diff --git a/main/config/navigation/universal-components.json b/main/config/navigation/universal-components.json
index e39e05c905..9429c14f0a 100644
--- a/main/config/navigation/universal-components.json
+++ b/main/config/navigation/universal-components.json
@@ -26,6 +26,14 @@
"docs/get-started/universal-components/web/components/sso-provider-create",
"docs/get-started/universal-components/web/components/sso-provider-edit"
]
+ },
+ {
+ "group": "My Account",
+ "pages": [
+ "docs/get-started/universal-components/web/components/my-account-overview",
+ "docs/get-started/universal-components/web/components/user-mfa-management",
+ "docs/get-started/universal-components/web/components/user-passkey-management"
+ ]
}
]
}
diff --git a/main/docs/get-started/universal-components/web/components/my-account-overview.mdx b/main/docs/get-started/universal-components/web/components/my-account-overview.mdx
new file mode 100644
index 0000000000..7d83c87115
--- /dev/null
+++ b/main/docs/get-started/universal-components/web/components/my-account-overview.mdx
@@ -0,0 +1,367 @@
+---
+title: Build a Self-Service Account Security Interface with My Account API
+description: Learn how to configure Universal Components to build self-service account security interfaces with My Account API.
+sidebarTitle: Build Account Security UI
+---
+
+import { ReleaseStageNotice } from "/snippets/ReleaseStageNotice.jsx";
+
+
+
+My Account components allow you to embed a self-service authentication management interface directly into your web application. Your users can enroll and remove multi-factor authentication (MFA) factors and manage passkeys within your web application.
+
+## How it works
+
+My Account components use the My Account API's [authentication methods](/docs/manage-users/my-account-api#manage-authentication-methods) endpoints to render an authentication-management UI inside your application.
+
+
+The [My Account API](/docs/manage-users/my-account-api) currently enforces low [rate limits](/docs/troubleshoot/customer-support/operational-policies/rate-limit-policy/rate-limit-configurations), especially on free-tier tenants. This may cause errors while using these components.
+
+
+When an authenticated user opens their account settings screen, the Auth0 SDK retrieves an [access token](/docs/secure/tokens/access-tokens) scoped to the My Account API audience.
+
+The components use this token to call the My Account API [`/me/v1/authentication-methods`](/docs/api/myaccount/authentication-methods/get-authentication-methods) as the logged-in user, so each user can only view and modify their own authentication methods.
+
+### Available components
+
+| **Component** | **API endpoint** |
+| :--- | :--- |
+| [**UserMFAMgmt**](/docs/get-started/universal-components/web/components/user-mfa-management) Enroll and delete MFA factors: email OTP, SMS OTP, TOTP (authenticator application), push notifications, passkeys, and recovery codes. | `/me/v1/authentication-methods` |
+| [**UserPasskeyMgmt**](/docs/get-started/universal-components/web/components/user-passkey-management) Register and revoke WebAuthn passkeys. | `/me/v1/authentication-methods` (type: passkey) |
+
+
+* These components create **end-user self-service** interfaces. End users can enroll, list, and remove every authentication method on their own account: email OTP, SMS OTP, TOTP (authenticator application), push notifications, passkeys, and recovery codes.
+* For **delegated admin** interfaces in which a user manages an Auth0 [Organization](/docs/manage-users/organizations), read [Build a Delegated Admin Interface](/docs/get-started/universal-components/web/components/build-delegated-admin).
+
+
+
+
+
+
+## Prerequisites
+
+### Enable My Account API
+
+1. Navigate to [**Dashboard > Applications > APIs**](https://manage.auth0.com/#/apis).
+2. Select **Activate My Account API** to enable it for your tenant.
+
+### Create the application and configure My Account API permissions
+
+1. Navigate to [**Dashboard > Applications > Applications**](https://manage.auth0.com/#/applications), and select **Create Application**.
+2. Select **Single Page Web Applications**.
+3. Select the **Settings** tab and add your **Callback, Logout, and Web Origins URLs**. For example: `http://localhost:5173`.
+4. Select the **API Access** tab.
+5. Select **Edit** for the **Auth0 My Account API** to add the **User-delegated Access** permissions:
+
+ `create:me:authentication_methods`
+ `read:me:authentication_methods`
+ `update:me:authentication_methods`
+ `delete:me:authentication_methods`
+ `read:me:factors`
+
+6. Select **Save** to save the permissions.
+
+
+* The user’s access token only includes permissions that were granted during login.
+* Request all five scopes to allow users to enroll, review, and remove authentication methods.
+
+
+### Set up the database and test user
+
+1. Navigate to [**Dashboard > Authentication > Database**](https://manage.auth0.com/#/connections/database) to create a database connection.
+2. In the **Applications** tab of the database, enable your application.
+3. Navigate to [**Dashboard > User Management > Users**](https://manage.auth0.com/#/users).
+4. Select **Create User** to create a user assigned to the new database connection.
+5. Select **Create** to add the new user; use this new user for testing.
+
+## Configure your application
+
+### Install the component
+
+
+```bash pnpm wrap lines
+pnpm add @auth0/universal-components-react
+```
+
+```bash npm wrap lines
+npm install @auth0/universal-components-react
+```
+
+
+
+The install command also adds the `@auth0/universal-components-core` dependency for shared utilities and Auth0 integration.
+
+
+### Configure environment variables
+
+Create a `.env` file in your project root:
+
+```bash wrap lines
+VITE_AUTH0_DOMAIN=YOUR_TENANT_DOMAIN.auth0.com
+VITE_AUTH0_CLIENT_ID=YOUR_SPA_CLIENT_ID
+```
+
+### Configure Universal Components
+
+Import `Auth0Provider` and `Auth0ComponentProvider` and set `interactiveErrorHandler="popup"` so that MFA enrollment and deletion challenges are handled in a popup rather than redirecting away from the page.
+
+```tsx App.tsx wrap lines
+import { Auth0Provider } from "@auth0/auth0-react";
+import { Auth0ComponentProvider } from "@auth0/universal-components-react/spa";
+
+const domain = import.meta.env.VITE_AUTH0_DOMAIN;
+const clientId = import.meta.env.VITE_AUTH0_CLIENT_ID;
+
+export default function App() {
+ return (
+
+
+ {/* your application */}
+
+
+ );
+}
+```
+
+
+* Users must be authenticated before the My Account components are rendered.
+* Components automatically load the logged-in user's authentication methods from the My Account API.
+
+
+
+You are responsible for ensuring that your use of the My Account API and Universal Components complies with your security policies and applicable laws, including any permissions granted to your end users.
+
+
+
+
+
+
+## Prerequisites
+
+### Enable My Account API
+
+1. Navigate to [**Dashboard > Applications > APIs**](https://manage.auth0.com/#/apis).
+2. Select **Activate My Account API** to enable it for your tenant.
+
+### Create the application and configure My Account API permissions
+
+1. Navigate to [**Dashboard > Applications > Applications**](https://manage.auth0.com/#/applications), and select **Create Application**.
+2. Select **Regular Web Application**.
+3. Select the **Settings** tab and add your **Allowed Callback, and Allowed Logout URLs**. For example: `http://localhost:3000`.
+4. Select the **API Access** tab.
+5. Select **Edit** for the **Auth0 My Account API** to add the **User-delegated Access** permissions:
+
+ `create:me:authentication_methods`
+ `read:me:authentication_methods`
+ `update:me:authentication_methods`
+ `delete:me:authentication_methods`
+ `read:me:factors`
+
+6. Select **Save** to save the permissions.
+
+
+* The user’s access token only includes permissions that were granted during login.
+* Request all five scopes to allow users to enroll, review, and remove authentication methods.
+
+
+### Set up the database and test user
+
+1. Navigate to [**Dashboard > Authentication > Database**](https://manage.auth0.com/#/connections/database) to create a database connection.
+2. In the **Applications** tab of the database, enable your application.
+3. Navigate to [**Dashboard > User Management > Users**](https://manage.auth0.com/#/users).
+4. Select **Create User** to create a user assigned to the new database connection.
+5. Select **Create** to add the new user; use this new user for testing.
+
+## Configure your application
+
+### Install the component
+
+
+```bash pnpm wrap lines
+pnpm add @auth0/universal-components-react
+```
+
+```bash npm wrap lines
+npm install @auth0/universal-components-react
+```
+
+
+
+The install command also adds the `@auth0/universal-components-core` dependency for shared utilities and Auth0 integration.
+
+
+### Configure environment variables
+
+Create a `.env.local` file in your Next.js project root:
+
+```js wrap lines
+NEXT_PUBLIC_AUTH0_DOMAIN=YOUR_TENANT_DOMAIN.auth0.com
+NEXT_PUBLIC_AUTH0_CLIENT_ID=YOUR_RWA_CLIENT_ID
+AUTH0_SECRET=YOUR_AUTH0_SECRET
+AUTH0_ISSUER_BASE_URL="https://YOUR_TENANT_DOMAIN.auth0.com"
+```
+
+For complete Next.js SDK setup, read the [Auth0 Next.js SDK documentation](/docs/quickstart/webapp/nextjs).
+
+### Configure Universal Components
+
+Add `Auth0ComponentProvider` from the `/rwa` subpath to your root layout and set `interactiveErrorHandler="popup"` so that MFA enrollment and deletion challenges are handled in a popup rather than redirecting away from the page.
+
+```tsx app/layout.tsx wrap lines
+import { Auth0ComponentProvider } from "@auth0/universal-components-react/rwa";
+
+export default function RootLayout({ children }: { children: React.ReactNode }) {
+ return (
+
+
+
+ {children}
+
+
+
+ );
+}
+```
+
+
+* Users must be authenticated before the My Account components are rendered.
+* Components automatically load the logged-in user's authentication methods from the My Account API.
+
+
+
+You are responsible for ensuring that your use of the My Account API and Universal Components complies with your security policies and applicable laws, including any permissions granted to your end users.
+
+
+
+
+
+
+## Prerequisites
+
+### Enable My Account API
+
+1. Navigate to [**Dashboard > Applications > APIs**](https://manage.auth0.com/#/apis).
+2. Select **Activate My Account API** to enable it for your tenant.
+
+### Create the application and configure My Account API permissions
+
+1. Navigate to [**Dashboard > Applications > Applications**](https://manage.auth0.com/#/applications), and select **Create Application**.
+2. Select **Single Page Web Applications**.
+3. Select the **Settings** tab and add your **Callback, Logout, and Web Origins URLs**. For example: `http://localhost:5173`.
+4. Select the **API Access** tab.
+5. Select **Edit** for the **Auth0 My Account API** to add the **User-delegated Access** permissions:
+
+ `create:me:authentication_methods`
+ `read:me:authentication_methods`
+ `update:me:authentication_methods`
+ `delete:me:authentication_methods`
+ `read:me:factors`
+
+6. Select **Save** to save the permissions.
+
+
+* The user’s access token only includes permissions that were granted during login.
+* Request all five scopes to allow users to enroll, review, and remove authentication methods.
+
+
+### Set up the database and test user
+
+1. Navigate to [**Dashboard > Authentication > Database**](https://manage.auth0.com/#/connections/database) to create a database connection.
+2. In the **Applications** tab of the database, enable your application.
+3. Navigate to [**Dashboard > User Management > Users**](https://manage.auth0.com/#/users).
+4. Select **Create User** to create a user assigned to the new database connection.
+5. Select **Create** to add the new user; use this new user for testing.
+
+## Configure your application
+
+### Install the component
+
+Run the shadcn CLI to add the components directly to your project source:
+
+```bash MFA management wrap lines
+npx shadcn@latest add https://auth0-universal-components.vercel.app/r/my-account/user-mfa-management.json
+```
+
+```bash Passkey management wrap lines
+npx shadcn@latest add https://auth0-universal-components.vercel.app/r/my-account/user-passkey-management.json
+```
+
+
+The install command adds the component source into `src/components/auth0/my-account/` along with all UI dependencies and the `@auth0/universal-components-core` dependency for shared utilities and Auth0 integration.
+
+
+
+### Configure environment variables
+
+Create a `.env.local` file in your project root:
+
+```js wrap lines
+VITE_AUTH0_DOMAIN=YOUR_TENANT.auth0.com
+VITE_AUTH0_CLIENT_ID=YOUR_SPA_CLIENT_ID
+```
+
+### Configure Universal Components
+
+Import `Auth0Provider` and `Auth0ComponentProvider` and set `interactiveErrorHandler="popup"` so that MFA enrollment and deletion challenges are handled in a popup rather than redirecting away from the page.
+
+
+```tsx App.tsx wrap lines
+import { Auth0Provider } from "@auth0/auth0-react";
+import { Auth0ComponentProvider } from "@auth0/universal-components-react/spa";
+
+const domain = import.meta.env.VITE_AUTH0_DOMAIN;
+const clientId = import.meta.env.VITE_AUTH0_CLIENT_ID;
+
+export default function App() {
+ return (
+
+
+ {/* your application */}
+
+
+ );
+}
+```
+
+
+* Users must be authenticated before the My Account components are rendered.
+* Components automatically load the logged-in user's authentication methods from the My Account API.
+
+
+
+You are responsible for ensuring that your use of the My Account API and Universal Components complies with your security policies and applicable laws, including any permissions granted to your end users.
+
+
+
+
+
+## Learn more
+
+
+
+ MFA factors reference: props, customization, TypeScript definitions, and advanced subcomponents.
+
+
+
+ Passkey management reference: hooks, message overrides, and CSS class targets.
+
+
+
diff --git a/main/docs/get-started/universal-components/web/components/user-mfa-management.mdx b/main/docs/get-started/universal-components/web/components/user-mfa-management.mdx
new file mode 100644
index 0000000000..e8c3a45d7f
--- /dev/null
+++ b/main/docs/get-started/universal-components/web/components/user-mfa-management.mdx
@@ -0,0 +1,821 @@
+---
+title: User MFA Management
+description: Learn how to render a card-based UI that lets users enroll, view, and delete their own multi-factor authentication factors using the My Account API.
+sidebarTitle: UserMFAMgmt component
+---
+
+import { ComponentLoader } from "/snippets/ComponentLoader.jsx";
+import { ReleaseStageNotice } from "/snippets/ReleaseStageNotice.jsx";
+
+
+
+The `UserMFAMgmt` component lets users enroll, view, and delete their own multi-factor authentication factors in a single card-based interface using the [My Account API](/docs/manage-users/my-account-api).
+
+It uses the My Account API’s [authentication methods](/docs/manage-users/my-account-api#manage-authentication-methods) management capabilities to render a complete UI for managing a user’s authentication methods.
+
+With the `UserMFAMgmt` component, you do not need to orchestrate navigation, call API endpoints, or manage [state](/docs/api/authentication/authorization-code-flow/authorize-application#param-state).
+
+## Supported factors
+
+The component handles every authentication method factor configured with the My Account API.
+
+| **Factor** | **What the component renders** |
+|-----------|-------------------------------|
+| [Email OTP](/docs/secure/multi-factor-authentication/configure-mfa-email) | Email input → 6-digit OTP verification |
+| [SMS OTP](/docs/secure/multi-factor-authentication/configure-sms-notifications-for-mfa) | Country-code picker + phone entry → 6-digit OTP verification |
+| [TOTP (Authenticator application)](/docs/secure/multi-factor-authentication/configure-otp) | QR code with manual-entry key → 6-digit OTP verification |
+| [Push notifications](/docs/secure/multi-factor-authentication/enable-push-notifications-for-mfa) | QR code for [Auth0 Guardian](/docs/secure/multi-factor-authentication/auth0-guardian) scan → "waiting for approval" state |
+| [Passkeys](/docs/get-started/universal-components/web/components/user-passkeys-management) | Educational screen → OS biometric prompt → enrolled entry in the list |
+| [Recovery codes](/docs/secure/multi-factor-authentication/configure-recovery-codes-for-mfa) | Display-once code list with a copy action and an "I've saved my codes" confirmation |
+
+## Configure your application
+
+Select your framework to configure environment variables and universal components.
+
+
+
+
+## Setup requirements
+
+Before rendering the `UserMFAMgmt` component, follow [Build Account Security UI](/docs/get-started/universal-components/web/components/my-account-overview) to configure your Auth0 tenant and applications.
+
+### Enable MFA methods and scopes
+
+**Enable MFA methods**
+
+1. Navigato to [**Dashboard > Security > Multi-factor Auth**](https://manage.auth0.com/dashboard/*/security/mfa).
+2. Enable the desired factors. To learn more, read [Multi-Factor Authentication Factors](/docs/secure/multi-factor-authentication/multi-factor-authentication-factors#multi-factor-authentication-factors).
+
+**Add My Account API scopes**
+
+Add the following My Account API scopes to your [application](/docs/get-started/universal-components/web/components/my-account-overview#create-the-application-and-configure-my-account-api-permissions):
+- `enroll:authencicators`
+- `remove:authenticators`
+
+## Install the component
+
+
+```bash pnpm wrap lines
+pnpm add @auth0/universal-components-react
+```
+
+```bash npm wrap lines
+npm install @auth0/universal-components-react
+```
+
+
+
+The install command also adds the `@auth0/universal-components-core` dependency for shared utilities and Auth0 integration.
+
+
+## Get started
+
+```tsx wrap lines
+import { UserMFAMgmt } from "@auth0/universal-components-react";
+
+export function SecurityPage() {
+ return ;
+}
+```
+
+
+- Components are always imported from the root entry `@auth0/universal-components-react`, regardless of framework.
+- Only the `Auth0ComponentProvider` component uses a framework-specific subpath: `/spa` for React applications, `/rwa` for Next.js applications.
+
+
+
+```tsx wrap lines
+import React from "react";
+import { UserMFAMgmt } from "@auth0/universal-components-react";
+import { Auth0Provider } from "@auth0/auth0-react";
+import { Auth0ComponentProvider } from "@auth0/universal-components-react/spa";
+import { analytics } from "./lib/analytics";
+
+function SecurityPage() {
+ return (
+
+ {
+ analytics.track("MFA Factor Enrolled");
+ }}
+ onDelete={() => {
+ analytics.track("MFA Factor Deleted");
+ }}
+ onErrorAction={(error, action) => {
+ console.error(`MFA ${action} failed:`, error.message);
+ }}
+ onBeforeAction={async (action, factorType) => {
+ if (action === "delete") {
+ return await confirmDialog(
+ `Remove your ${factorType} authenticator?`
+ );
+ }
+ return true;
+ }}
+ customMessages={{
+ title: "Two-Factor Authentication",
+ description: "Manage the extra verification methods used to protect your account.",
+ }}
+ styling={{
+ variables: {
+ light: { "--color-primary": "#4f46e5" },
+ dark: { "--color-primary": "#818cf8" },
+ },
+ }}
+ />
+
+ );
+}
+
+export default function App() {
+ const domain = "YOUR_TENANT.auth0.com";
+ const clientId = "YOUR_CLIENT_ID";
+
+ return (
+
+
+
+
+
+ );
+}
+```
+
+
+
+
+
+
+## Setup requirements
+
+Before rendering the `UserMFAMgmt` component, follow [Build Account Security UI](/docs/get-started/universal-components/web/components/my-account-overview) to configure your Auth0 tenant and applications.
+
+### Enable MFA methods and scopes
+
+**Enable MFA methods**
+
+1. Navigato to [**Dashboard > Security > Multi-factor Auth**](https://manage.auth0.com/dashboard/*/security/mfa).
+2. Enable the desired factors. To learn more, read [Multi-Factor Authentication Factors](/docs/secure/multi-factor-authentication/multi-factor-authentication-factors#multi-factor-authentication-factors).
+
+**Add My Account API scopes**
+
+Add the following My Account API scopes to your [application](/docs/get-started/universal-components/web/components/my-account-overview#create-the-application-and-configure-my-account-api-permissions):
+- `enroll:authencicators`
+- `remove:authenticators`
+
+## Install the component
+
+
+```bash pnpm wrap lines
+pnpm add @auth0/universal-components-react
+```
+
+```bash npm wrap lines
+npm install @auth0/universal-components-react
+```
+
+
+
+The install command also adds the `@auth0/universal-components-core` dependency for shared utilities and Auth0 integration.
+
+
+## Get started
+
+```tsx app/security/page.tsx wrap lines
+"use client";
+
+import { UserMFAMgmt } from "@auth0/universal-components-react";
+
+export default function SecurityPage() {
+ return ;
+}
+```
+
+
+```tsx app/security/page.tsx wrap lines
+"use client";
+
+import { UserMFAMgmt } from "@auth0/universal-components-react";
+import { analytics } from "@/lib/analytics";
+
+export default function SecurityPage() {
+ return (
+
+ {
+ analytics.track("MFA Factor Enrolled");
+ }}
+ onDelete={() => {
+ analytics.track("MFA Factor Deleted");
+ }}
+ onErrorAction={(error, action) => {
+ console.error(`MFA ${action} failed:`, error.message);
+ }}
+ customMessages={{ title: "Two-Factor Authentication" }}
+ styling={{
+ variables: {
+ light: { "--color-primary": "#4f46e5" },
+ dark: { "--color-primary": "#818cf8" },
+ },
+ }}
+ />
+
+ );
+}
+```
+
+
+
+
+
+
+## Setup requirements
+
+Before rendering the `UserMFAMgmt` component, follow [Build Account Security UI](/docs/get-started/universal-components/web/components/my-account-overview) to configure your Auth0 tenant and applications.
+
+### Enable MFA methods and scopes
+
+**Enable MFA methods**
+
+1. Navigato to [**Dashboard > Security > Multi-factor Auth**](https://manage.auth0.com/dashboard/*/security/mfa).
+2. Enable the desired factors. To learn more, read [Multi-Factor Authentication Factors](/docs/secure/multi-factor-authentication/multi-factor-authentication-factors#multi-factor-authentication-factors).
+
+**Add My Account API scopes**
+
+Add the following My Account API scopes to your [application](/docs/get-started/universal-components/web/components/my-account-overview#create-the-application-and-configure-my-account-api-permissions):
+- `enroll:authencicators`
+- `remove:authenticators`
+
+## Install the component
+
+```bash wrap lines
+npx shadcn@latest add https://auth0-universal-components.vercel.app/r/my-account/user-mfa-management.json
+```
+
+
+The install command adds the component source into `src/components/auth0/my-account/` along with all UI dependencies and the `@auth0/universal-components-core` dependency for shared utilities and Auth0 integration.
+
+
+## Get started
+
+```tsx wrap lines
+import { UserMFAMgmt } from "@/components/auth0/my-account/user-mfa-management";
+
+export function SecurityPage() {
+ return ;
+}
+```
+
+
+```tsx wrap lines
+import React from "react";
+import { UserMFAMgmt } from "@/components/auth0/my-account/user-mfa-management";
+import { Auth0Provider } from "@auth0/auth0-react";
+import { Auth0ComponentProvider } from "@auth0/universal-components-react/spa";
+import { analytics } from "./lib/analytics";
+
+function SecurityPage() {
+ return (
+
+ {
+ analytics.track("MFA Factor Enrolled");
+ }}
+ onDelete={() => {
+ analytics.track("MFA Factor Deleted");
+ }}
+ onErrorAction={(error, action) => {
+ console.error(`MFA ${action} failed:`, error.message);
+ }}
+ onBeforeAction={async (action, factorType) => {
+ if (action === "delete") {
+ return await confirmDialog(`Remove your ${factorType} authenticator?`);
+ }
+ return true;
+ }}
+ customMessages={{ title: "Two-Factor Authentication" }}
+ styling={{
+ variables: {
+ light: { "--color-primary": "#4f46e5" },
+ dark: { "--color-primary": "#818cf8" },
+ },
+ }}
+ />
+
+ );
+}
+
+export default function App() {
+ const domain = "YOUR_TENANT.auth0.com";
+ const clientId = "YOUR_CLIENT_ID";
+
+ return (
+
+
+
+
+
+ );
+}
+```
+
+
+
+
+
+## Props
+
+### Display props
+
+Display props control how the component renders without affecting its behavior.
+
+
+
+
+ | Prop |
+ Type |
+ Default |
+ Description |
+
+
+
+
+ hideHeader |
+ boolean |
+ false |
+ Hide the component header (title and description). |
+
+
+ readOnly |
+ boolean |
+ false |
+ Disable all mutation actions (enroll and delete). Factors are shown but cannot be added or removed. |
+
+
+ showActiveOnly |
+ boolean |
+ false |
+ Show only factor types that the user has at least one active enrollment for. Factor types with no enrollments are hidden. |
+
+
+ disableEnroll |
+ boolean |
+ false |
+ Hide the enroll button for all factor types. Users can still delete existing factors. |
+
+
+ disableDelete |
+ boolean |
+ false |
+ Hide the delete button on all enrolled factor rows. Users can still enroll new factors. |
+
+
+ factorConfig |
+ Partial <Record<MFAType, { visible?: boolean; enabled?: boolean }>> |
+ {} |
+ Per-factor-type visibility and enabled state. |
+
+
+
+
+
+**factorConfig**
+
+Use `factorConfig` to show or grey-out specific factor types without editing the tenant configuration.
+Each key is a factor type `string`; both fields are optional and default to `true`.
+
+Supported factor type keys: `sms`, `otp`, `email`, `push-notification`, `webauthn-platform`, `webauthn-roaming`, `recovery-code`.
+
+- `visible` render the factor row in the list (`false` to hide).
+- `enabled` render the factor row is interactive (`false` renders it greyed-out and non-interactive).
+
+```tsx wrap lines
+
+```
+
+### Action props
+
+Action props let you hook into the component's lifecycle events and trigger or cancel operations.
+
+
+
+
+ | Prop |
+ Type |
+ Description |
+
+
+
+
+ onEnroll |
+ () => void |
+ Triggered after a factor is successfully enrolled. |
+
+
+ onDelete |
+ () => void |
+ Triggered after a factor is successfully deleted. |
+
+
+ onFetch |
+ () => void |
+ Triggered after the user's factors are successfully loaded. |
+
+
+ onErrorAction |
+ (error: Error, action: 'enroll' | 'delete' | 'confirm') => void |
+ Triggered when any action fails. Use this to surface errors to [logs](/docs/deploy-monitor/logs#logs) or logging system. |
+
+
+ onBeforeAction |
+ (action: 'enroll' | 'delete' | 'confirm', factorType: MFAType) => boolean | Promise<boolean> |
+ Triggered before an action executes. Return false (or a Promise resolving to false) to cancel. |
+
+
+
+
+**onEnroll**
+
+Triggers after a factor enrollment completes successfully. Use this to refresh related UI (for example, an account security score card) or send analytics.
+
+```tsx wrap lines
+ {
+ analytics.track("MFA Factor Enrolled");
+ }}
+/>
+```
+
+**onDelete**
+
+Triggers after a factor is deleted successfully. Use this to refresh any UI that reflects the count of enrolled factors.
+
+```tsx wrap lines
+ {
+ analytics.track("MFA Factor Deleted");
+ }}
+/>
+```
+
+**onFetch**
+
+Triggers after the component's initial factor list load. Useful for showing or hiding adjacent UI that depends on whether the user has any enrolled factors.
+
+```tsx wrap lines
+ {
+ setMFALoaded(true);
+ }}
+/>
+```
+
+**onErrorAction**
+
+Triggers when an enroll, delete, or confirm step fails. The `action` parameter identifies which stage errored: `'enroll'` (initiating enrollment), `'confirm'` (submitting the OTP or QR code), or `'delete'`.
+
+```tsx wrap lines
+ {
+ console.error(`MFA ${action} failed:`, error.message);
+ toast.error(`Something went wrong while trying to ${action} your factor.`);
+ }}
+/>
+```
+
+**onBeforeAction**
+
+Triggers before an action executes. Return `false` or a Promise that resolves to `false` to cancel the operation. The `factorType` parameter identifies which factor type is involved.
+
+- `'delete'` triggers before the built-in confirmation dialog is shown. Return `false` to cancel the deletion without ever showing the dialog.
+- `'enroll'` / `'confirm'` use this for pre-flight checks (for example, rate limiting, policy checks).
+
+```tsx wrap lines
+ {
+ if (action === "delete") {
+ return await confirmDialog(
+ `Remove your ${factorType} authenticator? You may be locked out if this is your only factor.`
+ );
+ }
+ return true;
+ }}
+/>
+```
+### Customize props
+
+Customization props let you adapt copy, validation rules, and styling without modifying source code.
+
+
+
+
+ | Prop |
+ Type |
+ Description |
+
+
+
+
+ customMessages |
+ Partial<MFAMessages> |
+ Override default UI text and translations. |
+
+
+ styling |
+ ComponentStyling<UserMFAMgmtClasses> |
+ CSS variables and class overrides. |
+
+
+ schema |
+ { email?: RegExp; phone?: RegExp } |
+ Custom validation patterns for email and phone number input fields. |
+
+
+
+
+**customMessages**
+
+Customize all text and translations. Every field is optional.
+
+
+**Top-level** `title`, `description`, `enabled` (badge label on enrolled factors), `no_active_mfa` (empty state when `showActiveOnly` is `true`)
+
+**Actions** `enroll` (enroll button label), `delete` (delete button label), `enroll_factor` (success message), `remove_factor` (success message), `deleting` (in-progress label), `cancel`
+
+**Delete confirmation** `delete_mfa_title`, `delete_mfa_content`
+
+**Per factor type** (replace `{factor}` with `sms`, `otp`, `email`, `push-notification`, `webauthn-platform`, `webauthn-roaming`, `recovery-code`) `{factor}.title`, `{factor}.description`, `{factor}.button-text`
+
+**Errors** `errors.factors_loading_error`, `errors.delete_factor`, `errors.failed`
+
+
+```tsx wrap lines
+
+```
+
+**Customize style**
+
+Customize appearance with CSS variables and class overrides. Supports light/dark themes.
+
+
+**Variables**—CSS custom properties
+
+- `common` Applied to both themes
+- `light` Light mode only
+- `dark` Dark mode only
+
+**Class overrides**
+
+- `UserMFAMgmt-card` the outer card wrapping the factor list
+- `UserMFASetupForm-dialogContent` the enrollment multi-step dialog content area
+- `DeleteFactorConfirmation-dialogContent` the delete confirmation dialog content area
+
+
+```tsx wrap lines
+
+```
+
+**schema**
+
+Override the built-in regex patterns used to validate user input during enrollment. Both fields are optional; unset fields keep their default patterns.
+
+- `email` validates the email address entered during email-OTP enrollment (default: standard RFC-5322-style pattern).
+- `phone` validates the phone number entered during SMS enrollment (default: accepts international E.164 format).
+
+```tsx wrap lines
+
+```
+
+## TypeScript definitions
+
+```typescript wrap lines
+type MFAType =
+ | "sms"
+ | "otp"
+ | "email"
+ | "push-notification"
+ | "webauthn-platform"
+ | "webauthn-roaming"
+ | "recovery-code";
+
+interface FactorConfigOptions {
+ visible?: boolean;
+ enabled?: boolean;
+}
+
+interface UserMFAMgmtClasses {
+ "UserMFAMgmt-card"?: string;
+ "UserMFASetupForm-dialogContent"?: string;
+ "DeleteFactorConfirmation-dialogContent"?: string;
+}
+
+interface UserMFAMgmtProps {
+ hideHeader?: boolean;
+ showActiveOnly?: boolean;
+ disableEnroll?: boolean;
+ disableDelete?: boolean;
+ readOnly?: boolean;
+ factorConfig?: Partial>;
+ customMessages?: Partial;
+ styling?: ComponentStyling;
+ schema?: { email?: RegExp; phone?: RegExp };
+ onEnroll?: () => void;
+ onDelete?: () => void;
+ onFetch?: () => void;
+ onErrorAction?: (error: Error, action: "enroll" | "delete" | "confirm") => void;
+ onBeforeAction?: (
+ action: "enroll" | "delete" | "confirm",
+ factorType: MFAType
+ ) => boolean | Promise;
+}
+```
+
+## Advanced customization
+
+The `UserMFAMgmt` component is composed of a stateless view component and a hook. Import them individually to build custom workflows.
+
+### Available subcomponents
+
+For advanced use cases, you can import individual subcomponents to build custom interfaces.
+
+
+
+
+ | Subcomponent |
+ Description |
+
+
+
+
+
+
+ UserMFAMgmtView
+ |
+
+ Stateless view layer; bring your own data and handlers via `useUserMFA`. |
+
+
+
+
+
+**Dialogs (shared sub-components)**
+
+
+
+
+ | Shared sub-components |
+ Description |
+
+
+
+
+
+
+ UserMFASetupForm
+ |
+
+ Multi-step enrollment dialog. Handles the full enrollment flow: contact entry (phone/email), OTP verification, QR-code scanning (for TOTP and push), and recovery-code display. |
+
+
+
+
+ DeleteFactorConfirmation
+ |
+
+ Confirmation dialog shown before a factor is deleted. |
+
+
+
+
+ FactorsList
+ |
+
+ Renders the list of active enrollments within a factor-type row, with per-enrollment delete buttons. |
+
+
+
+
+### Available hooks
+
+
+
+
+ | Hook |
+ Description |
+
+
+
+
+
+
+ useUserMFA
+ |
+
+ Full data and interaction layer: factor query, enrollment mutation, delete mutation, OTP confirmation, dialog state, and all event handlers. |
+
+
+
+
+
+## Learn more
+
+
+
+
+ Manage WebAuthn passkeys with the same lifecycle pattern.
+
+
+
+ Overview, prerequisites, and framework setup for all My Account components.
+
+
+
\ No newline at end of file
diff --git a/main/docs/get-started/universal-components/web/components/user-passkey-management.mdx b/main/docs/get-started/universal-components/web/components/user-passkey-management.mdx
new file mode 100644
index 0000000000..47641a5fc5
--- /dev/null
+++ b/main/docs/get-started/universal-components/web/components/user-passkey-management.mdx
@@ -0,0 +1,646 @@
+---
+title: User Passkey Management
+description: Render a card-based UI that lets users enroll and revoke their own WebAuthn passkeys using the Auth0 My Account API.
+sidebarTitle: UserPasskeyMgmt component
+---
+
+import { ComponentLoader } from "/snippets/ComponentLoader.jsx";
+import { ReleaseStageNotice } from "/snippets/ReleaseStageNotice.jsx";
+
+
+
+The `UserPasskeyMgmt` component lets users enroll and revoke [passkeys](/docs/authenticate/database-connections/passkeys) in a single card-based interface using the [My Account API](/docs/manage-users/my-account-api) and requires no props to render.
+The component renders a list of enrolled passkeys, a button to add a new passkey, and a revoke option.
+
+
+## Prerequisites
+
+To enable passkey support:
+
+* **Configure a custom domain on your Auth0 tenant**. Passkeys require a [custom domain](/docs/customize/custom-domains).
+
+* **Enable passkeys on your Auth0 database connection**. To learn how to enable passkeys in your Auth0 tenant, read [Configure Passkeys](/docs/authenticate/database-connections/passkeys/configure-passkey-policy#configure-passkeys).
+
+* **Match origin**. The relying party id must equal your application’s domain or be a registrable parent of it. To learn more, read [Relying party ID for Passkeys](/docs/authenticate/database-connections/passkeys#relying-party-id-for-passkeys)
+
+* **Ensure your application uses HTTPS**. WebAuthn requires that your application is served over HTTPS.
+
+* **Install and configure universal components in your application**. To install and configure universal components, read [Build Account Security UI](/docs/get-started/universal-components/web/components/my-account-overview#prerequisites).
+
+## Configure your application
+
+Select your framework to configure environment variables and universal components.
+
+
+
+
+## Install the component
+
+
+```bash pnpm wrap lines
+pnpm add @auth0/universal-components-react
+```
+
+```bash npm wrap lines
+npm install @auth0/universal-components-react
+```
+
+
+
+The install command also adds the `@auth0/universal-components-core` dependency for shared utilities and Auth0 integration.
+
+
+## Get started
+
+```tsx wrap lines
+import { UserPasskeyMgmt } from "@auth0/universal-components-react";
+
+export function SecurityPage() {
+ return ;
+}
+```
+
+
+- Components are always imported from the root entry `@auth0/universal-components-react`, regardless of framework.
+- Only the `Auth0ComponentProvider` component uses a framework-specific subpath: `/spa` for React applications, `/rwa` for Next.js applications.
+
+
+
+```tsx wrap lines
+import React from "react";
+import { UserPasskeyMgmt } from "@auth0/universal-components-react";
+import { Auth0Provider } from "@auth0/auth0-react";
+import { Auth0ComponentProvider } from "@auth0/universal-components-react/spa";
+import { analytics } from "./lib/analytics";
+
+function SecurityPage() {
+ return (
+
+ {
+ analytics.track("Passkey Enrolled");
+ },
+ }}
+ revokeAction={{
+ onBefore: async (passkey) =>
+ confirmDialog(`Remove passkey "${passkey.name}"?`),
+ onAfter: (passkey) => {
+ analytics.track("Passkey Revoked", { passkeyId: passkey.id });
+ },
+ }}
+ onErrorAction={(error, action) => {
+ console.error(`Passkey ${action} failed:`, error.message);
+ }}
+ customMessages={{
+ header: {
+ title: "Passkeys",
+ description: "Sign in faster and more securely without a password.",
+ },
+ }}
+ styling={{
+ variables: {
+ light: { "--color-primary": "#4f46e5" },
+ dark: { "--color-primary": "#818cf8" },
+ },
+ }}
+ />
+
+ );
+}
+
+export default function App() {
+ const domain = "YOUR_TENANT.auth0.com";
+ const clientId = "YOUR_CLIENT_ID";
+
+ return (
+
+
+
+
+
+ );
+}
+```
+
+
+
+
+
+
+## Install the component
+
+
+```bash pnpm wrap lines
+pnpm add @auth0/universal-components-react
+```
+
+```bash npm wrap lines
+npm install @auth0/universal-components-react
+```
+
+
+
+The install command also adds the `@auth0/universal-components-core` dependency for shared utilities and Auth0 integration.
+
+
+## Get started
+
+```tsx app/security/passkeys/page.tsx wrap lines
+"use client";
+
+import { UserPasskeyMgmt } from "@auth0/universal-components-react";
+
+export default function PasskeysPage() {
+ return ;
+}
+```
+
+
+```tsx app/security/passkeys/page.tsx wrap lines
+"use client";
+
+import { UserPasskeyMgmt } from "@auth0/universal-components-react";
+import { analytics } from "@/lib/analytics";
+
+export default function PasskeysPage() {
+ return (
+
+ {
+ analytics.track("Passkey Enrolled");
+ },
+ }}
+ revokeAction={{
+ onAfter: (passkey) => {
+ analytics.track("Passkey Revoked", { passkeyId: passkey.id });
+ },
+ }}
+ onErrorAction={(error, action) => {
+ console.error(`Passkey ${action} failed:`, error.message);
+ }}
+ customMessages={{
+ header: {
+ title: "Passkeys",
+ description: "Sign in faster and more securely without a password.",
+ },
+ }}
+ styling={{
+ variables: {
+ light: { "--color-primary": "#4f46e5" },
+ dark: { "--color-primary": "#818cf8" },
+ },
+ }}
+ />
+
+ );
+}
+```
+
+
+
+
+
+
+## Install the component
+
+```bash wrap lines
+npx shadcn@latest add https://auth0-universal-components.vercel.app/r/my-account/user-passkey-management.json
+```
+
+
+The install command adds the component source into `src/components/auth0/my-account/` along with all UI dependencies and the `@auth0/universal-components-core` dependency for shared utilities and Auth0 integration.
+
+
+## Get started
+
+```tsx wrap lines
+import { UserPasskeyMgmt } from "@/components/auth0/my-account/user-passkey-management";
+
+export function SecurityPage() {
+ return ;
+}
+```
+
+
+```tsx wrap lines
+import React from "react";
+import { UserPasskeyMgmt } from "@/components/auth0/my-account/user-passkey-management";
+import { Auth0Provider } from "@auth0/auth0-react";
+import { Auth0ComponentProvider } from "@auth0/universal-components-react/spa";
+import { analytics } from "./lib/analytics";
+
+function SecurityPage() {
+ return (
+
+ {
+ analytics.track("Passkey Enrolled");
+ },
+ }}
+ revokeAction={{
+ onBefore: async (passkey) =>
+ confirmDialog(`Remove passkey "${passkey.name}"?`),
+ onAfter: (passkey) => {
+ analytics.track("Passkey Revoked", { passkeyId: passkey.id });
+ },
+ }}
+ onErrorAction={(error, action) => {
+ console.error(`Passkey ${action} failed:`, error.message);
+ }}
+ customMessages={{
+ header: {
+ title: "Passkeys",
+ description: "Sign in faster and more securely without a password.",
+ },
+ }}
+ styling={{
+ variables: {
+ light: { "--color-primary": "#4f46e5" },
+ dark: { "--color-primary": "#818cf8" },
+ },
+ }}
+ />
+
+ );
+}
+
+export default function App() {
+ const domain = "YOUR_TENANT.auth0.com";
+ const clientId = "YOUR_CLIENT_ID";
+
+ return (
+
+
+
+
+
+ );
+}
+```
+
+
+
+
+
+## Props
+
+### Display props
+
+Display props control how the component renders without affecting its behavior.
+
+
+
+
+ | Prop |
+ Type |
+ Default |
+ Description |
+
+
+
+
+ hideHeader |
+ boolean |
+ false |
+ Hide the page-level header (title and description). The section card with the passkey list is always shown. |
+
+
+
+
+### Action props
+
+Action props let you hook into the component’s lifecycle events and trigger or cancel operations.
+
+
+
+
+ | Prop |
+ Type |
+ Description |
+
+
+
+
+ addAction |
+ ComponentAction<void> |
+ Lifecycle hooks for the add-passkey flow. Set disabled: true to hide the add button. |
+
+
+ revokeAction |
+ ComponentAction<Passkey> |
+ Lifecycle hooks for the revoke-passkey flow. Set disabled: true to hide the revoke option. |
+
+
+ onFetch |
+ () => void |
+ Triggered after the passkey list is successfully loaded. |
+
+
+ onErrorAction |
+ (error: Error, action: 'add' | 'revoke') => void |
+ Triggered when an add or revoke action fails. |
+
+
+
+
+
+**addAction**
+
+Controls the add a passkey flow. `onBefore` triggers before the browser WebAuthn prompt is shown; return `false` to cancel (for example, to enforce a passkey limit). `onAfter` triggers after the new passkey is saved.
+
+- `disabled` hide the "Add passkey" button.
+- `onBefore()` runs before the WebAuthn enrollment ceremony. Return `false` to cancel.
+- `onAfter()` runs after the passkey is successfully registered. Use this to refresh session state or send analytics.
+
+```tsx wrap lines
+ {
+ if (passkeys.length >= 5) {
+ toast.error("You can register a maximum of 5 passkeys.");
+ return false;
+ }
+ return true;
+ },
+ onAfter: () => {
+ analytics.track("Passkey Enrolled");
+ },
+ }}
+/>
+```
+
+**revokeAction**
+
+Controls the revoke a passkey flow. The built-in confirmation modal is shown; `onBefore` runs after the user confirms the modal but before the API call, so you can still cancel at that point. `onAfter` triggers after the passkey is deleted from the account.
+
+- `disabled` hides the revoke option from the passkey actions menu.
+- `onBefore(passkey)` runs before the revoke API call. Receives the `Passkey` object. Return `false` to cancel.
+- `onAfter(passkey)` runs after the passkey is successfully revoked. Receives the revoked `Passkey` object.
+
+```tsx wrap lines
+ {
+ auditLog.record({ action: "passkey_revoked", passkeyId: passkey.id });
+ },
+ }}
+/>
+```
+
+**onFetch**
+
+Triggers after the passkey list is successfully loaded on mount. Use this to show or hide adjacent UI that depends on whether the user has any registered passkeys.
+
+```tsx wrap lines
+ {
+ setPasskeysLoaded(true);
+ }}
+/>
+```
+
+**onErrorAction**
+
+Triggers when an add or revoke action fails. The `action` parameter is `'add'` or `'revoke'`. Use this to surface errors in your own toast system or error logging service.
+
+```tsx wrap lines
+ {
+ console.error(`Passkey ${action} failed:`, error.message);
+ toast.error(`Something went wrong while trying to ${action} your passkey.`);
+ }}
+/>
+```
+
+To render the list read-only, set `disabled: true` on both actions:
+
+```tsx wrap lines
+
+```
+
+### Customize props
+
+Customization props let you adapt copy and styling without modifying source code.
+
+
+
+
+ | Prop |
+ Type |
+ Description |
+
+
+
+
+ customMessages |
+ Partial<PasskeyMessages> |
+ Override default UI text and translations. |
+
+
+ styling |
+ ComponentStyling<UserPasskeyMgmtClasses> |
+ CSS variables and class overrides. |
+
+
+
+
+**customMessages**
+
+Customize all text and translations. Every field is optional.
+
+
+- **header**—`title`, `description` (page-level header; hidden when `hideHeader` is `true`)
+- **Top-level card**—`section_title`, `enabled` (badge shown when passkeys are enrolled), `no_passkeys` (empty state message), `add_passkey` (add button label)
+- **List items**—`created_at` (use `${date}` as placeholder), `last_used` (use `${date}` as placeholder)
+- **Actions**—`actions.revoke` (label in the per-passkey actions menu)
+- **Success toasts**—`success.add`, `success.revoke`
+- **Revoke modal**—`modals.revoke.title`, `modals.revoke.consent` (use `${name}` to bold the passkey name), `modals.revoke.cancel`, `modals.revoke.confirm`
+
+
+```tsx wrap lines
+${name}.",
+ cancel: "Cancel",
+ confirm: "Remove",
+ },
+ },
+ }}
+/>
+```
+
+**Customize style**
+
+Customize appearance with CSS variables and class overrides. Supports light/dark themes.
+
+
+**Variables**—CSS custom properties
+
+- `common` Applied to both themes
+- `light` Light mode only
+- `dark` Dark mode only
+
+**Class overrides**
+
+- `UserPasskeyMgmt-root` the outer card container wrapping the passkey list
+- `UserPasskeyMgmt-item` each individual passkey row card
+- `PasskeyActionModal-modalContent` the revoke confirmation modal content area
+
+
+```tsx wrap lines
+
+```
+
+## TypeScript definitions
+
+```typescript wrap lines
+interface Passkey {
+ id: string;
+ name?: string;
+ createdAt?: string;
+ lastUsedAt?: string;
+ deviceInfo?: string;
+}
+
+interface UserPasskeyMgmtClasses {
+ "UserPasskeyMgmt-root"?: string;
+ "UserPasskeyMgmt-item"?: string;
+ "PasskeyActionModal-modalContent"?: string;
+}
+
+// ComponentAction provides before/after hooks and a disabled flag.
+// Both hooks receive the same data type T.
+interface ComponentAction {
+ disabled?: boolean;
+ onBefore?: (data: T, extra?: U) => boolean | Promise;
+ onAfter?: (data: T, extra?: U) => void | Promise;
+}
+
+interface UserPasskeyMgmtProps {
+ hideHeader?: boolean;
+ customMessages?: Partial;
+ styling?: ComponentStyling;
+ addAction?: ComponentAction;
+ revokeAction?: ComponentAction;
+ onFetch?: () => void;
+ onErrorAction?: (error: Error, action: "add" | "revoke") => void;
+}
+```
+
+## Advanced customization
+
+The `UserPasskeyMgmt` component is composed of a stateless view component and a hook. Import them individually to build custom workflows.
+
+### Available subcomponents
+
+For advanced use cases, you can import individual subcomponents to build custom interfaces.
+
+
+
+
+ | Subcomponent |
+ Description |
+
+
+
+
+
+
+ UserPasskeyMgmtView
+ |
+
+ Stateless view layer; bring your own data and handlers via `useUserPasskey`. |
+
+
+
+ PasskeyActionModal
+ |
+
+ The revoke confirmation modal. Can be rendered standalone if you need a custom revoke trigger separate from the passkey list. |
+
+
+
+
+### Available hooks
+
+
+
+
+ | Hook |
+ Description |
+
+
+
+
+
+
+ useUserPasskey
+ |
+
+ Full data and interaction layer: passkey list query, enroll mutation, revoke mutation, modal state, and all event handlers. |
+
+
+
+
+## Learn more
+
+
+
+
+ Manage MFA factors (TOTP, SMS, email OTP, push, recovery codes) alongside passkeys.
+
+
+
+ Overview, prerequisites, and framework setup for all My Account components.
+
+
+