auth0 · agiannelli-auth0 · Nov 5, 2025
diff --git a/main/docs/get-started/applications/configure-jar.mdx b/main/docs/get-started/applications/configure-jar.mdx
@@ -12,6 +12,26 @@ title: Configure JWT-secured Authorization Requests (JAR)
 ---
 import {AuthCodeBlock} from "/snippets/AuthCodeBlock.jsx";
 
+export const codeExample1 = `POST https://{yourTenant}.auth0.com/api/v2/clients/{yourClientId}/credentials
+Authorization: Bearer [YOUR ACCESS TOKEN]
+Content-Type: application/json
+{
+  "name": "My credentials for JAR",
+  "credential_type": "public_key",
+  "pem": "[YOUR PEM FILE CONTENT]",
+  "alg": "RS256"
+}`;
+
+export const codeExample2 = `PATCH https://{yourTenant}.auth0.com/api/v2/clients/{yourClientId}
+Authorization: Bearer [YOUR ACCESS TOKEN]
+Content-Type: application/json
+{
+  "signed_request_object": {
+    "credentials": [{"id": "[YOUR CREDENTIAL ID]"}]
+  }
+}`;
+
+
 <Callout icon="file-lines" color="#0EA5E9" iconType="regular">
 
 To use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to [Auth0 Pricing](https://auth0.com/pricing/) for details.
@@ -106,17 +126,6 @@ When updating an existing application, you need to explicitly create a client cr
 
 {/* codeblockOld.header.login.logInButton codeblockOld.header.login.configureSnippet */}
 
-
-export const codeExample1 = `POST https://{yourTenant}.auth0.com/api/v2/clients/{yourClientId}/credentials
-Authorization: Bearer [YOUR ACCESS TOKEN]
-Content-Type: application/json
-{
-  "name": "My credentials for JAR",
-  "credential_type": "public_key",
-  "pem": "[YOUR PEM FILE CONTENT]",
-  "alg": "RS256"
-}`;
-
 <AuthCodeBlock children={codeExample1} language="json" />
 
 
@@ -134,16 +143,6 @@ Then, assign the client credential to the `signed_request_object` client configu
 
 {/* codeblockOld.header.login.logInButton codeblockOld.header.login.configureSnippet */}
 
-
-export const codeExample2 = `PATCH https://{yourTenant}.auth0.com/api/v2/clients/{yourClientId}
-Authorization: Bearer [YOUR ACCESS TOKEN]
-Content-Type: application/json
-{
-  "signed_request_object": {
-    "credentials": [{"id": "[YOUR CREDENTIAL ID]"}]
-  }
-}`;
-
 <AuthCodeBlock children={codeExample2} language="json" />
 
 
@@ -156,4 +155,4 @@ Content-Type: application/json
 ## Learn more
 
 * [Authorization Code Flow with JWT-Secured Authorization Requests (JAR)](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow/authorization-code-flow-with-jar)
-* [Authorization Code Flow with PAR and JAR](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow/authorization-code-flow-with-par-and-jar)
+* [Authorization Code Flow with PAR and JAR](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow/authorization-code-flow-with-par-and-jar)
diff --git a/...ocs/get-started/architecture-scenarios/mobile-api/api-implementation-nodejs.mdx b/...ocs/get-started/architecture-scenarios/mobile-api/api-implementation-nodejs.mdx
@@ -11,6 +11,40 @@ title: Node.js API Implementation (Mobile Apps + API)
 ---
 import {AuthCodeBlock} from "/snippets/AuthCodeBlock.jsx";
 
+export const codeExample = `// set dependencies - code omitted
+
+// Enable CORS - code omitted
+
+// Create middleware for checking the JWT
+const checkJwt = jwt({
+  // Dynamically provide a signing key based on the kid in the header and the signing keys provided by the JWKS endpoint
+  secret: jwksRsa.expressJwtSecret({
+    cache: true,
+    rateLimit: true,
+    jwksRequestsPerMinute: 5,
+    jwksUri: \`https://{yourDomain}/.well-known/jwks.json\`
+  }),
+
+  // Validate the audience and the issuer
+  audience: '{YOUR_API_IDENTIFIER}', //replace with your API's audience, available at Dashboard > APIs
+  issuer: 'https://{yourDomain}/',
+  algorithms: [ 'RS256' ]
+});
+
+// Enable the use of request body parsing middleware - code omitted
+
+// create timesheets API endpoint - code omitted
+app.post('/timesheets', checkJwt, function(req, res){
+  var timesheet = req.body;
+
+  // Save the timesheet to the database...
+
+  //send the response
+  res.status(201).send(timesheet);
+});
+// launch the API Server at localhost:8080 - code omitted`;
+
+
 This document is part of the Mobile + API Architecture Scenario and it explains how to implement the API in Node.js. The full source code for the Node.js API implementation can be found in [this GitHub repository](https://github.com/auth0-samples/auth0-pnp-exampleco-timesheets/tree/master/timesheets-api/node).
 
 Please refer to the scenario for information on the implemented solution.
@@ -139,38 +173,6 @@ The steps we will follow in our code are:
 
 You can also write some code to actually save the timesheet to a database. This is our sample implementation (some code is omitted for brevity):
 
-export const codeExample = `// set dependencies - code omitted
-
-// Enable CORS - code omitted
-
-// Create middleware for checking the JWT
-const checkJwt = jwt({
-  // Dynamically provide a signing key based on the kid in the header and the signing keys provided by the JWKS endpoint
-  secret: jwksRsa.expressJwtSecret({
-    cache: true,
-    rateLimit: true,
-    jwksRequestsPerMinute: 5,
-    jwksUri: \`https://{yourDomain}/.well-known/jwks.json\`
-  }),
-
-  // Validate the audience and the issuer
-  audience: '{YOUR_API_IDENTIFIER}', //replace with your API's audience, available at Dashboard > APIs
-  issuer: 'https://{yourDomain}/',
-  algorithms: [ 'RS256' ]
-});
-
-// Enable the use of request body parsing middleware - code omitted
-
-// create timesheets API endpoint - code omitted
-app.post('/timesheets', checkJwt, function(req, res){
-  var timesheet = req.body;
-
-  // Save the timesheet to the database...
-
-  //send the response
-  res.status(201).send(timesheet);
-});
-// launch the API Server at localhost:8080 - code omitted`;
 
 <AuthCodeBlock children={codeExample} language="javascript" />
 
@@ -302,4 +304,4 @@ app.get('/timesheets', checkJwt, jwtAuthz(['read:timesheets'], { customUserKey:
 
 
 </Accordion>
-</AccordionGroup>
+</AccordionGroup>
diff --git a/...low/authorization-code-flow/call-your-api-using-the-authorization-code-flow.mdx b/...low/authorization-code-flow/call-your-api-using-the-authorization-code-flow.mdx
@@ -13,6 +13,24 @@ import {AuthCodeBlock} from "/snippets/AuthCodeBlock.jsx";
 
 import {AuthCodeGroup} from "/snippets/AuthCodeGroup.jsx";
 
+export const codeExample1 = `https://{yourDomain}/authorize?
+    response_type=code&
+    client_id={yourClientId}&
+    redirect_uri={https://yourApp/callback}&
+    scope={scope}&
+    audience={apiAudience}&
+    state={state}`;
+
+export const codeExample2 = `<a href="https://{yourDomain}/authorize?
+  response_type=code&
+  client_id={yourClientId}&
+  redirect_uri={https://yourApp/callback}&  
+  scope=appointments%20contacts&
+  audience=appointments:api&
+  state=xyzABC123">
+  Sign In
+</a>`;
+
 <Callout icon="file-lines" color="#0EA5E9" iconType="regular">
 
 This tutorial will help you call your own API using the Authorization Code Flow. If you want to learn how the flow works and why you should use it, see [Authorization Code Flow](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow). If you want to learn to add login to your regular web app, see [Add Login Using the Authorization Code Flow](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow/add-login-auth-code-flow).
@@ -54,14 +72,6 @@ To authorize the user, your app must send the user to the [authorization URL](ht
 
 #### Example authorization URL
 
-export const codeExample1 = `https://{yourDomain}/authorize?
-    response_type=code&
-    client_id={yourClientId}&
-    redirect_uri={https://yourApp/callback}&
-    scope={scope}&
-    audience={apiAudience}&
-    state={state}`;
-
 <AuthCodeBlock children={codeExample1} language="http" />
 
 ##### Parameters
@@ -115,16 +125,6 @@ Note that for authorizing a user when calling a custom API, you:
 
 As an example, your HTML snippet for your authorization URL when adding login to your app might look like:
 
-export const codeExample2 = `<a href="https://{yourDomain}/authorize?
-  response_type=code&
-  client_id={yourClientId}&
-  redirect_uri={https://yourApp/callback}&  
-  scope=appointments%20contacts&
-  audience=appointments:api&
-  state=xyzABC123">
-  Sign In
-</a>`;
-
 <AuthCodeBlock children={codeExample2} language="html" />
 
 #### Response
@@ -867,4 +867,4 @@ Auth0 returns profile information in a structured claim format as defined by the
 
 * [OAuth 2.0 Authorization Framework](/docs/authenticate/protocols/oauth)
 * [OpenID Connect Protocol](/docs/authenticate/protocols/openid-connect-protocol)
-* [Tokens](/docs/secure/tokens)
+* [Tokens](/docs/secure/tokens)