Recommended Application Settings
In this article, you'll learn some best practices for configuring applications.
Check the Client ID
Confirm your application code uses the correct Client ID. You can find the Client ID in your application's settings on the Auth0 Dashboard.
Correct application type
Make sure the correct application type is set in your application settings. Setting the correct application type helps Auth0 check for certain security risks.
Flag third-party applications
You should flag first-party and third-party applications. First-party applications can be configured from the Applications page of the Auth0 Dashboard. Third-party applications must be created using the Auth0 Management API and have the is_first_party attribute set to false.
Set JWT token expiration
Set the ID Token expiration time in your Application Settings. By default, ID Tokens expire after 10 hours.
Once issued, an ID Token cannot be revoked, so use a short expiration time and renew the session if the user remains active.
Do not use wildcards or localhost in callbacks or origins fields
Do not use wildcard or localhost URLs in your application callbacks or allowed origins fields. Using redirect URLs with wildcards can make your application vulnerable to attacks.
Register logout redirect URLs
To redirect users after logout, register the redirect URL in your tenant or application settings. Auth0 only redirects to whitelisted URLs after logout.
You should register redirect URLs in your tenant settings. If you need different redirects for each application, you can whitelist the URLs in your application settings.
Advanced application settings
RS256 signature algorithm
Make sure that RS256 is the signature method for signing JSON Web Tokens (JWT). The JWT signature method can be found under Applications > Settings > Advanced Settings > OAuth on the dashboard.
You can test if an application is OIDC conformant by turning on the OIDC conformant toggle and testing your application.
If you are not using delegation, provide your application's Client ID in the Allowed Apps / APIs field to restrict delegation requests. You can find this field in Applications > Settings > Advanced Settings > OAuth on the dashboard.
Delegation is a deprecated feature and new applications should not use it.
Remove unnecessary grant types
Go to Applications > Settings > Advanced Settings > Grant Types and turn off any unneeded grant type for your application. This prevents someone from issuing authorization requests for unauthorized grant types.
For example, you should turn off the authorization code grant type for a single page application, because it is not appropriate for a public client.
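The settings above can be checked in bulk against client objects exported from the Management API. The following is an added example, not Auth0's own code: it audits one client dict for wildcard or localhost URLs, the signing algorithm, ID Token lifetime, OIDC conformance and extra grant types. The field names are those of the Management API client object; the lifetime cap and the list of expected grant types are assumed local policy, and the sample client is constructed.

```python
from urllib.parse import urlsplit

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
URL_FIELDS = ("callbacks", "allowed_origins", "web_origins", "allowed_logout_urls")

def risky_url(url):
    """Return a reason if the URL contains a wildcard or points at localhost."""
    if "*" in url:
        return "wildcard"
    host = urlsplit(url).hostname or ""
    if host in LOCAL_HOSTS or host.endswith(".localhost"):
        return "localhost"
    return None

def audit_client(client, expected_grants, max_id_token_seconds=3600):
    """Audit one client dict; expected_grants and the lifetime cap are assumed policy."""
    findings = []
    for field in URL_FIELDS:
        for url in client.get(field) or []:
            reason = risky_url(url)
            if reason:
                findings.append(f"{field}: {reason} in {url}")
    jwt = client.get("jwt_configuration") or {}
    if jwt.get("alg") != "RS256":
        findings.append(f"jwt_configuration.alg is {jwt.get('alg')}, expected RS256")
    lifetime = jwt.get("lifetime_in_seconds", 36000)  # default is 10 hours
    if lifetime > max_id_token_seconds:
        findings.append(f"ID Token lifetime {lifetime}s exceeds {max_id_token_seconds}s")
    if not client.get("oidc_conformant", False):
        findings.append("oidc_conformant is off")
    extra = sorted(set(client.get("grant_types") or []) - set(expected_grants))
    if extra:
        findings.append(f"unneeded grant types: {', '.join(extra)}")
    return findings

# Constructed sample client, not taken from a real tenant.
SAMPLE = {
    "callbacks": ["https://app.example.com/callback", "https://*.example.com/cb"],
    "allowed_origins": ["http://localhost:3000"],
    "jwt_configuration": {"alg": "HS256", "lifetime_in_seconds": 36000},
    "oidc_conformant": False,
    "grant_types": ["authorization_code", "refresh_token", "password"],
}

if __name__ == "__main__":
    for finding in audit_client(SAMPLE, {"authorization_code", "refresh_token"}):
        print(finding)
```

An empty result means the client passed every check; run it over each entry of an exported client list and review anything it reports.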