API Authentication and Authorization

At some point, your APIs will need to allow limited access to users, servers, or servers on behalf of users.

Auth0's API authorization features allow you to manage the authorization requirements for server-to-server and client-to-server applications.

By using the OAuth 2.0 authorization framework, you can give your own applications or third-party applications limited access to your APIs on behalf of the application itself.

Using Auth0, you can easily support different flows in your own APIs without worrying about the OAuth 2.0/OpenID Connect specification, or the many other technical aspects of API authorization.

Several participants in the OAuth 2.0 specification can be identified:

  • Authorization Server: Auth0, in this case
  • Resource Servers: your APIs
  • Clients: the consumers of your APIs, which can include third-party applications or your own customers
  • Resource Owner: the user of your APIs and of the applications
  • User Agent: the user's browser or mobile app

Using different grants (or flows), these participants will interact to grant Clients limited access to the Resource Servers you are building. As a result, the Client will obtain an access_token that can be used to call the Resource Server on behalf of the user or of the Client itself.

Supported flows

See the following tutorials for step-by-step guides on using Auth0 to implement the OAuth 2.0 authorization framework within your applications and enable the API Authorization scenarios.

Note: At the moment we only have tutorials for the Client Credentials Grant exchange. Tutorials for other grant types are in the making. In the meantime, if you need assistance or more information, please contact our Support Center.

  • Implicit Grant
  • Authorization Code
  • Authorization Code (with PKCE)
  • Client Credentials

Additional Information