Auth0 Relay for Mobile + Rails
Bridged React Native Expo and Rails through an Auth0 relay that decodes tokens and hydrates user context in one roundtrip.
Key Metrics
- Platforms linked: Mobile ↔ Rails
- Token roundtrip: <2s
- Profile coverage: 100%
What happened?
Implemented Auth0 universal login in the mobile app, added a Rails relay endpoint that validates JWTs, looks up profiles via the Auth0 sub, and returns sanitized user payloads back to Expo. The relay also provisions missing users and caches claims for faster follow-up requests.
Tech & Impact
- React Native
- Rails
- Auth0
- TypeScript
Eliminated duplicate credential flows and gave the mobile team a single secure handshake—Auth0 issues the token, Rails verifies and hydrates profile data, and the app renders immediately without direct database access.
Sequence overview
Expo handles the Auth0 login, Rails validates the token, and the app receives a hydrated profile—no direct database access from the device.
Expo app triggers universal login
The mobile user taps sign-in, Expo opens the Auth0 hosted login page, and the user completes authentication there.
Auth0 returns ID token
Auth0 issues a signed JWT containing the user sub and claims; token stays on-device.
Rails relay validates
App posts the JWT to Rails. A JWTDecoder module verifies signature, expiry, and audience before continuing.
Hydrate profile + respond
Rails looks up the profile via the Auth0 sub, provisions if missing, and replies with sanitized JSON for the app to render.
Practices baked into the relay
Guardrails that keep the token exchange safe and debuggable.
JWTDecoder service
Wraps json-jwt verification, caches JWKs, and raises on signature or audience mismatch.
Relay contract tests
RSpec + Playwright tests cover happy path, expired tokens, and unlinked profiles.
Idempotent provisioning
If the sub is new, Rails seeds the profile then returns the same payload format for Expo.
Thin mobile client
Expo only handles UI states—authorization logic lives server-side for easier auditing.
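The JWTDecoder service described above, as an added example that is not the project's own code: a stdlib-only RS256 verifier standing in for the json-jwt call the relay wraps, with a cached JWKS that is refreshed once when an unknown `kid` appears. Class, method and error names are hypothetical.

```ruby
require "openssl"
require "json"
require "base64"

# Added example modelled on the page's JWTDecoder: a stdlib-only RS256 check
# standing in for the json-jwt call the relay wraps. Names are hypothetical.
class JWTDecoder
  class VerificationError < StandardError; end

  # jwks_fetcher: a callable returning Auth0's JWKS document as a Hash
  def initialize(jwks_fetcher:, audience:, issuer:)
    @fetch, @audience, @issuer = jwks_fetcher, audience, issuer
    @jwks = nil # cached key set; re-fetched once when a kid is unknown
  end

  # Returns the verified claims, or raises VerificationError (never nil)
  def decode(token, now: Time.now.to_i)
    h, p, s = token.split(".")
    raise VerificationError, "malformed token" unless h && p && s
    header = JSON.parse(b64d(h))
    raise VerificationError, "unsupported alg" unless header["alg"] == "RS256"
    unless key_for(header["kid"]).verify(OpenSSL::Digest.new("SHA256"), b64d(s), "#{h}.#{p}")
      raise VerificationError, "signature mismatch"
    end
    claims = JSON.parse(b64d(p))
    raise VerificationError, "expired" unless claims["exp"].is_a?(Integer) && claims["exp"] > now
    raise VerificationError, "audience mismatch" unless Array(claims["aud"]).include?(@audience)
    raise VerificationError, "issuer mismatch" unless claims["iss"] == @issuer
    claims
  rescue ArgumentError, JSON::ParserError
    raise VerificationError, "malformed token"
  end

  private

  def b64d(str)
    Base64.urlsafe_decode64(str)
  end

  # Serve the key from cache; refresh once on an unknown kid (key rotation)
  def key_for(kid)
    @jwks ||= @fetch.call
    jwk = @jwks["keys"].find { |k| k["kid"] == kid }
    jwk ||= (@jwks = @fetch.call)["keys"].find { |k| k["kid"] == kid }
    raise VerificationError, "unknown kid" unless jwk
    n, e = %w[n e].map { |f| OpenSSL::ASN1::Integer(OpenSSL::BN.new(b64d(jwk[f]), 2)) }
    OpenSSL::PKey::RSA.new(OpenSSL::ASN1::Sequence([n, e]).to_der) # PKCS#1 RSAPublicKey
  end
end
```

The relay endpoint would call `decode` on the posted token and map every `VerificationError` to a 401 before any profile lookup runs, so an expired, re-targeted or tampered token never reaches the database.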
Lightweight ERD
Core tables touched by the relay. Mobile devices read through Rails—never directly from the database.
Supplement this case study
Ready-made prompts for extra artefacts when you want to deepen the story.
Sequence demo
Record a screen capture showing the login modal, token post, and profile render in the app.
Relay code snippet
Share sanitized Ruby service objects (JWT decoder, profile serializer) to highlight reusable pieces.
ERD deep dive
Drop in a link or image detailing the users, identities, and device tables if stakeholders need the full schema.