🚀 Announcing Beta Release: A new Springboot API SDK

[tanya732]

We're excited to announce the Beta Release of auth0-springboot-api, a new SDK for securing Spring Boot APIs with Auth0 tokens. Built on top of Spring Security, it provides Auth0-optimised JWT validation with built-in DPoP (Demonstration of Proof-of-Possession) support, all wired through Spring Boot auto-configuration.

✨ Key Features

• ✅ Complete Spring Security JWT Functionality — All features from Spring Security JWT Bearer are available
• 🛡️ Built-in DPoP Support — Proof-of-possession token security per RFC 9449, with flexible enforcement modes
• ⚡ Spring Boot Auto-Configuration — Set auth0.domain and auth0.audience in application.yml, add the filter to your SecurityFilterChain, and you're done
• 🎛️ Flexible Authentication Modes — Bearer-only, DPoP-only, or both controlled via a single dpopMode property

🧩 Getting Started

Installation

Maven:

<dependency>
  <groupId>com.auth0</groupId>
  <artifactId>auth0-springboot-api</artifactId>
  <version>1.0.0-beta.0</version>
</dependency>

Gradle:

  implementation 'com.auth0:auth0-springboot-api:1.0.0-beta.0'

🧰 Configuration

1. Configure Auth0 properties in application.yml:

  auth0:
    domain: "your-tenant.auth0.com"
    audience: "https://your-api-identifier"

2. Create a Security Configuration:

@Configuration
public class SecurityConfig {
    @Bean
    SecurityFilterChain apiSecurity(HttpSecurity http, Auth0AuthenticationFilter authFilter) throws Exception {
        return http.csrf(csrf -> csrf.disable())
                   .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                   .authorizeHttpRequests(auth -> auth
                       .requestMatchers("/api/protected").authenticated()
                       .anyRequest().permitAll())
                   .addFilterBefore(authFilter, UsernamePasswordAuthenticationFilter.class)
                   .build();
    }
}

That's it. Your API now validates JWT tokens from Auth0.

🛡️ DPoP Support

Enable DPoP with a single property, zero controller changes required:

  auth0:
    domain: "your-tenant.auth0.com"
    audience: "https://your-api-identifier"
    dpopMode: ALLOWED

Mode	Description
ALLOWED	Accept both DPoP and Bearer tokens
REQUIRED	Only accept DPoP tokens, reject Bearer tokens
DISABLED	Standard JWT Bearer validation only

DPoP proof validation happens at the filter level, controllers work the same regardless of whether the client sends a Bearer or DPoP token.

---

📌 Important Notes

• Requires Spring Boot 3.2+ (Java 17+)
• Scope-based authorization is built in JWT scopes map to Spring Security authorities with a SCOPE_ prefix (e.g., SCOPE_read:messages)
• This is a beta release, your feedback will directly shape v1.0.0

---

📚 Resources

• 📖 README - https://github.com/auth0/auth0-auth-java/blob/main/auth0-springboot-api/README.md
• 💻 Examples - https://github.com/auth0/auth0-auth-java/blob/main/auth0-springboot-api/EXAMPLES.md
• 🧪 Playground - https://github.com/auth0/auth0-auth-java/tree/main/auth0-springboot-api-playground
• 📦 Maven Central - https://central.sonatype.com/artifact/com.auth0/auth0-springboot-api

---

🛝 Try the Playground

Run the Application

./gradlew :auth0-springboot-api-playground:bootRun

Curl for Bearer authentication

# Bearer authentication
curl -H "Authorization: Bearer <your-jwt-token>" http://localhost:8080/api/protected

Curl for DPoP Authentication

# DPoP authentication
curl -H "Authorization: DPoP <your-dpop-bound-token>" \
     -H "DPoP: <your-dpop-proof>" \
     http://localhost:8080/api/protected

---

💬 Feedback

Since this is our first beta, your input will directly shape v1.0.0 let us know what breaks, what confuses, and what delights. Post questions or suggestions below, or open an issue on GitHub.