Adding "Log In With Mastodon" to Auth0
I use Auth0 (https://auth0.com/) to provide social logins for the OpenBenches (https://openbenches.org) website. I don’t want to deal with creating user accounts, managing passwords, or anything like that, so Auth0 is perfect for my needs.
There is a wide range of social media logins provided by Auth0 (https://auth0.com/learn/social-login) - including the usual suspects like Facebook, Twitter, WordPress, Discord, etc. Sadly, there’s no support for Mastodon (https://community.auth0.com/t/custom-social-for-mastodon/103356) [0].
All is not lost though. The Auth0 documentation says:
However, you can use Auth0’s Connections API to add any OAuth2 Authorization Server as an identity provider.
You can manually add a single Mastodon instance, but that doesn’t work with the decentralised nature of the Fediverse. Instead, I’ve come up with a manual solution which works with any Mastodon server!
Background
Every Mastodon [1] server is independent. I have an account on mastodon.social; you have an account on whatever.chaos. They are separate servers, albeit running similar software. A generic authenticator needs to work with all these servers. There’s no point only allowing logins from a single server.
Fortuitously, Mastodon allows app developers to automatically create new apps. A few simple lines of code and you will have an API key suitable for read-only access to that server. You can read how to instantly create Mastodon API keys (https://shkspr.mobi/blog/2024/12/creating-a-generic-log-in-with-mastodon-service/) or you can steal my PHP code (https://github.com/openbenches/openbenches.org/blob/343e4c0169a2af8e567f9444c9cbf5d43d03011a/www/src/Controller/UserController.php#L26).
User Experience
The user clicks the sign-in button on OpenBenches. They’re taken to the Auth0 social login screen:
The user clicks on Mastodon. This is where Auth0’s involvement ends!
The user is asked to provide the URL of their instance:
In the background, my server contacts the Mastodon instance and creates a read-only API key.
The user is asked to sign in to Mastodon.
The user is asked to authorise read-only access.
The user is now signed in and OpenBenches can retrieve their name, avatar image, and other useful information. Hurrah!
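The step where the server contacts whichever instance the user typed is a server-side request to a host chosen by the visitor, so the input is worth checking before any request is made. The following is an added example in Python, not the OpenBenches PHP code linked above: it validates the typed instance and builds the read-only app registration and authorisation requests. The function names, the client name and the sample addresses in the test are assumptions, and the caller is expected to do the DNS lookup itself.

```python
import ipaddress
import re
from urllib.parse import urlencode, urlsplit

# DNS name with at least one dot; the last label must start with a letter,
# which rejects IP literals such as 127.0.0.1 and bare names like "localhost".
_HOST_RE = re.compile(r"^(?=.{4,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+"
                      r"[a-z][a-z0-9-]{0,61}[a-z0-9]$")


def normalise_instance(user_input: str) -> str:
    """Turn what the user typed into a bare hostname, or raise ValueError."""
    text = user_input.strip().lower()
    if "://" not in text:
        text = "https://" + text
    parts = urlsplit(text)
    if parts.scheme != "https":
        raise ValueError("only https instances are accepted")
    if parts.username or parts.password or parts.port not in (None, 443):
        raise ValueError("credentials and custom ports are not accepted")
    host = parts.hostname or ""
    if not _HOST_RE.match(host):
        raise ValueError("not a public DNS name")
    return host


def all_public(addresses) -> bool:
    """True only if every resolved address is globally routable.

    The caller resolves the hostname (for example with socket.getaddrinfo) and
    then connects to an address it has checked, so a later DNS answer cannot
    point the request at an internal service.
    """
    return bool(addresses) and all(ipaddress.ip_address(a).is_global for a in addresses)


def app_registration(host: str, redirect_uri: str):
    """URL and form body for Mastodon's POST /api/v1/apps, read-only scope."""
    # "Example login" is a placeholder client name (assumption).
    form = {"client_name": "Example login", "redirect_uris": redirect_uri, "scopes": "read"}
    return f"https://{host}/api/v1/apps", form


def authorize_url(host: str, client_id: str, redirect_uri: str, state: str) -> str:
    """Where to send the browser once the instance has issued a client_id."""
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "scope": "read", "state": state})
    return f"https://{host}/oauth/authorize?{query}"
```

The `state` value should be random per login attempt and checked when the user comes back, so a response cannot be replayed into someone else's session.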
Auth0
Once you have created a service to generate API keys (https://shkspr.mobi/blog/2024/12/creating-a-generic-log-in-with-mastodon-service/), it will need to run on a publicly accessible web server. For example, https://example.com/mastodon_login.
Here’s what you need to do within your Auth0 tenant:
• Authentication → Social → Create Connection
• At the bottom, choose “Create Custom”.
• Choose “Authentication” only.
• Give your connection a name. This will be visible to users.
• “Authorization URL” and “Token URL” have the same value - the URL of your service.
• “Client ID” is only visible to you.
• “Client Secret” can be any random password; it won’t be used for anything.
• Leave everything else in the default state.
It should look something like this:
Click the “Create” button and you’re (almost) done.
Auth0 Icon
You will need to add a custom icon to the social integration (https://shkspr.mobi/blog/2024/12/add-a-custom-icon-to-auth0s-custom-social-integrations/). Annoyingly, there’s no way to do it through the web interface, so follow that guide to use the command line.
Done!
I’ll admit, this isn’t the most straightforward thing to implement. Auth0 could make this easier - but it would still rely on users knowing the URL of their home instance.
That said, the Mastodon API is a delight to work with and the read-only permissions reduce risk for all parties.
• [0] Auth0 did blog about Mastodon a few years ago (https://auth0.com/blog/mastdon-for-developers/) but never bothered implementing it!
• [1] I do mean Mastodon; not the wider Fediverse. This only works with sites which have implemented Mastodon’s APIs.