When registered, Auth0 Applications have access to different grant types based on application type. The biggest deciding factor is whether the application is confidential or public.

Additionally, trusted first-party applications have access to additional grant types.

When a Native App or Single-Page App is registered in the Dashboard, it is automatically flagged as a public application, which is indicated by a token_endpoint_auth_method flag set to none.

By default, Auth0 creates public applications with the following grant_types enabled:

• implicit
• authorization_code
• refresh_token

Native Apps can also use the device_code grant type.

When a Regular Web App or Machine-to-Machine (M2M) App is registered in the Dashboard, it is automatically flagged as a confidential application, which is indicated by a token_endpoint_auth_method flag set to anything except none.

By default, Auth0 creates confidential applications with the following grant_types enabled:

• implicit
• authorization_code
• refresh_token
• client_credentials

Trusted first-party applications have the same grant_types enabled as confidential applications, plus the following:

• password
• http://auth0.com/oauth/grant-type/password-realm
• http://auth0.com/oauth/grant-type/mfa-oob
• http://auth0.com/oauth/grant-type/mfa-otp
• http://auth0.com/oauth/grant-type/mfa-recovery-code

For more info about first-party and third-party applications, see Application Types: First-party vs. Third-party.