Client and application types

Heads up! As part of our efforts to improve security and standards-based interoperability, we have implemented several new features in our authentication flows and made changes to existing ones. For an overview of these changes, and details on how to adopt them, refer to Introducing OIDC Conformant Authentication.

The OAuth 2.0 specification defines two types of clients: public and confidential. When creating a client through the management dashboard, Auth0 will ask you what type of application it represents and use that information to determine the client type.

Confidential clients

Confidential clients are able to hold credentials, i.e. a client ID and client secret, in a secure way without exposing them to users or attackers. This means that a trusted backend server is needed to store the secret. The following application types are confidential clients:

Both of these grants require the client to authenticate by presenting its client ID and client secret when calling the token endpoint.

Since confidential clients are able to hold secrets, they can choose to have ID tokens issued to them signed either symmetrically with their client secret (HS256) or asymmetrically using a private key (RS256). With HS256 the same secret both signs and verifies the token, so any party that holds the client secret can also mint tokens that verify; the secret must therefore never leave the backend.

Public clients

Public clients are not able to hold credentials in a secure way without exposing them to users or attackers. The following application types are public clients:

Since public clients are unable to hold secrets, ID tokens issued to them must be signed asymmetrically using a private key (RS256) and verified using the corresponding public key. The verifying side needs only the public key, which can be distributed to any client without giving it the ability to forge tokens.