Client Types

Heads up! As part of our efforts to improve security and standards-based interoperability, we have implemented several new features in our authentication flows and made changes to existing ones. For an overview of these changes, and details on how you adopt them, refer to Introducing OIDC Conformant Authentication.

When working with Auth0 clients, which are used to represent your applications, there are several terms you should know in terms of how clients are classified:

  • Confidential vs. public
  • First vs. third-party

Confidential vs. Public Clients

The OAuth 2.0 specification defines two types of clients: public and confidential.

When creating a client through the Dashboard, Auth0 will ask you what type of application you want the client to represent and use that information to determine the client type.

Checking Your Client Type

You can use the Management API's Get a Client endpoint to check your existing Client's type. If the client is first party, the is_first_party equals true, else false. Be sure to replace CLIENT_ID with the ID of your Client.

curl --request GET \
  --url 'https://YOUR_AUTH0_DOMAIN/api/v2/clients/CLIENT_ID?include_fields=true&fields=is_first_party' \
  --header 'authorization: Bearer MGMT_API_ACCESS_TOKEN'
var client = new RestClient("https://YOUR_AUTH0_DOMAIN/api/v2/clients/CLIENT_ID?include_fields=true&fields=is_first_party");
var request = new RestRequest(Method.GET);
request.AddHeader("authorization", "Bearer MGMT_API_ACCESS_TOKEN");
IRestResponse response = client.Execute(request);
package main

import (

func main() {

	url := "https://YOUR_AUTH0_DOMAIN/api/v2/clients/CLIENT_ID?include_fields=true&fields=is_first_party"

	req, _ := http.NewRequest("GET", url, nil)

	req.Header.Add("authorization", "Bearer MGMT_API_ACCESS_TOKEN")

	res, _ := http.DefaultClient.Do(req)

	defer res.Body.Close()
	body, _ := ioutil.ReadAll(res.Body)


HttpResponse<String> response = Unirest.get("https://YOUR_AUTH0_DOMAIN/api/v2/clients/CLIENT_ID?include_fields=true&fields=is_first_party")
  .header("authorization", "Bearer MGMT_API_ACCESS_TOKEN")
var settings = {
  "async": true,
  "crossDomain": true,
  "url": "https://YOUR_AUTH0_DOMAIN/api/v2/clients/CLIENT_ID?include_fields=true&fields=is_first_party",
  "method": "GET",
  "headers": {
    "authorization": "Bearer MGMT_API_ACCESS_TOKEN"

$.ajax(settings).done(function (response) {
var request = require("request");

var options = { method: 'GET',
  url: 'https://YOUR_AUTH0_DOMAIN/api/v2/clients/CLIENT_ID',
  qs: { include_fields: 'true', fields: 'is_first_party' },
  headers: { authorization: 'Bearer MGMT_API_ACCESS_TOKEN' } };

request(options, function (error, response, body) {
  if (error) throw new Error(error);

#import <Foundation/Foundation.h>

NSDictionary *headers = @{ @"authorization": @"Bearer MGMT_API_ACCESS_TOKEN" };

NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://YOUR_AUTH0_DOMAIN/api/v2/clients/CLIENT_ID?include_fields=true&fields=is_first_party"]
[request setHTTPMethod:@"GET"];
[request setAllHTTPHeaderFields:headers];

NSURLSession *session = [NSURLSession sharedSession];
NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request
                                            completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
                                                if (error) {
                                                    NSLog(@"%@", error);
                                                } else {
                                                    NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response;
                                                    NSLog(@"%@", httpResponse);
[dataTask resume];
$curl = curl_init();

curl_setopt_array($curl, array(
  CURLOPT_URL => "https://YOUR_AUTH0_DOMAIN/api/v2/clients/CLIENT_ID?include_fields=true&fields=is_first_party",
    "authorization: Bearer MGMT_API_ACCESS_TOKEN"

$response = curl_exec($curl);
$err = curl_error($curl);


if ($err) {
  echo "cURL Error #:" . $err;
} else {
  echo $response;
import http.client

conn = http.client.HTTPSConnection("")

headers = { 'authorization': "Bearer MGMT_API_ACCESS_TOKEN" }

conn.request("GET", "/YOUR_AUTH0_DOMAIN/api/v2/clients/CLIENT_ID?include_fields=true&fields=is_first_party", headers=headers)

res = conn.getresponse()
data =

require 'uri'
require 'net/http'

url = URI("https://YOUR_AUTH0_DOMAIN/api/v2/clients/CLIENT_ID?include_fields=true&fields=is_first_party")

http =, url.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE

request =
request["authorization"] = 'Bearer MGMT_API_ACCESS_TOKEN'

response = http.request(request)
puts response.read_body
import Foundation

let headers = ["authorization": "Bearer MGMT_API_ACCESS_TOKEN"]

var request = NSMutableURLRequest(URL: NSURL(string: "https://YOUR_AUTH0_DOMAIN/api/v2/clients/CLIENT_ID?include_fields=true&fields=is_first_party")!,
                                        cachePolicy: .UseProtocolCachePolicy,
                                    timeoutInterval: 10.0)
request.HTTPMethod = "GET"
request.allHTTPHeaderFields = headers

let session = NSURLSession.sharedSession()
let dataTask = session.dataTaskWithRequest(request, completionHandler: { (data, response, error) -> Void in
  if (error != nil) {
  } else {
    let httpResponse = response as? NSHTTPURLResponse


See The Auth0 Management APIv2 Token for instructions on obtaining the access token required to call the Management API.

Confidential Clients

Confidential clients are able to hold credentials (such as a client ID and secret) in a secure way without exposing them to unauthorized parties. This means that you will need a trusted backend server to store the secret(s).

The following application types use confidential clients:

All of these grants require clients to authenticate by specifying their client ID and secret when calling the token endpoint.

Since confidential clients are capable of holding secrets, you can choose to have ID tokens issued to them that have been signed in one of two ways:

  • Symmetrically using their client secret (HS256)
  • Asymmetrically using a private key (RS256)

Public Clients

Public clients cannot hold credentials securely. The following application types use public clients:

Since public clients are unable to hold secrets, ID tokens issued to them must be:

  • Signed asymmetrically using a private key (RS256)
  • Verified using the public key corresponding to the private key used to sign the token

First vs. Third-Party Clients

First-party and third-party refer to the ownership of the application. This has implications in terms of who has administrative access to your Auth0 domain.

First-Party Client

First-party clients are those controlled by the same organization or person who owns the Auth0 domain. For example, if you wanted to access the Contoso API, you'd use a first-party client to log into

All clients created via the Dashboard are first-party by default.

Third-Party Client

Third-party clients are controlled by someone who most likely should not have administrative access to your Auth0 domain. Third-party clients enable external parties or partners to access protected resources behind your API securely. For example, if you were to create a developer center that allows users to obtain credentials to integrate their apps with your API (this functionality is similar to those provided by well-known APIs such as Facebook, Twitter, and GitHub), you would use a third-party client.

Third-party clients must be created through the Management API by setting is_first_party to false. Additionally, Auth0 considers all clients created via Dynamic Client Registration to be third-party.

Was this article helpful?