feat: add custom fetch support

[castrinho18]

Changes

Context
At this moment DPoP is not supported in Components for SPA and we should not be responsible to create or manage this, because we should just relay on the auth SDKs that already manage all the authentication process.

As a first step, we should allow users to pass their own custom fetcher so they can create a fetcher by using the auth SDKs, like auth0-spa-js (https://github.com/auth0/auth0-spa-js/blob/main/EXAMPLES.md#using-dpop-in-your-own-requests) or auth0-react (https://github.com/auth0/auth0-react/blob/main/EXAMPLES.md#enabling-dpop), and then they can reuse the same fetcher into Universal Components.

Next step, not in this PR:
As a second step, we should be able to get the current instance of the fetcher that the auth0-react is using from the useAuth0 hook, but the problem is that at this moment useAuth0 only expose the createFetcher function to allow users to create fetchers, not an instance itself.

const { createFetcher } = useAuth0();

We are opening conversations about how we can inherit this fetcher directly from auth0-react by using the useAuth0 hook, maybe auth0-react must instantiate it's own fetcher instead of exposing createFetcher or maybe we should just create a new fetcher using this method.

PR implementation
This PR adds a new customFetch property into spa-provider and proxy-provider to support custom fetcher for API requests in the different SDK available in CoreClient (MyOrganization and MyAccount).

In addition, it updates the documentation to include the new prop.

References

Testing

1. Do a pnpm run build
2. Go to one examples app
3. Open where the Auth0ComponentProvider is been used and pass a new function using the customFetch prop.
4. Run the app
5. Go to any page and config if API requests are using this provider
6. Repeat the same process in RWA and SPA examples app

• This change adds unit test coverage
• This change has been tested on the latest version of the platform/language or why not

Checklist

• I have read the Auth0 general contribution guidelines
• I have read the Auth0 Code of Conduct
• All existing and new tests complete without errors

[github-actions]

🚀 Preview deployment

Branch: refs/pull/64/merge
Commit: 55670ee

📝 Preview URL: https://auth0-universal-components-ent3b7mxy-okta.vercel.app

---

Updated at 2026-01-26T19:49:19.783Z

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 83.64%. Comparing base (12a3855) to head (479f517).

Additional details and impacted files

@@            Coverage Diff             @@
##             main      #64      +/-   ##
==========================================
+ Coverage   83.62%   83.64%   +0.02%     
==========================================
  Files         125      125              
  Lines       10320    10336      +16     
  Branches     1092     1029      -63     
==========================================
+ Hits         8630     8646      +16     
  Misses       1690     1690              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[rax7389]

just a small thing we should use ?? to avoid this redundant checking pattern

[rax7389]

similar applies here

[rax7389]

similar changes for this provider

[frederikprijck]

Why not the same as SPA-JS?

info: RequestInfo | URL,
init?: RequestInit,