Application Settings Best Practices

Here are some best practices for configuring Application Settings on the Dashboard.

Make sure to select the correct application type in your application settings to help Auth0 check for certain security risks.

Third-party applications must be created using the Auth0 Management API and have the is_first_party attribute set to false.

By default, ID tokens expire after 10 hours (36000 seconds). Once issued, an ID token cannot be revoked, so instead of longer expiration times, use a short expiration time and renew the session if the user remains active.

If you are using the Organizations feature, for production applications, you can use {org_name} as a placeholder to dynamically specify a registered organization’s name in a URL (https://{org_name}.exampleco.com). URLs with the {org_name} placeholder should only be used on domains that you fully control (for example, https://{org_name}.exampleco.com where you control the exampleco.com domain).

Do not use wildcard placeholders or localhost URLs in your application callbacks or allowed origins fields. Using redirect URLs with wildcard placeholders can make your application vulnerable to attacks. Instead, URLs with the {org_name} placeholder should be preferred, where relevant.

To learn more, see Placeholders for Subdomains.

To redirect users after logout, register the redirect URL in your tenant or application settings. Auth0 only redirects to whitelisted URLs after logout. If you need different redirects for each application, you can add the URLs to the AllowList in your application settings.

Make sure that RS256 is the signature method for signing JSON web tokens (JWTs). The JWT signature method can be found under Auth0 Dashboard > Applications > Applications. Scroll to the bottom of the Settings page, and select Show Advanced Settings, then select the OAuth view. To learn more, see Auth0 Blog: Navigating RS256 and JWKS.

(For tenants created before 27 December 2017.) If your application is not OIDC conformant, migrate your applications to be OIDC conformant. Newer tenants can only use OIDC conformant behavior.

Test by turning on the OIDC conformant toggle and testing your application.

By default, delegation is disabled for tenants without an add-on in use as of 8 June 2017. Legacy tenants who currently use an add-on that requires delegation may continue to use this feature. If delegation functionality is changed or removed from service at some point, customers who currently use it will be notified beforehand and given ample time to migrate.

If you are not using delegation, provide your application's client ID in the Allowed Apps / APIs field to restrict delegation requests.

Turn off unneeded grant types for your application to prevent someone from issuing authorization requests for unauthorized grant types.

Docs