So technically, you can use Auth0 for sessions. However, those uses are not optimal in terms of security cause Auth0 (like cognito, firebase, okta....) does nothing to detect compromise of those session tokens. That is the reason why it's recommended to not expose Auth0's access tokens on the frontend client, cause if they are compromised, that user is screwed. Instead, if you have a backend app, use the authorisation code grant flow to get the access and refresh tokens of Auth0 on your backend and keep them there. This way, the chances of those getting compromised is significantly less. If you do this, you need to manage sessions on your own. Sure.. those session tokens can be compromised and your APIs will be affected, but in that case you can build stuff to detect token theft cause you have that control.