diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5578ad8d..a6284175 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,22 @@
+## [v9.12.0](https://github.com/auth0/auth0.js/tree/v9.12.0) (2019-12-11)
+
+[Full Changelog](https://github.com/auth0/auth0.js/compare/v9.11.3...v9.12.0)
+
+**Added**
+
+- [CAUTH-239] Add getChallenge method [\#1057](https://github.com/auth0/auth0.js/pull/1057) ([jfromaniello](https://github.com/jfromaniello))
+
+**Fixed**
+
+- Fixed passwordless params priority [\#1058](https://github.com/auth0/auth0.js/pull/1058) ([stevehobbsdev](https://github.com/stevehobbsdev))
+- Bugfix for WebExtension [\#1054](https://github.com/auth0/auth0.js/pull/1054) ([STK913](https://github.com/STK913))
+- Readme develop [\#1043](https://github.com/auth0/auth0.js/pull/1043) ([jsoref](https://github.com/jsoref))
+- Fixed typo [\#1039](https://github.com/auth0/auth0.js/pull/1039) ([Nyholm](https://github.com/Nyholm))
+
+**Security**
+
+- [SDK-974] Improved OIDC compliance [\#1059](https://github.com/auth0/auth0.js/pull/1059) ([stevehobbsdev](https://github.com/stevehobbsdev))
+
 ## [v9.11.3](https://github.com/auth0/auth0.js/tree/v9.11.3) (2019-07-23)
 
 **Fixed**
diff --git a/README.md b/README.md
index 9db74773..535811b7 100644
--- a/README.md
+++ b/README.md
@@ -31,7 +31,7 @@ From CDN:
 
 ```html
 <!-- Latest patch release -->
-<script src="https://cdn.auth0.com/js/auth0/9.11.3/auth0.min.js"></script>
+<script src="https://cdn.auth0.com/js/auth0/9.12.0/auth0.min.js"></script>
 ```
 
 From [npm](https://npmjs.org):
@@ -65,6 +65,7 @@ Parameters:
 - **responseType {OPTIONAL, string}**: Response type for all authentication requests. It can be any space separated list of the values `code`, `token`, `id_token`. **If you don't provide a global `responseType`, you will have to provide a `responseType` for each method that you use**.
 - **responseMode {OPTIONAL, string}**: The default responseMode used, defaults to `'fragment'`. The `parseHash` method can be used to parse authentication responses using fragment response mode. Supported values are `query`, `fragment` and `form_post`. The `query` value is only supported when `responseType` is `code`.
 - **\_disableDeprecationWarnings {OPTIONAL, boolean}**: Indicates if deprecation warnings should be output to the browser console, defaults to `false`.
+- **maxAge {OPTIONAL, number}**: Used during token validation. Specifies the maximum elapsed time in seconds since the last time the user was actively authenticated by the authorization server. If the elapsed time is greater than this value, the token is considered invalid and the user must be re-authenticated.
 
 ### API
 
@@ -181,10 +182,10 @@ var auth0 = new auth0.Management({
 
 ### API
 
-- **getUser(userId, cb)**: Returns the user profile. [https://auth0.com/docs/api/management/v2#!/Users/get\_users\_by\_id](https://auth0.com/docs/api/management/v2#!/Users/get_users_by_id)
-- **patchUserMetadata(userId, userMetadata, cb)**: Updates the user metadata. It will patch the user metadata with the attributes sent. [https://auth0.com/docs/api/management/v2#!/Users/patch\_users\_by\_id](https://auth0.com/docs/api/management/v2#!/Users/patch_users_by_id)
-- **patchUserAttributes(userId, user, cb)**: Updates the user attributes. It will patch the root attributes that the server allows it. To check what attributes can be patched, go to [https://auth0.com/docs/api/management/v2#!/Users/patch\_users\_by\_id](https://auth0.com/docs/api/management/v2#!/Users/patch_users_by_id)
-- **linkUser(userId, secondaryUserToken, cb)**: Link two users. [https://auth0.com/docs/api/management/v2#!/Users/post\_identities](https://auth0.com/docs/api/management/v2#!/Users/post_identities)
+- **getUser(userId, cb)**: Returns the user profile. [https://auth0.com/docs/api/management/v2#!/Users/get_users_by_id](https://auth0.com/docs/api/management/v2#!/Users/get_users_by_id)
+- **patchUserMetadata(userId, userMetadata, cb)**: Updates the user metadata. It will patch the user metadata with the attributes sent. [https://auth0.com/docs/api/management/v2#!/Users/patch_users_by_id](https://auth0.com/docs/api/management/v2#!/Users/patch_users_by_id)
+- **patchUserAttributes(userId, user, cb)**: Updates the user attributes. It will patch the root attributes that the server allows it. To check what attributes can be patched, go to [https://auth0.com/docs/api/management/v2#!/Users/patch_users_by_id](https://auth0.com/docs/api/management/v2#!/Users/patch_users_by_id)
+- **linkUser(userId, secondaryUserToken, cb)**: Link two users. [https://auth0.com/docs/api/management/v2#!/Users/post_identities](https://auth0.com/docs/api/management/v2#!/Users/post_identities)
 
 ## Documentation
 
diff --git a/docs/Authentication.html b/docs/Authentication.html
index 9f48f5a5..b75e4931 100644
--- a/docs/Authentication.html
+++ b/docs/Authentication.html
@@ -108,6 +108,12 @@
           ><a href="global.html#delegation">delegation</a></span
         >
       </li>
+      <li class="nav-item">
+        <span class="nav-item-type type-function">F</span
+        ><span class="nav-item-name"
+          ><a href="global.html#getChallenge">getChallenge</a></span
+        >
+      </li>
       <li class="nav-item">
         <span class="nav-item-type type-function">F</span
         ><span class="nav-item-name"
@@ -488,8 +494,8 @@ <h5>Parameters:</h5>
 
     <footer>
       Generated by <a href="https://github.com/jsdoc3/jsdoc">JSDoc 3.6.3</a> on
-      Tue Jul 23 2019 10:46:01 GMT-0300 (Brasilia Standard Time) using the
-      Minami theme.
+      Wed Dec 11 2019 10:33:27 GMT+0000 (Greenwich Mean Time) using the Minami
+      theme.
     </footer>
 
     <script>
diff --git a/docs/Management.html b/docs/Management.html
index f73a5af5..e8b59845 100644
--- a/docs/Management.html
+++ b/docs/Management.html
@@ -108,6 +108,12 @@
           ><a href="global.html#delegation">delegation</a></span
         >
       </li>
+      <li class="nav-item">
+        <span class="nav-item-type type-function">F</span
+        ><span class="nav-item-name"
+          ><a href="global.html#getChallenge">getChallenge</a></span
+        >
+      </li>
       <li class="nav-item">
         <span class="nav-item-type type-function">F</span
         ><span class="nav-item-name"
@@ -362,8 +368,8 @@ <h5>Parameters:</h5>
 
     <footer>
       Generated by <a href="https://github.com/jsdoc3/jsdoc">JSDoc 3.6.3</a> on
-      Tue Jul 23 2019 10:46:01 GMT-0300 (Brasilia Standard Time) using the
-      Minami theme.
+      Wed Dec 11 2019 10:33:27 GMT+0000 (Greenwich Mean Time) using the Minami
+      theme.
     </footer>
 
     <script>
diff --git a/docs/WebAuth.html b/docs/WebAuth.html
index d99312e2..d313942d 100644
--- a/docs/WebAuth.html
+++ b/docs/WebAuth.html
@@ -108,6 +108,12 @@
           ><a href="global.html#delegation">delegation</a></span
         >
       </li>
+      <li class="nav-item">
+        <span class="nav-item-type type-function">F</span
+        ><span class="nav-item-name"
+          ><a href="global.html#getChallenge">getChallenge</a></span
+        >
+      </li>
       <li class="nav-item">
         <span class="nav-item-type type-function">F</span
         ><span class="nav-item-name"
@@ -276,7 +282,7 @@ <h4 class="name" id="WebAuth">
                   <ul class="dummy">
                     <li>
                       <a href="web-auth_index.js.html">web-auth/index.js</a>,
-                      <a href="web-auth_index.js.html#line35">line 35</a>
+                      <a href="web-auth_index.js.html#line39">line 39</a>
                     </li>
                   </ul>
                 </dd>
@@ -525,8 +531,8 @@ <h5>Parameters:</h5>
 
     <footer>
       Generated by <a href="https://github.com/jsdoc3/jsdoc">JSDoc 3.6.3</a> on
-      Tue Jul 23 2019 10:46:01 GMT-0300 (Brasilia Standard Time) using the
-      Minami theme.
+      Wed Dec 11 2019 10:33:27 GMT+0000 (Greenwich Mean Time) using the Minami
+      theme.
     </footer>
 
     <script>
diff --git a/docs/authentication_db-connection.js.html b/docs/authentication_db-connection.js.html
index 497a6418..21b8a892 100644
--- a/docs/authentication_db-connection.js.html
+++ b/docs/authentication_db-connection.js.html
@@ -108,6 +108,12 @@
           ><a href="global.html#delegation">delegation</a></span
         >
       </li>
+      <li class="nav-item">
+        <span class="nav-item-type type-function">F</span
+        ><span class="nav-item-name"
+          ><a href="global.html#getChallenge">getChallenge</a></span
+        >
+      </li>
       <li class="nav-item">
         <span class="nav-item-type type-function">F</span
         ><span class="nav-item-name"
@@ -279,6 +285,7 @@ <h1 class="page-title">authentication/db-connection.js</h1>
  * @param {Object} options
  * @param {String} options.email user email address
  * @param {String} options.password user password
+ * @param {String} [options.username] user desired username. Required if you use a database connection and you have enabled `Requires Username`
  * @param {String} options.connection name of the connection where the user will be created
  * @param {Object} [options.userMetadata] additional signup attributes used for creating the user. Will be stored in `user_metadata`
  * @param {signUpCallback} cb
@@ -377,8 +384,8 @@ <h1 class="page-title">authentication/db-connection.js</h1>
 
     <footer>
       Generated by <a href="https://github.com/jsdoc3/jsdoc">JSDoc 3.6.3</a> on
-      Tue Jul 23 2019 10:46:01 GMT-0300 (Brasilia Standard Time) using the
-      Minami theme.
+      Wed Dec 11 2019 10:33:27 GMT+0000 (Greenwich Mean Time) using the Minami
+      theme.
     </footer>
 
     <script>
diff --git a/docs/authentication_index.js.html b/docs/authentication_index.js.html
index 96c91830..753b22c2 100644
--- a/docs/authentication_index.js.html
+++ b/docs/authentication_index.js.html
@@ -108,6 +108,12 @@
           ><a href="global.html#delegation">delegation</a></span
         >
       </li>
+      <li class="nav-item">
+        <span class="nav-item-type type-function">F</span
+        ><span class="nav-item-name"
+          ><a href="global.html#getChallenge">getChallenge</a></span
+        >
+      </li>
       <li class="nav-item">
         <span class="nav-item-type type-function">F</span
         ><span class="nav-item-name"
@@ -516,6 +522,7 @@ <h1 class="page-title">authentication/index.js</h1>
  * @param {Number} [result.expiresIn] number of seconds until the access token expires
  * @param {String} [result.idToken] token that identifies the user
  * @param {String} [result.refreshToken] token that can be used to get new access tokens from Auth0. Note that not all Auth0 Applications can request them or the resource server might not allow them.
+ * @param {Object} [result.appState] values that you receive back on the authentication response
  */
 
 /**
@@ -800,6 +807,28 @@ <h1 class="page-title">authentication/index.js</h1>
     .end(responseHandler(cb, { ignoreCasing: true }));
 };
 
+/**
+ * Makes a call to the `/usernamepassword/challenge` endpoint
+ * and returns the challenge (captcha) if necessary.
+ *
+ * @method getChallenge
+ * @param {callback} cb
+ */
+Authentication.prototype.getChallenge = function(cb) {
+  assert.check(cb, { type: 'function', message: 'cb parameter is not valid' });
+
+  if (!this.baseOptions.state) {
+    return cb();
+  }
+
+  var url = urljoin(this.baseOptions.rootUrl, 'usernamepassword', 'challenge');
+
+  return this.request
+    .post(url)
+    .send({ state: this.baseOptions.state })
+    .end(responseHandler(cb, { ignoreCasing: true }));
+};
+
 /**
  * @callback delegationCallback
  * @param {Error} [err] error returned by Auth0 with the reason why the delegation failed
@@ -874,8 +903,8 @@ <h1 class="page-title">authentication/index.js</h1>
 
     <footer>
       Generated by <a href="https://github.com/jsdoc3/jsdoc">JSDoc 3.6.3</a> on
-      Tue Jul 23 2019 10:46:01 GMT-0300 (Brasilia Standard Time) using the
-      Minami theme.
+      Wed Dec 11 2019 10:33:27 GMT+0000 (Greenwich Mean Time) using the Minami
+      theme.
     </footer>
 
     <script>
diff --git a/docs/global.html b/docs/global.html
index 0d2bc529..df9eb5e0 100644
--- a/docs/global.html
+++ b/docs/global.html
@@ -108,6 +108,12 @@
           ><a href="global.html#delegation">delegation</a></span
         >
       </li>
+      <li class="nav-item">
+        <span class="nav-item-type type-function">F</span
+        ><span class="nav-item-name"
+          ><a href="global.html#getChallenge">getChallenge</a></span
+        >
+      </li>
       <li class="nav-item">
         <span class="nav-item-type type-function">F</span
         ><span class="nav-item-name"
@@ -285,7 +291,7 @@ <h4 class="name" id="authorize">
                 <ul class="dummy">
                   <li>
                     <a href="web-auth_index.js.html">web-auth/index.js</a>,
-                    <a href="web-auth_index.js.html#line634">line 634</a>
+                    <a href="web-auth_index.js.html#line658">line 658</a>
                   </li>
                 </ul>
               </dd>
@@ -499,6 +505,23 @@ <h5>Parameters:</h5>
                             </p>
                           </td>
                         </tr>
+
+                        <tr>
+                          <td class="name"><code>appState</code></td>
+
+                          <td class="type">
+                            <span class="param-type"><code>Object</code></span>
+                          </td>
+
+                          <td class="attributes">&lt;optional><br /></td>
+
+                          <td class="description last">
+                            <p>
+                              any values that you want back on the
+                              authentication response
+                            </p>
+                          </td>
+                        </tr>
                       </tbody>
                     </table>
                   </td>
@@ -1363,8 +1386,12 @@ <h4 class="name" id="changePassword">
               <dd class="tag-source">
                 <ul class="dummy">
                   <li>
-                    <a href="web-auth_index.js.html">web-auth/index.js</a>,
-                    <a href="web-auth_index.js.html#line573">line 573</a>
+                    <a href="authentication_db-connection.js.html"
+                      >authentication/db-connection.js</a
+                    >,
+                    <a href="authentication_db-connection.js.html#line78"
+                      >line 78</a
+                    >
                   </li>
                 </ul>
               </dd>
@@ -1488,12 +1515,8 @@ <h4 class="name" id="changePassword">
               <dd class="tag-source">
                 <ul class="dummy">
                   <li>
-                    <a href="authentication_db-connection.js.html"
-                      >authentication/db-connection.js</a
-                    >,
-                    <a href="authentication_db-connection.js.html#line77"
-                      >line 77</a
-                    >
+                    <a href="web-auth_index.js.html">web-auth/index.js</a>,
+                    <a href="web-auth_index.js.html#line597">line 597</a>
                   </li>
                 </ul>
               </dd>
@@ -1619,7 +1642,7 @@ <h4 class="name" id="checkSession">
                 <ul class="dummy">
                   <li>
                     <a href="web-auth_index.js.html">web-auth/index.js</a>,
-                    <a href="web-auth_index.js.html#line510">line 510</a>
+                    <a href="web-auth_index.js.html#line534">line 534</a>
                   </li>
                 </ul>
               </dd>
@@ -1840,7 +1863,7 @@ <h4 class="name" id="crossOriginAuthenticationCallback">
                 <ul class="dummy">
                   <li>
                     <a href="web-auth_index.js.html">web-auth/index.js</a>,
-                    <a href="web-auth_index.js.html#line814">line 814</a>
+                    <a href="web-auth_index.js.html#line839">line 839</a>
                   </li>
                 </ul>
               </dd>
@@ -1869,7 +1892,7 @@ <h4 class="name" id="crossOriginVerification">
                 <ul class="dummy">
                   <li>
                     <a href="web-auth_index.js.html">web-auth/index.js</a>,
-                    <a href="web-auth_index.js.html#line824">line 824</a>
+                    <a href="web-auth_index.js.html#line849">line 849</a>
                   </li>
                 </ul>
               </dd>
@@ -1899,7 +1922,7 @@ <h4 class="name" id="delegation">
                     <a href="authentication_index.js.html"
                       >authentication/index.js</a
                     >,
-                    <a href="authentication_index.js.html#line554">line 554</a>
+                    <a href="authentication_index.js.html#line577">line 577</a>
                   </li>
                 </ul>
               </dd>
@@ -2108,6 +2131,67 @@ <h5>Parameters:</h5>
             </table>
           </div>
 
+          <div class="section-method">
+            <h4 class="name" id="getChallenge">
+              <span class="type-signature"></span>getChallenge<span
+                class="signature"
+                >(cb)</span
+              ><span class="type-signature"></span>
+            </h4>
+
+            <div class="description">
+              <p>
+                Makes a call to the
+                <code>/usernamepassword/challenge</code> endpoint and returns
+                the challenge (captcha) if necessary.
+              </p>
+            </div>
+
+            <dl class="details">
+              <dt class="tag-source">Source:</dt>
+              <dd class="tag-source">
+                <ul class="dummy">
+                  <li>
+                    <a href="authentication_index.js.html"
+                      >authentication/index.js</a
+                    >,
+                    <a href="authentication_index.js.html#line549">line 549</a>
+                  </li>
+                </ul>
+              </dd>
+            </dl>
+
+            <h5>Parameters:</h5>
+
+            <table class="params">
+              <thead>
+                <tr>
+                  <th>Name</th>
+
+                  <th>Type</th>
+
+                  <th class="last">Description</th>
+                </tr>
+              </thead>
+
+              <tbody>
+                <tr>
+                  <td class="name"><code>cb</code></td>
+
+                  <td class="type">
+                    <span class="param-type"
+                      ><code
+                        ><a href="global.html#callback">callback</a></code
+                      ></span
+                    >
+                  </td>
+
+                  <td class="description last"></td>
+                </tr>
+              </tbody>
+            </table>
+          </div>
+
           <div class="section-method">
             <h4 class="name" id="getSSOData">
               <span class="type-signature"></span>getSSOData<span
@@ -2133,7 +2217,7 @@ <h4 class="name" id="getSSOData">
                     <a href="authentication_index.js.html"
                       >authentication/index.js</a
                     >,
-                    <a href="authentication_index.js.html#line454">line 454</a>
+                    <a href="authentication_index.js.html#line455">line 455</a>
                   </li>
                 </ul>
               </dd>
@@ -2372,7 +2456,7 @@ <h4 class="name" id="login">
                     <a href="authentication_index.js.html"
                       >authentication/index.js</a
                     >,
-                    <a href="authentication_index.js.html#line313">line 313</a>
+                    <a href="authentication_index.js.html#line314">line 314</a>
                   </li>
                 </ul>
               </dd>
@@ -2728,34 +2812,16 @@ <h4 class="name" id="login">
 
             <div class="description">
               <p>
-                Logs the user in with username and password using the correct
-                flow based on where it's called from:
+                Performs authentication with username/email and password with a
+                database connection
+              </p>
+              <p>
+                This method is not compatible with API Auth so if you need to
+                fetch API tokens with audience you should use
+                <a href="global.html#authorize"><code>authorize</code></a> or
+                <a href="global.html#login"><code>login</code></a
+                >.
               </p>
-              <ul>
-                <li>
-                  If you're calling this method from the Universal Login Page,
-                  it will use the usernamepassword/login endpoint
-                </li>
-                <li>
-                  If you're calling this method outside the Universal Login
-                  Page, it will use the cross origin authentication
-                  (/co/authenticate) flow You can use either
-                  <code>username</code> or <code>email</code> to identify the
-                  user, but <code>username</code> will take precedence over
-                  <code>email</code>. After the redirect to
-                  <code>redirectUri</code>, use
-                  <a href="global.html#parseHash"><code>parseHash</code></a> to
-                  retrieve the authentication data.
-                  <strong
-                    >Notice that when using the cross origin authentication
-                    flow, some browsers might not be able to successfully
-                    authenticate if 3rd party cookies are disabled.
-                    <a href="https://auth0.com/docs/cross-origin-authentication"
-                      >See here for more information.</a
-                    >.</strong
-                  >
-                </li>
-              </ul>
             </div>
 
             <dl class="details">
@@ -2763,26 +2829,10 @@ <h4 class="name" id="login">
               <dd class="tag-source">
                 <ul class="dummy">
                   <li>
-                    <a href="web-auth_index.js.html">web-auth/index.js</a>,
-                    <a href="web-auth_index.js.html#line719">line 719</a>
-                  </li>
-                </ul>
-              </dd>
-
-              <dt class="tag-see">See:</dt>
-              <dd class="tag-see">
-                <ul>
-                  <li>
-                    <p>
-                      Requires
-                      <a href="https://auth0.com/docs/api-auth/grant/implicit"
-                        ><code>Implicit</code> grant</a
-                      >. For more information, read
-                      <a
-                        href="https://auth0.com/docs/clients/client-grant-types"
-                        >https://auth0.com/docs/clients/client-grant-types</a
-                      >.
-                    </p>
+                    <a href="web-auth_hosted-pages.js.html"
+                      >web-auth/hosted-pages.js</a
+                    >,
+                    <a href="web-auth_hosted-pages.js.html#line32">line 32</a>
                   </li>
                 </ul>
               </dd>
@@ -2810,12 +2860,6 @@ <h5>Parameters:</h5>
                   </td>
 
                   <td class="description last">
-                    <p>
-                      options used in the
-                      <a href="global.html#authorize"><code>authorize</code></a>
-                      call after the login_ticket is acquired
-                    </p>
-
                     <table class="params">
                       <thead>
                         <tr>
@@ -2831,7 +2875,7 @@ <h5>Parameters:</h5>
 
                       <tbody>
                         <tr>
-                          <td class="name"><code>username</code></td>
+                          <td class="name"><code>redirectUri</code></td>
 
                           <td class="type">
                             <span class="param-type"><code>String</code></span>
@@ -2840,12 +2884,15 @@ <h5>Parameters:</h5>
                           <td class="attributes">&lt;optional><br /></td>
 
                           <td class="description last">
-                            <p>Username (mutually exclusive with email)</p>
+                            <p>
+                              url that the Auth0 will redirect after Auth with
+                              the Authorization Response
+                            </p>
                           </td>
                         </tr>
 
                         <tr>
-                          <td class="name"><code>email</code></td>
+                          <td class="name"><code>responseType</code></td>
 
                           <td class="type">
                             <span class="param-type"><code>String</code></span>
@@ -2854,26 +2901,33 @@ <h5>Parameters:</h5>
                           <td class="attributes">&lt;optional><br /></td>
 
                           <td class="description last">
-                            <p>Email (mutually exclusive with username)</p>
+                            <p>
+                              type of the response used. It can be any of the
+                              values <code>code</code> and <code>token</code>
+                            </p>
                           </td>
                         </tr>
 
                         <tr>
-                          <td class="name"><code>password</code></td>
+                          <td class="name"><code>responseMode</code></td>
 
                           <td class="type">
                             <span class="param-type"><code>String</code></span>
                           </td>
 
-                          <td class="attributes"></td>
+                          <td class="attributes">&lt;optional><br /></td>
 
                           <td class="description last">
-                            <p>Password</p>
+                            <p>
+                              how the AuthN response is encoded and redirected
+                              back to the client. Supported values are
+                              <code>query</code> and <code>fragment</code>
+                            </p>
                           </td>
                         </tr>
 
                         <tr>
-                          <td class="name"><code>realm</code></td>
+                          <td class="name"><code>scope</code></td>
 
                           <td class="type">
                             <span class="param-type"><code>String</code></span>
@@ -2883,8 +2937,8 @@ <h5>Parameters:</h5>
 
                           <td class="description last">
                             <p>
-                              Realm used to authenticate the user, it can be a
-                              realm name or a database connection name
+                              scopes to be requested during AuthN. e.g.
+                              <code>openid email</code>
                             </p>
                           </td>
                         </tr>
@@ -2899,21 +2953,14 @@ <h5>Parameters:</h5>
                   <td class="type">
                     <span class="param-type"
                       ><code
-                        ><a href="global.html#crossOriginLoginCallback"
-                          >crossOriginLoginCallback</a
+                        ><a href="global.html#credentialsCallback"
+                          >credentialsCallback</a
                         ></code
                       ></span
                     >
                   </td>
 
-                  <td class="description last">
-                    <p>
-                      Callback function called only when an authentication
-                      error, like invalid username or password, occurs. For
-                      other types of errors, there will be a redirect to the
-                      <code>redirectUri</code>.
-                    </p>
-                  </td>
+                  <td class="description last"></td>
                 </tr>
               </tbody>
             </table>
@@ -2928,16 +2975,34 @@ <h4 class="name" id="login">
 
             <div class="description">
               <p>
-                Performs authentication with username/email and password with a
-                database connection
-              </p>
-              <p>
-                This method is not compatible with API Auth so if you need to
-                fetch API tokens with audience you should use
-                <a href="global.html#authorize"><code>authorize</code></a> or
-                <a href="global.html#login"><code>login</code></a
-                >.
+                Logs the user in with username and password using the correct
+                flow based on where it's called from:
               </p>
+              <ul>
+                <li>
+                  If you're calling this method from the Universal Login Page,
+                  it will use the usernamepassword/login endpoint
+                </li>
+                <li>
+                  If you're calling this method outside the Universal Login
+                  Page, it will use the cross origin authentication
+                  (/co/authenticate) flow You can use either
+                  <code>username</code> or <code>email</code> to identify the
+                  user, but <code>username</code> will take precedence over
+                  <code>email</code>. After the redirect to
+                  <code>redirectUri</code>, use
+                  <a href="global.html#parseHash"><code>parseHash</code></a> to
+                  retrieve the authentication data.
+                  <strong
+                    >Notice that when using the cross origin authentication
+                    flow, some browsers might not be able to successfully
+                    authenticate if 3rd party cookies are disabled.
+                    <a href="https://auth0.com/docs/cross-origin-authentication"
+                      >See here for more information.</a
+                    >.</strong
+                  >
+                </li>
+              </ul>
             </div>
 
             <dl class="details">
@@ -2945,10 +3010,26 @@ <h4 class="name" id="login">
               <dd class="tag-source">
                 <ul class="dummy">
                   <li>
-                    <a href="web-auth_hosted-pages.js.html"
-                      >web-auth/hosted-pages.js</a
-                    >,
-                    <a href="web-auth_hosted-pages.js.html#line32">line 32</a>
+                    <a href="web-auth_index.js.html">web-auth/index.js</a>,
+                    <a href="web-auth_index.js.html#line744">line 744</a>
+                  </li>
+                </ul>
+              </dd>
+
+              <dt class="tag-see">See:</dt>
+              <dd class="tag-see">
+                <ul>
+                  <li>
+                    <p>
+                      Requires
+                      <a href="https://auth0.com/docs/api-auth/grant/implicit"
+                        ><code>Implicit</code> grant</a
+                      >. For more information, read
+                      <a
+                        href="https://auth0.com/docs/clients/client-grant-types"
+                        >https://auth0.com/docs/clients/client-grant-types</a
+                      >.
+                    </p>
                   </li>
                 </ul>
               </dd>
@@ -2976,6 +3057,12 @@ <h5>Parameters:</h5>
                   </td>
 
                   <td class="description last">
+                    <p>
+                      options used in the
+                      <a href="global.html#authorize"><code>authorize</code></a>
+                      call after the login_ticket is acquired
+                    </p>
+
                     <table class="params">
                       <thead>
                         <tr>
@@ -2991,7 +3078,7 @@ <h5>Parameters:</h5>
 
                       <tbody>
                         <tr>
-                          <td class="name"><code>redirectUri</code></td>
+                          <td class="name"><code>username</code></td>
 
                           <td class="type">
                             <span class="param-type"><code>String</code></span>
@@ -3000,15 +3087,12 @@ <h5>Parameters:</h5>
                           <td class="attributes">&lt;optional><br /></td>
 
                           <td class="description last">
-                            <p>
-                              url that the Auth0 will redirect after Auth with
-                              the Authorization Response
-                            </p>
+                            <p>Username (mutually exclusive with email)</p>
                           </td>
                         </tr>
 
                         <tr>
-                          <td class="name"><code>responseType</code></td>
+                          <td class="name"><code>email</code></td>
 
                           <td class="type">
                             <span class="param-type"><code>String</code></span>
@@ -3017,33 +3101,26 @@ <h5>Parameters:</h5>
                           <td class="attributes">&lt;optional><br /></td>
 
                           <td class="description last">
-                            <p>
-                              type of the response used. It can be any of the
-                              values <code>code</code> and <code>token</code>
-                            </p>
+                            <p>Email (mutually exclusive with username)</p>
                           </td>
                         </tr>
 
                         <tr>
-                          <td class="name"><code>responseMode</code></td>
+                          <td class="name"><code>password</code></td>
 
                           <td class="type">
                             <span class="param-type"><code>String</code></span>
                           </td>
 
-                          <td class="attributes">&lt;optional><br /></td>
+                          <td class="attributes"></td>
 
                           <td class="description last">
-                            <p>
-                              how the AuthN response is encoded and redirected
-                              back to the client. Supported values are
-                              <code>query</code> and <code>fragment</code>
-                            </p>
+                            <p>Password</p>
                           </td>
                         </tr>
 
                         <tr>
-                          <td class="name"><code>scope</code></td>
+                          <td class="name"><code>realm</code></td>
 
                           <td class="type">
                             <span class="param-type"><code>String</code></span>
@@ -3053,8 +3130,8 @@ <h5>Parameters:</h5>
 
                           <td class="description last">
                             <p>
-                              scopes to be requested during AuthN. e.g.
-                              <code>openid email</code>
+                              Realm used to authenticate the user, it can be a
+                              realm name or a database connection name
                             </p>
                           </td>
                         </tr>
@@ -3069,14 +3146,21 @@ <h5>Parameters:</h5>
                   <td class="type">
                     <span class="param-type"
                       ><code
-                        ><a href="global.html#credentialsCallback"
-                          >credentialsCallback</a
+                        ><a href="global.html#crossOriginLoginCallback"
+                          >crossOriginLoginCallback</a
                         ></code
                       ></span
                     >
                   </td>
 
-                  <td class="description last"></td>
+                  <td class="description last">
+                    <p>
+                      Callback function called only when an authentication
+                      error, like invalid username or password, occurs. For
+                      other types of errors, there will be a redirect to the
+                      <code>redirectUri</code>.
+                    </p>
+                  </td>
                 </tr>
               </tbody>
             </table>
@@ -3449,7 +3533,7 @@ <h4 class="name" id="loginWithDefaultDirectory">
                     <a href="authentication_index.js.html"
                       >authentication/index.js</a
                     >,
-                    <a href="authentication_index.js.html#line276">line 276</a>
+                    <a href="authentication_index.js.html#line277">line 277</a>
                   </li>
                 </ul>
               </dd>
@@ -3632,7 +3716,7 @@ <h4 class="name" id="loginWithResourceOwner">
                     <a href="authentication_index.js.html"
                       >authentication/index.js</a
                     >,
-                    <a href="authentication_index.js.html#line402">line 402</a>
+                    <a href="authentication_index.js.html#line403">line 403</a>
                   </li>
                 </ul>
               </dd>
@@ -3818,7 +3902,7 @@ <h4 class="name" id="logout">
                 <ul class="dummy">
                   <li>
                     <a href="web-auth_index.js.html">web-auth/index.js</a>,
-                    <a href="web-auth_index.js.html#line833">line 833</a>
+                    <a href="web-auth_index.js.html#line858">line 858</a>
                   </li>
                 </ul>
               </dd>
@@ -3966,7 +4050,7 @@ <h4 class="name" id="parseHash">
                 <ul class="dummy">
                   <li>
                     <a href="web-auth_index.js.html">web-auth/index.js</a>,
-                    <a href="web-auth_index.js.html#line167">line 167</a>
+                    <a href="web-auth_index.js.html#line176">line 176</a>
                   </li>
                 </ul>
               </dd>
@@ -4139,7 +4223,7 @@ <h4 class="name" id="passwordlessLogin">
                 <ul class="dummy">
                   <li>
                     <a href="web-auth_index.js.html">web-auth/index.js</a>,
-                    <a href="web-auth_index.js.html#line763">line 763</a>
+                    <a href="web-auth_index.js.html#line788">line 788</a>
                   </li>
                 </ul>
               </dd>
@@ -4294,7 +4378,7 @@ <h4 class="name" id="passwordlessStart">
                 <ul class="dummy">
                   <li>
                     <a href="web-auth_index.js.html">web-auth/index.js</a>,
-                    <a href="web-auth_index.js.html#line587">line 587</a>
+                    <a href="web-auth_index.js.html#line611">line 611</a>
                   </li>
                 </ul>
               </dd>
@@ -4361,7 +4445,7 @@ <h5>Parameters:</h5>
                             <p>
                               what will be sent via email which could be
                               <code>link</code> or <code>code</code>. For SMS
-                              <code>code</code> is the only one valud
+                              <code>code</code> is the only one valid
                             </p>
                           </td>
                         </tr>
@@ -4470,8 +4554,8 @@ <h4 class="name" id="passwordlessVerify">
               <dd class="tag-source">
                 <ul class="dummy">
                   <li>
-                    <a href="web-auth_popup.js.html">web-auth/popup.js</a>,
-                    <a href="web-auth_popup.js.html#line252">line 252</a>
+                    <a href="web-auth_index.js.html">web-auth/index.js</a>,
+                    <a href="web-auth_index.js.html#line877">line 877</a>
                   </li>
                 </ul>
               </dd>
@@ -4608,8 +4692,8 @@ <h4 class="name" id="passwordlessVerify">
               <dd class="tag-source">
                 <ul class="dummy">
                   <li>
-                    <a href="web-auth_index.js.html">web-auth/index.js</a>,
-                    <a href="web-auth_index.js.html#line852">line 852</a>
+                    <a href="web-auth_popup.js.html">web-auth/popup.js</a>,
+                    <a href="web-auth_popup.js.html#line252">line 252</a>
                   </li>
                 </ul>
               </dd>
@@ -4999,7 +5083,7 @@ <h4 class="name" id="renewAuth">
                 <ul class="dummy">
                   <li>
                     <a href="web-auth_index.js.html">web-auth/index.js</a>,
-                    <a href="web-auth_index.js.html#line429">line 429</a>
+                    <a href="web-auth_index.js.html#line453">line 453</a>
                   </li>
                 </ul>
               </dd>
@@ -5418,6 +5502,24 @@ <h5>Parameters:</h5>
                           </td>
                         </tr>
 
+                        <tr>
+                          <td class="name"><code>username</code></td>
+
+                          <td class="type">
+                            <span class="param-type"><code>String</code></span>
+                          </td>
+
+                          <td class="attributes">&lt;optional><br /></td>
+
+                          <td class="description last">
+                            <p>
+                              user desired username. Required if you use a
+                              database connection and you have enabled
+                              <code>Requires Username</code>
+                            </p>
+                          </td>
+                        </tr>
+
                         <tr>
                           <td class="name"><code>connection</code></td>
 
@@ -5492,7 +5594,7 @@ <h4 class="name" id="signup">
                 <ul class="dummy">
                   <li>
                     <a href="web-auth_index.js.html">web-auth/index.js</a>,
-                    <a href="web-auth_index.js.html#line619">line 619</a>
+                    <a href="web-auth_index.js.html#line643">line 643</a>
                   </li>
                 </ul>
               </dd>
@@ -5627,7 +5729,7 @@ <h4 class="name" id="signupAndAuthorize">
                 <ul class="dummy">
                   <li>
                     <a href="web-auth_index.js.html">web-auth/index.js</a>,
-                    <a href="web-auth_index.js.html#line683">line 683</a>
+                    <a href="web-auth_index.js.html#line708">line 708</a>
                   </li>
                 </ul>
               </dd>
@@ -5759,14 +5861,6 @@ <h4 class="name" id="signupAndLogin">
                 Signs up a new user and automatically logs the user in after the
                 signup.
               </p>
-              <p>
-                This method is not compatible with API Auth so if you need to
-                fetch API tokens with audience you should use
-                <a href="global.html#authorize"><code>authorize</code></a> or
-                <a href="global.html#signupAndAuthorize"
-                  ><code>signupAndAuthorize</code></a
-                >.
-              </p>
             </div>
 
             <dl class="details">
@@ -5774,8 +5868,10 @@ <h4 class="name" id="signupAndLogin">
               <dd class="tag-source">
                 <ul class="dummy">
                   <li>
-                    <a href="web-auth_popup.js.html">web-auth/popup.js</a>,
-                    <a href="web-auth_popup.js.html#line286">line 286</a>
+                    <a href="web-auth_hosted-pages.js.html"
+                      >web-auth/hosted-pages.js</a
+                    >,
+                    <a href="web-auth_hosted-pages.js.html#line90">line 90</a>
                   </li>
                 </ul>
               </dd>
@@ -5890,6 +5986,14 @@ <h4 class="name" id="signupAndLogin">
                 Signs up a new user and automatically logs the user in after the
                 signup.
               </p>
+              <p>
+                This method is not compatible with API Auth so if you need to
+                fetch API tokens with audience you should use
+                <a href="global.html#authorize"><code>authorize</code></a> or
+                <a href="global.html#signupAndAuthorize"
+                  ><code>signupAndAuthorize</code></a
+                >.
+              </p>
             </div>
 
             <dl class="details">
@@ -5897,8 +6001,8 @@ <h4 class="name" id="signupAndLogin">
               <dd class="tag-source">
                 <ul class="dummy">
                   <li>
-                    <a href="web-auth_redirect.js.html">web-auth/redirect.js</a
-                    >, <a href="web-auth_redirect.js.html#line37">line 37</a>
+                    <a href="web-auth_popup.js.html">web-auth/popup.js</a>,
+                    <a href="web-auth_popup.js.html#line286">line 286</a>
                   </li>
                 </ul>
               </dd>
@@ -5987,8 +6091,8 @@ <h5>Parameters:</h5>
                   <td class="type">
                     <span class="param-type"
                       ><code
-                        ><a href="global.html#crossOriginLoginCallback"
-                          >crossOriginLoginCallback</a
+                        ><a href="global.html#credentialsCallback"
+                          >credentialsCallback</a
                         ></code
                       ></span
                     >
@@ -6020,10 +6124,8 @@ <h4 class="name" id="signupAndLogin">
               <dd class="tag-source">
                 <ul class="dummy">
                   <li>
-                    <a href="web-auth_hosted-pages.js.html"
-                      >web-auth/hosted-pages.js</a
-                    >,
-                    <a href="web-auth_hosted-pages.js.html#line90">line 90</a>
+                    <a href="web-auth_redirect.js.html">web-auth/redirect.js</a
+                    >, <a href="web-auth_redirect.js.html#line37">line 37</a>
                   </li>
                 </ul>
               </dd>
@@ -6112,8 +6214,8 @@ <h5>Parameters:</h5>
                   <td class="type">
                     <span class="param-type"
                       ><code
-                        ><a href="global.html#credentialsCallback"
-                          >credentialsCallback</a
+                        ><a href="global.html#crossOriginLoginCallback"
+                          >crossOriginLoginCallback</a
                         ></code
                       ></span
                     >
@@ -6148,7 +6250,7 @@ <h4 class="name" id="userInfo">
                     <a href="authentication_index.js.html"
                       >authentication/index.js</a
                     >,
-                    <a href="authentication_index.js.html#line523">line 523</a>
+                    <a href="authentication_index.js.html#line524">line 524</a>
                   </li>
                 </ul>
               </dd>
@@ -6246,7 +6348,7 @@ <h4 class="name" id="validateAuthenticationResponse">
                 <ul class="dummy">
                   <li>
                     <a href="web-auth_index.js.html">web-auth/index.js</a>,
-                    <a href="web-auth_index.js.html#line253">line 253</a>
+                    <a href="web-auth_index.js.html#line262">line 262</a>
                   </li>
                 </ul>
               </dd>
@@ -6537,6 +6639,23 @@ <h5>Parameters:</h5>
                             </p>
                           </td>
                         </tr>
+
+                        <tr>
+                          <td class="name"><code>appState</code></td>
+
+                          <td class="type">
+                            <span class="param-type"><code>Object</code></span>
+                          </td>
+
+                          <td class="attributes">&lt;optional><br /></td>
+
+                          <td class="description last">
+                            <p>
+                              values that you receive back on the authentication
+                              response
+                            </p>
+                          </td>
+                        </tr>
                       </tbody>
                     </table>
                   </td>
@@ -6561,8 +6680,8 @@ <h4 class="name" id="changePasswordCallback">
                     <a href="authentication_db-connection.js.html"
                       >authentication/db-connection.js</a
                     >,
-                    <a href="authentication_db-connection.js.html#line72"
-                      >line 72</a
+                    <a href="authentication_db-connection.js.html#line73"
+                      >line 73</a
                     >
                   </li>
                 </ul>
@@ -6759,7 +6878,7 @@ <h4 class="name" id="crossOriginLoginCallback">
                 <ul class="dummy">
                   <li>
                     <a href="web-auth_index.js.html">web-auth/index.js</a>,
-                    <a href="web-auth_index.js.html#line714">line 714</a>
+                    <a href="web-auth_index.js.html#line739">line 739</a>
                   </li>
                 </ul>
               </dd>
@@ -6820,7 +6939,7 @@ <h4 class="name" id="delegationCallback">
                     <a href="authentication_index.js.html"
                       >authentication/index.js</a
                     >,
-                    <a href="authentication_index.js.html#line548">line 548</a>
+                    <a href="authentication_index.js.html#line571">line 571</a>
                   </li>
                 </ul>
               </dd>
@@ -7013,7 +7132,7 @@ <h4 class="name" id="tokenCallback">
                     <a href="authentication_index.js.html"
                       >authentication/index.js</a
                     >,
-                    <a href="authentication_index.js.html#line266">line 266</a>
+                    <a href="authentication_index.js.html#line267">line 267</a>
                   </li>
                 </ul>
               </dd>
@@ -7241,7 +7360,7 @@ <h4 class="name" id="userInfoCallback">
                     <a href="authentication_index.js.html"
                       >authentication/index.js</a
                     >,
-                    <a href="authentication_index.js.html#line517">line 517</a>
+                    <a href="authentication_index.js.html#line518">line 518</a>
                   </li>
                 </ul>
               </dd>
@@ -7311,7 +7430,7 @@ <h4 class="name" id="validateTokenCallback">
                 <ul class="dummy">
                   <li>
                     <a href="web-auth_index.js.html">web-auth/index.js</a>,
-                    <a href="web-auth_index.js.html#line396">line 396</a>
+                    <a href="web-auth_index.js.html#line419">line 419</a>
                   </li>
                 </ul>
               </dd>
@@ -7371,8 +7490,8 @@ <h5>Parameters:</h5>
 
     <footer>
       Generated by <a href="https://github.com/jsdoc3/jsdoc">JSDoc 3.6.3</a> on
-      Tue Jul 23 2019 10:46:01 GMT-0300 (Brasilia Standard Time) using the
-      Minami theme.
+      Wed Dec 11 2019 10:33:27 GMT+0000 (Greenwich Mean Time) using the Minami
+      theme.
     </footer>
 
     <script>
diff --git a/docs/index.html b/docs/index.html
index 3642935f..7d372d3c 100644
--- a/docs/index.html
+++ b/docs/index.html
@@ -108,6 +108,12 @@
           ><a href="global.html#delegation">delegation</a></span
         >
       </li>
+      <li class="nav-item">
+        <span class="nav-item-type type-function">F</span
+        ><span class="nav-item-name"
+          ><a href="global.html#getChallenge">getChallenge</a></span
+        >
+      </li>
       <li class="nav-item">
         <span class="nav-item-type type-function">F</span
         ><span class="nav-item-name"
@@ -306,7 +312,7 @@ <h2>Install</h2>
           <pre
             class="prettyprint source lang-html"
           ><code>&lt;!-- Latest patch release -->
-&lt;script src=&quot;https://cdn.auth0.com/js/auth0/9.11.3/auth0.min.js&quot;>&lt;/script>
+&lt;script src=&quot;https://cdn.auth0.com/js/auth0/9.12.0/auth0.min.js&quot;>&lt;/script>
 </code></pre>
           <p>From <a href="https://npmjs.org">npm</a>:</p>
           <pre class="prettyprint source lang-sh"><code>npm install auth0-js
@@ -525,18 +531,25 @@ <h3>API</h3>
               <strong>buildAuthorizeUrl(options)</strong>: Builds and returns
               the <code>/authorize</code> url in order to initialize a new
               authN/authZ transaction.
-              https://auth0.com/docs/api/authentication#database-ad-ldap-passive-
+              <a
+                href="https://auth0.com/docs/api/authentication#database-ad-ldap-passive-"
+                >https://auth0.com/docs/api/authentication#database-ad-ldap-passive-</a
+              >
             </li>
             <li>
               <strong>buildLogoutUrl(options)</strong>: Builds and returns the
               Logout url in order to initialize a new authN/authZ transaction.
-              https://auth0.com/docs/api/authentication#logout
+              <a href="https://auth0.com/docs/api/authentication#logout"
+                >https://auth0.com/docs/api/authentication#logout</a
+              >
             </li>
             <li>
               <strong>loginWithDefaultDirectory(options, cb)</strong>: Makes a
               call to the <code>oauth/token</code> endpoint with
               <code>password</code> grant type.
-              https://auth0.com/docs/api-auth/grant/password
+              <a href="https://auth0.com/docs/api-auth/grant/password"
+                >https://auth0.com/docs/api-auth/grant/password</a
+              >
             </li>
             <li>
               <strong>login(options, cb)</strong>: Makes a call to the
@@ -557,7 +570,7 @@ <h2>auth0.Management</h2>
           <p>
             Provides an API Client for the Auth0 Management API (only methods
             meant to be used from the client with the user token). You should
-            use an access_token with the
+            use an <code>access_token</code> with the
             <code>https://YOUR_DOMAIN.auth0.com/api/v2/</code> audience to make
             this work. For more information, read
             <a
@@ -577,24 +590,36 @@ <h3>API</h3>
           <ul>
             <li>
               <strong>getUser(userId, cb)</strong>: Returns the user profile.
-              https://auth0.com/docs/api/management/v2#!/Users/get_users_by_id
+              <a
+                href="https://auth0.com/docs/api/management/v2#!/Users/get_users_by_id"
+                >https://auth0.com/docs/api/management/v2#!/Users/get_users_by_id</a
+              >
             </li>
             <li>
               <strong>patchUserMetadata(userId, userMetadata, cb)</strong>:
               Updates the user metadata. It will patch the user metadata with
               the attributes sent.
-              https://auth0.com/docs/api/management/v2#!/Users/patch_users_by_id
+              <a
+                href="https://auth0.com/docs/api/management/v2#!/Users/patch_users_by_id"
+                >https://auth0.com/docs/api/management/v2#!/Users/patch_users_by_id</a
+              >
             </li>
             <li>
               <strong>patchUserAttributes(userId, user, cb)</strong>: Updates
               the user attributes. It will patch the root attributes that the
               server allows it. To check what attributes can be patched, go to
-              https://auth0.com/docs/api/management/v2#!/Users/patch_users_by_id
+              <a
+                href="https://auth0.com/docs/api/management/v2#!/Users/patch_users_by_id"
+                >https://auth0.com/docs/api/management/v2#!/Users/patch_users_by_id</a
+              >
             </li>
             <li>
               <strong>linkUser(userId, secondaryUserToken, cb)</strong>: Link
               two users.
-              https://auth0.com/docs/api/management/v2#!/Users/post_identities
+              <a
+                href="https://auth0.com/docs/api/management/v2#!/Users/post_identities"
+                >https://auth0.com/docs/api/management/v2#!/Users/post_identities</a
+              >
             </li>
           </ul>
           <h2>Documentation</h2>
@@ -618,25 +643,40 @@ <h2>Migration</h2>
             >.
           </p>
           <h2>Develop</h2>
+          <p>Run <code>yarn install</code> to set up the environment.</p>
           <p>
-            Run <code>npm start</code> and point your browser to
-            <a href="https://localhost:3000/example"
-              ><code>https://localhost:3000/example</code></a
+            Run <code>yarn start</code> to point your browser to
+            <a href="https://localhost:3000/"
+              ><code>https://localhost:3000/</code></a
             >
-            to run the example page.
+            to verify the example page works.
           </p>
-          <p>Run <code>npm run test</code> to run the test suite.</p>
+          <p>Run <code>yarn test</code> to run the test suite.</p>
+          <p>Run <code>yarn ci:test</code> to run the tests that ci runs.</p>
           <p>
-            Run <code>npm run test:watch</code> to run the test suite while you
+            Run <code>yarn test:watch</code> to run the test suite while you
             work.
           </p>
           <p>
-            Run <code>npm run test:coverage</code> to run the test suite with
+            Run <code>yarn test:coverage</code> to run the test suite with
             coverage report.
           </p>
           <p>
-            Run <code>npm run lint</code> to run the linter and check code
-            styles.
+            Run <code>yarn lint</code> to run the linter and check code styles.
+          </p>
+          <p>
+            Run
+            <code
+              >yarn install &amp;&amp; yarn build &amp;&amp; yarn
+              test:es-check:es5 &amp;&amp; yarn
+              test:es-check:es2015:module</code
+            >
+            to check for JS incompatibility.
+          </p>
+          <p>
+            See <a href=".circleci/config.yml">.circleci/config.yml</a> for
+            additional checks that might be run as part of
+            <a href="https://circleci.com/">circleci integration tests</a>.
           </p>
           <h2>Issue Reporting</h2>
           <p>
@@ -668,8 +708,8 @@ <h2>License</h2>
 
     <footer>
       Generated by <a href="https://github.com/jsdoc3/jsdoc">JSDoc 3.6.3</a> on
-      Tue Jul 23 2019 10:46:01 GMT-0300 (Brasilia Standard Time) using the
-      Minami theme.
+      Wed Dec 11 2019 10:33:27 GMT+0000 (Greenwich Mean Time) using the Minami
+      theme.
     </footer>
 
     <script>
diff --git a/docs/management_index.js.html b/docs/management_index.js.html
index 7c1e707d..4c7129e6 100644
--- a/docs/management_index.js.html
+++ b/docs/management_index.js.html
@@ -108,6 +108,12 @@
           ><a href="global.html#delegation">delegation</a></span
         >
       </li>
+      <li class="nav-item">
+        <span class="nav-item-type type-function">F</span
+        ><span class="nav-item-name"
+          ><a href="global.html#getChallenge">getChallenge</a></span
+        >
+      </li>
       <li class="nav-item">
         <span class="nav-item-type type-function">F</span
         ><span class="nav-item-name"
@@ -432,8 +438,8 @@ <h1 class="page-title">management/index.js</h1>
 
     <footer>
       Generated by <a href="https://github.com/jsdoc3/jsdoc">JSDoc 3.6.3</a> on
-      Tue Jul 23 2019 10:46:01 GMT-0300 (Brasilia Standard Time) using the
-      Minami theme.
+      Wed Dec 11 2019 10:33:27 GMT+0000 (Greenwich Mean Time) using the Minami
+      theme.
     </footer>
 
     <script>
diff --git a/docs/web-auth_cross-origin-authentication.js.html b/docs/web-auth_cross-origin-authentication.js.html
index c51f8fb4..e9dbb6f4 100644
--- a/docs/web-auth_cross-origin-authentication.js.html
+++ b/docs/web-auth_cross-origin-authentication.js.html
@@ -108,6 +108,12 @@
           ><a href="global.html#delegation">delegation</a></span
         >
       </li>
+      <li class="nav-item">
+        <span class="nav-item-type type-function">F</span
+        ><span class="nav-item-name"
+          ><a href="global.html#getChallenge">getChallenge</a></span
+        >
+      </li>
       <li class="nav-item">
         <span class="nav-item-type type-function">F</span
         ><span class="nav-item-name"
@@ -420,8 +426,8 @@ <h1 class="page-title">web-auth/cross-origin-authentication.js</h1>
 
     <footer>
       Generated by <a href="https://github.com/jsdoc3/jsdoc">JSDoc 3.6.3</a> on
-      Tue Jul 23 2019 10:46:01 GMT-0300 (Brasilia Standard Time) using the
-      Minami theme.
+      Wed Dec 11 2019 10:33:27 GMT+0000 (Greenwich Mean Time) using the Minami
+      theme.
     </footer>
 
     <script>
diff --git a/docs/web-auth_hosted-pages.js.html b/docs/web-auth_hosted-pages.js.html
index e7c81b3c..95ea068e 100644
--- a/docs/web-auth_hosted-pages.js.html
+++ b/docs/web-auth_hosted-pages.js.html
@@ -108,6 +108,12 @@
           ><a href="global.html#delegation">delegation</a></span
         >
       </li>
+      <li class="nav-item">
+        <span class="nav-item-type type-function">F</span
+        ><span class="nav-item-name"
+          ><a href="global.html#getChallenge">getChallenge</a></span
+        >
+      </li>
       <li class="nav-item">
         <span class="nav-item-type type-function">F</span
         ><span class="nav-item-name"
@@ -404,8 +410,8 @@ <h1 class="page-title">web-auth/hosted-pages.js</h1>
 
     <footer>
       Generated by <a href="https://github.com/jsdoc3/jsdoc">JSDoc 3.6.3</a> on
-      Tue Jul 23 2019 10:46:01 GMT-0300 (Brasilia Standard Time) using the
-      Minami theme.
+      Wed Dec 11 2019 10:33:27 GMT+0000 (Greenwich Mean Time) using the Minami
+      theme.
     </footer>
 
     <script>
diff --git a/docs/web-auth_index.js.html b/docs/web-auth_index.js.html
index 929ee135..26b17dff 100644
--- a/docs/web-auth_index.js.html
+++ b/docs/web-auth_index.js.html
@@ -108,6 +108,12 @@
           ><a href="global.html#delegation">delegation</a></span
         >
       </li>
+      <li class="nav-item">
+        <span class="nav-item-type type-function">F</span
+        ><span class="nav-item-name"
+          ><a href="global.html#getChallenge">getChallenge</a></span
+        >
+      </li>
       <li class="nav-item">
         <span class="nav-item-type type-function">F</span
         ><span class="nav-item-name"
@@ -272,6 +278,10 @@ <h1 class="page-title">web-auth/index.js</h1>
 import WebMessageHandler from './web-message-handler';
 import HostedPages from './hosted-pages';
 
+function defaultClock() {
+  return new Date();
+}
+
 /**
  * Handles all the browser's AuthN/AuthZ flows
  * @constructor
@@ -331,6 +341,11 @@ <h1 class="page-title">web-auth/index.js</h1>
         type: 'array',
         message: 'plugins is not valid'
       },
+      maxAge: {
+        optional: true,
+        type: 'number',
+        message: 'maxAge is not valid'
+      },
       _disableDeprecationWarnings: {
         optional: true,
         type: 'boolean',
@@ -594,24 +609,37 @@ <h1 class="page-title">web-auth/index.js</h1>
         }
       );
     }
+
     if (
       validationError.error !== 'invalid_token' ||
-      validationError.errorDescription === 'Nonce does not match.'
+      (validationError.errorDescription &amp;&amp;
+        validationError.errorDescription.indexOf(
+          'Nonce (nonce) claim value mismatch in the ID token'
+        ) > -1)
     ) {
       return callback(validationError);
     }
+
     // if it's an invalid_token error, decode the token
     var decodedToken = new IdTokenVerifier().decode(parsedHash.id_token);
+
     // if the alg is not HS256, return the raw error
     if (decodedToken.header.alg !== 'HS256') {
       return callback(validationError);
     }
+
     if ((decodedToken.payload.nonce || null) !== transactionNonce) {
       return callback({
         error: 'invalid_token',
-        errorDescription: 'Nonce does not match.'
+        errorDescription:
+          'Nonce (nonce) claim value mismatch in the ID token; expected "' +
+          transactionNonce +
+          '", found "' +
+          decodedToken.payload.nonce +
+          '"'
       });
     }
+
     if (!parsedHash.access_token) {
       var noAccessTokenError = {
         error: 'invalid_token',
@@ -620,6 +648,7 @@ <h1 class="page-title">web-auth/index.js</h1>
       };
       return callback(noAccessTokenError);
     }
+
     // if the alg is HS256, use the /userinfo endpoint to build the payload
     return _this.client.userInfo(parsedHash.access_token, function(
       errUserInfo,
@@ -669,7 +698,8 @@ <h1 class="page-title">web-auth/index.js</h1>
     jwksURI: this.baseOptions.jwksURI,
     audience: this.baseOptions.clientID,
     leeway: this.baseOptions.leeway || 0,
-    __disableExpirationCheck: this.baseOptions.__disableExpirationCheck
+    maxAge: this.baseOptions.maxAge,
+    __clock: this.baseOptions.__clock || defaultClock
   });
 
   verifier.verify(token, nonce, function(err, payload) {
@@ -844,7 +874,7 @@ <h1 class="page-title">web-auth/index.js</h1>
  *
  * @method passwordlessStart
  * @param {Object} options
- * @param {String} options.send what will be sent via email which could be `link` or `code`. For SMS `code` is the only one valud
+ * @param {String} options.send what will be sent via email which could be `link` or `code`. For SMS `code` is the only one valid
  * @param {String} [options.phoneNumber] phone number where to send the `code`. This parameter is mutually exclusive with `email`
  * @param {String} [options.email] email where to send the `code` or `link`. This parameter is mutually exclusive with `phoneNumber`
  * @param {String} options.connection name of the passwordless connection
@@ -900,6 +930,7 @@ <h1 class="page-title">web-auth/index.js</h1>
  * @param {String} [options.nonce] value used to mitigate replay attacks when using Implicit Grant. {@link https://auth0.com/docs/api-auth/tutorials/nonce}
  * @param {String} [options.scope] scopes to be requested during Auth. e.g. `openid email`
  * @param {String} [options.audience] identifier of the resource server who will consume the access token issued after Auth
+ * @param {Object} [options.appState] any values that you want back on the authentication response
  * @see {@link https://auth0.com/docs/api/authentication#authorize-client}
  */
 WebAuth.prototype.authorize = function(options) {
@@ -1165,8 +1196,8 @@ <h1 class="page-title">web-auth/index.js</h1>
 
     <footer>
       Generated by <a href="https://github.com/jsdoc3/jsdoc">JSDoc 3.6.3</a> on
-      Tue Jul 23 2019 10:46:01 GMT-0300 (Brasilia Standard Time) using the
-      Minami theme.
+      Wed Dec 11 2019 10:33:27 GMT+0000 (Greenwich Mean Time) using the Minami
+      theme.
     </footer>
 
     <script>
diff --git a/docs/web-auth_popup.js.html b/docs/web-auth_popup.js.html
index a9fd9312..ae5dd851 100644
--- a/docs/web-auth_popup.js.html
+++ b/docs/web-auth_popup.js.html
@@ -108,6 +108,12 @@
           ><a href="global.html#delegation">delegation</a></span
         >
       </li>
+      <li class="nav-item">
+        <span class="nav-item-type type-function">F</span
+        ><span class="nav-item-name"
+          ><a href="global.html#getChallenge">getChallenge</a></span
+        >
+      </li>
       <li class="nav-item">
         <span class="nav-item-type type-function">F</span
         ><span class="nav-item-name"
@@ -572,8 +578,8 @@ <h1 class="page-title">web-auth/popup.js</h1>
 
     <footer>
       Generated by <a href="https://github.com/jsdoc3/jsdoc">JSDoc 3.6.3</a> on
-      Tue Jul 23 2019 10:46:01 GMT-0300 (Brasilia Standard Time) using the
-      Minami theme.
+      Wed Dec 11 2019 10:33:27 GMT+0000 (Greenwich Mean Time) using the Minami
+      theme.
     </footer>
 
     <script>
diff --git a/docs/web-auth_redirect.js.html b/docs/web-auth_redirect.js.html
index 7052c794..619b2771 100644
--- a/docs/web-auth_redirect.js.html
+++ b/docs/web-auth_redirect.js.html
@@ -108,6 +108,12 @@
           ><a href="global.html#delegation">delegation</a></span
         >
       </li>
+      <li class="nav-item">
+        <span class="nav-item-type type-function">F</span
+        ><span class="nav-item-name"
+          ><a href="global.html#getChallenge">getChallenge</a></span
+        >
+      </li>
       <li class="nav-item">
         <span class="nav-item-type type-function">F</span
         ><span class="nav-item-name"
@@ -321,8 +327,8 @@ <h1 class="page-title">web-auth/redirect.js</h1>
 
     <footer>
       Generated by <a href="https://github.com/jsdoc3/jsdoc">JSDoc 3.6.3</a> on
-      Tue Jul 23 2019 10:46:01 GMT-0300 (Brasilia Standard Time) using the
-      Minami theme.
+      Wed Dec 11 2019 10:33:27 GMT+0000 (Greenwich Mean Time) using the Minami
+      theme.
     </footer>
 
     <script>
diff --git a/package.json b/package.json
index 87fb06b5..311bd970 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "auth0-js",
-  "version": "9.11.3",
+  "version": "9.12.0",
   "description": "Auth0 headless browser sdk",
   "author": "Auth0",
   "license": "MIT",
diff --git a/src/version.js b/src/version.js
index ba948345..25ee71a5 100644
--- a/src/version.js
+++ b/src/version.js
@@ -1 +1 @@
-module.exports = { raw: '9.11.3' };
+module.exports = { raw: '9.12.0' };