Application Types

Heads up! As part of our efforts to improve security and standards-based interoperability, we have implemented several new features in our authentication flows and made changes to existing ones. For an overview of these changes, and details on how you adopt them, refer to Introducing OIDC Conformant Authentication.

When working with Auth0 applications, which are used to represent your applications, there are several terms you should know in terms of how applications are classified:

Confidential vs public applications

The OAuth 2.0 specification defines two types of applications: public and confidential.

When creating an application through the Dashboard, Auth0 will ask you what type of application you want the application to represent and use that information to determine the application type.

Check your application type

You can use the Management API's Get a Client endpoint to check your existing Application's type. If the application is first party, the is_first_party equals true, else false. Be sure to replace CLIENT_ID with the ID of your application.

curl --request GET \
  --url 'https://YOUR_AUTH0_DOMAIN/api/v2/clients/CLIENT_ID?include_fields=true&fields=is_first_party' \
  --header 'authorization: Bearer MGMT_API_ACCESS_TOKEN'
var client = new RestClient("https://YOUR_AUTH0_DOMAIN/api/v2/clients/CLIENT_ID?include_fields=true&fields=is_first_party");
var request = new RestRequest(Method.GET);
request.AddHeader("authorization", "Bearer MGMT_API_ACCESS_TOKEN");
IRestResponse response = client.Execute(request);
package main

import (

func main() {

	url := "https://YOUR_AUTH0_DOMAIN/api/v2/clients/CLIENT_ID?include_fields=true&fields=is_first_party"

	req, _ := http.NewRequest("GET", url, nil)

	req.Header.Add("authorization", "Bearer MGMT_API_ACCESS_TOKEN")

	res, _ := http.DefaultClient.Do(req)

	defer res.Body.Close()
	body, _ := ioutil.ReadAll(res.Body)


HttpResponse<String> response = Unirest.get("https://YOUR_AUTH0_DOMAIN/api/v2/clients/CLIENT_ID?include_fields=true&fields=is_first_party")
  .header("authorization", "Bearer MGMT_API_ACCESS_TOKEN")
var settings = {
  "async": true,
  "crossDomain": true,
  "url": "https://YOUR_AUTH0_DOMAIN/api/v2/clients/CLIENT_ID?include_fields=true&fields=is_first_party",
  "method": "GET",
  "headers": {
    "authorization": "Bearer MGMT_API_ACCESS_TOKEN"

$.ajax(settings).done(function (response) {
var request = require("request");

var options = { method: 'GET',
  url: 'https://YOUR_AUTH0_DOMAIN/api/v2/clients/CLIENT_ID',
  qs: { include_fields: 'true', fields: 'is_first_party' },
  headers: { authorization: 'Bearer MGMT_API_ACCESS_TOKEN' } };

request(options, function (error, response, body) {
  if (error) throw new Error(error);

#import <Foundation/Foundation.h>

NSDictionary *headers = @{ @"authorization": @"Bearer MGMT_API_ACCESS_TOKEN" };

NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://YOUR_AUTH0_DOMAIN/api/v2/clients/CLIENT_ID?include_fields=true&fields=is_first_party"]
[request setHTTPMethod:@"GET"];
[request setAllHTTPHeaderFields:headers];

NSURLSession *session = [NSURLSession sharedSession];
NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request
                                            completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
                                                if (error) {
                                                    NSLog(@"%@", error);
                                                } else {
                                                    NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response;
                                                    NSLog(@"%@", httpResponse);
[dataTask resume];
$curl = curl_init();

curl_setopt_array($curl, array(
  CURLOPT_URL => "https://YOUR_AUTH0_DOMAIN/api/v2/clients/CLIENT_ID?include_fields=true&fields=is_first_party",
    "authorization: Bearer MGMT_API_ACCESS_TOKEN"

$response = curl_exec($curl);
$err = curl_error($curl);


if ($err) {
  echo "cURL Error #:" . $err;
} else {
  echo $response;
import http.client

conn = http.client.HTTPSConnection("")

headers = { 'authorization': "Bearer MGMT_API_ACCESS_TOKEN" }

conn.request("GET", "/YOUR_AUTH0_DOMAIN/api/v2/clients/CLIENT_ID?include_fields=true&fields=is_first_party", headers=headers)

res = conn.getresponse()
data =

require 'uri'
require 'net/http'

url = URI("https://YOUR_AUTH0_DOMAIN/api/v2/clients/CLIENT_ID?include_fields=true&fields=is_first_party")

http =, url.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE

request =
request["authorization"] = 'Bearer MGMT_API_ACCESS_TOKEN'

response = http.request(request)
puts response.read_body
import Foundation

let headers = ["authorization": "Bearer MGMT_API_ACCESS_TOKEN"]

var request = NSMutableURLRequest(URL: NSURL(string: "https://YOUR_AUTH0_DOMAIN/api/v2/clients/CLIENT_ID?include_fields=true&fields=is_first_party")!,
                                        cachePolicy: .UseProtocolCachePolicy,
                                    timeoutInterval: 10.0)
request.HTTPMethod = "GET"
request.allHTTPHeaderFields = headers

let session = NSURLSession.sharedSession()
let dataTask = session.dataTaskWithRequest(request, completionHandler: { (data, response, error) -> Void in
  if (error != nil) {
  } else {
    let httpResponse = response as? NSHTTPURLResponse


See Access Tokens for the Management API for instructions on obtaining the Access Token required to call the Management API.

Confidential applications

Confidential applications are able to hold credentials (such as a client ID and secret) in a secure way without exposing them to unauthorized parties. This means that you will need a trusted backend server to store the secret(s).

The following application types use confidential applications:

All of these grants require applications to authenticate by specifying their client ID and secret when calling the token endpoint.

Since confidential applications are capable of holding secrets, you can choose to have ID Tokens issued to them that have been signed in one of two ways:

  • Symmetrically using their client secret (HS256)
  • Asymmetrically using a private key (RS256)

Public applications

Public applications cannot hold credentials securely. The following application types use public applications:

Since public applications are unable to hold secrets, ID Tokens issued to them must be:

  • Signed asymmetrically using a private key (RS256)
  • Verified using the public key corresponding to the private key used to sign the token

First vs third-party applications

First-party and third-party refer to the ownership of the application. This has implications in terms of who has administrative access to your Auth0 domain.

First-party applications

First-party applications are those controlled by the same organization or person who owns the Auth0 domain. For example, if you wanted to access the Contoso API, you'd use a first-party applications to log into

All applications created via the Dashboard are first-party by default.

Third-party applications

Third-party applications are controlled by someone who most likely should not have administrative access to your Auth0 domain. Third-party applications enable external parties or partners to access protected resources behind your API securely. For example, if you were to create a developer center that allows users to obtain credentials to integrate their apps with your API (this functionality is similar to those provided by well-known APIs such as Facebook, Twitter, and GitHub), you would use a third-party applications.

Third-party applications must be created through the Management API by setting is_first_party to false.

Third party applications have the following characteristics:

How to get a Management APIv2 Token

In order to access the Management APIv2 endpoints from a third party applications, you need a Management APIv2 Token. To get one you can use any of the API Authorization Flows, with the following request parameters:

  • audience=https://YOUR_AUTH0_DOMAIN/api/v2/
  • scope=read:current_user update:current_user_metadata