Skip to main content

Documentation Index

Fetch the complete documentation index at: https://auth0.com/llms.txt

Use this file to discover all available pages before exploring further.

Register an application in Auth0 by importing an externally hosted Client ID Metadata Document (CIMD) from a URL. A CIMD is a JSON file containing client metadata hosted on your domain (e.g., https://example-client.com/mcp-metadata.json). The CIMD URL is the application’s client ID and proves domain ownership, ensuring only trusted tenant administrators can register applications. When you import an application from its CIMD URL, Auth0 fetches, validates, and persists the metadata to register the application as a CIMD client. While Auth0 maintains a record of these settings, the hosted CIMD remains the source of truth; metadata updates are synchronized through manual refreshes. This application registration process is called manual CIMD registration. You can only register third-party applications using manual CIMD, which are subject to enhanced security controls. Once registered, set up your CIMD client as a third-party application in Auth0.

Key benefits

Manual CIMD registration has the following benefits:
  1. Uses asymmetric cryptography (public/private keys) instead of shared symmetric secrets that can be leaked.
  2. Application owners manage client metadata directly in the CIMD; Auth0 simply pulls and persists these updates.
  3. The client ID is the CIMD URL hosted on a secure HTTPS domain, which serves as a human-readable proof of ownership in audit logs.
Third-party applications, including CIMD clients, do not support Organizations. Organizations support for third-party applications will be introduced in a future release.
Rate limits for CIMD clients will be introduced in a future release. You will be able to set a specific rate limit for a CIMD client, as well as a shared rate limit on the aggregated traffic from all CIMD clients in a tenant.

Use cases

Common use cases for manual CIMD registration include:
  • MCP clients: Only need to be registered with CIMD once per deployment. All instances of that deployment use the same registration credentials. To learn how Auth0 secures MCP clients and servers, read Auth for MCP.
  • Third-party integrations: Partner applications, SaaS platforms, and external services that authenticate users on behalf of organizations. These applications manage their own client metadata and cryptographic keys, enabling independent updates and key rotation without sharing secrets.

Example CIMD

The following is an example CIMD for a public MCP client, where "token_endpoint_auth_method": "none":
https://example-client.com/mcp-metadata.json
{
  "client_id": "https://example-client.com/mcp-metadata.json",
  "client_name": "Example MCP Tool Server",
  "description": "MCP server providing tools for data analysis",
  "logo_uri": "https://example-client.com/logo.png",
  "application_type": "web",
  "grant_types": ["authorization_code", "refresh_token"],
  "redirect_uris": [
    "https://example-client.com/callback"
  ],
  "token_endpoint_auth_method": "none",
  "response_types": ["code"]
}
Auth0 automatically maps and validates CIMD fields. To learn more about supported client types, read Prerequisites.

How it works

The following diagram shows the end-to-end manual CIMD registration flow:

Phase 1: Registration

During manual CIMD registration, a tenant admin registers the application by importing its externally hosted CIMD to Auth0:
  1. Application creation: The tenant admin creates a CIMD app in Auth0 by:
    • Selecting Import from URL in the Auth0 Dashboard
    • Making a POST request to the /register endpoint, providing the external_client_id
  2. Metadata fetch: Auth0 makes a GET request to the client’s domain to retrieve the CIMD (client.json).
  3. Security validation: Auth0 maps and validates the CIMD URL against the CIMD URL validation rules and the CIMD against the CIMD validation rules, verifying that the external_client_id matches the CIMD URL, among other checks.
  4. Persistence: Once validated, Auth0 stores the client metadata in the database.
  5. Confirmation: Auth0 returns a success response; the application has been successfully registered as a CIMD client in Auth0.

Phase 2: Authorization

Once registered, the application uses its CIMD URL as its identity during the OAuth flow.
  1. User-initiated task: The user initiates a task that requires the application to access an API.
  2. Authorization request: The application makes a request to the Auth0 Authorization Server, passing its CIMD URL as the client_id.
  3. Client resolution: The Auth0 Authorization Server queries the database to resolve the provided URL (client_id) to the stored client configuration (external_client_id).
  4. User consent: Auth0 displays a consent screen to the user, identifying the application by the client_name retrieved from the CIMD metadata.
  5. Redirection: After the user approves consent, Auth0 redirects the user back to the application with an authorization code.
  6. Code exchange: The application exchanges the authorization code for an access token at the token endpoint.
  7. Authorization complete: The Auth0 Authorization Server returns an access token where the client_id is set to the CIMD URL. The application can now access the API on the user’s behalf.

Prerequisites

Before registering an application with manual CIMD, make sure your tenant and application meet the following requirements:

Tenant configuration

  • Enable CIMD support: Enable the Client ID Metadata Document Registration toggle in your tenant settings to import CIMD via URL.
    • Navigate to Settings > Advanced and scroll down to the Settings section.
    • Toggle on Client ID Metadata Document Registration.
  • Resource Parameter Compatibility Profile (Optional): For MCP clients, we recommend enabling this profile in your tenant settings. This allows the authorization server to handle resource-specific requests (RFC 8707) by checking the resource parameter if the audience is not provided.

Supported client types

You can register the following client types with manual CIMD in Auth0:

Supported authentication methods

CIMD clients cannot use authentication methods based on shared symmetric secrets, such as client_secret_post, client_secret_basic, or client_secret_jwt. Depending on whether the client is public or confidential, Auth0 supports the following authentication methods for CIMD clients:
  • Public clients:
    • No client authentication required at the token endpoint; set token_endpoint_auth_method to none in client metadata
    • Must use Proof Key for Code Exchange (PKCE) for authorization flows
  • Confidential clients:
    • Only Private Key JWT authentication is supported; set token_endpoint_auth_method to private_key_jwt in client metadata
    • Provide a jwks_uri to host public keys. The jwks_uri must share the exact same origin (scheme, host, and port) as the CIMD URL. To learn more, read CIMD JSON validation rules.
Private Key JWT authentication is available only for Enterprise customers. To learn more about Enterprise plans, review Pricing or contact Auth0 Sales.
CIMD clients that use Private Key JWT authentication must implement key rotation by generating a new key pair with a new, unique kid.

Register applications with manual CIMD

When creating an application in Auth0, register it manually with CIMD using the Auth0 Dashboard or Management API.
To register an application with manual CIMD using the Auth0 Dashboard:
  1. Navigate to Applications > Applications.
  2. Select Create Application > Import from URL.
  3. Enter the CIMD URL. Then, select Preview. Auth0 validates the CIMD URL against the CIMD URL validation rules.
  4. If your CIMD URL is valid, Auth0 loads the CIMD and validates it against the CIMD JSON validation rules. Preview your client metadata and troubleshoot it for any validation errors.
  5. Select Create.

Set up CIMD client

Manual CIMD registration is limited to third-party applications (is_first_party: false), which are subject to enhanced security controls. Once you’ve registered your CIMD client, set it up as a third-party application in Auth0: To learn more, read Configure Third-Party Applications.

Refresh client metadata

Once you’ve registered the CIMD client, you can manually refresh client metadata. Auth0 fetches fresh client metadata from the CIMD, which you can preview and save. When you refresh client metadata, Auth0 updates the app_type and grant_types to match the values in the hosted CIMD. To learn more about CIMD fields, read CIMD JSON validation rules. In the Auth0 Dashboard:
  1. Navigate to Applications > Applications and select your CIMD client.
  2. At the top-right corner, select Refresh Client Metadata.
  3. Select Refresh Preview to preview the latest client metadata in the CIMD. Review any validation warnings or errors.
  4. Select Save.

Get CIMD client

To get a CIMD client, make a GET request to the /v2/clients/{clientId} endpoint, where {clientID} is the Auth0-generated client ID assigned to the CIMD client: 
curl --request GET \
  --url 'https://YOUR_AUTH0_DOMAIN/api/v2/clients/YOUR_CLIENT_ID' \
  --header 'Authorization: Bearer YOUR_MANAGEMENT_API_TOKEN' \
  --header 'Content-Type: application/json'
Alternatively, pass the external_client_id, or the CIMD URL, as the query parameter to the /v2/clients endpoint: 
curl --request GET \
  --url 'https://YOUR_AUTH0_DOMAIN/api/v2/clients?external_client_id=https://mcpserver.example.com/client.json' \
  --header 'Authorization: Bearer YOUR_MANAGEMENT_API_TOKEN' \
  --header 'Content-Type: application/json'
If successful, Auth0 returns a response that includes the CIMD client configuration with fields like external_client_id, name, callbacks, token_endpoint_auth_method, and more.

Update CIMD client

You can update the fields in the Auth0 database for a registered CIMD client. Updating the CIMD client in Auth0 does not automatically update the CIMD hosted on the application’s domain. You can only update the following fields for CIMD clients:
FieldDescription
app_typeThe Auth0 application type. For CIMD, this maps from application_type and is restricted to native (for native apps) or regular_web (for web apps).
grant_typesThe OAuth 2.0 grant types allowed. For CIMD, this is restricted to authorization_code and refresh_token. Other types are filtered out during mapping.
jwt_configuration.algThe algorithm used to sign the ID Token. As strict third-party clients, CIMD applications are typically restricted to secure asymmetric algorithms such as RS256, RS512, or PS256.
descriptionA free-text description of the client. Mapped directly from CIMD metadata with a maximum limit of 140 characters.
oidc_conformantMust be enabled for strict third-party clients. This ensures the client follows OIDC specifications and is generally not modifiable for CIMD clients.
allowed_originsA list of URLs allowed for Cross-Origin Resource Sharing (CORS). Typically used by browser-based applications.
web_originsA list of URLs allowed for web-based flows (e.g., Silent Authentication).
refresh_token.*Configuration for refresh token behavior, including rotation_type, leeway, and various lifetime settings. These control how long a refresh token remains valid and if it rotates upon use.
organization_*Settings for organization-specific flows, including usage, require_behaviour, discovery_methods, and default_organization. These determine how the client interacts with Auth0 Organizations.
client_metadataArbitrary key-value pairs used to store additional information about the client that does not map to standard Auth0 properties.
require_proof_of_possessionIndicates if the client must demonstrate proof of possession of a key, often used with DPoP or mTLS.
To update a CIMD client, make a PATCH request to the /v2/clients/{clientId} endpoint, where {clientID} is the Auth0-generated client ID assigned to the CIMD client: 
curl --location --request PATCH \
  'https://YOUR_AUTH0_DOMAIN/api/v2/clients/YOUR_CLIENT_ID' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer YOUR_MANAGEMENT_API_TOKEN' \
  --data '{
    "description": "This is my test CIMD client"
  }'

CIMD URL validation rules

To pass validation in Auth0, CIMD URLs must meet the following requirements:
CategoryRuleRequirement
ProtocolHTTPS RequiredMust use the https:// scheme.
HostNo Localhostlocalhost, 127.0.0.1, and ::1 are rejected.
Valid HostnameMust contain a non-empty hostname; triple-slashes (e.g., https:///) are forbidden.
PathPath ComponentMust contain a path beyond the root /.
No Dot SegmentsMust not contain . or .. (including encoded %2e) in the path.
ConstraintsLength LimitMaximum of 120 bytes.
No WhitespaceNo leading or trailing whitespace allowed.
FormatMust be a non-empty string parseable as a URL.
ForbiddenNo CredentialsNo username or password allowed in the URL.
No FragmentsFragment identifiers (#) are not permitted.
No QueryQuery strings (?) are not permitted.
No Port 0Port 0 is reserved and forbidden.
EncodingPercent-Encoding% must be followed by exactly two hex digits.

CIMD JSON validation rules

Auth0 applies the following CIMD JSON validation rules:
  • Unsupported properties: Auth0 ignores unsupported properties during mapping and reports them as warnings in the validation response.
  • Inline JWKS: Providing an inline jwks object instead of a jwks_uri is not supported and will trigger an invalid_client_metadata error.
  • Private keys: Any JWKS retrieved via jwks_uri that contains private key material (the d parameter) will be rejected.
  • Fetch security: Both the CIMD document and the jwks_uri are subject to 5KB and 12KB size limits, respectively, and neither supports HTTP redirects.
Auth0 supports the following CIMD properties:
PropertyRequiredTypeValidation RulesAuth0 Mapping
client_idYesStringMust be a valid HTTPS URL that exactly matches the document’s hosted location.external_client_id
client_nameYesStringMust be a non-empty string.name
redirect_urisConditionalString ArrayRequired if grant_types includes authorization_code or implicit. Must be unique HTTPS URIs (loopback allowed for native apps).callbacks
grant_typesYesString ArrayMust include at least one supported type (authorization_code or refresh_token). Unsupported types trigger warnings and are filtered out.grant_types
application_typeNoStringOnly native or web are allowed. Unknown values are rejected. Defaults to web.app_type
token_endpoint_auth_methodNoStringSupports none or private_key_jwt. Symmetric secret methods (e.g., client_secret_post) are forbidden.token_endpoint_auth_method
jwks_uriConditionalStringRequired if token_endpoint_auth_method is private_key_jwt. Must be an HTTPS URL sharing the same origin as the client_id.jwks_uri
logo_uriNoStringMust be a valid HTTP or HTTPS URL.logo_uri
descriptionNoStringFree text with a maximum limit of 140 characters.description
response_typesNoString ArrayValidated for OIDC consistency but not persisted. Generates a warning if it contains code while authorization_code is missing from grant_types.(None)

Security considerations

CIMD client key rotation for private_key_jwt authentication

To successfully rotate keys for CIMD clients using Private Key JWT authentication, generate a new key pair with a new, unique kid. If you rotate your private key and update your JWKS with new key material under the same kid, Auth0’s CIMD registration rejects the new key and preserves the old one. This ensures that key rotation requires explicit addition of new keys rather than silent replacement. Make sure you refresh your key registration in Auth0 after rotating your keys. To learn more, read Rotate signing keys.