> Lock documentation on setting authentication parameters.

# Lock Authentication Parameters

You can send parameters when starting a login by adding them to the options object. The example below adds a `state` parameter with a value equal to `'foo'`.

```js
var options = {
  auth: {
    params: {state: 'foo'},
  }
};
```

The above example would be analogous to triggering the login with `https://{yourDomain}/authorize?state=foo&...`.

The following parameters are supported: `scope`, `device`, `nonce` and `state`.

## Supported parameters

### scope \{string}

```js
var options = {
  auth: {
    params: {scope: 'openid email user_metadata app_metadata picture'},
  }
};
```

The `scope` parameter accepts several values. Keep in mind that <Tooltip tip="JSON Web Token (JWT): Standard ID Token format (and often Access Token format) used to represent claims securely between two parties." cta="View Glossary" href="/docs/glossary?term=JWTs">JWTs</Tooltip> are sent on every API request, so it is desirable to keep them as small as possible by requesting only the scopes you need.

The default `scope` value in Lock is `openid profile email`. This minimum scope value is required to make the **Last time you logged in with** feature work correctly.

<Card title="Running Lock locally">
  If you don't manually specify at least the default scope of `openid profile email` when initializing Lock, and you are running your website from `http://localhost` or `http://127.0.0.1`, you will get the following error in the browser console:

  `Consent required. When using getSSOData, the user has to be authenticated with the following scope: openid profile email`

  That will **not** happen when you run your application in production or if you specify the `openid profile email` scope. You can read more about this in the [User consent and third-party applications](/docs/get-started/applications/third-party-applications/user-consent-and-third-party-applications) document.
</Card>

For more information about scopes, see the [scopes documentation page](/docs/get-started/apis/scopes).

#### Example: retrieve a token

In Lock, if you wish to receive a token with the ability to fetch the user's profile data, you should add the `scope` parameter.

```js
var options = {
  auth: {
    params: {
      scope: 'openid profile'
    }
  }
};
```

There is also a `connectionScopes` configuration option for Lock, which allows you to specify scopes on any specific connection. This will be useful if you want to initially start with a set of scopes (defined on the dashboard), but later on request additional permissions or attributes from a specific connection. Read more about it on the [Lock Configuration Options](/docs/libraries/lock/lock-configuration) page.

### state \{string}

The `state` parameter is an arbitrary state value that will be maintained across redirects. It is useful to mitigate [XSRF attacks](https://en.wikipedia.org/wiki/Cross-site_request_forgery) and to carry any contextual information, [such as a return URL](/docs/authenticate/login/logout/redirect-users-after-logout), that you might need after the authentication process is finished. If a custom state parameter is not provided, Lock will automatically generate one. For more information, see [State Parameter](/docs/secure/attack-protection/state-parameters).
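The following is an added example, not code from the Lock documentation or library: it builds a custom `state` that serves both purposes described above, using an unpredictable per-login value (a fixed value such as `'foo'` gives no XSRF protection) that is bound to a return path and checked once when it comes back. The helper names (`memoryStore`, `isSafeReturnPath`, `createState`, `consumeState`) and the `login_state:` key prefix are hypothetical; the in-memory store stands in for `window.sessionStorage` so the code runs offline.

```js
// Added example. Works in a browser (window.crypto) and in Node.
const webcrypto = globalThis.crypto || require('crypto').webcrypto;

// Hypothetical stand-in for window.sessionStorage (constructed for this example).
function memoryStore() {
  const m = new Map();
  return {
    setItem: (k, v) => { m.set(k, String(v)); },
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    removeItem: (k) => { m.delete(k); },
  };
}

// Accept only same-site relative paths made of printable ASCII, so the
// return URL carried alongside the state cannot become an open redirect
// ("//host", "/\host", absolute URLs and control characters are rejected).
function isSafeReturnPath(p) {
  return typeof p === 'string' && /^\/(?![\/\\])[\x21-\x7e]*$/.test(p);
}

// Generate 128 bits of randomness as the state and remember the return path.
function createState(store, returnTo) {
  const bytes = webcrypto.getRandomValues(new Uint8Array(16));
  const state = Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
  store.setItem('login_state:' + state, isSafeReturnPath(returnTo) ? returnTo : '/');
  return state;
}

// Check the state that came back after login. Returns the return path,
// or null when the state is unknown or was already used.
function consumeState(store, returnedState) {
  const key = 'login_state:' + returnedState;
  const returnTo = store.getItem(key);
  if (returnTo === null) return null;
  store.removeItem(key); // single use
  return returnTo;
}

// Usage with the options shape shown on this page.
const store = memoryStore(); // in a browser: window.sessionStorage
const state = createState(store, '/settings/billing');
const options = { auth: { params: { state: state } } };
```

When `consumeState` returns `null`, treat the response as unsolicited and discard it instead of redirecting.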

### nonce \{string}

The `nonce` parameter is used to help prevent replay attacks, and will be automatically generated by Lock if a custom value is not provided.

### device \{string}

The `device` parameter sets the name of the device or browser requesting authentication.
