Clients

Overview

An Auth0 client maps to your application and allows you to use Auth0 for authentication. The term client does not imply any particular implementation characteristics. Your application can be a native app that executes on a mobile device, a single page app that executes in a browser, or a regular web app that executes on a server.

Client Types

There are four client types in Auth0.

  • Native: Used for mobile, desktop or hybrid apps that run natively on a device, such as Android, Ionic or iOS. For a complete listing of the SDKs Auth0 offers for mobile apps refer to: Native SDKs.

  • Single Page Web Applications: Used for JavaScript front-end apps that run on a browser, like Angular, jQuery or React. For a complete listing of the SDKs Auth0 offers for SPAs refer to: Single Page App SDKs.

  • Regular Web Applications: Used for traditional web applications that run on a server, like ASP .NET, Java or Node.js. For a complete listing of the SDKs Auth0 offers for Web Apps refer to: Web App SDKs.

  • Non Interactive Clients: Used for server-to-server applications such as CLIs, daemons or services running on your backend. Typically you would use this option if you have a service that requires access to an API.

How to configure a Client

Navigate to the dashboard and click on the Clients menu option on the left. By default, you should have one client named Default App. You can either configure this one or create a new one by clicking the + Create Client button.

The Create Client window pops open. Set a descriptive name for your client and select the client type. The client type should match your application.

Create Client window

After you set the name and client type, click Create.

A new client will be created and you will be redirected to this client's view that has four tabs:

  • Quick Start: Lists all available Quick Starts, filtered by your client's type.

  • Settings: Lists all the available settings for your client.

  • Addons: Add-ons are extensions associated with clients. They are typically third-party APIs used by the client(s) for which Auth0 generates access tokens. For more details refer to: Addons.

  • Connections: Connections are sources of users. They are categorized into Database, Social and Enterprise and can be shared among different clients. For more details refer to: Connections. For a detailed list on the supported Identity Providers refer to: Identity Providers Supported by Auth0.

Client Settings

Click on the Settings tab of your client to review the available settings:

  • Name: The name of your client. This information is editable and you will see it in the portal, emails, logs, and so on.

  • Domain: Your Auth0 account name. Note that the domain name is chosen when you create a new Auth0 account and cannot be changed. If you need a different one you have to register for a new account by selecting New Account at the top right menu.

  • Client ID: The unique identifier for your client. This is the ID you will use when configuring authentication with Auth0. It is generated by the system when you create a new client and it cannot be modified.

  • Client Secret: A base64 encoded string used to sign and validate id_tokens for authentication flows and to gain access to select Auth0 API endpoints. By default, the value is hidden, so check the Reveal Client Secret box to see this value.

Keep it safe

While the Client ID is considered public information, the Client Secret must be kept confidential. If anyone can access your Client Secret they can issue tokens and access resources they shouldn't.

  • Client Type: The type of client you are implementing. Depending on which you choose, the available settings differ to show you only the settings applicable to your Client Type. You can change this value at any time by selecting one of the following: Native, Non Interactive Client, Regular Web Application, or Single Page Application.

  • First Party Client: When a First Party client requests authorized access against an API with the Allow Skipping User Consent flag set, the User Consent dialog will not be shown to the final user. Note that if the hostname of your callback URL is localhost or 127.0.0.1 the consent dialog will always be displayed.

  • Token Endpoint Authentication Method: Defines the requested authentication method for the token endpoint. Possible values are None (public client without a client secret), Post (client uses HTTP POST parameters) or Basic (client uses HTTP Basic).
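The three methods above differ only in where the client credentials travel in the token request. The following is an added example (not Auth0 SDK code) that builds the request for each method; the client ID, secret and tenant domain are constructed placeholders.

```python
import base64
from urllib.parse import quote, unquote, urlencode

# Constructed sample credentials and tenant domain (placeholders, not real values).
CLIENT_ID = "abc123"
CLIENT_SECRET = "s3cr3t/with+special=chars"
TOKEN_URL = "https://YOUR_DOMAIN.auth0.com/oauth/token"


def token_request(method, grant_params, client_id=CLIENT_ID, client_secret=CLIENT_SECRET):
    """Return (headers, body) for a token-endpoint request authenticated with
    the given method: "none", "post" or "basic" (the dashboard's three options)."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    params = dict(grant_params)
    if method == "none":
        # Public client (SPA, native): identifies itself by client_id only.
        # No secret exists on the client side, so none is ever sent.
        params["client_id"] = client_id
    elif method == "post":
        # client_secret_post: both values travel as form parameters in the body.
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    elif method == "basic":
        # client_secret_basic (RFC 6749 section 2.3.1): form-urlencode each value
        # *before* joining with ':' and base64-encoding, so characters such as
        # '/', '+' and '=' in the secret survive the round trip.
        raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(raw.encode()).decode()
    else:
        raise ValueError(f"unknown token endpoint auth method: {method}")
    return headers, urlencode(params)


def decode_basic(header_value):
    """Inverse of the Basic encoding above: what the server recovers from the header."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic authorization header")
    cid, _, secret = base64.b64decode(b64).decode().partition(":")
    return unquote(cid), unquote(secret)
```

Whichever method you select in the dashboard must be the one your application actually uses, otherwise the token endpoint rejects the request.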

  • Allowed Callback URLs: Set of URLs to which Auth0 is allowed to redirect the users after they authenticate. You can specify multiple valid URLs by comma-separating them (typically to handle different environments like QA or testing). You can use the star symbol as a wildcard for subdomains (*.google.com). Make sure to specify the protocol, http:// or https://, otherwise the callback may fail in some cases.

  • Allowed Logout URLs: After a user logs out from Auth0 you can redirect them with the returnTo query parameter. The URL that you use in returnTo must be listed here. You can specify multiple valid URLs by comma-separating them. You can use the star symbol as a wildcard for subdomains (*.google.com). Notice that querystrings and hash information are not taken into account when validating these URLs. Read more about this at: Logout.

  • Allowed Origins (CORS): Set of URLs that will be allowed to make requests from JavaScript to the Auth0 API (typically used with CORS). This prevents same-origin policy errors when using Auth0 from within a web browser. By default, all your callback URLs will be allowed. This field allows you to enter other origins if you need to. You can specify multiple valid URLs by comma-separating them. You can use the star symbol as a wildcard for subdomains (*.google.com). Notice that querystrings and hash information are not taken into account when validating these URLs.
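The three URL allowlists above share the same rules: comma-separated entries, a required protocol, a star wildcard for subdomains, and (for logout and CORS) query string and hash ignored. The added example below is an illustration of those rules, not Auth0's own matching code; the allowlist is constructed, and treating the wildcard as matching exactly one subdomain label is an assumption.

```python
from urllib.parse import urlsplit

# Constructed allowlist in the dashboard's comma-separated form. Every entry
# carries its protocol, as the settings above require.
ALLOWED_URLS = ("https://app.example.com/callback, https://*.example.com/callback, "
                "http://localhost:3000/callback")


def parse_allowlist(field):
    """Split the comma-separated dashboard field into individual URL patterns."""
    return [p.strip() for p in field.split(",") if p.strip()]


def host_matches(pattern_host, host):
    """Exact host match, or a '*.' wildcard covering one subdomain label (assumption).
    Note that a wildcard extends trust to every matching subdomain, so keep it narrow."""
    if pattern_host.startswith("*."):
        suffix = pattern_host[1:]                       # "*.example.com" -> ".example.com"
        label = host[: -len(suffix)] if host.endswith(suffix) else ""
        return label != "" and "." not in label
    return pattern_host == host


def url_allowed(candidate, allowlist, ignore_query_and_fragment):
    """True if candidate matches an allowlist entry.

    Scheme, host and port must all match, so http:// vs https:// matters and a
    protocol-less URL never matches. For logout and CORS the query string and
    fragment are ignored; for callbacks they are compared strictly."""
    c = urlsplit(candidate)
    if not c.scheme or not c.hostname:
        return False
    for pattern in allowlist:
        p = urlsplit(pattern)
        if p.scheme != c.scheme or p.port != c.port:
            continue
        if not host_matches(p.hostname, c.hostname):
            continue
        if p.path.rstrip("/") != c.path.rstrip("/"):
            continue
        if ignore_query_and_fragment or (p.query == c.query and p.fragment == c.fragment):
            return True
    return False
```

Exercising the function with a look-alike host such as app.example.com.evil.test shows why the match is on the whole host rather than a substring.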

  • JWT Expiration (seconds): The amount of time (in seconds) before the Auth0 id_token expires. The default value is 36000, which maps to 10 hours.

  • Use Auth0 instead of the IdP to do Single Sign On: If enabled, this setting prevents Auth0 from redirecting authenticated users with valid sessions to the identity provider (such as Facebook, ADFS, and so on).

How to Delete a Client

Navigate to the Client Settings and scroll to the end of the page. Under the Danger Zone section you can find the Delete Client button. This operation cannot be undone.

Once you click on the button a pop-up window will ask you to confirm the action. Click Yes, delete client to permanently remove the client.

Note: You can also delete a client using the DELETE /api/v2/clients/{id} endpoint of the Management API.

Client Auditing

Auth0 stores log data both for actions taken in the dashboard by administrators and for authentications made by your users. The logs include many of the actions performed by the user, such as failing to log in to a client or requesting a password change. For more details refer to: Logs.

If you use a third-party application for log management, like Sumo Logic, Splunk or Loggly, you can use Auth0 Extensions to export your logs there. For details on the available extensions and how to configure them refer to: Extensions.