Auth0 Setup
Quibble uses Auth0 to authenticate hosts only. Players join without any account.
You need two Auth0 resources: an SPA Application (for the Next.js frontend) and an API (for the Go backend JWT validation).
Prerequisites
- An Auth0 account (free tier is sufficient)
- Your Quibble deployment URL (e.g. https://quibble.yourdomain.com)
Create the API
1. In the Auth0 dashboard, go to Applications → APIs → Create API.
2. Set:
   - Name: Quibble API
   - Identifier: https://api.yourdomain.com (this becomes AUTH0_AUDIENCE; can be any URL, doesn’t need to resolve)
3. Leave Signing Algorithm as RS256.
4. Click Create.
Create the SPA Application
1. Go to Applications → Applications → Create Application.
2. Set:
   - Name: Quibble
   - Type: Single Page Web Applications
3. Click Create.
4. On the Settings tab, configure:
   - Allowed Callback URLs: https://quibble.yourdomain.com/api/auth/callback
   - Allowed Logout URLs: https://quibble.yourdomain.com
   - Allowed Web Origins: https://quibble.yourdomain.com
5. Save changes and note the Client ID and Client Secret.
Configure environment variables
AUTH0_DOMAIN=your-tenant.us.auth0.com
AUTH0_AUDIENCE=https://api.yourdomain.com
Web frontend
AUTH0_SECRET=<random 32+ character string>
AUTH0_BASE_URL=https://quibble.yourdomain.com
AUTH0_ISSUER_BASE_URL=https://your-tenant.us.auth0.com
AUTH0_CLIENT_ID=<your SPA client ID>
AUTH0_CLIENT_SECRET=<your SPA client secret>
Generate a random AUTH0_SECRET:
openssl rand -hex 32
Local development
For local development, set DEV_AUTH_TOKEN to any non-empty string in both the API and web app .env files. This bypasses Auth0 entirely, so no Auth0 config is needed locally.
DEV_AUTH_TOKEN=devtoken123
# apps/web/.env.local
DEV_AUTH_TOKEN=devtoken123
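A preflight check for the variables above, as an added example that is not part of Quibble's own code: it flags a deployed configuration in which DEV_AUTH_TOKEN is still set (which would bypass Auth0) or the Auth0 values are missing, left as placeholders, or inconsistent. The names parseEnv and CheckDeployEnv are hypothetical, and the rule that AUTH0_ISSUER_BASE_URL equals https:// plus AUTH0_DOMAIN is an assumption taken from the sample values on this page.

```go
package main

import (
	"fmt"
	"strings"
)

// parseEnv reads KEY=VALUE pairs from dotenv-style text, skipping "#" comment lines.
func parseEnv(text string) map[string]string {
	env := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if k, v, ok := strings.Cut(line, "="); ok && !strings.HasPrefix(line, "#") {
			env[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return env
}

// CheckDeployEnv (hypothetical) returns one finding per problem in a deployed API + web env.
func CheckDeployEnv(env map[string]string) []string {
	var findings []string
	if env["DEV_AUTH_TOKEN"] != "" {
		findings = append(findings, "DEV_AUTH_TOKEN is set: Auth0 is bypassed entirely")
	}
	if len(env["AUTH0_SECRET"]) < 32 {
		findings = append(findings, "AUTH0_SECRET is missing or shorter than 32 characters")
	}
	// Assumption: the issuer is the tenant domain with an https:// prefix, as in the page's samples.
	if env["AUTH0_ISSUER_BASE_URL"] != "https://"+env["AUTH0_DOMAIN"] {
		findings = append(findings, "AUTH0_ISSUER_BASE_URL does not match https://AUTH0_DOMAIN")
	}
	if !strings.HasPrefix(env["AUTH0_BASE_URL"], "https://") {
		findings = append(findings, "AUTH0_BASE_URL is not an https URL")
	}
	for _, k := range []string{"AUTH0_DOMAIN", "AUTH0_AUDIENCE", "AUTH0_CLIENT_ID", "AUTH0_CLIENT_SECRET"} {
		if v := env[k]; v == "" || strings.ContainsAny(v, "<>") {
			findings = append(findings, k+" is empty or still a <placeholder>")
		}
	}
	return findings
}

// Constructed sample: a deployed config with the local-dev token left in place.
const sampleEnv = "AUTH0_DOMAIN=your-tenant.us.auth0.com\nDEV_AUTH_TOKEN=devtoken123\n"

func main() {
	fmt.Println(strings.Join(CheckDeployEnv(parseEnv(sampleEnv)), "\n"))
}
```

Run it against the merged contents of the API and web env files in a deploy pipeline and fail the deploy when the returned slice is non-empty.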