Applications in Auth0
The term application or app in Auth0 does not imply any particular implementation characteristics. For example, it could be a native app that executes on a mobile device, a single-page application that executes on a browser, or a regular web applicatioa that executes on a server.
Auth0 categorizes apps based on these characteristics:
Application type: To add authentication to your application, you must register it in the Auth0 Dashboard and select from one of the following application types:
Regular web application: Traditional web apps that perform most of their application logic on the server (such as Express.js or ASP.NET). To learn how to set up a regular web application, see Register Regular Web Applications.
Native application: Mobile or Desktop applications that run natively in a device (such as iOS or Android). To learn how to set up a native application, see Register Native Applications.
Machine-to-machine (M2M) application: Non-interactive applications, such as command-line tools, daemons, IoT devices, or services running on your backend. Typically, you use this option if you have a service that requires access to an API. To learn how to set up a native application, see Register Machine-to-Machine Applications.
Credential security: According to the OAuth 2.0 spec, apps can be classified as either public or confidential; confidential apps can hold credentials securely, while public apps cannot. See Confidential and Public Applications for details.
Ownership: Whether an app is classified as first- or third-party depends on app ownership and control. First-party apps are controlled by the same organization or person that owns the Auth0 domain. Third-party apps enable external parties or partners to securely access protected resources behind your API. To learn more, see First-Party and Third-Party Applications.
Manage app settings
In addition to setting up applications in the Dashboard, you can also set up applications programmatically as described in the OpenID Connect (OIDC) Dynamic Client Registration 1.0 specification. To learn more, see Dynamic Client Registration.
By default, Auth0 enables all connections associated with your tenant when you create a new application. To change this, update application connections in the Application Settings in the Dashboard.
You can monitor apps and perform end-to-end testing using your own tests. Auth0 stores log data including Dashboard administrator actions, successful and failed user authentications, and password change requests. You can use Auth0 Extensions to export your log data and use tools like Sumo Logic, Splunk, or Loggly to analyze and store your log data.
You can remove an application using the Dashboard or the Management API.
Manage client secrets
A client secret is a secret known only to your application and the authorization server. It protects your resources by only granting tokens to authorized requestors.
Protect your client secrets and never include them in mobile or browser-based apps. If your client secret is ever compromised, you should rotate to a new one and update all authorized apps with the new client secret.
Auth0 provides many different authentication and authorization grant types or flows and allows you to indicate which grant types are appropriate based on the
grant_types property of your Auth0-registered app. See Application Grant Types for more details.