# Hosted Login vs. Embedded Login

> Describes the differences between hosted login (Universal Login) and embedded login.

When you design the login experience for your application, you’ll need to decide if you want it to be hosted ([Universal Login](/docs/authenticate/login/auth0-universal-login)) or embedded.

## Hosted login

In a hosted login flow, the application redirects the user to the <Tooltip tip="Authorization Server: Centralized server that contributes to defining the boundaries of a user’s access. For example, your authorization server can control the data, tasks, and features available to a user." cta="View Glossary" href="/docs/glossary?term=authorization+server">authorization server</Tooltip> to perform authentication, and then the authorization server returns the user to the application.

### Universal Login flow

In the typical user authentication experience with <Tooltip tip="Universal Login: Your application redirects to Universal Login, hosted on Auth0's Authorization Server, to verify a user's identity." cta="View Glossary" href="/docs/glossary?term=Universal+Login">Universal Login</Tooltip>:

1. Your application triggers an authentication request by invoking an Auth0 SDK’s login method or by calling the [Auth0 Authentication API Login endpoint](https://auth0.com/docs/api/authentication/login/) directly.
2. Your application redirects the user to the Auth0 authorization server (your Auth0 tenant).
3. Auth0 checks for a session cookie on the [Auth0 Session Layer](/docs/manage-users/sessions/session-layers).

   * If a session cookie is not found, Auth0 redirects the user to Universal Login to authenticate and creates an associated session cookie.
   * If a session cookie is found, Auth0 uses it to authenticate the user.
4. Auth0 returns the user to your application with an [ID token](/docs/secure/tokens/id-tokens) and an [access token](/docs/secure/tokens/access-tokens).
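
The redirect in steps 1-2 and the return in step 4, as an added example (not Auth0 SDK code): it assumes the Authorization Code flow with PKCE against the tenant's `/authorize` endpoint, and the function names, tenant domain, client ID and callback URL are placeholders.

```javascript
const crypto = require('node:crypto');

// 32 random bytes, base64url-encoded (43 characters, URL-safe).
const randomToken = () => crypto.randomBytes(32).toString('base64url');

// Steps 1-2: build the redirect to the tenant's /authorize endpoint.
// domain, clientId and redirectUri are caller-supplied placeholders.
function buildAuthorizeRequest({ domain, clientId, redirectUri, scope = 'openid profile' }) {
  const state = randomToken();        // binds the callback to this browser session (CSRF)
  const nonce = randomToken();        // must reappear in the ID token (replay protection)
  const codeVerifier = randomToken(); // PKCE secret; only its hash goes in the URL
  const codeChallenge = crypto.createHash('sha256').update(codeVerifier).digest('base64url');
  const url = new URL(`https://${domain}/authorize`);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: clientId,
    redirect_uri: redirectUri,
    scope,
    state,
    nonce,
    code_challenge: codeChallenge,
    code_challenge_method: 'S256',
  }).toString();
  // `pending` stays with the application (server-side session) until the callback.
  return { url: url.toString(), pending: { state, nonce, codeVerifier, redirectUri } };
}

// Step 4: check the callback before exchanging the code for tokens.
function validateCallback(callbackUrl, pending) {
  const cb = new URL(callbackUrl);
  const expected = new URL(pending.redirectUri);
  if (cb.origin !== expected.origin || cb.pathname !== expected.pathname) {
    throw new Error('unexpected callback location');
  }
  if (cb.searchParams.has('error')) {
    throw new Error(`authorization error: ${cb.searchParams.get('error')}`);
  }
  const got = Buffer.from(cb.searchParams.get('state') || '');
  const want = Buffer.from(pending.state);
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) {
    throw new Error('state mismatch');
  }
  const code = cb.searchParams.get('code');
  if (!code) throw new Error('missing authorization code');
  // The caller sends code + codeVerifier to the token endpoint, then checks nonce in the ID token.
  return { code, codeVerifier: pending.codeVerifier, nonce: pending.nonce };
}
```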

## Embedded login

In an embedded login flow, the user authenticates directly within your application. The application serves the login form, collects the user’s credentials, sends that data to the authentication provider, and then receives a response with the user’s <Tooltip tip="ID Token: Credential meant for the client itself, rather than for accessing a resource." cta="View Glossary" href="/docs/glossary?term=ID+token">ID token</Tooltip> and <Tooltip tip="Access Token: Credential that an application uses to access an API." cta="View Glossary" href="/docs/glossary?term=access+token">access token</Tooltip>.

For web applications, embedded login uses [cross-origin authentication](/docs/authenticate/login/cross-origin-authentication) unless you [configure a custom domain](/docs/customize/custom-domains) for your Auth0 tenant. Cross-origin authentication uses third-party cookies to allow for secure authentication transactions across different origins.

## Feature comparison

| Feature                                             | Hosted                                                                                                                                                                                                                                                         | Embedded                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| --------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [Single Sign-on](/docs/authenticate/single-sign-on) | Built-in cross-application SSO through [session cookies](/docs/manage-users/sessions) on the Auth0 Authorization Server (your Auth0 tenant), including support for third-party applications and multi-domain architectures.                                    | Supported with shared domain architecture. Web applications using the [Lock](/docs/libraries/lock/lock-api-reference#checksession) or [Auth0.js](/docs/libraries/auth0js#using-checksession-to-acquire-new-tokens) libraries can share sessions when configured under the same custom domain. Native applications can share sessions with web applications through [Native to Web SSO](/docs/authenticate/single-sign-on/native-to-web). |
| [Customization](/docs/customize)                    | Customize many parts of the experience through theming, page templates, text elements, and prompts, or use [Advanced Customizations for Universal Login](/docs/customize/login-pages/advanced-customizations) for full UI customization.                       | Full control over the UI because the login form is rendered by your application.                                                                                                                                                                                                                                                                                                                                                         |
| Feature management                                  | Features are managed centrally in the Auth0 Dashboard or through the Auth0 Management API and apply to all applications using Universal Login.<br /><br />For example, when you enable MFA in the Dashboard, it is immediately reflected in subsequent logins. | Features are configured per application, giving you control over the release cadence in each app.<br /><br />Server-side capabilities such as [API-driven MFA](/docs/secure/multi-factor-authentication) can be enabled without client updates. UI-affecting changes (for example, a new login screen) are released on your application's own schedule.                                                                                  |
| User experience                                     | Users are redirected between your application and the Auth0 Authorization Server during authentication.<br /><br />For native applications, this requires implementation of universal/deep links.                                                              | Users remain inside your application during authentication, which can be useful for tightly branded or in-app sign-in experiences.                                                                                                                                                                                                                                                                                                       |
| Security and maintenance                            | Auth0 delivers security updates to the login experience transparently.                                                                                                                                                                                         | Auth0 provides the security building blocks (like custom domains, [Cross-Origin Authentication](/docs/authenticate/login/cross-origin-authentication), API-driven MFA, [Native Passkey APIs](/docs/authenticate/database-connections/passkeys) and [DPoP](/docs/secure/sender-constraining/demonstrating-proof-of-possession-dpop)) and you choose when to roll updates out to your users.                                               |

## Choosing between hosted and embedded login

Hosted and embedded login are not mutually exclusive. The same application can use Universal Login for some flows and embedded flows for others, picking the approach that best fits each part of the user journey.

* **Universal Login**: Auth0 manages the login surface and is the default for primary sign-in, sign-up, and password reset. Auth0's hosted solution also provides automatic security updates and coordinates SSO across third-party or multi-domain applications.
* **Embedded Login**: Allows full control over the UI and keeps users inside your application. You can use Embedded Login for [factor enrollment](/docs/authenticate/login/embedded-login/use-cases/enrollment), step-up authentication, passkey registration with [Passkey APIs](/docs/authenticate/database-connections/passkeys), [link connected accounts](/docs/manage-users/user-accounts/user-account-linking), or sign-in using [Native Social Login](/docs/authenticate/identity-providers/social-identity-providers).

Common hybrid patterns include:

* A web application that uses Universal Login for sign-in and sign-up, then exposes embedded MFA enrollment and passkey management in account settings.
* A native application that uses a browser-based redirect for primary authentication and embedded Passkey APIs for passwordless re-authentication.
* A SaaS product that uses Universal Login for first-party employees and embedded flows inside a customer-facing app where in-app branding is critical.

For native applications, [RFC 8252: OAuth 2.0 for Native Apps](https://www.rfc-editor.org/rfc/rfc8252.txt) recommends external user-agents for browser-mediated flows. Modern embedded paths—such as Passkey APIs and Native Social Login—use protocol-compliant token exchanges that meet the same security goals while keeping the user inside the application, and they coexist with Universal Login in the same app.
