When working with Auth0 clients, which represent your applications, there are several terms you should know about how clients are classified:
- Confidential vs. public
- First vs. third-party
Confidential vs. Public Clients
The OAuth 2.0 specification defines two types of clients: public and confidential.
When creating a client through the Dashboard, Auth0 will ask you what type of application you want the client to represent and use that information to determine the client type.
Confidential clients are able to hold credentials, such as a client ID and secret, in a secure way without exposing them to unauthorized parties. This means that you will need a trusted backend server to store the secret(s).
The following application types use confidential clients:
- Web applications with a secure backend using the Authorization Code grant, Password or Password Realm grants
- Non-interactive clients using the Client Credentials grant
All of these grants require clients to authenticate by specifying their client ID and secret when calling the token endpoint.
Since confidential clients are capable of holding secrets, you can choose to have ID tokens issued to them that have been signed:
- Symmetrically using their client secret (
- Asymmetrically using a private key (
Public clients cannot hold credentials securely. The following application types use public clients:
- Native desktop or mobile applications using the Authorization Code grant with PKCE
Since public clients are unable to hold secrets, ID tokens issued to them must be:
- Signed asymmetrically using a private key (
- Verified using the public key corresponding to the private key used to sign the token
First vs. Third-Party Clients
First-party and third-party refer to the ownership of the application. This has implications in terms of who has administrative access to your Auth0 domain.
First-party clients are those controlled by the same organization or person who owns the Auth0 domain. For example, if you wanted to access the Contoso API, you'd use a first-party client to log into
All clients created via the Dashboard are, by default, first-party.
Third-party clients are controlled by someone who most likely should not have administrative access to your Auth0 domain. Third-party clients enable external parties or partners to access protected resources behind your API securely. For example, if you create a developer center that allows users to obtain credentials to integrate their apps with your API (this functionality is similar to those provided by well-known APIs such as Facebook, Twitter, and GitHub), you'd use a third-party client.