docs: add security recommendation callout for React SPA setup in Universal Components docs

[chakrihacker]

Description

• Added a security recommendation callout to the React tab in both the Universal Components overview and the Auth0ComponentProvider setup pages
• Callout advises production users to prefer the Next.js proxy mode over React SPA mode to avoid token exposure via XSS

Checklist

• I've read and followed CONTRIBUTING.md.
• I've tested the site build for this change locally.
• I've made appropriate docs updates for any code or config changes.
• I've coordinated with the Product Docs and/or Docs Management team about non-trivial changes.

[github-actions]

Summary

Status	Count
🔍 Total	19
✅ Successful	7
⏳ Timeouts	0
🔀 Redirected	1
👻 Excluded	11
❓ Unknown	0
🚫 Errors	0
⛔ Unsupported	0

Redirects per input

Redirects in main/docs/get-started/universal-components/universal-components-overview.mdx

• [200] https://tailwindcss.com/docs/installation | Redirect: Followed 1 redirect resolving to the final status of: OK. Redirects: https://tailwindcss.com/docs/installation --> https://tailwindcss.com/docs/installation/using-vite
  Full Github Actions output

[mintlify]

Preview deployment for your docs. Learn more about Mintlify Previews.

Project	Status	Preview	Updated (UTC)
auth0	🟢 Ready	View Preview	Jun 9, 2026, 12:51 PM

💡 Tip: Enable Workflows to automatically generate PRs for you.

[mintlify]

Preview deployment for your docs. Learn more about Mintlify Previews.

Project	Status	Preview	Updated (UTC)
auth0-docs-staging	🟢 Ready	View Preview	Jun 9, 2026, 12:51 PM

💡 Tip: Enable Workflows to automatically generate PRs for you.

[Ajeey]

@chakrihacker, has this verbatim been reviewed with @SurajThotakura? I wouldn't use the words like keeps, exposes etc. It needs to be aligned with the overall docs terminology

[SurajThotakura]

I agree with Ajey's point, "exposes them to the browser" and "token theft via XSS" read like a vulnerability report rather than product docs.

Suggested copy:

Security recommendation: For production applications that manage Organization configuration, Auth0 recommends the Next.js setup (Regular Web App). Next.js proxy mode stores tokens server-side, which reduces the attack surface compared to browser-stored tokens in a Single Page Application. If you use React SPA mode, review the Token Storage guidance to understand the tradeoffs.

[SurajThotakura]

@chakrihacker
The anchor [Next.js setup](#next-js) is not resolving properly, it works for the first time but if the user switches the tabs and tries to use this again it breaks.
Link the full next.js tab path directly /docs/get-started/universal-components/auth0-component-provider#next-js

[SurajThotakura]

I agree with Ajey's point, "exposes them to the browser" and "token theft via XSS" read like a vulnerability report rather than product docs.

Suggested copy:

Security recommendation: For production applications that manage Organization configuration, Auth0 recommends the Next.js setup (Regular Web App). Next.js proxy mode stores tokens server-side, which reduces the attack surface compared to browser-stored tokens in a Single Page Application. If you use React SPA mode, review the Token Storage guidance to understand the tradeoffs.

[SurajThotakura]

Same two changes needed here:

• fix the #next-js anchor
• align wording with the revised copy

[rax7389]

@SurajThotakura we should show this for shadcn as well right?