- Enhanced security controls: Auth0 enforces enhanced security controls for third-party applications, ensuring external applications can only access resources you explicitly authorize. Features intended for first-party use cases are not available.
- User Consent: Auth0 always requires user consent when a third-party application requests access to APIs. Consent cannot be skipped.
- Connections: Third-party applications can only authenticate users through domain-level connections. To learn more, read Promote Connections to Domain Level.
Use cases
Common third-party application use cases include:
- Partner integrations: External partners build applications that call your APIs on the user’s behalf. For example, a CRM vendor integrates with your platform so that mutual customers can sync data between both products.
- AI agents and MCP clients: AI-powered tools such as Claude Code, VS Code with Copilot, or custom MCP servers connect to your APIs to perform actions on the user’s behalf. To learn more, read Auth for MCP.
- Developer ecosystems: You expose APIs for external developers to build applications on your platform, whether through a developer portal, a marketplace, or Dynamic Client Registration.
- Cross App Access (XAA): A workforce application in another organization’s tenant accesses your APIs through a trust relationship, where the requesting application is modeled as a third-party application in your tenant. To learn more, read Cross App Access.
Supported client types
Third-party applications support both confidential and public client types:

| Client type | Application type | Use case |
|---|---|---|
| Confidential | Regular Web App | Server-side partner integrations |
| Public | Single Page App | Browser-based partner widgets |
| Public | Native | Mobile partner applications |
Supported grant types
Third-party applications support:
- authorization_code with mandatory PKCE
- refresh_token

client_credentials is planned for a future release.
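
What mandatory PKCE on the authorization_code grant means for a third-party client, as an added example (not Auth0's code): the client side follows RFC 7636, and the two server-side functions are a simplified model of an authorization server that refuses requests without a challenge. The endpoint URL, client ID, redirect URI, and the choice to accept only S256 are assumptions.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import urlencode

def b64url(data: bytes) -> str:
    # Base64url without padding, the encoding RFC 7636 specifies.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def s256(verifier: str) -> str:
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def new_pkce_pair():
    # Client: 32 random bytes give a 43-character code_verifier.
    verifier = b64url(secrets.token_bytes(32))
    return verifier, s256(verifier)

def authorization_url(authorize_endpoint, client_id, redirect_uri, challenge, state):
    # Client: the challenge goes in the front-channel request; the verifier stays local.
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })
    return f"{authorize_endpoint}?{query}"

def check_authorization_request(params: dict) -> str:
    # Server model: with PKCE mandatory, a request without a challenge is refused
    # before any code is issued. Accepting only S256 is an assumption of this sketch.
    if not params.get("code_challenge"):
        raise ValueError("invalid_request: code_challenge is required")
    if params.get("code_challenge_method") != "S256":
        raise ValueError("invalid_request: code_challenge_method must be S256")
    return params["code_challenge"]  # stored alongside the issued code

def verify_code_verifier(stored_challenge: str, code_verifier: str) -> bool:
    # Server model: at the token endpoint, recompute the challenge from the verifier.
    if not (code_verifier.isascii() and stored_challenge.isascii()):
        return False
    if not 43 <= len(code_verifier) <= 128:
        return False
    return hmac.compare_digest(s256(code_verifier), stored_challenge)

if __name__ == "__main__":
    verifier, challenge = new_pkce_pair()
    # Constructed placeholder values, not a real tenant or client.
    print(authorization_url("https://tenant.example/authorize", "partner-client-id",
                            "https://partner.example/callback", challenge, "xyz"))
    print(verify_code_verifier(challenge, verifier))
```

An intercepted authorization code is useless at the token endpoint without the verifier, which never leaves the client that started the flow.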