AuthSession

AuthSession is the easiest way to add web browser based authentication (for example, browser-based OAuth flows) to your app, built on top of WebBrowser, Crypto, and Random. If you would like to understand how it does this, read this document from top to bottom. If you just want to use it, jump to the Authentication Guide.

Platform Compatibility

Android Device	Android Emulator	iOS Device	iOS Simulator	Web

Installation

expo-random is a peer dependency and must be installed alongside expo-auth-session.

Terminal

→ npx expo install expo-auth-session expo-random

If you're installing this in a bare React Native app, you should also follow these additional installation instructions.

In bare-workflow you can use the uri-scheme package to easily add, remove, list, and open your URIs.

To make your native app handle mycoolredirect:// simply run:

Terminal

→ npx uri-scheme add mycoolredirect

You should now be able to see a list of all your project's schemes by running:

Terminal

→ npx uri-scheme list

You can test it to ensure it works like this:

Terminal

# Rebuild the native apps, be sure to use an emulatoryarn androidyarn ios
# Open a URI schemenpx uri-scheme open mycoolredirect://some/redirect

Usage in standalone apps

app.json

{
  "expo": {
    "scheme": "mycoolredirect"
  }
}

In order to be able to deep link back into your app, you will need to set a scheme in your project app.config.js, or app.json, and then build your standalone app (it can't be updated with an update). If you do not include a scheme, the authentication flow will complete but it will be unable to pass the information back into your application and the user will have to manually exit the authentication modal (resulting in a cancelled event).

Guides

The guides have moved: Authentication Guide.

How web browser based authentication flows work

The typical flow for browser-based authentication in mobile apps is as follows:

Initiation: the user presses a sign in button
Open web browser: the app opens up a web browser to the authentication provider sign in page. The url that is opened for the sign in page usually includes information to identify the app, and a URL to redirect to on success. Note: the web browser should share cookies with your system web browser so that users do not need to sign in again if they are already authenticated on the system browser -- Expo's WebBrowser API takes care of this.
Authentication provider redirects: upon successful authentication, the authentication provider should redirect back to the application by redirecting to URL provided by the app in the query parameters on the sign in page (read more about how linking works in mobile apps), provided that the URL is in the allowlist of allowed redirect URLs. Allowlisting redirect URLs is important to prevent malicious actors from pretending to be your application. The redirect includes data in the URL (such as user id and token), either in the location hash, query parameters, or both.
App handles redirect: the redirect is handled by the app and data is parsed from the redirect URL.

What `auth.expo.io` does for you

The auth.expo.io proxy is only used when startAsync is called, or when useProxy: true is passed to the promptAsync() method of an AuthRequest.

It reduces boilerplate

AuthSession handles most of the app-side responsibilities for you:

It opens the sign in URL for your authentication provider (authUrl, you must provide it) in a web browser that shares cookies with your system browser.
It handles success redirects and extracts all of the data encoded in the URL.
It handles failures and provides information to you about what went wrong.

It makes redirect URL allowlists easier to manage for development and working in teams

Additionally, AuthSession simplifies setting up authorized redirect URLs by using an Expo service that sits between you and your authentication provider (read Security considerations for caveats). This is particularly valuable with Expo because your app can live at various URLs. In development, you can have a tunnel URL, a lan URL, and a localhost URL. The tunnel URL on your machine for the same app will be different from a co-worker's machine. When you publish your app, that will be another URL that you need to allowlist. If you have multiple environments that you publish to, each of those will also need to be allowlisted. AuthSession gets around this by only having you allowlist one URL with your authentication provider: https://auth.expo.io/@your-username/your-app-slug. When authentication is successful, your authentication provider will redirect to that Expo Auth URL, and then the Expo Auth service will redirect back to your application. If the URL that the auth service is redirecting back to does not match the published URL for the app or the standalone app scheme (eg: exp://expo.dev/@your-username/your-app-slug, or yourscheme://), then it will show a warning page before asking the user to sign in. This means that in development you will see this warning page when you sign in, a small price to pay for the convenience.

How does this work? When you open an authentication session with AuthSession, it first visits https://auth.expo.io/@your-username/your-app-slug/start and passes in the authUrl and returnUrl (the URL to redirect back to your application) in the query parameters. The Expo Auth service saves away the returnUrl (and if it is not a published URL or your registered custom theme, shows a warning page) and then sends the user off to the authUrl. When the authentication provider redirects back to https://auth.expo.io/@your-username/your-app-slug on success, the Expo Auth services redirects back to the returnUrl that was provided on initiating the authentication flow.

Security considerations

If you are authenticating with a popular social provider, when you are ready to ship to production you should be sure that you do not directly request the access token for the user. Instead, most providers give an option to request a one-time code that can be combined with a secret key to request an access token. For an example of this flow, see the Confirming Identity section in the Facebook Login documentation.

Never put any secret keys inside of your app, there is no secure way to do this! Instead, you should store your secret key(s) on a server and expose an endpoint that makes API calls for your client and passes the data back.

API

import * as AuthSession from 'expo-auth-session';

Hooks

`useAuthRequest(config, discovery)`

Name	Type	Description
config	`AuthRequestConfig`	A valid `AuthRequestConfig` that specifies what provider to use.
discovery	`null \| DiscoveryDocument`	A loaded `DiscoveryDocument` with endpoints used for authenticating. Only `authorizationEndpoint` is required for requesting an authorization code.

Load an authorization request for a code. When the prompt method completes then the response will be fulfilled.

In order to close the popup window on web, you need to invoke WebBrowser.maybeCompleteAuthSession(). See the Identity example for more info.

If an Implicit grant flow was used, you can pass the response.params to TokenResponse.fromQueryParams() to get a TokenResponse instance which you can use to easily refresh the token.

Example

const [request, response, promptAsync] = useAuthRequest({ ... }, { ... });

Name	Type	Description
targetObject	`object`	-
constructorOpt (optional)	`Function`	-

Name	Type	Description
discovery	`AuthDiscoveryDocument`	-
promptOptions (optional)	`AuthRequestPromptOptions`	-

Name	Type	Description
token	`Pick<TokenResponse, 'expiresIn' \| 'issuedAt'>`	-
secondsMargin (optional)	`number`	-

Name	Type	Description
config	`Omit<TokenRequestConfig, 'grantType' \| 'refreshToken'>`	-
discovery	`Pick<DiscoveryDocument, 'tokenEndpoint'>`	-

Name	Type	Description
config	`AccessTokenRequestConfig`	Configuration used to exchange the code for a token.
discovery	`Pick<DiscoveryDocument, 'tokenEndpoint'>`	The `tokenEndpoint` for a provider.

Name	Type	Description
config	`Pick<TokenResponse, 'accessToken'>`	The `accessToken` for a user, returned from a code exchange or auth request.
discovery	`Pick<DiscoveryDocument, 'userInfoEndpoint'>`	The `userInfoEndpoint` for a provider.

Name	Type	Description
urlPath (optional)	`string`	-
options (optional)	`Omit<CreateURLOptions, 'queryParams'>`	-

Name	Type	Description
config	`RefreshTokenRequestConfig`	Configuration used to refresh the given access token.
discovery	`Pick<DiscoveryDocument, 'tokenEndpoint'>`	The `tokenEndpoint` for a provider.

Name	Type	Description
config	`RevokeTokenRequestConfig`	Configuration used to revoke a refresh or access token.
discovery	`Pick<DiscoveryDocument, 'revocationEndpoint'>`	The `revocationEndpoint` for a provider.

Name	Type	Description
code	`string`	The authorization code received from the authorization server.
redirectUri	`string`	If the `redirectUri` parameter was included in the `AuthRequest`, then it must be supplied here as well.Section 3.1.2

Name	Type	Description
clientId	`string`	A unique string representing the registration information provided by the client. The client identifier is not a secret; it is exposed to the resource owner and shouldn't be used alone for client authentication.The client identifier is unique to the authorization server. Section 2.2
clientSecret (optional)	`string`	Client secret supplied by an auth provider. There is no secure way to store this on the client.Section 2.3.1
codeChallenge (optional)	`string`	Derived from the code verifier by using the `CodeChallengeMethod`.Section 4.2
codeChallengeMethod (optional)	`CodeChallengeMethod`	Method used to generate the code challenge. You should never use `Plain` as it's not good enough for secure verification. Default: `CodeChallengeMethod.S256`
extraParams (optional)	`Record<string, string>`	Extra query params that'll be added to the query string.
prompt (optional)	`Prompt`	Informs the server if the user should be prompted to login or consent again. This can be used to present a dialog for switching accounts after the user has already been logged in.Section 3.1.2.1
redirectUri	`string`	After completing an interaction with a resource owner the server will redirect to this URI. Learn more about linking in Expo.Section 3.1.2
responseType (optional)	`string`	Specifies what is returned from the authorization server.Section 3.1.1 Default: `ResponseType.Code`
scopes (optional)	`string[]`	List of strings to request access to.Section 3.3
state (optional)	`string`	Used for protection against Cross-Site Request Forgery.
usePKCE (optional)	`boolean`	Should use Proof Key for Code Exchange. Default: `true`

Name	Type	Description
androidClientId (optional)	`string`	Android native client ID for use in standalone, and bare workflow.This Google Client ID must be setup as follows: Application Type: Android Application Give it a name (e.g. "Android App"). Package name: Must match the value of `android.package` in your `app.json`. Your app needs to conform to the URI scheme matching your `android.package` (ex. `com.myname.mycoolapp:/`). Standalone: Automatically added, do nothing. Bare workflow: Run `npx uri-scheme add <your android.package> --android` Signing-certificate fingerprint: Run `expo credentials:manager -p android` then select "Update upload Keystore" -> "Generate new keystore" -> "Go back to experience overview" Copy your "Google Certificate Fingerprint", it will output a string that looks like `A1:B2:C3` but longer. To test this you can: Prebuild to generate the native files: `expo prebuild` and run `yarn ios` Build a production IPA: `expo build:android`
expoClientId (optional)	`string`	Proxy client ID for use in the Expo client on iOS and Android.This Google Client ID must be setup as follows: Application Type: Web Application URIs: https://auth.expo.io Authorized redirect URIs: https://auth.expo.io/@your-username/your-project-slug
iosClientId (optional)	`string`	iOS native client ID for use in standalone, bare workflow, and custom clients.This Google Client ID must be setup as follows: Application Type: iOS Application Give it a name (e.g. "iOS App"). Bundle ID: Must match the value of `ios.bundleIdentifier` in your `app.json`. Your app needs to conform to the URI scheme matching your bundle identifier. Standalone: Automatically added, do nothing. Bare workflow: Run `npx uri-scheme add <your bundle id> --ios` To test this you can: Prebuild to generate the native files: `expo prebuild` and run `yarn ios` Create a custom client: `expo client:ios` Build a production IPA: `expo build:ios` Whenever you change the values in `app.json` you'll need to rebuild the native app.
language (optional)	`string`	Language code ISO 3166-1 alpha-2 region code, such as 'it' or 'pt-PT'.
loginHint (optional)	`string`	If the user's email address is known ahead of time, it can be supplied to be the default option. If the user has approved access for this app in the past then auth may return without any further interaction.
selectAccount (optional)	`boolean`	When `true`, the service will allow the user to switch between accounts (if possible). Default: `false.`
shouldAutoExchangeCode (optional)	`boolean`	Should the hook automatically exchange the response code for an authentication token.Defaults to `true` on installed apps (iOS, Android) when `ResponseType.Code` is used (default).
webClientId (optional)	`string`	Expo web client ID for use in the browser.This Google Client ID must be setup as follows: Application Type: Web Application Give it a name (e.g. "Web App"). URIs (Authorized JavaScript origins): https://localhost:19006 & https://yourwebsite.com Authorized redirect URIs: https://localhost:19006 & https://yourwebsite.com To test this be sure to start your app with `expo start:web --https`.

Name	Type	Description
authentication	`TokenResponse \| null`	Returned when the auth finishes with an `access_token` property.
error (optional)	`AuthError \| null`	Possible error if the auth failed with type `error`.
errorCode	`string \| null`	Deprecated. Legacy error code query param, use `error` instead.
params	`Record<string, string>`	Query params from the `url` as an object.
type	`'error' \| 'success'`	How the auth completed.
url	`string`	Auth URL that was opened

Name	Type	Description
authorizationEndpoint (optional)	`string`	Used to interact with the resource owner and obtain an authorization grant.Section 3.1
discoveryDocument (optional)	`ProviderMetadata`	All metadata about the provider.
endSessionEndpoint (optional)	`string`	URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP.OPMetadata
registrationEndpoint (optional)	`string`	URL of the OP's Dynamic Client Registration Endpoint.
revocationEndpoint (optional)	`string`	Used to revoke a token (generally for signing out). The spec requires a revocation endpoint, but some providers (like Spotify) do not support one.Section 2.1
tokenEndpoint (optional)	`string`	Used by the client to obtain an access token by presenting its authorization grant or refresh token. The token endpoint is used with every authorization grant except for the implicit grant type (since an access token is issued directly).Section 3.2
userInfoEndpoint (optional)	`string`	URL of the OP's UserInfo Endpoint used to return info about the authenticated user.UserInfo

Name	Type	Description
token	`string`	The token that the client wants to get revoked.Section 3.1
tokenTypeHint (optional)	`TokenTypeHint`	A hint about the type of the token submitted for revocation.Section 3.2

Name	Type	Description
access_token	`string`	-
expires_in (optional)	`number`	-
id_token (optional)	`string`	-
issued_at (optional)	`number`	-
refresh_token (optional)	`string`	-
scope (optional)	`string`	-
token_type (optional)	`TokenType`	-

Name	Type	Description
accessToken	`string`	The access token issued by the authorization server.Section 4.2.2
expiresIn (optional)	`number`	The lifetime in seconds of the access token.For example, the value `3600` denotes that the access token will expire in one hour from the time the response was generated. If omitted, the authorization server should provide the expiration time via other means or document the default value. Section 4.2.2
idToken (optional)	`string`	ID Token value associated with the authenticated session.TokenResponse
issuedAt (optional)	`number`	Time in seconds when the token was received by the client.
refreshToken (optional)	`string`	The refresh token, which can be used to obtain new access tokens using the same authorization grant.Section 5.1
scope (optional)	`string`	The scope of the access token. Only required if it's different to the scope that was requested by the client.Section 3.3
state (optional)	`string`	Required if the "state" parameter was present in the client authorization request. The exact value received from the client.Section 4.2.2
tokenType (optional)	`TokenType`	The type of the token issued. Value is case insensitive.Section 7.1

Name	Type	Description
projectNameForProxy (optional)	`string`	Project name to use for the `auth.expo.io` proxy when `useProxy` is `true`.
proxyOptions (optional)	`Omit<CreateURLOptions, 'queryParams'> & { path: string }`	URL options to be used when creating the redirect URL for the auth proxy.
url (optional)	`string`	URL to open when prompting the user. This usually should be defined internally and left `undefined` in most cases.
useProxy (optional)	`boolean`	Should the authentication request use the Expo proxy service `auth.expo.io`. Default: `false`
windowFeatures (optional)	`WebBrowserWindowFeatures`	Only for: Web Features to use with `window.open()`.

Name	Type	Description
authUrl	`string`	The URL that points to the sign in page that you would like to open the user to.
projectNameForProxy (optional)	`string`	Project name to use for the `auth.expo.io` proxy.
returnUrl (optional)	`string`	The URL to return to the application. In managed apps, it's optional and defaults to output of `Linking.createURL('expo-auth-session', params)` call with `scheme` and `queryParams` params. However, in the bare app, it's required - `AuthSession` needs to know where to wait for the response. Hence, this method will throw an exception, if you don't provide `returnUrl`.
showInRecents (optional)	`boolean`	Only for: Android A boolean determining whether browsed website should be shown as separate entry in Android recents/multitasking view. Default: `false`

Name	Type	Description
isTripleSlashed (optional)	`boolean`	Should the URI be triple slashed `scheme:///path` or double slashed `scheme://path`. Defaults to `false`. Passed to `Linking.createURL()` when `useProxy` is `false`.
native (optional)	`string`	Manual scheme to use in Bare and Standalone native app contexts. Takes precedence over all other properties. You must define the URI scheme that will be used in a custom built native application or standalone Expo application. The value should conform to your native app's URI schemes. You can see conformance with `npx uri-scheme list`.
path (optional)	`string`	Optional path to append to a URI. This will not be added to `native`.
preferLocalhost (optional)	`boolean`	Attempt to convert the Expo server IP address to localhost. This is useful for testing when your IP changes often, this will only work for iOS simulator. Default: `false`
projectNameForProxy (optional)	`string`	Project name to use for the `auth.expo.io` proxy when `useProxy` is `true`.
queryParams (optional)	`Record<string, string \| undefined>`	Optional native scheme to use when proxy is disabled. URI protocol `<scheme>://` that must be built into your native app. Passed to `Linking.createURL()` when `useProxy` is `false`.
scheme (optional)	`string`	URI protocol `<scheme>://` that must be built into your native app. Passed to `Linking.createURL()` when `useProxy` is `false`.
useProxy (optional)	`boolean`	Should use the `auth.expo.io` proxy. This is useful for testing managed native apps that require a custom URI scheme. Default: `false`

Name	Type	Description
backchannel_logout_session_supported (optional)	`boolean`	-
backchannel_logout_supported (optional)	`boolean`	-
check_session_iframe (optional)	`string`	-
claim_types_supported (optional)	`string[]`	a list of the Claim Types that the OpenID Provider supports.
claims_locales_supported (optional)	`string[]`	Languages and scripts supported for values in Claims being returned.
claims_parameter_supported (optional)	`boolean`	Boolean value specifying whether the OP supports use of the claims parameter, with `true` indicating support. Default: `false`
claims_supported (optional)	`string[]`	a list of the Claim Names of the Claims that the OpenID Provider may be able to supply values for. Note that for privacy or other reasons, this might not be an exhaustive list.
code_challenge_methods_supported (optional)	`CodeChallengeMethod[]`	-
display_values_supported (optional)	`string[]`	a list of the `display` parameter values that the OpenID Provider supports.
frontchannel_logout_session_supported (optional)	`boolean`	-
frontchannel_logout_supported (optional)	`boolean`	-
grant_types_supported (optional)	`string[]`	JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports. Dynamic OpenID Providers MUST support the authorization_code and implicit Grant Type values and MAY support other Grant Types. If omitted, the default value is ["authorization_code", "implicit"].
id_token_signing_alg_values_supported (optional)	`string[]`	JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT. The algorithm RS256 MUST be included.
jwks_uri (optional)	`string`	URL of the OP's JSON Web Key Set JWK document.
op_policy_uri (optional)	`string`	URL that the OpenID Provider provides to the person registering the Client to read about the OP's requirements on how the Relying Party can use the data provided by the OP. The registration process SHOULD display this URL to the person registering the Client if it is given.
op_tos_uri (optional)	`string`	URL that the OpenID Provider provides to the person registering the Client to read about OpenID Provider's terms of service. The registration process should display this URL to the person registering the Client if it is given.
request_parameter_supported (optional)	`boolean`	Boolean value specifying whether the OP supports use of the request parameter, with `true` indicating support. Default: `false`
request_uri_parameter_supported (optional)	`boolean`	Whether the OP supports use of the `request_uri` parameter, with `true` indicating support. Default: `true`
require_request_uri_registration (optional)	`boolean`	Whether the OP requires any `request_uri` values used to be pre-registered using the `request_uris` registration parameter. Pre-registration is required when the value is `true`. Default: `false`
response_modes_supported (optional)	`string[]`	JSON array containing a list of the OAuth 2.0 `response_mode` values that this OP supports, as specified in OAuth 2.0 Multiple Response Type Encoding Practices. If omitted, the default for Dynamic OpenID Providers is `["query", "fragment"]`.
response_types_supported (optional)	`string[]`	JSON array containing a list of the OAuth 2.0 `response_type` values that this OP supports. Dynamic OpenID Providers must support the `code`, `id_token`, and the `token` `id_token` Response Type values
scopes_supported (optional)	`string[]`	JSON array containing a list of the OAuth 2.0 RFC6749 scope values that this server supports.
service_documentation (optional)	`string`	URL of a page containing human-readable information that developers might want or need to know when using the OpenID Provider. In particular, if the OpenID Provider does not support Dynamic Client Registration, then information on how to register Clients needs to be provided in this documentation.
subject_types_supported (optional)	`string[]`	JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include `pairwise` and `public`.
token_endpoint_auth_methods_supported (optional)	`('client_secret_post' \| 'client_secret_basic' \| 'client_secret_jwt' \| 'private_key_jwt' \| string)[]`	A list of Client authentication methods supported by this Token Endpoint. If omitted, the default is `['client_secret_basic']`
ui_locales_supported (optional)	`string[]`	Languages and scripts supported for the user interface, represented as a JSON array of BCP47 language tag values.