
Application Types - First-party vs. third-party

Applications are classified as either first-party or third-party according to who owns them. In practice the distinction comes down to whether the party controlling the application also has administrative access to your Auth0 domain.


First-party applications

First-party applications are those controlled by the same organization or person who owns the Auth0 domain.

For example, let's say you created both a Contoso API and an application that logs into and consumes the Contoso API. You would register both the API and application under the same Auth0 domain, and the application would be a first-party application.

By default, all applications created via the Auth0 Dashboard are first-party applications.

Third-party applications

Third-party applications are controlled by someone who does not, and in most cases should not, have administrative access to your Auth0 domain. Third-party applications enable external parties or partners to securely access protected resources behind your API without being trusted at the tenant level.

For example, let's say you created a developer center that allows users to obtain credentials so they can integrate their apps with your API. (This functionality is similar to the log-in capabilities provided by well-known APIs such as Facebook, Twitter, and GitHub.) In this case, the applications calling your developer center would be third-party applications.

Third-party applications must be created through the Auth0 Management API by setting is_first_party to false.

Characteristics of Third-Party Applications

Third-party applications cannot skip the user consent prompt when consuming APIs. Because anyone can create such an application, requiring the end user to explicitly consent to the requested scopes is what prevents an arbitrary application from silently acting on that user's behalf.

ID Tokens

ID Tokens issued to third-party applications contain only a minimal set of user profile claims, rather than the full profile a first-party application would receive.

Third-party applications can use only tenant-level connections (domain connections), that is, connections enabled for the whole tenant rather than for individual applications. Learn how to enable third-party applications.


When used with the Management API v2

Third-party applications cannot use ID Tokens to call Management API endpoints. Instead, they must obtain a Management API Access Token (audience: your tenant's Management API identifier, https://{your-domain}/api/v2/) that carries the current_user_* scopes required by each endpoint. These scopes only ever grant access to the logged-in user's own record, never to tenant-wide resources:
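The two Management API interactions described on this page, creating a client with is_first_party set to false and requesting a Management API token limited to current_user_* scopes, as an added example that is not Auth0's own code or SDK. The tenant domain example.us.auth0.com, the client name, the callback URL, the placeholder management token and the fake_post transport are all constructed for the example; the endpoint path /api/v2/clients, the is_first_party field, the /authorize parameters and the current_user_* scope names are Auth0's.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Management API v2 scopes a third-party app may request on behalf of the
# logged-in user (the current_user_* family). Anything outside this set is a
# tenant-wide scope that a third-party app must never be handed.
CURRENT_USER_SCOPES = frozenset({
    "read:current_user",
    "update:current_user_identities",
    "update:current_user_metadata",
    "delete:current_user_metadata",
    "create:current_user_metadata",
    "create:current_user_device_credentials",
    "delete:current_user_device_credentials",
})


def build_create_client_request(domain, mgmt_token, name, callbacks):
    """Return (url, headers, body) for POST /api/v2/clients.
    is_first_party is set to False here because the Dashboard cannot do it."""
    url = f"https://{domain}/api/v2/clients"
    headers = {
        "Authorization": f"Bearer {mgmt_token}",  # token must hold create:clients
        "Content-Type": "application/json",
    }
    body = {
        "name": name,
        "app_type": "regular_web",
        "callbacks": list(callbacks),
        "is_first_party": False,
        "oidc_conformant": True,
    }
    return url, headers, body


def create_third_party_client(domain, mgmt_token, name, callbacks, post):
    """Create the client through the given transport and verify the tenant
    really returned a third-party client before handing it to a partner."""
    url, headers, body = build_create_client_request(domain, mgmt_token, name, callbacks)
    status, resp = post(url, headers, body)
    if status != 201:
        raise RuntimeError(f"client creation failed: HTTP {status} {resp}")
    if resp.get("is_first_party") is not False:
        raise RuntimeError("tenant returned a first-party client; refusing to use it")
    return resp


def build_authorize_url(domain, client_id, redirect_uri, scopes, state):
    """Authorization request a third-party app sends so the user can consent to
    a Management API Access Token restricted to current_user_* scopes.
    Rejects any scope outside that family before the request is ever made."""
    bad = [s for s in scopes if s not in CURRENT_USER_SCOPES]
    if bad:
        raise ValueError(f"not current_user_* scopes: {bad}")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "audience": f"https://{domain}/api/v2/",  # Management API identifier
        "scope": "openid " + " ".join(scopes),
        "state": state,
    }
    return f"https://{domain}/authorize?" + urllib.parse.urlencode(params)


def http_post_json(url, headers, body):
    """Real transport (needs network). Returns (status, decoded JSON)."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as r:
            return r.status, json.load(r)
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")


def fake_post(url, headers, body):
    """Constructed stand-in for the Management API so the example runs offline:
    echoes the fields a real create-client response would carry."""
    if not headers.get("Authorization", "").startswith("Bearer "):
        return 401, {"error": "Unauthorized"}
    return 201, {"client_id": "hypothetical_client_id", "name": body["name"],
                 "is_first_party": body["is_first_party"], "callbacks": body["callbacks"]}


if __name__ == "__main__":
    domain = "example.us.auth0.com"  # hypothetical tenant
    client = create_third_party_client(domain, "MGMT_TOKEN_PLACEHOLDER", "Partner Portal",
                                       ["https://partner.example/callback"], post=fake_post)
    print("created", client["client_id"], "is_first_party =", client["is_first_party"])
    print(build_authorize_url(domain, client["client_id"], "https://partner.example/callback",
                              ["read:current_user", "update:current_user_metadata"], state="xyz"))
```

Swap fake_post for http_post_json to run it against a real tenant. The scope check in build_authorize_url is the practical point: a third-party app that requests read:users instead of read:current_user is asking for tenant-wide data, and the safe place to catch that is before the consent screen is ever shown.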

