Embeddable JavaScript login widget from the Okta-owned Auth0 that renders a configurable signup, login and MFA UI on top of an Auth0 tenant and sets authentication session cookies.
Auth0 Lock is the embeddable JavaScript widget from Auth0, now part of Okta, that renders a configurable signup, login and multi-factor authentication UI inside a website or single-page application. It connects to an Auth0 tenant through the OAuth 2.0 and OpenID Connect protocols and delegates the heavy lifting (credential storage, MFA, anomaly detection, social federation) to the Auth0 platform.
Once a session is established, Auth0 sets several cookies on the tenant domain (auth0, did, did_compat, auth0_compat) and possibly state cookies on the application origin during the OAuth callback. The widget also collects device fingerprinting signals, IP address, user agent and geolocation hints, which feed Auth0 anomaly detection, brute force protection and bot detection.
Authentication cookies that are strictly necessary to deliver the login service requested by the user are exempt from consent under Art. 5(3) ePrivacy. Device fingerprinting, anomaly profiling and any persistent identifier set beyond the session length do, however, fall under the consent regime, and a transparent privacy notice describing each cookie is required.
Auth0 tenants can be pinned to US, EU, AU or JP regions, but Okta Inc. remains a US sub-processor that handles anomaly detection, telemetry and global support. Transfers rely on Standard Contractual Clauses, the EU-US Data Privacy Framework, and binding corporate rules. A tenant configured in the EU region significantly reduces routine transfers but does not eliminate them.
Pin the tenant to the EU region for European users, sign the Okta Data Processing Addendum, enable custom domains to keep cookies first-party, disable optional Auth0 marketing analytics in the dashboard, and document attack protection and anomaly detection in the privacy notice and the record of processing.
Websites using Auth0 Lock must obtain user consent under GDPR and ePrivacy for its non-essential cookies and processing (device fingerprinting, persistent identifiers and optional analytics); the session cookies needed for login itself are exempt.
DPIA considerations
A DPIA is recommended whenever Auth0 is used as the primary identity layer for a high-traffic consumer service, when MFA collects biometrics or device telemetry, or when the tenant is set up in the US region while serving EU users. Assess anomaly detection profiling, log retention, attack protection signals and any social or enterprise connections that introduce additional processors.
Sample consent text
We use Auth0 Lock from Okta to manage account creation, login and multi-factor authentication. Session cookies needed to keep you signed in are set automatically. With your consent, additional optional analytics and device fingerprinting signals are processed to detect suspicious activity and improve security.
Third-party domains contacted
*.auth0.com
*.eu.auth0.com
*.us.auth0.com
cdn.auth0.com
cdn.eu.auth0.com
sentry.io
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| auth0 | HTTP cookie | Session | Stores the Auth0 single sign-on session for the tenant domain after a successful login. |
| did | HTTP cookie | 1 year | Device identifier used by Auth0 for attack protection, anomaly detection and bot detection. |
| did_compat | HTTP cookie | 1 year | Same device identifier issued without the SameSite attribute for legacy browser compatibility. |
| auth0_compat | HTTP cookie | Session | Legacy SSO session cookie used by older browsers that do not handle SameSite=None correctly. |
| a0_state | HTTP cookie | 10 minutes | Stores the OAuth state and nonce values during the authorization code callback to prevent CSRF. |
| _legacy_auth0.is.authenticated | localStorage | Persistent | Used by auth0-spa-js to mark a returning user as authenticated for silent token renewal flows. |
Auth0 sets session cookies on the tenant domain (auth0, did, did_compat, auth0_compat) plus optional state and nonce cookies on the application origin during OAuth callbacks. Custom domains let you keep these cookies first-party on your own domain.
Session cookies that are strictly necessary to authenticate the user are exempt under Art. 5(3) ePrivacy. Device fingerprinting, anomaly profiling and persistent identifiers used for cross-device analytics require consent.
Contract performance (Art. 6(1)(b) GDPR) covers account creation and login itself. Anomaly detection and attack protection rely on legitimate interests (Art. 6(1)(f) GDPR), and any optional analytics requires consent (Art. 6(1)(a) GDPR).
Yes, data is transferred to the United States: even with an EU tenant, Okta Inc. in the United States acts as a sub-processor for anomaly detection, telemetry and support. Transfers rely on Standard Contractual Clauses, the EU-US Data Privacy Framework and binding corporate rules.
A DPIA is recommended for high-traffic consumer services, biometric MFA, and any tenant pinned to the US region while serving EU users. Document profiling by anomaly detection, log retention, attack protection and any social or enterprise connection.
Choose the EU region, enable custom domains, sign the Okta DPA, integrate the widget after consent for any non-essential cookies, configure log retention, and disable optional Auth0 marketing analytics in the tenant settings.
EU-based identity providers include Keycloak (self-hosted, open source), Ory, FusionAuth (self-hostable), Frontegg, and managed services like Microsoft Entra External ID or Curity hosted within the EU.
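The two points above (custom domains keeping cookies first-party, and session cookies being exempt while persistent identifiers need consent) are easiest to verify against what the browser actually receives. The following is an added example, not FlowConsent's or Auth0's code: it parses the Set-Cookie headers of a login response, classifies each cookie as session-only or persistent, decides whether it is first-party relative to the application host, and flags missing Secure, HttpOnly or SameSite attributes. The sample headers, the hosts `tenant.eu.auth0.com`, `login.example.com` and `app.example.com`, and the allowlist of strictly necessary cookie names are constructed for illustration (the allowlist follows the purposes in the cookie table on this page); the first-party check compares the last two labels of each host, which is a simplification that does not handle multi-label public suffixes such as co.uk.

```javascript
// Added example (not FlowConsent's or Auth0's code): audit the Set-Cookie headers
// observed on a login response for lifetime, party and attribute hygiene.

// Cookie names the operator has documented as strictly necessary for login itself
// (assumption for this audit, taken from the purposes in the page's cookie table).
const ESSENTIAL = new Set(['auth0', 'auth0_compat', 'a0_state']);

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute keys are lower-cased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? '' : pair.slice(eq + 1),
    attrs: {},
  };
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

// RFC 6265: a cookie carrying Max-Age or Expires outlives the browser session.
function isPersistent(cookie) {
  return 'max-age' in cookie.attrs || 'expires' in cookie.attrs;
}

// Effective cookie domain: the Domain attribute (leading dot stripped) or,
// when absent, the host that sent the response.
function effectiveDomain(cookie, responseHost) {
  const d = cookie.attrs.domain;
  return typeof d === 'string' && d ? d.replace(/^\./, '').toLowerCase() : responseHost.toLowerCase();
}

// Simplified registrable domain: last two labels (does not handle e.g. co.uk).
function registrableDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// First-party means the cookie lives on the same registrable domain as the app.
function isFirstParty(cookieDomain, appHost) {
  return registrableDomain(cookieDomain) === registrableDomain(appHost);
}

// Audit the Set-Cookie values of one response sent by responseHost.
function auditLoginCookies(setCookieHeaders, responseHost, appHost) {
  return setCookieHeaders.map((header) => {
    const c = parseSetCookie(header);
    const persistent = isPersistent(c);
    const domain = effectiveDomain(c, responseHost);
    const firstParty = isFirstParty(domain, appHost);
    const sameSite = typeof c.attrs.samesite === 'string' ? c.attrs.samesite.toLowerCase() : undefined;
    const issues = [];
    if (!c.attrs.secure) issues.push('missing Secure');
    if (!c.attrs.httponly) issues.push('missing HttpOnly');
    if (sameSite === 'none' && !c.attrs.secure) issues.push('SameSite=None without Secure');
    if (sameSite === undefined) issues.push('no SameSite attribute');
    if (!firstParty) issues.push('third-party domain (' + domain + ')');
    return {
      name: c.name,
      domain,
      persistent,
      firstParty,
      // Persistent identifiers not needed to deliver the login itself require consent.
      consentRequired: persistent && !ESSENTIAL.has(c.name),
      issues,
    };
  });
}

// Constructed samples: tenant-domain cookies without a custom domain, the same
// cookies on a custom domain, and the state cookie set on the application origin.
const SAMPLE_TENANT_HEADERS = [
  'auth0=s1; Domain=tenant.eu.auth0.com; Path=/; Secure; HttpOnly; SameSite=None',
  'did=d1; Domain=tenant.eu.auth0.com; Path=/; Max-Age=31536000; Secure; HttpOnly; SameSite=None',
  'did_compat=d1; Domain=tenant.eu.auth0.com; Path=/; Max-Age=31536000; Secure; HttpOnly',
];
const SAMPLE_CUSTOM_DOMAIN_HEADERS = SAMPLE_TENANT_HEADERS.map((h) =>
  h.replace('tenant.eu.auth0.com', 'login.example.com'),
);
const SAMPLE_APP_HEADERS = [
  'a0_state=st1; Path=/; Max-Age=600; Secure; HttpOnly; SameSite=Lax',
];

for (const [label, headers, host] of [
  ['tenant domain', SAMPLE_TENANT_HEADERS, 'tenant.eu.auth0.com'],
  ['custom domain', SAMPLE_CUSTOM_DOMAIN_HEADERS, 'login.example.com'],
  ['application origin', SAMPLE_APP_HEADERS, 'app.example.com'],
]) {
  console.log(label, auditLoginCookies(headers, host, 'app.example.com'));
}
```

Run against the real headers captured from your tenant (or custom domain) and application origin: every cookie reported with `consentRequired: true` needs an entry in the consent layer, and any cookie reported as third-party means the custom domain setting is not in effect for that response.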
Add an entry for Auth0 Lock, list the session cookies (auth0, did, did_compat, auth0_compat), describe purposes (authentication, attack protection, anomaly detection), durations, US transfer details, and link to Okta's privacy notice and DPA.