# Hosted Login vs. Embedded Login

> Describes the differences between hosted login (Universal Login) and embedded login.

When you design the login experience for your application, you’ll need to decide if you want it to be hosted ([Universal Login](/docs/authenticate/login/auth0-universal-login)) or embedded.

## Hosted login

In a hosted login flow, the application redirects the user to the <Tooltip tip="Authorization Server: Centralized server that contributes to defining the boundaries of a user’s access. For example, your authorization server can control the data, tasks, and features available to a user." cta="View Glossary" href="/docs/glossary?term=authorization+server">authorization server</Tooltip> to perform authentication, and then the authorization server returns the user to the application.

### Universal Login flow

In the typical user authentication experience with <Tooltip tip="Universal Login: Your application redirects to Universal Login, hosted on Auth0's Authorization Server, to verify a user's identity." cta="View Glossary" href="/docs/glossary?term=Universal+Login">Universal Login</Tooltip>:

1. Your application triggers an authentication request by invoking an Auth0 SDK’s login method or by calling the [Auth0 Authentication API Login endpoint](https://auth0.com/docs/api/authentication/login/) directly.
2. Your application redirects the user to the Auth0 authorization server (your Auth0 tenant).
3. Auth0 checks for a session cookie on the [Auth0 Session Layer](/docs/manage-users/sessions/session-layers).

   * If a session cookie is not found, Auth0 redirects the user to Universal Login to authenticate and creates an associated session cookie.
   * If a session cookie is found, Auth0 uses it to authenticate the user.
4. Auth0 returns the user to your application with an [ID token](/docs/secure/tokens/id-tokens) and an [access token](/docs/secure/tokens/access-tokens).
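
What the redirect in steps 1, 2, and 4 looks like when built by hand, as an added example that is not Auth0 SDK code or code from the original page. It assumes the Authorization Code flow with PKCE (RFC 7636) against the tenant's `/authorize` endpoint; the tenant domain, client ID, and callback URL are placeholders, and the function names are hypothetical.

```javascript
// Added example: hosted-login redirect carrying state + PKCE, and the
// callback checks an application should run before trusting the response.
const nodeCrypto = require('node:crypto');

const b64url = (buf) => buf.toString('base64url');

// RFC 7636 S256: code_challenge = BASE64URL(SHA256(code_verifier))
function pkceChallenge(verifier) {
  return b64url(nodeCrypto.createHash('sha256').update(verifier, 'ascii').digest());
}

// Steps 1-2: build the redirect to the authorization server. `pending` must be
// stored in the user's session until the callback arrives.
function buildLoginRedirect({ domain, clientId, redirectUri, scope = 'openid profile' }) {
  const state = b64url(nodeCrypto.randomBytes(32));        // binds response to this request
  const codeVerifier = b64url(nodeCrypto.randomBytes(32)); // 43 chars, never sent in the redirect
  const url = new URL(`https://${domain}/authorize`);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: clientId,
    redirect_uri: redirectUri,
    scope,
    state,
    code_challenge: pkceChallenge(codeVerifier),
    code_challenge_method: 'S256',
  }).toString();
  return { url: url.toString(), pending: { state, codeVerifier, redirectUri } };
}

// Step 4: validate the callback before exchanging the code for tokens.
function handleCallback(callbackUrl, pending) {
  const cb = new URL(callbackUrl);
  const expected = new URL(pending.redirectUri);
  if (cb.origin !== expected.origin || cb.pathname !== expected.pathname) {
    throw new Error('unexpected redirect target');
  }
  const params = cb.searchParams;
  if (params.has('error')) throw new Error(`authorization error: ${params.get('error')}`);
  const got = Buffer.from(params.get('state') || '');
  const want = Buffer.from(pending.state);
  if (got.length !== want.length || !nodeCrypto.timingSafeEqual(got, want)) {
    throw new Error('state mismatch'); // forged or replayed callback
  }
  const code = params.get('code');
  if (!code) throw new Error('missing code');
  return { code, codeVerifier: pending.codeVerifier }; // inputs for the token request
}
```

The application never sees the user's credentials in this flow; it only handles the opaque `state`, the PKCE verifier, and the returned code.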

## Embedded login

In an embedded login flow, the user authenticates directly within your application. The application serves the login form, collects the user’s credentials, sends that data to the authentication provider, and then receives a response with the user’s <Tooltip tip="ID Token: Credential meant for the client itself, rather than for accessing a resource." cta="View Glossary" href="/docs/glossary?term=ID+token">ID token</Tooltip> and <Tooltip tip="Access Token: Credential that can be used by an application to access an API." cta="View Glossary" href="/docs/glossary?term=access+token">access token</Tooltip>.

For web applications, embedded login uses [cross-origin authentication](/docs/authenticate/login/cross-origin-authentication) unless you [configure a custom domain](/docs/customize/custom-domains) for your Auth0 tenant. Cross-origin authentication uses third-party cookies to allow for secure authentication transactions across different origins.

## Feature comparison

| Feature                                                 | Hosted                                                                                                                                                                                                                                                                                              | Embedded                                                                                                                                                                                                                                                                                                                                                              |
| ------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **[Single Sign-on](/docs/authenticate/single-sign-on)** | Full support with Universal Login through the use of [session cookies](/docs/manage-users/sessions) on the Auth0 Authorization Server (your Auth0 tenant).                                                                                                                                          | Limited support. Web applications that use the [Lock](/docs/libraries/lock/lock-api-reference#checksession-) or [Auth0.js](/docs/libraries/auth0js#using-checksession-to-acquire-new-tokens) libraries can share sessions. Native applications can share sessions with web applications through [Native to Web SSO](/docs/authenticate/single-sign-on/native-to-web). |
| **[Customization](/docs/customize)**                    | Universal Login allows you to easily customize many parts of the experience (including theming, page templates, text elements, and prompts).<br /><br />Full customization is supported through [Advanced Customizations for Universal Login.](/docs/customize/login-pages/advanced-customizations) | Highest degree of customization, since you fully control the UI/UX of your application.                                                                                                                                                                                                                                                                               |
| **Feature management**                                  | Features can be centrally managed within the Auth0 Dashboard or through the Auth0 Management API.<br /><br />For example, when you enable/disable MFA in your Dashboard, it will be immediately reflected in subsequent user logins.                                                                | Features must be managed for each application individually.<br /><br />For example, if you wanted to implement MFA for your web application and for your native application, you’d have to update and release new versions for both.                                                                                                                                  |
| **User experience**                                     | Users are redirected between your application and the Auth0 Authorization Server during authentication.<br /><br />For native applications, this requires implementation of universal/deep links.                                                                                                   | Users remain in your application during authentication.                                                                                                                                                                                                                                                                                                               |
| **Security and maintenance**                            | Auth0 monitors security trends and updates Universal Login accordingly.                                                                                                                                                                                                                             | You are responsible for following security best practices and implementing provided technologies accordingly.                                                                                                                                                                                                                                                         |

## Best practice

According to [RFC 8252: OAuth 2.0 for Native Apps on IETF](https://www.rfc-editor.org/rfc/rfc8252.txt), only external user-agents (such as the browser) should be used by native applications for authentication flows.
