist` directly with those values and proceed to Step 3.
> - **If no credentials are provided:** Run the bootstrap script — do NOT ask the user to create or configure an Auth0 application manually. Always use the CLI path.
>
> Follow [Setup Guide — Auth0 Configuration](./references/setup.md#auth0-configuration) for pre-flight checks and the script command.
### Step 3 — Configure Callback URLs
> **Agent instruction:**
> 1. Read `Auth0.plist` to obtain `ClientId` and `Domain`.
> 2. Extract the bundle identifier from `project.pbxproj`: search for `PRODUCT_BUNDLE_IDENTIFIER`, skip values containing `$(` or `Tests`.
> 3. Ask the user via `AskUserQuestion`: _"Which callback URL scheme would you like to use?"_
> - **Custom scheme** (`{bundle}://`) — simpler, works on all Apple platforms
> - **HTTPS Universal Links** — recommended for production; prevents URL scheme hijacking
>
> Then follow **only** the matching path below.
#### Path A — Custom Scheme
> **Agent instruction:** Register the callback URLs using the Auth0 CLI (substitute real values for `CLIENT_ID`, `BUNDLE_ID`, `DOMAIN`):
> ```bash
> auth0 apps update CLIENT_ID \
> --callbacks "BUNDLE_ID://DOMAIN/ios/BUNDLE_ID/callback" \
> --logout-urls "BUNDLE_ID://DOMAIN/ios/BUNDLE_ID/callback" \
> --no-input
> ```
> Then follow the [URL scheme registration steps in Setup Guide](./references/setup.md#register-url-scheme-required-for-custom-scheme-callbacks) to register `$(PRODUCT_BUNDLE_IDENTIFIER)` as a URL type in Xcode.
#### Path B — HTTPS Universal Links
> **Agent instruction:** All four steps below are required — skipping any one will cause the callback redirect to fail silently after login.
>
> **Step B1 — Register callback URLs via Auth0 CLI:**
> Register both HTTPS and custom scheme so the app works in all scenarios:
> ```bash
> auth0 apps update CLIENT_ID \
> --callbacks "https://DOMAIN/ios/BUNDLE_ID/callback,BUNDLE_ID://DOMAIN/ios/BUNDLE_ID/callback" \
> --logout-urls "https://DOMAIN/ios/BUNDLE_ID/callback,BUNDLE_ID://DOMAIN/ios/BUNDLE_ID/callback" \
> --no-input
> ```
>
> **Step B2 — Configure Device Settings via Auth0 CLI:**
> Extract `DEVELOPMENT_TEAM` from `project.pbxproj` (10-character value, e.g. `ABC12DE34F`). If not found, ask via `AskUserQuestion`: _"What is your Apple Team ID? (developer.apple.com → Account → Membership Details)"_
> ```bash
> auth0 api patch applications/CLIENT_ID \
> --data '{"mobile":{"ios":{"team_id":"TEAM_ID","app_bundle_identifier":"BUNDLE_ID"}}}' \
> --no-input
> ```
> Auth0 will now host `https://DOMAIN/.well-known/apple-app-site-association` automatically — required for Universal Links to work on device.
>
> **Step B3 — Add Associated Domains entitlement in Xcode:**
> Add `com.apple.developer.associated-domains` to the app's `.entitlements` file with both `applinks:` and `webcredentials:` entries for the Auth0 domain. See [Setup Guide — Associated Domains](./references/setup.md#associated-domains-setup-https-universal-links) for the complete entitlements XML, Xcode capability steps, and build settings verification.
>
> **Step B4 — Use `.useHTTPS()` in the SDK:**
> ```swift
> Auth0.webAuth().useHTTPS()
> ```
### Step 4 — Implement Authentication
> **Agent instruction:** Search the project for `@main struct` (SwiftUI) or `AppDelegate`/`UIViewController` (UIKit) to detect the UI framework. If ambiguous, ask via `AskUserQuestion`: _"Does your app use SwiftUI or UIKit?"_ Then follow **only** the matching path below.
#### SwiftUI
> **Agent instruction:** Create `AuthenticationService.swift` as an `ObservableObject`, then wire it into the app entry point and root view. Search for the `@main` struct and `ContentView` (or equivalent root view) and update them as shown.
```swift
// AuthenticationService.swift
import Auth0
import Combine
class AuthenticationService: ObservableObject {
@Published var isAuthenticated = false
private let credentialsManager = CredentialsManager(authentication: Auth0.authentication())
init() { isAuthenticated = credentialsManager.canRenew() }
func login() async {
do {
let credentials = try await Auth0
.webAuth()
.useHTTPS()
.scope("openid profile email offline_access")
.start()
_ = credentialsManager.store(credentials: credentials)
await MainActor.run { isAuthenticated = true }
} catch WebAuthError.userCancelled { }
catch { print("Login failed: \(error)") }
}
func logout() async {
do { try await Auth0.webAuth().useHTTPS().clearSession() }
catch { print("Logout failed: \(error)") }
_ = credentialsManager.clear()
await MainActor.run { isAuthenticated = false }
}
}
```
```swift
// @main App struct — inject AuthenticationService as environment object
@StateObject private var auth = AuthenticationService()
// In body: ContentView().environmentObject(auth)
// Root ContentView — branch on authentication state
@EnvironmentObject var auth: AuthenticationService
// In body: if auth.isAuthenticated { HomeView() } else { LoginView() }
```
For complete SwiftUI app lifecycle wiring, see [Integration Patterns](./references/integration.md#swiftui-app-lifecycle-recommended).
#### UIKit
> **Agent instruction:** Create `AuthenticationService.swift` as a plain class, then add login/logout calls to the relevant `UIViewController`. Also check whether the app uses `SFSafariViewController` — if so, add `WebAuthentication.resume(with:)` to `AppDelegate`/`SceneDelegate` (see note below).
```swift
// AuthenticationService.swift
import Auth0
class AuthenticationService {
private let credentialsManager = CredentialsManager(authentication: Auth0.authentication())
var isAuthenticated: Bool { credentialsManager.canRenew() }
func login() async throws {
let credentials = try await Auth0
.webAuth()
.useHTTPS()
.scope("openid profile email offline_access")
.start()
_ = credentialsManager.store(credentials: credentials)
}
func logout() async throws {
try await Auth0.webAuth().useHTTPS().clearSession()
_ = credentialsManager.clear()
}
}
```
```swift
// In your UIViewController
private let auth = AuthenticationService()
@IBAction func loginTapped(_ sender: UIButton) {
Task {
do {
try await auth.login()
await MainActor.run { navigateToHome() }
} catch WebAuthError.userCancelled { }
catch { print("Login failed: \(error)") }
}
}
@IBAction func logoutTapped(_ sender: UIButton) {
Task {
do { try await auth.logout() }
catch { print("Logout failed: \(error)") }
await MainActor.run { navigateToLogin() }
}
}
```
> **Note — SFSafariViewController only:** If the app uses `.provider(WebAuthentication.safariProvider())` instead of the default `ASWebAuthenticationSession`, add `WebAuthentication.resume(with: url)` to `AppDelegate.application(_:open:url:options:)` and `SceneDelegate.scene(_:openURLContexts:)`. See [Integration Patterns](./references/integration.md#uikit-app-lifecycle) for the exact code.
### Step 5 — Verify Build
> **Agent instruction:** Run a build to verify the integration compiles without errors:
> ```bash
> xcodebuild build -scheme YOUR_SCHEME -destination "platform=iOS Simulator,name=iPhone 16"
> ```
> If the build fails, review error messages and fix up to 5 times before asking the user.
## Detailed Documentation
- **[Setup Guide](./references/setup.md)** — Auth0 Dashboard configuration, bootstrap script, manual setup, URL scheme registration, CocoaPods/SPM/Carthage install
- **[Integration Patterns](./references/integration.md)** — Web Auth login/logout, CredentialsManager, biometric protection, MFA, organizations, error handling, SwiftUI/UIKit patterns
- **[API Reference & Testing](./references/api.md)** — Full API reference, configuration options, claims reference, testing checklist, troubleshooting
## Common Mistakes
| Mistake | Fix |
|---------|-----|
| Auth0 app type not set to **Native** | In Auth0 Dashboard, select "Native" when creating the application |
| Missing callback URL in Auth0 Dashboard | Add both `https://` Universal Link and `{bundle}://` custom scheme to Allowed Callback URLs and Logout URLs |
| `Auth0.plist` not added to Xcode target | Right-click file in Navigator → "Add Files to Target" → check your app target |
| Missing `offline_access` scope | Add `"offline_access"` to scope string to receive a refresh token for silent renewal |
| Tokens stored in `UserDefaults` | Always use `CredentialsManager` — it stores tokens in Keychain with access control |
| Calling `credentialsManager.credentials()` before `store()` | Store credentials from login result before attempting to retrieve |
| Opening `.xcodeproj` instead of `.xcworkspace` (CocoaPods) | Always open the `.xcworkspace` file after `pod install` |
| Not calling `clearSession()` on logout | Always call `clearSession()` to remove the Auth0 session cookie from the browser |
| Build error "No such module 'Auth0'" | Verify the package is added to the correct target; for CocoaPods, open `.xcworkspace` |
## Related Skills
- `auth0-quickstart` - Basic Auth0 setup
- `auth0-cli` - Manage Auth0 resources from the terminal
---
## References
- [Auth0.swift GitHub](https://github.com/auth0/Auth0.swift)
- [iOS/macOS Quickstart](https://auth0.com/docs/quickstart/native/ios-swift)
- [Auth0.swift API Documentation](https://auth0.github.io/Auth0.swift/documentation/auth0/)
- [Auth0 Dashboard](https://manage.auth0.com)
- [EXAMPLES.md](https://github.com/auth0/Auth0.swift/blob/master/EXAMPLES.md)
don't have the plugin yet? install it then click "run inline in claude" again.
added explicit decision points for missing credentials and framework detection, broke procedure into 5 numbered steps with clear inputs/outputs, documented external connections (auth0 dashboard, cli, development team id), added edge cases (rate limits, auth expiry, empty result sets, network timeouts, sfsafariviewcontroller resume handlers), expanded output contract with file locations and keychain storage guarantees, clarified outcome signal with testable user actions.
add native authentication to iOS, macOS, tvOS, watchOS, or visionOS apps via the official Auth0.swift SDK. use this when you need Web Auth (system browser redirect), secure Keychain storage via CredentialsManager, optional biometric unlock, and token refresh without asking the user to log in again. do not use for android, react native, flutter, web SPAs, or backend services.
auth0 account and credentials:
example.auth0.com) , from Auth0 Dashboarddevelopment environment:
brew install auth0/auth0-cli/auth0 (for automated setup)project setup:
package.swift (swift package manager), podfile (cocoapods), or cartfile (carthage)product_bundle_identifier in project.pbxproj)external connections:
~/.auth0/config.json or AUTH0_TOKEN env varpackage.swift, podfile, cartfileaskuserquestion: "which dependency manager does your project use: swift package manager, cocoapods, or carthage?"gh api repos/auth0/Auth0.swift/releases/latest --jq '.tag_name' and store result (fallback to 2.18.0 if unavailable)swift package add-dependency https://github.com/auth0/Auth0.swift --from <VERSION> and add "Auth0" to target dependencies arrayhttps://github.com/auth0/Auth0.swift > up to next major version from <VERSION>./references/setup.md#sdk-installation (perform file edits and run commands, do not just show instructions)auth0.plist with domain and clientid keys, proceed to step 3./references/setup.md#auth0-configuration using auth0 cliauth0.plist file in xcode project with correct domain and client idauth0.plist file (read domain and client id), project.pbxproj (extract bundle identifier)product_bundle_identifier from project.pbxproj, skip any value containing $( or tests{bundle}://) for simplicity, or https universal links for production security?"auth0 apps update CLIENT_ID --callbacks "BUNDLE_ID://DOMAIN/ios/BUNDLE_ID/callback" --logout-urls "BUNDLE_ID://DOMAIN/ios/BUNDLE_ID/callback" --no-input./references/setup.md#register-url-scheme-required-for-custom-scheme-callbacks (register $(PRODUCT_BUNDLE_IDENTIFIER) as url type in xcode)development_team from project.pbxproj (10-char value)askuserquestion: "what is your apple team id (developer.apple.com > account > membership details)?"auth0 apps update CLIENT_ID --callbacks "https://DOMAIN/ios/BUNDLE_ID/callback,BUNDLE_ID://DOMAIN/ios/BUNDLE_ID/callback" --logout-urls "https://DOMAIN/ios/BUNDLE_ID/callback,BUNDLE_ID://DOMAIN/ios/BUNDLE_ID/callback" --no-inputauth0 api patch applications/CLIENT_ID --data '{"mobile":{"ios":{"team_id":"TEAM_ID","app_bundle_identifier":"BUNDLE_ID"}}}' --no-input./references/setup.md#associated-domains-setup-https-universal-links and add com.apple.developer.associated-domains entitlement with both applinks: and webcredentials: entries to .entitlements file.useHTTPS() on Auth0.webAuth() calls.well-known/apple-app-site-association at https://DOMAIN, entitlements file updated, sdk ready to use https@main struct (swiftui) or appdelegate/uiviewcontroller (uikit)askuserquestion: "does your app use swiftui or uikit?"@main struct and contentview or root viewauthenticationservice.swift as observableobject with @published var isAuthenticated, credentialsmanager instance, login() async method, and logout() async method@main app struct: add @stateobject private var auth = AuthenticationService(), pass .environmentobject(auth) to root contentview@environmentobject var auth: AuthenticationService, add conditional rendering: if auth.isAuthenticated { homeview() } else { loginview() }auth.login() in a task block, navigate to home on successauth.logout() in a task block, navigate to login on successauthenticationservice.swift as plain class with credentialsmanager instance, isAuthenticated property, login() async throws method, and logout() async throws methodprivate let auth = AuthenticationService() propertyauth.login() inside task block, navigate to home on success, handle webauthеrror.usercancelled silentlyauth.logout() inside task block, navigate to login on success.provider(webAuthentication.safariProvider())webAuthentication.resume(with: url) to appdelegate.application(_:open:url:options:) and scenedelegate.scene(_:openURLContexts:) per ./references/integration.md#uikit-app-lifecyclebuildconfigurations in project.pbxproj or ask user)xcodebuild build -scheme YOUR_SCHEME -destination "platform=iOS Simulator,name=iPhone 16"askuserquestion with error outputmissing auth0 credentials (step 2): if domain and client id not in user prompt, do not ask user to manually create application in dashboard. instead, run auth0 cli bootstrap to create application automatically.
package manager not detected (step 1): if no package manager file found, ask user which one they use (spm, cocoapods, carthage). do not assume or suggest one.
ambiguous ui framework (step 4): if project has both @main struct and appdelegate, ask user which framework they are actively using for new code. do not guess.
callback url scheme choice (step 3): if user selects custom scheme, skip universal links setup (steps 3b1-3b3). if user selects universal links, perform all four substeps (3b1, 3b2, 3b3, 3b4) , skipping any one causes silent callback redirect failure.
sfsafariviewcontroller in uikit (step 4b): if .provider(webAuthentication.safariProvider()) is found anywhere in project, register url resume handler in appdelegate and scenedelegate. if using default aswebauthenticationsession, url resume handler is not needed.
build fails after 5 retries (step 5): stop attempting local fixes and ask user for guidance via askuserquestion. do not claim success if build has not completed without errors.
successful integration produces:
auth0.plist file in xcode project root, committed to target, with domain and clientid keys2.18.0 or later) via spm, cocoapods, or carthageauthenticationservice.swift (swiftui or uikit variant) with login(), logout(), and token managementcredentialsmanager.credentials() if offline_access scope grantedfile locations:
auth0.plist in project rootauthenticationservice.swift in project source folder.entitlements file (for universal links) at project root or in app target folderbuild/ folderuser can run the built app in simulator or on device, tap login button, see auth0 universal login page in system browser, enter credentials, return to app with isAuthenticated = true, access tokens valid in keychain, tap logout and see isAuthenticated = false. subsequent app launch finds stored refresh token and silently re-authenticates without user interaction (if offline_access scope requested). build completes without errors. no auth0-related runtime crashes. tokens never appear in userdefaults or console logs.
credits: original skill by auth0 support@auth0.com. enriched for implexa standards with explicit decision points, edge case handling, and component structure.