Client Settings: Regular Web Applications

This document lists the settings for a Regular Web App Client; if you're using a different Client type, please use the drop-down to select the appropriate doc.

When creating an Auth0 Client, you'll be asked to indicate the type of Client you want to create.

Window for selecting client type

If you're working with a traditional web app that has the ability to refresh its pages, you'll want to create a Regular Web Applications Client.


  • Name: The name of your client. This information is editable, and you will see it in the portal, emails, logs, and so on.

  • Domain: Your Auth0 account name. Note that the domain name is chosen when you create a new Auth0 account and cannot be changed. If you need a different one you have to register for a new account by selecting New Account at the top right menu.

  • Client ID: The unique identifier for your client. This is the ID you will use when configuring authentication with Auth0. It is generated by the system when you create a new client and cannot be modified.

  • Client Secret: A string used to sign and validate id_tokens for authentication flows and to gain access to select Auth0 API endpoints. By default, the value is hidden, so check the Reveal Client Secret box to see this value.

    While the Client ID is considered public information, the Client Secret must be kept confidential. If anyone can access your Client Secret they can issue tokens and access resources they shouldn't.

  • Description: A free-text description of the Client's purpose with a maximum of 140 characters.

  • Client Type: The type of client you are implementing. If you're working with a traditional web app that has the ability to refresh its pages, use a Regular Web Applications Client.

  • Token Endpoint Authentication Method: Defines the requested authentication method for the token endpoint. Possible values are None (public client without a client secret), Post (client uses HTTP POST parameters) or Basic (client uses HTTP Basic).

  • Allowed Callback URLs: Set of URLs to which Auth0 is allowed to redirect users after they authenticate. You can specify multiple valid URLs by comma-separating them (typically to handle different environments like QA or testing). You can use the star symbol (*) as a wildcard for subdomains. Make sure to specify the protocol (http:// or https://), otherwise the callback may fail in some cases.

  • Allowed Logout URLs: After a user logs out from Auth0 you can redirect them with the returnTo query parameter. The URL that you use in returnTo must be listed here. You can specify multiple valid URLs by comma-separating them. You can use the star symbol (*) as a wildcard for subdomains. Notice that query strings and hash information are not taken into account when validating these URLs. Read more about this at: Logout.

  • Allowed Origins (CORS): Set of URLs that will be allowed to make requests from JavaScript to the Auth0 API (typically used with CORS). This prevents same-origin policy errors when using Auth0 from within a web browser. By default, all your callback URLs will be allowed. This field allows you to enter other origins if you need to. You can specify multiple valid URLs by comma-separating them. You can use the star symbol (*) as a wildcard for subdomains. Notice that paths, query strings and hash information are not taken into account when validating these URLs (and may, in fact, cause the match to fail).

  • JWT Expiration (seconds): The amount of time (in seconds) before the Auth0 id_token expires. The default value is 36000, which maps to 10 hours.

  • Use Auth0 instead of the IdP to do Single Sign On: If enabled, this setting prevents Auth0 from redirecting authenticated users with valid sessions to the identity provider (such as Facebook, ADFS, and so on).
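The three URL allow-lists above share one matching model: the protocol must be present, the star wildcard covers subdomains, and for logout URLs and origins the query string and fragment are ignored. The JavaScript below is an added example, not Auth0's own code, that models those rules so you can see which redirect targets an allow-list entry would and would not accept. The helper names (isAllowedCallback, isAllowedLogoutUrl, isAllowedOrigin) and the sample settings values are constructed for the example, and treating callback URLs the same way as logout URLs with respect to query string and fragment is an assumption the page does not state.

```javascript
// Added example, not Auth0's own code: models the allow-list rules this page
// describes for Allowed Callback URLs, Allowed Logout URLs and Allowed Origins.
// Function names and the sample settings values are constructed for illustration.

// Minimal http(s) URL splitter. An entry without a protocol yields null, so it
// never matches: this is the failure the page warns about for callbacks.
const URL_RE = /^(https?):\/\/([^/:?#]+)(?::(\d+))?([^?#]*)(\?[^#]*)?(#.*)?$/i;

function splitUrl(s) {
  const m = URL_RE.exec(s.trim());
  if (!m) return null;
  return {
    protocol: m[1].toLowerCase(),
    host: m[2].toLowerCase(),
    port: m[3] || "",
    path: m[4] || "/",   // an empty path is the same as "/"
    query: m[5] || "",
    hash: m[6] || "",
  };
}

// Comma-separated dashboard field -> parsed entries; unparseable ones are dropped.
function parseUrlList(field) {
  return field.split(",").map(splitUrl).filter(Boolean);
}

// A leading "*." matches any host with at least one extra label; otherwise exact.
function hostMatches(pattern, host) {
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1);
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Protocol, host and port must agree; the path is compared only when asked.
// Query string and fragment are never compared: the page states this for
// logout URLs and origins, and this example applies it to callbacks as well.
function entryMatches(entry, candidate, comparePath) {
  return entry.protocol === candidate.protocol &&
    entry.port === candidate.port &&
    hostMatches(entry.host, candidate.host) &&
    (!comparePath || entry.path === candidate.path);
}

function isAllowedCallback(field, redirectUri) {
  const c = splitUrl(redirectUri);
  return c !== null && parseUrlList(field).some((e) => entryMatches(e, c, true));
}

function isAllowedLogoutUrl(field, returnTo) {
  const c = splitUrl(returnTo);
  return c !== null && parseUrlList(field).some((e) => entryMatches(e, c, true));
}

// A browser Origin header carries no path, so only protocol, host and port count.
function isAllowedOrigin(field, origin) {
  const c = splitUrl(origin);
  return c !== null && parseUrlList(field).some((e) => entryMatches(e, c, false));
}

// Constructed settings values, as they would be typed into the dashboard.
// The third callback entry has no protocol and therefore never matches.
const CALLBACKS = "https://app.example.com/callback, https://*.qa.example.com/callback, localhost:3000/callback";
const LOGOUT_URLS = "https://app.example.com/, https://*.qa.example.com/loggedout";
const ORIGINS = "https://app.example.com, https://*.qa.example.com";

console.log(isAllowedCallback(CALLBACKS, "https://build7.qa.example.com/callback")); // true
console.log(isAllowedCallback(CALLBACKS, "http://localhost:3000/callback"));        // false
```

Keep entries as specific as the environment allows: a wildcard entry makes every subdomain a valid redirect target, so it belongs in QA or test fields rather than in the production client's settings.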

Client Settings Page

Advanced Settings

The Advanced Settings section allows you to:

  • Manage or add Client Metadata, Mobile, OAuth, and WS-Federation settings
  • Obtain certificates and token endpoint information
  • Set the grant type(s) for the Client

Advanced Client Settings Page

Application Metadata

Application metadata are custom string keys and values (each of which has a maximum of 255 characters), set on a per-application basis. Metadata is exposed in the Client object as client_metadata, and in Rules as context.clientMetadata.

You can create up to 10 sets of metadata.

Mobile Settings

If you're developing a mobile application, you can provide the necessary iOS/Android parameters here.

When developing iOS apps, you'll provide your Team ID and App Bundle Identifier.

When developing Android apps, you'll provide your App Package Name and your Key Hashes.

OAuth

Set the OAuth-related settings on this tab:

  • By default, all apps/APIs can make a delegation request, but if you want to explicitly grant permissions to selected apps/APIs, you can do so in Allowed APPs/APIs.

  • Set the algorithm used (HS256 or RS256) for signing your JSON Web Tokens.

  • Toggle the switch to indicate if your client is OIDC Conformant or not.

  • Toggle the Trust Token Endpoint IP Header setting; if this is enabled, the auth0-forwarded-for header is set as trusted and used as the source of end-user IP information for protection against brute-force attacks on the token endpoint.

Grant Types

Set the authorization grant types allowed for the client. See Client Grant Types for additional information about each grant type.

WS-Federation

The sample script provides a basis for you to make changes to your WS-Federation settings.

Certificates

This page provides you with the Auth0 signing certificate, fingerprint, and thumbprint. You can also download a certificate if needed for an integration you're configuring.

Endpoints

This section provides you with a complete list of the OAuth, SAML, and WS-Federation endpoints for your Auth0 account.