Name: The name of your application. Editable, and will be seen in the portal, emails, logs, and so on.
Domain: Your Auth0 tenant name. You choose this when you create a new Auth0 tenant, and it cannot be changed. If you need a different domain, you must register for a new tenant by selecting + Create Tenant in the top-right menu.
Client ID: The unique identifier for your application. You will use this when configuring authentication with Auth0. Generated by the system when you create a new application and cannot be modified.
Client Secret: A string used to sign and validate ID Tokens for authentication flows and to gain access to select Auth0 API endpoints. By default, the value is hidden, so check the Reveal Client Secret box to see it.
Description: A free-text description of the Application's purpose. Maximum of 140 characters.
Application Logo: The URL to a logo (recommended size: 150x150 pixels) to be displayed for the application. Appears in several areas, including the list of applications in the Dashboard and customized consent forms.
Application Type: The Auth0 application type. Determines which settings you can configure using the Dashboard. Not editable for M2M Apps. Sometimes disabled for other Auth0 application types if the selected grant types are only allowed for the currently selected application type.
Token Endpoint Authentication Method: Defines the requested authentication method for the token endpoint. Possible values are
None(public client without a client secret),
Post(client uses HTTP POST parameters), and
Basic(client uses HTTP Basic). Only editable for Regular Web Apps and M2M Apps.
Allowed Callback URLs: Set of URLs to which Auth0 is allowed to redirect users after they authenticate. You can specify multiple valid URLs by comma-separating them (typically, to handle different environments like QA or testing). For production environments, verify that the URLs do not point to localhost. You can use the star symbol as a wildcard for subdomains (
*.google.com). Make sure to specify the protocol,
https://; otherwise, the callback may fail in some cases.
Application Login URI: In some scenarios Auth0 will need your application to start the OIDC login flow. This URI should point to a route in your application that starts the flow, by redirecting to the
/authorizeendpoint. It would usually take the form of 'https://myapp.org/login'. Learn more.
Allowed Web Origins: List of URLs from where an authorization request using
web_messageas the response mode can originate from. You can specify multiple valid URLs by comma-separating them. For production environments, verify that the URLs do not point to localhost.
Allowed Logout URLs: List of URLs to which you can redirect users after they log out from Auth0. Use the
returnToquery parameter to redirect them. You can specify multiple valid URLs by comma-separating them. For production environments, verify that the URLs do not point to localhost. You can use the star symbol as a wildcard for subdomains (
*.google.com). Querystrings and hash information are not taken into account when validating these URLs. For more info, see Logout.
*.google.com). Paths, querystrings, and hash information are not taken into account when validating these URLs (and may, in fact, cause the match to fail).
JWT Expiration (seconds): The amount of time (in seconds) before the Auth0 ID Token expires. The default value is
36000, which maps to 10 hours.
Use Auth0 instead of the IdP to do Single Sign-on: If enabled, this setting prevents Auth0 from redirecting authenticated users with valid sessions to the identity provider (such as Facebook or ADFS). Legacy tenants only.
The Advanced Settings section allows you to:
- Manage or add Application Metadata, Device, OAuth, and WS-Federation settings
- Obtain certificates and token endpoint information
- Set the grant type(s) for the Application
Application metadata are custom string keys and values (each of which has a character maximum of 255), set on a per application basis. Metadata is exposed in the Application object as client_metadata, and in Rules as context.clientMetadata.
You can create up to 10 sets of metadata.
If you're developing a mobile application, you can provide the necessary iOS/Android parameters here.
When developing iOS apps, you'll provide your Team ID and App Bundle Identifier.
When developing Android apps, you'll provide your App Package Name and your Key Hashes.
Set the OAuth-related settings on this tab:
By default, all apps/APIs can make a delegation request, but if you want to explicitly grant permissions to selected apps/APIs, you can do so in Allowed Apps/APIs.
Set the algorithm used (HS256 or RS256) for signing your JSON Web Tokens. For more info, see Signing Algorithms.
Toggle the Trust Token Endpoint IP Header setting; if this is enabled, the
auth0-forwarded-foris set as trusted and used as a source of end user IP information for protection against brute-force attacks on the token endpoint. This setting is only available for Regular Web Apps and M2M Apps.
Toggle the switch to indicate if your application is OIDC Conformant or not. Applications flagged as OIDC Conformant will strictly follow the OIDC specification.
Set the location URL for Cross-Origin Verification Fallback. This is the location of the page that will be rendered inside an iframe to perform the token verification when third-party cookies are not enabled in the browser. Must be in the same domain where the embedded login form is hosted and must have an
Select grant types to enable or disable for your application. Available grant types are based on the application type.
Manage or add WS-Federation settings.
Manage or add the signing certificate, and its fingerprint and thumbprint.
View endpoint information for OAuth, SAML, and WS-Fed.