OAuth 2.0 Authorization Framework

PSaaS Appliance Infrastructure Requirements: IP/Domain and Port List

The PSaaS Appliance requires certain ports within the cluster to be open and able to access each other, as well as selected external sites.

OAuth roles

Between Cluster Nodes

When possible, instances within a cluster should have full connectivity to each other so that you do not need to introduce new firewall rules if Auth0 adds new features. However, since this isn't possible in every environment, the following table lists the ports that are required to be open and accessible to other PSaaS Appliance instances in the same cluster:

Port Use Required? Notes
27017 Database Yes
7777 Control Yes
9001 Rate Limiting Yes Required if rate limiting is used
8721 Webtask Logging/Control Yes Required for logging and debugging
8701 Webtask Logging/Control Yes Required for logging and debugging
9200, 9300-9400 Elastic Search Yes Required for Elastic Search
3000 Grafana instrumentation No Required if you are using Grafana instrumentation
22 Maintenance No Enables maintenance tasks to be done between nodes
ICMP Healthcheck No Allows healthchecks between nodes

Protocol flow

External Connectivity

Auth0 strives to keep these IP addresses stable, though this is not a given. From time to time, Auth0 may add IP addresses or additional servers. During updates and metrics, you must allow your PSaaS Appliance instances to connect to these addresses.

Use Direction IP/DNS Port Notes Required?
All Inbound Your load balancer IP address (often on internal network) 80/(443 or 4443) For clusters with more than one node, a load balancer is required for resiliency and performance Yes
Webtask Outbound Your load balancer IP address (often on internal network) 443 Allows rules, webtasks, and extensions to call back to Auth0 endpoints Yes
Command Line Interface Inbound and Outbound CLI Applications (often on the internal network) 10121 Allows use of the PSaaS Appliance Command Line Interface No
Updates Outbound ( 443 Provides update packages for PSaaS Appliance instances Yes
Updates Outbound ( 443 Provides updates for PSaaS Appliance Docker Packages Yes
Web extensions, Hooks, and Management Dashboard Outbound 443 Required to run web extensions and Hooks; also required for admins to browse to the Management Dashboard Yes
Examples Outbound 443 Source to download and repackage example applications No
Usage & Telemetry Outbound ( 443 Provides usage and telemetry statistics Yes
Maintenance Inbound Jump Host 22 Allows access to PSaaS Appliance instances for support purposes No
Healthcheck Inbound Monitoring Endpoint 9110 Allows access to Healthcheck endpoints No
DNS Inbound and Outbound Local domain servers 53 Required by the PSaaS Appliance to resolve host names internal and external to your environment Yes
SMTP Outbound SMTP Server(s) 25/587 Allows sending of emails from the Appliance No

Authorization grant types


  • If you are using social providers for logins, the cluster must be able to connect to the social providers' endpoints.
  • The Jump Host IP is stable and provided at the time of setup.