Application Settings Best Practices
Here are some best practices for configuring Application Settings on the Dashboard.
Make sure to select the correct application type in your application settings to help Auth0 check for certain security risks.
Third-party applications must be created using the Auth0 Management API and have the is_first_party attribute set to
ID token expiration
By default, ID tokens expire after 10 hours (36000 seconds). Once issued, an ID token cannot be revoked, so instead of longer expiration times, use a short expiration time and renew the session if the user remains active.
Wildcards or localhost URLs
Do not use wildcard or localhost URLs in your application callbacks or allowed origins fields. Using redirect URLs with wildcards can make your application vulnerable to attacks.
Logout redirect URLs
To redirect users after logout, register the redirect URL in your tenant or application settings. Auth0 only redirects to whitelisted URLs after logout. If you need different redirects for each application, you can add the URLs to the AllowList in your application settings.
RS256 signature algorithm
Make sure that RS256 is the signature method for signing JSON web tokens (JWTs). The JWT signature method can be found under Applications > Settings > Advanced Settings > OAuth. See Auth0 Blog: Navigating RS256 and JWKS for more information.
(For tenants created before 27 December 2017.) If your application is not OIDC conformant, migrate your applications to be OIDC conformant. Newer tenants can only use OIDC conformant behavior.
Test this by turning on the OIDC conformant toggle and verifying that your application still works as expected.
If you are not using delegation, provide your application's client ID in the Allowed Apps / APIs field to restrict delegation requests.
Turn off unneeded grant types for your application so that nobody can issue authorization requests using grant types your application is not meant to support.
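The recommendations above, collected into an added audit script that is not part of Auth0's documentation or SDKs: it takes a client object shaped like the Management API's client representation (field names such as app_type, callbacks, allowed_origins, allowed_logout_urls, jwt_configuration.alg, jwt_configuration.lifetime_in_seconds, oidc_conformant and grant_types follow that API) and reports each setting that deviates from these best practices. The sample client is constructed; the set of grant types treated as acceptable is an assumption you should adjust per application.

```python
from urllib.parse import urlparse

# Constructed sample shaped like a client object returned by the Auth0 Management API
# (GET /api/v2/clients/{id}); only the fields the checks below use are included.
SAMPLE_CLIENT = {
    "name": "example-spa",
    "app_type": "spa",
    "is_first_party": True,
    "callbacks": ["https://app.example.com/callback", "http://localhost:3000/callback"],
    "allowed_origins": ["https://*.example.com"],
    "allowed_logout_urls": ["https://app.example.com/"],
    "jwt_configuration": {"alg": "HS256", "lifetime_in_seconds": 36000},
    "oidc_conformant": False,
    "grant_types": ["authorization_code", "implicit", "password", "refresh_token"],
}

def risky_url(url):
    """Return 'wildcard' or 'localhost' if the URL should not be registered, else None."""
    if "*" in url:
        return "wildcard"
    host = urlparse(url).hostname or ""
    if host in ("localhost", "127.0.0.1", "::1") or host.endswith(".localhost"):
        return "localhost"
    return None

def audit_client(client, max_id_token_seconds=36000,
                 allowed_grants=("authorization_code", "refresh_token")):
    """Return (setting, finding) pairs for every setting that deviates from the best practices.
    allowed_grants is an assumed policy for the audited app, not an Auth0 default."""
    findings = []
    if not client.get("app_type"):
        findings.append(("app_type", "application type not set"))
    # Callback, origin and logout URL lists must not contain wildcard or localhost entries.
    for field in ("callbacks", "allowed_origins", "allowed_logout_urls"):
        for url in client.get(field) or []:
            reason = risky_url(url)
            if reason:
                findings.append((field, f"{reason} URL: {url}"))
    jwt = client.get("jwt_configuration") or {}
    if jwt.get("alg") != "RS256":
        findings.append(("jwt_configuration.alg", f"expected RS256, found {jwt.get('alg')}"))
    # 36000 seconds (10 hours) is the documented default ID token lifetime.
    if jwt.get("lifetime_in_seconds", 36000) > max_id_token_seconds:
        findings.append(("jwt_configuration.lifetime_in_seconds", "ID token lifetime too long"))
    if not client.get("oidc_conformant"):
        findings.append(("oidc_conformant", "OIDC conformant mode is off"))
    extra = sorted(set(client.get("grant_types") or []) - set(allowed_grants))
    if extra:
        findings.append(("grant_types", "unneeded grant types enabled: " + ", ".join(extra)))
    return findings
```

Running audit_client(SAMPLE_CLIENT) flags the localhost callback, the wildcard origin, the HS256 signing algorithm, the disabled OIDC conformant mode and the implicit and password grants.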