By default, authentication takes place on which is hosted by

While you must use Auth0 for authentication you can override the configuration of REACT_APP_OIDC_CLIENT_ID and REACT_APP_OIDC_DOMAIN to use another instance.

You will need to update the backend services (such as Normandy) to use the same domain as well.

Debugging Silent Authentication

The way the authentication works is that a never-ending loop checks if the access token has expired, or is about to expire. Actually, it only uses localStorage.expiresAt to do this. To debug this you can either sit very patiently and wait till the check ticks again, or you can speed it up manually. First, to control how often the check ticks, you can override REACT_APP_CHECK_AUTH_EXPIRY_INTERVAL_SECONDS when starting the dev server:


That will cause the check to run every 10 seconds.

Secondly, to avoid awaiting for the access token to expire, you can paste this function into the Web Console:

window.windExpires = hours => {
  let expires = JSON.parse(localStorage.getItem('expiresAt')) - hours * 1000 * 3600;
  localStorage.setItem('expiresAt', JSON.stringify(expires));

Now you can type, in the Web Console:


That will simulate that 1.5 hours on the localStorage.expiresAt has gone past.