diff --git a/apps/demo_web/package.json b/apps/demo_web/package.json
index 91382b34d..6a403c229 100644
--- a/apps/demo_web/package.json
+++ b/apps/demo_web/package.json
@@ -11,6 +11,7 @@
     "lint": "next lint"
   },
   "dependencies": {
+    "auth0-js": "^9.28.1",
     "next": "^15.4.5",
     "react": "*",
     "react-dom": "*"
diff --git a/apps/demo_web/src/app/test/page.tsx b/apps/demo_web/src/app/test/page.tsx
new file mode 100644
index 000000000..3ad718925
--- /dev/null
+++ b/apps/demo_web/src/app/test/page.tsx
@@ -0,0 +1,351 @@
+"use client";
+
+import React, { useEffect, useMemo, useState } from "react";
+import auth0 from "auth0-js";
+
+const AUTH0_DOMAIN = "dev-0v00qjwpomau3ldk.us.auth0.com";
+const AUTH0_CLIENT_ID = "AMtmlNKxJiNY7abqewmq9mjERf2TOlfo";
+const AUTH0_EMAIL_CONNECTION = "email";
+const AUTH0_SCOPE = "openid profile email";
+
+type Stage = "enter-email" | "enter-code" | "complete";
+
+export default function Auth0TestPage(): React.ReactElement {
+  const [email, setEmail] = useState("");
+  const [code, setCode] = useState("");
+  const [stage, setStage] = useState<Stage>("enter-email");
+  const [statusMessage, setStatusMessage] = useState<string | null>(null);
+  const [errorMessage, setErrorMessage] = useState<string | null>(null);
+  const [authResult, setAuthResult] = useState<auth0.Auth0DecodedHash | null>(
+    null,
+  );
+  const [isSending, setIsSending] = useState(false);
+  const [isVerifying, setIsVerifying] = useState(false);
+
+  const webAuth = useMemo(
+    () =>
+      new auth0.WebAuth({
+        domain: AUTH0_DOMAIN,
+        clientID: AUTH0_CLIENT_ID,
+        responseType: "token id_token",
+        scope: AUTH0_SCOPE,
+        redirectUri:
+          typeof window !== "undefined"
+            ? `${window.location.origin}/test`
+            : undefined,
+        audience: `https://${AUTH0_DOMAIN}/userinfo`,
+      }),
+    [],
+  );
+
+  useEffect(() => {
+    if (typeof window === "undefined") {
+      return;
+    }
+
+    const hash = window.location.hash;
+    if (!hash || hash.length < 2) {
+      return;
+    }
+
+    webAuth.parseHash({ hash }, (err, result) => {
+      window.history.replaceState(
+        {},
+        document.title,
+        window.location.pathname + window.location.search,
+      );
+
+      if (err) {
+        setErrorMessage(
+          err.description ?? err.error_description ?? String(err),
+        );
+        setIsVerifying(false);
+        return;
+      }
+
+      if (result) {
+        setAuthResult(result);
+        setStatusMessage("Authentication completed successfully.");
+        setStage("complete");
+      }
+      setIsVerifying(false);
+    });
+  }, [webAuth]);
+
+  const handleSendCode = async (event: React.FormEvent) => {
+    event.preventDefault();
+
+    setErrorMessage(null);
+    setStatusMessage(null);
+
+    if (!email) {
+      setErrorMessage("Please enter your email address.");
+      return;
+    }
+
+    setIsSending(true);
+    webAuth.passwordlessStart(
+      {
+        connection: AUTH0_EMAIL_CONNECTION,
+        email,
+        send: "code",
+      },
+      (err) => {
+        setIsSending(false);
+        if (err) {
+          setErrorMessage(
+            err.description ?? err.error_description ?? String(err),
+          );
+          return;
+        }
+
+        setStatusMessage("Authentication code sent to your email.");
+        setStage("enter-code");
+      },
+    );
+  };
+
+  const handleVerifyCode = async (event: React.FormEvent) => {
+    event.preventDefault();
+
+    setErrorMessage(null);
+    setStatusMessage(null);
+
+    if (!code) {
+      setErrorMessage("Please enter the authentication code.");
+      return;
+    }
+
+    setIsVerifying(true);
+    webAuth.passwordlessLogin(
+      {
+        connection: AUTH0_EMAIL_CONNECTION,
+        email,
+        verificationCode: code,
+      },
+      (err) => {
+        if (err) {
+          setIsVerifying(false);
+          setErrorMessage(
+            err.description ?? err.error_description ?? String(err),
+          );
+        }
+      },
+    );
+  };
+
+  return (
+    <main
+      style={{
+        minHeight: "100vh",
+        display: "flex",
+        justifyContent: "center",
+        alignItems: "center",
+        background: "#0d0d0d",
+        color: "#ffffff",
+        fontFamily: "system-ui, sans-serif",
+        padding: "24px",
+      }}
+    >
+      <div
+        style={{
+          width: "100%",
+          maxWidth: "420px",
+          background: "#1a1a1a",
+          borderRadius: "16px",
+          padding: "32px",
+          boxShadow: "0 20px 45px rgba(0,0,0,0.4)",
+        }}
+      >
+        <h1 style={{ fontSize: "1.6rem", marginBottom: "12px" }}>
+          Auth0 Email OTP Login
+        </h1>
+        <p style={{ marginBottom: "24px", color: "#bbbbbb" }}>
+          Enter your email address to receive an OTP for authentication.
+        </p>
+
+        {errorMessage && (
+          <div
+            style={{
+              padding: "12px 14px",
+              borderRadius: "12px",
+              background: "rgba(255, 75, 75, 0.15)",
+              color: "#ff6b6b",
+              marginBottom: "20px",
+            }}
+          >
+            {errorMessage}
+          </div>
+        )}
+
+        {statusMessage && (
+          <div
+            style={{
+              padding: "12px 14px",
+              borderRadius: "12px",
+              background: "rgba(80, 200, 120, 0.15)",
+              color: "#4cd964",
+              marginBottom: "20px",
+            }}
+          >
+            {statusMessage}
+          </div>
+        )}
+
+        {stage === "enter-email" && (
+          <form onSubmit={handleSendCode}>
+            <label
+              htmlFor="email"
+              style={{ display: "block", marginBottom: "8px" }}
+            >
+              Email Address
+            </label>
+            <input
+              id="email"
+              type="email"
+              value={email}
+              onChange={(e) => setEmail(e.target.value)}
+              placeholder="user@example.com"
+              style={{
+                width: "100%",
+                padding: "14px",
+                borderRadius: "10px",
+                border: "1px solid #333",
+                background: "#101010",
+                color: "#fafafa",
+                marginBottom: "16px",
+              }}
+            />
+            <button
+              type="submit"
+              disabled={isSending}
+              style={{
+                width: "100%",
+                padding: "14px",
+                borderRadius: "10px",
+                border: "none",
+                background: "#5f5cff",
+                color: "#fff",
+                fontWeight: 600,
+                cursor: "pointer",
+                opacity: isSending ? 0.6 : 1,
+              }}
+            >
+              {isSending ? "Sending..." : "Send Authentication Code"}
+            </button>
+          </form>
+        )}
+
+        {stage === "enter-code" && (
+          <form onSubmit={handleVerifyCode}>
+            <label
+              htmlFor="code"
+              style={{ display: "block", marginBottom: "8px" }}
+            >
+              Authentication Code Received by Email
+            </label>
+            <input
+              id="code"
+              type="text"
+              value={code}
+              onChange={(e) => setCode(e.target.value)}
+              placeholder="123456"
+              style={{
+                width: "100%",
+                padding: "14px",
+                borderRadius: "10px",
+                border: "1px solid #333",
+                background: "#101010",
+                color: "#fafafa",
+                letterSpacing: "0.15em",
+                marginBottom: "16px",
+              }}
+            />
+            <button
+              type="submit"
+              disabled={isVerifying}
+              style={{
+                width: "100%",
+                padding: "14px",
+                borderRadius: "10px",
+                border: "none",
+                background: "#5f5cff",
+                color: "#fff",
+                fontWeight: 600,
+                cursor: "pointer",
+                opacity: isVerifying ? 0.6 : 1,
+              }}
+            >
+              {isVerifying ? "Verifying..." : "Verify Authentication Code"}
+            </button>
+            <button
+              type="button"
+              onClick={() => {
+                setStage("enter-email");
+                setCode("");
+                setStatusMessage(null);
+                setErrorMessage(null);
+              }}
+              style={{
+                marginTop: "12px",
+                width: "100%",
+                padding: "12px",
+                borderRadius: "10px",
+                border: "1px solid #333",
+                background: "transparent",
+                color: "#bbbbbb",
+                cursor: "pointer",
+              }}
+            >
+              Re-enter Email
+            </button>
+          </form>
+        )}
+
+        {stage === "complete" && (
+          <div>
+            <p style={{ marginBottom: "16px" }}>
+              Login successful. Check the issued token information.
+            </p>
+            <pre
+              style={{
+                background: "#111",
+                padding: "16px",
+                borderRadius: "12px",
+                overflowX: "auto",
+                fontSize: "0.85rem",
+                lineHeight: 1.5,
+                border: "1px solid #222",
+              }}
+            >
+              {JSON.stringify(authResult, null, 2)}
+            </pre>
+            <button
+              type="button"
+              onClick={() => {
+                setStage("enter-email");
+                setEmail("");
+                setCode("");
+                setStatusMessage(null);
+                setErrorMessage(null);
+                setAuthResult(null);
+              }}
+              style={{
+                marginTop: "16px",
+                width: "100%",
+                padding: "12px",
+                borderRadius: "10px",
+                border: "1px solid #333",
+                background: "transparent",
+                color: "#bbbbbb",
+                cursor: "pointer",
+              }}
+            >
+              Re-test
+            </button>
+          </div>
+        )}
+      </div>
+    </main>
+  );
+}
diff --git a/apps/demo_web/src/components/widgets/account_widget/account_widget.tsx b/apps/demo_web/src/components/widgets/account_widget/account_widget.tsx
index b5f92b94f..858aad9d0 100644
--- a/apps/demo_web/src/components/widgets/account_widget/account_widget.tsx
+++ b/apps/demo_web/src/components/widgets/account_widget/account_widget.tsx
@@ -1,26 +1,46 @@
 import React, { useState } from "react";
-
 import { useSDKState } from "@oko-wallet-demo-web/state/sdk";
 import { useUserInfoState } from "@oko-wallet-demo-web/state/user_info";
 import { AuthProgressWidget } from "./auth_progress_widget";
 import { AccountInfoWidget } from "./account_info_widget";
-import { LoginWidget } from "../login_widget/login_widget";
+import {
+  type EmailLoginState,
+  LoginWidget,
+} from "../login_widget/login_widget";
 
 type SigningInState =
   | { status: "ready" }
   | { status: "signing-in" }
   | { status: "failed"; error: string };
 
+const initialEmailLoginState: EmailLoginState = {
+  stage: "enter-email",
+  email: "",
+};
+
 export const AccountWidget: React.FC<AccountWidgetProps> = () => {
   const okoWallet = useSDKState((state) => state.oko_cosmos)?.okoWallet;
   const [signingInState, setSigningInState] = useState<SigningInState>({
     status: "ready",
   });
-
-  const { email, publicKey, isSignedIn } = useUserInfoState();
+  const [emailLoginState, setEmailLoginState] = useState<EmailLoginState>(
+    initialEmailLoginState,
+  );
+  const [emailStatusMessage, setEmailStatusMessage] = useState<string | null>(
+    null,
+  );
+  const [emailErrorMessage, setEmailErrorMessage] = useState<string | null>(
+    null,
+  );
+  const [isVerifyingCode, setIsVerifyingCode] = useState(false);
+
+  const email = useUserInfoState((state) => state.email);
+  const publicKey = useUserInfoState((state) => state.publicKey);
+  const isSignedIn = useUserInfoState((state) => state.isSignedIn);
+  const clearUserInfo = useUserInfoState((state) => state.clearUserInfo);
 
   // TODO: add other login methods, and update the type accordingly
-  const [loginMethod] = useState<
+  const [loginMethod, setLoginMethod] = useState<
     "email" | "google" | "telegram" | "x" | "apple"
   >("google");
 
@@ -28,11 +48,54 @@ export const AccountWidget: React.FC<AccountWidgetProps> = () => {
     method: "email" | "google" | "telegram" | "x" | "apple",
     email?: string,
   ) {
+    setLoginMethod(method);
+
     if (!okoWallet) {
       console.error("eWallet is not initialized");
       return;
     }
 
+    if (method === "email") {
+      const targetEmail = email?.trim() ?? "";
+
+      if (!targetEmail) {
+        setEmailErrorMessage("email is required");
+        return;
+      }
+
+      setEmailErrorMessage(null);
+      setEmailStatusMessage("Sending authentication code...");
+      setEmailLoginState({
+        stage: "sending-code",
+        email: targetEmail,
+      });
+
+      try {
+        await okoWallet.startEmailSignIn(targetEmail);
+
+        setEmailLoginState({
+          stage: "receive-code",
+          email: targetEmail,
+        });
+        setEmailStatusMessage("Authentication code sent to your email.");
+      } catch (error: any) {
+        console.error("Failed to send Auth0 email code", error);
+
+        setEmailLoginState({
+          stage: "enter-email",
+          email: targetEmail,
+        });
+        const message =
+          error instanceof Error
+            ? error.message
+            : "Failed to send authentication code";
+        setEmailErrorMessage(message);
+        setEmailStatusMessage(null);
+      }
+
+      return;
+    }
+
     if (method !== "google") {
       console.error("Unsupported login method atm: %s", method);
       return;
@@ -58,11 +121,19 @@ export const AccountWidget: React.FC<AccountWidgetProps> = () => {
   }
 
   async function handleSignOut() {
-    if (okoWallet) {
-      await okoWallet.signOut();
-    } else {
+    if (!okoWallet) {
       console.error("EWallet is not initialized");
+      return;
     }
+
+    await okoWallet.signOut();
+    clearUserInfo();
+    setLoginMethod("google");
+    setSigningInState({ status: "ready" });
+    setEmailLoginState(initialEmailLoginState);
+    setEmailStatusMessage(null);
+    setEmailErrorMessage(null);
+    setIsVerifyingCode(false);
   }
 
   if (!okoWallet) {
@@ -94,7 +165,74 @@ export const AccountWidget: React.FC<AccountWidgetProps> = () => {
     );
   }
 
-  return <LoginWidget onSignIn={handleSignIn} />;
+  function handleEmailChange(inputEmail: string) {
+    setEmailLoginState({
+      stage: "enter-email",
+      email: inputEmail,
+    });
+    setEmailStatusMessage(null);
+    setEmailErrorMessage(null);
+    setIsVerifyingCode(false);
+  }
+
+  async function handleVerifyEmailCode(code: string) {
+    if (!okoWallet) {
+      console.error("eWallet is not initialized");
+      return;
+    }
+
+    setLoginMethod("email");
+
+    const targetEmail = emailLoginState.email.trim();
+    if (!targetEmail) {
+      setEmailErrorMessage("email is required");
+      return;
+    }
+
+    if (!code.trim()) {
+      setEmailErrorMessage("authentication code is required");
+      return;
+    }
+
+    try {
+      setSigningInState({ status: "signing-in" });
+      setEmailErrorMessage(null);
+      setEmailStatusMessage("Verifying authentication code...");
+      setIsVerifyingCode(true);
+
+      await okoWallet.completeEmailSignIn(targetEmail, code.trim());
+
+      setEmailStatusMessage("Authentication code verified");
+      setEmailErrorMessage(null);
+      setSigningInState({ status: "ready" });
+    } catch (error: any) {
+      console.error("Failed to verify Auth0 email code", error);
+      const message =
+        error instanceof Error
+          ? error.message
+          : "Failed to verify authentication code";
+      setEmailErrorMessage(message);
+      setEmailStatusMessage(null);
+      setSigningInState({
+        status: "failed",
+        error: message,
+      });
+    } finally {
+      setIsVerifyingCode(false);
+    }
+  }
+
+  return (
+    <LoginWidget
+      onSignIn={handleSignIn}
+      emailLoginState={emailLoginState}
+      onEmailChange={handleEmailChange}
+      onVerifyEmailCode={handleVerifyEmailCode}
+      emailStatusMessage={emailStatusMessage}
+      emailErrorMessage={emailErrorMessage}
+      isEmailVerificationInProgress={isVerifyingCode}
+    />
+  );
 };
 
 export interface AccountWidgetProps {}
diff --git a/apps/demo_web/src/components/widgets/login_widget/login_default_view.tsx b/apps/demo_web/src/components/widgets/login_widget/login_default_view.tsx
index e0f98df7c..466fa0d3e 100644
--- a/apps/demo_web/src/components/widgets/login_widget/login_default_view.tsx
+++ b/apps/demo_web/src/components/widgets/login_widget/login_default_view.tsx
@@ -1,4 +1,4 @@
-import { type FC, Fragment, useState } from "react";
+import { type FC, Fragment, useEffect, useState } from "react";
 import { Button } from "@oko-wallet/oko-common-ui/button";
 import { GoogleIcon } from "@oko-wallet/oko-common-ui/icons/google_icon";
 import { Logo } from "@oko-wallet/oko-common-ui/logo";
@@ -13,20 +13,45 @@ import { MailboxIcon } from "@oko-wallet/oko-common-ui/icons/mailbox";
 import { OkoLogoIcon } from "@oko-wallet-common-ui/icons/oko_logo_icon";
 
 import styles from "./login_widget.module.scss";
+import type { EmailLoginState } from "./login_widget";
 
 export interface LoginDefaultViewProps {
   onSignIn: (
     method: "email" | "google" | "telegram" | "x" | "apple",
     email?: string,
   ) => void;
+  emailLoginState: EmailLoginState;
+  onEmailChange: (email: string) => void;
   onShowSocials: () => void;
+  onVerifyEmailCode: (code: string) => void;
+  statusMessage?: string | null;
+  errorMessage?: string | null;
+  isVerifyingCode?: boolean;
 }
 
 export const LoginDefaultView: FC<LoginDefaultViewProps> = ({
   onSignIn,
+  emailLoginState,
+  onEmailChange,
   onShowSocials,
+  onVerifyEmailCode,
+  statusMessage,
+  errorMessage,
+  isVerifyingCode = false,
 }) => {
-  const [email, setEmail] = useState("");
+  const { stage, email } = emailLoginState;
+  const [code, setCode] = useState("");
+  const isSending = stage === "sending-code";
+  const isAwaitingCode = stage === "receive-code";
+  const isNextDisabled =
+    isSending || isVerifyingCode || email.trim().length === 0;
+  const isVerifyDisabled = isVerifyingCode || code.trim().length === 0;
+
+  useEffect(() => {
+    if (stage === "enter-email") {
+      setCode("");
+    }
+  }, [stage]);
 
   return (
     <Fragment>
@@ -57,22 +82,65 @@ export const LoginDefaultView: FC<LoginDefaultViewProps> = ({
           <MailboxIcon size={20} color={"var(--fg-quaternary)"} />
           <input
             placeholder="your@email.com"
-            onChange={(e) => setEmail(e.target.value)}
+            value={email}
+            onChange={(e) => onEmailChange(e.target.value)}
             className={styles.emailInput}
             type="email"
-            disabled={true}
+            disabled={isSending || isVerifyingCode}
           />
           <Button
             variant="ghost"
             size="md"
             className={styles.loginButton}
             onClick={() => onSignIn("email", email)}
-            disabled={true} // TODO: Remove this once we have email login implemented
+            disabled={isNextDisabled}
           >
-            Next
+            {isSending ? "Sending..." : isAwaitingCode ? "Resend" : "Next"}
           </Button>
         </div>
 
+        {isAwaitingCode ? (
+          <>
+            <Spacing height={12} />
+            <div className={styles.emailLoginMethod}>
+              <MailboxIcon size={20} color={"var(--fg-quaternary)"} />
+              <input
+                placeholder="123456"
+                value={code}
+                onChange={(e) => setCode(e.target.value)}
+                className={styles.emailInput}
+                type="text"
+                inputMode="numeric"
+                disabled={isVerifyingCode}
+              />
+              <Button
+                variant="ghost"
+                size="md"
+                className={styles.loginButton}
+                onClick={() => onVerifyEmailCode(code)}
+                disabled={isVerifyDisabled}
+              >
+                {isVerifyingCode ? "Verifying..." : "Verify"}
+              </Button>
+            </div>
+          </>
+        ) : null}
+
+        {(statusMessage || errorMessage) && (
+          <div className={styles.statusMessage}>
+            {statusMessage ? (
+              <Typography size="xs" weight="medium" color="secondary">
+                {statusMessage}
+              </Typography>
+            ) : null}
+            {errorMessage ? (
+              <Typography size="xs" weight="medium" color="error-primary">
+                {errorMessage}
+              </Typography>
+            ) : null}
+          </div>
+        )}
+
         <Button
           variant="secondary"
           size="md"
diff --git a/apps/demo_web/src/components/widgets/login_widget/login_widget.module.scss b/apps/demo_web/src/components/widgets/login_widget/login_widget.module.scss
index 028a45224..d7f898025 100644
--- a/apps/demo_web/src/components/widgets/login_widget/login_widget.module.scss
+++ b/apps/demo_web/src/components/widgets/login_widget/login_widget.module.scss
@@ -124,3 +124,11 @@
 
   border: none;
 }
+
+.statusMessage {
+  align-self: stretch;
+  margin-top: 8px;
+  display: flex;
+  flex-direction: column;
+  gap: 4px;
+}
diff --git a/apps/demo_web/src/components/widgets/login_widget/login_widget.tsx b/apps/demo_web/src/components/widgets/login_widget/login_widget.tsx
index 753972140..96d0311b2 100644
--- a/apps/demo_web/src/components/widgets/login_widget/login_widget.tsx
+++ b/apps/demo_web/src/components/widgets/login_widget/login_widget.tsx
@@ -4,14 +4,35 @@ import styles from "./login_widget.module.scss";
 import { LoginDefaultView } from "./login_default_view";
 import { LoginSocialsView } from "./login_socials_view";
 
+export type EmailLoginStage = "enter-email" | "sending-code" | "receive-code";
+
+export interface EmailLoginState {
+  stage: EmailLoginStage;
+  email: string;
+}
+
 export interface LoginWidgetProps {
   onSignIn: (
     method: "email" | "google" | "telegram" | "x" | "apple",
     email?: string,
   ) => void;
+  emailLoginState: EmailLoginState;
+  onEmailChange: (email: string) => void;
+  onVerifyEmailCode: (code: string) => void;
+  emailStatusMessage?: string | null;
+  emailErrorMessage?: string | null;
+  isEmailVerificationInProgress?: boolean;
 }
 
-export const LoginWidget: React.FC<LoginWidgetProps> = ({ onSignIn }) => {
+export const LoginWidget: React.FC<LoginWidgetProps> = ({
+  onSignIn,
+  emailLoginState,
+  onEmailChange,
+  onVerifyEmailCode,
+  emailStatusMessage,
+  emailErrorMessage,
+  isEmailVerificationInProgress,
+}) => {
   const [showSocials, setShowSocials] = useState(false);
 
   return (
@@ -19,8 +40,14 @@ export const LoginWidget: React.FC<LoginWidgetProps> = ({ onSignIn }) => {
       <div className={styles.container}>
         {!showSocials ? (
           <LoginDefaultView
-            onSignIn={(m) => onSignIn(m)}
+            onSignIn={(method, email) => onSignIn(method, email)}
+            emailLoginState={emailLoginState}
+            onEmailChange={onEmailChange}
             onShowSocials={() => setShowSocials(true)}
+            onVerifyEmailCode={onVerifyEmailCode}
+            statusMessage={emailStatusMessage}
+            errorMessage={emailErrorMessage}
+            isVerifyingCode={isEmailVerificationInProgress}
           />
         ) : (
           <LoginSocialsView
diff --git a/backend/openapi/src/common/index.ts b/backend/openapi/src/common/index.ts
index 3f949ed16..229164556 100644
--- a/backend/openapi/src/common/index.ts
+++ b/backend/openapi/src/common/index.ts
@@ -60,12 +60,12 @@ export const UserAuthHeaderSchema = z.object({
     }),
 });
 
-export const GoogleAuthHeaderSchema = z.object({
+export const OAuthHeaderSchema = z.object({
   Authorization: z
     .string()
     .regex(/^Bearer\s[\w-]+\.[\w-]+\.[\w-]+$/)
     .openapi({
-      description: "Google OAuth bearer token",
+      description: "OAuth bearer token (Google or Auth0)",
       example: "Bearer ya29.a0AWY7C...",
       param: {
         name: "Authorization",
diff --git a/backend/openapi/src/registry.ts b/backend/openapi/src/registry.ts
index 32f1a4bce..6952ef45c 100644
--- a/backend/openapi/src/registry.ts
+++ b/backend/openapi/src/registry.ts
@@ -31,11 +31,12 @@ registry.registerComponent("securitySchemes", "userAuth", {
   description: "End-user bearer token. Use: 'Authorization: Bearer <JWT>'",
 });
 
-registry.registerComponent("securitySchemes", "googleAuth", {
+registry.registerComponent("securitySchemes", "oauthAuth", {
   type: "http",
   scheme: "bearer",
   bearerFormat: "JWT",
-  description: "Google OAuth bearer token. Use: 'Authorization: Bearer <JWT>'",
+  description:
+    "OAuth bearer token (Google or Auth0). Use: 'Authorization: Bearer <JWT>'",
 });
 
 registry.registerComponent("securitySchemes", "apiKeyAuth", {
diff --git a/backend/openapi/src/tss/request.ts b/backend/openapi/src/tss/request.ts
index ab79c9c0b..5b64f5501 100644
--- a/backend/openapi/src/tss/request.ts
+++ b/backend/openapi/src/tss/request.ts
@@ -2,9 +2,22 @@ import { z } from "zod";
 
 import { registry } from "../registry";
 
+const OAuthTypeSchema = z.enum(["google", "auth0"]).openapi({
+  description: "OAuth provider type",
+  example: "google",
+});
+
+export const SignInRequestSchema = registry.register(
+  "TssUserSignInRequest",
+  z.object({
+    auth_type: OAuthTypeSchema,
+  }),
+);
+
 export const KeygenRequestSchema = registry.register(
   "TssKeygenRequest",
   z.object({
+    auth_type: OAuthTypeSchema,
     keygen_2: z
       .object({
         private_share: z.string().openapi({
@@ -19,3 +32,25 @@ export const KeygenRequestSchema = registry.register(
       }),
   }),
 );
+
+export const ReshareRequestSchema = registry.register(
+  "TssUserReshareRequest",
+  z.object({
+    auth_type: OAuthTypeSchema,
+    public_key: z.string().openapi({
+      description: "Wallet public key in hex format",
+    }),
+    reshared_key_shares: z
+      .array(
+        z.object({
+          name: z.string().openapi({
+            description: "Key share node name",
+          }),
+          endpoint: z.string().openapi({
+            description: "Key share node endpoint",
+          }),
+        }),
+      )
+      .openapi({ description: "Reshared key shares grouped by node" }),
+  }),
+);
diff --git a/backend/tss_api/src/middleware/auth0_auth/client_id.ts b/backend/tss_api/src/middleware/auth0_auth/client_id.ts
new file mode 100644
index 000000000..414daccdf
--- /dev/null
+++ b/backend/tss_api/src/middleware/auth0_auth/client_id.ts
@@ -0,0 +1,2 @@
+export const AUTH0_DOMAIN = "dev-0v00qjwpomau3ldk.us.auth0.com";
+export const AUTH0_CLIENT_ID = "AMtmlNKxJiNY7abqewmq9mjERf2TOlfo";
diff --git a/backend/tss_api/src/middleware/auth0_auth/index.ts b/backend/tss_api/src/middleware/auth0_auth/index.ts
new file mode 100644
index 000000000..af46f2630
--- /dev/null
+++ b/backend/tss_api/src/middleware/auth0_auth/index.ts
@@ -0,0 +1,67 @@
+import type { Request, Response, NextFunction } from "express";
+
+import { validateAuth0IdToken } from "./validate";
+import { AUTH0_CLIENT_ID, AUTH0_DOMAIN } from "./client_id";
+
+export interface Auth0AuthenticatedRequest<T = any> extends Request {
+  body: T;
+}
+
+export async function auth0AuthMiddleware(
+  req: Auth0AuthenticatedRequest,
+  res: Response,
+  next: NextFunction,
+) {
+  const authHeader = req.headers.authorization;
+
+  if (!authHeader || !authHeader.startsWith("Bearer ")) {
+    res
+      .status(401)
+      .json({ error: "Authorization header with Bearer token required" });
+    return;
+  }
+
+  const idToken = authHeader.substring(7).trim();
+
+  try {
+    const result = await validateAuth0IdToken({
+      idToken,
+      clientId: AUTH0_CLIENT_ID,
+      domain: AUTH0_DOMAIN,
+    });
+
+    if (!result.success) {
+      res.status(401).json({ error: result.err });
+      return;
+    }
+
+    if (!result.data) {
+      res.status(500).json({
+        error: "Internal server error: Token info missing after validation",
+      });
+      return;
+    }
+
+    if (!result.data.email || !result.data.sub) {
+      res.status(401).json({
+        error: "Unauthorized: Invalid token",
+      });
+      return;
+    }
+
+    res.locals.oauth_user = {
+      type: "auth0",
+      email: result.data.email,
+      name: result.data.name,
+      sub: result.data.sub,
+    };
+
+    next();
+    return;
+  } catch (error) {
+    res.status(500).json({
+      error: `Auth0 token validation failed: ${error instanceof Error ? error.message : String(error)}`,
+    });
+    return;
+  }
+}
diff --git a/backend/tss_api/src/middleware/auth0_auth/validate.test.ts b/backend/tss_api/src/middleware/auth0_auth/validate.test.ts
new file mode 100644
index 000000000..4d9764792
--- /dev/null
+++ b/backend/tss_api/src/middleware/auth0_auth/validate.test.ts
@@ -0,0 +1,20 @@
+import { validateAuth0IdToken } from "./validate";
+import { AUTH0_CLIENT_ID, AUTH0_DOMAIN } from "./client_id";
+
+describe("validateAuth0IdToken", () => {
+  it("should validate a valid Auth0 ID token", async () => {
+    const idToken = "YOUR_AUTH0_ID_TOKEN_HERE";
+
+    const result = await validateAuth0IdToken({
+      idToken,
+      clientId: AUTH0_CLIENT_ID,
+      domain: AUTH0_DOMAIN,
+    });
+
+    expect(result.success).toBe(true);
+    if (result.success) {
+      expect(result.data.email).toBeTruthy();
+      expect(result.data.sub).toBeTruthy();
+    }
+  });
+});
diff --git a/backend/tss_api/src/middleware/auth0_auth/validate.ts b/backend/tss_api/src/middleware/auth0_auth/validate.ts
new file mode 100644
index 000000000..36a8c11fd
--- /dev/null
+++ b/backend/tss_api/src/middleware/auth0_auth/validate.ts
@@ -0,0 +1,201 @@
+import { createPublicKey, type JsonWebKey } from "crypto";
+import jwt, { type JwtHeader, type JwtPayload } from "jsonwebtoken";
+import type { Result } from "@oko-wallet/stdlib-js";
+
+interface Auth0IdTokenPayload extends JwtPayload {
+  email?: string;
+  email_verified?: boolean;
+  name?: string;
+  nonce?: string;
+}
+
+interface ValidateAuth0IdTokenArgs {
+  idToken: string;
+  clientId: string;
+  domain: string;
+  expectedEmail?: string;
+  expectedNonce?: string;
+}
+
+export interface Auth0UserInfo {
+  email: string;
+  name?: string;
+  sub: string;
+  nonce?: string;
+}
+
+interface Auth0Jwk extends JsonWebKey {
+  kid: string;
+}
+
+const JWKS_CACHE_TTL_MS = 5 * 60 * 1000;
+const jwksCache = new Map<
+  string,
+  {
+    fetchedAt: number;
+    keys: Auth0Jwk[];
+  }
+>();
+
+export async function validateAuth0IdToken(
+  args: ValidateAuth0IdTokenArgs,
+): Promise<Result<Auth0UserInfo, string>> {
+  try {
+    const decoded = jwt.decode(args.idToken, { complete: true });
+    if (!decoded || typeof decoded === "string") {
+      return {
+        success: false,
+        err: "Invalid token format",
+      };
+    }
+
+    const header = decoded.header as JwtHeader;
+    if (!header.kid) {
+      return {
+        success: false,
+        err: "Missing key id in token header",
+      };
+    }
+
+    const jwk = await getSigningKey(args.domain, header.kid);
+    if (!jwk) {
+      return {
+        success: false,
+        err: "Unable to find matching signing key for token",
+      };
+    }
+
+    const publicKey = createPublicKey({
+      key: jwk,
+      format: "jwk",
+    });
+
+    const pem = publicKey.export({
+      type: "spki",
+      format: "pem",
+    }) as string;
+
+    const payload = jwt.verify(args.idToken, pem, {
+      algorithms: ["RS256"],
+      audience: args.clientId,
+      issuer: `https://${args.domain}/`,
+    }) as Auth0IdTokenPayload;
+
+    if (!payload.sub) {
+      return {
+        success: false,
+        err: "Token missing subject claim",
+      };
+    }
+
+    if (!payload.email) {
+      return {
+        success: false,
+        err: "Token missing email claim",
+      };
+    }
+
+    if (!payload.email_verified) {
+      return {
+        success: false,
+        err: "Email not verified in Auth0 token",
+      };
+    }
+
+    if (
+      args.expectedEmail &&
+      normalizeEmail(payload.email) !== normalizeEmail(args.expectedEmail)
+    ) {
+      return {
+        success: false,
+        err: "Email mismatch between request and token",
+      };
+    }
+
+    if (args.expectedNonce && payload.nonce !== args.expectedNonce) {
+      return {
+        success: false,
+        err: "Nonce mismatch",
+      };
+    }
+
+    return {
+      success: true,
+      data: {
+        email: payload.email,
+        name: typeof payload.name === "string" ? payload.name : undefined,
+        sub: payload.sub,
+        nonce: payload.nonce,
+      },
+    };
+  } catch (error) {
+    if (error instanceof jwt.JsonWebTokenError) {
+      return {
+        success: false,
+        err: `Invalid Auth0 token: ${error.message}`,
+      };
+    }
+
+    return {
+      success: false,
+      err: `Failed to validate Auth0 token: ${error instanceof Error ? error.message : String(error)}`,
+    };
+  }
+}
+
+async function getSigningKey(
+  domain: string,
+  kid: string,
+): Promise<Auth0Jwk | null> {
+  const keys = await getJwks(domain);
+  const match = keys.find((key) => key.kid === kid);
+
+  if (match) {
+    return match;
+  }
+
+  const freshKeys = await getJwks(domain, { forceRefresh: true });
+  return freshKeys.find((key) => key.kid === kid) ?? null;
+}
+
+async function getJwks(
+  domain: string,
+  options: { forceRefresh?: boolean } = {},
+): Promise<Auth0Jwk[]> {
+  const cacheKey = domain;
+  const cached = jwksCache.get(cacheKey);
+  const now = Date.now();
+
+  if (
+    !options.forceRefresh &&
+    cached &&
+    now - cached.fetchedAt < JWKS_CACHE_TTL_MS
+  ) {
+    return cached.keys;
+  }
+
+  const response = await fetch(`https://${domain}/.well-known/jwks.json`);
+
+  if (!response.ok) {
+    throw new Error(
+      `Failed to fetch Auth0 JWKS: ${response.status} ${response.statusText}`,
+    );
+  }
+
+  const body = (await response.json()) as { keys?: Auth0Jwk[] };
+
+  if (!body.keys || !Array.isArray(body.keys) || body.keys.length === 0) {
+    throw new Error("Auth0 JWKS response missing keys");
+  }
+
+  jwksCache.set(cacheKey, {
+    fetchedAt: now,
+    keys: body.keys,
+  });
+
+  return body.keys;
+}
+
+function normalizeEmail(email: string): string {
+  return email.trim().toLowerCase();
+}
diff --git a/backend/tss_api/src/middleware/google_auth/index.ts b/backend/tss_api/src/middleware/google_auth/index.ts
index 9d289ca66..bd078f87d 100644
--- a/backend/tss_api/src/middleware/google_auth/index.ts
+++ b/backend/tss_api/src/middleware/google_auth/index.ts
@@ -45,7 +45,8 @@ export async function googleAuthMiddleware(
       return;
     }
 
-    res.locals.google_user = {
+    res.locals.oauth_user = {
+      type: "google",
       email: result.data.email,
       name: result.data.name,
       sub: result.data.sub,
diff --git a/backend/tss_api/src/middleware/oauth.ts b/backend/tss_api/src/middleware/oauth.ts
new file mode 100644
index 000000000..5afa7816d
--- /dev/null
+++ b/backend/tss_api/src/middleware/oauth.ts
@@ -0,0 +1,49 @@
+import type { Request, Response, NextFunction } from "express";
+
+import {
+  type GoogleAuthenticatedRequest,
+  googleAuthMiddleware,
+} from "@oko-wallet-tss-api/middleware/google_auth";
+import {
+  type Auth0AuthenticatedRequest,
+  auth0AuthMiddleware,
+} from "@oko-wallet-tss-api/middleware/auth0_auth";
+
+export type OAuthProvider = "google" | "auth0";
+
+export interface OAuthBody {
+  auth_type: OAuthProvider;
+}
+
+export type OAuthAuthenticatedRequest<T = {}> = Request<
+  any,
+  any,
+  OAuthBody & T
+>;
+
+export async function oauthMiddleware(
+  req: OAuthAuthenticatedRequest,
+  res: Response,
+  next: NextFunction,
+) {
+  const authType = req.body?.auth_type as OAuthProvider | undefined;
+
+  if (!authType) {
+    res.status(400).json({
+      error: "auth_type is required in request body",
+    });
+    return;
+  }
+
+  switch (authType) {
+    case "google":
+      return googleAuthMiddleware(req as GoogleAuthenticatedRequest, res, next);
+    case "auth0":
+      return auth0AuthMiddleware(req as Auth0AuthenticatedRequest, res, next);
+    default:
+      res.status(400).json({
+        error: `Invalid auth_type: ${authType}. Must be 'google' or 'auth0'`,
+      });
+      return;
+  }
+}
diff --git a/backend/tss_api/src/middleware/types.ts b/backend/tss_api/src/middleware/types.ts
index 4dde93a1f..40b8cf2e6 100644
--- a/backend/tss_api/src/middleware/types.ts
+++ b/backend/tss_api/src/middleware/types.ts
@@ -1,5 +1,10 @@
 export interface ResponseLocals {
-  google_user: GoogleUser;
+  oauth_user?: OAuthUser;
 }
 
-export interface GoogleUser {}
+export interface OAuthUser {
+  type: "google" | "auth0";
+  email: string;
+  name?: string;
+  sub: string;
+}
diff --git a/backend/tss_api/src/routes/keygen.test.ts b/backend/tss_api/src/routes/keygen.test.ts
index 028ac5974..5923a1090 100644
--- a/backend/tss_api/src/routes/keygen.test.ts
+++ b/backend/tss_api/src/routes/keygen.test.ts
@@ -13,7 +13,7 @@ await jest.unstable_mockModule("@oko-wallet-tss-api/api/keygen", () => ({
   runKeygen: mockRunKeygen,
 }));
 
-const mockGoogleAuthMiddleware = jest.fn((req: any, res: any, next: any) => {
+const mockOauthMiddleware = jest.fn((req: any, res: any, next: any) => {
   if (!req.headers.authorization) {
     return res
       .status(401)
@@ -28,7 +28,11 @@ const mockGoogleAuthMiddleware = jest.fn((req: any, res: any, next: any) => {
   if (token === "invalid_token") {
     return res.status(401).json({ error: "Invalid token" });
   }
-  res.locals.google_user = {
+  if (!req.body?.auth_type) {
+    return res.status(400).json({ error: "auth_type is required in request body" });
+  }
+  res.locals.oauth_user = {
+    type: req.body.auth_type,
     email: "test@example.com",
     name: "Test User",
     sub: "test123",
@@ -37,10 +41,10 @@ const mockGoogleAuthMiddleware = jest.fn((req: any, res: any, next: any) => {
 });
 
 await jest.unstable_mockModule(
-  "@oko-wallet-tss-api/middleware/google_auth",
+  "@oko-wallet-tss-api/middleware/oauth",
   () => ({
-    googleAuthMiddleware: (req: any, res: any, next: any) =>
-      mockGoogleAuthMiddleware(req, res, next),
+    oauthMiddleware: (req: any, res: any, next: any) =>
+      mockOauthMiddleware(req, res, next),
   }),
 );
 
@@ -87,6 +91,7 @@ describe("keygen_route_test", () => {
   const invalidToken = "invalid_token";
 
   const testKeygenBody = {
+    auth_type: "google",
     keygen_2: {
       private_share: "test_private_share",
       public_key: "test_public_key",
diff --git a/backend/tss_api/src/routes/keygen.ts b/backend/tss_api/src/routes/keygen.ts
index 597fc97ef..cf9a86485 100644
--- a/backend/tss_api/src/routes/keygen.ts
+++ b/backend/tss_api/src/routes/keygen.ts
@@ -5,7 +5,7 @@ import type { OkoApiResponse } from "@oko-wallet/oko-types/api_response";
 import type { SignInResponse } from "@oko-wallet/oko-types/user";
 import {
   ErrorResponseSchema,
-  GoogleAuthHeaderSchema,
+  OAuthHeaderSchema,
 } from "@oko-wallet/oko-api-openapi/common";
 import { SignInSuccessResponseSchema } from "@oko-wallet/oko-api-openapi/tss";
 import { registry } from "@oko-wallet/oko-api-openapi";
@@ -13,9 +13,9 @@ import { KeygenRequestSchema } from "@oko-wallet/oko-api-openapi/tss";
 
 import { runKeygen } from "@oko-wallet-tss-api/api/keygen";
 import {
-  type GoogleAuthenticatedRequest,
-  googleAuthMiddleware,
-} from "@oko-wallet-tss-api/middleware/google_auth";
+  type OAuthAuthenticatedRequest,
+  oauthMiddleware,
+} from "@oko-wallet-tss-api/middleware/oauth";
 import { tssActivateMiddleware } from "@oko-wallet-tss-api/middleware/tss_activate";
 
 export function setKeygenRoutes(router: Router) {
@@ -27,9 +27,9 @@ export function setKeygenRoutes(router: Router) {
     description:
       "Creates user and wallet entities by mapping the received key share \
     with the user's email",
-    security: [{ googleAuth: [] }],
+    security: [{ oauthAuth: [] }],
     request: {
-      headers: GoogleAuthHeaderSchema,
+      headers: OAuthHeaderSchema,
       body: {
         required: true,
         content: {
@@ -49,7 +49,7 @@ export function setKeygenRoutes(router: Router) {
         },
       },
       401: {
-        description: "Unauthorized - Invalid or missing Google OAuth token",
+        description: "Unauthorized - Invalid or missing OAuth token",
         content: {
           "application/json": {
             schema: ErrorResponseSchema,
@@ -77,15 +77,24 @@ export function setKeygenRoutes(router: Router) {
   });
   router.post(
     "/keygen",
-    [googleAuthMiddleware, tssActivateMiddleware],
+    [oauthMiddleware, tssActivateMiddleware],
     async (
-      req: GoogleAuthenticatedRequest<KeygenBody>,
+      req: OAuthAuthenticatedRequest<KeygenBody>,
       res: Response<OkoApiResponse<SignInResponse>>,
     ) => {
       const state = req.app.locals;
-      const googleUser = res.locals.google_user;
+      const oauthUser = res.locals.oauth_user;
       const body = req.body;
 
+      if (!oauthUser?.email) {
+        res.status(401).json({
+          success: false,
+          code: "UNAUTHORIZED",
+          msg: "User email not found",
+        });
+        return;
+      }
+
       const jwtConfig = {
         secret: state.jwt_secret,
         expires_in: state.jwt_expires_in,
@@ -95,7 +104,7 @@ export function setKeygenRoutes(router: Router) {
         state.db,
         jwtConfig,
         {
-          email: googleUser.email.toLowerCase(),
+          email: oauthUser.email.toLowerCase(),
           keygen_2: body.keygen_2,
         },
         state.encryption_secret,
diff --git a/backend/tss_api/src/routes/user.test.ts b/backend/tss_api/src/routes/user.test.ts
index d6a0962ac..ee5f3713f 100644
--- a/backend/tss_api/src/routes/user.test.ts
+++ b/backend/tss_api/src/routes/user.test.ts
@@ -21,7 +21,7 @@ import { TEMP_ENC_SECRET } from "@oko-wallet-tss-api/api/utils";
 
 const SSS_THRESHOLD = 2;
 
-const mockGoogleAuthMiddleware = jest.fn((req: any, res: any, next: any) => {
+const mockOauthMiddleware = jest.fn((req: any, res: any, next: any) => {
   if (!req.headers.authorization) {
     return res
       .status(401)
@@ -36,7 +36,11 @@ const mockGoogleAuthMiddleware = jest.fn((req: any, res: any, next: any) => {
   if (token === "invalid_token") {
     return res.status(401).json({ error: "Invalid token" });
   }
-  res.locals.google_user = {
+  if (!req.body?.auth_type) {
+    return res.status(400).json({ error: "auth_type is required in request body" });
+  }
+  res.locals.oauth_user = {
+    type: req.body.auth_type,
     email: "test@example.com",
     name: "Test User",
     sub: "test123",
@@ -45,10 +49,10 @@ const mockGoogleAuthMiddleware = jest.fn((req: any, res: any, next: any) => {
 });
 
 await jest.unstable_mockModule(
-  "@oko-wallet-tss-api/middleware/google_auth",
+  "@oko-wallet-tss-api/middleware/oauth",
   () => ({
-    googleAuthMiddleware: (req: any, res: any, next: any) =>
-      mockGoogleAuthMiddleware(req, res, next),
+    oauthMiddleware: (req: any, res: any, next: any) =>
+      mockOauthMiddleware(req, res, next),
   }),
 );
 
@@ -254,7 +258,9 @@ describe("user_route_test", () => {
     const invalidToken = "invalid_token";
 
     it("should return 401 when no authorization header is provided", async () => {
-      const response = await request(app).post(testEndpoint);
+      const response = await request(app)
+        .post(testEndpoint)
+        .send({ auth_type: "google" });
 
       expect(response.status).toBe(401);
       expect(response.body.error).toBe(
@@ -265,7 +271,8 @@ describe("user_route_test", () => {
     it("should return 401 when invalid token is provided", async () => {
       const response = await request(app)
         .post(testEndpoint)
-        .set("Authorization", `Bearer ${invalidToken}`);
+        .set("Authorization", `Bearer ${invalidToken}`)
+        .send({ auth_type: "google" });
 
       expect(response.status).toBe(401);
       expect(response.body.error).toBe("Invalid token");
@@ -274,7 +281,8 @@ describe("user_route_test", () => {
     it("should return 404 when user does not exist", async () => {
       const response = await request(app)
         .post(testEndpoint)
-        .set("Authorization", `Bearer ${validToken}`);
+        .set("Authorization", `Bearer ${validToken}`)
+        .send({ auth_type: "google" });
 
       expect(response.status).toBe(404);
       expect(response.body).toEqual({
@@ -294,7 +302,8 @@ describe("user_route_test", () => {
 
       const response = await request(app)
         .post(testEndpoint)
-        .set("Authorization", `Bearer ${validToken}`);
+        .set("Authorization", `Bearer ${validToken}`)
+        .send({ auth_type: "google" });
 
       expect(response.status).toBe(404);
       expect(response.body).toEqual({
@@ -335,7 +344,8 @@ describe("user_route_test", () => {
 
       const response = await request(app)
         .post(testEndpoint)
-        .set("Authorization", `Bearer ${validToken}`);
+        .set("Authorization", `Bearer ${validToken}`)
+        .send({ auth_type: "google" });
 
       expect(response.status).toBe(404);
       expect(response.body).toEqual({
@@ -367,7 +377,8 @@ describe("user_route_test", () => {
 
       const response = await request(app)
         .post(testEndpoint)
-        .set("Authorization", `Bearer ${validToken}`);
+        .set("Authorization", `Bearer ${validToken}`)
+        .send({ auth_type: "google" });
 
       expect(response.status).toBe(200);
       expect(response.body.success).toBe(true);
diff --git a/backend/tss_api/src/routes/user.ts b/backend/tss_api/src/routes/user.ts
index 9f84b176a..6697e9228 100644
--- a/backend/tss_api/src/routes/user.ts
+++ b/backend/tss_api/src/routes/user.ts
@@ -10,22 +10,21 @@ import type { OkoApiResponse } from "@oko-wallet/oko-types/api_response";
 import { ErrorCodeMap } from "@oko-wallet/oko-api-error-codes";
 import {
   ErrorResponseSchema,
-  GoogleAuthHeaderSchema,
+  OAuthHeaderSchema,
+  SuccessResponseSchema,
   UserAuthHeaderSchema,
 } from "@oko-wallet/oko-api-openapi/common";
 import {
   CheckEmailRequestSchema,
   CheckEmailSuccessResponseSchema,
+  ReshareRequestSchema,
+  SignInRequestSchema,
   SignInSilentlySuccessResponseSchema,
   SignInSuccessResponseSchema,
 } from "@oko-wallet/oko-api-openapi/tss";
 import { Bytes } from "@oko-wallet/bytes";
 import { registry } from "@oko-wallet/oko-api-openapi";
 
-import {
-  type GoogleAuthenticatedRequest,
-  googleAuthMiddleware,
-} from "@oko-wallet-tss-api/middleware/google_auth";
 import {
   signIn,
   checkEmail,
@@ -33,6 +32,10 @@ import {
 } from "@oko-wallet-tss-api/api/user";
 import { verifyUserToken } from "@oko-wallet-tss-api/api/keplr_auth";
 import { tssActivateMiddleware } from "@oko-wallet-tss-api/middleware/tss_activate";
+import {
+  type OAuthAuthenticatedRequest,
+  oauthMiddleware,
+} from "@oko-wallet-tss-api/middleware/oauth";
 
 export function setUserRoutes(router: Router) {
   registry.registerPath({
@@ -118,12 +121,20 @@ export function setUserRoutes(router: Router) {
     method: "post",
     path: "/tss/v1/user/signin",
     tags: ["TSS"],
-    summary: "Sign in with Google OAuth",
+    summary: "Sign in with OAuth",
     description:
-      "Authenticates user using Google OAuth token and returns user information with JWT token",
-    security: [{ googleAuth: [] }],
+      "Authenticates user using Google or Auth0 OAuth token and returns user information with JWT token",
+    security: [{ oauthAuth: [] }],
     request: {
-      headers: GoogleAuthHeaderSchema,
+      headers: OAuthHeaderSchema,
+      body: {
+        required: true,
+        content: {
+          "application/json": {
+            schema: SignInRequestSchema,
+          },
+        },
+      },
     },
     responses: {
       200: {
@@ -135,7 +146,7 @@ export function setUserRoutes(router: Router) {
         },
       },
       401: {
-        description: "Unauthorized - Invalid or missing Google OAuth token",
+        description: "Unauthorized - Invalid or missing OAuth token or auth_type",
         content: {
           "application/json": {
             schema: ErrorResponseSchema,
@@ -162,15 +173,26 @@ export function setUserRoutes(router: Router) {
   });
   router.post(
     "/user/signin",
-    [googleAuthMiddleware, tssActivateMiddleware],
+    [oauthMiddleware, tssActivateMiddleware],
     async (
-      req: GoogleAuthenticatedRequest,
+      req: OAuthAuthenticatedRequest,
       res: Response<OkoApiResponse<SignInResponse>>,
     ) => {
       const state = req.app.locals;
-      const googleUser = res.locals.google_user;
+      const oauthUser = res.locals.oauth_user;
 
-      const signInRes = await signIn(state.db, googleUser.email.toLowerCase(), {
+      if (!oauthUser?.email) {
+        res.status(401).json({
+          success: false,
+          code: "UNAUTHORIZED",
+          msg: "User email not found",
+        });
+        return;
+      }
+
+      const userEmail = oauthUser.email.toLowerCase();
+
+      const signInRes = await signIn(state.db, userEmail, {
         secret: state.jwt_secret,
         expires_in: state.jwt_expires_in,
       });
@@ -307,17 +329,81 @@ export function setUserRoutes(router: Router) {
     },
   );
 
+  registry.registerPath({
+    method: "post",
+    path: "/tss/v1/user/reshare",
+    tags: ["TSS"],
+    summary: "Reshare wallet key shares",
+    description:
+      "Updates wallet key share nodes after unrecoverable data loss using provided reshared shares",
+    security: [{ oauthAuth: [] }],
+    request: {
+      headers: OAuthHeaderSchema,
+      body: {
+        required: true,
+        content: {
+          "application/json": {
+            schema: ReshareRequestSchema,
+          },
+        },
+      },
+    },
+    responses: {
+      200: {
+        description: "Reshare request accepted",
+        content: {
+          "application/json": {
+            schema: SuccessResponseSchema,
+          },
+        },
+      },
+      400: {
+        description: "Invalid request body",
+        content: {
+          "application/json": {
+            schema: ErrorResponseSchema,
+          },
+        },
+      },
+      401: {
+        description: "Unauthorized - Invalid or missing OAuth token",
+        content: {
+          "application/json": {
+            schema: ErrorResponseSchema,
+          },
+        },
+      },
+      500: {
+        description: "Internal server error",
+        content: {
+          "application/json": {
+            schema: ErrorResponseSchema,
+          },
+        },
+      },
+    },
+  });
+
   router.post(
     "/user/reshare",
-    [googleAuthMiddleware, tssActivateMiddleware],
+    [oauthMiddleware, tssActivateMiddleware],
     async (
-      req: GoogleAuthenticatedRequest<ReshareRequest>,
+      req: OAuthAuthenticatedRequest<ReshareRequest>,
       res: Response<OkoApiResponse<void>>,
     ) => {
       const state = req.app.locals;
-      const googleUser = res.locals.google_user;
+      const oauthUser = res.locals.oauth_user;
       const { public_key, reshared_key_shares } = req.body;
 
+      if (!oauthUser?.email) {
+        res.status(401).json({
+          success: false,
+          code: "UNAUTHORIZED",
+          msg: "User email not found",
+        });
+        return;
+      }
+
       const publicKeyRes = Bytes.fromHexString(public_key, 33);
       if (publicKeyRes.success === false) {
         res.status(400).json({
@@ -328,7 +414,7 @@ export function setUserRoutes(router: Router) {
         return;
       }
 
-      if (reshared_key_shares.length === 0) {
+      if (!reshared_key_shares?.length) {
         res.status(400).json({
           success: false,
           code: "INVALID_REQUEST",
@@ -339,7 +425,7 @@ export function setUserRoutes(router: Router) {
 
       const reshareRes = await updateWalletKSNodesForReshare(
         state.db,
-        googleUser.email.toLowerCase(),
+        oauthUser.email.toLowerCase(),
         publicKeyRes.data,
         reshared_key_shares,
       );
diff --git a/common/oko_types/src/auth/index.ts b/common/oko_types/src/auth/index.ts
index 11f590499..ee04aaf36 100644
--- a/common/oko_types/src/auth/index.ts
+++ b/common/oko_types/src/auth/index.ts
@@ -1,3 +1,9 @@
 export interface TokenResult {
   token: string;
 }
+
+export type OAuthProvider = "google" | "auth0";
+
+export type OAuthRequest<T> = {
+  auth_type: OAuthProvider;
+} & T;
diff --git a/common/oko_types/src/tss/keygen.ts b/common/oko_types/src/tss/keygen.ts
index 487d90c1d..71251dabf 100644
--- a/common/oko_types/src/tss/keygen.ts
+++ b/common/oko_types/src/tss/keygen.ts
@@ -1,5 +1,7 @@
 import type { KeygenOutput } from "@oko-wallet/tecdsa-interface";
 
+import type { OAuthRequest } from "../auth";
+
 export interface KeygenRequest {
   email: string;
   keygen_2: KeygenOutput;
@@ -8,3 +10,5 @@ export interface KeygenRequest {
 export type KeygenBody = {
   keygen_2: KeygenOutput;
 };
+
+export type KeygenRequestBody = OAuthRequest<KeygenBody>;
diff --git a/common/oko_types/src/user/index.ts b/common/oko_types/src/user/index.ts
index 2800fccbe..f969a9719 100644
--- a/common/oko_types/src/user/index.ts
+++ b/common/oko_types/src/user/index.ts
@@ -1,5 +1,6 @@
 import type { NodeNameAndEndpoint } from "../user_key_share";
 import type { KeyShareNodeMetaWithNodeStatusInfo } from "../tss/ks_node";
+import type { OAuthRequest } from "../auth";
 
 export interface User {
   user_id: string;
@@ -53,3 +54,5 @@ export interface ReshareRequest {
   public_key: string;
   reshared_key_shares: NodeNameAndEndpoint[];
 }
+
+export type ReshareRequestBody = OAuthRequest<ReshareRequest>;
diff --git a/crypto/tecdsa/api_lib/src/index.ts b/crypto/tecdsa/api_lib/src/index.ts
index 30143b638..21a1d8513 100644
--- a/crypto/tecdsa/api_lib/src/index.ts
+++ b/crypto/tecdsa/api_lib/src/index.ts
@@ -11,7 +11,7 @@ import type {
   KeygenStep5V2Request,
 } from "@oko-wallet/tecdsa-interface";
 import type {
-  KeygenBody,
+  KeygenRequestBody,
   PresignStep1Response,
   PresignStep2Response,
   PresignStep3Response,
@@ -179,7 +179,7 @@ async function makePostRequest<T, R>(
 
 export async function reqKeygen(
   endpoint: string,
-  payload: KeygenBody,
+  payload: KeygenRequestBody,
   authToken: string,
 ) {
   const resp: OkoApiResponse<SignInResponse> = await makePostRequest(
diff --git a/embed/oko_attached/package.json b/embed/oko_attached/package.json
index 534c43507..c1cf4e1ac 100644
--- a/embed/oko_attached/package.json
+++ b/embed/oko_attached/package.json
@@ -47,6 +47,7 @@
     "@tanstack/react-router": "^1.131.49",
     "@tanstack/react-router-devtools": "^1.131.49",
     "@tanstack/router-plugin": "^1.131.49",
+    "auth0-js": "^9.29.0",
     "bitcoinjs-lib": "^6.1.7",
     "chalk": "*",
     "cosmjs-types": "^0.9.0",
@@ -64,6 +65,7 @@
   "devDependencies": {
     "@oko-wallet/dotenv": "0.0.2-alpha.10",
     "@oko-wallet/oko-common-ui": "workspace:*",
+    "@types/auth0-js": "^9.21.6",
     "@types/node": "*",
     "@types/react": "*",
     "@types/react-dom": "*",
diff --git a/embed/oko_attached/src/app/auth0/callback/page.tsx b/embed/oko_attached/src/app/auth0/callback/page.tsx
new file mode 100644
index 000000000..5826f10cb
--- /dev/null
+++ b/embed/oko_attached/src/app/auth0/callback/page.tsx
@@ -0,0 +1,7 @@
+import React from "react";
+
+import { Auth0Callback } from "@oko-wallet-attached/components/auth0_callback/auth0_callback";
+
+export default function Page() {
+  return <Auth0Callback />;
+}
diff --git a/embed/oko_attached/src/app/auth0/popup/page.tsx b/embed/oko_attached/src/app/auth0/popup/page.tsx
new file mode 100644
index 000000000..b10a8d517
--- /dev/null
+++ b/embed/oko_attached/src/app/auth0/popup/page.tsx
@@ -0,0 +1,7 @@
+import React from "react";
+
+import { Auth0Popup } from "@oko-wallet-attached/components/auth0_popup/auth0_popup";
+
+export default function Page() {
+  return <Auth0Popup />;
+}
diff --git a/embed/oko_attached/src/components/auth0_callback/auth0_callback.tsx b/embed/oko_attached/src/components/auth0_callback/auth0_callback.tsx
new file mode 100644
index 000000000..6bf1ab446
--- /dev/null
+++ b/embed/oko_attached/src/components/auth0_callback/auth0_callback.tsx
@@ -0,0 +1,97 @@
+"use client";
+
+import React, { useEffect, useState } from "react";
+import { LoadingIcon } from "@oko-wallet/oko-common-ui/icons/loading";
+import { Spacing } from "@oko-wallet/oko-common-ui/spacing";
+import { Typography } from "@oko-wallet/oko-common-ui/typography";
+import { OkoLogoIcon } from "@oko-wallet-common-ui/icons/oko_logo_icon";
+import { ErrorIcon } from "@oko-wallet/oko-common-ui/icons/error_icon";
+import { ExternalLinkOutlinedIcon } from "@oko-wallet/oko-common-ui/icons/external_link_outlined";
+import type { Theme } from "@oko-wallet/oko-common-ui/theme";
+
+import styles from "@oko-wallet-attached/components/google_callback/google_callback.module.scss";
+import { getSystemTheme } from "@oko-wallet-attached/components/google_callback/theme";
+import { setColorScheme } from "@oko-wallet-attached/components/attached_initialized/color_scheme";
+import { useAuth0Callback } from "./use_callback";
+
+export const Auth0Callback: React.FC = () => {
+  const [theme, setTheme] = useState<Theme>("light");
+
+  useEffect(() => {
+    const theme = getSystemTheme();
+    setColorScheme(theme);
+    setTheme(theme);
+  }, []);
+
+  const { error } = useAuth0Callback();
+
+  return (
+    <div className={`${styles.wrapper} ${styles.wrapperForSystemTheme}`}>
+      <OkoLogoIcon width={115} height={44} theme={theme} />
+      <Spacing height={56} />
+      {error ? <ErrorMessage error={error} /> : <SuccessMessage />}
+      <Spacing height={60} />
+    </div>
+  );
+};
+
+const SuccessMessage: React.FC = () => {
+  return (
+    <>
+      <LoadingIcon
+        size={50}
+        className={styles.loadingIcon}
+        backgroundColor="var(--bg-tertiary)"
+        color="var(--fg-brand-primary)"
+      />
+      <Spacing height={19} />
+      <Typography size="lg" weight="medium" color="secondary">
+        Redirecting...
+      </Typography>
+      <Spacing height={16} />
+      <Typography size="xs" weight="medium" color="secondary">
+        Received Auth0 tokens. Completing sign-in...
+      </Typography>
+    </>
+  );
+};
+
+const ErrorMessage: React.FC<{ error: string }> = ({ error }) => {
+  return (
+    <>
+      <div className={styles.errorIconContainer}>
+        <div className={styles.ring1} />
+        <div className={styles.ring2} />
+        <ErrorIcon size={28} color="var(--fg-error-primary)" />
+      </div>
+      <Spacing height={32} />
+
+      <a
+        href="https://help.keplr.app/"
+        target="_blank"
+        rel="noopener noreferrer"
+        className={styles.supportLink}
+      >
+        <Typography size="sm" weight="medium" color="secondary">
+          Having problems?
+        </Typography>
+        <Typography
+          className={styles.textUnderline}
+          size="sm"
+          weight="medium"
+          color="secondary"
+        >
+          Get support
+        </Typography>
+        <ExternalLinkOutlinedIcon color="var(--fg-quaternary-hover)" />
+      </a>
+
+      <Spacing height={32} />
+      <div className={styles.errorMessageContainer}>
+        <Typography size="sm" weight="medium" color="error-primary">
+          {error}
+        </Typography>
+      </div>
+    </>
+  );
+};
diff --git a/embed/oko_attached/src/components/auth0_callback/use_callback.tsx b/embed/oko_attached/src/components/auth0_callback/use_callback.tsx
new file mode 100644
index 000000000..22423f8df
--- /dev/null
+++ b/embed/oko_attached/src/components/auth0_callback/use_callback.tsx
@@ -0,0 +1,131 @@
+"use client";
+
+import { useEffect, useState } from "react";
+import type { Result } from "@oko-wallet/stdlib-js";
+import type { OAuthPayload, OAuthState } from "@oko-wallet/oko-sdk-core";
+import type { Auth0DecodedHash } from "auth0-js";
+
+import { getAuth0WebAuth } from "@oko-wallet-attached/config/auth0";
+import type { HandleCallbackError } from "@oko-wallet-attached/components/google_callback/types";
+import { sendOAuthPayloadToEmbeddedWindow } from "@oko-wallet-attached/components/oauth_callback/send_oauth_payload";
+
+export function useAuth0Callback(): { error: string | null } {
+  const [error, setError] = useState<string | null>(null);
+
+  useEffect(() => {
+    async function fn() {
+      try {
+        const cbRes = await handleAuth0Callback();
+
+        if (cbRes.success) {
+          window.close();
+        } else {
+          throw new Error(cbRes.err.type);
+        }
+      } catch (err) {
+        setError(err instanceof Error ? err.message : "Unknown error");
+      }
+    }
+
+    fn().then();
+  }, []);
+
+  return { error };
+}
+
+export async function handleAuth0Callback(): Promise<
+  Result<void, HandleCallbackError>
+> {
+  if (!window.opener) {
+    return {
+      success: false,
+      err: {
+        type: "opener_window_not_exists",
+      },
+    };
+  }
+
+  const parsedHash = await parseAuth0Hash();
+  window.history.replaceState(
+    {},
+    document.title,
+    window.location.pathname + window.location.search,
+  );
+
+  const accessToken = parsedHash.accessToken;
+  const idToken = parsedHash.idToken;
+  const stateString = parsedHash.state;
+
+  if (!accessToken || !idToken || !stateString) {
+    return {
+      success: false,
+      err: { type: "params_not_sufficient" },
+    };
+  }
+
+  let oauthState: OAuthState;
+  try {
+    oauthState = JSON.parse(stateString) as OAuthState;
+  } catch (error) {
+    console.error("[attached] Failed to parse Auth0 state", error);
+    return {
+      success: false,
+      err: { type: "params_not_sufficient" },
+    };
+  }
+
+  if (!oauthState.apiKey || !oauthState.targetOrigin) {
+    return {
+      success: false,
+      err: { type: "params_not_sufficient" },
+    };
+  }
+
+  const payload: OAuthPayload = {
+    access_token: accessToken,
+    id_token: idToken,
+    api_key: oauthState.apiKey,
+    target_origin: oauthState.targetOrigin,
+    auth_type: oauthState.provider ?? "auth0",
+  };
+
+  const sendRes = await sendOAuthPayloadToEmbeddedWindow(payload);
+  if (!sendRes.success) {
+    return sendRes;
+  }
+
+  return { success: true, data: void 0 };
+}
+
+async function parseAuth0Hash(): Promise<Auth0DecodedHash> {
+  const hash = window.location.hash;
+
+  if (!hash || hash.length < 2) {
+    throw new Error("Missing callback parameters.");
+  }
+
+  const webAuth = getAuth0WebAuth();
+
+  return await new Promise<Auth0DecodedHash>((resolve, reject) => {
+    webAuth.parseHash({ hash }, (err, result) => {
+      if (err) {
+        reject(
+          new Error(
+            err.error_description ??
+              err.description ??
+              err.error ??
+              "Auth0 callback error",
+          ),
+        );
+        return;
+      }
+
+      if (!result || !result.idToken) {
+        reject(new Error("Missing id_token in callback"));
+        return;
+      }
+
+      resolve(result);
+    });
+  });
+}
diff --git a/embed/oko_attached/src/components/auth0_popup/auth0_popup.tsx b/embed/oko_attached/src/components/auth0_popup/auth0_popup.tsx
new file mode 100644
index 000000000..ed8916f24
--- /dev/null
+++ b/embed/oko_attached/src/components/auth0_popup/auth0_popup.tsx
@@ -0,0 +1,103 @@
+"use client";
+
+import React, { useEffect, useState } from "react";
+import { LoadingIcon } from "@oko-wallet/oko-common-ui/icons/loading";
+import { Spacing } from "@oko-wallet/oko-common-ui/spacing";
+import { Typography } from "@oko-wallet/oko-common-ui/typography";
+import { OkoLogoIcon } from "@oko-wallet-common-ui/icons/oko_logo_icon";
+import { ErrorIcon } from "@oko-wallet/oko-common-ui/icons/error_icon";
+import type { Theme } from "@oko-wallet/oko-common-ui/theme";
+
+import styles from "@oko-wallet-attached/components/google_callback/google_callback.module.scss";
+import { getSystemTheme } from "@oko-wallet-attached/components/google_callback/theme";
+import { setColorScheme } from "@oko-wallet-attached/components/attached_initialized/color_scheme";
+import {
+  getAuth0WebAuth,
+  AUTH0_CONNECTION,
+} from "@oko-wallet-attached/config/auth0";
+
+export const Auth0Popup: React.FC = () => {
+  const [theme, setTheme] = useState<Theme>("light");
+  const [error, setError] = useState<string | null>(null);
+
+  useEffect(() => {
+    const systemTheme = getSystemTheme();
+    setColorScheme(systemTheme);
+    setTheme(systemTheme);
+  }, []);
+
+  useEffect(() => {
+    const webAuth = getAuth0WebAuth();
+    const params = new URLSearchParams(window.location.search);
+    const email = params.get("email");
+    const code = params.get("code");
+    const nonce = params.get("nonce");
+    const state = params.get("state");
+
+    if (!email || !code || !nonce || !state) {
+      setError("Missing Auth0 parameters in popup.");
+      return;
+    }
+
+    webAuth.passwordlessLogin(
+      {
+        connection: AUTH0_CONNECTION,
+        email,
+        verificationCode: code,
+        redirectUri: `${window.location.origin}/auth0/callback`,
+        responseType: "token id_token",
+        scope: "openid profile email",
+        nonce,
+        state,
+      },
+      (err) => {
+        if (err) {
+          setError(
+            err.error_description ??
+              err.description ??
+              err.error ??
+              "Auth0 verification failed.",
+          );
+        }
+      },
+    );
+  }, []);
+
+  return (
+    <div className={`${styles.wrapper} ${styles.wrapperForSystemTheme}`}>
+      <OkoLogoIcon width={115} height={44} theme={theme} />
+      <Spacing height={56} />
+      {error ? <ErrorMessage error={error} /> : <LoadingMessage />}
+      <Spacing height={60} />
+    </div>
+  );
+};
+
+const LoadingMessage: React.FC = () => (
+  <>
+    <LoadingIcon
+      size={50}
+      className={styles.loadingIcon}
+      backgroundColor="var(--bg-tertiary)"
+      color="var(--fg-brand-primary)"
+    />
+    <Spacing height={19} />
+    <Typography size="lg" weight="medium" color="secondary">
+      Redirecting to Auth0...
+    </Typography>
+  </>
+);
+
+const ErrorMessage: React.FC<{ error: string }> = ({ error }) => (
+  <>
+    <div className={styles.errorIconContainer}>
+      <div className={styles.ring1} />
+      <div className={styles.ring2} />
+      <ErrorIcon size={28} color="var(--fg-error-primary)" />
+    </div>
+    <Spacing height={32} />
+    <Typography size="sm" weight="medium" color="error-primary">
+      {error}
+    </Typography>
+  </>
+);
diff --git a/embed/oko_attached/src/components/google_callback/use_callback.tsx b/embed/oko_attached/src/components/google_callback/use_callback.tsx
index e4f16a651..21f709580 100644
--- a/embed/oko_attached/src/components/google_callback/use_callback.tsx
+++ b/embed/oko_attached/src/components/google_callback/use_callback.tsx
@@ -1,19 +1,12 @@
 import { useEffect, useState } from "react";
 import type { Result } from "@oko-wallet/stdlib-js";
-import type {
-  OkoWalletMsg,
-  OkoWalletMsgOAuthInfoPass,
-  OAuthPayload,
-} from "@oko-wallet/oko-sdk-core";
+import type { OAuthPayload } from "@oko-wallet/oko-sdk-core";
 import { RedirectUriSearchParamsKey } from "@oko-wallet/oko-sdk-core";
 
-import type {
-  HandleCallbackError,
-  SendMsgToEmbeddedWindowError,
-} from "./types";
-import { sendMsgToWindow } from "@oko-wallet-attached/window_msgs/send";
+import type { HandleCallbackError } from "./types";
 import { postLog } from "@oko-wallet-attached/requests/logging";
 import { errorToLog } from "@oko-wallet-attached/logging/error";
+import { sendOAuthPayloadToEmbeddedWindow } from "@oko-wallet-attached/components/oauth_callback/send_oauth_payload";
 
 export function useGoogleCallback() {
   const [error, setError] = useState<string | null>(null);
@@ -70,34 +63,17 @@ export async function handleGoogleCallback(): Promise<
       id_token: idToken,
       api_key: apiKey,
       target_origin: targetOrigin,
+      auth_type: oauthState.provider ?? "google",
     };
 
-    const msg: OkoWalletMsg = {
-      target: "oko_attached",
-      msg_type: "oauth_info_pass",
-      payload,
-    };
-
-    const sendRes = await sendMsgToEmbeddedWindow(msg);
+    const sendRes = await sendOAuthPayloadToEmbeddedWindow(payload);
 
     if (!sendRes.success) {
-      console.error("[attached] send oauth result fail, err: %o", sendRes.err);
-
-      return {
-        success: false,
-        err: { type: "msg_pass_fail", error: sendRes.err.type },
-      };
-    }
-
-    const ack = sendRes.data;
-
-    if (ack.msg_type !== "oauth_info_pass_ack") {
-      console.error("[attached] wrong oauth sign in result ack msg type");
-
-      return {
-        success: false,
-        err: { type: "wrong_ack_type", msg_type: ack.msg_type },
-      };
+      console.error(
+        "[attached] send oauth result fail, err: %o",
+        sendRes.err,
+      );
+      return sendRes;
     }
   } else {
     console.error("[attached] Params not sufficient");
@@ -118,36 +94,3 @@ function getOAuthStateFromUrl() {
   );
   return oauthState;
 }
-
-// NOTE: This msg needs to bypass host window. If this is not forbidden,
-// whether because of the browser policy or the option in response header,
-// we may later opt in to communicating via Keplr server orchestration
-async function sendMsgToEmbeddedWindow(
-  msg: OkoWalletMsgOAuthInfoPass,
-): Promise<Result<OkoWalletMsg, SendMsgToEmbeddedWindowError>> {
-  const attachedURL = window.location.toString();
-  const targetOrigin = new URL(attachedURL).origin;
-
-  try {
-    for (let idx = 0; idx < window.opener.frames.length; idx += 1) {
-      const frame = window.opener.frames[idx];
-      if (frame.location.origin === targetOrigin) {
-        const ack = await sendMsgToWindow(frame, msg, targetOrigin);
-
-        return { success: true, data: ack };
-      }
-    }
-
-    return {
-      success: false,
-      err: {
-        type: "window_not_found",
-      },
-    };
-  } catch (err: any) {
-    return {
-      success: false,
-      err: { type: "unknown", error: err.toString() },
-    };
-  }
-}
diff --git a/embed/oko_attached/src/components/oauth_callback/send_oauth_payload.ts b/embed/oko_attached/src/components/oauth_callback/send_oauth_payload.ts
new file mode 100644
index 000000000..f988e2ae4
--- /dev/null
+++ b/embed/oko_attached/src/components/oauth_callback/send_oauth_payload.ts
@@ -0,0 +1,85 @@
+import type { Result } from "@oko-wallet/stdlib-js";
+import type {
+  OkoWalletMsg,
+  OkoWalletMsgOAuthInfoPass,
+  OAuthPayload,
+} from "@oko-wallet/oko-sdk-core";
+
+import { sendMsgToWindow } from "@oko-wallet-attached/window_msgs/send";
+import type {
+  HandleCallbackError,
+  SendMsgToEmbeddedWindowError,
+} from "@oko-wallet-attached/components/google_callback/types";
+
+export async function sendOAuthPayloadToEmbeddedWindow(
+  payload: OAuthPayload,
+): Promise<Result<void, HandleCallbackError>> {
+  if (!window.opener) {
+    return {
+      success: false,
+      err: {
+        type: "opener_window_not_exists",
+      },
+    };
+  }
+
+  const msg: OkoWalletMsgOAuthInfoPass = {
+    target: "oko_attached",
+    msg_type: "oauth_info_pass",
+    payload,
+  };
+
+  const sendRes = await sendMsgToEmbeddedWindow(msg);
+
+  if (!sendRes.success) {
+    return {
+      success: false,
+      err: {
+        type: "msg_pass_fail",
+        error: sendRes.err.type,
+      },
+    };
+  }
+
+  const ack = sendRes.data;
+
+  if (ack.msg_type !== "oauth_info_pass_ack") {
+    return {
+      success: false,
+      err: { type: "wrong_ack_type", msg_type: ack.msg_type },
+    };
+  }
+
+  return { success: true, data: void 0 };
+}
+
+async function sendMsgToEmbeddedWindow(
+  msg: OkoWalletMsgOAuthInfoPass,
+): Promise<Result<OkoWalletMsg, SendMsgToEmbeddedWindowError>> {
+  const attachedURL = window.location.toString();
+  const targetOrigin = new URL(attachedURL).origin;
+
+  try {
+    for (let idx = 0; idx < window.opener.frames.length; idx += 1) {
+      const frame = window.opener.frames[idx];
+      if (frame.location.origin === targetOrigin) {
+        const ack = await sendMsgToWindow(frame, msg, targetOrigin);
+
+        return { success: true, data: ack };
+      }
+    }
+
+    return {
+      success: false,
+      err: {
+        type: "window_not_found",
+      },
+    };
+  } catch (err: any) {
+    return {
+      success: false,
+      err: { type: "unknown", error: err.toString() },
+    };
+  }
+}
+
diff --git a/embed/oko_attached/src/config/auth0.ts b/embed/oko_attached/src/config/auth0.ts
new file mode 100644
index 000000000..f892e1bed
--- /dev/null
+++ b/embed/oko_attached/src/config/auth0.ts
@@ -0,0 +1,19 @@
+import auth0 from "auth0-js";
+
+export const AUTH0_DOMAIN = "dev-0v00qjwpomau3ldk.us.auth0.com";
+export const AUTH0_CLIENT_ID = "AMtmlNKxJiNY7abqewmq9mjERf2TOlfo";
+export const AUTH0_CONNECTION = "email";
+
+let instance: auth0.WebAuth | null = null;
+
+export function getAuth0WebAuth(): auth0.WebAuth {
+  if (!instance) {
+    instance = new auth0.WebAuth({
+      domain: AUTH0_DOMAIN,
+      clientID: AUTH0_CLIENT_ID,
+      responseType: "token id_token",
+      scope: "openid profile email",
+    });
+  }
+  return instance;
+}
diff --git a/embed/oko_attached/src/crypto/reshare.ts b/embed/oko_attached/src/crypto/reshare.ts
index cdf9eaa1d..a2ed43854 100644
--- a/embed/oko_attached/src/crypto/reshare.ts
+++ b/embed/oko_attached/src/crypto/reshare.ts
@@ -13,7 +13,8 @@ import {
 } from "@oko-wallet-attached/requests/ks_node";
 import { Bytes, type Bytes33 } from "@oko-wallet/bytes";
 import * as wasmModule from "@oko-wallet/cait-sith-keplr-wasm/pkg/cait_sith_keplr_wasm";
-import type { ReshareRequest } from "@oko-wallet/oko-types/user";
+import type { ReshareRequestBody } from "@oko-wallet/oko-types/user";
+import type { OAuthProvider } from "@oko-wallet/oko-types/auth";
 
 import { hashKeyshareNodeNames } from "./hash";
 import { makeAuthorizedOkoApiRequest } from "@oko-wallet-attached/requests/oko_api";
@@ -22,6 +23,7 @@ export async function reshareUserKeyShares(
   publicKey: Bytes33,
   idToken: string,
   keyshareNodeMeta: KeyShareNodeMetaWithNodeStatusInfo,
+  authType: OAuthProvider,
 ): Promise<Result<string, string>> {
   const splitKSNodes = keyshareNodeMeta.nodes.filter(
     (n) => n.wallet_status === "ACTIVE",
@@ -45,6 +47,7 @@ export async function reshareUserKeyShares(
     idToken,
     splitKSNodes,
     keyshareNodeMeta.threshold,
+    authType,
   );
   if (!splitKeySharesRes.success) {
     const error = splitKeySharesRes.err;
@@ -95,6 +98,7 @@ export async function reshareUserKeyShares(
           idToken,
           publicKey,
           keyShareByNode.share,
+          authType,
         );
       } else {
         return doSendResharedUserKeyShares(
@@ -102,6 +106,7 @@ export async function reshareUserKeyShares(
           idToken,
           publicKey,
           keyShareByNode.share,
+          authType,
         );
       }
     }),
@@ -119,9 +124,10 @@ export async function reshareUserKeyShares(
   }
 
   const updateWalletStatusRes = await makeAuthorizedOkoApiRequest<
-    ReshareRequest,
+    ReshareRequestBody,
     void
   >("user/reshare", idToken, {
+    auth_type: authType,
     public_key: publicKey.toHex(),
     reshared_key_shares: resharedKeyShares.map((keyShare) => keyShare.node),
   });
diff --git a/embed/oko_attached/src/requests/ks_node.ts b/embed/oko_attached/src/requests/ks_node.ts
index b79d97219..e722902b4 100644
--- a/embed/oko_attached/src/requests/ks_node.ts
+++ b/embed/oko_attached/src/requests/ks_node.ts
@@ -1,5 +1,6 @@
 import { type GetKeyShareResponse } from "@oko-wallet/ksn-interface/key_share";
 import type { NodeStatusInfo } from "@oko-wallet/oko-types/tss";
+import type { OAuthProvider } from "@oko-wallet/oko-types/auth";
 import type {
   Point256,
   UserKeySharePointByNode,
@@ -19,6 +20,7 @@ export async function requestSplitShares(
   idToken: string,
   allNodes: NodeStatusInfo[],
   threshold: number,
+  authType: OAuthProvider = "google",
 ): Promise<Result<UserKeySharePointByNode[], RequestSplitSharesError>> {
   const shuffledNodes = [...allNodes];
   for (let i = shuffledNodes.length - 1; i > 0; i -= 1) {
@@ -32,7 +34,9 @@ export async function requestSplitShares(
 
   while (succeeded.length < threshold && nodesToTry.length > 0) {
     const results = await Promise.allSettled(
-      nodesToTry.map((node) => requestSplitShare(publicKey, idToken, node)),
+      nodesToTry.map((node) =>
+        requestSplitShare(publicKey, idToken, node, authType),
+      ),
     );
 
     const failedNodes: NodeStatusInfo[] = [];
@@ -90,6 +94,7 @@ export async function requestSplitShare(
   publicKey: Bytes33,
   idToken: string,
   node: NodeStatusInfo,
+  authType: OAuthProvider,
   maxRetries: number = 2,
 ): Promise<Result<UserKeySharePointByNode, string>> {
   let attempt = 0;
@@ -102,6 +107,7 @@ export async function requestSplitShare(
           "Content-Type": "application/json",
         },
         body: JSON.stringify({
+          auth_type: authType,
           public_key: publicKey.toHex(),
         }),
       });
@@ -174,6 +180,7 @@ export async function doSendUserKeyShares(
   idToken: string,
   publicKey: Bytes33,
   serverShare: Point256,
+  authType: OAuthProvider,
 ): Promise<Result<void, string>> {
   try {
     const serverShareString = encodePoint256ToKeyShareString(serverShare);
@@ -184,6 +191,7 @@ export async function doSendUserKeyShares(
         "Content-Type": "application/json",
       },
       body: JSON.stringify({
+        auth_type: authType,
         curve_type: "secp256k1",
         public_key: publicKey.toHex(),
         share: serverShareString,
@@ -229,6 +237,7 @@ export async function doSendResharedUserKeyShares(
   idToken: string,
   publicKey: Bytes33,
   resharedKeyShare: Point256,
+  authType: OAuthProvider,
 ): Promise<Result<void, string>> {
   try {
     const response = await fetch(`${ksNodeEndpoint}/keyshare/v1/reshare`, {
@@ -238,6 +247,7 @@ export async function doSendResharedUserKeyShares(
         "Content-Type": "application/json",
       },
       body: JSON.stringify({
+        auth_type: authType,
         curve_type: "secp256k1",
         public_key: publicKey.toHex(),
         share: encodePoint256ToKeyShareString(resharedKeyShare),
diff --git a/embed/oko_attached/src/routeTree.gen.ts b/embed/oko_attached/src/routeTree.gen.ts
index fa056d81f..56c92e7b1 100644
--- a/embed/oko_attached/src/routeTree.gen.ts
+++ b/embed/oko_attached/src/routeTree.gen.ts
@@ -11,6 +11,8 @@
 import { Route as rootRouteImport } from './routes/__root'
 import { Route as IndexRouteImport } from './routes/index'
 import { Route as GoogleCallbackIndexRouteImport } from './routes/google/callback/index'
+import { Route as Auth0PopupIndexRouteImport } from './routes/auth0/popup/index'
+import { Route as Auth0CallbackIndexRouteImport } from './routes/auth0/callback/index'
 
 const IndexRoute = IndexRouteImport.update({
   id: '/',
@@ -22,30 +24,53 @@ const GoogleCallbackIndexRoute = GoogleCallbackIndexRouteImport.update({
   path: '/google/callback/',
   getParentRoute: () => rootRouteImport,
 } as any)
+const Auth0PopupIndexRoute = Auth0PopupIndexRouteImport.update({
+  id: '/auth0/popup/',
+  path: '/auth0/popup/',
+  getParentRoute: () => rootRouteImport,
+} as any)
+const Auth0CallbackIndexRoute = Auth0CallbackIndexRouteImport.update({
+  id: '/auth0/callback/',
+  path: '/auth0/callback/',
+  getParentRoute: () => rootRouteImport,
+} as any)
 
 export interface FileRoutesByFullPath {
   '/': typeof IndexRoute
+  '/auth0/callback': typeof Auth0CallbackIndexRoute
+  '/auth0/popup': typeof Auth0PopupIndexRoute
   '/google/callback': typeof GoogleCallbackIndexRoute
 }
 export interface FileRoutesByTo {
   '/': typeof IndexRoute
+  '/auth0/callback': typeof Auth0CallbackIndexRoute
+  '/auth0/popup': typeof Auth0PopupIndexRoute
   '/google/callback': typeof GoogleCallbackIndexRoute
 }
 export interface FileRoutesById {
   __root__: typeof rootRouteImport
   '/': typeof IndexRoute
+  '/auth0/callback/': typeof Auth0CallbackIndexRoute
+  '/auth0/popup/': typeof Auth0PopupIndexRoute
   '/google/callback/': typeof GoogleCallbackIndexRoute
 }
 export interface FileRouteTypes {
   fileRoutesByFullPath: FileRoutesByFullPath
-  fullPaths: '/' | '/google/callback'
+  fullPaths: '/' | '/auth0/callback' | '/auth0/popup' | '/google/callback'
   fileRoutesByTo: FileRoutesByTo
-  to: '/' | '/google/callback'
-  id: '__root__' | '/' | '/google/callback/'
+  to: '/' | '/auth0/callback' | '/auth0/popup' | '/google/callback'
+  id:
+    | '__root__'
+    | '/'
+    | '/auth0/callback/'
+    | '/auth0/popup/'
+    | '/google/callback/'
   fileRoutesById: FileRoutesById
 }
 export interface RootRouteChildren {
   IndexRoute: typeof IndexRoute
+  Auth0CallbackIndexRoute: typeof Auth0CallbackIndexRoute
+  Auth0PopupIndexRoute: typeof Auth0PopupIndexRoute
   GoogleCallbackIndexRoute: typeof GoogleCallbackIndexRoute
 }
 
@@ -65,11 +90,27 @@ declare module '@tanstack/react-router' {
       preLoaderRoute: typeof GoogleCallbackIndexRouteImport
       parentRoute: typeof rootRouteImport
     }
+    '/auth0/popup/': {
+      id: '/auth0/popup/'
+      path: '/auth0/popup'
+      fullPath: '/auth0/popup'
+      preLoaderRoute: typeof Auth0PopupIndexRouteImport
+      parentRoute: typeof rootRouteImport
+    }
+    '/auth0/callback/': {
+      id: '/auth0/callback/'
+      path: '/auth0/callback'
+      fullPath: '/auth0/callback'
+      preLoaderRoute: typeof Auth0CallbackIndexRouteImport
+      parentRoute: typeof rootRouteImport
+    }
   }
 }
 
 const rootRouteChildren: RootRouteChildren = {
   IndexRoute: IndexRoute,
+  Auth0CallbackIndexRoute: Auth0CallbackIndexRoute,
+  Auth0PopupIndexRoute: Auth0PopupIndexRoute,
   GoogleCallbackIndexRoute: GoogleCallbackIndexRoute,
 }
 export const routeTree = rootRouteImport
diff --git a/embed/oko_attached/src/routes/auth0/callback/index.tsx b/embed/oko_attached/src/routes/auth0/callback/index.tsx
new file mode 100644
index 000000000..baa36dcd1
--- /dev/null
+++ b/embed/oko_attached/src/routes/auth0/callback/index.tsx
@@ -0,0 +1,7 @@
+import { createFileRoute } from "@tanstack/react-router";
+
+import { Auth0Callback } from "@oko-wallet-attached/components/auth0_callback/auth0_callback";
+
+export const Route = createFileRoute("/auth0/callback/")({
+  component: Auth0Callback,
+});
diff --git a/embed/oko_attached/src/routes/auth0/popup/index.tsx b/embed/oko_attached/src/routes/auth0/popup/index.tsx
new file mode 100644
index 000000000..bd0959cb0
--- /dev/null
+++ b/embed/oko_attached/src/routes/auth0/popup/index.tsx
@@ -0,0 +1,7 @@
+import { createFileRoute } from "@tanstack/react-router";
+
+import { Auth0Popup } from "@oko-wallet-attached/components/auth0_popup/auth0_popup";
+
+export const Route = createFileRoute("/auth0/popup/")({
+  component: Auth0Popup,
+});
diff --git a/embed/oko_attached/src/window_msgs/auth0_email_send_code.ts b/embed/oko_attached/src/window_msgs/auth0_email_send_code.ts
new file mode 100644
index 000000000..2a3b4c0a6
--- /dev/null
+++ b/embed/oko_attached/src/window_msgs/auth0_email_send_code.ts
@@ -0,0 +1,74 @@
+import type {
+  OkoWalletMsgAuth0EmailSendCode,
+  OkoWalletMsgAuth0EmailSendCodeAck,
+} from "@oko-wallet/oko-sdk-core";
+
+import { OKO_SDK_TARGET } from "./target";
+import type { MsgEventContext } from "./types";
+import {
+  getAuth0WebAuth,
+  AUTH0_CONNECTION,
+} from "@oko-wallet-attached/config/auth0";
+
+export async function handleAuth0EmailSendCode(
+  ctx: MsgEventContext,
+  message: OkoWalletMsgAuth0EmailSendCode,
+) {
+  const { port } = ctx;
+
+  let payload: OkoWalletMsgAuth0EmailSendCodeAck["payload"];
+
+  try {
+    const email = message.payload.email?.trim();
+
+    if (!email) {
+      throw new Error("Email is required for Auth0 email sign in");
+    }
+
+    const webAuth = getAuth0WebAuth();
+
+    await new Promise<void>((resolve, reject) => {
+      webAuth.passwordlessStart(
+        {
+          connection: AUTH0_CONNECTION,
+          send: "code",
+          email,
+        },
+        (err) => {
+          if (err) {
+            reject(
+              err.description ??
+                err.error_description ??
+                err.error ??
+                "Failed to send Auth0 email code",
+            );
+            return;
+          }
+
+          resolve();
+        },
+      );
+    });
+
+    payload = {
+      success: true,
+      data: null,
+    };
+  } catch (error) {
+    const errorMessage =
+      error instanceof Error ? error.message : String(error ?? "Unknown error");
+
+    payload = {
+      success: false,
+      err: errorMessage,
+    };
+  }
+
+  const ack: OkoWalletMsgAuth0EmailSendCodeAck = {
+    target: OKO_SDK_TARGET,
+    msg_type: "auth0_email_send_code_ack",
+    payload,
+  };
+
+  port.postMessage(ack);
+}
diff --git a/embed/oko_attached/src/window_msgs/index.ts b/embed/oko_attached/src/window_msgs/index.ts
index 9c15ad84b..03d8487e2 100644
--- a/embed/oko_attached/src/window_msgs/index.ts
+++ b/embed/oko_attached/src/window_msgs/index.ts
@@ -9,6 +9,7 @@ import { handleGetEmail } from "./get_email";
 import { handleGetCosmosChain } from "./get_cosmos_chain_info";
 import { handleOAuthInfoPass } from "./oauth_info_pass";
 import { handleGetEthChain } from "./get_eth_chain_info";
+import { handleAuth0EmailSendCode } from "./auth0_email_send_code";
 
 export function makeMsgHandler() {
   return async function msgHandler(event: MessageEvent) {
@@ -59,6 +60,11 @@ export function makeMsgHandler() {
         break;
       }
 
+      case "auth0_email_send_code": {
+        await handleAuth0EmailSendCode(ctx, message);
+        break;
+      }
+
       case "sign_out": {
         await handleSignOut(ctx);
         break;
diff --git a/embed/oko_attached/src/window_msgs/oauth_info_pass/errors.ts b/embed/oko_attached/src/window_msgs/oauth_info_pass/errors.ts
new file mode 100644
index 000000000..1a27a3aed
--- /dev/null
+++ b/embed/oko_attached/src/window_msgs/oauth_info_pass/errors.ts
@@ -0,0 +1,36 @@
+import type {
+  OkoWalletMsgOAuthInfoPass,
+  OkoWalletMsgOAuthSignInUpdate,
+  OAuthSignInError,
+} from "@oko-wallet/oko-sdk-core";
+
+import { postLog } from "@oko-wallet-attached/requests/logging";
+import { sendMsgToWindow } from "@oko-wallet-attached/window_msgs/send";
+import { OKO_SDK_TARGET } from "@oko-wallet-attached/window_msgs/target";
+
+export async function bail(
+  message: OkoWalletMsgOAuthInfoPass,
+  err: OAuthSignInError,
+) {
+  postLog(
+    {
+      level: "error",
+      message: "[attached] handling oauth sign-in fail",
+      error: {
+        name: "oauth_sign_in_error",
+        message: JSON.stringify(err),
+      },
+    },
+    { console: true },
+  );
+
+  const updateMsg: OkoWalletMsgOAuthSignInUpdate = {
+    target: OKO_SDK_TARGET,
+    msg_type: "oauth_sign_in_update",
+    payload: { success: false, err },
+  };
+
+  const hostOrigin = message.payload.target_origin;
+  await sendMsgToWindow(window.parent, updateMsg, hostOrigin);
+}
+
diff --git a/embed/oko_attached/src/window_msgs/oauth_info_pass/index.ts b/embed/oko_attached/src/window_msgs/oauth_info_pass/index.ts
index e04f85ef2..a17262f9d 100644
--- a/embed/oko_attached/src/window_msgs/oauth_info_pass/index.ts
+++ b/embed/oko_attached/src/window_msgs/oauth_info_pass/index.ts
@@ -1,3 +1,4 @@
+import type { Result } from "@oko-wallet/stdlib-js";
 import type {
   OkoWalletMsgOAuthInfoPass,
   OkoWalletMsgOAuthInfoPassAck,
@@ -5,27 +6,28 @@ import type {
   OAuthSignInError,
 } from "@oko-wallet/oko-sdk-core";
 
+import { sendMsgToWindow } from "../send";
 import {
   OKO_ATTACHED_POPUP,
   OKO_SDK_TARGET,
 } from "@oko-wallet-attached/window_msgs/target";
+import type { MsgEventContext } from "@oko-wallet-attached/window_msgs/types";
 import { useAppState } from "@oko-wallet-attached/store/app";
-import { postLog } from "@oko-wallet-attached/requests/logging";
-import type {
-  GoogleTokenInfo,
-  MsgEventContext,
-} from "@oko-wallet-attached/window_msgs/types";
+import {
+  setUserId,
+  setUserProperties,
+} from "@oko-wallet-attached/analytics/amplitude";
+import type { UserSignInResult } from "@oko-wallet-attached/window_msgs/types";
 import {
   checkUserExists,
   handleExistingUser,
   handleNewUser,
   handleReshare,
 } from "./user";
-import { sendMsgToWindow } from "../send";
-import {
-  setUserId,
-  setUserProperties,
-} from "@oko-wallet-attached/analytics/amplitude";
+import { bail } from "./errors";
+import type { OAuthProvider } from "@oko-wallet/oko-types/auth";
+import { verifyIdToken } from "./token";
+import type { CheckEmailResponse } from "@oko-wallet/oko-types/user";
 
 export async function handleOAuthInfoPass(
   ctx: MsgEventContext,
@@ -58,24 +60,30 @@ export async function handleOAuthInfoPass(
       return;
     }
 
-    const idToken = message.payload.id_token;
-    const tokenInfo = await verifyGoogleIdToken(idToken);
-    if (tokenInfo.nonce !== nonceRegistered) {
-      await bail(message, { type: "vendor_token_verification_failed" });
-      return;
-    }
-
-    const apiKey = message.payload?.api_key;
+    const apiKey = message.payload.api_key;
     if (!apiKey) {
       await bail(message, { type: "api_key_missing" });
       return;
     }
     appState.setApiKey(hostOrigin, apiKey);
 
+    const authType: OAuthProvider = message.payload.auth_type;
+    const idToken = message.payload.id_token;
+
+    const tokenInfoRes = await verifyIdToken(
+      authType,
+      idToken,
+      nonceRegistered,
+    );
+    if (!tokenInfoRes.success) {
+      await bail(message, { type: "vendor_token_verification_failed" });
+      return;
+    }
+    const tokenInfo = tokenInfoRes.data;
+
     const userExistsRes = await checkUserExists(tokenInfo.email);
     if (!userExistsRes.success) {
-      console.log(22, userExistsRes);
-
+      console.log("checkUserExists failed", userExistsRes);
       await bail(message, {
         type: "check_user_request_fail",
         error: userExistsRes.err.toString(),
@@ -84,7 +92,6 @@ export async function handleOAuthInfoPass(
     }
 
     const userExistsResp = userExistsRes.data;
-
     if (!userExistsResp.success) {
       await bail(message, {
         type: "check_user_request_fail",
@@ -92,7 +99,6 @@ export async function handleOAuthInfoPass(
       });
       return;
     }
-
     const userExists = userExistsResp.data;
 
     // Highest-priority guard: global active nodes below threshold → block all flows
@@ -103,72 +109,28 @@ export async function handleOAuthInfoPass(
       return;
     }
 
-    // new user sign up flow
-    if (!userExists.exists) {
-      const signInRes = await handleNewUser(
-        idToken,
-        userExists.keyshare_node_meta,
-      );
-      if (!signInRes.success) {
-        await bail(message, signInRes.err);
-        return;
-      }
-      const result = signInRes.data;
-      appState.setKeyshare_1(hostOrigin, result.keyshare_1);
-      appState.setAuthToken(hostOrigin, result.jwtToken);
-      appState.setWallet(hostOrigin, {
-        walletId: result.walletId,
-        publicKey: result.publicKey,
-        email: tokenInfo.email,
-      });
-
-      hasSignedIn = true;
-      isNewUser = true;
-    }
-    // existing user sign in or reshare flow
-    else {
-      // reshare flow
-      if (userExists.needs_reshare) {
-        const signInRes = await handleReshare(
-          idToken,
-          userExists.keyshare_node_meta,
-        );
-        console.log(
-          "[attached] handleReshare result: %s",
-          JSON.stringify(signInRes, null, 2),
-        );
-        if (!signInRes.success) {
-          await bail(message, signInRes.err);
-          return;
-        }
-        const result = signInRes.data;
-        appState.setKeyshare_1(hostOrigin, result.keyshare_1);
-        appState.setAuthToken(hostOrigin, result.jwtToken);
-        appState.setWallet(hostOrigin, {
-          walletId: result.walletId,
-          publicKey: result.publicKey,
-          email: tokenInfo.email,
-        });
-      } else {
-        const signInRes = await handleExistingUser(
-          idToken,
-          userExists.keyshare_node_meta,
-        );
-        if (!signInRes.success) {
-          await bail(message, signInRes.err);
-          return;
-        }
-        const result = signInRes.data;
-        appState.setKeyshare_1(hostOrigin, result.keyshare_1);
-        appState.setAuthToken(hostOrigin, result.jwtToken);
-        appState.setWallet(hostOrigin, {
-          walletId: result.walletId,
-          publicKey: result.publicKey,
-          email: tokenInfo.email,
-        });
-      }
+    const handleUserSignInRes = await handleUserSignIn(
+      idToken,
+      userExists,
+      authType,
+    );
+    if (!handleUserSignInRes.success) {
+      await bail(message, handleUserSignInRes.err);
+      return;
     }
 
+    const signInResult = handleUserSignInRes.data;
+    appState.setKeyshare_1(hostOrigin, signInResult.keyshare_1);
+    appState.setAuthToken(hostOrigin, signInResult.jwtToken);
+    appState.setWallet(hostOrigin, {
+      walletId: signInResult.walletId,
+      publicKey: signInResult.publicKey,
+      email: tokenInfo.email,
+    });
+
+    hasSignedIn = true;
+    isNewUser = signInResult.isNewUser;
+
     const updateMsg: OkoWalletMsgOAuthSignInUpdate = {
       target: OKO_SDK_TARGET,
       msg_type: "oauth_sign_in_update",
@@ -186,12 +148,13 @@ export async function handleOAuthInfoPass(
         setUserId(wallet.walletId);
         if (isNewUser) {
           setUserProperties({
-            authType: "google",
+            authType: message.payload.auth_type,
             createdOrigin: hostOrigin,
           });
         }
       }
     }
+
     const infoPassAck: OkoWalletMsgOAuthInfoPassAck = {
       target: OKO_ATTACHED_POPUP,
       msg_type: "oauth_info_pass_ack",
@@ -199,45 +162,54 @@ export async function handleOAuthInfoPass(
     };
 
     port.postMessage(infoPassAck);
-
     appState.setNonce(hostOrigin, null);
   }
 }
 
-async function verifyGoogleIdToken(idToken: string): Promise<GoogleTokenInfo> {
-  const response = await fetch(
-    `https://oauth2.googleapis.com/tokeninfo?id_token=${idToken}`,
-  );
-
-  if (!response.ok) {
-    throw new Error(`Google authentication is invalid. Please sign in again.`);
+export async function handleUserSignIn(
+  idToken: string,
+  userExists: CheckEmailResponse,
+  authType: OAuthProvider,
+): Promise<Result<UserSignInResult, OAuthSignInError>> {
+  const meta = userExists.keyshare_node_meta;
+
+  // use user sign up flow
+  if (!userExists.exists) {
+    const signInRes = await handleNewUser(idToken, meta, authType);
+    if (!signInRes.success) {
+      return {
+        success: false,
+        err: signInRes.err,
+      };
+    }
+    return {
+      success: true,
+      data: signInRes.data,
+    };
+  }
+  // existing user sign in or reshare flow
+  else {
+    // reshare flow
+    if (userExists.needs_reshare) {
+      const signInRes = await handleReshare(idToken, meta, authType);
+      if (!signInRes.success) {
+        throw signInRes.err;
+      }
+      return {
+        success: true,
+        data: signInRes.data,
+      };
+    }
+    // sign in flow
+    else {
+      const signInRes = await handleExistingUser(idToken, meta, authType);
+      if (!signInRes.success) {
+        throw signInRes.err;
+      }
+      return {
+        success: true,
+        data: signInRes.data,
+      };
+    }
   }
-
-  return await response.json();
-}
-
-async function bail(message: OkoWalletMsgOAuthInfoPass, err: OAuthSignInError) {
-  postLog(
-    {
-      level: "error",
-      message: "[attached] handling oauth sign-in fail",
-      error: {
-        name: "oauth_sign_in_error",
-        message: JSON.stringify(err),
-      },
-    },
-    { console: true },
-  );
-
-  const updateMsg: OkoWalletMsgOAuthSignInUpdate = {
-    target: OKO_SDK_TARGET,
-    msg_type: "oauth_sign_in_update",
-    payload: { success: false, err },
-  };
-
-  // NOTE: The origin here is taken from the payload because sometimes that
-  // callback comes from a different window in the attached. In that case,
-  // `event.origin` comes from the origin of the attached
-  const hostOrigin = message.payload.target_origin;
-  await sendMsgToWindow(window.parent, updateMsg, hostOrigin);
 }
diff --git a/embed/oko_attached/src/window_msgs/oauth_info_pass/token.ts b/embed/oko_attached/src/window_msgs/oauth_info_pass/token.ts
new file mode 100644
index 000000000..1d075f0e8
--- /dev/null
+++ b/embed/oko_attached/src/window_msgs/oauth_info_pass/token.ts
@@ -0,0 +1,142 @@
+import type { Result } from "@oko-wallet/stdlib-js";
+import type { OAuthProvider } from "@oko-wallet/oko-types/auth";
+
+import type {
+  GoogleTokenInfo,
+  Auth0TokenInfo,
+  TokenInfo,
+} from "@oko-wallet-attached/window_msgs/types";
+import {
+  AUTH0_CLIENT_ID,
+  AUTH0_DOMAIN,
+} from "@oko-wallet-attached/config/auth0";
+
+export async function verifyIdToken(
+  authType: OAuthProvider,
+  idToken: string,
+  nonce: string,
+): Promise<Result<TokenInfo, string>> {
+  try {
+    if (authType === "auth0") {
+      const auth0TokenInfo = await verifyAuth0IdToken(idToken, nonce);
+      return {
+        success: true,
+        data: {
+          provider: "auth0",
+          email: auth0TokenInfo.email,
+          email_verified: auth0TokenInfo.email_verified,
+          nonce: auth0TokenInfo.nonce,
+          name: auth0TokenInfo.name,
+          sub: auth0TokenInfo.sub,
+        },
+      };
+    }
+
+    if (authType === "google") {
+      const googleTokenInfo = await verifyGoogleIdToken(idToken, nonce);
+      return {
+        success: true,
+        data: {
+          provider: "google",
+          email: googleTokenInfo.email,
+          email_verified: googleTokenInfo.email_verified === "true",
+          nonce: googleTokenInfo.nonce,
+          name: googleTokenInfo.name,
+          sub: googleTokenInfo.sub,
+        },
+      };
+    }
+
+    return {
+      success: false,
+      err: `Invalid authentication type: ${authType}`,
+    };
+  } catch (error) {
+    return {
+      success: false,
+      err: `Failed to verify id token: ${error}`,
+    };
+  }
+}
+
+async function verifyGoogleIdToken(
+  idToken: string,
+  nonce: string,
+): Promise<GoogleTokenInfo> {
+  const response = await fetch(
+    `https://oauth2.googleapis.com/tokeninfo?id_token=${idToken}`,
+  );
+
+  if (!response.ok) {
+    throw new Error(`Google authentication is invalid. Please sign in again.`);
+  }
+
+  const googleTokenInfo = (await response.json()) as GoogleTokenInfo;
+  if (googleTokenInfo.nonce !== nonce) {
+    throw new Error("Google token nonce mismatch");
+  }
+
+  return googleTokenInfo;
+}
+
+async function verifyAuth0IdToken(
+  idToken: string,
+  nonce: string,
+): Promise<Auth0TokenInfo> {
+  const payload = decodeAuth0IdToken(idToken);
+
+  if (payload.iss !== `https://${AUTH0_DOMAIN}/`) {
+    throw new Error("Invalid Auth0 token issuer");
+  }
+
+  const audiences = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
+  if (!audiences.filter(Boolean).includes(AUTH0_CLIENT_ID)) {
+    throw new Error("Invalid Auth0 token audience");
+  }
+
+  const exp = Number(payload.exp);
+  if (exp && Math.floor(Date.now() / 1000) >= exp) {
+    throw new Error("Auth0 token has expired");
+  }
+
+  if (!payload.email) {
+    throw new Error("Auth0 token missing email claim");
+  }
+
+  if (!payload.email_verified) {
+    throw new Error("Auth0 token email not verified");
+  }
+
+  if (payload.nonce !== nonce) {
+    throw new Error("Auth0 token nonce mismatch");
+  }
+
+  return payload;
+}
+
+function decodeAuth0IdToken(idToken: string): Auth0TokenInfo {
+  const segments = idToken.split(".");
+  if (segments.length < 2) {
+    throw new Error("Invalid Auth0 id_token");
+  }
+
+  const textDecoder = new TextDecoder();
+
+  try {
+    let base64 = segments[1].replace(/-/g, "+").replace(/_/g, "/");
+    const pad = base64.length % 4;
+    if (pad) {
+      base64 += "=".repeat(4 - pad);
+    }
+    const binary = atob(base64);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i += 1) {
+      bytes[i] = binary.charCodeAt(i);
+    }
+
+    const payloadJson = textDecoder.decode(bytes);
+    return JSON.parse(payloadJson) as Auth0TokenInfo;
+  } catch (error) {
+    throw new Error(`Failed to decode Auth0 id_token: ${error}`);
+  }
+}
diff --git a/embed/oko_attached/src/window_msgs/oauth_info_pass/user.ts b/embed/oko_attached/src/window_msgs/oauth_info_pass/user.ts
index dd96a0677..e58f3faa8 100644
--- a/embed/oko_attached/src/window_msgs/oauth_info_pass/user.ts
+++ b/embed/oko_attached/src/window_msgs/oauth_info_pass/user.ts
@@ -4,10 +4,11 @@ import type {
   SignInResponse,
 } from "@oko-wallet/oko-types/user";
 import type {
-  KeygenBody,
+  KeygenRequestBody,
   KeyShareNodeMetaWithNodeStatusInfo,
   WalletKSNodeStatus,
 } from "@oko-wallet/oko-types/tss";
+import type { OAuthProvider } from "@oko-wallet/oko-types/auth";
 import type { Result } from "@oko-wallet/stdlib-js";
 import type { OkoApiResponse } from "@oko-wallet/oko-types/api_response";
 import { type OAuthSignInError } from "@oko-wallet/oko-sdk-core";
@@ -36,12 +37,15 @@ import { Bytes } from "@oko-wallet/bytes";
 export async function handleExistingUser(
   idToken: string,
   keyshareNodeMeta: KeyShareNodeMetaWithNodeStatusInfo,
+  authType: OAuthProvider,
 ): Promise<Result<UserSignInResult, OAuthSignInError>> {
   // 1. sign in to api server
   const signInRes = await makeAuthorizedOkoApiRequest<any, SignInResponse>(
     "user/signin",
     idToken,
-    {},
+    {
+      auth_type: authType,
+    },
   );
   if (!signInRes.success) {
     console.error("[attached] sign in failed, err: %s", signInRes.err);
@@ -84,6 +88,7 @@ export async function handleExistingUser(
     idToken,
     keyshareNodeMeta.nodes,
     keyshareNodeMeta.threshold,
+    authType,
   );
   if (!requestSharesRes.success) {
     const error = requestSharesRes.err;
@@ -112,6 +117,7 @@ export async function handleExistingUser(
         publicKey,
         idToken,
         updatedNodeMeta,
+        authType,
       );
       if (keyshare_1_res.success === false) {
         console.error("[attached] reshare failed, err: %s", keyshare_1_res.err);
@@ -132,6 +138,7 @@ export async function handleExistingUser(
           walletId: signInResp.user.wallet_id,
           jwtToken: signInResp.token,
           keyshare_1: keyshare_1_res.data,
+          isNewUser: false,
         },
       };
     }
@@ -171,6 +178,7 @@ user pk: ${signInResp.user.public_key}`,
       walletId: signInResp.user.wallet_id,
       jwtToken: signInResp.token,
       keyshare_1: keyshare_1_res.data,
+      isNewUser: false,
     },
   };
 }
@@ -178,6 +186,7 @@ user pk: ${signInResp.user.public_key}`,
 export async function handleNewUser(
   idToken: string,
   keyshareNodeMeta: KeyShareNodeMetaWithNodeStatusInfo,
+  authType: OAuthProvider,
 ): Promise<Result<UserSignInResult, OAuthSignInError>> {
   // TODO: @jinwoo, (wip) importing secret key
   // const keygenRes = keygenOptions?.secretKeyImport
@@ -212,6 +221,7 @@ export async function handleNewUser(
         idToken,
         publicKey,
         keyShareByNode.share,
+        authType,
       ),
     ),
   );
@@ -228,7 +238,8 @@ export async function handleNewUser(
     };
   }
 
-  const keygenRequest: KeygenBody = {
+  const keygenRequest: KeygenRequestBody = {
+    auth_type: authType,
     keygen_2: {
       public_key: publicKey.toHex(),
       private_share: keygen_2.tss_private_share.toHex(),
@@ -250,6 +261,7 @@ export async function handleNewUser(
       walletId: reqKeygenRes.data.user.wallet_id,
       jwtToken: reqKeygenRes.data.token,
       keyshare_1: keygen_1.tss_private_share.toHex(),
+      isNewUser: true,
     },
   };
 }
@@ -257,11 +269,14 @@ export async function handleNewUser(
 export async function handleReshare(
   idToken: string,
   keyshareNodeMeta: KeyShareNodeMetaWithNodeStatusInfo,
+  authType: OAuthProvider,
 ): Promise<Result<UserSignInResult, OAuthSignInError>> {
   const signInRes = await makeAuthorizedOkoApiRequest<any, SignInResponse>(
     "user/signin",
     idToken,
-    {},
+    {
+      auth_type: authType,
+    },
   );
   if (!signInRes.success) {
     console.error("[attached] sign in failed, err: %s", signInRes.err);
@@ -301,6 +316,7 @@ export async function handleReshare(
     publicKey,
     idToken,
     keyshareNodeMeta,
+    authType,
   );
   if (keyshare_1_res.success === false) {
     console.error("[attached] reshare failed, err: %s", keyshare_1_res.err);
@@ -321,6 +337,7 @@ export async function handleReshare(
       walletId: signInResp.user.wallet_id,
       jwtToken: signInResp.token,
       keyshare_1: keyshare_1_res.data,
+      isNewUser: false,
     },
   };
 }
diff --git a/embed/oko_attached/src/window_msgs/types.ts b/embed/oko_attached/src/window_msgs/types.ts
index 7abc5f5f5..04a97f762 100644
--- a/embed/oko_attached/src/window_msgs/types.ts
+++ b/embed/oko_attached/src/window_msgs/types.ts
@@ -1,3 +1,5 @@
+import type { OAuthProvider } from "@oko-wallet/oko-types/auth";
+
 export interface MsgEventContext {
   port: MessagePort;
   hostOrigin: string;
@@ -26,9 +28,30 @@ export interface GoogleTokenInfo {
   typ: string;
 }
 
+export interface Auth0TokenInfo {
+  email: string;
+  email_verified: boolean;
+  nonce: string;
+  name: string;
+  sub: string;
+  iss: string;
+  aud: string | string[];
+  exp: number;
+}
+
+export interface TokenInfo {
+  provider: OAuthProvider;
+  email: string;
+  email_verified: boolean;
+  nonce?: string;
+  name?: string;
+  sub?: string;
+}
+
 export interface UserSignInResult {
   publicKey: string;
   walletId: string;
   jwtToken: string;
   keyshare_1: string;
+  isNewUser: boolean;
 }
diff --git a/key_share_node/server/package.json b/key_share_node/server/package.json
index 03915b0f9..655587173 100644
--- a/key_share_node/server/package.json
+++ b/key_share_node/server/package.json
@@ -25,6 +25,7 @@
     "express": "^4.21.1",
     "express-rate-limit": "^8.0.1",
     "helmet": "^8.0.0",
+    "jsonwebtoken": "^9.0.2",
     "morgan": "^1.10.0",
     "pg": "^8.16.3",
     "swagger-ui-express": "^5.0.1",
@@ -38,6 +39,7 @@
     "@types/express": "^4.17.20",
     "@types/express-rate-limit": "^6.0.2",
     "@types/jest": "^29.5.13",
+    "@types/jsonwebtoken": "^9.0.7",
     "@types/morgan": "^1.9.9",
     "@types/node": "^22.7.5",
     "@types/pg": "^8",
diff --git a/key_share_node/server/src/auth/auth0/client_id.ts b/key_share_node/server/src/auth/auth0/client_id.ts
new file mode 100644
index 000000000..a7d79d672
--- /dev/null
+++ b/key_share_node/server/src/auth/auth0/client_id.ts
@@ -0,0 +1,3 @@
+export const AUTH0_DOMAIN = "dev-0v00qjwpomau3ldk.us.auth0.com";
+export const AUTH0_CLIENT_ID = "AMtmlNKxJiNY7abqewmq9mjERf2TOlfo";
+
diff --git a/key_share_node/server/src/auth/auth0/index.ts b/key_share_node/server/src/auth/auth0/index.ts
new file mode 100644
index 000000000..41436b93a
--- /dev/null
+++ b/key_share_node/server/src/auth/auth0/index.ts
@@ -0,0 +1,213 @@
+import { createPublicKey, type JsonWebKey } from "crypto";
+import jwt, { type JwtHeader, type JwtPayload } from "jsonwebtoken";
+import type { Result } from "@oko-wallet/stdlib-js";
+
+import { AUTH0_CLIENT_ID, AUTH0_DOMAIN } from "./client_id";
+import type { OAuthValidationFail } from "../types";
+
+interface Auth0IdTokenPayload extends JwtPayload {
+  email?: string;
+  email_verified?: boolean | string;
+  name?: string;
+}
+
+export interface Auth0TokenInfo {
+  email: string;
+  name?: string;
+  sub: string;
+}
+
+interface Auth0Jwk extends JsonWebKey {
+  kid: string;
+}
+
+const JWKS_CACHE_TTL_MS = 5 * 60 * 1000;
+const jwksCache = new Map<
+  string,
+  {
+    fetchedAt: number;
+    keys: Auth0Jwk[];
+  }
+>();
+
+export async function validateAuth0Token(
+  idToken: string,
+): Promise<Result<Auth0TokenInfo, OAuthValidationFail>> {
+  try {
+    const decoded = jwt.decode(idToken, { complete: true });
+
+    if (!decoded || typeof decoded === "string") {
+      return {
+        success: false,
+        err: {
+          type: "invalid_token",
+          message: "Invalid token format",
+        },
+      };
+    }
+
+    const header = decoded.header as JwtHeader;
+
+    if (!header.kid) {
+      return {
+        success: false,
+        err: {
+          type: "invalid_token",
+          message: "Missing key id in token header",
+        },
+      };
+    }
+
+    const jwk = await getSigningKey(AUTH0_DOMAIN, header.kid);
+
+    if (!jwk) {
+      return {
+        success: false,
+        err: {
+          type: "invalid_token",
+          message: "Unable to find signing key for token",
+        },
+      };
+    }
+
+    const publicKey = createPublicKey({
+      key: jwk,
+      format: "jwk",
+    });
+
+    const pem = publicKey.export({
+      type: "spki",
+      format: "pem",
+    }) as string;
+
+    const payload = jwt.verify(idToken, pem, {
+      algorithms: ["RS256"],
+      audience: AUTH0_CLIENT_ID,
+      issuer: `https://${AUTH0_DOMAIN}/`,
+    }) as Auth0IdTokenPayload;
+
+    if (!payload.sub) {
+      return {
+        success: false,
+        err: {
+          type: "invalid_token",
+          message: "Token missing subject claim",
+        },
+      };
+    }
+
+    if (!payload.email) {
+      return {
+        success: false,
+        err: {
+          type: "invalid_token",
+          message: "Token missing email claim",
+        },
+      };
+    }
+
+    const emailVerified =
+      payload.email_verified === true || payload.email_verified === "true";
+
+    if (!emailVerified) {
+      return {
+        success: false,
+        err: {
+          type: "email_not_verified",
+          message: "Email address is not verified",
+        },
+      };
+    }
+
+    return {
+      success: true,
+      data: {
+        email: payload.email,
+        name: typeof payload.name === "string" ? payload.name : undefined,
+        sub: payload.sub,
+      },
+    };
+  } catch (error) {
+    if (error instanceof jwt.TokenExpiredError) {
+      return {
+        success: false,
+        err: {
+          type: "token_expired",
+          message: "Token has expired",
+        },
+      };
+    }
+
+    if (error instanceof jwt.JsonWebTokenError) {
+      return {
+        success: false,
+        err: {
+          type: "invalid_token",
+          message: error.message,
+        },
+      };
+    }
+
+    return {
+      success: false,
+      err: {
+        type: "unknown",
+        message: `Token validation failed: ${error instanceof Error ? error.message : String(error)}`,
+      },
+    };
+  }
+}
+
+async function getSigningKey(
+  domain: string,
+  kid: string,
+): Promise<Auth0Jwk | null> {
+  const keys = await getJwks(domain);
+  const match = keys.find((key) => key.kid === kid);
+
+  if (match) {
+    return match;
+  }
+
+  const freshKeys = await getJwks(domain, { forceRefresh: true });
+  return freshKeys.find((key) => key.kid === kid) ?? null;
+}
+
+async function getJwks(
+  domain: string,
+  options: { forceRefresh?: boolean } = {},
+): Promise<Auth0Jwk[]> {
+  const cacheKey = domain;
+  const cached = jwksCache.get(cacheKey);
+  const now = Date.now();
+
+  if (
+    !options.forceRefresh &&
+    cached &&
+    now - cached.fetchedAt < JWKS_CACHE_TTL_MS
+  ) {
+    return cached.keys;
+  }
+
+  const response = await fetch(`https://${domain}/.well-known/jwks.json`);
+
+  if (!response.ok) {
+    throw new Error(
+      `Failed to fetch Auth0 JWKS: ${response.status} ${response.statusText}`,
+    );
+  }
+
+  const body = (await response.json()) as { keys?: Auth0Jwk[] };
+
+  const keys = body.keys ?? [];
+  if (!Array.isArray(keys) || keys.length === 0) {
+    throw new Error("Auth0 JWKS response missing keys");
+  }
+
+  jwksCache.set(cacheKey, {
+    fetchedAt: now,
+    keys,
+  });
+
+  return keys;
+}
diff --git a/key_share_node/server/src/auth/client_id.ts b/key_share_node/server/src/auth/google/client_id.ts
similarity index 100%
rename from key_share_node/server/src/auth/client_id.ts
rename to key_share_node/server/src/auth/google/client_id.ts
diff --git a/key_share_node/server/src/auth/google.ts b/key_share_node/server/src/auth/google/index.ts
similarity index 95%
rename from key_share_node/server/src/auth/google.ts
rename to key_share_node/server/src/auth/google/index.ts
index aacac8aed..66c50ed19 100644
--- a/key_share_node/server/src/auth/google.ts
+++ b/key_share_node/server/src/auth/google/index.ts
@@ -2,9 +2,9 @@ import type { Result } from "@oko-wallet/stdlib-js";
 import type { GoogleTokenInfo } from "@oko-wallet/ksn-interface/auth";
 
 import { GOOGLE_CLIENT_ID } from "./client_id";
-import type { OAuthValidationFail } from "./types";
+import type { OAuthValidationFail } from "../types";
 
-export async function validateOAuthToken(
+export async function validateGoogleOAuthToken(
   idToken: string,
 ): Promise<Result<GoogleTokenInfo, OAuthValidationFail>> {
   try {
diff --git a/key_share_node/server/src/auth/index.ts b/key_share_node/server/src/auth/index.ts
index 910d4ed8c..3fdd81734 100644
--- a/key_share_node/server/src/auth/index.ts
+++ b/key_share_node/server/src/auth/index.ts
@@ -1 +1,3 @@
-export * from "./google";
+export { validateGoogleOAuthToken } from "./google";
+export { validateAuth0Token } from "./auth0";
+export type { OAuthProvider, OAuthUser, OAuthValidationFail } from "./types";
diff --git a/key_share_node/server/src/auth/types.ts b/key_share_node/server/src/auth/types.ts
index 230d44ce8..80673b08f 100644
--- a/key_share_node/server/src/auth/types.ts
+++ b/key_share_node/server/src/auth/types.ts
@@ -1,3 +1,12 @@
+export type OAuthProvider = "google" | "auth0";
+
+export interface OAuthUser {
+  type: OAuthProvider;
+  email: string;
+  name?: string;
+  sub: string;
+}
+
 export type OAuthValidationFail =
   | {
       type: "client_id_not_same";
diff --git a/key_share_node/server/src/middlewares/auth.ts b/key_share_node/server/src/middlewares/auth.ts
index f10fa1de9..f1a6d08ca 100644
--- a/key_share_node/server/src/middlewares/auth.ts
+++ b/key_share_node/server/src/middlewares/auth.ts
@@ -1,18 +1,20 @@
 import type { Request, Response, NextFunction } from "express";
 import type { KSNodeApiErrorResponse } from "@oko-wallet/ksn-interface/response";
 
-import { validateOAuthToken } from "@oko-wallet-ksn-server/auth";
+import type { OAuthProvider } from "@oko-wallet-ksn-server/auth/types";
+import {
+  validateAuth0Token,
+  validateGoogleOAuthToken,
+} from "@oko-wallet-ksn-server/auth";
 import { ErrorCodeMap } from "@oko-wallet-ksn-server/error";
 import type { ResponseLocal } from "@oko-wallet-ksn-server/routes/io";
 
-export interface AuthenticatedRequest<T = any> extends Request {
-  user?: {
-    email: string;
-    name: string;
-    sub: string;
-  };
-  body: T;
-}
+type OAuthBody = {
+  auth_type?: OAuthProvider;
+};
+
+export interface AuthenticatedRequest<T = any>
+  extends Request<any, any, T & OAuthBody> {}
 
 export async function bearerTokenMiddleware(
   req: AuthenticatedRequest,
@@ -20,6 +22,7 @@ export async function bearerTokenMiddleware(
   next: NextFunction,
 ) {
   const authHeader = req.headers.authorization;
+  const authType = req.body?.auth_type;
 
   if (!authHeader || !authHeader.startsWith("Bearer ")) {
     const errorRes: KSNodeApiErrorResponse = {
@@ -33,8 +36,34 @@ export async function bearerTokenMiddleware(
 
   const idToken = authHeader.substring(7); // skip "Bearer "
 
+  if (!authType) {
+    const errorRes: KSNodeApiErrorResponse = {
+      success: false,
+      code: "UNAUTHORIZED",
+      msg: "auth_type is required in request body",
+    };
+    res.status(ErrorCodeMap[errorRes.code]).json(errorRes);
+    return;
+  }
+
   try {
-    const result = await validateOAuthToken(idToken);
+    let result;
+    switch (authType) {
+      case "google":
+        result = await validateGoogleOAuthToken(idToken);
+        break;
+      case "auth0":
+        result = await validateAuth0Token(idToken);
+        break;
+      default:
+        const errorRes: KSNodeApiErrorResponse = {
+          success: false,
+          code: "UNAUTHORIZED",
+          msg: `Invalid auth_type: ${authType}. Must be 'google' or 'auth0'`,
+        };
+        res.status(ErrorCodeMap[errorRes.code]).json(errorRes);
+        return;
+    }
 
     if (!result.success) {
       const errorRes: KSNodeApiErrorResponse = {
@@ -66,7 +95,8 @@ export async function bearerTokenMiddleware(
       return;
     }
 
-    res.locals.google_user = {
+    res.locals.oauth_user = {
+      type: authType,
       email: result.data.email,
       name: result.data.name,
       sub: result.data.sub,
diff --git a/key_share_node/server/src/openapi/registry.ts b/key_share_node/server/src/openapi/registry.ts
index c7aa5e227..c33096044 100644
--- a/key_share_node/server/src/openapi/registry.ts
+++ b/key_share_node/server/src/openapi/registry.ts
@@ -9,11 +9,11 @@ extendZodWithOpenApi(z);
 
 export const registry = new OpenAPIRegistry();
 
-registry.registerComponent("securitySchemes", "googleAuth", {
+registry.registerComponent("securitySchemes", "oauthAuth", {
   type: "http",
   scheme: "bearer",
   bearerFormat: "JWT",
-  description: "Google OAuth bearer token",
+  description: "OAuth bearer token (Google or Auth0)",
 });
 
 export function getOpenApiDocument() {
diff --git a/key_share_node/server/src/openapi/schema/key_share.ts b/key_share_node/server/src/openapi/schema/key_share.ts
index 5b8b0faaa..f7a5e3cb7 100644
--- a/key_share_node/server/src/openapi/schema/key_share.ts
+++ b/key_share_node/server/src/openapi/schema/key_share.ts
@@ -1,6 +1,11 @@
 import { registry } from "../registry";
 import { z } from "zod";
 
+const oauthProviderSchema = z
+  .enum(["google", "auth0"])
+  .describe("OAuth provider type")
+  .openapi({ example: "google" });
+
 const curveTypeSchema = z
   .enum(["secp256k1"])
   .describe("The curve type for the key share");
@@ -19,6 +24,7 @@ export const RegisterKeyShareBodySchema = registry.register(
   "RegisterKeyShareBody",
   z
     .object({
+      auth_type: oauthProviderSchema,
       curve_type: curveTypeSchema,
       public_key: publicKeySchema,
       share: shareSchema,
@@ -32,6 +38,7 @@ export const GetKeyShareRequestBodySchema = registry.register(
   "GetKeyShareRequestBody",
   z
     .object({
+      auth_type: oauthProviderSchema,
       public_key: publicKeySchema,
     })
     .openapi("GetKeyShareRequestBody", {
@@ -87,6 +94,7 @@ export const ReshareKeyShareBodySchema = registry.register(
   "ReshareKeyShareBody",
   z
     .object({
+      auth_type: oauthProviderSchema,
       curve_type: curveTypeSchema,
       public_key: publicKeySchema,
       share: shareSchema.describe(
diff --git a/key_share_node/server/src/routes/io.ts b/key_share_node/server/src/routes/io.ts
index 61959286d..36c724a9e 100644
--- a/key_share_node/server/src/routes/io.ts
+++ b/key_share_node/server/src/routes/io.ts
@@ -1,13 +1,18 @@
 import type { Request } from "express";
+import type { OAuthProvider } from "@oko-wallet-ksn-server/auth/types";
 
-export interface KSNodeRequest<T = any> extends Request {
-  body: T;
-}
+type OAuthBody = {
+  auth_type?: OAuthProvider;
+};
+
+export interface KSNodeRequest<T = any>
+  extends Request<any, any, T & OAuthBody> {}
 
 export interface ResponseLocal {
-  google_user: {
+  oauth_user: {
+    type: OAuthProvider;
     email: string;
-    name: string;
+    name?: string;
     sub: string;
   };
 }
diff --git a/key_share_node/server/src/routes/key_share/index.ts b/key_share_node/server/src/routes/key_share/index.ts
index 6a3bb6c14..354e499f8 100644
--- a/key_share_node/server/src/routes/key_share/index.ts
+++ b/key_share_node/server/src/routes/key_share/index.ts
@@ -21,8 +21,10 @@ import {
   type AuthenticatedRequest,
 } from "@oko-wallet-ksn-server/middlewares";
 import { ErrorCodeMap } from "@oko-wallet-ksn-server/error";
-import type { ResponseLocal } from "@oko-wallet-ksn-server/routes/io";
-import type { KSNodeRequest } from "@oko-wallet-ksn-server/routes/io";
+import type {
+  ResponseLocal,
+  KSNodeRequest,
+} from "@oko-wallet-ksn-server/routes/io";
 import { registry } from "@oko-wallet-ksn-server/openapi/registry";
 import {
   CheckKeyShareRequestBodySchema,
@@ -44,7 +46,7 @@ export function makeKeyshareRouter() {
     tags: ["Key Share"],
     summary: "Register a new key share",
     description: "Register a new key share for the authenticated user.",
-    security: [{ googleAuth: [] }],
+    security: [{ oauthAuth: [] }],
     request: {
       body: {
         required: true,
@@ -141,7 +143,7 @@ export function makeKeyshareRouter() {
       req: AuthenticatedRequest<RegisterKeyShareBody>,
       res: Response<KSNodeApiResponse<void>, ResponseLocal>,
     ) => {
-      const googleUser = res.locals.google_user;
+      const oauthUser = res.locals.oauth_user;
       const state = req.app.locals;
       const body = req.body;
 
@@ -168,7 +170,7 @@ export function makeKeyshareRouter() {
       const registerKeyShareRes = await registerKeyShare(
         state.db,
         {
-          email: googleUser.email,
+          email: oauthUser.email,
           curve_type: body.curve_type,
           public_key: publicKeyBytesRes.data,
           share: shareBytes,
@@ -197,7 +199,7 @@ export function makeKeyshareRouter() {
     tags: ["Key Share"],
     summary: "Get a key share",
     description: "Retrieve a key share for the authenticated user.",
-    security: [{ googleAuth: [] }],
+    security: [{ oauthAuth: [] }],
     request: {
       body: {
         required: true,
@@ -281,7 +283,7 @@ export function makeKeyshareRouter() {
       req: AuthenticatedRequest<GetKeyShareRequestBody>,
       res: Response<KSNodeApiResponse<GetKeyShareResponse>>,
     ) => {
-      const googleUser = res.locals.google_user;
+      const oauthUser = res.locals.oauth_user;
       const state = req.app.locals;
 
       const publicKeyBytesRes = Bytes.fromHexString(req.body.public_key, 33);
@@ -296,7 +298,7 @@ export function makeKeyshareRouter() {
       const getKeyShareRes = await getKeyShare(
         state.db,
         {
-          email: googleUser.email,
+          email: oauthUser.email,
           public_key: publicKeyBytesRes.data,
         },
         state.encryptionSecret,
@@ -412,7 +414,7 @@ export function makeKeyshareRouter() {
     summary: "Create or update a key share",
     description:
       "Creates a new key share if it does not exist, or updates an existing key share with a new encrypted share.",
-    security: [{ googleAuth: [] }],
+    security: [{ oauthAuth: [] }],
     request: {
       body: {
         required: true,
@@ -531,7 +533,7 @@ export function makeKeyshareRouter() {
       req: AuthenticatedRequest<ReshareKeyShareBody>,
       res: Response<KSNodeApiResponse<void>, ResponseLocal>,
     ) => {
-      const googleUser = res.locals.google_user;
+      const oauthUser = res.locals.oauth_user;
       const state = req.app.locals;
       const body = req.body;
 
@@ -558,7 +560,7 @@ export function makeKeyshareRouter() {
       const reshareKeyShareRes = await reshareKeyShare(
         state.db,
         {
-          email: googleUser.email,
+          email: oauthUser.email,
           curve_type: body.curve_type,
           public_key: publicKeyBytesRes.data,
           share: shareBytes,
diff --git a/sdk/oko_sdk_core/src/methods/complete_email_sign_in.ts b/sdk/oko_sdk_core/src/methods/complete_email_sign_in.ts
new file mode 100644
index 000000000..55cb080cc
--- /dev/null
+++ b/sdk/oko_sdk_core/src/methods/complete_email_sign_in.ts
@@ -0,0 +1,155 @@
+import type {
+  OkoWalletInterface,
+  OkoWalletMsg,
+  OkoWalletMsgOAuthSignInUpdate,
+  OAuthState,
+  OkoWalletMsgOAuthSignInUpdateAck,
+} from "@oko-wallet-sdk-core/types";
+import { OKO_ATTACHED_TARGET } from "@oko-wallet-sdk-core/window_msg/target";
+
+const FIVE_MINS_MS = 5 * 60 * 1000;
+
+export async function completeEmailSignIn(
+  this: OkoWalletInterface,
+  email: string,
+  code: string,
+): Promise<void> {
+  await this.waitUntilInitialized;
+
+  const result = await tryAuth0EmailSignIn(
+    email,
+    code,
+    this.sdkEndpoint,
+    this.apiKey,
+    this.sendMsgToIframe.bind(this),
+  );
+
+  if (!result.payload.success) {
+    throw new Error(result.payload.err.type);
+  }
+
+  const publicKey = await this.getPublicKey();
+  const userEmail = await this.getEmail();
+
+  if (publicKey && userEmail) {
+    console.log("[oko] emit CORE__accountsChanged (auth0 email)");
+
+    this.eventEmitter.emit({
+      type: "CORE__accountsChanged",
+      email: userEmail,
+      publicKey,
+    });
+  }
+}
+
+async function tryAuth0EmailSignIn(
+  email: string,
+  code: string,
+  sdkEndpoint: string,
+  apiKey: string,
+  sendMsgToIframe: (msg: OkoWalletMsg) => Promise<OkoWalletMsg>,
+): Promise<OkoWalletMsgOAuthSignInUpdate> {
+  const baseUrl = new URL(sdkEndpoint);
+  const attachedOrigin = baseUrl.origin;
+  const redirectUri = `${attachedOrigin}/auth0/callback`;
+
+  console.debug("[oko] Auth0 email sign in");
+  console.debug("[oko] redirectUri: %s", redirectUri);
+
+  const nonce = Array.from(crypto.getRandomValues(new Uint8Array(8)))
+    .map((b) => b.toString(16).padStart(2, "0"))
+    .join("");
+
+  const nonceAckPromise = sendMsgToIframe({
+    target: OKO_ATTACHED_TARGET,
+    msg_type: "set_oauth_nonce",
+    payload: nonce,
+  });
+
+  const oauthState: OAuthState & { email: string } = {
+    apiKey,
+    targetOrigin: window.location.origin,
+    email,
+    provider: "auth0",
+  };
+  const oauthStateString = JSON.stringify(oauthState);
+
+  console.debug("[oko] oauthStateString: %s", oauthStateString);
+
+  const popupUrl = new URL(`${attachedOrigin}/auth0/popup`);
+  popupUrl.searchParams.set("email", email);
+  popupUrl.searchParams.set("code", code);
+  popupUrl.searchParams.set("nonce", nonce);
+  popupUrl.searchParams.set("state", oauthStateString);
+
+  const popup = window.open(
+    popupUrl.toString(),
+    "auth0_email_oauth",
+    "width=1200,height=800",
+  );
+
+  if (!popup) {
+    throw new Error("Failed to open new window for Auth0 email sign in");
+  }
+
+  const ack = await nonceAckPromise;
+  if (ack.msg_type !== "set_oauth_nonce_ack" || !ack.payload.success) {
+    throw new Error("Failed to set nonce for Auth0 email sign in");
+  }
+
+  return new Promise<OkoWalletMsgOAuthSignInUpdate>((resolve, reject) => {
+    let timeout: number;
+
+    function onMessage(event: MessageEvent) {
+      if (event.ports.length < 1) {
+        return;
+      }
+
+      const port = event.ports[0];
+      const data = event.data as OkoWalletMsg;
+
+      if (data.msg_type === "oauth_sign_in_update") {
+        console.log("[oko] oauth_sign_in_update recv, %o", data);
+
+        const msg: OkoWalletMsgOAuthSignInUpdateAck = {
+          target: "oko_attached",
+          msg_type: "oauth_sign_in_update_ack",
+          payload: null,
+        };
+
+        port.postMessage(msg);
+
+        if (data.payload.success) {
+          resolve(data);
+        } else {
+          reject(new Error(data.payload.err.type));
+        }
+
+        cleanup();
+      }
+    }
+    window.addEventListener("message", onMessage);
+
+    timeout = window.setTimeout(() => {
+      cleanup();
+      reject(new Error("Timeout: no response within 5 minutes"));
+      closePopup(popup);
+    }, FIVE_MINS_MS);
+
+    function cleanup() {
+      console.log("[oko] clean up oauth sign in listener");
+
+      // window.clearTimeout(focusTimer);
+      // window.removeEventListener("focus", onFocus);
+
+      window.clearTimeout(timeout);
+      window.removeEventListener("message", onMessage);
+    }
+  });
+}
+
+function closePopup(popup: Window) {
+  if (popup && !popup.closed) {
+    popup.close();
+  }
+}
diff --git a/sdk/oko_sdk_core/src/methods/sign_in.ts b/sdk/oko_sdk_core/src/methods/sign_in.ts
index 51becca75..01f5819b5 100644
--- a/sdk/oko_sdk_core/src/methods/sign_in.ts
+++ b/sdk/oko_sdk_core/src/methods/sign_in.ts
@@ -90,6 +90,7 @@ async function tryGoogleSignIn(
   const oauthState: OAuthState = {
     apiKey,
     targetOrigin: window.location.origin,
+    provider: "google",
   };
   const oauthStateString = JSON.stringify(oauthState);
 
diff --git a/sdk/oko_sdk_core/src/methods/start_email_sign_in.ts b/sdk/oko_sdk_core/src/methods/start_email_sign_in.ts
new file mode 100644
index 000000000..faabbc0ed
--- /dev/null
+++ b/sdk/oko_sdk_core/src/methods/start_email_sign_in.ts
@@ -0,0 +1,29 @@
+import type {
+  OkoWalletInterface,
+  OkoWalletMsgAuth0EmailSendCodeAck,
+} from "@oko-wallet-sdk-core/types";
+import { OKO_ATTACHED_TARGET } from "@oko-wallet-sdk-core/window_msg/target";
+
+export async function startEmailSignIn(
+  this: OkoWalletInterface,
+  email: string,
+): Promise<void> {
+  await this.waitUntilInitialized;
+
+  const response = await this.sendMsgToIframe({
+    target: OKO_ATTACHED_TARGET,
+    msg_type: "auth0_email_send_code",
+    payload: {
+      email,
+    },
+  });
+
+  if (response.msg_type !== "auth0_email_send_code_ack") {
+    throw new Error(`Unexpected response: ${response.msg_type}`);
+  }
+
+  const ack = response as OkoWalletMsgAuth0EmailSendCodeAck;
+  if (!ack.payload.success) {
+    throw new Error(ack.payload.err);
+  }
+}
diff --git a/sdk/oko_sdk_core/src/oko.ts b/sdk/oko_sdk_core/src/oko.ts
index 4b13b9c29..7bea76ef7 100644
--- a/sdk/oko_sdk_core/src/oko.ts
+++ b/sdk/oko_sdk_core/src/oko.ts
@@ -6,6 +6,8 @@ import { getPublicKey } from "./methods/get_public_key";
 import { getEmail } from "./methods/get_email";
 import { closeModal } from "./methods/close_modal";
 import { on } from "./methods/on";
+import { startEmailSignIn } from "./methods/start_email_sign_in";
+import { completeEmailSignIn } from "./methods/complete_email_sign_in";
 import type { OkoWalletInterface } from "./types";
 import { init } from "./static/init";
 import { OkoWallet } from "./constructor";
@@ -21,6 +23,8 @@ ptype.signIn = signIn;
 ptype.signOut = signOut;
 ptype.getPublicKey = getPublicKey;
 ptype.getEmail = getEmail;
+ptype.startEmailSignIn = startEmailSignIn;
+ptype.completeEmailSignIn = completeEmailSignIn;
 ptype.on = on;
 
 export { OkoWallet };
diff --git a/sdk/oko_sdk_core/src/types/msg/index.ts b/sdk/oko_sdk_core/src/types/msg/index.ts
index 61fedb8f1..a8278f5a0 100644
--- a/sdk/oko_sdk_core/src/types/msg/index.ts
+++ b/sdk/oko_sdk_core/src/types/msg/index.ts
@@ -46,6 +46,35 @@ export type OkoWalletMsgOAuthSignInUpdateAck = {
   payload: null;
 };
 
+export type OkoWalletMsgAuth0EmailSendCode = {
+  target: "oko_attached";
+  msg_type: "auth0_email_send_code";
+  payload: {
+    email: string;
+  };
+};
+
+export type OkoWalletMsgAuth0EmailSendCodeAck = {
+  target: "oko_sdk";
+  msg_type: "auth0_email_send_code_ack";
+  payload: Result<null, string>;
+};
+
+export type OkoWalletMsgAuth0EmailVerify = {
+  target: "oko_attached";
+  msg_type: "auth0_email_verify";
+  payload: {
+    email: string;
+    code: string;
+  };
+};
+
+export type OkoWalletMsgAuth0EmailVerifyAck = {
+  target: "oko_sdk";
+  msg_type: "auth0_email_verify_ack";
+  payload: Result<null, string>;
+};
+
 export type OkoWalletMsgOAuthInfoPass = {
   target: "oko_attached";
   msg_type: "oauth_info_pass";
@@ -167,6 +196,10 @@ export type OkoWalletMsg =
   | OkoWalletMsgSetOAuthNonceAck
   | OkoWalletMsgOAuthSignInUpdate
   | OkoWalletMsgOAuthSignInUpdateAck
+  | OkoWalletMsgAuth0EmailSendCode
+  | OkoWalletMsgAuth0EmailSendCodeAck
+  | OkoWalletMsgAuth0EmailVerify
+  | OkoWalletMsgAuth0EmailVerifyAck
   | OkoWalletMsgOAuthInfoPass
   | OkoWalletMsgOAuthInfoPassAck
   | OkoWalletMsgSignOut
diff --git a/sdk/oko_sdk_core/src/types/oauth.ts b/sdk/oko_sdk_core/src/types/oauth.ts
index bbe77f1ca..0c7a973a6 100644
--- a/sdk/oko_sdk_core/src/types/oauth.ts
+++ b/sdk/oko_sdk_core/src/types/oauth.ts
@@ -1,6 +1,9 @@
+export type OAuthProvider = "google" | "auth0";
+
 export type OAuthState = {
   apiKey: string;
   targetOrigin: string;
+  provider?: OAuthProvider;
 };
 
 export enum RedirectUriSearchParamsKey {
@@ -12,4 +15,5 @@ export interface OAuthPayload {
   id_token: string;
   api_key: string;
   target_origin: string;
+  auth_type: OAuthProvider;
 }
diff --git a/sdk/oko_sdk_core/src/types/oko_wallet.ts b/sdk/oko_sdk_core/src/types/oko_wallet.ts
index 8db0ae112..5cad3e2ec 100644
--- a/sdk/oko_sdk_core/src/types/oko_wallet.ts
+++ b/sdk/oko_sdk_core/src/types/oko_wallet.ts
@@ -34,6 +34,8 @@ export interface OkoWalletInterface {
   signOut: () => Promise<void>;
   getPublicKey: () => Promise<string | null>;
   getEmail: () => Promise<string | null>;
+  startEmailSignIn: (email: string) => Promise<void>;
+  completeEmailSignIn: (email: string, code: string) => Promise<void>;
   on: (handlerDef: OkoWalletCoreEventHandler2) => void;
 }
 
diff --git a/yarn.lock b/yarn.lock
index b53342ece..830c25dc9 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -10134,6 +10134,7 @@ __metadata:
     "@types/node": "npm:*"
     "@types/react": "npm:*"
     "@types/react-dom": "npm:*"
+    auth0-js: "npm:^9.28.1"
     dotenv: "npm:*"
     next: "npm:^15.4.5"
     react: "npm:*"
@@ -10241,6 +10242,7 @@ __metadata:
     "@types/express": "npm:^4.17.20"
     "@types/express-rate-limit": "npm:^6.0.2"
     "@types/jest": "npm:^29.5.13"
+    "@types/jsonwebtoken": "npm:^9.0.7"
     "@types/morgan": "npm:^1.9.9"
     "@types/node": "npm:^22.7.5"
     "@types/pg": "npm:^8"
@@ -10258,6 +10260,7 @@ __metadata:
     express-rate-limit: "npm:^8.0.1"
     helmet: "npm:^8.0.0"
     jest: "npm:*"
+    jsonwebtoken: "npm:^9.0.2"
     morgan: "npm:^1.10.0"
     pg: "npm:^8.16.3"
     supertest: "npm:*"
@@ -10525,10 +10528,12 @@ __metadata:
     "@tanstack/react-router": "npm:^1.131.49"
     "@tanstack/react-router-devtools": "npm:^1.131.49"
     "@tanstack/router-plugin": "npm:^1.131.49"
+    "@types/auth0-js": "npm:^9.21.6"
     "@types/node": "npm:*"
     "@types/react": "npm:*"
     "@types/react-dom": "npm:*"
     "@vitejs/plugin-react": "npm:^5.0.3"
+    auth0-js: "npm:^9.29.0"
     biome: "npm:*"
     bitcoinjs-lib: "npm:^6.1.7"
     chalk: "npm:*"
@@ -14703,6 +14708,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@types/auth0-js@npm:^9.21.6":
+  version: 9.21.6
+  resolution: "@types/auth0-js@npm:9.21.6"
+  checksum: 10c0/3899ad7c2734cfcdaeaf564e297897b3b228b88a289ea2a99c55d3ccaa03a4da26905e2f31181fdb53d6f8de4744faee43be1e65c6df81073604b21c409848b8
+  languageName: node
+  linkType: hard
+
 "@types/babel__core@npm:^7.1.14, @types/babel__core@npm:^7.20.5":
   version: 7.20.5
   resolution: "@types/babel__core@npm:7.20.5"
@@ -15080,7 +15092,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@types/jsonwebtoken@npm:*":
+"@types/jsonwebtoken@npm:*, @types/jsonwebtoken@npm:^9.0.7":
   version: 9.0.10
   resolution: "@types/jsonwebtoken@npm:9.0.10"
   dependencies:
@@ -17887,6 +17899,22 @@ __metadata:
   languageName: node
   linkType: hard
 
+"auth0-js@npm:^9.28.1, auth0-js@npm:^9.29.0":
+  version: 9.29.0
+  resolution: "auth0-js@npm:9.29.0"
+  dependencies:
+    base64-js: "npm:^1.5.1"
+    idtoken-verifier: "npm:^2.2.4"
+    js-cookie: "npm:^2.2.0"
+    minimist: "npm:^1.2.5"
+    qs: "npm:^6.10.1"
+    superagent: "npm:^10.2.3"
+    url-join: "npm:^4.0.1"
+    winchan: "npm:^0.2.2"
+  checksum: 10c0/a9dccc0f2b2f46fb79850bbb890c0be20c75c7c3b3e856b7e9d4d1222a256f9260c9991f2ffcd1713e40face1c8a844b01448902bf076276f155f19c7139236d
+  languageName: node
+  linkType: hard
+
 "autoprefixer@npm:^10.4.19, autoprefixer@npm:^10.4.21":
   version: 10.4.21
   resolution: "autoprefixer@npm:10.4.21"
@@ -18265,7 +18293,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"base64-js@npm:^1.3.0, base64-js@npm:^1.3.1":
+"base64-js@npm:^1.3.0, base64-js@npm:^1.3.1, base64-js@npm:^1.5.1":
   version: 1.5.1
   resolution: "base64-js@npm:1.5.1"
   checksum: 10c0/f23823513b63173a001030fae4f2dabe283b99a9d324ade3ad3d148e218134676f1ee8568c877cd79ec1c53158dcf2d2ba527a97c606618928ba99dd930102bf
@@ -20657,7 +20685,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"crypto-js@npm:^4.0.0":
+"crypto-js@npm:^4.0.0, crypto-js@npm:^4.2.0":
   version: 4.2.0
   resolution: "crypto-js@npm:4.2.0"
   checksum: 10c0/8fbdf9d56f47aea0794ab87b0eb9833baf80b01a7c5c1b0edc7faf25f662fb69ab18dc2199e2afcac54670ff0cd9607a9045a3f7a80336cccd18d77a55b9fdf0
@@ -22466,6 +22494,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"es6-promise@npm:^4.2.8":
+  version: 4.2.8
+  resolution: "es6-promise@npm:4.2.8"
+  checksum: 10c0/2373d9c5e9a93bdd9f9ed32ff5cb6dd3dd785368d1c21e9bbbfd07d16345b3774ae260f2bd24c8f836a6903f432b4151e7816a7fa8891ccb4e1a55a028ec42c3
+  languageName: node
+  linkType: hard
+
 "esast-util-from-estree@npm:^2.0.0":
   version: 2.0.0
   resolution: "esast-util-from-estree@npm:2.0.0"
@@ -25826,6 +25861,20 @@ __metadata:
   languageName: node
   linkType: hard
 
+"idtoken-verifier@npm:^2.2.4":
+  version: 2.2.4
+  resolution: "idtoken-verifier@npm:2.2.4"
+  dependencies:
+    base64-js: "npm:^1.5.1"
+    crypto-js: "npm:^4.2.0"
+    es6-promise: "npm:^4.2.8"
+    jsbn: "npm:^1.1.0"
+    unfetch: "npm:^4.2.0"
+    url-join: "npm:^4.0.1"
+  checksum: 10c0/f7d117d6d3325a4c50db9d59145109fb2216c064dce7eb0128ebcd638424dcc73ad365e964cb870718e05904542e471960d1daca00242ac27428f0a742780443
+  languageName: node
+  linkType: hard
+
 "ieee754@npm:^1.1.13, ieee754@npm:^1.2.1":
   version: 1.2.1
   resolution: "ieee754@npm:1.2.1"
@@ -28029,6 +28078,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"js-cookie@npm:^2.2.0":
+  version: 2.2.1
+  resolution: "js-cookie@npm:2.2.1"
+  checksum: 10c0/ee67fc0f8495d0800b851910b5eb5bf49d3033adff6493d55b5c097ca6da46f7fe666b10e2ecb13cfcaf5b88d71c205ce00a7e646de791689bfd053bbb36a376
+  languageName: node
+  linkType: hard
+
 "js-cookie@npm:^3.0.5":
   version: 3.0.5
   resolution: "js-cookie@npm:3.0.5"
@@ -28087,6 +28143,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"jsbn@npm:^1.1.0":
+  version: 1.1.0
+  resolution: "jsbn@npm:1.1.0"
+  checksum: 10c0/4f907fb78d7b712e11dea8c165fe0921f81a657d3443dde75359ed52eb2b5d33ce6773d97985a089f09a65edd80b11cb75c767b57ba47391fee4c969f7215c96
+  languageName: node
+  linkType: hard
+
 "jsbn@npm:~0.1.0":
   version: 0.1.1
   resolution: "jsbn@npm:0.1.1"
@@ -28298,7 +28361,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"jsonwebtoken@npm:*":
+"jsonwebtoken@npm:*, jsonwebtoken@npm:^9.0.2":
   version: 9.0.2
   resolution: "jsonwebtoken@npm:9.0.2"
   dependencies:
@@ -35015,7 +35078,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"qs@npm:^6.11.2, qs@npm:^6.12.3, qs@npm:^6.14.0":
+"qs@npm:^6.10.1, qs@npm:^6.11.2, qs@npm:^6.12.3, qs@npm:^6.14.0":
   version: 6.14.0
   resolution: "qs@npm:6.14.0"
   dependencies:
@@ -39795,6 +39858,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"unfetch@npm:^4.2.0":
+  version: 4.2.0
+  resolution: "unfetch@npm:4.2.0"
+  checksum: 10c0/a5c0a896a6f09f278b868075aea65652ad185db30e827cb7df45826fe5ab850124bf9c44c4dafca4bf0c55a0844b17031e8243467fcc38dd7a7d435007151f1b
+  languageName: node
+  linkType: hard
+
 "unicode-byte-truncate@npm:^1.0.0":
   version: 1.0.0
   resolution: "unicode-byte-truncate@npm:1.0.0"
@@ -40225,6 +40295,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"url-join@npm:^4.0.1":
+  version: 4.0.1
+  resolution: "url-join@npm:4.0.1"
+  checksum: 10c0/ac65e2c7c562d7b49b68edddcf55385d3e922bc1dd5d90419ea40b53b6de1607d1e45ceb71efb9d60da02c681d13c6cb3a1aa8b13fc0c989dfc219df97ee992d
+  languageName: node
+  linkType: hard
+
 "url-loader@npm:^4.1.1":
   version: 4.1.1
   resolution: "url-loader@npm:4.1.1"
@@ -41291,6 +41368,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"winchan@npm:^0.2.2":
+  version: 0.2.2
+  resolution: "winchan@npm:0.2.2"
+  checksum: 10c0/dcd234e796c81d0637df63e52cafaf8b27f825120b759d519108d895b4054e530b315b44cedd04fc56748e26a4b747940d1694d8304732bc1ea7fd18a97c1635
+  languageName: node
+  linkType: hard
+
 "winston-daily-rotate-file@npm:*, winston-daily-rotate-file@npm:^5.0.0":
   version: 5.0.0
   resolution: "winston-daily-rotate-file@npm:5.0.0"