- First-party applications: Owned and operated by your organization. You control their deployment, credentials, and behavior.
- Third-party applications: Owned and operated by an external organization, such as a partner, an independent developer, or an AI agent. You grant them access to your resources, but you cannot directly control what they do with that access.
“Third-party” refers to operational control, not authorship. Many organizations outsource development of their own applications. For example, a contractor building your application does not make it third-party. The key distinction is: who deploys it, who holds the credentials, and who can stop it.
First-party applications
First-party applications are controlled by the same organization or person who owns the Auth0 domain. For example, let’s say you created a Contoso API and an application that logs into contoso.com and consumes the Contoso API. You would register both the API and application under the same Auth0 domain, and the application would be a first-party application. By default, all applications created via the Auth0 Dashboard are first-party applications.
Third-party applications
Third-party applications are controlled by someone who most likely should not have administrative access to your Auth0 domain. Third-party applications enable external parties or partners to securely access protected resources behind your API. For example, if a partner company builds a data analytics dashboard to visualize information from your service, they must first register their application in your Auth0 tenant to obtain a client ID and secret. Even though this application is registered within your environment, it is considered third-party because the code and credentials are owned and operated by the partner, not by your organization. All applications created through Dynamic Client Registration are third-party applications. To learn more about third-party applications in Auth0, read Third-Party Applications.
First-party vs. third-party in Auth0
The following table summarizes the differences between first-party and third-party applications in Auth0:
| | First-party | Third-party |
|---|---|---|
| API access | Follows the API’s configured access policy | Always requires an explicit client grant |
| Auth0 system APIs | Accessible in user flows | Not accessible in user flows |
| User consent | Can be skipped (if enabled on the API) | Always required |
| Grant types | All supported grant types | authorization_code and refresh_token |
| OIDC | Supported | Not supported. Planned for a future release. |
| Rules | Executed | Not supported. Results in error. |
| Non-OAuth protocols (SAML, WsFed) | Supported | Not supported |
| Organizations | Supported | Not supported. Planned for a future release. |
| Client ID format | Standard format | tpc_ prefix |
| Connections | All enabled connections | Domain-level connections |
Application ownership
Application ownership is determined at creation time and cannot be changed afterward. By default, applications are created as first-party, which applies less restrictive security settings. To ensure the appropriate security controls are applied, you must correctly identify applications owned by external parties as third-party when creating them through the Auth0 Dashboard or Management API. To learn how, read Configure Third-Party Applications.
Application ownership is immutable. You cannot convert a third-party application to first-party or vice versa.
Check application ownership
To check if an application is first-party or third-party, use the Auth0 Dashboard or the Management API. In the Auth0 Dashboard:
- Navigate to Applications > Applications.
- Select the application. Third-party applications display a badge indicating they are third-party.
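The same check can be run in bulk over exported client records. The following is an added example, not part of Auth0's documentation: it assumes records shaped like Management API client objects (`client_id`, `name`, `is_first_party`, `grant_types`) and a hypothetical inventory of externally operated application names, and applies the grant-type and `tpc_` prefix rows of the table above. All sample values are constructed.

```python
# Added example: audit client records for ownership problems.
# Record shape follows Management API client objects (client_id, name,
# is_first_party, grant_types); all sample values below are constructed.

# Grant types the table on this page allows for third-party applications.
THIRD_PARTY_GRANTS = {"authorization_code", "refresh_token"}


def audit_clients(clients, externally_operated):
    """Return sorted (client_id, finding) pairs.

    externally_operated: names of apps that your own inventory (an assumed
    input) says are deployed and credentialed by an outside party.
    """
    findings = []
    for c in clients:
        cid = c.get("client_id", "<missing>")
        if "is_first_party" not in c:
            # Export was filtered or malformed: do not guess the ownership.
            findings.append((cid, "OWNERSHIP_UNKNOWN"))
            continue
        first_party = bool(c["is_first_party"])
        if first_party and c.get("name") in externally_operated:
            # Ownership is immutable, so the fix is to re-register the app.
            findings.append((cid, "EXTERNAL_AS_FIRST_PARTY"))
        if first_party == cid.startswith("tpc_"):
            # Flag and ID disagree with the tpc_ prefix row of the table.
            findings.append((cid, "PREFIX_MISMATCH"))
        if not first_party:
            extra = sorted(set(c.get("grant_types") or []) - THIRD_PARTY_GRANTS)
            if extra:
                findings.append((cid, "UNEXPECTED_GRANTS:" + ",".join(extra)))
    return sorted(findings)


SAMPLE_CLIENTS = [  # constructed records, not real tenant data
    {"client_id": "abc123", "name": "Contoso Web", "is_first_party": True, "grant_types": ["authorization_code", "client_credentials"]},
    {"client_id": "def456", "name": "Partner Analytics Dashboard", "is_first_party": True, "grant_types": ["authorization_code"]},
    {"client_id": "tpc_ghi789", "name": "Partner Reporting", "is_first_party": False, "grant_types": ["authorization_code", "client_credentials"]},
    {"client_id": "tpc_jkl012", "name": "Partner Mobile", "is_first_party": False, "grant_types": ["authorization_code", "refresh_token"]},
    {"client_id": "mno345", "name": "Filtered Export Row", "grant_types": []},
    {"client_id": "pqr678", "name": "Partner Kiosk", "is_first_party": False, "grant_types": ["authorization_code"]},
]
SAMPLE_EXTERNAL = {"Partner Analytics Dashboard"}  # assumed inventory

if __name__ == "__main__":
    for cid, finding in audit_clients(SAMPLE_CLIENTS, SAMPLE_EXTERNAL):
        print(f"{cid}: {finding}")
```

An `EXTERNAL_AS_FIRST_PARTY` finding cannot be fixed in place, because ownership is immutable; the application has to be registered again as third-party.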
