> An explanation of cross-origin authentication in Auth0 and its compatibility with browsers

# Cross-Origin Authentication

Auth0 uses the cross-origin authentication flow when an embedded login form (the Lock widget or a custom login form) collects credentials in your application and submits them to an Auth0 domain. On Auth0, this flow has built-in protections, including third-party cookies for browser-side checks, for better authentication security across origins.

Using third-party cookies allows Lock and Auth0's backend to perform the necessary checks to prevent phishing and other cross-origin attacks when creating a <Tooltip tip="Single Sign-On (SSO): Service that, after a user logs into one application, automatically logs that user in to other applications." cta="View Glossary" href="/docs/glossary?term=Single+Sign-on">single sign-on</Tooltip> (SSO) experience with the Lock widget or a custom login form. It also produces a secure login experience even if SSO is not a goal.

Cross-origin authentication applies only when authenticating against a directory using a username and password from a web application, and it can be enabled alongside [Universal Login](/docs/authenticate/login/auth0-universal-login) in the same app. For example, your application can use Universal Login for primary sign-in and rely on cross-origin authentication only for an embedded re-authentication or step-up flow. Social <Tooltip tip="Identity Provider (IdP): Service that stores and manages digital identities." cta="View Glossary" href="/docs/glossary?term=IdPs">IdPs</Tooltip> and enterprise federation use a different mechanism, redirecting via standard protocols like <Tooltip tip="OpenID: Open standard for authentication that allows applications to verify users' identities without collecting and storing login information." cta="View Glossary" href="/docs/glossary?term=OpenID">OpenID</Tooltip> Connect and <Tooltip tip="Security Assertion Markup Language (SAML): Open, XML-based standard for exchanging authentication and authorization data between an identity provider and a service provider." cta="View Glossary" href="/docs/glossary?term=SAML">SAML</Tooltip>. Native applications using embedded login use the standard <Tooltip tip="OAuth 2.0: Authorization framework that defines authorization protocols and workflows." cta="View Glossary" href="/docs/glossary?term=OAuth+2.0">OAuth 2.0</Tooltip> <Tooltip tip="Token Endpoint: Endpoint on the Authorization Server that is used to programmatically request tokens." cta="View Glossary" href="/docs/glossary?term=Token+endpoint">Token endpoint</Tooltip> directly and do not need cross-origin authentication.

## Browser considerations

Modern browsers (including Firefox, Safari with ITP, and Chromium-based browsers) restrict or block third-party cookies by default for privacy reasons. Web applications relying on third-party cookies for cross-origin authentication may fail in those browsers.

To make embedded login work reliably across browsers for production embedded web applications, use the same top-level domain for your application and Auth0 tenant. For example, host your app at `https://example.com` and your Auth0 custom domain at `https://login.example.com`.

With this configuration, the cookies are no longer third party and browsers do not block them. As a security best practice, we recommend using a [custom domain](/docs/customize/custom-domains) or multiple custom domains with the same top-level domain.
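As an added example (not Auth0's code), the JavaScript below checks whether an application origin and an Auth0 domain share a registrable domain, which is what makes the login cookies first-party rather than third-party. The abbreviated suffix list is an assumption standing in for the full Public Suffix List, and the tenant domains are constructed samples.

```javascript
// Added example (not Auth0 code): will cookies set by an Auth0 domain be first-party
// for a given app origin? Browsers block third-party cookies, so the page's advice is
// to keep app and tenant on the same registrable domain (example.com / login.example.com).
// ASSUMPTION: this abbreviated list stands in for the full Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "io", "co.uk", "com.au"]);

// Registrable domain (eTLD+1) of a hostname, or null if the host is itself a suffix.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  // Longer candidates are tested first, so "co.uk" is matched before a bare "uk" would be.
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  // Unknown suffix: fall back to the last two labels.
  return labels.length >= 2 ? labels.slice(-2).join(".") : null;
}

// Accept "login.example.com" or "https://login.example.com" and return the hostname.
function hostOf(value) {
  return new URL(/^[a-z]+:\/\//i.test(value) ? value : `https://${value}`).hostname;
}

// Classify the cookie context of the Auth0 domain relative to the application origin.
function cookieContext(appOrigin, auth0Domain) {
  const appSite = registrableDomain(hostOf(appOrigin));
  const authSite = registrableDomain(hostOf(auth0Domain));
  const sameSite = appSite !== null && appSite === authSite;
  return {
    appSite,
    authSite,
    sameSite,
    verdict: sameSite
      ? "first-party cookies: cross-origin authentication is not blocked"
      : "third-party cookies: expect failures in browsers that block them",
  };
}

// Constructed sample configurations: a custom domain on the app's site vs. a default tenant domain.
for (const [app, tenant] of [
  ["https://example.com", "login.example.com"],
  ["https://app.example.com", "example-tenant.us.auth0.com"],
]) {
  const r = cookieContext(app, tenant);
  console.log(`${app} + ${tenant}: ${r.verdict}`);
}
```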

For testing, or in controlled environments with known browser coverage, you can create and link a cross-origin verification page so that cross-origin authentication works in the browsers that still permit third-party cookies.

## Learn more

* [Configure Cross-Origin Resource Sharing](/docs/get-started/applications/set-up-cors)
* [Hosted Login vs. Embedded Login](/docs/authenticate/login/universal-vs-embedded-login)
* [Auth0 Universal Login](/docs/authenticate/login/auth0-universal-login)
