Identity Provider

    Auth0 for LLM Authentication

    Already using Auth0? Use your existing tenant to authenticate users for local LLMs. Attach Gateway verifies Auth0 JWTs and adds per-user identity to every request.

    Why Auth0 + Attach?

    Auth0 handles user authentication beautifully. But local LLMs like Ollama don't speak OIDC. Attach bridges the gap:

    ┌──────────┐     ┌──────────┐     ┌─────────────────┐     ┌─────────┐
    │  User    │────▶│  Auth0   │────▶│  Attach Gateway │────▶│  Ollama │
    │  (App)   │ JWT │  Verify  │     │  (Token Check)  │     │  / vLLM │
    └──────────┘     └──────────┘     └─────────────────┘     └─────────┘

    What You Get

    OIDC Token Verification

    Attach validates Auth0 JWTs automatically. Invalid tokens get rejected before reaching your LLM.

    Per-User Identity

    X-Attach-User headers carry the verified Auth0 user ID to all downstream services.

    Existing Auth0 Setup

    Use your existing Auth0 tenant and applications. No new identity provider to configure.

    Setup Guide

    1. Get your Auth0 credentials

    From your Auth0 dashboard, grab your domain and API audience.

    # Auth0 Dashboard > Applications > APIs
    Domain: your-tenant.auth0.com
    Audience: your-api-identifier

    2. Configure Attach Gateway

    export OIDC_ISSUER=https://your-tenant.auth0.com/
    export OIDC_AUD=your-api-identifier
    
    # Start the gateway
    attach-gateway --port 8080

    3. Get a token from Auth0

    # Using Auth0 CLI or SDK
    auth0 login
    export JWT=$(auth0 api tokens create --audience your-api-identifier)

    4. Make authenticated requests

    curl -H "Authorization: Bearer $JWT" \
      -d '{"model":"llama3","prompt":"hello"}' \
      http://localhost:8080/api/chat
    
    # Without valid token: 401 Unauthorized
    # With valid token: 200 OK + response

    Supported Auth0 Features

    JWT (RS256) token verification
    Custom API audiences
    Machine-to-machine tokens
    User metadata in claims
    Auth0 Actions compatibility
    Multi-tenant applications
    Role-based access (via claims)
    Token refresh handling

    Security Note

    Attach Gateway verifies tokens using Auth0's JWKS endpoint. Private keys never leave Auth0. Tokens are validated for signature, expiration, audience, and issuer on every request.
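
    An added example (not Attach Gateway's code): a local pre-check that decodes a token's header and payload and reports which of the algorithm, issuer, audience and expiration checks named above would fail, for use when a request comes back 401. It does not verify the signature, it assumes the gateway compares `iss` to OIDC_ISSUER as an exact string, and `precheck_claims` and `make_sample` are hypothetical helper names.

```python
import base64
import json
import time


def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) as JSON."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def precheck_claims(token, issuer, audience, now=None):
    """Return reasons the token's claims would fail; [] means they look fine.

    Diagnostic only: the signature is NOT verified, so never base an
    authorization decision on this result.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a three-part compact JWT"]
    try:
        header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["header or payload is not base64url-encoded JSON"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["header or payload is not a JSON object"]
    now = time.time() if now is None else now
    problems = []
    if header.get("alg") != "RS256":
        problems.append(f"alg is {header.get('alg')!r}, expected 'RS256'")
    # Assumed exact string match: Auth0's iss ends with '/', so must OIDC_ISSUER.
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != OIDC_ISSUER {issuer!r}")
    # 'aud' may be one string or a list of audiences.
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} does not include OIDC_AUD {audience!r}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append(f"exp {exp!r} is missing or in the past")
    return problems


def make_sample(claims, alg="RS256"):
    """Build a constructed sample token with a dummy signature segment."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": alg, "typ": "JWT"}), enc(claims), "c2ln"])
```

    Call `precheck_claims(token, issuer, audience)` with the same values exported as OIDC_ISSUER and OIDC_AUD; an empty list means the claims are consistent with that configuration.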

    Frequently Asked Questions

    Can I use Auth0 Actions to customize claims?

    Yes. Auth0 Actions can add custom claims to tokens (like roles, permissions, or organization IDs). Attach passes these through in the X-Attach-Claims header, and you can use them for fine-grained access control in your LLM application.

    Do I need a paid Auth0 plan?

    No. Auth0's free tier works perfectly with Attach. You get up to 7,500 monthly active users and unlimited machine-to-machine tokens. The free tier includes custom API audiences, which is all Attach needs.

    How do I handle token refresh?

    Token refresh is handled client-side using Auth0's SDK. When your access token expires, your app requests a new one from Auth0 using the refresh token. Attach doesn't need to know about refresh—it just validates whatever JWT you send.

    Can multiple apps share one Auth0 API?

    Absolutely. Create one API in Auth0, authorize multiple applications to request tokens for it, and all those apps can use the same Attach Gateway. User identity is preserved across apps via the 'sub' claim.

    Ready to Use Auth0 with Your LLMs?

    Connect your existing Auth0 tenant in under 5 minutes. No new identity provider needed.