Configure Third-Party Applications

Create third-party applications that allow external developers, partners, or AI agents to access your APIs with enhanced security controls.

Prerequisites

Before creating a third-party application, make sure you have:

An Auth0 tenant with at least one API (resource server) configured
At least one connection promoted to the domain level (for user-facing flows)

Create a third-party application

Create a third-party application using the Auth0 Dashboard or Management API.

Auth0 Dashboard
Management API

Navigate to Applications > Applications.
Select Create Application.
Enter a name for the application and select the application type:
- Regular Web App for server-side confidential clients
- Single Page App for browser-based public clients
- Native for mobile or desktop public clients
Check the This application is owned by a third party toggle.
Select Create.

Dashboard Create Application dialog with third-party toggle enabled

Make a POST request to the /api/v2/clients endpoint with the following request body:

Parameter	Type	Description
`name`	String	Required. The name of the application.
`is_first_party`	Boolean	Indicates whether the application is first-party (`true`) or third-party (`false`).
`app_type`	String	The type of application (e.g., `regular_web`, `native`, `spa`, `non_interactive`).
`callbacks`	Array	A list of allowed callback URLs for the redirect after authentication.
`grant_types`	Array	A list of types of OAuth2 grants this client is allowed to use. Third-party applications are only allowed to use `authorization_code` and `refresh_token`. To learn more, read Supported grant types.
`token_endpoint_auth_method`	String	The authentication method for the token endpoint (e.g., `client_secret_post`).

If successful, Auth0 creates the application with a tpc_ client ID prefix, authorization_code and refresh_token grant types, and sets third_party_security_mode to strict, indicating that enhanced security controls are enabled.

{
  "client_id": "tpc_aBcDeFgHiJkLmNoPqRsTuV",
  "third_party_security_mode": "strict",
  "is_first_party": false,
  "name": "Partner Application",
  "grant_types": ["authorization_code", "refresh_token"],
  ...
}

Parameter	Type	Description
`client_id`	String	The unique identifier for the application with a `tpc` prefix to indicate it’s a third-party application created with strict mode enabled.
`third_party_security_mode`	String	Defines the security profile. Set to `strict` to enforce enhanced security constraints for third-party apps.
`is_first_party`	Boolean	Must be set to `false` when using `strict` security mode to identify the app as third-party.
`name`	String	The display name of the application.
`grant_types`	Array	The OAuth2 grant types this application is authorized to use (e.g., authorization_code).

The third_party_security_mode property is set at creation and cannot be changed. To use a different security mode, create a new application.

Configure API access policies

Third-party applications require explicit client grants to access APIs. You can configure API access policies in the following ways:

Default permissions for all third-party applications
Per-application permissions

Default permissions for all third-party applications

Default permissions define a baseline set of APIs and scopes available to all third-party applications. This is required for Dynamic Client Registration, where you cannot configure access for each application individually.

Auth0 Dashboard
Management API

Navigate to Applications > APIs and select the API.
Go to the Settings tab.
Scroll to Default Permissions for Third Party Apps.
Select Authorized for User Access or Client Access.
Select the scopes to grant, then select Save.

Dashboard API Settings with Default Permissions for Third Party Apps

Make a POST request to the /api/v2/client-grants endpoint with the following request body:

Parameter	Type	Description
`default_for`	String	Specifies if this grant is automatically applied to certain app types. Set to `third_party_clients` to ensure all third-party apps have access to this API by default.
`audience`	String	The unique identifier (URI) of the API the grant is being created for.
`scope`	Array	A list of permissions (scopes) that are allowed as part of this grant.
`subject_type`	String	Defines the type of application access allowed for the API: `user`: Used for user-delegated access, which corresponds to flows that generate a token associated with an end-user. `client`: Used for machine-to-machine access, such as the Client Credentials Flow.

Per-application permissions

To grant a specific third-party application broader or narrower access than the defaults, create a client grant for that application’s client_id: When both a per-application grant and a default grant exist for the same API, the per-application grant takes precedence. To learn more, read Application Access to APIs: Client Grants.

Configure connections

Third-party applications can only authenticate users through domain-level connections. Once a connection is promoted to the domain level, it becomes available to all third-party applications in the tenant. To promote a connection:

Navigate to Auth0 Dashboard > Authentication and select the connection type (Database, Social, Enterprise).
Select the connection you want to use with third-party applications.
Enable the Promote Connection to Domain Level toggle.

To learn more, read Promote Connections to Domain Level.

Configure open redirect protection

Third-party applications with enhanced security controls have Open Redirect Protection enabled by default. When enabled, Auth0 does not:

Redirect to the application’s callback URL on authentication errors
Expose application.callback_domain in email templates

Only disable Open Redirect Protection for third-party applications where the configured callback URIs are trusted. To learn more, read Redirect Protection.

Auth0 Dashboard
Management API

Navigate to Applications > Applications and select the third-party application.
Go to the Settings tab and scroll to Open Redirect Protection.
Toggle the setting on or off.
Select Save.

Dashboard Open Redirect Protection toggle

Set the redirection_policy property when creating or updating the application:

curl --request PATCH \
  --url 'https://{yourDomain}/api/v2/clients/{CLIENT_ID}' \
  --header 'Authorization: Bearer {YOUR_MANAGEMENT_API_TOKEN}' \
  --header 'Content-Type: application/json' \
  --data '{
    "redirection_policy": "allow_always"
  }'

Set to open_redirect_protection to enable (default) or allow_always to disable.

Dynamic Client Registration

All dynamically registered clients are third-party applications. Before enabling DCR, configure default API permissions so that dynamically registered clients can access your APIs.

Auth0 Onboarding

Learn the Basics

Configure Auth0

Plan and Design

Auth0 AI

Universal Components

Configure Third-Party Applications

Prerequisites

Create a third-party application

Configure API access policies

Default permissions for all third-party applications

Per-application permissions

Configure connections

Configure open redirect protection

Dynamic Client Registration

Learn more

Auth0 Onboarding

Learn the Basics

Configure Auth0

Plan and Design

Auth0 AI

Universal Components

​Prerequisites

​Create a third-party application

​Configure API access policies

​Default permissions for all third-party applications

​Per-application permissions

​Configure connections

​Configure open redirect protection

​Dynamic Client Registration

​Learn more

Prerequisites

Create a third-party application

Configure API access policies

Default permissions for all third-party applications

Per-application permissions

Configure connections

Configure open redirect protection

Dynamic Client Registration

Learn more