# Get Started Source: https://auth0.com/docs/get-started Learn the basics and begin building your authentication solution. Welcome to Auth0, an identity platform to manage access to your applications. If you’re new to identity and access management (IAM), learn some of the basics and plan the solution that best fits your technology and needs. If you’re familiar with IAM, you can jump in and start building. *** ## Start Building ##### To get up and running swiftly, choose your application type for a step-by-step quickstart tutorial. Mobile or Desktop app that runs natively on a device e.g., iOS, Android JavaScript web app that runs in the browser e.g., AngularJS + Node.js, React Traditional web app that runs on the server e.g., Express.js, ASP.NET An API or service protected by Auth0 e.g., Express.js API, ASP.NET API An AI agent to call external APIs on the user’s behalf and use human-in-the-loop controls e.g., LangChain, LlamaIndex *** ## Learn the Basics ##### Build your knowledge of IAM technology and Auth0. Explore topics related to the fundamentals of identity and access management. Discover different use cases. Create and connect the building blocks of your IAM solution. *** ## Configure Auth0 ##### Define how Auth0 works with your applications and APIs. Control who can access your Auth0 Dashboard. Learn about Auth0 Teams, including how to enable Teams, view and manage tenants, and manage tenant members. Describes how to configure options in Auth0 Dashboard's profile section. Configure the behavior of your Auth0 tenant. Control the details of how Auth0 works with your applications. Manage access for resource requests made to your APIs. Administer your team members’ access to your Auth0 Dashboard. *** ## Plan and Design ##### Learn about Auth0 flows and architecture so you can make informed decisions about your Auth0 implementation. Explore the different flows of information that drive authentication and authorization. Read about real-world customer implementations of Auth0. Get personalized help deploying and maintaining solutions from Auth0 specialists. *** ## Auth0 AI ##### Use the Auth0 AI product suite to learn about Auth0, integrate with AI agents, and improve your tenant’s security posture. Learn about Auth0 Guide, an AI-powered chatbot that answers your questions about Auth0. Learn how to leverage Auth0 for AI Agents to secure every layer of your GenAI stack. Learn how to integrate Auth0 with Model Context Protocol (MCP). Learn how to use AI tools to search and index the Auth0 knowledge base. # APIs Source: https://auth0.com/docs/get-started/apis Explore key topics related to working with APIs. An API is an entity that represents an external resource, capable of accepting and responding to protected resource requests made by applications. In the [OAuth2 specification](https://tools.ietf.org/html/rfc6749), an API maps to the **Resource Server**. At some point, your custom APIs will need to allow limited access to their protected resources on behalf of users. Authorization refers to the process of verifying what a user has access to. While often used interchangeably with [authentication](/docs/authenticate), authorization represents a fundamentally different function. To learn more, read [Authentication and Authorization](/docs/get-started/identity-fundamentals/authentication-and-authorization). In authorization, a user or application is granted access to an API after the API determines the extent of the permissions that it should assign. Usually, authorization occurs after identity is successfully validated through authentication so that the API has some idea of what sort of access it should grant. Authorization can be determined through the use of [policies](/docs/manage-users/access-control/authorization-policies) and [rules](/docs/manage-users/access-control/rules-for-authorization-policies), which can be used with [role-based access control (RBAC)](/docs/manage-users/access-control/rbac). Regardless of whether RBAC is used, requested access is transmitted to the API via scopes and granted access is returned in issued Access Tokens. The application can then use the Access Token to access the API's protected resources. The same Access Token can be used to access the API's resources without having to authenticate again until it expires. ## API permissions Since only the API can know all of the possible actions that it can handle, it should have its own internal access control system in which it defines its own permissions. To determine a calling application's effective permissions, an API should combine incoming scopes with the permissions assigned within its own internal access control system and make access control decisions accordingly. ## Configure an API To protect an API, you must register an API using the Auth0 Dashboard. To learn more, see [Register APIs](/docs/get-started/auth0-overview/set-up-apis). Before you register any APIs in the Auth0 Dashboard, one API will already exist: the **Auth0 Management API**. To learn more about the features of the Management API and its available endpoints, see [Management API](https://auth0.com/docs/api/management/v2). ## Learn more * [API Scopes](/docs/get-started/apis/scopes/api-scopes) * [Which OAuth 2.0 Flow Should I Use?](/docs/get-started/authentication-and-authorization-flow/which-oauth-2-0-flow-should-i-use) * [Tokens](/docs/secure/tokens) * [Register APIs](/docs/get-started/auth0-overview/set-up-apis) * [API Settings](/docs/get-started/apis/api-settings) # Add API Permissions Source: https://auth0.com/docs/get-started/apis/add-api-permissions Learn how to add permissions to APIs using the Auth Dashboard or the Management API. You can add permissions to an API using the Auth0 Dashboard or the Management API. By default, any user of any application can ask for any permission defined here. You can implement access policies to limit this behavior via [rules](/docs/customize/rules). ## Use the Dashboard 1. Go to [Dashboard > Applications > APIs](https://manage.auth0.com/#/apis) and click the name of the API to view. Dashboard Applications APIs List 2. Go to the **Permissions** tab and enter a permission name and description for the permission you want to add. Be sure not to use any reserved permission names (see Reserved names section). Dashboard Add API Permissions API Define Permissions Screen 3. Click **Add**. Remember that individual Applications may need permissions and/or scopes updated to interact properly with the API. ## Use the Management API Patching the permissions with an empty object removes the permissions completely. Make a `PATCH` call to the [Update Resource Server endpoint](https://auth0.com/docs/api/management/v2/resource-servers/patch-resource-servers-by-id). Be sure to replace `API_ID`, `MGMT_API_ACCESS_TOKEN`, `PERMISSION_NAME`, and `PERMISSION_DESC` placeholder values with your API ID, Management API Access Token, permission name(s), and permission description(s), respectively. Be sure not to use any reserved permission names (see Reserved names section). ```bash cURL theme={null} curl --request PATCH \ --url 'https://{yourDomain}/api/v2/resource-servers/API_ID' \ --header 'authorization: Bearer MGMT_API_ACCESS_TOKEN' \ --header 'cache-control: no-cache' \ --header 'content-type: application/json' \ --data '{ "scopes": [ { "value": "PERMISSION_NAME", "description": "PERMISSION_DESC" }, { "value": "PERMISSION_NAME", "description": "PERMISSION_DESC" } ] }' ``` ```csharp C# theme={null} var client = new RestClient("https://{yourDomain}/api/v2/resource-servers/API_ID"); var request = new RestRequest(Method.PATCH); request.AddHeader("content-type", "application/json"); request.AddHeader("authorization", "Bearer MGMT_API_ACCESS_TOKEN"); request.AddHeader("cache-control", "no-cache"); request.AddParameter("application/json", "{ "scopes": [ { "value": "PERMISSION_NAME", "description": "PERMISSION_DESC" }, { "value": "PERMISSION_NAME", "description": "PERMISSION_DESC" } ] }", ParameterType.RequestBody); IRestResponse response = client.Execute(request); ``` ```go Go theme={null} package main import ( "fmt" "strings" "net/http" "io/ioutil" ) func main() { url := "https://{yourDomain}/api/v2/resource-servers/API_ID" payload := strings.NewReader("{ "scopes": [ { "value": "PERMISSION_NAME", "description": "PERMISSION_DESC" }, { "value": "PERMISSION_NAME", "description": "PERMISSION_DESC" } ] }") req, _ := http.NewRequest("PATCH", url, payload) req.Header.Add("content-type", "application/json") req.Header.Add("authorization", "Bearer MGMT_API_ACCESS_TOKEN") req.Header.Add("cache-control", "no-cache") res, _ := http.DefaultClient.Do(req) defer res.Body.Close() body, _ := ioutil.ReadAll(res.Body) fmt.Println(res) fmt.Println(string(body)) } ``` ```java Java theme={null} HttpResponse response = Unirest.patch("https://{yourDomain}/api/v2/resource-servers/API_ID") .header("content-type", "application/json") .header("authorization", "Bearer MGMT_API_ACCESS_TOKEN") .header("cache-control", "no-cache") .body("{ "scopes": [ { "value": "PERMISSION_NAME", "description": "PERMISSION_DESC" }, { "value": "PERMISSION_NAME", "description": "PERMISSION_DESC" } ] }") .asString(); ``` ```javascript Node.JS theme={null} var axios = require("axios").default; var options = { method: 'PATCH', url: 'https://{yourDomain}/api/v2/resource-servers/API_ID', headers: { 'content-type': 'application/json', authorization: 'Bearer MGMT_API_ACCESS_TOKEN', 'cache-control': 'no-cache' }, data: { scopes: [ {value: 'PERMISSION_NAME', description: 'PERMISSION_DESC'}, {value: 'PERMISSION_NAME', description: 'PERMISSION_DESC'} ] } }; axios.request(options).then(function (response) { console.log(response.data); }).catch(function (error) { console.error(error); }); ``` ```objc Obj-C theme={null} #import NSDictionary *headers = @{ @"content-type": @"application/json", @"authorization": @"Bearer MGMT_API_ACCESS_TOKEN", @"cache-control": @"no-cache" }; NSDictionary *parameters = @{ @"scopes": @[ @{ @"value": @"PERMISSION_NAME", @"description": @"PERMISSION_DESC" }, @{ @"value": @"PERMISSION_NAME", @"description": @"PERMISSION_DESC" } ] }; NSData *postData = [NSJSONSerialization dataWithJSONObject:parameters options:0 error:nil]; NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://{yourDomain}/api/v2/resource-servers/API_ID"] cachePolicy:NSURLRequestUseProtocolCachePolicy timeoutInterval:10.0]; [request setHTTPMethod:@"PATCH"]; [request setAllHTTPHeaderFields:headers]; [request setHTTPBody:postData]; NSURLSession *session = [NSURLSession sharedSession]; NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) { if (error) { NSLog(@"%@", error); } else { NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response; NSLog(@"%@", httpResponse); } }]; [dataTask resume]; ``` ```php PHP theme={null} $curl = curl_init(); curl_setopt_array($curl, [ CURLOPT_URL => "https://{yourDomain}/api/v2/resource-servers/API_ID", CURLOPT_RETURNTRANSFER => true, CURLOPT_ENCODING => "", CURLOPT_MAXREDIRS => 10, CURLOPT_TIMEOUT => 30, CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1, CURLOPT_CUSTOMREQUEST => "PATCH", CURLOPT_POSTFIELDS => "{ "scopes": [ { "value": "PERMISSION_NAME", "description": "PERMISSION_DESC" }, { "value": "PERMISSION_NAME", "description": "PERMISSION_DESC" } ] }", CURLOPT_HTTPHEADER => [ "authorization: Bearer MGMT_API_ACCESS_TOKEN", "cache-control: no-cache", "content-type: application/json" ], ]); $response = curl_exec($curl); $err = curl_error($curl); curl_close($curl); if ($err) { echo "cURL Error #:" . $err; } else { echo $response; } ``` ```python Python theme={null} import http.client conn = http.client.HTTPSConnection("") payload = "{ "scopes": [ { "value": "PERMISSION_NAME", "description": "PERMISSION_DESC" }, { "value": "PERMISSION_NAME", "description": "PERMISSION_DESC" } ] }" headers = { 'content-type': "application/json", 'authorization': "Bearer MGMT_API_ACCESS_TOKEN", 'cache-control': "no-cache" } conn.request("PATCH", "/{yourDomain}/api/v2/resource-servers/API_ID", payload, headers) res = conn.getresponse() data = res.read() print(data.decode("utf-8")) ``` ```ruby Ruby theme={null} require 'uri' require 'net/http' require 'openssl' url = URI("https://{yourDomain}/api/v2/resource-servers/API_ID") http = Net::HTTP.new(url.host, url.port) http.use_ssl = true http.verify_mode = OpenSSL::SSL::VERIFY_NONE request = Net::HTTP::Patch.new(url) request["content-type"] = 'application/json' request["authorization"] = 'Bearer MGMT_API_ACCESS_TOKEN' request["cache-control"] = 'no-cache' request.body = "{ "scopes": [ { "value": "PERMISSION_NAME", "description": "PERMISSION_DESC" }, { "value": "PERMISSION_NAME", "description": "PERMISSION_DESC" } ] }" response = http.request(request) puts response.read_body ``` ```swift Swift theme={null} import Foundation let headers = [ "content-type": "application/json", "authorization": "Bearer MGMT_API_ACCESS_TOKEN", "cache-control": "no-cache" ] let parameters = ["scopes": [ [ "value": "PERMISSION_NAME", "description": "PERMISSION_DESC" ], [ "value": "PERMISSION_NAME", "description": "PERMISSION_DESC" ] ]] as [String : Any] let postData = JSONSerialization.data(withJSONObject: parameters, options: []) let request = NSMutableURLRequest(url: NSURL(string: "https://{yourDomain}/api/v2/resource-servers/API_ID")! as URL, cachePolicy: .useProtocolCachePolicy, timeoutInterval: 10.0) request.httpMethod = "PATCH" request.allHTTPHeaderFields = headers request.httpBody = postData as Data let session = URLSession.shared let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in if (error != nil) { print(error) } else { let httpResponse = response as? HTTPURLResponse print(httpResponse) } }) dataTask.resume() ``` When adding or updating scopes, Management API requires that you pass all scopes you would to include. If any of the existing scopes are not passed, they will be removed.
Value Description
API\_ID ID of the API for which you want to delete permissions.
MGMT\_API\_ACCESS\_TOKEN Access Token for the Management API with the scope update:resource\_servers.
PERMISSION\_NAME Name(s) of the permission(s) you want to keep for the specified API.
PERMISSION\_DESC User-friendly description(s) of the permission(s) you want to keep for the specified API.
## Reserved names The following permission names are reserved and cannot be set as custom API permissions: * address * created\_at * email * email\_verified * family\_name * given\_name * identities * name * nickname * offline\_access * openid * phone * picture * profile ## Learn more * [Customize Consent Prompts](/docs/customize/login-pages/customize-consent-prompts) * [Configure Logical API for Multiple APIs](/docs/get-started/apis/set-logical-api) * [Role-Based Access Control](/docs/manage-users/access-control/rbac) * [Enable Role-Based Access Control for APIs](/docs/get-started/apis/enable-role-based-access-control-for-apis) * [Check API Calls](/docs/troubleshoot/authentication-issues/check-api-calls) # API Access Policies for Applications Source: https://auth0.com/docs/get-started/apis/api-access-policies-for-applications Learn how to configure API Access Policies for Applications. API Access Policies for Applications enables you to control how applications access your APIs registered in Auth0. These policies define how applications interact with an API, such as whether they can successfully obtain an access token to access the API’s resources. You can configure the application API access policy for each API registered in the Auth0 Dashboard. To learn more, read [Configure API application access policy](#configure-api-application-access-policy). ## User access vs. client access You can configure separate application API access policies for user access and client (machine-to-machine) access: * **Client access**: used for machine-to-machine access, which corresponds to the [Client Credentials Flow](/docs/get-started/authentication-and-authorization-flow/client-credentials-flow). * **User access**: used for all access flows that generate an access token associated with an end-user, allowing the application to access an API on the user’s behalf. User access flows do not include the Client Credentials Flow. To learn more about user access flows, read [Authentication and Authorization Flows](/docs/get-started/authentication-and-authorization-flow). ## Application API access policies The application API access policies are:
Policy Description Access Flow
Allow When configured for an API, any application in your tenant can get an access token to the API. No specific grant is required. The default for user access when you create an API. You can only configure `allow_all` for user access.
Allow via client-grant When configured for an API, only applications with a client grant defined can get an access token for the API. The client grant establishes the maximum permissions an application can request from the API. To learn more about how to create and manage client grants, read Application Access to APIs: Client Grants. The default for the Client Credentials Flow when you create an API.
Deny When configured for an API, no application can get an access token to the API, regardless of any other settings or grants. Access is completely restricted. You can configure deny\_all for both user and client access.
When configuring an API’s application access policy, Auth0 recommends using `Allow via client-grant`, which follows a least privilege principle approach. To learn more, read [Application Access to APIs: Client Grants](/docs/get-started/applications/application-access-to-apis-client-grants). When you set the application access policy for an API to `Allow via client-grant`, you must explicitly provide the required scopes as part of the token request. This does not apply to refresh token requests, where if you omit the scopes, the authorization server assumes the application wants all the scopes it was granted in the original access token. As a result, the authorization server returns an access token with the same scopes originally granted by the resource owner. ## Configure API application access policy You can configure an API’s application access policy using the Auth0 Dashboard or the Management API. ### Auth0 Dashboard To configure an API’s application access policy: 1. Navigate to [Dashboard > Applications > APIs](https://manage.auth0.com/#/apis) and select your API. 2. Select the **Application Access** tab. 3. Select the **Application Access Policy** to configure the **user** and **client** access. * Configure the **user access** policy to **Allow**, **Allow via client-grant**, or **Deny**. * **Allow**: Applications are allowed to access the API on the user’s behalf. * **Allow via client-grant**: Applications must have a client grant to access the API on the user’s behalf. * **Deny**: Applications are denied access to the API on the user’s behalf. * Configure the **client access** policy to **Allow via client-grant** or **Deny**. * **Allow via client-grant**: Machine-to-machine applications are allowed to access this API as long as they have the corresponding client grant. * **Deny**: Restricts machine-to-machine access to this API. 4. Select **Save** to save the **Application Access Policy**. 5. When **Allow via client-grant** is the policy configured for the API, select **Edit** to authorize **User Access**, **Client Access**, or both for each individual Application. * Configure the **User Access Authorization** to **Unauthorized**, **Authorized**, or **All**. * **Unauthorized**: No permission allowed. * **Authorized**: Select desired permissions. * **All**: Include all existing and future permissions. * Configure the **Client Credential Access Authorization** to **Unauthorized**, **Authorized**, or **All**. * **Unauthorized**: No permission allowed. * **Authorized**: Select desired permissions. * **All**: Include all existing and future permissions. 6. Select **Save** to save the **Application Access** settings. ### Auth0 Management API You can configure an API’s application access policy by updating its `subject_type_authorization` property on the `resource-servers` collection of the [Management API](/docs/api/management/v2/resource-servers/patch-resource-servers-by-id). The `subject_type_authorization` object contains two nested objects, `user` and `client`, each with a policy attribute that you can set to one of the three access policies defined in [Application API access policies](#application-api-access-policies). #### Existing API To configure the application access policy for an existing API, make a `PATCH` request to the `/resource-servers/{id}` endpoint and pass a `subject_type_authorization` object that specifies the policies for both user and client access types. The following code sample demonstrates how to set different access policies for user and client access types for an existing API: * The user policy is set to `require_client_grant`, meaning applications must have a client grant to access the API on the user’s behalf. * The client policy is set to `deny_all`, which restricts machine-to-machine access to this API. #### New API To configure the application access policy when creating a new API, make a `POST` request to the `/resource-servers` endpoint and pass a `subject_type_authorization` object that specifies the policies for both user and client access types. The following code sample demonstrates how to set different access policies for user and client access types when creating a new API: * The user policy is set to `require_client_grant`, meaning applications must have a client grant to access the API on the user’s behalf. * The client policy is set to `deny_all`, which restricts machine-to-machine access to this API. ## Learn more * [Application Access to APIs: Client Grants](/docs/get-started/applications/application-access-to-apis-client-grants) # API Settings Source: https://auth0.com/docs/get-started/apis/api-settings Describes the settings related to APIs available in the Auth0 Dashboard. Use the **Settings** tab in the Auth0 Dashboard at [Dashboard > Applications > APIs](https://manage.auth0.com/#/apis) to configure registered APIs that you can consume from your authorized applications. To configure an API's settings, click **...** next to an API in the list and select **Settings** or click the API name. To learn how to create and register an API, read [Register APIs](/docs/get-started/auth0-overview/set-up-apis). Dashboard Applications APIs List ## Settings Use the settings on this tab to configure token expiration, role-based access control (RBAC), and other access settings. Click **Save** at the bottom of the tab to save changes. ### General Settings These fields were set when you initially registered the API, except in the case of the Auth0 Management API. You can only modify the **Name**. Dashboard Applications APIs Settings Tab General Settings * **Id**: A unique alphanumeric string generated by Auth0. This information is read-only, and you will only need it if you will be working directly with [Auth0's Management API Resource Servers endpoints](https://auth0.com/docs/api/management/v2#!/Resource_Servers/get_resource_servers_by_id). * **Name**: A friendly name for the API. Does not affect any functionality. The following characters are not allowed: `< >`. * **Identifier**: A unique identifier for your API. This value is set upon API creation and cannot be modified afterward. We recommend using a URL, but this doesn't have to be a publicly available URL; Auth0 will not call your API at all. ### Token Settings Dashboard - API - Token Settings - Expiration * **Maximum Access Token Lifetime (Seconds)**: The amount of time (in seconds) before an access token expires. The default value is 86400 seconds (24 hours). The maximum value you can set is 2592000 seconds (30 days). * **Implicit / Hybrid Flow Access Token Lifetime (Seconds)**: The amount of time (in seconds) before an access token issued using an implicit or hybrid flow expires. The default value is 86400 seconds (24 hours). The value cannot exceed the maximum access token lifetime. * **JSON Web Token (JWT) Profile**: The profile determines the format of the access tokens issued for the API. The available values are `Auth0` and `RFC 9068`. To learn more, read [Access Token Profiles](/docs/secure/tokens/access-tokens/access-token-profiles). * **JSON Web Token (JWT) Signing Algorithm**: The algorithm with which to sign the tokens. The signature is used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed along the way. The available values are [`HS256`](https://en.wikipedia.org/wiki/Symmetric-key_algorithm) and [`RS256`](https://en.wikipedia.org/wiki/Public-key_cryptography). If you select `RS256` (recommended), the token will be signed with your tenant's private key. This value is set when your API is created and cannot be modified afterward. To learn more about signing algorithms and how they work in Auth0, read [Signing Algorithms](/docs/get-started/applications/signing-algorithms). The signature is part of a JWT. If you are unfamiliar with JWT structure, please see [JSON Web Token Structure](/docs/secure/tokens/json-web-tokens/json-web-token-structure). * **JSON Web Encryption (JWE):** When enabled, issued access tokens are encrypted using JSON Web Encryption (JWE). format. To learn more, read [JSON Web Encryption](/docs/secure/tokens/access-tokens/json-web-encryption). ### RBAC Settings Auth0 Dashboard API Settings RBAC toggle * **Enable RBAC**: Enable this setting for RBAC policies to be enforced for the API. To learn more, read [Role-Based Access Control](/docs/manage-users/access-control/rbac) and [Enable Role-Based Access Control for APIs](/docs/get-started/apis/enable-role-based-access-control-for-apis). For troubleshooting help, review [Troubleshoot Role-Based Access Control and Authorization](/docs/troubleshoot/authentication-issues/troubleshoot-rbac-authorization). * **Add Permissions in the Access Token**: Enable this setting to add the Permissions claim to the access token. This setting is only available if you enable RBAC. You can configure permissions on the **Permissions** tab. ### Access Settings Dashboard Applications APIs Settings Tab Access Settings * **Allow Skipping User Consent**: Enable this setting for the API to skip user consent for applications flagged as "first party." * **Allow Offline Access**: Enable this setting to allow applications to ask for refresh tokens for the API. ## Permissions Use the settings on the **Permissions** tab to define the permissions (scopes) that the API will use. To learn more, read [Add API Permissions](/docs/get-started/apis/add-api-permissions) and [Delete API Permissions](/docs/get-started/apis/delete-api-permissions). Dashboard Add API Permissions API Define Permissions Screen ## Machine-to-Machine Applications If you have machine-to-machine applications, they will appear in a list on this tab. Use the toggles to authorize applications in the list. To learn more, read [Register Machine-to-Machine Applications](/docs/get-started/auth0-overview/create-applications/machine-to-machine-apps). Dashboard Applications API Machine-to-Machine Applications ## Test A test application is automatically created by Auth0 to allow to tests with the API. To learn how to create more test machine-to-machine applications for Management API testing, read [Create Machine-to-Machine Applications for Testing](/docs/get-started/apis/create-m2m-app-test). Dashboard Applications APIs Test Tab ## Management API Explorer If you view the **Settings** for the Auth0 Management API, you will see an additional tab called **API Explorer**. Dashboard Applications APIs Management API Explorer For troubleshooting help, review [Check API Calls](/docs/troubleshoot/authentication-issues/check-api-calls). ## Learn more * [Register APIs](/docs/get-started/auth0-overview/set-up-apis) * [Tokens](/docs/secure/tokens) * [Signing Algorithms](/docs/get-started/applications/signing-algorithms) * [API Scopes](/docs/get-started/apis/scopes/api-scopes) * [Configure Logical API for Multiple APIs](/docs/get-started/apis/set-logical-api) * [Create Machine-to-Machine Applications for Testing](/docs/get-started/apis/create-m2m-app-test) # Configure Access Token Profile Source: https://auth0.com/docs/get-started/apis/configure-access-token-profile Learn how to configure an access token profile for your API. You can choose which access token profile to use for your APIs: the Auth0 token profile or the RFC 9068 token profile. The access token profile you configure determines the format of the access tokens issued for the API. By default, Auth0 issues access tokens using the Auth0 token profile. The Auth0 token profile issues access tokens that are formatted as [JSON Web Tokens (JWTs)](/docs/secure/tokens/json-web-tokens), which contain information about an entity in the form of claims. Auth0 also supports the RFC 9068 token profile. The RFC 9068 token profile issues access tokens formatted as JWTs following the [IETF JWT Profile for OAuth 2.0 Access Tokens (RFC 9068)](https://datatracker.ietf.org/doc/html/rfc9068). To learn more about the differences between these token profiles, read [Access Token Profiles](/docs/secure/tokens/access-tokens/access-token-profiles). When you [register an API](/docs/get-started/auth0-overview/set-up-apis), you can select the access token profile in the Auth0 Dashboard. After you’ve registered the API, you can configure the access token profile anytime using the [Management API](https://auth0.com/docs/api/management/v2) and the [Auth0 Dashboard](https://manage.auth0.com/). ## Configure access token profile for an API 1. Go to [Dashboard > Applications > APIs](https://manage.auth0.com/#/apis) and click the name of the API to view. 2. Scroll to **Access Token Settings** and select the access token profile under **JSON Web Token (JWT) Profile**. The selected profile determines the format and claims of access tokens issued for the API. The supported values are `Auth0` and `RFC 9068`. To read more about the difference between the two profiles, read [Access Token Profiles](/docs/secure/tokens/access-tokens/access-token-profiles). 3. Click **Save**. When using the Management API, we refer to access token profiles as token dialects. To configure your access token profile, set the `token_dialect` parameter for an API using the Management API. The following code sample makes a PATCH request to the [Update a resource server endpoint](https://auth0.com/docs/api/management/v2/resource-servers/patch-resource-servers-by-id): Replace the `API_ID`, `MGMT_API_ACCESS_TOKEN`, and `TOKEN_DIALECT` with their respective values, as described in the following table:
Parameter Description
API\_ID ID of the API for which you want to update the token dialect.
MGMT\_API\_ACCESS\_TOKEN Access Token for the Management API with the scope update:resource\_servers.
TOKEN\_DIALECT Dialect of the access token for the specified API. To learn more, read Token dialect options.
#### Token dialect options Auth0 supports the following token dialects:
Value Description
access\_token The default Auth0 token profile generates an access token formatted as a JSON Web Token (JWT). To learn more, read Access Token Profiles.
access\_token\_authz The default Auth0 token profile (access\_token) with the permissions claim. To learn more about RBAC permissions, read Enable Role-Based Access Control for APIs.
rfc9068\_profile The RFC 9068 token profile generates an access token formatted as a JWT following the IETF JWT Profile for OAuth 2.0 Access Tokens (RFC 9068). To learn more, read Access Token Profiles.
rfc9068\_profile\_authz The RFC 9068 profile (rfc9068\_profile) with the permissions claim. To learn more about RBAC permissions, read Enable Role-Based Access Control for APIs.
# Configure JSON Web Encryption (JWE) Source: https://auth0.com/docs/get-started/apis/configure-json-web-encryption Learn how to configure JSON Web Encryption (JWE) for an API. To use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to [Auth0 Pricing](https://auth0.com/pricing/) for details. By default, Auth0 issues access tokens that are formatted as a signed [JSON Web Token (JWT)](/docs/secure/tokens/json-web-tokens), meaning that while they are integrity protected, clients and other intermediaries can still inspect them. This can lead to a loss of information privacy on data intended only to be exposed to a resource server. To prevent unauthorized inspection of access tokens, Auth0 supports the use of nested JWT access tokens, where access information is signed in a JWT and then encrypted and represented with JSON Web Encryption (JWE). Resource servers are expected to both decrypt these access tokens and verify the signature of the JWT payload while the information is opaque to any other parties. ## Generate RSA key pair Before configuring an API to use JWE, you must [generate an RSA key pair](/docs/secure/application-credentials/generate-rsa-key-pair). The private key must be kept secret. Upload the public key to Auth0 encoded in PEM format as described in [Generate RSA Key Pair](/docs/secure/application-credentials/generate-rsa-key-pair). Only the resource server or API server can securely access the private key to decrypt the access token. ## Configure JWE for an API Use the [Auth0 Dashboard](https://manage.auth0.com/) to configure JWE for your API. To begin, enable the **JSON Web Encryption (JWE)** toggle under **Token Settings** for your API. When prompted, add a JSON Web Encryption (JWE) key: * Enter a friendly name for easy identification. * Upload a certificate with the public key encoded in PEM format. * Select the encryption algorithm. * (Optional) Enter a key identifier. Click **Add** to save the JWE key, which will generate a thumbprint of the certificate. Use the [Auth0 Management API](https://auth0.com/docs/api/management/v2) to configure JWE for a resource server or API server. You must configure JWE for each API, so each API has its own public encryption key. The following POST request configures a new API to receive encrypted access tokens: ```bash lines theme={null} curl -X POST --location "https://{domain}/api/v2/resource-servers" \ -H "Authorization: Bearer {managementAccessToken}" \ -H "Content-Type: application/json" \ --data-raw '{ "name": "{apiName}", "identifier": "{apiIdentifier}", "token_encryption": { "format": "compact-nested-jwe", "encryption_key": { "name": "{credentialName}", "pem": "{pem}", "alg": "{alg}", "kid": "{kid}" } } }' ``` The following table explains what the different parameters mean:
Parameter Required? Description
apiName Required The name of your new API.
apiIdentifier Required The unique identifier for your API. This will be used as your token audience.
credentialName Optional The name for your public key.
pem Required Public key encoded in PEM format.
alg Required The encryption algorithm must be either RSA-OAEP-256, RSA-OAEP-384, or RSA-OAEP-512.
kid Optional The identifier used to write to the kid header in your JWE token. This can be used to identify the key used for encryption during key rotation.
The response contains the `id` property which uniquely identifies the resource server. The response also contains a generated `thumbprint_sha256` field that can be used to identify the credential. Auth0 will not return key material after initial creation (in this case, your PEM). There are many ways to generate the `thumbprint_sha256`. For more information, see the [RFC 8705 OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens](https://datatracker.ietf.org/doc/html/rfc8705#name-jwt-certificate-thumbprint-). To ensure that you generated the correct `thumbprint_sha256`, you can use the following Node.js code sample to extract the thumbprint: ```javascript lines theme={null} const fs = require('fs'); const crypto = require('crypto'); const { calculateJwkThumbprint, exportJWK } = require('jose'); const publicKeyObject = crypto.createPublicKey(fs.readFileSync('./my_cert.pem')); exportJWK(publicKeyObject).then((jwk) => { calculateJwkThumbprint(jwk, 'sha256').then((thumbprint) => { console.log(thumbprint); }); }); ``` ## Learn more * [JSON Web Encryption](/docs/secure/tokens/access-tokens/json-web-encryption) # Configure Rich Authorization Requests (RAR) Source: https://auth0.com/docs/get-started/apis/configure-rich-authorization-requests Learn how to configure Rich Authorization Requests (RAR) for a resource server. Using [Rich Authorization Requests (RAR)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rar), clients can request and obtain fine-grained authorization data from resource owners, such as end users, during the [Authorization Code Flow with Pushed Authorization Requests (PAR)](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow/authorization-code-flow-with-par) and [Client-Initiated Backchannel Authentication Flow](/docs/get-started/authentication-and-authorization-flow/client-initiated-backchannel-authentication-flow). Rich Authorization Requests use the `authorization_details` parameter. This parameter accepts a JSON array of objects which may include detailed information about the authorization being requested, such as the specific resources or actions the client wants to access on behalf of the user. You can render the requested `authorization_details` to the user using either: * The browser, by using a [customized consent prompt](#set-customized-consent-prompt) * A mobile application when using push notifications with the [Auth0 Guardian SDK or Auth0 Guardian app](/docs/secure/multi-factor-authentication/auth0-guardian) To configure Rich Authorization Requests for a resource server, you must: 1. [Register `authorization_details` types](#register-authorization_details-types) for the resource server. 2. [Configure the API Access policies](#configure-the-api-access-policies) to allow your app to request those types. 3. [Set the customized consent prompt](#set-customized-consent-prompt) to render the `authorization_details`. 4. [Optional: Configure the consent policy for the resource server](#optional-configure-consent-policy-for-the-resource-server). ## Register `authorization_details` types Each object in the JSON array must have a `type` field, which describes the shape of the object. An `authorization_details` array may contain multiple entries of the same `type`. ### Auth0 Guardian app If you’re using the Auth0 Guardian app, then the `authorization_details` parameter value must have only one object in the array, and that object must conform to the following Auth0 schema:
Field Description Example
type Specifies the type of authorization request:
  • urn:auth0:schemas:authorization-details: The Auth0 URN indicates that the request will use the Auth0 schema.
  • v1: The schema version.
  • user-profile: Customer-provided value indicating that the request is for user profile information.
 urn:auth0:schemas:authorization-details:v1:user-profile
instruction A human-readable message to the user approving the request. Please approve the request.
properties A JSON object containing the specific user attributes or claims being requested. Each key (e.g., email, full\_name) represents a particular user profile field:
  • display: A boolean value that determines whether the property should be shown to the user in the consent dialog. If true, it will be displayed; if false, it's an internal-only property not meant for user view.
  • name: The human-readable name for the property (e.g., "Email Address").
  • display\_order: An integer that dictates the order in which properties will be shown in the consent dialog.
  • description: An optional, short explanation of the property's purpose.
  • `value`: The actual data value for the property (e.g., "[user@example.com](mailto:user@example.com)", "John Doe"). The data type can vary (string, integer, boolean, etc.).
 `"properties": { "stringPropertyForDisplay": { "display": true, "name": "A String:", "display_order": "1", "value": "Value 1"} }`
The following is an example `authorization_details` type with the Auth0 schema: ```json lines theme={null} { "type": "urn:auth0:schemas:authorization-details:v1:user-profile", "instruction": "An instruction to the user", "properties": { "stringPropertyForDisplay": { "display": true, "name": "A String:", "display_order": 1, "value": "Value 1" }, "numericPropertyForDisplay": { "display": true, "name": "A Number:", "display_order": 2, "description": "An optional description", "value": 100.00 }, "booleanPropertyForDisplay": { "display": true, "name": "A Boolean:", "display_order": 3, "value": true }, "hiddenProperty": { "display": false, "value": "This value should not be displayed" } } } ``` ### Other notification channels The `authorization_details` type does not need to use the Auth0 schema if you aren't using the Auth0 Guardian app. If you are displaying the `authorization_details` using a customized consent prompt or your own custom mobile app with the Auth0 Guardian SDK, then the following requirements apply: * Maximum 5Kb * Must be valid JSON * Must be an array of objects * Maximum of 5 entries in the array * Every object must have a `type` property (that is pre-registered on the API) * Maximum of 10 properties per object * Maximum character length of property names is 255 * Maximum character length of property value is 255 * Maximum of 5 levels of nested objects * Property names can only contain the following characters: `a-zA-Z0-9_.-` The following is an example `authorization_details` of type `money_transfer` that does not use the Auth0 schema. It contains the following object fields: * `instructedAmount`: The amount of money in USD to be transferred. * `sourceAccount`: The source bank account from which the money will be transferred. * `destinationAccount`: The destination bank account to which the money will be transferred. * `beneficiary`: The recipient of the money transfer. * `subject`: The subject line of the money transfer. ```json lines theme={null} { "type": "money_transfer", "instructedAmount": {"amount": 2500, "currency": "USD"}, "sourceAccount": "xxxxxxxxxxx1234", "destinationAccount": "xxxxxxxxxxx9876", "beneficiary": "Hanna Herwitz", "subject": "A Lannister Always Pays His Debts" } ``` You must register `authorization_details` types for a resource server, which is similar to registering allowed scopes. You can register `authorization_details` types with the [Auth0 Dashboard](https://manage.auth0.com/) or [Management API](https://auth0.com/docs/api/management/v2). To add `authorization_details` in the Auth0 Dashboard: 1. Navigate to [Auth0 Dashboard > Applications > APIs](https://manage.auth0.com/#/apis). 2. Select the **Permissions** tab. 3. Under **Add an Authorization Details type**, you can add multiple `authorization_details` types for your resource server. Enter an `authorization_details` type 4. Select the **+Add** option. You can see the `authorization_details` types for your resource server under **List of Authorization Details Types**: To register  `authorization_details` types with an existing resource server, make a `PATCH` request to the [Update a resource server](https://auth0.com/docs/api/management/v2/resource-servers/patch-resource-servers-by-id) endpoint. The following code sample adds the `payment_initiation` and `money_transfer` types under `authorization_details` for a resource server: ```bash lines theme={null} curl --location --request PATCH 'https://$tenant/api/v2/resource-servers/$resource-server-id' \ --header 'Authorization: Bearer $management_access_token' \ --header 'Content-Type: application/json' \ --data-raw '{ "authorization_details": [{"type": "payment_initiation"}, {"type": "money_transfer"}] }' ``` To create a new resource server with a registered `authorization_details` type, make a `POST` request to the `/resource-servers` endpoint. The following `POST` request creates a new resource server with `authorization_details` type `payment_initiation`: ```bash lines theme={null} curl --location --request POST 'https://$tenant/api/v2/resource-servers' \ --header 'Authorization: Bearer $management_access_token' \ --header 'Content-Type: application/json' \ --data-raw '{ "name": "Payments API", "identifier": "https://payments.api/", "authorization_details": [{"type": "payment_initiation"}] }' ``` ## Configure the API Access policies [API Access Policies for Applications](/docs/get-started/apis/api-access-policies-for-applications) control what applications can access your APIs and what scopes or `authorization_details` types they are allowed to access. You can check your API's current policy using the Management API. Make a `GET` request to the [Get a resource server](https://auth0.com/docs/api/management/v2/resource-servers/get-resource-servers-by-id) endpoint and check the `subject_type_authorization` property in the response: ```bash lines theme={null} curl --location --request GET 'https://$tenant/api/v2/resource-servers/$resource-server-id' \ --header 'Authorization: Bearer $management_access_token' \ --header 'Content-Type: application/json' ``` The `subject_type_authorization` property has values for `client.policy` and `user.policy`: * If the policy value is `allow_all`, then applications or users can request all `authorization_details` types registered for the API. * If the policy value is `require_client_grant`, then each type of `authorization_details` must be explicitly allowed by the client grant for that application. * If the policy value is `deny_all`, then no application or user can request any of the `authorization_details` types registered for the API. To learn more on how to manage client grants for applications, read [Application Access to APIs: Client Grants](/docs/get-started/applications/application-access-to-apis-client-grants) . ## Set customized consent prompt You can render the `authorization_details` of a Rich Authorization Request in the consent prompt. To do so, configure the `customized-consent` prompt with the appropriate template partials. You can set the customized consent prompt using the Auth0 CLI or Management API. ### Auth0 CLI To configure the customized consent partials, run the `auth0 ul customize` command with the appropriate flags in your terminal: ```bash lines theme={null} auth0 ul customize ``` To learn more, read the [auth0 universal-login customize documentation](https://auth0.github.io/auth0-cli/auth0_universal-login_customize.html). ### Management API To configure the customized consent partials, make a `PUT` request to the `/prompts/customized-consent/partials` endpoint: ```bash lines theme={null} curl --location --request PUT "https://$tenant/api/v2/prompts/customized-consent/partials" \ --header "Authorization: Bearer $management_access_token" \ --header "Content-Type: application/json" \ --data '{ "customized-consent": { "form-content": "
Operation Details
Transaction Type
{{ transaction.params.authorization_details[0].type }}
Amount
{{ transaction.params.authorization_details[0].instructedAmount.amount }} {{ transaction.params.authorization_details[0].instructedAmount.currency }}
Recipient
{{ transaction.params.authorization_details[0].beneficiary }}
Destination Account
{{ transaction.params.authorization_details[0].destinationAccount }}
" } }' ``` The customized consent template renders the `authorization_details` in the following consent prompt that Auth0 shows to the end user: In the [email notifications with CIBA and RAR flow](/docs/get-started/authentication-and-authorization-flow/client-initiated-backchannel-authentication-flow/email-notifications-with-ciba), you need to customize the consent prompt to show the approval or rejection screens to the user: User accepts the authentication request User accepts the authentication request To learn more about how to customize the consent prompt, read: * [Customize Universal Login Pages](/docs/customize/login-pages/universal-login/customize-templates) * [Customize Universal Login with the No-Code Editor](/docs/customize/login-pages/universal-login/customize-themes) * [Set partials for a prompt API documentation](/docs/api/management/v2/prompts/put-partials) ## Optional: Configure consent policy for the resource server The resource server's consent policy determines whether Auth0 stores the `authorization_details` values and makes them available to mobile applications when a push notification is sent. Review Auth0's standard consent policy behavior for a request containing `authorization_details`:
Flow Push notification sent Behavior
Any No The customized consent prompt is shown.
Authorization Code Flow with PAR Yes

No consent prompt is shown. The consent must be shown on the mobile application that receives the push notification challenge.

If the Auth0 Guardian app is used, it will automatically display the `authorization_details` to the user.

If a custom mobile app is used, the `authorization_details` can be retreived using the Auth0 Guardian SDK.

Client-Initiated Backchannel Authentication Flow Yes

If the Auth0 Guardian App is being used to authorize the CIBA request, the `authorization_details` will be fetched automatically and displayed.

If a custom mobile app is used to authorize the CIBA request, the `authorization_details` can be retreived using the Auth0 Guardian SDK.

If the CIBA request is being authorized using a web link (e.g. from an email), then the customized consent prompt will be shown.

Customers may choose to trigger a push notification as a second factor for the CIBA request when the user is approving it by a web link, in which case the behavior is the same as above. The Auth0 Guardian app automatically displays the `authorization_details` to the user again, while custom mobile apps can choose to retrieve the `authorization_details` using the Auth0 Guardian SDK.

Customers can also set the `consent_policy` to `transactional-authorization-with-mfa`, which has the following behavior:
Flow Push notification sent Behaviour
Authorization Code Flow with PAR No The customized consent prompt is shown.
Authorization Code Flow with PAR Yes

No consent prompt is shown. The customer solution must show the consent using their own user interface. Auth0 will allocate a unique ID for the request and expose it to the Post-Login Action as `event.transaction.linking_id` along with the `event.transaction.requested_authorization_details`.

If the Auth0 Guardian App is used, the `authorization_details` will NOT be displayed.

If a custom mobile app is used, the push notification will include the `linking_id`, allowing application builders to retrieve the `authorization_details` from their own APIs if required.

Client-Initiated Backchannel Authentication Flow Any CIBA flow is not supported with `transactional-authorization-with-mfa` consent policy
You can set the consent policy for a resource server with the [Auth0 Dashboard](https://manage.auth0.com/) or [Management API](https://auth0.com/docs/api/management/v2). Set the consent policy in your API settings using the Auth0 Dashboard. 1. Navigate to [Auth0 Dashboard > Applications > APIs](https://manage.auth0.com/#/apis). 2. Select the **Settings** tab. 3. Under **Access Settings**, choose the **Standard** consent policy. 4. Save your changes. Dashboard > Applications > APIs > Settings > Access Settings To set the consent policy for a resource server or API using the Management API, send a `PATCH` request to the [Update a resource server](https://auth0.com/docs/api/management/v2/resource-servers/patch-resource-servers-by-id) endpoint. In the `PATCH` request, set the `consent_policy` to `standard`: ```bash wrap lines theme={null} curl --location --request PATCH 'https://$tenant/api/v2/resource-servers/$resource-server-id' \ --header 'Authorization: Bearer $management_access_token' \ --header 'Content-Type: application/json' \ --data-raw '{ "consent_policy": "standard" }' ``` # Create Machine-to-Machine Applications for Testing Source: https://auth0.com/docs/get-started/apis/create-m2m-app-test Learn how to register and authorize a test machine-to-machine application for calling Management API endpoints using Access Tokens. When you create an account, a default Management API instance is created in the API section of the Auth0 Dashboard. A sample machine-to-machine test application is automatically created. The following instructions allow you to create another test application to use with this Management API instance and use the generated test token before building your own Production setup. You should note, the test token located under API Explorer is for testing access to the Management API only. To learn more about Management API tokens, review [Get Management API Access Tokens for Production](/docs/secure/tokens/access-tokens/management-api-access-tokens/get-management-api-access-tokens-for-production). If you are interested in using the test token, visit [Get Management API Access Tokens for Testing](/docs/secure/tokens/access-tokens/management-api-access-tokens/get-management-api-access-tokens-for-testing) 1. Go to [Dashboard > Applications > APIs](https://manage.auth0.com/#/apis) and select **Auth0 Management API**. 2. Select the **API Explorer** tab. 3. Click **Create & Authorize a Test Application**. A new application has been created and is authorized to access the Management API. Dashboard Applications APIs Auth0 Management API Explorer Tab Authorize and Test The application created in the steps above has been granted all the Management API scopes. This means that it can access all endpoints for testing purposes. However, applications do not generally allow access to all scopes but only authorizes scopes that are required. Each machine-to-machine application that accesses an API must be granted a set of [Scopes](/docs/get-started/apis/scopes/api-scopes). Scopes are permissions that should be granted by the owner. Each [Auth0 Management API v2](https://auth0.com/docs/api/management/v2) endpoint requires specific scopes. To see the required scopes/permissions for each endpoint, go to the [Management API Explorer](https://auth0.com/docs/api/management/v2#!) and find the endpoint you want to call. Each endpoint has a section called **Scopes** listing all the scopes that the endpoint accepts. ## Example: Get All Connections endpoint The [Get All Connections](https://auth0.com/docs/api/management/v2#!/Clients/get_connections) endpoint accepts the `read:connections` scope while the [Create a Connection](https://auth0.com/docs/api/management/v2#!/Clients/post_connections) endpoint accepts the `write:connections` scope. Our machine-to-machine token should only need the `read:connections` scope in order to access data from that endpoint. If you have multiple applications that should access the Management API, then you should create separate machine-to-machine applications for each application in Auth0 instead of just a single machine-to-machine application. ## Learn more * [Get Management API Access Tokens for Testing](/docs/secure/tokens/access-tokens/management-api-access-tokens/get-management-api-access-tokens-for-testing) * [Get Management API Access Tokens for Production](/docs/secure/tokens/access-tokens/management-api-access-tokens/get-management-api-access-tokens-for-production) * [Get Management API Access Tokens for Single-Page Applications](/docs/secure/tokens/access-tokens/management-api-access-tokens/get-management-api-tokens-for-single-page-applications) * [Applications in Auth0](/docs/get-started/applications) # Delete API Permissions Source: https://auth0.com/docs/get-started/apis/delete-api-permissions Learn how to delete permissions from APIs using the Auth0 Dashboard or the Management API. You can delete permissions from an API using the Auth0 Dashboard or the Management API. ## Use the Dashboard 1. Go to [Dashboard > Applications > APIs](https://manage.auth0.com/#/apis) and click the name of the API to view. Dashboard Applications APIs List 2. Go to the **Permissions** tab and click the trashcan icon next to the permission you want to remove and confirm. Dashboard Add API Permissions API Define Permissions Screen ## Use the Management API Make a PATCH call to the [Update Resource Server endpoint](https://auth0.com/docs/api/management/v2#!/Resource_Servers/patch_resource_servers_by_id) that includes all permissions you want to keep and excludes all permissions you want to delete. Replace `API_ID,` `MGMT_API_ACCESS_TOKEN`, `PERMISSION_NAME`, and `PERMISSION_DESC` placeholder values with your API ID, Management API Access Token, permission name(s), and permission description(s), respectively. ```bash cURL theme={null} curl --request PATCH \ --url 'https://{yourDomain}/api/v2/resource-servers/API_ID' \ --header 'authorization: Bearer MGMT_API_ACCESS_TOKEN' \ --header 'cache-control: no-cache' \ --header 'content-type: application/json' \ --data '{ "scopes": [ { "value": "PERMISSION_NAME", "description": "PERMISSION_DESC" }, { "value": "PERMISSION_NAME", "description": "PERMISSION_DESC" } ] }' ``` ```csharp C# theme={null} var client = new RestClient("https://{yourDomain}/api/v2/resource-servers/API_ID"); var request = new RestRequest(Method.PATCH); request.AddHeader("content-type", "application/json"); request.AddHeader("authorization", "Bearer MGMT_API_ACCESS_TOKEN"); request.AddHeader("cache-control", "no-cache"); request.AddParameter("application/json", "{ "scopes": [ { "value": "PERMISSION_NAME", "description": "PERMISSION_DESC" }, { "value": "PERMISSION_NAME", "description": "PERMISSION_DESC" } ] }", ParameterType.RequestBody); IRestResponse response = client.Execute(request); ``` ```go Go theme={null} package main import ( "fmt" "strings" "net/http" "io/ioutil" ) func main() { url := "https://{yourDomain}/api/v2/resource-servers/API_ID" payload := strings.NewReader("{ "scopes": [ { "value": "PERMISSION_NAME", "description": "PERMISSION_DESC" }, { "value": "PERMISSION_NAME", "description": "PERMISSION_DESC" } ] }") req, _ := http.NewRequest("PATCH", url, payload) req.Header.Add("content-type", "application/json") req.Header.Add("authorization", "Bearer MGMT_API_ACCESS_TOKEN") req.Header.Add("cache-control", "no-cache") res, _ := http.DefaultClient.Do(req) defer res.Body.Close() body, _ := ioutil.ReadAll(res.Body) fmt.Println(res) fmt.Println(string(body)) } ``` ```java Java theme={null} HttpResponse response = Unirest.patch("https://{yourDomain}/api/v2/resource-servers/API_ID") .header("content-type", "application/json") .header("authorization", "Bearer MGMT_API_ACCESS_TOKEN") .header("cache-control", "no-cache") .body("{ "scopes": [ { "value": "PERMISSION_NAME", "description": "PERMISSION_DESC" }, { "value": "PERMISSION_NAME", "description": "PERMISSION_DESC" } ] }") .asString(); ``` ```javascript Node.JS theme={null} var axios = require("axios").default; var options = { method: 'PATCH', url: 'https://{yourDomain}/api/v2/resource-servers/API_ID', headers: { 'content-type': 'application/json', authorization: 'Bearer MGMT_API_ACCESS_TOKEN', 'cache-control': 'no-cache' }, data: { scopes: [ {value: 'PERMISSION_NAME', description: 'PERMISSION_DESC'}, {value: 'PERMISSION_NAME', description: 'PERMISSION_DESC'} ] } }; axios.request(options).then(function (response) { console.log(response.data); }).catch(function (error) { console.error(error); }); ``` ```objc Obj-C theme={null} #import NSDictionary *headers = @{ @"content-type": @"application/json", @"authorization": @"Bearer MGMT_API_ACCESS_TOKEN", @"cache-control": @"no-cache" }; NSDictionary *parameters = @{ @"scopes": @[ @{ @"value": @"PERMISSION_NAME", @"description": @"PERMISSION_DESC" }, @{ @"value": @"PERMISSION_NAME", @"description": @"PERMISSION_DESC" } ] }; NSData *postData = [NSJSONSerialization dataWithJSONObject:parameters options:0 error:nil]; NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://{yourDomain}/api/v2/resource-servers/API_ID"] cachePolicy:NSURLRequestUseProtocolCachePolicy timeoutInterval:10.0]; [request setHTTPMethod:@"PATCH"]; [request setAllHTTPHeaderFields:headers]; [request setHTTPBody:postData]; NSURLSession *session = [NSURLSession sharedSession]; NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) { if (error) { NSLog(@"%@", error); } else { NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response; NSLog(@"%@", httpResponse); } }]; [dataTask resume]; ``` ```php PHP theme={null} $curl = curl_init(); curl_setopt_array($curl, [ CURLOPT_URL => "https://{yourDomain}/api/v2/resource-servers/API_ID", CURLOPT_RETURNTRANSFER => true, CURLOPT_ENCODING => "", CURLOPT_MAXREDIRS => 10, CURLOPT_TIMEOUT => 30, CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1, CURLOPT_CUSTOMREQUEST => "PATCH", CURLOPT_POSTFIELDS => "{ "scopes": [ { "value": "PERMISSION_NAME", "description": "PERMISSION_DESC" }, { "value": "PERMISSION_NAME", "description": "PERMISSION_DESC" } ] }", CURLOPT_HTTPHEADER => [ "authorization: Bearer MGMT_API_ACCESS_TOKEN", "cache-control: no-cache", "content-type: application/json" ], ]); $response = curl_exec($curl); $err = curl_error($curl); curl_close($curl); if ($err) { echo "cURL Error #:" . $err; } else { echo $response; } ``` ```python Python theme={null} import http.client conn = http.client.HTTPSConnection("") payload = "{ "scopes": [ { "value": "PERMISSION_NAME", "description": "PERMISSION_DESC" }, { "value": "PERMISSION_NAME", "description": "PERMISSION_DESC" } ] }" headers = { 'content-type': "application/json", 'authorization': "Bearer MGMT_API_ACCESS_TOKEN", 'cache-control': "no-cache" } conn.request("PATCH", "/{yourDomain}/api/v2/resource-servers/API_ID", payload, headers) res = conn.getresponse() data = res.read() print(data.decode("utf-8")) ``` ```ruby Ruby theme={null} require 'uri' require 'net/http' require 'openssl' url = URI("https://{yourDomain}/api/v2/resource-servers/API_ID") http = Net::HTTP.new(url.host, url.port) http.use_ssl = true http.verify_mode = OpenSSL::SSL::VERIFY_NONE request = Net::HTTP::Patch.new(url) request["content-type"] = 'application/json' request["authorization"] = 'Bearer MGMT_API_ACCESS_TOKEN' request["cache-control"] = 'no-cache' request.body = "{ "scopes": [ { "value": "PERMISSION_NAME", "description": "PERMISSION_DESC" }, { "value": "PERMISSION_NAME", "description": "PERMISSION_DESC" } ] }" response = http.request(request) puts response.read_body ``` ```swift Swift theme={null} import Foundation let headers = [ "content-type": "application/json", "authorization": "Bearer MGMT_API_ACCESS_TOKEN", "cache-control": "no-cache" ] let parameters = ["scopes": [ [ "value": "PERMISSION_NAME", "description": "PERMISSION_DESC" ], [ "value": "PERMISSION_NAME", "description": "PERMISSION_DESC" ] ]] as [String : Any] let postData = JSONSerialization.data(withJSONObject: parameters, options: []) let request = NSMutableURLRequest(url: NSURL(string: "https://{yourDomain}/api/v2/resource-servers/API_ID")! as URL, cachePolicy: .useProtocolCachePolicy, timeoutInterval: 10.0) request.httpMethod = "PATCH" request.allHTTPHeaderFields = headers request.httpBody = postData as Data let session = URLSession.shared let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in if (error != nil) { print(error) } else { let httpResponse = response as? HTTPURLResponse print(httpResponse) } }) dataTask.resume() ```
Value Description
API\_ID ID of the API for which you want to delete permissions.
MGMT\_API\_ACCESS\_TOKEN Access Token for the Management API with the scope update:resource\_servers.
PERMISSION\_NAME Name(s) of the permission(s) you want to keep for the specified API.
PERMISSION\_DESC User-friendly description(s) of the permission(s) you want to keep for the specified API.
## Learn more * [Customize Consent Prompts](/docs/customize/login-pages/customize-consent-prompts) * [Configure Logical API for Multiple APIs](/docs/get-started/apis/set-logical-api) * [Role-Based Access Control](/docs/manage-users/access-control/rbac) * [Enable Role-Based Access Control for APIs](/docs/get-started/apis/enable-role-based-access-control-for-apis) # Enable Role-Based Access Control for APIs Source: https://auth0.com/docs/get-started/apis/enable-role-based-access-control-for-apis Learn how to enable role-based access control (RBAC) for an API using the Auth0 Dashboard or the Management API. You can enable [role-based access control (RBAC)](/docs/manage-users/access-control/rbac) using the Auth0 Dashboard or the Management API. This enables the API Authorization Core feature set. When RBAC is enabled, the `scope` claim of the access token includes an intersection of the requested permissions and the permissions assigned to the user, regardless of whether permissions are also included in the access token. When RBAC is disabled, an application can request any permission defined for the API, and the `scope` claim includes all requested permissions. If you configure any [Actions](/docs/customize/actions) that modify access token scopes, they will override the scopes set by RBAC. ## Dashboard 1. Go to [Dashboard > Applications > APIs](https://manage.auth0.com/#/apis) and click the name of the API to view. Dashboard Applications APIs List 2. Scroll to **RBAC Settings** and enable the **Enable RBAC** toggle. Auth0 Dashboard API Settings RBAC toggle 3. To include all permissions assigned to the user in the `permissions` claim of the access token, enable the **Add Permissions in the Access Token** toggle, and click **Save**. Including permissions in the access token allows you to make minimal calls to retrieve permissions, but increases token size. Once you’ve enabled the **Add Permissions in the Access Token** toggle, Auth0 also updates your token dialect based on the [access token profile](/docs/secure/tokens/access-tokens/access-token-profiles) you’ve set for the API: * If your token dialect is `access_token`, Auth0 updates it to `access_token_authz`, which is equivalent to the `access_token` profile with the `permissions` claim included. * If your token dialect is `rfc9068_profile`, Auth0 updates it to `rfc9068_profile_authz`, which is equivalent to the `rfc9068_profile` with the `permissions` claim included. To learn more about the available token dialects, read [Token dialect options](#token-dialect-options). ## Management API To enable RBAC using the Management API, make a PATCH request to the [Update a resource server endpoint](https://auth0.com/docs/api/management/v2/resource-servers/patch-resource-servers-by-id). In the PATCH request, set `enforce_policies` to `true`: ```bash cURL theme={null} curl --request PATCH \ --url 'https://{yourDomain}/api/v2/resource-servers/API_ID' \ --header 'authorization: Bearer MGMT_API_ACCESS_TOKEN' \ --header 'cache-control: no-cache' \ --header 'content-type: application/json' \ --data '{ "enforce_policies": "true", "token_dialect": "TOKEN_DIALECT" }' ``` ```csharp C# theme={null} var client = new RestClient("https://{yourDomain}/api/v2/resource-servers/API_ID"); var request = new RestRequest(Method.PATCH); request.AddHeader("content-type", "application/json"); request.AddHeader("authorization", "Bearer MGMT_API_ACCESS_TOKEN"); request.AddHeader("cache-control", "no-cache"); request.AddParameter("application/json", "{ "enforce_policies": "true", "token_dialect": "TOKEN_DIALECT" }", ParameterType.RequestBody); IRestResponse response = client.Execute(request); ``` ```go Go theme={null} package main import ( "fmt" "strings" "net/http" "io/ioutil" ) func main() { url := "https://{yourDomain}/api/v2/resource-servers/API_ID" payload := strings.NewReader("{ "enforce_policies": "true", "token_dialect": "TOKEN_DIALECT" }") req, _ := http.NewRequest("PATCH", url, payload) req.Header.Add("content-type", "application/json") req.Header.Add("authorization", "Bearer MGMT_API_ACCESS_TOKEN") req.Header.Add("cache-control", "no-cache") res, _ := http.DefaultClient.Do(req) defer res.Body.Close() body, _ := ioutil.ReadAll(res.Body) fmt.Println(res) fmt.Println(string(body)) } ``` ```java Java theme={null} HttpResponse response = Unirest.patch("https://{yourDomain}/api/v2/resource-servers/API_ID") .header("content-type", "application/json") .header("authorization", "Bearer MGMT_API_ACCESS_TOKEN") .header("cache-control", "no-cache") .body("{ "enforce_policies": "true", "token_dialect": "TOKEN_DIALECT" }") .asString(); ``` ```javascript Node.JS theme={null} var axios = require("axios").default; var options = { method: 'PATCH', url: 'https://{yourDomain}/api/v2/resource-servers/API_ID', headers: { 'content-type': 'application/json', authorization: 'Bearer MGMT_API_ACCESS_TOKEN', 'cache-control': 'no-cache' }, data: {enforce_policies: 'true', token_dialect: 'TOKEN_DIALECT'} }; axios.request(options).then(function (response) { console.log(response.data); }).catch(function (error) { console.error(error); }); ``` ```objc Obj-C theme={null} #import NSDictionary *headers = @{ @"content-type": @"application/json", @"authorization": @"Bearer MGMT_API_ACCESS_TOKEN", @"cache-control": @"no-cache" }; NSDictionary *parameters = @{ @"enforce_policies": @"true", @"token_dialect": @"TOKEN_DIALECT" }; NSData *postData = [NSJSONSerialization dataWithJSONObject:parameters options:0 error:nil]; NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://{yourDomain}/api/v2/resource-servers/API_ID"] cachePolicy:NSURLRequestUseProtocolCachePolicy timeoutInterval:10.0]; [request setHTTPMethod:@"PATCH"]; [request setAllHTTPHeaderFields:headers]; [request setHTTPBody:postData]; NSURLSession *session = [NSURLSession sharedSession]; NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) { if (error) { NSLog(@"%@", error); } else { NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response; NSLog(@"%@", httpResponse); } }]; [dataTask resume]; ``` ```php PHP theme={null} $curl = curl_init(); curl_setopt_array($curl, [ CURLOPT_URL => "https://{yourDomain}/api/v2/resource-servers/API_ID", CURLOPT_RETURNTRANSFER => true, CURLOPT_ENCODING => "", CURLOPT_MAXREDIRS => 10, CURLOPT_TIMEOUT => 30, CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1, CURLOPT_CUSTOMREQUEST => "PATCH", CURLOPT_POSTFIELDS => "{ "enforce_policies": "true", "token_dialect": "TOKEN_DIALECT" }", CURLOPT_HTTPHEADER => [ "authorization: Bearer MGMT_API_ACCESS_TOKEN", "cache-control: no-cache", "content-type: application/json" ], ]); $response = curl_exec($curl); $err = curl_error($curl); curl_close($curl); if ($err) { echo "cURL Error #:" . $err; } else { echo $response; } ``` ```python Python theme={null} import http.client conn = http.client.HTTPSConnection("") payload = "{ "enforce_policies": "true", "token_dialect": "TOKEN_DIALECT" }" headers = { 'content-type': "application/json", 'authorization': "Bearer MGMT_API_ACCESS_TOKEN", 'cache-control': "no-cache" } conn.request("PATCH", "/{yourDomain}/api/v2/resource-servers/API_ID", payload, headers) res = conn.getresponse() data = res.read() print(data.decode("utf-8")) ``` ```ruby Ruby theme={null} require 'uri' require 'net/http' require 'openssl' url = URI("https://{yourDomain}/api/v2/resource-servers/API_ID") http = Net::HTTP.new(url.host, url.port) http.use_ssl = true http.verify_mode = OpenSSL::SSL::VERIFY_NONE request = Net::HTTP::Patch.new(url) request["content-type"] = 'application/json' request["authorization"] = 'Bearer MGMT_API_ACCESS_TOKEN' request["cache-control"] = 'no-cache' request.body = "{ "enforce_policies": "true", "token_dialect": "TOKEN_DIALECT" }" response = http.request(request) puts response.read_body ``` ```swift Swift theme={null} import Foundation let headers = [ "content-type": "application/json", "authorization": "Bearer MGMT_API_ACCESS_TOKEN", "cache-control": "no-cache" ] let parameters = [ "enforce_policies": "true", "token_dialect": "TOKEN_DIALECT" ] as [String : Any] let postData = JSONSerialization.data(withJSONObject: parameters, options: []) let request = NSMutableURLRequest(url: NSURL(string: "https://{yourDomain}/api/v2/resource-servers/API_ID")! as URL, cachePolicy: .useProtocolCachePolicy, timeoutInterval: 10.0) request.httpMethod = "PATCH" request.allHTTPHeaderFields = headers request.httpBody = postData as Data let session = URLSession.shared let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in if (error != nil) { print(error) } else { let httpResponse = response as? HTTPURLResponse print(httpResponse) } }) dataTask.resume() ``` Replace `API_ID`, `MGMT_API_ACCESS_TOKEN`, and `TOKEN_DIALECT` with their respective values, as shown in the following table:
Parameter Description
API\_ID ID of the API for which you want to enable RBAC.
MGMT\_API\_ACCESS\_TOKEN Access Token for the Management API with the scope update:resource\_servers.
TOKEN\_DIALECT Dialect of the access token for the specified API. To learn more, read Token dialect options.
### Token dialect options Auth0 supports the following token dialects:
Value Description
access\_token The Auth0 default token profile generates an access token formatted as a JSON Web Token (JWT). In the scope claim of the access token, includes an intersection of the requested permissions and the permissions assigned to the user. No permissions claim is passed. To learn more, read Access Token Profiles.
access\_token\_authz The Auth0 default token profile (access\_token) with the permissions claim. In the scope claim of the access token, includes an intersection of the requested permissions and the permissions assigned to the user. In the permissions claim of the access token, includes all permissions assigned to the user. Allows you to make minimal calls to retrieve permissions, but increases token size.
rfc9068\_profile The RFC 9068 token profile generates an access token formatted as a JWT following the IETF JWT Profile for OAuth 2.0 Access Tokens (RFC 9068). In the scope claim of the access token, includes an intersection of the requested permissions and the permissions assigned to the user. No permissions claim is passed. To learn more, read Access Token Profiles.
rfc9068\_profile\_authz The RFC 9068 token profile (rfc9068\_profile) with the permissions claim. In the scope claim of the access token, includes an intersection of the requested permissions and the permissions assigned to the user. In the permissions claim of the access token, includes all permissions assigned to the user. Allows you to make minimal calls to retrieve permissions, but increases token size.
## Learn more * [Manage Role-Based Access Control Users](/docs/manage-users/access-control/configure-core-rbac/rbac-users) * [Manage Role-Based Access Control Permissions](/docs/manage-users/access-control/configure-core-rbac/manage-permissions) * [Sample Use Cases: Role-Based Access Control](/docs/manage-users/access-control/sample-use-cases-role-based-access-control) * [Troubleshoot Role-Based Access Control and Authorization](/docs/troubleshoot/authentication-issues/troubleshoot-rbac-authorization) # Scopes Source: https://auth0.com/docs/get-started/apis/scopes Understand the principle of scopes and explore general examples of their use. Different pieces of user information are often stored across a number of online resources. Users may upload and store photos with a service like Flickr, keep digital files on Dropbox, and store contacts and events in Google Calendar or on Facebook. Often, new applications will want to make use of the information that has already been created in an online resource. To do so, the application must ask for authorization to access this information on a user's behalf. Scopes define the specific actions applications can be allowed to do on a user's behalf. ## Ways to use scopes When an app requests permission to access a resource through an authorization server, it uses the `scope` parameter to specify what access it needs, and the authorization server uses the `scope` parameter to respond with the access that was actually granted (if the granted access was different from what was requested). Generally, you use scopes in three ways: * From an application, to verify the identity of a user and get basic profile information about the user, such as their email or picture. In this scenario, the scopes available to you include those implemented by the OpenID Connect (OIDC) protocol. To learn more, read [OpenID Connect Scopes](/docs/get-started/apis/scopes/openid-connect-scopes). * In an [API](/docs/api), to implement access control. In this case, you need to define custom scopes for your API and then identify these scopes so that calling applications can use them. To learn more, read [API Scopes](/docs/get-started/apis/scopes/api-scopes). * From an application, to call an API that has implemented its own custom scopes. In this case, you need to know which custom scopes are defined for the API you are calling. To see examples of calling a custom API from an application, read [Sample Use Cases: Scopes and Claims](/docs/get-started/apis/scopes/sample-use-cases-scopes-and-claims) ## Best practices Understand your use case and choose the most restrictive scopes possible. If you are requesting scopes, make sure you ask for enough access for your application to function, but only request what you absolutely need. Are you establishing a user's identity or asking the user to allow you to interact with their data? There's a big difference between importing a user's Facebook profile information and posting to their wall. By only requesting what you need, you are more likely to gain user consent when required since users are more likely to grant access for limited, clearly specified scopes. Similarly, when creating custom scopes for an API, consider what levels of granular access applications may need and design accordingly. ## Requested scopes versus granted scopes In certain cases, users get to consent to the access being requested. While usually, the scopes returned will be identical to those requested, users can edit granted scopes (both during initial consent and sometimes after, depending on the resource), thereby granting an app less access than it requested. As an application developer, you should be aware of this possibility and handle these cases in your app. For example, your app could warn the user that they will see reduced functionality. It could also send the user back through the authorization flow to ask for additional permissions. But again, remember that when asked for consent, users can always say no. By default, Auth0 skips user consent for first-party applications, which are applications that are registered under the same Auth0 domain as the API they are calling; however, you can configure your API in Auth0 to require user consent from first-party applications. Third-party applications, which are external applications, require user consent. ## Learn more * [OpenID Connect Scopes](/docs/get-started/apis/scopes/openid-connect-scopes) * [API Scopes](/docs/get-started/apis/scopes/api-scopes) * [Sample Use Cases: Scopes and Claims](/docs/get-started/apis/scopes/sample-use-cases-scopes-and-claims) * [Enable Role-Based Access Control for APIs](/docs/get-started/apis/enable-role-based-access-control-for-apis) # API Scopes Source: https://auth0.com/docs/get-started/apis/scopes/api-scopes Understand the principle of scopes and how it is used with APIs. As an API developer, you need to: 1. Decide which information you would like applications to be able to access on a user's behalf. 2. Define these access levels as custom scopes. (To learn what scopes are read [Scopes](/docs/get-started/apis/scopes).) 3. Identify these scopes so that calling applications can use them. ## Ways to use API scopes You can use API scopes in different ways: * In an API where the calling application is a third-party, or external, application. In this case, the calling application will request authorization from the user to access the requested scopes, and the user will approve or deny the request. * In an API where the calling application is a first-party application, or application that is registered under the same Auth0 domain as the API it is calling. In this case, by default, user consent is not requested, but you may configure consent to be required. * In an API where the calling application is a back-end service, whether third-party or first-party, and no user exists. In this case, user consent is never requested. All of these examples use scopes to limit access through use of a token. If you so choose, your API may also use additional logic beyond the token to enforce more extensive access control. For an example showing how to request custom API access for your application, read [Sample Use Cases: Scopes and Claims](/docs/get-started/apis/scopes/sample-use-cases-scopes-and-claims). ### Example: An API called by a third-party application Let's say you are building an API that provides bank account information to online payment applications. At various times, apps may need to read account balances or transfer funds. To do this, you create two scopes for your API: one that authorizes read access to an account balance (`read:balance`), one that authorizes fund transfers (`transfer:funds`). Your API is registered with Auth0. A calling application will request authorization from the user to access the requested scopes, and the user will approve or deny the request. The app may request read access to the user's balance by including the `read:balance` scope in its request, access to make fund transfers by including the `transfer:funds` scope in its request, or access to both read the user's balance and transfer funds by including both the `read:balance` and `transfer:funds` scopes in its request. Now, when the app calls your API, it will include a token which verifies that the user has provided authorization to access their content and also indicates which scopes the user has approved. Your API should respect the approved scopes and only release information that was authorized by the user to the calling application. ### Example: An API called by a first-party application Let's say you are building an API that provides data to an events application, which you have also written. You [implement role-based access control (RBAC)](/docs/manage-users/access-control/rbac), creating a role of `organizer` and a role of `participant`. Users with a role of `organizer` need to create and update events, whereas users with a role of `participant` need to view events and register for events. To do this, you create four scopes for your API: one that authorizes create access for events(`create:events`), one that authorizes update access for events (`update:events`), one that authorizes read-only access for events (`view:events`), and one that authorizes registration access for events (`register:events`). Both your API and event application are registered with Auth0, and the **Allow Skipping User Consent** for first-party applications option is enabled for your API. You have installed the Authorization Extension and configured an `organizer` role and created the `create:events` and `update:events` scopes for it, and assigned it to User A. You have also configured a `participant` role and created the `view:events` and `register:events` scopes for it, and assigned it to User B. User A authenticates with the calling application, which requests the necessary scopes, but because it is a first-party application, user consent will not be requested. The app may request any combination of `create:events`, `update:events`, `view:events`, and `register:events` scopes, but User A is recognized as having the role of `organizer` and therefore is only granted the `create:events` and `update:events` scopes. Now, when the app calls your API, it will include a token which verifies that it has authorization for only the scopes associated with the role of the authenticated user. ### Example: An API called by a back-end service Let's say you work for a hospital and have an API that produces large amounts of imaging data whenever a patient gets an MRI. You store the imaging data locally for six months, but the hospital needs the images to be stored long-term for the purpose of regulatory compliance. Because of this, the hospital has a service that copies imaging data to an offsite cold storage solution on a nightly basis and deletes all local medical data after six months of storage. To do this, you create two scopes for your API: one that authorizes read access to your imaging data (`read:images`) and one that authorizes delete access to your imaging data (`delete:images`). Your API and automated service are registered with Auth0, and you have authorized the automated service to request tokens for your API. The calling automated service will request the necessary scopes, but because there is no user, consent will not be requested. The service may request read access to your imaging data by including the `read:images` scope in its request, delete access by including the `delete:images` scope in its request, or both read and delete access by including the `read:images` and `delete:images` scopes in its request. Now, when the automated service calls your API, it will include a token which verifies that it has authorization for the requested scopes. ## Limit API scopes An application can include any scope defined for an API in its request. Instead of allowing all available scopes to be requested, however, you can control how applications access your APIs using [API access policies for applications](/docs/get-started/apis/api-access-policies-for-applications). ## Learn more * [Sample Use Cases: Scopes and Claims](/docs/get-started/apis/scopes/sample-use-cases-scopes-and-claims) * [Add API Permissions](/docs/get-started/apis/add-api-permissions) * [Customize Consent Prompts](/docs/customize/login-pages/customize-consent-prompts) * [Configure Logical API for Multiple APIs](/docs/get-started/apis/set-logical-api) * [Get Management API Access Tokens for Production](/docs/secure/tokens/access-tokens/management-api-access-tokens/get-management-api-access-tokens-for-production) * [Get Management API Access Tokens for Testing](/docs/secure/tokens/access-tokens/management-api-access-tokens/get-management-api-access-tokens-for-testing) # OpenID Connect Scopes Source: https://auth0.com/docs/get-started/apis/scopes/openid-connect-scopes Understand scopes and claims used with the OpenID Connect (OIDC) protocol. This document discusses scopes included within the OpenID Connect (OIDC) authentication protocol. For more info about OIDC itself, read [OpenID Connect Protocol](/docs/authenticate/protocols/openid-connect-protocol). OpenID Connect (OIDC) scopes are used by an application during authentication to authorize access to a user's details, like name and picture. Each scope returns a set of user attributes, which are called claims. The scopes an application should request depend on which user attributes the application needs. Once the user authorizes the requested scopes, the claims are returned in an ID Token and are also available through the [`/userinfo` endpoint](https://auth0.com/docs/api/authentication#get-user-info). For example, let's say you have built a regular web application, registered it with Auth0, and have configured it to allow a user to log in using a username and password. Once a user logs in to your app, you want to auto-generate and send a personalized welcome email, including the user's name. 1. A user clicks **Login** within your app. 2. Your app redirects the user to the Auth0 Authorization Server (`/authorize` endpoint), including the following scopes: * `openid` (required; to indicate that the application intends to use OIDC to verify the user's identity) * `profile` (so you can personalize the email with the user's name) * `email` (so you know where to send the welcome email) 3. Your Auth0 Authorization Server redirects the user to the login prompt. 4. The user authenticates and sees a consent page listing the scopes Auth0 will give to your app, which include access to their profile information and email address. 5. The user accepts and authorizes your app to have this level of access to their information stored by Auth0. 6. Your app now has access to the user's profile information and email address. ## Standard claims Standard claims are intended to provide an application with user details, such as name, email, and picture, and are pre-defined for the OIDC protocol. These claims are returned in an ID Token and are also available through the [`/userinfo` endpoint](https://auth0.com/docs/api/authentication#get-user-info). You can also create custom claims, which are claims that you define, control, and add to a token using [Auth0 Actions](/docs/customize/actions/actions-overview). To learn more, read [JSON Web Token Claims](/docs/secure/tokens/json-web-tokens/json-web-token-claims). The basic (and required) scope for OIDC is `openid`, which indicates that an application intends to use the OIDC protocol to verify a user's identity. Beyond that, an application can ask for additional scopes by listing the requested scope names in the `scope` parameter, separated by spaces. Standard claims included in the most commonly-used scopes are listed below, but for a full list of available standard claims, read [OIDC specification: Standard Claims on openid.net](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims). For a full list of Scopes, see [OIDC specification: Requesting Claims Using Scope Values on openid.net](https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims).
Scope Claims
openid (required) Returns the sub claim, which uniquely identifies the user. In an ID Token, iss, aud, exp, iat, and at\_hash claims will also be present. To learn more about the ID Token claims, read ID Token Structure.
profile Returns claims that represent basic profile information, including name, family\_name, given\_name, middle\_name, nickname, picture, and updated\_at.
email Returns the email claim, which contains the user's email address, and email\_verified, which is a boolean indicating whether the email address was verified by the user.
For an example showing how to request standard claims for your application, read [Sample Use Cases: Scopes and Claims](/docs/get-started/apis/scopes/sample-use-cases-scopes-and-claims). ## Learn more * [Sample Use Cases: Scopes and Claims](/docs/get-started/apis/scopes/sample-use-cases-scopes-and-claims) * [Scopes](/docs/get-started/apis/scopes) * [Create Custom Claims](/docs/secure/tokens/json-web-tokens/create-custom-claims) # Sample Use Cases: Scopes and Claims Source: https://auth0.com/docs/get-started/apis/scopes/sample-use-cases-scopes-and-claims Learn how to use scopes and claims with applications and APIs. In these examples, we use the [Authorization Code Flow](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow) to authenticate a user and request the necessary permissions (scopes) and tokens. For details on the request parameters or to learn how to fully implement this flow, read our tutorial: [Add Login to Regular Web Applications](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow/add-login-auth-code-flow). ## Authenticate a user and request standard claims In this example, we want to authenticate a user and get user details that will allow us to personalize our user interface. To do this, we need to get an ID token that contains the user's name, nickname, profile picture, and email information. 1. Initiate the authentication flow by sending the user to the authorization URL: Notice that in this example: * The `response_type` parameter includes one value: * `code`: because we are using the regular web app flow, our initial request is for an authorization code; when we request our tokens using this code, we will receive the ID Token we need for authentication. * The `scope` parameter includes three values; the requested OIDC scopes: * `openid`: to indicate that the application intends to use OIDC to verify the user's identity. * `profile`: to get `name`, `nickname`, and `picture`. * `email`: to get `email` and `email_verified`. 2. After the user consents (if necessary) and Auth0 redirects back to your app, [request tokens](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow/add-login-auth-code-flow). 3. Extract the ID token from the response and [decode it](/docs/secure/tokens/id-tokens). You should see the following claims: Your app can now retrieve the user attributes and use them to personalize your UI. ## Request custom API access In this example, we request a custom scope for a calendar API that will authorize the calling application to read appointments for the user. To do this, we want to get an access token containing the proper scope to read appointments from the API. Note that requesting an access token is not dependent on requesting an ID token. Before using a custom API, you need to know what scopes are available for the API you are calling. If the custom API is under your control, you need to register both your application and API with Auth0 and [define the scopes for your API using the Auth0 Dashboard](/docs/get-started/apis/scopes/api-scopes). You can also use defined permissions to [customize the consent prompt](/docs/customize/login-pages/customize-consent-prompts) for your users. 1. Initiate the authorization flow by sending the user to the authorization URL: Notice that in this example: * The `response_type` parameter still includes one value: * `code`: because we are using the regular web app flow, our initial request is for an authorization code; when we request our tokens using this code, we will receive the Access Token that we can use to call our API. * the `scope` parameter includes one value; the requested API scope: * `read:appointments`: to allow us to read the user's appointments from the API. * The `audience` parameter is new and includes one value: * The unique identifier of the API from which we want to read the user's appointments. 2. As in the previous example, after the user consents (if necessary) and Auth0 redirects back to your app, [request tokens](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow/add-login-auth-code-flow). 3. Extract the access token from the response, and call the API using the access token as credentials. ## Authenticate a user and request standard claims and custom API access In this example, we combine our previous two examples to authenticate a user, request standard claims, and also request a custom scope for a calendar API that will allow the calling application to read appointments for the user. To do this, get two tokens: * ID token that contains: * User name * Nickname * Profile picture * Email information * Access token that contains the proper scope to read appointments from the API. Note that requesting an access token is not dependent on requesting an ID token. Before using a custom API, you need to know what scopes are available for the API you are calling. If the custom API is under your control, you need to register both your application and API with Auth0 and [define the scopes for your API using the Auth0 Dashboard](/docs/get-started/apis/scopes/api-scopes). You can also use defined permissions to [customize the consent prompt](/docs/customize/login-pages/customize-consent-prompts) for your users. 1. Initiate the authentication flow by sending the user to the authorization URL: Notice that in this example: * The `response_type` parameter still includes one value: * `code`: because we are using the regular web app flow, our initial request is for an authorization code; when we request our tokens using this code, we will receive both the ID token we need for authentication and the access token that we can use to call our API. * The `scope` parameter is used for both OIDC scopes and API scopes, so now includes four values: * `openid`: to indicate that the application intends to use OIDC to verify the user's identity. * `profile`: to get `name`, `nickname`, and `picture`. * `email`: to get `email` and `email_verified`. * `read:appointments`: to allow us to read the user's appointments from the API. * the `audience` parameter includes one value: * The unique identifier of the API from which we want to read the user's appointments 2. As in the previous examples, after the user consents (if necessary) and Auth0 redirects back to your app, request tokens. 3. Extract the ID token from the response, decode it, and retrieve the user attributes and use them to personalize your UI. 4. Extract the access token from the response, and call the API using the access token as credentials. ## Add custom claims to a token In this example, we add a user's favorite color and preferred contact method to the ID Token. To do this, we create an [Action](/docs/customize/actions) to customize the ID token by adding these [claims](/docs/secure/tokens/json-web-tokens/create-custom-claims). Once added, we will also be able to obtain the custom claims when calling the `/userinfo` endpoint (though the Action will run only during the authentication process). Auth0 allows namespaced and non-namespaced claims, but certain restrictions apply (see [General restrictions](/docs/secure/tokens/json-web-tokens/create-custom-claims#general-restrictions)). To avoid name collisions, we recommend using namespaced claims. In case of collisions, the transaction won't fail, but your custom claim won't be added to your tokens. Suppose that: * At some point, the user selected a `preferred_contact` method of `email` and a `favorite_color` of `red`, and we saved it as part of the user's `user_metadata`. * We've used the [Management API](https://auth0.com/docs/api/management/v2#!/Users/patch_users_by_id) or the Dashboard to set application-specific information for this user. In this case, the Auth0-stored [normalized user profile](/docs/manage-users/user-accounts/user-profiles/normalized-user-profiles) is: ```json lines theme={null} { "email": "jane@example.com", "email_verified": true, "user_id": "custom|123", "favorite_color": "blue", "user_metadata": { "preferred_contact": "email" } } ``` For this profile, Auth0 would normally return the following ID Token claims to your application: ```json lines theme={null} { "email": "jane@example.com", "email_verified": true, "iss": "https://my-domain.auth0.com/", "sub": "custom|123", "aud": "my_client_id", "iat": 1311280970, "exp": 1311281970 } ``` Notice that in this example: * The `sub` claim contains the value of the `user_id` property. * Neither the `favorite_color` nor `user_metadata` properties are present because OpenID Connect (OIDC) does not define standard claims that represent `favorite_color` or `user_metadata`. To receive the custom data, we'll need to [create a new Action](/docs/customize/actions/write-your-first-action) to customize the token with a [custom claims](/docs/secure/tokens/json-web-tokens/create-custom-claims) that represent these properties from the user profile. 1. Navigate to [Auth0 Dashboard > Actions > Library](https://manage.auth0.com/#/actions/library), and select **Build Custom**. 2. Enter a descriptive **Name** for your Action (for example, `Add user metadata to tokens`), select the `Login / Post Login` trigger because you’ll be adding the Action to the Login flow, then select **Create**. 3. Locate the Actions Code Editor, copy the following JavaScript code into it, and select **Save Draft** to save your changes: ```javascript lines theme={null} exports.onExecutePostLogin = async (event, api) => { const namespace = 'https://myapp.example.com'; const { favorite_color, preferred_contact } = event.user.user_metadata; if (event.authorization) { // Set claims api.idToken.setCustomClaim(`${namespace}/favorite_color`, favorite_color); api.idToken.setCustomClaim(`${namespace}/preferred_contact`, preferred_contact); } }; ``` 4. From the Actions Code Editor sidebar, select Test (play icon), then select **Run** to [test your code](/docs/customize/actions/test-actions). 5. When you’re ready for the Action to go live, select **Deploy**. Finally, add the Action you created to the [Login Flow](https://manage.auth0.com/#/actions/flows/login/). To learn how to attach Actions to Flows, read the "Attach the Action to a flow" section in [Write Your First Action](/docs/customize/actions/write-your-first-action). With this Action enabled, Auth0 will include the `favorite_color` and `preferred_contac`t custom claims in the ID Token: ```json lines theme={null} { "email": "jane@example.com", "email_verified": true, "iss": "https://my-domain.auth0.com/", "sub": "custom|123", "aud": "my_client_id", "iat": 1311280970, "exp": 1311281970, "https://myapp.example.com/favorite_color": "red", "https://myapp.example.com/preferred_contact": "email" } ``` When creating your Action, make sure to set some logic that determines when to include additional claims. Injecting custom claims into every ID Token that is issued is not ideal. This example shows custom claims being added to an ID Token, which uses the `api.idToken.setCustomClaims` method. To add these claims to an Access Token, use the `api.accessToken.setCustomClaim` method. To learn more about the event object for the trigger, read [Actions Triggers: post-login - Event Object](/docs/customize/actions/explore-triggers/signup-and-login-triggers/login-trigger/post-login-event-object). To learn more about tokens, read [Tokens](/docs/secure/tokens). ## Learn more * [OpenID Connect Scopes](/docs/get-started/apis/scopes/openid-connect-scopes) * [Create Custom Claims](/docs/secure/tokens/json-web-tokens/create-custom-claims) * [API Scopes](/docs/get-started/apis/scopes/api-scopes) * [Configure Logical API for Multiple APIs](/docs/get-started/apis/set-logical-api) # Configure Logical API for Multiple APIs Source: https://auth0.com/docs/get-started/apis/set-logical-api Learn how to use a single logical API in Auth0 to represent and control access to multiple APIs. If you have multiple distinct API implementations that are all logically a part of the same API, you can simplify your authorization process by representing them with a single logical API in the Auth0 Dashboard. Doing this allows you to implement just one authorization flow, while still controlling access to the individual APIs by assigning the appropriate scopes. The following sections describe how to use and represent multiple APIs as a single Resource Server in Auth0. We will use the following sample application in the examples. The sample application uses a microservices architecture and contains: * 2 Node.js APIs: `contacts` and `calendar` (you can think of them as microservices) * 1 Resource Server representing the 2 APIs * 2 Namespaced scopes: `read:contacts` and `read:calendar` * The Implicit Grant flow to obtain an `access_token` that works for both APIs We will represent the two APIs using just one Auth0 API called `Organizer Service`. We will then create two scopes to demonstrate how you can use the [Implicit Flow](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce) to access the `calendar` and `contacts` APIs from the SPA. You need to complete the following steps: 1. Enable a connection for your application 2. Create a test user 3. Register a logical API in Auth0 4. Configure scopes for the logical API 5. Grant access to the logical API 6. (Optional) Implement single logout (SLO) or single sign-on (SSO) ## Prerequisites * [Register your application](/docs/get-started/auth0-overview/create-applications/single-page-web-apps). * Select an **Application Type** of **Single-Page App**. * Add **Allowed Callback URLs** of `http://localhost:3000` and `http://localhost:3000/callback.html`. * Download the [sample application](https://github.com/auth0-samples/auth0-api-auth-implicit-sample). To learn how to set up the sample app, read the [README](https://github.com/auth0-samples/auth0-api-auth-implicit-sample#readme). ## Enable a connection for your application You will need a source of users for your newly-registered application, so you will need to configure a [connection](/docs/authenticate/identity-providers). For the purpose of this sample, we'll create a simple [Database Connection](/docs/authenticate/database-connections) that asks only for the user's email address and a password. To learn more, read [Set Up Database Connections](/docs/get-started/applications/set-up-database-connections). ## Create a test user Since you're working with a newly-created connection, there won't be any users associated with it. Before we can test the sample application's login process, we'll need to create and associate a user with the connection, so make sure you choose your newly-created Connection when you create your user. To learn more, read [Create Users](/docs/manage-users/user-accounts/create-users). ## Register a logical API in Auth0 Register a single logical API that you will use to represent the multiple APIs contained within the sample application. For the purpose of this sample, call your API `Organizer Service` and set its unique identifier to `organize`. By default, the signing algorithm for the tokens obtained for this API is **RS256**, which you should leave as is. To learn more, read [Register APIs](/docs/get-started/auth0-overview/set-up-apis). ## Configure permissions for the logical API To allow the logical API to represent the APIs included within the sample application, you will need to create the proper permissions (scopes). Scopes allow you to define which API actions will be accessible to calling applications. One scope will represent one API/action combination. For the purpose of this sample, you want calling applications to be able to `read` from one API called `calendar` and another one called `contacts`, so you will need to create the following permissions: * `read:calendar` * `read:contacts` You can think of each one as a microservice. To learn more, read [Add API Permissions](/docs/get-started/apis/add-api-permissions) and [API Scopes](/docs/get-started/apis/scopes/api-scopes). ## Grant access to the logical API You are now ready to provide access to your APIs by allowing the logical API to obtain Access Tokens. By including the necessary scopes, you can control an application's access to the APIs represented by the logical API. The following steps use the [Implicit Flow](/docs/get-started/authentication-and-authorization-flow/implicit-flow-with-form-post) to reflect the sample. However, you can use whichever flow best suits your needs. For example: * If you have a **Machine-to-Machine Application**, you can authorize it to request Access Tokens for your API by executing a [Client Credentials Flow](/docs/get-started/authentication-and-authorization-flow/client-credentials-flow). * If you are building a **Native App**, you can implement the [Authorization Code Flow with Proof Key for Code Exchange (PKCE)](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce). To learn about Authorization flows, read [Authentication and Authorization Flows](/docs/get-started/authentication-and-authorization-flow). 1. The user clicks Login within the SPA, and the app redirects the user to the Auth0 Authorization Server (`/authorize` endpoint). To learn more about the call's parameters, see our tutorial: [Call Your API Using the Authorization Code Flow with PKCE](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce/call-your-api-using-the-authorization-code-flow-with-pkce). Example application sign in page 2. Your Auth0 Authorization Server redirects the user to the login page, where the user authenticates using one of the configured login options. Lock login page 3. If this is the first time the user has been through this flow, they see a consent prompt listing the permissions Auth0 will give to the SPA. In this case, the user is asked to consent to the app reading their contacts and calendar. Example application Lock Consent screen 4. If the user consents, Auth0 redirects the user back to the SPA with tokens in the hash fragment of the URI. The SPA can now extract the tokens from the hash fragment using JavaScript and use the Access Token to call your APIs on behalf of the user. ```javascript lines theme={null} function getParameterByName(name) { var match = RegExp('[#&]' + name + '=([^&]*)').exec(window.location.hash); return match && decodeURIComponent(match[1].replace(/\+/g, ' ')); } function getAccessToken() { return getParameterByName('access_token'); } ``` In our sample, after you successfully log in, you will see buttons that allow you to call either of your APIs using the Access Token obtained from the logical API. Example application user authorized screen ### Implement single logout (SLO) or single sign-on (SSO) In some multi-application scenarios, where Single Logout is desired (a user logging out of one application needs to be logged out of other applications), an application can be set up to periodically poll Auth0 using `checkSession()` to see if a session exists. If the session does not exist, you can then log the user out of the application. The same polling method can be used to implement silent authentication for a Single Sign-on (SSO) scenario. The poll interval between checks to `checkSession()` should be at least 15 minutes between calls to avoid any issues in the future with rate limiting of this call. ## Learn more * [Register APIs](/docs/get-started/auth0-overview/set-up-apis) * [Add API Permissions](/docs/get-started/apis/add-api-permissions) * [API Scopes](/docs/get-started/apis/scopes/api-scopes) * [Check API Calls](/docs/troubleshoot/authentication-issues/check-api-calls) # Applications in Auth0 Source: https://auth0.com/docs/get-started/applications Learn the basics of registering and configuring your applications in Auth0. The term **application** or **app** in Auth0 does not imply any particular implementation characteristics. For example, it could be a native app that executes on a mobile device, a single-page application that executes on a browser, or a regular web application that executes on a server. Auth0 categorizes apps based on these characteristics: * **Application type**: To add authentication to your application, you must register it in the Auth0 Dashboard and select from one of the following application types: * **Regular web application**: Traditional web apps that perform most of their application logic on the server (such as Express.js or ASP.NET). To learn how to set up a regular web application, read [Register Regular Web Applications](/docs/get-started/auth0-overview/create-applications/regular-web-apps). * **Single page web application (SPA)**: JavaScript apps that perform most of their user interface logic in a web browser, communicating with a web server primarily using APIs (such as AngularJS + Node.js or React). To learn how to set up a Single-page web application, read [Register Single-Page Web Applications](/docs/get-started/auth0-overview/create-applications/single-page-web-apps). * **Native application**: Mobile or Desktop applications that run natively on a device (such as iOS or Android). To learn how to set up a native application, read [Register Native Applications](/docs/get-started/auth0-overview/create-applications/native-apps). * **Machine to machine (M2M) application**: Non-interactive applications, such as command-line tools, daemons, IoT devices, or services running on your backend. Typically, you use this option if you have a service that requires access to an API. To learn how to set up a native application, read [Register Machine-to-Machine Applications](/docs/get-started/auth0-overview/create-applications/machine-to-machine-apps). * **Credential security**: According to the [OAuth 2.0 spec](https://tools.ietf.org/html/rfc6749#section-2.1), apps can be classified as either public or confidential; confidential apps can hold credentials securely, while public apps cannot. To learn more, read [Confidential and Public Applications](/docs/get-started/applications/confidential-and-public-applications). * **Ownership**: Whether an app is classified as first- or third-party depends on app ownership and control. First-party apps are controlled by the same organization or person that owns the Auth0 domain. Third-party apps enable external parties or partners to securely access protected resources behind your API. To learn more, read [First-Party and Third-Party Applications](/docs/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications). ## Manage applications settings You register applications in [Dashboard > Applications > Applications](https://manage.auth0.com/#/applications/\{yourClientId}/settings). In addition to setting up applications in the Dashboard, you can also set up applications programmatically as described in the [OpenID Connect (OIDC) Dynamic Client Registration 1.0](https://openid.net/specs/openid-connect-registration-1_0.html) specification. You can set up a more complex configuration that allows users to log in differently for different apps. To learn more, read [Multi-Tenant Application Best Practices](/docs/get-started/auth0-overview/create-tenants/multi-tenant-apps-best-practices) and [Create Multiple Tenants](/docs/get-started/auth0-overview/create-tenants/create-multiple-tenants). By default, Auth0 enables all connections associated with your tenant when you create a new application. To change this, [update application connections](/docs/get-started/applications/update-application-connections) in the **Application Settings** in the Dashboard. ## Monitor applications You can [monitor apps](/docs/deploy-monitor/monitor/monitor-applications) and perform end-to-end testing using your own tests. Auth0 stores [log data](/docs/deploy-monitor/logs) including Dashboard administrator actions, successful and failed user authentications, and password change requests. You can use log streaming in [Auth0 Marketplace](https://marketplace.auth0.com/features/log-streaming) to export your log data and use tools like Sumo Logic, Splunk, or Mixpanel to analyze and store your log data. ## Remove applications You can [remove an application](/docs/get-started/applications/remove-applications) using the Dashboard or the Management API. ## Manage client secrets A client secret is a secret known only to your application and the authorization server. It protects your resources by only granting [tokens](/docs/secure/tokens) to authorized requestors. Protect your client secrets and **never** include them in mobile or browser-based apps. If your client secret is ever compromised, you should [rotate to a new one](/docs/get-started/applications/rotate-client-secret) and update all authorized apps with the new client secret. ## Grant types Auth0 provides many different authentication and authorization grant types or flows and allows you to indicate which grant types are appropriate based on the `grant_types` property of your Auth0-registered app. To learn more, read [Application Grant Types](/docs/get-started/applications/application-grant-types). ## Learn more * [Application Settings](/docs/get-started/applications/application-settings) * [Confidential and Public Applications](/docs/get-started/applications/confidential-and-public-applications) * [First-Party and Third-Party Applications](/docs/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) * [Application Grant Types](/docs/get-started/applications/application-grant-types) * [Subdomain URL Placeholders](/docs/get-started/applications/wildcards-for-subdomains) * [Dynamic Application Registration](/docs/get-started/applications/dynamic-client-registration) # Application Access to APIs: Client Grants Source: https://auth0.com/docs/get-started/applications/application-access-to-apis-client-grants Learn about Client Grants In Auth0, you can control how applications access your APIs using [application API access policies](/docs/get-started/apis/api-access-policies-for-applications) and client grants. A client grant provides fine-grained application access to an API. It associates: * An API identified by its `audience` or unique identifier. * An application identified by its `client_id`. * A list of permissions such as scopes and/or `authorization_details_types` that the application is allowed to request for the specified audience. To learn more about the list of attributes you can define in a client grant, read [Client grant attributes](#client-grant-attributes). To learn how to define and manage client grants, read [Configure client grants](#configure-client-grants). ## Application API access policies and client grants When you configure an API's [application access policy](/docs/get-started/apis/api-access-policies-for-applications) to `require_client_grant`, only applications with a client grant defined can get an access token for the API. The client grant establishes the maximum permissions an application can request from the API by following the least privilege principle approach. As a result, Auth0 recommends using `require_client_grant` when configuring an API’s application access policy. ### Example: Social Media API To illustrate how client grants follow the least privilege principle approach, say you have a Social Media API with the permissions: `read:posts`, `write:posts`, `read:friends`, and `delete:posts`. You create an application and define a client grant with the permissions: `read:posts` and `write:posts`. This client grant now serves as a hard ceiling. Even though the Social Media API has other permissions, your application can never request or be granted `read:friends` or `delete:posts`. ## User access vs. client access In user and client access, client grants define the final set of permissions that control an application’s access to an API. The client grant’s `subject_type` attribute determines the type of application access allowed for an API. An application can have up to two client grants for a single API: * When you set `subject_type` to `client`, you define its machine-to-machine permissions. * When you set `subject_type` to `user`, you define its permissions to act on the user’s behalf. The following table explains how client grants control application access to APIs based on the access type flow:
Access type subject\_type attribute Description
Client credential access (Machine-to-machine access) Set subject\_type to client. The client grant directly authorizes the application to access the API on its own behalf instead of the end user’s behalf. The permissions you define in the client grant are the ones the application is authorized to receive in the access token.
User access Set subject\_type to user. The client grant defines the maximum permissions the application can request from the API. The final permissions in the access token issued to the application on the user’s behalf are the intersection of the permissions:

To learn more about user access flows, read Authentication and Authorization Flows. User access flows do not include the Client Credentials Flow.
You can modify the final scopes granted by the authorization server to the application or user using [Actions](/docs/customize/actions). ## Client grant attributes A client grant has several attributes that you can define to configure application access to APIs using the Auth0 Management API:
Attribute Description
id Unique identifier of the client grant.
audience Unique identifier of the API the client grant is for.
client\_id The unique ID of the application that is being granted access.
scopes An array of strings representing the permissions the application can request.
authorization\_details\_types An array of strings representing rich authorization data types that the application can request. This attribute can only be specified for user access flows.
subject\_type The type of application access the client grant allows for:
  • user: used for user access, which corresponds to all flows that generate a token associated with an end user.
  • client: used for machine access, which corresponds to the Client Credentials Flow.
allow\_all\_scopes Boolean. Indicates if all scopes defined on the API are allowed for the application. Future defined scopes, for the API, are automatically permitted.
organization\_usage Determines how the application may use organizations when accessing the API via the Client Credentials Flow. Possible values are: deny, allow, or require.

To learn more about the Organization settings, read Organizations for M2M Applications: Define Organization Behavior.
allow\_any\_organization Determines whether the application can access any organization when using the Client Credentials Flow.

To learn more about the Organization settings, read Organizations for M2M Applications: Define Organization Behavior.
## Configure client grants You can configure client grants using the Auth0 Dashboard or the Management API. ### Auth0 Dashboard To configure client grants using the Auth0 Dashboard: 1. Navigate to [Dashboard > Applications](https://manage.auth0.com/#/applications). 2. Select the **Application** you want to configure. 3. Select the **APIs** tab. 4. Select **Edit** to authorize **User Access**, **Client Access**, or both. For application-level authorization settings to take effect, you must set API Access Policy to Allow via client-grant. To learn more read, [API Access Policies for Applications](/docs/get-started/apis/api-access-policies-for-applications). * Configure the **User Access Authorization** to **Unauthorized**, **Authorized**, or **All**. * **Unauthorized**: No permission allowed. * **Authorized**: Select desired permissions. * **All**: Include all existing and future permissions. * Configure the **Client Credential Access Authorization** to **Unauthorized**, **Authorized**, or **All**. * **Unauthorized**: No permission allowed. * **Authorized**: Select desired permissions. * **All**: Include all existing and future permissions. 5. Select **Save** to save the **Application’s API** settings. ### Auth0 Management API To configure client grants, use the `/client-grants` endpoint. #### Create client grant To create a new client grant, make a [`POST`](https://auth0.com/docs/api/management/v2/client-grants/post-client-grants) request to the `/client-grants` endpoint. The following code sample creates a client grant for an application to access the `https://api.my-service.com` API. The `subject_type` is `user`, which means the client grant is for user access, and allows the application to request the `read:item` scope and the `payment` authorization details type. #### Update client grant To update an existing client grant, make a [`PATCH`](https://auth0.com/docs/api/management/v2/client-grants/patch-client-grants-by-id) request to `/client-grants/{id}`. The following code sample updates an existing client grant to expand its permissions. The application can now also request the `update:item` scope and an additional `credits_transfer` authorization details type. #### Delete client grant To delete a client grant, make a [`DELETE`](https://auth0.com/docs/api/management/v2/client-grants/delete-client-grants-by-id) request to `/client-grants/{id}`. The following code sample removes the client grant which revokes the application's access to the API: #### Retrieve client grants You can also query and paginate through the `client-grants` collections by using parameters like `client_id`, `audience`, or `subject_type`. The following code sample retrieves all client grants that allow for user access to the `https://api.my-service.com` API. ## Learn more * [API Access Policies for Applications](/docs/get-started/apis/api-access-policies-for-applications) * [Application Grant Types](/docs/get-started/applications/application-grant-types) # Application Grant Types Source: https://auth0.com/docs/get-started/applications/application-grant-types Describes grant types and how they relate to applications. Application grant types (or flows) are methods through which applications can gain [Access Tokens](/docs/secure/tokens/access-tokens) and by which you grant limited access to your resources to another entity without exposing credentials. The [OAuth 2.0 protocol](/docs/get-started/authentication-and-authorization-flow/which-oauth-2-0-flow-should-i-use) supports several types of grants, which allow different types of access. Based on the needs of your application, some grant types are more appropriate than others. Auth0 provides many different authentication and authorization flows and allows you to indicate which grant types are appropriate based on the `grant_types` property of your application. For example, if you want to secure a mobile application, the [Authorization Code Flow with Proof Key for Code Exchange (PKCE)](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce) is the most appropriate. Alternatively, if you want to secure a client-side application, such as a single-page application (SPA), and aren't passing tokens between servers, the [Implicit Flow with Form Post](/docs/get-started/authentication-and-authorization-flow/implicit-flow-with-form-post) is the most appropriate. Various grant types are valid when registering applications. These can be divided into the following categories: * **Specification-conforming grants**: Grants defined by and conforming to external specifications, such as OpenID Connect (OIDC). * **Auth0 extension grants**: Auth0-specific grants that conform to the [OAuth extension mechanism](https://tools.ietf.org/html/rfc6749#section-4.5) to support additional clients or to provide a bridge between OAuth and other trust frameworks. * **Auth0 legacy grants**: Traditional grant types supported for legacy customers only. If you are a legacy customer, we highly recommend moving to a more secure alternative. ## Available grant types ### Specification-conforming grants
Grant Type Description
implicit Implicit Grant
authorization\_code Authorization Code Grant
client\_credentials Client Credentials Grant
password Resource Owner Password Grant
refresh\_token Use Refresh Tokens
urn:ietf:params:oauth:grant-type:device\_code Device Authorization Grant
### Auth0 extension grants | **Grant Type** | **Description** | | --------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------- | | **`http://auth0.com/oauth/grant-type/password-realm`** | Use an extension grant similar to the Resource Owner Password Grant that includes the ability to indicate a specific realm | | **`http://auth0.com/oauth/grant-type/mfa-oob`** | Multi-factor Authentication OOB Grant Request | | **`http://auth0.com/oauth/grant-type/mfa-otp`** | Multi-factor Authentication OTP Grant Request | | **`http://auth0.com/oauth/grant-type/mfa-recovery-code`** | Multi-factor Authentication Recovery Grant Request | | **`http://auth0.com/oauth/grant-type/passwordless/otp`** | Embedded Passwordless Login Grant Request | ### Auth0 legacy grants Legacy grants include: * `http://auth0.com/oauth/legacy/grant-type/ro` * `http://auth0.com/oauth/legacy/grant-type/ro/jwt-bearer` * `http://auth0.com/oauth/legacy/grant-type/delegation/refresh_token` * `http://auth0.com/oauth/legacy/grant-type/delegation/id_token` * `http://auth0.com/oauth/legacy/grant-type/access_token` Legacy grant types are traditional grant types supported for legacy customers only. If you are a legacy customer, we highly recommend moving to a more secure alternative. As of 08 June 2017, all applications were given a `grant_types` property that must be populated. To avoid changes in functionality for Auth0 customers at that time, we populated the `grant_types` property for all existing applications with all Auth0 legacy, Auth0 extension, and specification-conforming grant types. At this time, new Auth0 customers were no longer able to add legacy grant types to their applications. Legacy grant types are only available for previous customers while they migrate to new flows, to avoid breaking changes. If you were a customer prior to 8 June 2017, you can [enable a legacy grant type](/docs/get-started/applications/update-grant-types) using either the Auth0 Dashboard or the Auth0 Management API. If you're currently using a legacy grant type, refer to the chart below to see which of the secure alternatives you should use instead. For example, if you're implementing Passwordless Authentication, use [Universal Login](/docs/authenticate/login/auth0-universal-login) instead of the `oauth/ro` endpoint. ## Grant type mapping When registered, applications have access to different grant types based on their application type, specifically whether the application is confidential or public. Additionally, trusted first-party applications have access to additional grant types. ### Public applications When a Native Application or Single-Page Application (SPA) is registered in the Dashboard, it's automatically flagged as a public application, which is indicated by the `token_endpoint_auth_method` flag being set to `none`. By default, Auth0 creates public applications with the following `grant_types` enabled: * `implicit` * `authorization_code` * `refresh_token` Native Apps can also use the `device_code` grant type. Public applications cannot use the `client_credentials` grant type. To use this grant type, you must configure the application to be confidential rather than public. Use the Auth0 Management API [Update a client](https://auth0.com/docs/api/management/v2#!/Clients/patch_clients_by_id) endpoint to set the `token_endpoint_auth_method` to `client_secret_post,` `client_secret_basic`, or `private_key_jwt`. To learn more, read [Application Credentials](/docs/secure/application-credentials). ### Confidential applications When a Regular Web Application or Machine-to-Machine (M2M) Application is registered in the Auth0 Dashboard, it's automatically flagged as a confidential application, which is indicated by the `token_endpoint_auth_method` flag being set to anything except `none`. By default, Auth0 creates confidential applications with the following `grant_types` enabled: * `implicit` * `authorization_code` * `refresh_token` * `client_credentials` ### Trusted first-party applications Trusted first-party applications have the same `grant_types` enabled as confidential applications, along with the following: * `password` * `http://auth0.com/oauth/grant-type/password-realm` * `http://auth0.com/oauth/grant-type/mfa-oob` * `http://auth0.com/oauth/grant-type/mfa-otp` * `http://auth0.com/oauth/grant-type/mfa-recovery-code` If you are using the Dashboard to enable or disable these grant types, be aware that all the Password and MFA grant types are enabled when you add the `Password` or `MFA` grant type to your application. You cannot select them individually. ## Learn more * [Confidential and Public Applications](/docs/get-started/applications/confidential-and-public-applications) * [Enable Third-Party Applications](/docs/get-started/applications/confidential-and-public-applications/enable-third-party-applications) * [First-Party and Third-Party Applications](/docs/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) * [Subdomain URL Placeholders](/docs/get-started/applications/wildcards-for-subdomains) # Application Settings Source: https://auth0.com/docs/get-started/applications/application-settings Describe the settings related to applications available in the Auth0 Dashboard. On the [Applications](https://manage.auth0.com/#/applications) page of the Dashboard, locate your application in the list, and click its name to view the available settings. Dashboard Applications List ## Basic settings When you edit an existing application's settings or create a new application, you enter information about the application in the **Settings** view. ### Basic Information Dashboard Applications Application Settings Tab Basic Information * **Name**: The name of your application. Editable, and will be seen in the portal, emails, logs, and so on. * **Domain**: Your Auth0 tenant name. You choose this when you create a new Auth0 tenant, and it cannot be changed. If you need a different domain, you must register for a new tenant by selecting **+ Create Tenant** in the top-right menu. * **Client ID**: The unique identifier for your application. You will use this when configuring authentication with Auth0. Generated by the system when you create a new application and cannot be modified. * **Client Secret**: A string used to sign and validate ID Tokens for authentication flows and to gain access to select Auth0 API endpoints. By default, the value is hidden, so check the **Reveal Client Secret** box to see it. While the Client ID is considered public information, the Client Secret **must be kept confidential**. If anyone can access your Client Secret, they can issue tokens and access resources they shouldn't be able to access. * **Description**: A free-text description of the Application's purpose. Maximum of 140 characters. ### Application Properties Dashboard Applications Application Settings Tab Application Properties * **Application Logo**: The URL of a logo (recommended size: 150x150 pixels) to display for the application. Appears in several areas, including the list of applications in the Dashboard and customized consent forms. If none is set the default badge for this type of application will be shown. * **Application Type**: The Auth0 application type determines which settings you can configure using the Dashboard. (Not editable for M2M apps. Sometimes disabled for other Auth0 application types if the selected grant types are only allowed for the currently selected application type.) Use the drop-down to select from the following types: * [Machine to Machine](/docs/get-started/auth0-overview/create-applications/machine-to-machine-apps): Non-interactive applications, such as command-line tools, daemons, IoT devices, or services running on your backend. Typically, you use this option if you have a service that requires access to an API. * [Native App](/docs/get-started/auth0-overview/create-applications/native-apps): Mobile or Desktop applications that run natively in a device (such as iOS or Android). * [Regular Web App](/docs/get-started/auth0-overview/create-applications/regular-web-apps): Traditional web apps that perform most of their application logic on the server (such as Express.js or ASP.NET). * [Single Page App](/docs/get-started/auth0-overview/create-applications/single-page-web-apps): JavaScript apps that perform most of their user interface logic in a web browser, communicating with a web server primarily using APIs (such as AngularJS + Node.js or React). ### Application URIs Dashboard Applications Application Settings Application URIs * **Application Login URI**: In some scenarios, Auth0 will need your application to redirect to your application's login page. This URI needs to point to a route in your application that redirects to your tenant's `/authorize` [endpoint](https://auth0.com/docs/api/authentication#authorize-application). It would usually take the form of `https://myapp.org/login`. To learn more, read [Configure Default Login Routes](/docs/authenticate/login/auth0-universal-login/configure-default-login-routes). * **Allowed Callback URLs**: Set of URLs to which Auth0 is allowed to redirect users after they authenticate. You can specify multiple valid URLs by comma-separating them (typically, to handle different environments like QA or testing). For production environments, verify that the URLs do not point to localhost. You can use the following placeholders in this field: * [**Wildcards**](/docs/get-started/applications/wildcards-for-subdomains#wildcard-url-placeholders): Use `*` for subdomains (`*.google.com`) *Not recommended for production environments.* * [**Organization placeholders**](/docs/get-started/applications/wildcards-for-subdomains#organization-url-placeholders): Use `{organization_name}` to dynamically specify a registered organization's name (for example, `https://{organization_name}.example.com`). * [**Custom Domain placeholders**](/docs/get-started/applications/wildcards-for-subdomains#custom-domain-url-placeholders): Use `{custom.domain.metadata.KEY}` to dynamically populate the URL based on metadata from the custom domain used in the request (for example, `https://{custom_domain.metadata.public_app_url}/callback`). The first URL listed in this field is taken as the default callback URL when the corresponding protocol flow does not explicitly specify one. This applies specifically to SAML, WS-Fed, and SAML IdP-initiated SSO flows. Do not use wildcard placeholders or localhost URLs in your application callbacks or allowed origins fields. Using redirect URLs with wildcard placeholders can make your application vulnerable to attacks. To learn more, read [Unvalidated Redirects and Forwards Cheat Sheet on owasp.org](https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet). Instead, URLs with the `{organization_name}` placeholder should be preferred, where relevant. To learn more, read [Subdomain URL Placeholders](/docs/get-started/applications/wildcards-for-subdomains). * **Allowed Logout URLs**: After a user logs out from Auth0, you can redirect them with the `returnTo` query parameter. The URL that you use in `returnTo` must be listed here. You can specify multiple valid URLs by comma-separating them. For production environments, verify that the URLs do not point to localhost. * [**Wildcards**](/docs/get-started/applications/wildcards-for-subdomains#wildcard-url-placeholders): Use `*` for subdomains (`*.google.com`) *Not recommended for production environments.* * [**Custom Domain placeholders**](/docs/get-started/applications/wildcards-for-subdomains#custom-domain-url-placeholders): Use `{custom.domain.metadata.KEY}` to dynamically populate the URL based on metadata from the custom domain used in the request (for example, `https://{custom_domain.metadata.public_app_url}/callback`). * **Allowed Web Origins**: List of URLs from where an authorization request using [Cross-Origin Authentication](/docs/authenticate/login/cross-origin-authentication), [Device Flow](/docs/get-started/authentication-and-authorization-flow/device-authorization-flow), and `web_message` as the response mode can originate from. You can specify multiple valid URLs by comma-separating them. For production environments, verify that the URLs do not point to localhost. Paths, query strings, and hash information are not taken into account when validating these URLs (and may, in fact, cause the match to fail). You can provide up to 100 URLs in the **Allowed Web Origins** field. * [**Wildcards**](/docs/get-started/applications/wildcards-for-subdomains#wildcard-url-placeholders): Use `*` for subdomains (`*.google.com`) *Not recommended for production environments.* * [**Custom Domain placeholders**](/docs/get-started/applications/wildcards-for-subdomains#custom-domain-url-placeholders): Use `{custom.domain.metadata.KEY`} to dynamically populate the URL based on metadata from the custom domain used in the request (for example, `https://{custom_domain.metadata.public_app_url}/callback`). * **Allowed Origins (CORS)**: List of URLs that are allowed to make Cross-Origin Resource Sharing (CORS) requests to Auth0. * [**Custom Domain placeholders**](/docs/get-started/applications/wildcards-for-subdomains#custom-domain-url-placeholders): Use `{custom.domain.metadata.KEY}` to dynamically populate the URL based on metadata from the custom domain used in the request (for example, `https://{custom_domain.metadata.public_app_url}/callback`). If you configure your Application URLs exclusively using Custom Domain placeholders, authentication requests made via your tenant's canonical domain (for example, [https://your-tenant.us.auth0.com](https://your-tenant.us.auth0.com)) will fail. This occurs because the canonical domain does not have the custom metadata required to resolve the placeholder. Ensure your application uses the specific Custom Domain for authentication, or provide a static fallback URL if canonical domain usage is required. ### ID Token In the **ID Token** section, enter the **ID Token Expiration** (in seconds) which is the amount of time before the Auth0 `id_token` expires. The default value is 36000 seconds which is 10 hours. **Use Auth0 instead of the IdP to do Single Sign-on**: If enabled, this setting prevents Auth0 from redirecting authenticated users with valid sessions to the identity provider (such as Facebook or ADFS). **Legacy tenants only.** ### Refresh Token Rotation In the **Refresh Token Rotation** section, enable or disable rotation. When enabled, as a result of exchanging a refresh token, a new refresh token will be issued and the existing token will be invalidated. This allows for automatic detection of token reuse if the token is leaked. In addition, enter the **Rotation Overlap Period** (in seconds). This interval is the allowable leeway time that the same `refresh_token` can be used to request an `access_token` without triggering automatic reuse detection. To learn more, read [Refresh Token Rotation](/docs/secure/tokens/refresh-tokens/refresh-token-rotation). Dashboard Applications Applications Settings Tab Refresh Token Rotation ### Refresh Token Expiration In the **Refresh Token Expiration** section, enable or disable absolute and inactivity expiration and set the lifetimes (in seconds) for each. To learn more, read [Configure Refresh Token Expiration](/docs/secure/tokens/refresh-tokens/configure-refresh-token-expiration). Dashboard Applications Applications Settings Tab Refresh Token Expiration ## Advanced settings The **Advanced Settings** section allows you to: * Manage or add application metadata, device, OAuth, and WS-Federation settings * Obtain certificates and Token endpoint information * Set the grant type(s) for the application ### Application Metadata Application metadata are custom string keys and values (each of which has a character maximum of 255), set on a per-application basis. Metadata is exposed in the application object as `client_metadata`, and in rules as `context.clientMetadata`. You can create up to 10 sets of metadata. Dashboard Applications Applications Settings Tab Advanced Settings Application Metadata Tab ### Device Settings If you're developing a mobile application, enter the necessary iOS/Android parameters. * When developing iOS apps, you'll provide your **Team ID** and **App ID**. To learn more, read [Enable Universal Links Support in Apple Xcode](/docs/get-started/applications/enable-universal-links-support-in-apple-xcode). * When developing Android apps, you'll provide your **App Package Name** and your **Key Hashes**. To learn more, read [Enable Android App Links Support](/docs/get-started/applications/enable-android-app-links-support). Dashboard Applications Application Settings Tab Advanced Settings Device Settings Tab ### OAuth Dashboard Applications Application Settings Tab Advanced Settings OAuth Tab * By default, all apps/APIs can make a delegation request, but if you want to explicitly grant permissions to selected apps/APIs, you can do so in **Allowed Apps/APIs**. * For customers using the Highly Regulated Identity add-on, use the **Compliance Enforcement Level** setting to set your level of compliance. For more information, review [Configure FAPI Compliance](/docs/get-started/applications/configure-fapi-compliance). * **Non-Verifiable Callback URI End-User Confirmation**: Use this setting to control whether the user is prompted to confirm login when a Non-verifiable URI is used as callback. Auth0 recommends that you do not skip end-user confirmation in these cases. This setting takes precedence over the tenant setting with the same name. To learn more, read [Measures Against Application Impersonation](/docs/secure/security-guidance/measures-against-app-impersonation.mdx). * Set the algorithm used ([**HS256**](https://en.wikipedia.org/wiki/Symmetric-key_algorithm) or [**RS256**](https://en.wikipedia.org/wiki/Public-key_cryptography)) for signing your JSON web tokens. To learn more, read [JSON Web Token Signing Algorithms](/docs/get-started/applications/signing-algorithms). When selecting `RS256` (recommended), the token will be signed with your tenant's private key. * Toggle the **Trust Token Endpoint IP Header** setting; if this is enabled, the `auth0-forwarded-for` is set as trusted and used as a source of end user IP information for protection against brute-force attacks on the Token endpoint. This setting is only available for Regular Web Apps and M2M Apps. * Toggle the switch to indicate if your application is **OIDC Conformant** or not. Applications flagged as OIDC Conformant will strictly follow the OIDC specification. For troubleshooting help, read [Troubleshoot Invalid Token Errors](/docs/troubleshoot/basic-issues/invalid-token-errors). ### Grant Types Select grant types to enable or disable for your application. Available grant types are based on the application type. Dashboard Applications Application Settings Tab Advanced Settings Grant Types tab ### WS-Federation Manage or add WS-Federation settings. Dashboard Applications Application Settings Tab Advanced WS-Federation tab ### Certificates Manage or add the signing certificate, and its fingerprint and thumbprint. Dashboard Applications Advanced Settings Certificates tab ### Endpoints View endpoint information for OAuth, SAML, and WS-Fed, such as Authorization and Metadata URLs. ## Learn more * [Create Applications](/docs/get-started/auth0-overview/create-applications) * [Remove Applications](/docs/get-started/applications/remove-applications) * [Configure Applications with OIDC Discovery](/docs/get-started/applications/configure-applications-with-oidc-discovery) * [Confidential and Public Applications](/docs/get-started/applications/confidential-and-public-applications) * [First-Party and Third-Party Applications](/docs/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) * [Check Error Messages](/docs/troubleshoot/basic-issues/check-error-messages) # Change Application Signing Algorithms Source: https://auth0.com/docs/get-started/applications/change-application-signing-algorithms Describes how to change an application's signing algorithm using the Auth0 Dashboard. You can change your application's signing algorithm using the Dashboard. 1. Go to [Dashboard > Applications > Applications](https://manage.auth0.com/#/applications) and select the name of the application to view. Dashboard Applications List 2. Scroll to the bottom of the **Settings** tab and select **Show Advanced Settings**. 3. Go to the **OAuth** tab. Dashboard Applications Application Settings Tab Advanced Settings OAuth Tab 4. Locate **JsonWebToken Signature Algorithm** and select the appropriate signing algorithm for the application. 5. Click **Save Changes**. ## Learn more * [Signing Keys](/docs/get-started/tenant-settings/signing-keys) * [View Signing Certificates](/docs/get-started/tenant-settings/signing-keys/view-signing-certificates) * [Rotate Signing Keys](/docs/get-started/tenant-settings/signing-keys/rotate-signing-keys) * [Revoke Signing Keys](/docs/get-started/tenant-settings/signing-keys/revoke-signing-keys) * [Signing Algorithms](/docs/get-started/applications/signing-algorithms) # Confidential and Public Applications Source: https://auth0.com/docs/get-started/applications/confidential-and-public-applications Describes the difference between confidential and public application types. According to the [OAuth 2.0 specification](https://tools.ietf.org/html/rfc6749#section-2.1), applications can be classified as either confidential or public. The main difference relates to whether or not the application is able to hold credentials (such as a client ID and secret) securely. This affects the type of authentication the applications can use. When you create an application using the Dashboard, Auth0 will ask you what Auth0 application type you want to assign to the new application and use that information to determine whether the application is confidential or public. To learn more, read [Check if Application is Confidential or Public](/docs/get-started/applications/confidential-and-public-applications/view-application-type). ## Confidential applications Confidential applications can hold credentials in a secure way without exposing them to unauthorized parties. They require a trusted backend server to store the secret(s). ### Grant types Confidential applications use a trusted backend server and can use grant types that require specifying their Client ID and Client Secret (or alternative registered credentials) for authentication when calling the Auth0 Authentication API [Get Token](https://auth0.com/docs/api/authentication#get-token) endpoint. Confidential applications can use Client Secret Post, Client Secret Basic, or [Private Key JWT](/docs/get-started/authentication-and-authorization-flow/authenticate-with-private-key-jwt) authentication methods. These are considered confidential applications: * A web application with a secure backend that uses the [Authorization Code Flow](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow), [Resource Owner Password Flow](/docs/get-started/authentication-and-authorization-flow/resource-owner-password-flow), or Resource Owner Password Flow with realm support * A machine-to-machine (M2M) application that uses the [Client Credentials Flow](/docs/get-started/authentication-and-authorization-flow/client-credentials-flow) ### ID tokens Because confidential applications are capable of holding secrets, you can have ID tokens issued to them that have signed in one of two ways: * Symmetrically, using their client secret (`HS256`) * Asymmetrically, using a private key (`RS256`) ## Public applications Public applications **cannot** hold credentials securely. ### Grant types Public applications can only use grant types that do not require the use of their client secret. They can't send a client secret because they can't maintain the confidentiality of the credentials required. These are public applications: * A native desktop or mobile application that uses the [Authorization Code Flow with PKCE](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce) * A JavaScript-based client-side web application (such as a single-page app) that uses the [Implicit Flow](/docs/get-started/authentication-and-authorization-flow/implicit-flow-with-form-post) grant ### ID tokens Because public applications are unable to hold secrets, [ID tokens](/docs/secure/tokens/id-tokens) issued to them must be: * Signed asymmetrically using a private key (`RS256`) * Verified using the public key corresponding to the private key used to sign the token ## Learn more * [Check if Application is Confidential or Public](/docs/get-started/applications/confidential-and-public-applications/view-application-type) * [First-Party and Third-Party Applications](/docs/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) * [User Consent and Third-Party Applications](/docs/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications) # Enable Third-Party Applications Source: https://auth0.com/docs/get-started/applications/confidential-and-public-applications/enable-third-party-applications Describes how to enable third-party applications for your tenant. You can enable third-party applications for your tenant. See [First-Party and Third-Party Applications](/docs/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) for details on the differences between the two types of applications. 1. [Update your application's ownership to third-party](/docs/get-started/applications/confidential-and-public-applications/update-application-ownership) in Auth0. By default, applications registered in Auth0 are first-party applications. If you want your application to be a third-party application, you must update its ownership. 2. [Promote the connections you will use with third-party applications to domain level](/docs/authenticate/identity-providers/promote-connections-to-domain-level) in Auth0. Third-party applications can only authenticate users from [connections](/docs/authenticate/identity-providers) flagged as domain-level connections. Domain-level connections can be enabled for selected first-party applications while also being open to all third-party application users for authentication. 3. Update your application's login page. If you use [Lock](/docs/libraries/lock) in the [Universal Login Page](/docs/authenticate/login/auth0-universal-login/universal-login-vs-classic-login/classic-experience), you must also: 1. Upgrade to Lock version 11 or later. 2. Set the `__useTenantInfo: config.isThirdPartyClient` flag when instantiating Lock. 3. For Private Cloud users only: Set the [`configurationBaseUrl` option](/docs/libraries/lock/lock-configuration#configurationbaseurl-string-) to `https://{config.auth0Domain}/` when instantiating Lock. ## Access token current\_user\_\* scopes Neither first- nor third-party applications can use ID tokens to invoke Management API endpoints. Instead, they should get access tokens with the following `current_user_*` scopes required by each endpoint:
Scope Endpoint
read:current\_user List or search users
Get a user
Get user MFA enrollments
update:current\_user\_metadata Update a user
Delete a user's multi-factor provider
create:current\_user\_device\_credentials Create a device public key
delete:current\_user\_device\_credentials Delete a device credential
update:current\_user\_identities Link a user account
Unlink a user identity
## Script example ```html lines expandable theme={null} ... ``` ## Learn more * [First-Party and Third-Party Applications](/docs/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) * [User Consent and Third-Party Applications](/docs/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications) * [Promote Connections to Domain Level](/docs/authenticate/identity-providers/promote-connections-to-domain-level) # First-Party and Third-Party Applications Source: https://auth0.com/docs/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications Describes the difference between confidential and public application types. Applications can be classified as either first-party or third-party, which refers to the ownership of the application. The main difference relates to who has administrative access to your Auth0 domain. ## First-party applications First-party applications are those controlled by the same organization or person who owns the Auth0 domain. For example, let's say you created both a Contoso API and an application that logs into `contoso.com` and consumes the Contoso API. You would register both the API and application under the same Auth0 domain, and the application would be a first-party application. By default, all applications created via the [Auth0 Dashboard](https://manage.auth0.com/#/applications) are first-party applications. ## Third-party applications Third-party applications are controlled by someone who most likely should not have administrative access to your Auth0 domain. Third-party applications enable external parties or partners to securely access protected resources behind your API. An example of this is with Facebook, let's say you created an application to get a client ID and secret to integrate with your service. That application is considered third-party because it is not owned by Facebook but a third-party that wants to integrate with Facebook APIs and services. All applications created through [Dynamic Client Registration](/docs/get-started/applications/dynamic-client-registration) will be third-party. Third-party applications cannot be created using the Dashboard, but must be created through the Auth0 Management API by setting `is_first_party` to `false`. Third-party applications have the following unique characteristics: * **User Consent**: You must require user consent when consuming APIs because anyone can create an application. Requiring the user to provide consent improves security. * **ID Tokens**: [ID tokens](/docs/secure/tokens/id-tokens) generated for third-party applications hold only minimum user profile information. * **Connections**: You can only use tenant-level connections or domain connections. For more information, see [Enable Third-party Applications](/docs/get-started/applications/confidential-and-public-applications/enable-third-party-applications). ## Learn more * [Update Application Ownership](/docs/get-started/applications/confidential-and-public-applications/update-application-ownership) * [Check if Application is Confidential or Public](/docs/get-started/applications/confidential-and-public-applications/view-application-type) * [User Consent and Third-Party Applications](/docs/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications) # Update Application Ownership Source: https://auth0.com/docs/get-started/applications/confidential-and-public-applications/update-application-ownership Learn how to update application ownership using the Auth0 Management API. This will let you specify whether an application is registered with Auth0 as a first-party or third-party application. You can use Auth0's Management API to update application ownership, which allows you to specify whether an application is registered with Auth0 as a first-party or third-party application. Make a `PATCH` call to the [Update a Client endpoint](https://auth0.com/docs/api/management/v2#!/Clients/patch_clients_by_id). Be sure to replace `{YOUR_CLIENT_ID}`, `{YOUR_MANAGEMENT_API_ACCESS_TOKEN}`, and `{OWNERSHIP_BOOLEN}` placeholder values with your client ID, Management API Access Token, and boolean representing the application's ownership, respectively. ```bash cURL theme={null} curl --request PATCH \ --url 'https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}' \ --header 'authorization: Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}' \ --header 'cache-control: no-cache' \ --header 'content-type: application/json' \ --data '{ "is_first_party": "{OWNERSHIP_BOOLEN}" }' ``` ```csharp C# theme={null} var client = new RestClient("https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}"); var request = new RestRequest(Method.PATCH); request.AddHeader("content-type", "application/json"); request.AddHeader("authorization", "Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}"); request.AddHeader("cache-control", "no-cache"); request.AddParameter("application/json", "{ "is_first_party": "{OWNERSHIP_BOOLEAN}" }", ParameterType.RequestBody); IRestResponse response = client.Execute(request); ``` ```go Go theme={null} package main import ( "fmt" "strings" "net/http" "io/ioutil" ) func main() { url := "https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}" payload := strings.NewReader("{ "is_first_party": "{OWNERSHIP_BOOLEAN}" }") req, _ := http.NewRequest("PATCH", url, payload) req.Header.Add("content-type", "application/json") req.Header.Add("authorization", "Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}") req.Header.Add("cache-control", "no-cache") res, _ := http.DefaultClient.Do(req) defer res.Body.Close() body, _ := ioutil.ReadAll(res.Body) fmt.Println(res) fmt.Println(string(body)) } ``` ```java Java theme={null} HttpResponse response = Unirest.patch("https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}") .header("content-type", "application/json") .header("authorization", "Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}") .header("cache-control", "no-cache") .body("{ "is_first_party": "{OWNERSHIP_BOOLEAN}" }") .asString(); ``` ```javascript Node.JS theme={null} var axios = require("axios").default; var options = { method: 'PATCH', url: 'https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}', headers: { 'content-type': 'application/json', authorization: 'Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}', 'cache-control': 'no-cache' }, data: {is_first_party: '{OWNERSHIP_BOOLEAN}'} }; axios.request(options).then(function (response) { console.log(response.data); }).catch(function (error) { console.error(error); }); ``` ```php PHP theme={null} $curl = curl_init(); curl_setopt_array($curl, [ CURLOPT_URL => "https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}", CURLOPT_RETURNTRANSFER => true, CURLOPT_ENCODING => "", CURLOPT_MAXREDIRS => 10, CURLOPT_TIMEOUT => 30, CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1, CURLOPT_CUSTOMREQUEST => "PATCH", CURLOPT_POSTFIELDS => "{ "is_first_party": "{OWNERSHIP_BOOLEAN}" }", CURLOPT_HTTPHEADER => [ "authorization: Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}", "cache-control: no-cache", "content-type: application/json" ], ]); $response = curl_exec($curl); $err = curl_error($curl); curl_close($curl); if ($err) { echo "cURL Error #:" . $err; } else { echo $response; } ``` ```python Python theme={null} import http.client conn = http.client.HTTPSConnection("") payload = "{ "is_first_party": "{OWNERSHIP_BOOLEAN}" }" headers = { 'content-type': "application/json", 'authorization': "Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}", 'cache-control': "no-cache" } conn.request("PATCH", "/{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}", payload, headers) res = conn.getresponse() data = res.read() print(data.decode("utf-8")) ``` ```ruby Ruby theme={null} require 'uri' require 'net/http' require 'openssl' url = URI("https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}") http = Net::HTTP.new(url.host, url.port) http.use_ssl = true http.verify_mode = OpenSSL::SSL::VERIFY_NONE request = Net::HTTP::Patch.new(url) request["content-type"] = 'application/json' request["authorization"] = 'Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}' request["cache-control"] = 'no-cache' request.body = "{ "is_first_party": "{OWNERSHIP_BOOLEAN}" }" response = http.request(request) puts response.read_body ```
Value Description
YOUR\_CLIENT\_ID Τhe ID of the application to be updated.
YOUR\_MANAGEMENT\_API\_ACCESS\_TOKEN Access Tokens for the Management API with the scope update:clients.
OWNERSHIP\_BOOLEAN The ownership you would like to specify for the application. If the application is first-party, is\_first\_party should have a value of true. If the application is third-party, is\_first\_party should have a value of false.
## Learn more * [First-Party and Third-Party Applications](/docs/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) * [View Application Ownership](/docs/get-started/applications/confidential-and-public-applications/view-application-ownership) * [User Consent and Third-Party Applications](/docs/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications) * [Enable Third-Party Applications](/docs/get-started/applications/confidential-and-public-applications/enable-third-party-applications) # User Consent and Third-Party Applications Source: https://auth0.com/docs/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications Learn how to decouple APIs from applications that consume them and define third-party apps that you don't control or may not trust. The [OIDC](/docs/authenticate/protocols/openid-connect-protocol)-conformant authentication pipeline supports defining resource servers (such as APIs) as entities separate from applications. This lets you decouple APIs from the applications that consume them, and also lets you define [third-party applications](/docs/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) that allow external parties to securely access protected resources behind your API. ## Consent dialog If a user authenticates through a third-party application and the application requests authorization to access the user's information or perform some action at an API on their behalf, the user will see a consent dialog. For example, this request: ```http lines theme={null} GET /authorize? client_id=some_third_party_client &redirect_uri=https://fabrikam.com/contoso_social &response_type=token id_token &__scope=openid profile email read:posts write:posts__ &__audience=https://social.contoso.com__ &nonce=... &state=... ``` Will result in this user consent dialog: Authorization - User consent and applications - consent-dialog If the user allows the application's request, this creates a user grant, which represents the user's consent to this combination of application, resource server, and requested scopes. The application then receives a successful authentication response from Auth0 as usual. Once consent has been given, the user won't see the consent dialog during subsequent logins until consent is revoked explicitly. ## Scope descriptions By default, the consent page will use the scopes' names to prompt for the user's consent. As shown below, you should define scopes using the `action:resource_name` format. Authorization - User consent and applications - Consent scopes The consent page groups scopes for the same resource and displays all actions for that resource in a single line. For example, the configuration above would result in **Posts: read and write your posts**. If you would like to display the **Description** field instead, you can do so by setting the tenant's `use_scope_descriptions_for_consent` to `true`. This will affect consent prompts for all of the APIs on that tenant. To set the `use_scope_descriptions_for_consent` flag, you will need to make the appropriate call to the API: ```bash cURL theme={null} curl --request PATCH \ --url 'https://{YOUR_DOMAIN}/api/v2/tenants/settings' \ --header 'authorization: Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}' \ --header 'cache-control: no-cache' \ --header 'content-type: application/json' \ --data '{ "flags": { "use_scope_descriptions_for_consent": true } }' ``` ```csharp C# theme={null} var client = new RestClient("https://{YOUR_DOMAIN}/api/v2/tenants/settings"); var request = new RestRequest(Method.PATCH); request.AddHeader("content-type", "application/json"); request.AddHeader("authorization", "Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}"); request.AddHeader("cache-control", "no-cache"); request.AddParameter("application/json", "{ "flags": { "use_scope_descriptions_for_consent": true } }", ParameterType.RequestBody); IRestResponse response = client.Execute(request); ``` ```go Go theme={null} package main import ( "fmt" "strings" "net/http" "io/ioutil" ) func main() { url := "https://{YOUR_DOMAIN}/api/v2/tenants/settings" payload := strings.NewReader("{ "flags": { "use_scope_descriptions_for_consent": true } }") req, _ := http.NewRequest("PATCH", url, payload) req.Header.Add("content-type", "application/json") req.Header.Add("authorization", "Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}") req.Header.Add("cache-control", "no-cache") res, _ := http.DefaultClient.Do(req) defer res.Body.Close() body, _ := ioutil.ReadAll(res.Body) fmt.Println(res) fmt.Println(string(body)) } ``` ```java Java theme={null} HttpResponse response = Unirest.patch("https://{YOUR_DOMAIN}/api/v2/tenants/settings") .header("content-type", "application/json") .header("authorization", "Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}") .header("cache-control", "no-cache") .body("{ "flags": { "use_scope_descriptions_for_consent": true } }") .asString(); ``` ```javascript Node.JS theme={null} var axios = require("axios").default; var options = { method: 'PATCH', url: 'https://{YOUR_DOMAIN}/api/v2/tenants/settings', headers: { 'content-type': 'application/json', authorization: 'Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}', 'cache-control': 'no-cache' }, data: {flags: {use_scope_descriptions_for_consent: true}} }; axios.request(options).then(function (response) { console.log(response.data); }).catch(function (error) { console.error(error); }); ``` ```php PHP theme={null} $curl = curl_init(); curl_setopt_array($curl, [ CURLOPT_URL => "https://{YOUR_DOMAIN}/api/v2/tenants/settings", CURLOPT_RETURNTRANSFER => true, CURLOPT_ENCODING => "", CURLOPT_MAXREDIRS => 10, CURLOPT_TIMEOUT => 30, CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1, CURLOPT_CUSTOMREQUEST => "PATCH", CURLOPT_POSTFIELDS => "{ "flags": { "use_scope_descriptions_for_consent": true } }", CURLOPT_HTTPHEADER => [ "authorization: Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}", "cache-control: no-cache", "content-type: application/json" ], ]); $response = curl_exec($curl); $err = curl_error($curl); curl_close($curl); if ($err) { echo "cURL Error #:" . $err; } else { echo $response; } ``` ```python Python theme={null} import http.client conn = http.client.HTTPSConnection("") payload = "{ "flags": { "use_scope_descriptions_for_consent": true } }" headers = { 'content-type': "application/json", 'authorization': "Bearer API2_ACCESS_TOKEN", 'cache-control': "no-cache" } conn.request("PATCH", "/{YOUR_DOMAIN}/api/v2/tenants/settings", payload, headers) res = conn.getresponse() data = res.read() print(data.decode("utf-8")) ``` ```ruby Ruby theme={null} require 'uri' require 'net/http' require 'openssl' url = URI("https://{YOUR_DOMAIN}/api/v2/tenants/settings") http = Net::HTTP.new(url.host, url.port) http.use_ssl = true http.verify_mode = OpenSSL::SSL::VERIFY_NONE request = Net::HTTP::Patch.new(url) request["content-type"] = 'application/json' request["authorization"] = 'Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}' request["cache-control"] = 'no-cache' request.body = "{ "flags": { "use_scope_descriptions_for_consent": true } }" response = http.request(request) puts response.read_body ``` ## Handle rejected permissions If a user decides to reject consent to the application, they will be redirected to the `redirect_uri` specified in the request with an `access_denied` error: ```http lines theme={null} HTTP/1.1 302 Found Location: https://fabrikam.com/contoso_social# error=access_denied &state=... ``` ## Skip consent for first-party applications First-party applications can skip the consent dialog, but only if the API they are trying to access on behalf of the user has the **Allow Skipping User Consent** option enabled. To navigate to the **Allow Skipping User Consent** toggle, select **Applications > APIs > (select the api) > Settings > Access Settings.** Note that this option only allows verifiable first-party applications to skip consent at the moment. As `localhost` is never a verifiable first-party (because any malicious application may run on `localhost` for a user), Auth0 will always display the consent dialog for applications running on `localhost` regardless of whether they are marked as first-party applications. During development, you can work around this by modifying your `/etc/hosts` file to add an entry such as the following: `127.0.0.1 myapp.example` Similarly, you cannot skip consent (even for first-party applications) if `localhost` is used in the application's `redirect_uri` parameter and is present in any of the application's **Allowed Callback URLs** (found in [Dashboard > Applications > Settings](https://manage.auth0.com/#/applications)). Since third-party applications are assumed to be untrusted, they are not able to skip consent dialogs. ## Revoke consent If a user has provided consent but you would like to revoke it: 1. Go to [Auth0 Dashboard > User Management > Users](https://manage.auth0.com/#/users), and click the user for whom you would like to revoke consent. 2. Click the **Authorized Applications** tab, 3. Click **Revoke** next to the appropriate application. ## Password-based flows When using the [Resource Owner Password Flow](/docs/get-started/authentication-and-authorization-flow/resource-owner-password-flow), no consent dialog is involved because the user directly provides their password to the application, which is equivalent to granting the application full access to the user's account. ## Force users to provide consent When redirecting to the `/authorize` endpoint, including the `prompt=consent` parameter will force users to provide consent, even if they have an existing user grant for the application and requested scopes. ## Learn more * [First-Party and Third-Party Applications](/docs/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) * [View Application Ownership](/docs/get-started/applications/confidential-and-public-applications/view-application-ownership) * [Confidential and Public Applications](/docs/get-started/applications/confidential-and-public-applications) * [Enable Third-Party Applications](/docs/get-started/applications/confidential-and-public-applications/enable-third-party-applications) * [Application Grant Types](/docs/get-started/applications/application-grant-types) # View Application Ownership Source: https://auth0.com/docs/get-started/applications/confidential-and-public-applications/view-application-ownership Learn how to check whether an application is registered with Auth0 as a first-party or third-party app using the Auth0 Management API. You can use Auth0's Management API to check whether an application is registered with Auth0 as a first-party or third-party application. Make a `GET` call to the [Get a Client endpoint](https://auth0.com/docs/api/management/v2#!/Clients/get_clients_by_id). Be sure to replace `{YOUR_CLIENT_ID}` and `{YOUR_MANAGEMENT_API_ACCESS_TOKEN}` placeholder values with your client ID and Management API Access Token, respectively. ```bash cURL theme={null} curl --request GET \ --url 'https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}?fields=is_first_party&include_fields=true' \ --header 'authorization: Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}' ``` ```csharp C# theme={null} var client = new RestClient("https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}?fields=is_first_party&include_fields=true"); var request = new RestRequest(Method.GET); request.AddHeader("authorization", "Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}"); IRestResponse response = client.Execute(request); ``` ```go Go theme={null} package main import ( "fmt" "net/http" "io/ioutil" ) func main() { url := "https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}?fields=is_first_party&include_fields=true" req, _ := http.NewRequest("GET", url, nil) req.Header.Add("authorization", "Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}") res, _ := http.DefaultClient.Do(req) defer res.Body.Close() body, _ := ioutil.ReadAll(res.Body) fmt.Println(res) fmt.Println(string(body)) } ``` ```java Java theme={null} HttpResponse response = Unirest.get("https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}?fields=is_first_party&include_fields=true") .header("authorization", "Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}") .asString(); ``` ```javascript Node.JS theme={null} var axios = require("axios").default; var options = { method: 'GET', url: 'https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}', params: {fields: 'is_first_party', include_fields: 'true'}, headers: {authorization: 'Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}'} }; axios.request(options).then(function (response) { console.log(response.data); }).catch(function (error) { console.error(error); }); ``` ```php PHP theme={null} $curl = curl_init(); curl_setopt_array($curl, [ CURLOPT_URL => "https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}?fields=is_first_party&include_fields=true", CURLOPT_RETURNTRANSFER => true, CURLOPT_ENCODING => "", CURLOPT_MAXREDIRS => 10, CURLOPT_TIMEOUT => 30, CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1, CURLOPT_CUSTOMREQUEST => "GET", CURLOPT_HTTPHEADER => [ "authorization: Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}" ], ]); $response = curl_exec($curl); $err = curl_error($curl); curl_close($curl); if ($err) { echo "cURL Error #:" . $err; } else { echo $response; } ``` ```python Python theme={null} import http.client conn = http.client.HTTPSConnection("") headers = { 'authorization': "Bearer {YOUR_MANAGEMENT_API_ACCES_TOKEN}" } conn.request("GET", "/{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}?fields=is_first_party&include_fields=true", headers=headers) res = conn.getresponse() data = res.read() print(data.decode("utf-8")) ``` ```ruby Ruby theme={null} require 'uri' require 'net/http' require 'openssl' url = URI("https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}?fields=is_first_party&include_fields=true") http = Net::HTTP.new(url.host, url.port) http.use_ssl = true http.verify_mode = OpenSSL::SSL::VERIFY_NONE request = Net::HTTP::Get.new(url) request["authorization"] = 'Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}' response = http.request(request) puts response.read_body ```
Value Description
YOUR\_CLIENT\_ID Τhe ID of the application to be updated.
YOUR\_MANAGEMENT\_API\_ACCESS\_TOKEN Access Tokens for the Management API with the scope read:clients.
If the application is first-party, the `is_first_party` field will have a value of `true`. If the application is third-party, the `is_first_party` field will have a value of `false`. ## Learn more * [First-Party and Third-Party Applications](/docs/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) * [Update Application Ownership](/docs/get-started/applications/confidential-and-public-applications/update-application-ownership) * [User Consent and Third-Party Applications](/docs/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications) * [Enable Third-Party Applications](/docs/get-started/applications/confidential-and-public-applications/enable-third-party-applications) # Check if Application is Confidential or Public Source: https://auth0.com/docs/get-started/applications/confidential-and-public-applications/view-application-type Describes how to check whether an application is registered with Auth0 as a confidential or public app using the Auth0 Management Dashboard. You can check whether an application is registered with Auth0 as a confidential or public application. To learn more, read [Confidential and Public Application](/docs/get-started/applications/confidential-and-public-applications). Auth0 determines if an application is confidential or public based on the **Authentication Method** setting, which defines how an application authenticates against the Auth0 Authentication API [Get Token](https://auth0.com/docs/api/authentication/authorization-code-flow/get-token) endpoint. 1. In the Auth0 Dashboard, go to [Applications > Applications](https://manage.auth0.com/#/applications), and then select the name of the application to view. 2. If the **Credentials** view is not available, the application is a public application. 3. If the **Credentials** view is available, then select it and locate the **Authentication Method** field. Configure Private Key JWT Authentication - Auth0 Dashboard instructions Use the applicable method: * **None**: Public application without a client secret. * **Client Secret Post**: Application using POST request body parameters to send a client secret. * **Client Secret Basic**: Application using the HTTP BASIC authentication scheme to send a client secret. * **Private Key JWT**: Application using asymmetric authentication. These values map to confidential and public applications as follows:
Application Type Example Token Endpoint Authentication Method
Public Single-page or native None
Confidential Regular web or machine-to-machine Basic, Post, Private Key JWT, Unspecified
Public applications cannot maintain the confidentiality of the credentials required for Token endpoint authentication methods like **Post** and **Basic**. # Configure Application Metadata Source: https://auth0.com/docs/get-started/applications/configure-application-metadata Learn how to configure, update, and delete application metadata (client_metadata and clientMetadata) in the Auth0 Dashboard Applications Advanced Settings. Application metadata is optional and consists of customizable keys and values (max 255 characters each), that you can set for each application. Metadata is exposed in the `Client` object as `client_metadata`, and in Rules as `context.clientMetadata`. You might store, for example, the URL for the application’s home page (a field that Auth0 doesn’t provide by default in the application settings). Client metadata is stored as part of the application (client) properties. To learn more about data types, field names, and storage limitations, read [Metadata Field Names and Data Types](/docs/manage-users/user-accounts/metadata/metadata-fields-data). Where to store the secret depends on the scope of the secret: * Is it just one secret per application? Then `client_metadata` would be a good place. * Is it the same secret for the whole system (i.e., for all applications or many)? Then the rule’s configuration values might be a better choice * Is it a different secret for each user? Then storing in `app_metadata` might be better. Claims in the ID token are not encrypted, so depending on the flow that you use, the user might be able to get the token and inspect the contents. Auth0 does **not** recommend storing a secret in that way. Existing applications will have no value for this property. You can access application metadata in [Actions](/docs/customize/actions): ```js lines theme={null} exports.onExecutePostLogin = async (event, api) => { if (event.client.metadata.SKIP_VERIFICATION === "yes"){ return; } // ... continue this Action } ``` ... or in [Rules](/docs/customize/rules): ```javascript lines theme={null} function applicationMetadataExample (user, context, callback){ context.clientMetadata = context.clientMetadata || {}; if (context.clientMetadata.SKIP_VERIFICATION === "yes"){ return callback(); } // ... continue this Rule } ``` You can read and add to the application metadata using either the Dashboard or the Management API. To learn how to manage client metadata with the Management API, read [Manage Metadata Using the Management API](/docs/manage-users/user-accounts/metadata/manage-metadata-api). ## Add application metadata key/value pairs 1. Go to [Dashboard > Applications > Applications](https://manage.auth0.com/#/applications) and select the application. 2. Scroll down and click **Advanced Settings**. 3. On the **Application Metadata** tab, enter the key's name and value, then click **Add**. Dashboard Applications Applications Settings Tab Advanced Settings Application Metadata Tab 4. Click **Save Changes**. ## Update application metadata value 1. Go to [Dashboard > Applications > Applications](https://manage.auth0.com/#/applications) and select the application. 2. Scroll down and click **Advanced Settings**. 3. On the **Application Metadata** tab, enter the key's name that you want to change and enter a new value, then click **Add**. 4. Click **Save Changes** ## Delete application metadata 1. Go to [Dashboard > Applications > Applications](https://manage.auth0.com/#/applications) and select the application. 2. Scroll down and click **Advanced Settings**. 3. On the **Application Metadata** tab locate the key/value pair you want to delete and click the trash can icon. 4. Confirm the deletion. 5. Click **Save Changes**. ## Learn more * [Metadata Field Names and Data Types](/docs/manage-users/user-accounts/metadata/metadata-fields-data) * [Manage Metadata Using the Management API](/docs/manage-users/user-accounts/metadata/manage-metadata-api) * [Manage Metadata with Rules](/docs/manage-users/user-accounts/metadata/manage-metadata-rules) * [Rotate Client Secrets](/docs/get-started/applications/rotate-client-secret) # Configure Applications with OIDC Discovery Source: https://auth0.com/docs/get-started/applications/configure-applications-with-oidc-discovery Describes how to use OpenID Connect (OIDC) discovery to configure applications with Auth0 using SDKs. [OpenID Connect (OIDC) Discovery](https://openid.net/specs/openid-connect-discovery-1_0-final.html#RFC5785) documents contain metadata about the identity provider (IdP). Adding discovery to your SDK to point your application to the `./wellknown` endpoint to consume information about your IdP could help configure your integration with the IdP. Integrating OIDC discovery into your SDK provides: * Exposed endpoints of the IdP * Standard [OIDC supported claims and scope](/docs/get-started/apis/scopes/openid-connect-scopes) (this excludes [custom claims](/docs/secure/tokens/json-web-tokens/create-custom-claims) and scopes defined in your tenant) * Features supported by the IdP You can configure applications with the [OpenID Connect (OIDC)](https://openid.net/specs/openid-connect-discovery-1_0.html) discovery documents found at: `https://{yourDomain}/.well-known/openid-configuration`. ### Sample response ### Sample implementation For example, this is how to configure OIDC middleware for Katana v3 (OWIN): 1. Install the nuget package: **Microsoft.Owin.Security.OpenIdConnect** (v3.x.x) 2. Go to `App_Start\Startup.Auth.cs` and replace your implementation with the following: ## RSA algorithm for JWTs The OIDC middleware does not support JWTs signed with symmetric keys. Make sure you configure your app to use the RSA algorithm using public/private keys. 1. Go to [Dashboard > Settings](https://manage.auth0.com/#/applications/\{YOUR_AUTH0_CLIENT_ID}/settings). 2. Scroll down to **Advanced Settings**. 3. Under the **OAuth** tab, set `RS256` as **Json Web Token(JWT) Signature Algorithm** and click **Save**. With this setting, Auth0 will issue JWTs signed with your private signing key. Your app will verify them with your public signing key. ## Configure applications with OAuth 2.0 Authorization Server Metadata If your application or SDK references the [OAuth RFC-8414](https://www.rfc-editor.org/rfc/rfc8414) Authorization Server Metadata specification, you can use the OAuth alias to fetch metadata about the IdP: `/.well-known/oauth-authorization-server`. For example, the [Auth0 Model Context Protocol Server](/docs/get-started/auth0-mcp-server) recommends all OAuth applications reference the OAuth Authorization Server Metadata specification. ## Learn more * [JSON Web Tokens](/docs/secure/tokens/json-web-tokens) * [Create Custom Claims](/docs/secure/tokens/json-web-tokens/create-custom-claims) # Configure Client-Initiated Backchannel Authentication Source: https://auth0.com/docs/get-started/applications/configure-client-initiated-backchannel-authentication Learn how to configure Client-Initiated Backchannel Authentication for your tenant. To use Client-Initiated Backchannel Authentication (CIBA) features, you must have an Enterprise Plan or an appropriate add-on. Refer to [Auth0 Pricing](https://auth0.com/pricing/) for details. The [Client-Initiated Backchannel Authentication (CIBA) flow](/docs/get-started/authentication-and-authorization-flow/client-initiated-backchannel-authentication-flow) is a decoupled authentication and authorization flow defined by the OpenID Foundation. You can use the CIBA flow in asynchronous workflows where the device initiating the CIBA request (the consumption device) is different from the device used by the user to authenticate (the authentication device). To configure CIBA in Auth0, you need to: * [Configure the CIBA grant type for your application](#configure-ciba-grant-type-for-your-application) * [Enable notification channel(s) for your application](#enable-notification-channels-for-your-application) * [Configure the notification channel for CIBA](#configure-notification-channel) ## Prerequisites Before configuring CIBA for your application, make sure you set an [authentication method](/docs/secure/application-credentials#application-authentication-methods) for your application. You can use any authenticatino method, including mTLS authentication, Private Key JWT, and Client Secret authentication, with the CIBA flow. To set the authentication method for your application, read [Credential Settings](/docs/get-started/applications/credentials). ## Configure CIBA grant type for your application You can configure the CIBA grant type for your application with the [Auth0 Dashboard](https://manage.auth0.com/) or [Management API](https://auth0.com/docs/api/management/v2). There are some restrictions on the types of clients that can use the CIBA grant type. You can only use the CIBA grant type if: * The client is a first-party client i.e. the `is_first_party` property is `true`. * The client is confidential with an authentication mechanism, i.e. the `token_endpoint_auth_method` property must not be set to `none`. * The client must be OIDC conformant i.e. the `oidc_conformant` must be `true`. This is the default for all new clients. Once you enable the CIBA grant type, the configuration settings for the [notification channels](#enable-notification-channels-for-your-application) available to your application will become visible. To configure CIBA for your application with the Auth0 Dashboard: 1. Navigate to **Applications > Applications** in the Auth0 Dashboard. 2. Create an application and then enable **Client Initiated Backchannel Authentication (CIBA)** under the **Grant Types** tab: 3. Click **Save Changes**. To configure CIBA for your application using the Management API, use the [Update a Client](https://auth0.com/docs/api/management/v2/clients/patch-clients-by-id) endpoint to add the `urn:openid:params:grant-type:ciba` grant type to the list of grant types on the client object: ```bash lines theme={null} curl --location --request PATCH 'https://{YOUR_DOMAIN}.auth0.com/api/v2/clients/{YOUR_CLIENT_ID}' \ --header 'Content-Type: application/json' \ --header 'Authorization: Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}' \ --data '{ "grant_types": [ "authorization_code", "refresh_token", "urn:openid:params:grant-type:ciba" ] }' ``` You can also use our Go Management API SDK library. To learn more, read [SDKs](/docs/libraries): ```go lines theme={null} myClient := &Client{ Name: auth0.Stringf("CIBA-enabled-client"), Description: auth0.String("This is a CIBA enabled client."), GrantTypes: &[]string{"urn:openid:params:grant-type:ciba"}, } err := api.Client.Create(context.Background(), myClient) ``` ## Enable notification channels for your application To use Client-Initiated Backchannel Authentication (CIBA) features, you must have an Enterprise Plan or an appropriate add-on. Refer to [Auth0 Pricing](https://auth0.com/pricing/) for details. Once you have enabled the CIBA grant type for your application, you can configure which notification channels are enabled for the CIBA flow. If you have enabled multiple notification channels, CIBA uses the value of the `requested_expiry` parameter to determine which notification channel to use. The `requested_expiry` determines the maximum duration for which the CIBA session should be valid in seconds: * [Mobile push notifications](#configure-mobile-push-notifications): If you set your `requested_expiry` to a value of 300 seconds or lower, CIBA uses the mobile push notification channel if enabled. * [Email notifications](#configure-email-notifications): If you set your `requested_expiry` to a value between 301 and 259200 seconds (72 hours), CIBA uses the email notification channel if enabled. To configure the notification channel for your application with the Auth0 Dashboard: * Navigate to **Applications > Applications**. * In your application settings, go to the **Client Initiated Backchannel Authentication (CIBA)** section and select the notification channel(s) to enable. Make a `PATCH` request to the `/api/v2/clients` endpoint for your client application and set the notification channels for the CIBA flow. The following code sample enables the `guardian-push` notification channel for the CIBA flow: ```bash lines theme={null} curl -L --request PATCH 'https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}' \ -H 'Content-Type: application/json' \ -H 'Accept: application/json' \ -H "Authorization: Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}" \ -d '{ "async_approval_notification_channels":["guardian-push"] }' ``` ## Configure notification channel Once you have enabled the notification channel(s) for your client application, configure the notification channel for the CIBA flow: * [Configure mobile push notifications](#configure-mobile-push-notifications) * [Configure email notifications](#configure-email-notifications) ### Configure mobile push notifications To send mobile push notifications with CIBA, you can use: * The Auth0 Guardian app * A custom app integrated with the Auth0 Guardian SDK You can select which app to use when [enabling Auth0 Guardian push notifications](/docs/get-started/applications/configure-client-initiated-backchannel-authentication#enable-auth0-guardian-push-notifications). If you want to use a custom app, you need to integrate it with the [Auth0 Guardian SDK](/docs/secure/multi-factor-authentication/auth0-guardian#guardian-sdks). This allows the authorizing user to approve push notification challenges initiated by the CIBA flow in your custom app. To configure mobile push notifications, make sure you: * [Enable Auth0 Guardian push notifications](#enable-auth0-guardian-push-notifications) * [Enroll the authorizing user in MFA using push notifications](#enroll-the-authorizing-user-in-mfa-using-push-notifications) #### Enable Auth0 Guardian push notifications Use the Auth0 Dashboard to enable the [Auth0 Guardian Push Notification](/docs/secure/multi-factor-authentication/auth0-guardian#enroll-in-push-notifications) factor for your tenant. In the Auth0 Dashboard: * Select **Security > Multi-factor Auth.** * Enable **Push Notification using Auth0 Guardian**. This may require some MFA configuration settings. To learn more, read [Configure Push Notifications for MFA](/docs/secure/multi-factor-authentication/multi-factor-authentication-factors/configure-push-notifications-for-mfa). * For **Push Notification App**, select your desired app. * Click **Save**. #### Enroll the authorizing user in MFA using push notifications If the user is not enrolled to use MFA push notifications, Auth0 falls back to using email notifications, if configured, instead of rejecting the CIBA request. For both the Auth0 Guardian app and a custom app, you must [enroll the authorizing user in MFA using push notifications](/docs/secure/multi-factor-authentication/auth0-guardian#enroll-in-push-notifications). To verify if the user is enrolled in the Auth0 Dashboard, navigate to **User Management > Users** and click on the user: If you have set Multi-factor Authentication as always required for your tenant, users are prompted to enroll for MFA at their next login. You can also use [Actions](https://auth0.com/blog/using-actions-to-customize-your-mfa-factors/) to prompt for MFA enrollment. ### Configure email notifications To use email notifications with CIBA, you need the Auth0 for AI Agents add-on with a paid plan. To learn more, read [Auth0 Pricing](https://auth0.com/pricing). You can send email notifications with the CIBA flow. To configure email notifications with CIBA, make sure you: * [Configure your email provider](#configure-your-email-provider) * [Configure your email template](#configure-your-email-template) to use the **Asynchronous Approval** template * [Ensure the authorizing user has a verified email address](#ensure-the-authorizing-user-has-a-verified-email-address) #### Configure your email provider While you can use Auth0’s built-in email provider to test email delivery in your development and test environments, you must set up your own email provider to use email notifications with CIBA in a production environment. To learn how to set up your own email provider, read [Customize emails](/docs/customize/email). #### Configure your email template To configure the **Asynchronous Approval** email template: 1. Navigate to **Branding > Email Templates**. 2. For **Template**, select **Asynchronous Approval** from the dropdown menu. 3. Fill in the rest of the template settings by following the [Configure template fields](/docs/customize/email/email-templates#configure-template-fields) instructions. Make a `PATCH` request to the `/email-templates/async_approval` endpoint and follow the [Configure template fields](/docs/customize/email/email-templates#configure-template-fields) instructions to fill in the rest of the template settings. To learn more, read the [Patch an email template API documentation](https://auth0.com/docs/api/management/v2/email-templates/patch-email-templates-by-template-name). ```bash lines theme={null} curl -L "https://{YOUR_DOMAIN}.auth0.com/api/v2/email-templates" \ -H 'Content-Type: application/json' \ -H 'Accept: application/json' \ -H "Authorization: Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}" \ -d '{"template":"async_approval","body":"{{application.name}} says click on {{url}}, binding message: {{binding_message}}","subject":"Action Required","syntax":"liquid","enabled":true,"from":""}' ``` #### Ensure the authorizing user has a verified email address If the user does not have a verified email address, Auth0 rejects the CIBA email request. To send an email notification with CIBA, the authorizing user must have a verified email address associated with their user account. To verify that the user has a verified email address using the Auth0 Dashboard: 1. Navigate to **User Management > Users** and click on the user. 2. Under **Email**, the user should have a verified email address listed. # Configure FAPI Compliance Source: https://auth0.com/docs/get-started/applications/configure-fapi-compliance Learn how to configure FAPI compliance for an Auth0 tenant. To use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to [Auth0 Pricing](https://auth0.com/pricing/) for details. To help customers configure their Auth0 tenant to adhere to one of the Financial-grade API (FAPI) profiles, the Application model includes a `compliance_level` property that can be set to one of three values: * `null` or undefined: No compliance level is required. This is the default. * `fapi1_adv_mtls_par`: The customer would like this client to behave in accordance with the FAPI1 Advanced profile using [mTLS](/docs/get-started/applications/configure-mtls) and [PAR](/docs/get-started/applications/configure-par). * `fapi1_adv_pkj_par`: The customer would like this client to behave in accordance with the FAPI1 Advanced profile using [Private Key JWT](/docs/get-started/applications/configure-private-key-jwt) and [PAR](/docs/get-started/applications/configure-par). * `fapi2_sp_pkj_mtls`: The customer would like this client to behave in accordance with the FAPI 2.0 Security Profile using [Private Key JWT](/docs/get-started/applications/configure-private-key-jwt) and [mTLS Token Sender-Constraining](/docs/secure/sender-constraining/mtls-sender-constraining). * `fapi2_sp_mtls_mtls`: The customer would like this client to behave in accordance with the FAPI 2.0 Security Profile using [mTLS Client Authentication](/docs/get-started/applications/configure-mtls) and [mTLS Token Sender-Constraining](/docs/secure/sender-constraining/mtls-sender-constraining). Complying with a FAPI profile requires a number of configuration changes. Setting the `compliance_level` ensures that no authorization request can succeed unless the request and the configuration is compliant with the selected standard. For example, both the `fapi1_adv_pkj_par` and `fapi1_adv_mtls_par` compliance levels require PAR. If either of these compliance levels are selected, PAR is required regardless of the value of the `require_pushed_authorization_requests` setting. Attempting an authorization without using PAR results in the following error response: ```json lines theme={null} { “error”: “invalid_request”, “error_description”: “Pushed Authorization Requests are required by the configured compliance level” } ``` In some cases, setting a compliance level also changes Auth0’s behavior. For example, both the `fapi1_adv_pkj_par` and `fapi1_adv_mtls_par` compliance levels cause Auth0 to include a `s_hash` claim in the returned ID token containing a SHA256 hash of the state value. This allows the ID tokens to act as a detached signature. The following tables summarize the additional validation rules and changes to Auth0’s behavior that each compliance level enables:
Validation fapi1\_adv\_pkj\_par fapi1\_adv\_mtls\_par fapi2\_sp\_pkj\_mtls fapi2\_sp\_mtls\_mtls
Prevents the use of access tokens in the URL query when calling /userinfo. Access tokens must be placed in the Authorization header instead. Y Y Y Y
Requires PAR. Y Y Y Y
Requires PKCE with the S256 challenge method. Y Y Y Y
Prevents the use of wildcards in the allowed callbacks on a client. Y Y N N
Enforces the use of JAR. Y Y N N
Ensures the JAR payload is signed using the PS256 algorithm. Y Y N N
Ensures the JAR payload contains the nbf claim and it is no longer than 60 minutes in the past. Y Y N N
Ensures the JAR payload contains the exp claim and that it is no more than 60 minutes after the nbf claim. Y Y N N
Ensures the client has set the oidc\_conformant property to true. Y Y Y Y
Requires the use of x-fapi-\* headers Y Y N N
Requires the use of Private Key JWT for client authentication. Y N Y N
Requires the use of mTLS for client authentication. N Y N Y
Allowed response types. code id\_token code id\_token code code
Requires aud claim to strictly match issuer in Private Key JWT assertion. N N/A Y N/A
Requires redirect\_uri parameter in Pushed Authorization Requests. N N Y Y
Auth0 updated behavior fapi1\_adv\_pkj\_par fapi1\_adv\_mtls\_par fapi2\_sp\_pkj\_mtls fapi2\_sp\_mtls\_mtls
Adds s\_hash claim to ID tokens. Y Y N N
When the profile scope is requested, the update\_at claim contains an OIDC Conformant unix timestamp rather than a string. Y Y Y Y
Returns only OIDC conformant error codes. In some cases, Auth0 may return additional error codes, but enabling this compliance level ensures that Auth0 only uses error codes defined in the OpenID standards. Y Y Y Y
Returns issuer as iss parameter in code responses. N N Y Y
Reduces maximum lifetime of authorization code to 60 seconds. N N Y Y
## Configure FAPI Compliance for a client To perform this using the Auth0 Dashboard: 1. Navigate to **Auth0 Dashboard > Applications**. 2. Select the application. 3. Select the **Application Settings** tab. 4. Open the **Advanced Settings** section. 5. In the **OAuth tab**, select the **FAPI Compliance Enforcement Level**. The options to configure FAPI compliance are: * **None**: No compliance level is required. This is the default. * **FAPI 1 Advanced profile using Private Key JWT and PAR**: The customer would like this client to behave in accordance with the FAPI1 Advanced profile using [Private Key JWT](/docs/get-started/applications/configure-private-key-jwt) and [PAR](/docs/get-started/applications/configure-par). * **FAPI 1 Advanced profile using mTLS and PAR**: The customer would like this client to behave in accordance with the FAPI1 Advanced profile using [mTLS](/docs/get-started/applications/configure-mtls) and [PAR](/docs/get-started/applications/configure-par). * **FAPI 2.0 Security Profile with Private Key JWT and certificate binding**: The customer would like this client to behave in accordance with the FAPI2.0 Security Profile using [Private Key JWT Client Authentication](/docs/get-started/applications/configure-private-key-jwt) and [mTLS Token Sender-Constraining](/docs/secure/sender-constraining/mtls-sender-constraining). * **FAPI 2.0 Security Profile with mTLS and certificate binding**: The customer would like this client to behave in accordance with the FAPI2.0 Security Profile using [mTLS Client Authentication](/docs/get-started/applications/configure-mtls) and [mTLS Token Sender-Constraining](/docs/secure/sender-constraining/mtls-sender-constraining). Use the [Management API](https://auth0.com/docs/api/management/v2) to set the `compliance_level` property with a `POST` or `PATCH` request: ```bash lines theme={null} curl --location --request PATCH 'https://{YOUR_DOMAIN}/api/v2/clients/$client_id' \ --header 'Authorization: Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}' \ --header 'Content-Type: application/json' \ --data '{ "compliance_level": "fapi1_adv_mtls_par" }' ``` To return the `compliance_level` property, use a `GET` request: ```bash lines theme={null} curl --location 'https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID} \ --header 'Authorization: Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}' ``` For FAPI 2.0 compliance, you can configure the expiry on pushed authorization requests to a value that is less than 600 seconds, with a default of 30 seconds. You can set the expiry value using the Management API. ## Learn more * [Configure Private Key JWT Authentication](/docs/get-started/applications/configure-private-key-jwt) * [Configure Pushed Authorization Requests (PAR)](/docs/get-started/applications/configure-par) * [Configure mTLS Authentication](/docs/get-started/applications/configure-mtls) # Configure Auth0 to pass OpenID FAPI Certification Tests Source: https://auth0.com/docs/get-started/applications/configure-fapi-compliance/configure-auth0-to-pass-openid-fapi-certification-tests Learn how to configure Auth0 to pass the OpenID FAPI Certification Tests. This section contains some advice on how to configure your client if you would like to test your solution using the [OpenID FAPI Conformance Tests](https://openid.net/certification/certification-fapi_op_testing/). To pass the OpenID FAPI Conformance Tests, first configure the following: * Set the `compliance_level` property to the desired profile, either `fapi1_adv_pkj_par`, `fapi1_adv_mtls_par`, `fapi2_sp_pkj_mtls`, or `fapi2_sp_mtls_mtls` * Either [Configure mTLS](/docs/get-started/applications/configure-mtls) (including [mTLS aliases](/docs/get-started/applications/configure-mtls/configure-mtls-for-a-tenant#enable-mtls-aliases)) or [Configure Private Key JWT](/docs/get-started/applications/configure-private-key-jwt) * [Configure mTLS Token Binding](/docs/get-started/applications/configure-mtls/configure-mtls-for-a-client#enable-token-binding) * Configure [Pushed Authorization Requests](/docs/get-started/applications/configure-par) * Ensure the `oidc_conformant` property is set to `true` for any clients used for the test. This is the default value for clients created with the Auth0 Dashboard. Then, follow the instructions below to complete your OpenID FAPI Conformance Tests configuration: * [Ensure Auth0 prompts users for consent](#ensure-auth0-prompts-users-for-consent) * [Configure supported ACR claims for the tenant](#configure-supported-acr-claims-for-the-tenant) * [Remove the alg property from JWKS endpoint](#remove-the-alg-property-from-jwks-endpoint) * [Add Action to require scope and redirect\_uri](#add-action-to-require-scope-and-redirect-uri) * [(FAPI2 profiles only) Ensure `iss` claim is returned in responses](#fapi2-profiles-only-ensure-iss-claim-is-returned-in-responses) ### Ensure Auth0 prompts users for consent You will need to ensure that Auth0 prompts users for consent. You may skip this step if the client is configured as a first-party app, and the Resource Server or API supports skipping consent for first-party apps. To ensure Auth0 requests users for consent, set the `is_first_party` property on the client to `false`: ```bash lines theme={null} curl --location --request PATCH 'https://{YOUR_DOMAIN}/api/v2/clients/YOUR_CLIENT_ID' \ --header 'Authorization: Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}' \ --header 'Content-Type: application/json' \ --data-raw '{ "is_first_party": false }' ``` Then, promote your connection to the domain level: ```bash lines theme={null} curl --location --request PATCH 'https://{YOUR_DOMAIN}/api/v2/connections/YOUR_CONNECTION_ID' \ --header 'Authorization: Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}' \ --header 'Content-Type: application/json' \ --data-raw '{ "is_domain_connection": true }' ``` #### Configure supported ACR claims for the tenant The FAPI tests pass a required ACR value of `urn:mace:incommon:iap:silver`. To include the required ACR value in the ID token, add `urn:mace:incommon:iap:silver` to the list of supported ACR values for the tenant: ```bash lines theme={null} curl --location --request PATCH 'https://{YOUR_DOMAIN}/api/v2/tenants/settings' \ --header 'Authorization: Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}' \ --header 'Content-Type: application/json' \ --data-raw '{ "acr_values_supported": ["urn:mace:incommon:iap:silver"] }' ``` #### Remove the alg property from JWKS endpoint To allow for keys to be used with multiple algorithms, not just RS256, remove the tenant's `alg` property from the output of the `/.well-known/jwks.json` endpoint: ```bash lines theme={null} curl --location --request PATCH 'https://{YOUR_DOMAIN}/api/v2/tenants/settings' \ --header 'Authorization: Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}' \ --header 'Content-Type: application/json' \ --data-raw '{ "flags": { "remove_alg_from_jwks": true } }' ``` #### Add Action to require scope and redirect\_uri By default, Auth0 allows requests without a scope, assuming the `openid` scope if no scope is present. Auth0 also allows requests without a `redirect_uri,` which you can set in [Actions](/docs/customize/actions/explore-triggers/signup-and-login-triggers/login-trigger/redirect-with-actions). However, the FAPI conformance tests require Auth0 to be more restrictive. Add the following Action to enforce the necessary restrictions on scope and `redirect_uri`: ```js lines theme={null} exports.onExecutePostLogin = async (event, api) => { if (!event.request.body || !event.request.body.refresh_token) { // Require a scope if (!event.request.query.scope) { api.access.deny('scope must be provided in the request'); } // To improve the error message if redirect_uri is not present if (!event.request.query.redirect_uri) { api.access.deny('redirect_uri must be provided in the request'); } } }; ``` #### (FAPI2 profiles only) Ensure `iss` claim is returned in responses The FAPI 2.0 Security Profile requires that the `iss` parameter is returned in authorization responses according to [RFC9207](https://www.rfc-editor.org/info/rfc9207). For compatibility reasons, Auth0 does not do this by default. To enable this behaviour, set the `authorization_response_iss_parameter_supported` property in tenant settings to `true`. ```bash lines theme={null} curl --location --request PATCH "https://{YOUR_DOMAIN}/api/v2/tenants/settings" \ --header "Authorization: Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}" \ --header "Content-Type: application/json" \ --data-raw '{ "authorization_response_iss_parameter_supported": true }' ``` ## Learn more * [Configure Private Key JWT Authentication](/docs/get-started/applications/configure-private-key-jwt) * [Configure mTLS Authentication](/docs/get-started/applications/configure-mtls) # Configure JWT-secured Authorization Requests (JAR) Source: https://auth0.com/docs/get-started/applications/configure-jar Learn how to configure JWT-secured Authorization Requests (JAR) for an application. To use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to [Auth0 Pricing](https://auth0.com/pricing/) for details. JWT-Secured Authorization Requests (JAR) allow OAuth2 authorization request parameters to be packaged into a single JWT request parameter which is then signed for integrity protection. ## Prerequisites Before configuring your application for using JAR, you must [generate an RSA key pair](/docs/secure/application-credentials/generate-rsa-key-pair). You should generate a separate key pair for each type of credential usage. For example, do not reuse the same key pairs for both JAR and Private Key JWT Authentication. ## Configure JAR for an application You can configure JAR for an application with the Auth0 Dashboard and the Management API. Use the Auth0 Dashboard to configure your application to use JAR with previously generated RSA keys. 1. Navigate to [Auth0 Dashboard > Applications](https://manage.auth0.com/#/applications). 2. Select the application you want to use with JAR. 3. Select the **Application Settings** tab. 4. In the **Authorization Requests** section, enable **Require JWT-Secured Authorization Requests**. 5. If no credential is assigned and there are credentials available, you will be prompted to assign an existing credential. Dashboard > Application > Settings > Assign Existing Credentials 6. You will also have the option to assign a new credential. Auth0 Dashboard > Applications > Settings > Assign New Credentials 7. Add and assign a new credential by uploading a previously generated RSA key pair. When prompted, enter the following: * **Name**: a name to identify the credential * **Public Key**: public key of the X.509 certificate in PEM format * **Algorithm**: select the JAR signature algorithm * **Expiration Date**: set the expiration date of the credential Use the [Management API](https://auth0.com/docs/api/management/v2) to configure JAR for your application using the `signed_request_object` client configuration property. This object property contains the following fields: * `required`: forces all authorization requests to the `/authorize` and `/oauth/par` to use JAR. To learn more, read [Authorization Code Flow with JWT-Secured Authorization Requests](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow/authorization-code-flow-with-jar). * `credentials`: an array of credential IDs used to verify signatures. The credentials parameter behaves similarly to the Private Key JWT parameter `client_authentication_methods.private_key_jwt.credentials` which supports credential creation when you create a new application. To learn more, read [Configure Private Key JWT](/docs/get-started/applications/configure-private-key-jwt). You can configure JAR for a new application or for an existing application via the Management API. #### Configure JAR for a new application When you create a new application, configure JAR by sending a POST request with the `signed_request_object`. In that POST request, you can also register the corresponding client credential (i.e. the key PEM): ```json lines theme={null} POST https://{yourTenant}.auth0.com/api/v2/clients Authorization: Bearer Content-Type: application/json { "name": "My App using JAR", "signed_request_object": { "required": true, "credentials": [{ "name": "My credential for JAR", "credential_type": "public_key", "pem": "[YOUR PEM FILE CONTENT]", "alg": "RS256" }] }, "jwt_configuration": { "alg": "RS256" } } ``` #### Configure JAR for an existing application When updating an existing application, you need to explicitly create a client credential first. The following POST request uses your PEM file content to create your client credentials for JAR: Make sure newlines are properly JSON-encoded with no additional formatting. Then, assign the client credential to the `signed_request_object` client configuration. The following PATCH request associates your client credentials with the `signed_request_object`: ## Learn more * [Authorization Code Flow with JWT-Secured Authorization Requests (JAR)](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow/authorization-code-flow-with-jar) # Configure mTLS Authentication Source: https://auth0.com/docs/get-started/applications/configure-mtls Learn how to configure mTLS authentication. To use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to [Auth0 Pricing](https://auth0.com/pricing/) for details. Use the [Auth0 Management API](https://auth0.com/docs/api/management/v2) or [Auth0 Dashboard](https://manage.auth0.com/) to configure mTLS authentication. To learn more about how mTLS authentication works at Auth0, read [Authenticate with mTLS](/docs/get-started/authentication-and-authorization-flow/authenticate-with-mtls).
Read... To learn...
Set up your customer edge How to set up your customer edge to validate your client certificate and forward requests to Auth0's edge network.
Configure mTLS for a client How to configure mTLS authentication for your Auth0 application.
Configure mTLS for a tenant How to configure mTLS authentication for your Auth0 tenant.
# Configure mTLS Authentication for a Client Source: https://auth0.com/docs/get-started/applications/configure-mtls/configure-mtls-for-a-client Describes how to configure mTLS authentication for a client. Learn how to configure mTLS authentication for a client with the [Management API](#configure-mtls-with-management-api) and [Auth0 Dashboard](#configure-mtls-with-auth0-dashboard). You can use the Auth0 Dashboard to configure mTLS for a client to enable mTLS client authentication to the Authorization Server. 1. Navigate to [Auth0 Dashboard > Applications > Applications](https://manage.auth0.com/#/applications). 2. Select the application you want to use with mTLS or [create a new application](/docs/get-started/auth0-overview/create-applications). 3. Select the **Credentials** tab. 4. Choose the required **Authentication Method**, which can be either: * mTLS with a [self-signed certificate](/docs/customize/custom-domains/self-managed-certificates) * mTLS with a certificate authority signed certificate 5. Once you select your preferred type of certificate, you can: * Assign an existing credential (certificate) to the client application * Add a new credential by uploading a certificate Use the [Auth0 Management API](https://auth0.com/docs/api/management/v2) to configure mTLS for a client. The following examples specify **\$management\_access\_token**, or a [Management API access token](/docs/secure/tokens/access-tokens/management-api-access-tokens). This must be replaced with an access token that contains at least the following scopes: * `create:custom_domains` * `read:custom_domains` * `create:clients` * `update:clients` * `update:client_credentials` * `update:client_keys` * `update:tenant_settings` To learn more about retrieving an access token with the required scopes, read [Get Access Tokens](/docs/secure/tokens/access-tokens/get-access-tokens). #### Self-signed certificates Use self-signed certificates to verify the client’s identity during mTLS authentication. However, self-signed certificates have the following limitations * Self-signed certificates are not accepted by some cloud providers such as Amazon. * To ensure the stability of our platform, Auth0 limits customers to two registered certificates. ##### Generate a certificate To authenticate using self-signed mTLS, you must create a new self-signed client certificate. The following code sample generates a new self-signed certificate: ```bash wrap lines theme={null} openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=CommonNameOrHostname" ``` If using curl or Wget, the PEM certificate must be JSON escaped before you pass it to Auth0. For example, replace a newline is with `\r\n`: ```bash wrap lines theme={null} -----BEGIN PRIVATE KEY-----\r\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDDXAVKQo2SUMHH\r\no9ecWYNiL5\/yva5NSj8uQjKoeRAsOIOAyOBTLxgwmno13xZ8VDkcT1cHTlC+2CkE\r\noBII4OUbHPVof+dtknkL+jUBdIPX1QvlGSUbzduZE4hEEQ8zH6w4EAA2VN72Bymn\r\nT8i\/+Tz9Dx6M1nkuXPCwM7sYEuq5OrqT5yVB6KByKKElp\/tauJkHp0st04iGDgl2\r\nFJUt3QJFCFewTDDdGq62otVJxHfouXPmHBQjzf+f1CZy+N0q2z+JGRt44YZq+F9y\r\ne3RWawvv2x3TXgRBLpvIKqf99LoPVdwozHl8QODu52dyelvLQ866XLhAALuMwic\/\r\nbQbolnMpAgMBAAECggEAf6LliekFmezNTmQLgIkzP7kh5XRsJu81bEGv20aNfHbH\r\n5CJZ\/b8tLMQgyIWiqURVs9taXtmaA7YyxmTWo5pb1WUMKWQ3je0+zMaCTxsS8Lau\r\n+NV+2zWaHd8XDnGe3qX43QAHQ3gb294+JqQH4vUyFZwFN7sAnXv3fQevW0Ewvics\r\nOua\/xNa7y5hbJUPZiQjRhO+n+gTEqpfsnPWNlm9hk\/wVnnjKvMfstN4zUbznRAoN\r\nW8TK82tiVWAXW4CjgIBtVRZjTA9x3UOtbhcvNzaTRxc+scCpIpAVuurS+ZIKZdpm\r\nNnhiOk3akpLU3KZrm8C5JQRn8cupY9WkfCiLXbMFAQKBgQD9JfVMv6zDeNvExneR\r\n7fZDIT2UAEhYExwRJwQPyxkVPwev9HBYuuaaknIbomWTkt\/B6Q3k3p6VI4lxhnVl\r\nbkpOYl5UquP3VoVROEJts224hKgVcLw6s+i+lZDOAleNgbN7rj82l4BIu+SEj\/7c\r\nz94hAa\/wRRvsW+QnxF1sZnpY+QKBgQDFj2h8I4noFJk3sbbk3qQdi5+49ibWSuhc\r\nXVpU+0dQ1lRlhXYT9cDMc22HRt8hjXUNRhdpXvOqVaFiBjv9wBsmFyaJO3tOK3uE\r\ndBgD4lF03bnbGI7\/I3DivW\/tyEMS5JXI\/qrpdWor+wR30c5M\/45y2AGpjwnoGf+D\r\nX8SAMzknsQKBgQCrSljuIrBK3+eNAWH821CL4d0h3QMWnW+bZ5QG\/70sNCcGd1bh\r\noy3Qn5EYg81JitNfCUw+dihF7\/LbX0jmZjdfTI5Zqfxw6xlweKnyQrvWY+S8BTlI\r\nW138P4Xo74rAlGeXI7NgRCkojgK1dB3W2cyK9vJOmOSpDRCXm\/Y\/GCRnOQKBgCE\/\r\n75\/lA1LSFK9w8401g32NgEZK92JdnRnehFOFLw2F5RJpEeRuGhLO4oJABVHKUwb2\r\n4v3TA0OJwe2Tiwk8CdWxU8UJA8m2O8WhHGGa94apwpwDWB3MwzUGGQ52BAPsAOGh\r\nKva70jCwwKHB5+zBniHqBO2aq1oq9fwQZCwHcvkhAoGBAIa8QMHNrX7AuCSAeR4\/\r\n\/7XrGU1a4oExz417AYgZOuGaYQAI5BMIjRZZ3JTzO\/QsmkzeS1tFuBlih8li\/t4l\r\nE2TdnKhy376A6QWfbTDkJN6gzFeaMKwe98mOHKeq0KZITGYVTSa2AYH5zaro0Yku\r\nonOH1NdyEKFFgxGLg7wveYUW\r\n-----END PRIVATE KEY----- ``` ##### Create a new client To create a new client, make a POST call to the [`/clients`](https://auth0.com/docs/api/management/v2/clients/post-clients) endpoint with the following payload: * `$client_name`**:** the name for the new client * `$credential_name`**:** the name for the public key * `$credential_certificate`: the content of `$certificate_pem`generated in the previous step ```bash lines theme={null} curl --location --request POST 'https://$tenant/api/v2/clients' \ --header 'Authorization: Bearer $management_access_token' \ --header 'Content-Type: application/json' \ --data-raw '{ "name": "$client_name", "app_type": "non_interactive", "client_authentication_methods": { "self_signed_tls_client_auth": { "credentials": [{ "name": "$credential_name", "credential_type": "x509_cert", "pem": "$credential_certificate" }] } }, "jwt_configuration": { "alg": "RS256" } }' ``` For more information, see the [Create a client](https://auth0.com/docs/api/management/v2/clients/post-clients) API documentation. ##### Patch an existing client You can update an existing client to accept mTLS client authentication by removing any value in the `token_endpoint_auth_method` field and creating values in the `client_authentication_methods` field. Once you have configured your client for mTLS, you won't be able to authenticate using the Client Secret unless you configure the `token_endpoint_auth_method` to stop using mTLS. To learn more, read [Revert a client to use a Client Secret](#revert-a-client-to-use-a-client-secret). ##### Create the credential resource After you generate a certificate, create the credential resource: ```bash lines theme={null} curl --location --request POST 'https://$tenant/api/v2/clients/$client_id/credentials' \ --header 'Authorization: Bearer $management_access_token' \ --header 'Content-Type: application/json' \ --data-raw '{ "name": "$credential_name", "credential_type": "x509_cert", "pem": "$credential_certificate" }' ``` Auth0 returns a credential ID in the response that you will need to associate the credential with the client. For more information, see the [Create a client credential](https://auth0.com/docs/api/management/v2/clients/post-credentials) API documentation. ##### Associate the credential with the client and disable `token_endpoint_auth_method` Uploaded credentials are not automatically enabled for client authentication. You need to update the client authentication to use the new self-signed client certificate. The following PATCH request sets the `token_endpoint_auth_method` to `null`, thus disabling Client Secret authentication. It also updates `client_authentication_methods` with the credential ID: ```bash lines theme={null} curl --location --request PATCH 'https://$tenant/api/v2/clients/$client_id' \ --header 'Authorization: Bearer $management_access_token' \ --header 'Content-Type: application/json' \ --data-raw '{ "token_endpoint_auth_method": null, "client_authentication_methods": { "self_signed_tls_client_auth": { "credentials": [{ "id": $credential.id }] } } }' ``` Once this request has completed, a Client Secret will no longer be accepted and clients must authenticate using mTLS. For more information, see the [Update a client](https://auth0.com/docs/api/management/v2/clients/patch-clients-by-id) API documentation. #### Certificate authority signed certificates Unlike self-signed certificates that are generated by the client and have no trust chain, certificate authority (CA) signed certificates are considered more trustworthy since they are issued by a trusted third party. CA-signed certificates are the only type of certificate accepted by some cloud providers such as Amazon. CA-signed certificates have embedded in their identity information the notion of a Distinguished Name (DN). While each individual certificate created by a given CA is unique, they can share a common DN. When using CA-signed certificates, Auth0 stores the DN and compares forwarded client certificates with registered DNs. ##### Generate a certificate The method of generating a CA-signed client certificate is highly dependent on the Public Key Infrastructure and outside of the scope of this document. We recommend generating at least a [2048-bit RSA key pair](/docs/secure/application-credentials/generate-rsa-key-pair). ##### Create a new client To create a client, make a POST call to the [`/clients`](https://auth0.com/docs/api/management/v2/clients/post-clients) endpoint with the following payload: * `$client_name`**:** the name for the new client * `$credential_name`**:** the name for the public key * `$credential_certificate`: the content of `$certificate_pem`generated by the CA ```bash lines theme={null} curl --location --request POST 'https://$tenant/api/v2/clients' \ --header 'Authorization: Bearer $management_access_token' \ --header 'Content-Type: application/json' \ --data-raw '{ "name": "$client_name", "app_type": "non_interactive", "client_authentication_methods": { "tls_client_auth": { "credentials": [{ "name": "$credential_name", "credential_type": "cert_subject_dn", "pem": "$credential_certificate" }] } }, "jwt_configuration": { "alg": "RS256" } }' ``` Instead of passing the full PEM file, you can also pass the subject DN. The subject DN must match the extracted Distinguished Name (DN) of the client certificates sent during the mTLS handshake. Subject DN extraction may differ between different ecosystems. The most reliable way to guarantee that the authorization server will match the subject DN is to upload the whole PEM file. The following POST request creates a new client with the subject DN: ```bash lines theme={null} curl --location --request POST 'https://$tenant/api/v2/clients' \ --header 'Authorization: Bearer $management_access_token' \ --header 'Content-Type: application/json' \ --data-raw '{ "name": "$client_name", "app_type": "non_interactive", "client_authentication_methods": { "tls_client_auth": { "credentials": [{ "name": "$credential_name", "credential_type": "cert_subject_dn", "subject_dn": "C=XX\nST=StateName\nL=CityName\nO=CompanyName\nOU=CompanySectionName\nCN=CommonNameOrHostname" }] } }, "jwt_configuration": { "alg": "RS256" } }' ``` For more information, see the [Create a client](https://auth0.com/docs/api/management/v2/clients/post-clients) API documentation. ##### Patch an existing client If you don’t want to create a new client to use mTLS, you can update an existing client to accept mTLS client authentication. This involves removing any value in the `token_endpoint_auth_method` field and creating values in the `client_authentication_methods` field. Once you have configured your client for mTLS, you won't be able to authenticate using the Client Secret unless you configure the `token_endpoint_auth_method` to stop using mTLS. To learn more, read [Revert a client to use a Client Secret](#revert-a-client-to-use-a-client-secret). ##### Create the credential resource Once you have [generated a key pair](/docs/secure/application-credentials/generate-rsa-key-pair) exclusively for mTLS, create the credential resource. Make the following POST request to the `/clients` endpoint: ```bash lines theme={null} curl --location --request POST 'https://$tenant/api/v2/clients/$client_id/credentials' \ --header 'Authorization: Bearer $management_access_token' \ --header 'Content-Type: application/json' \ --data-raw '{ "name": "$credential_name", "credential_type": "cert_subject_dn", "pem": "$credential_certificate" }' ``` Instead of passing the full PEM file, you can pass the subject DN. The subject DN must match the extracted Distinguished Name (DN) of the client certificates sent during the mTLS handshake. The following code sample creates the credential resource using the Subject DN: ```bash lines theme={null} curl --location --request POST 'https://$tenant/api/v2/clients/$client_id/credentials' \ --header 'Authorization: Bearer $management_access_token' \ --header 'Content-Type: application/json' \ --data-raw '{ "name": "$credential_name", "credential_type": "cert_subject_dn", "subject_dn": "C=XX\nST=StateName\nL=CityName\nO=CompanyName\nOU=CompanySectionName\nCN=CommonNameOrHostname" }' ``` When using either method, remember that the credential ID that gets returned in the response is needed to associate the credential with the client. For more information, see the [Create a client credential](https://auth0.com/docs/api/management/v2/clients/post-credentials) API documentation. ##### Associate the credential with the client and disable `token_endpoint_auth_method` Although we have created the credential, we have not yet associated the credential with the client. To do so, update  `client_authentication_methods` by making the following PATCH request to the `/clients` endpoint. In the same request, set `token_endpoint_auth_method` to `null`: ​​ ```bash lines theme={null} curl --location --request PATCH 'https://$tenant/api/v2/clients/$client_id' \   --header 'Authorization: Bearer $management_access_token' \   --header 'Content-Type: application/json' \   --data-raw '{   "token_endpoint_auth_method": null,   "client_authentication_methods": {     "tls_client_auth": {       "credentials": [{ "id": $credential.id }]     }   } }' ``` Once this request has completed, the client can only be authenticated using mTLS. For more information, see the [Update a client](https://auth0.com/docs/api/management/v2/clients/patch-clients-by-id) API documentation. #### Revert a client to use a Client Secret To restore your client’s configuration to authenticate using a Client Secret, disable `client_authentication_methods` and re-enable `token_endpoint_auth_method` with your desired authentication method. In the following PATCH request, set `token_endpoint_auth_method` to `client_secret_post` to re-enable Client Secret authentication: ```bash lines theme={null} curl --location --request PATCH 'https://$tenant/api/v2/clients/$client_id' \ --header 'Authorization: Bearer $management_access_token' \ --header 'Content-Type: application/json' \ --data-raw '{ "token_endpoint_auth_method": "client_secret_post", "client_authentication_methods": null }' ``` For more information, see the [Update a client](https://auth0.com/docs/api/management/v2/clients/patch-clients-by-id) API documentation. ## Learn more * [Authenticate with mTLS](/docs/get-started/authentication-and-authorization-flow/authenticate-with-mtls) * [Set up the Customer Edge](/docs/get-started/applications/configure-mtls/set-up-the-customer-edge) * [Configure mTLS Authentication for a Tenant](/docs/get-started/applications/configure-mtls/configure-mtls-for-a-tenant) # Configure mTLS Authentication for a Tenant Source: https://auth0.com/docs/get-started/applications/configure-mtls/configure-mtls-for-a-tenant Describes how to configure mTLS Authentication for a tenant. Learn how to configure mTLS authentication for a tenant. The following examples specify **\$management\_access\_token**, or a [Management API access token](/docs/secure/tokens/access-tokens/management-api-access-tokens). This must be replaced with an access token that contains at least the following scopes: * `create:custom_domains` * `read:custom_domains` * `create:clients` * `update:clients` * `update:client_credentials` * `update:client_keys` * `update:tenant_settings` To learn more about retrieving an access token with the required scopes, read [Get Access Tokens](/docs/secure/tokens/access-tokens/get-access-tokens). To begin, you must configure and verify a [custom domain](/docs/customize/custom-domains). ### Create a custom domain At the tenant level, you must configure a [custom domain](/docs/customize/custom-domains) to accept mTLS headers with the [Management API](https://auth0.com/docs/api/management/v2). Because the [customer edge](/docs/get-started/applications/configure-mtls/set-up-the-customer-edge) is responsible for validating the client certificates, set the `type` as `self_managed_certs` in the POST request: ```bash lines theme={null} curl --location --request POST 'https://$tenant/api/v2/custom-domains' \ --header 'Authorization: Bearer $management_access_token' \ --header 'Content-Type: application/json' \ --data-raw '{ "domain":"string", "type":"self_managed_certs", "verification_method":"txt", "tls_policy":"recommended", "custom_client_ip_header":"true-client-ip" }' ``` A successful request returns an identifier that is used to verify the custom domain. For more information, see the [Configure a new custom domain](https://auth0.com/docs/api/management/v2/custom-domains/post-custom-domains) API documentation. ### Patch an existing custom domain You can configure an existing custom domain to accept mTLS headers with the [Management API](https://auth0.com/docs/api/management/v2). However, you cannot update the `type` for an already existing custom domain. Only custom domains with the `self_managed_certs` type can be used for mTLS. Auth0 currently does not support the `auth0_managed_certs` type for mTLS. The following POST request configures an existing custom domain to accept mTLS headers: ```bash lines theme={null} curl --location --request POST 'https://$tenant/api/v2/custom-domains/:id' \ --header 'Authorization: Bearer $management_access_token' \ --header 'Content-Type: application/json' \ --data-raw '{ "tls_policy":"recommended", "custom_client_ip_header":"true-client-ip" }' ``` For more information, see the [Update custom domain configuration](https://auth0.com/docs/api/management/v2/custom-domains/patch-custom-domains-by-id) API documentation. ### Verify the custom domain Before Auth0 accepts requests to create and update the custom domain, it must first verify the domain. Use the [Management API](https://auth0.com/docs/api/management/v2) to send the following POST request to verify the custom domain: ```bash wrap lines theme={null} curl --location --request POST 'https://$tenant/api/v2/custom-domains/:id/verify' ``` Check the `status` field to see its verification status. Once verification is complete, it may take up to 10 minutes before the custom domain can start accepting requests. When Auth0 verifies the custom domain for the first time, the response includes the `cname_api_key`, which you need to configure your edge/reverse proxy. This key must be kept secret and is used to validate the forwarded requests. For more information, see the [Verify a custom domain](https://auth0.com/docs/api/management/v2/custom-domains/patch-custom-domains-by-id) API documentation. ### Enable mTLS endpoint aliases When the mTLS handshake requests a client certificate from the client, the web browser presents users with a modal dialog to select a certificate. This introduces friction in the user experience and should be avoided for endpoints where mTLS is unnecessary such as the `/authorize` endpoint. As a result, customers that support mTLS and non-mTLS traffic on different domains should enable mTLS endpoint aliases. mTLS endpoint aliases indicate that clients should send mTLS traffic to the endpoints specified in the `mtls_endpoint_aliases` property of the OIDC discovery document. Clients will send non-mTLS traffic to the normal endpoints. For more information about the `mtls_endpoint_aliases` property, see [Call the resource server](/docs/get-started/authentication-and-authorization-flow/authenticate-with-mtls#call-the-resource-server). You can enable mTLS endpoint aliases with the Auth0 Dashboard and the Management API. To enable mTLS endpoint aliases using the Auth0 Dashboard: 1. Navigate to [Auth0 Dashboard](https://manage.auth0.com/#/tenant/general) and select **Settings** from the side menu. 2. Under Tenant Settings, select the **Advanced** tab. 3. Find **Allow mTLS Endpoint Aliases** and toggle it on. This will route mTLS traffic to an endpoint called `mtls.`**.** To enable mTLS endpoint aliases using the [Management API](https://auth0.com/docs/api/management/v2), set the `enable_endpoint_aliases` property to `true` for your tenant: ```bash lines theme={null} curl --location --request PATCH 'https://$tenant/api/v2/tenants/settings' \ --header 'Authorization: Bearer $management_access_token' \ --header 'Content-Type: application/json' \ --data-raw '{ "mtls": { "enable_endpoint_aliases": true } }' ``` mTLS endpoint aliases add the `mtls.` prefix to the configured custom domain. For example, if the configured custom domain is `auth.saasapp.com`, the mTLS endpoint aliases will use the domain `mtls.auth.saasapp.com`. Depending on feedback, customers may be able to configure the mTLS endpoint aliases in the future. The mTLS subdomain is outside of Auth0’s control. Administrators must be aware of the risks of subdomains and act accordingly. This includes, but is not limited to: * Ensuring the ownership and ability to administer the top-level domain and subdomains used with mTLS. Failure to do so could result in the loss of both the login handler and the mTLS subdomain. This is especially important when using [custom domains](/docs/customize/custom-domains). * Ensuring that you have a SSL certificate for the mTLS subdomain i.e. `mtls.auth.saasapp.com`. A wildcard certificate for `*.saasapp.com` does not include the mTLS subdomain. Preventing subdomain takeovers due to dangling DNS entries if an IP is no longer in use. For more information, see the Mozilla Developer Network (MDN) [Subdomain takeovers](https://developer.mozilla.org/en-US/docs/Web/Security/Subdomain_takeovers) documentation. To disable mTLS endpoint aliases, set the `enable_endpoint_aliases` value to `false`. For more information, see the [Update tenant settings](https://auth0.com/docs/api/management/v2/tenants/patch-settings) API documentation. ## Learn more * [Authenticate with mTLS](/docs/get-started/authentication-and-authorization-flow/authenticate-with-mtls) * [Set up the Customer Edge](/docs/get-started/applications/configure-mtls/set-up-the-customer-edge) * [Configure mTLS Authentication for a Client](/docs/get-started/applications/configure-mtls/configure-mtls-for-a-client) # Set up the Customer Edge Source: https://auth0.com/docs/get-started/applications/configure-mtls/set-up-the-customer-edge Learn how to set up your customer edge for mTLS authentication. This section explains how to set up the customer edge network. The specifics of configuring different edge networks are out of the scope of this document. For more information, see the [custom domains](/docs/customize/custom-domains) documentation. The customer’s edge domain must match the registered custom domain. If mTLS endpoint aliases are enabled, the customer edge must also accept requests on the subdomain used by the mTLS aliases. All requests that arrive at the mTLS subdomain should request a client TLS certificate and verify that the certificate is registered for use. For more information, see [Verify the client certificate](#verify-the-client-certificate). The mTLS handshake occurs before the edge infrastructure can determine the requested path. Once the TLS session is established, the customer may wish to inspect the path and only forward requests for the following endpoints: * `/oauth/token` * `/oauth/par` * `/userinfo` If your installation aims for FAPI compliance, additional requirements related to TLS are placed on your edge network. For more information, see the [FAPI1 Baseline](https://openid.net/specs/openid-financial-api-part-1-1_0.html#tls-and-dnssec-considerations), [FAPI1 Advanced](https://openid.net/specs/openid-financial-api-part-2-1_0.html#tls-considerations), and [FAPI2 Baseline](https://openid.net/specs/fapi-2_0-baseline.html#name-network-layer-protections) specifications. ## Verify the client certificate The customer edge network performs validations that depend on the expected type of the client certificate. To avoid common security problems and pitfalls, use a well-vetted certificate validation library when possible. When the client certificate fails validation, the expected behavior is dependent on the installation and outside of the scope of this document. ### CA-signed certificates When a certificate is signed by a certificate authority, the trust chain of the certificate must be verified, including the root certificate. The certificate may also be compared against an allow or deny list to ensure the certificate is registered and has not been revoked. We recommend you do **not** use a public certificate authority to sign your client certificates as it may increase the risk of your client applications being impersonated. ### Self-signed certificates Self-signed certificates are not backed by a chain of trust so a certificate chain cannot be checked. Instead, the certificate thumbprint could be checked against a registered certificate database or forwarded directly to Auth0 to perform this check. ## Forward the request Once the certificate is verified, requests are forwarded along with several special headers from the customer to the same endpoint on the custom domain’s forwarding target at [Auth0's edge network](/docs/customize/custom-domains/self-managed-certificates). The forwarded request must include the following headers: * The Custom Domain API key as the `cname-api-key` header. * The client certificate as the `client-certificate` header. **Note**: Since HTTP headers must be text, the certificate must be converted to a URL component encoded PEM. The header value is limited to 4096 bytes. Therefore, only the first certificate in the chain should be forwarded to Auth0. * The client certificate CA verification status as the `client-certificate-ca-verified` header. The `client-certificate-ca-verified` header can have the following values: * **SUCCESS**: indicates that the client certificate is valid and has been verified by a certificate authority. * **FAILED:** indicates that the presented client certificate is valid, however the certificate's trust chain has NOT been verified by a certificate authority. In other words, it’s a self-signed certificate. May include an optional failure reason. If your configuration supports only CA-signed certificates, you don't need to forward self-signed certificates to the Auth0 edge network, and you can terminate the request earlier. However, if your clients are configured to authenticate using self-signed certificates, Auth0 expects your network edge to send a `client-certificate-ca-verified:FAILED` header. Depending on this header value, Auth0 knows which client authentication method has been used and which client credentials need to be verified against. ## Learn more * [Authenticate with mTLS](/docs/get-started/authentication-and-authorization-flow/authenticate-with-mtls) * [Configure mTLS Authentication for a Tenant](/docs/get-started/applications/configure-mtls/configure-mtls-for-a-tenant) * [Configure mTLS Authentication for a Client](/docs/get-started/applications/configure-mtls/configure-mtls-for-a-client) # Configure Pushed Authorization Requests (PAR) Source: https://auth0.com/docs/get-started/applications/configure-par Learn how to configure Pushed Authorization Requests (PAR) for your application. To use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to [Auth0 Pricing](https://auth0.com/pricing/) for details. The Auth0 Push Authorization Request (PAR) implementation is based on the [OAuth RFC9126: Push Authorization Request](https://www.rfc-editor.org/rfc/rfc9126.html) specification. For more information, see [Authorization Code Flow with Pushed Authorization Requests](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow/authorization-code-flow-with-par). By default, PAR is not enabled by your tenant. You can enable it in the Auth0 Dashboard under your tenant settings. To learn more, read [Enable PAR for a tenant](#enable-par-for-a-tenant). After enabling PAR for your tenant, you can send authorization requests to both the `/oauth/par` and the `/authorize` endpoints. However, to fully secure your authorization flow, set PAR as required for an application via the [Management API](https://auth0.com/docs/api/management/v2) or **Application Settings** on the Auth0 Dashboard. ## Enable PAR for a tenant To enable PAR for a tenant, use the [Auth0 Dashboard](https://manage.auth0.com/). 1. Navigate to Auth0 Dashboard > Settings > Advanced. 2. Scroll down to **Settings** and toggle on **Allow Pushed Authorization Requests (PAR)**. ## Require PAR for an application Your tenant must have **Allow Pushed Authorization Requests (PAR)** enabled at the tenant-level before enabling PAR at the application-level. 1. Navigate to Auth0 Dashboard > Applications. 2. Select the application. 3. Select the **Application Settings** tab. 4. In the **Authorization Requests** section, enable the toggle **Require Pushed Authorization Requests (PAR)**. Your tenant must have **Allow Pushed Authorization Requests (PAR)** enabled at the tenant-level before enabling PAR at the application-level. Use the following code sample to configure PAR for your application using the Management API: ```bash lines theme={null} curl -X PATCH --location 'https://TENANT.auth0.com/api/v2/clients/CLIENT_ID' \   --header 'Authorization: Bearer MANAGEMENT_ACCESS_TOKEN' \   --header 'Content-Type: application/json' \   --data-raw '{    "require_pushed_authorization_requests": true }' ``` ## Learn more * [Authorization Code Flow with Pushed Authorization Requests (PAR)](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow/authorization-code-flow-with-par) # Configure Private Key JWT Authentication Source: https://auth0.com/docs/get-started/applications/configure-private-key-jwt Describes how to configure new and existing applications to use Private Key JWT Authentication. Private Key JWT is available for customers on the Enterprise plan. To upgrade, contact [Auth0 pricing](https://auth0.com/pricing/). Private Key JWT Authentication supports [OIDC Connect Core Client Authentication 1.0](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication) client authentication using JWT assertions signed with asymmetric key pairs. You can create a new application to use `private_key_jwt` or enable existing applications to use private key pairs for authentication. ## Prerequisites Before configuring an application that authenticates using Private Key JWT, you must [generate an RSA key pair](/docs/secure/application-credentials/generate-rsa-key-pair). ## Configure Private Key JWT You can use the Auth0 Dashboard to create a new application and configure the credentials or update an existing application. We recommend you securely store the current `client_secret` parameter before you set your application credential method to Private Key JWT. The `client_secret` parameter will be hidden once the Private Key JWT configuration is complete. #### Configure a new application for `private_key_jwt` 1. Navigate to [**Auth0 Dashboard > Applications > Application**](https://manage.auth0.com/#/applications). 2. Select **Create Application**. 3. Choose your application type. 4. Under the application settings, select the **Credentials** tab. 5. Under **Authentication Methods**, select **Private Key JWT**. Configure Private Key JWT Authentication - Auth0 Dashboard instructions 6. Configure credential details: 1. Enter a name for the credential. 2. Upload your PEM format or X.509 certificate. 3. Select the algorithm to sign the assertions. 4. Optional: Enable custom expiration. Select **Set an explicit expiry date for this Credential** and set a future date. You may receive an invalid certificate error if you are submitting an malformed key material, to avoid any issues it’s best to upload the file directly created by openssl. 7. Select **Add Credential**. #### Configure an existing application 1. Navigate to [Auth0 Dashboard > Applications](http://manage.auth0.com/#/applications). 2. Select the application you want to update. 3. Select the **Credentials** tab. 4. Choose **Private Key JWT**. 5. Configure credential details: 1. Enter a name for the credential. 2. Upload your PEM format or X.509 certificate. 3. Select the algorithm to sign the assertions. 4. Optional: Enable custom expiration. Select **Set an explicit expiry date for this Credential** and set a future date. 6. Select **Add Credential**. #### Configure an application to use Client Secret authentication 1. Navigate to [Auth0 Dashboard > Applications > Applications](https://manage.auth0.com/dashboard/#/applications/) and select the application you want to update. 2. Select the **Credentials** tab. 3. Choose **Client Secret (Post)** or **Client Secret (Basic)**. 4. Select **Save**. #### Update credential expiration You can update an existing credential with an expiration date with Auth0 Dashboard. 1. Navigate to [Auth0 Dashboard > Applications > Applications](https://manage.auth0.com/dashboard/#/applications/) and select the application you want to update. 2. Select the **Credentials** tab. 3. Choose the credential you want to update and select **Edit Credential**. Dashboard - Applications - Application Settings - Credentials - update expiry date 4. Select **Set an explicit expiry date for this Credential** and set a future date. 5. Select **Update Credential**. #### Configure a new application for `private_key_jwt` You can create a new application with `private_key_jwt` as the authentication method using the Management API. Make a `POST` call to the [`Create a Client`](https://auth0.com/docs/api/management/v2#!/Clients/get_clients) endpoint with the following payload: ```bash lines theme={null} curl --location --request POST 'https://{domain}/api/v2/clients' \ --header 'Authorization: Bearer {managementApiAccessToken} \ --header 'Content-Type: application/json' \ --data-raw '{ "name": "{clientName}", "app_type": "non_interactive", "client_authentication_methods": { "private_key_jwt": { "credentials": [ { "name": "{credentialName}", "credential_type": "public_key", "pem": "{credentialublicKey}", "alg": "{algorithm}", "expires_at": "{expiresAt}" } ] }, "jwt_configuration": { "alg": "RS256" } } }' ```
Parameter Description
algorithm Algorithm used to sign assertions. Supported values are RS256, RS384 and PS256. If not specified, the algorithm will default to RS256.
clientName Name for your new client.
credentialName Name for the public key.
expires\_at Optional. Expiration date of the credential in ISO 8601 format. For example, 2020-08-20T19:10:06.299Z. Once the expiration date passes, the credential is no longer valid.
managementApiAccessToken Access token for the Management API with the scope create:credentials.
pem Public key, or x.509 certificate, encoded in PEM format.
parse\_expiry\_from\_cert Optional. A boolean that indicates that Auth0 should parse the expiry when provided a certificate. If a certificate is not provided, Auth0 will return an error. parse\_expiry\_from\_cert and expires\_at are also mutually exclusive. In this case, Auth0 will return an error.
The public key PEM should be JSON escaped before being passed to Auth0, in our example, this is the content we need to pass: `-----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA53VzmIVVZZWyNm266l82 mnoDc9g/snXklax5kChEhqK/WnTUvuXP4Gd4THj8rchxgUGKXd4PF3SUcKyn/qPm Tet0idVHk2PwP//FOVgYo5Lb04js0pgZkbyB/WjuMp1w+yMuSn0NYAP7Q9U7DfTb jmox8OQt4tCB4m7UrJghGqT8jkPyZO/Ka6/XsyjTYPOUL3t3PD7JShVAgo1mAY6g Sr4SORywIiuHsg+59ad7MXGy78LirhtqAcDECKF7VZpxMuEjMLg3o2yzNUeWI2Mg IF+t0HbO1E387fvLcuSyai1yWbSr1PXyiB2aXyDpbD4u7d3ux4ahU2opH11lBqvx +wIDAQAB -----END PUBLIC KEY-----` The response contains the `client_id` property which will link your application to the resource server. The response also contains a generated `kid` for the credential you created. This will be used later to generate the `client_assertion`. Auth0 follows the [JSON Web Key Thumbprint](https://datatracker.ietf.org/doc/html/rfc7638) standard to generate the kid of your credentials. The kid consists of a base64URL encoded SHA256 digest of of the JWK representation of your public key. #### Configure an existing application You can also configure an existing application to use Private Key JWT Authentication with the Auth0 Management API. You will need to remove any values in the `token_endpoint_auth_method` field and create values in the `client_authentication_methods` field. If you update an existing production application to authenticate with `private_key_jwt`, we recommend you securely store your current `client_secret` value for future reference. After you configure private\_key\_jwt, you won't be able to access the client\_secret value unless you restore your application's configuration to use a Client Secret. ##### Create the credential resource Once you have generated a key pair, create the credential resource. Make the following POST request to the Management API’s [`/clients`](https://auth0.com/docs/api/management/v2#!/Clients/post_clients) endpoint. ```bash lines theme={null} curl --location --request POST 'https://{domain}/api/v2/clients/{clientId}/credentials' \ --header 'Authorization: Bearer {managementApiAccessToken} \ --header 'Content-Type: application/json' \ --data-raw '{ "name": "{credentialName}", "credential_type": "public_key", "pem": "{credentialPublicKey}", "alg": "{algorithm}", "expires_at ": "{expiresAt}", }' ```
Parameter Description
algorithm Algorithm used to sign assertions. Supported values are RS256, RS384 and PS256. If not specified, the algorithm default is RS256.
clientId ID of the application to be updated.
credentialName Name of the public key.
managementApiAccessToken Access token for the Management API with the scope create:credentials.
pem Public key, or x.509 certificate, encoded in PEM format.
expires\_at Optional. Expiration date of the credential in ISO 8601 format. For example, 2020-08-20T19:10:06.299Z. Once the expiration date passes, the credential is no longer valid.
parse\_expiry\_from\_cert Optional. A boolean that indicates that Auth0 should parse the expiry when provided a certificate. If a certificate is not provided, Auth0 will return an error. parse\_expiry\_from\_cert and expires\_at are mutually exclusive. In this case, Auth0 will return an error.
The PEM public key should be JSON-escaped before being passed to Auth0. In this example, the content we need to pass is: ```pem lines theme={null} ----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA53VzmIVVZZWyNm266l82 mnoDc9g/snXklax5kChEhqK/WnTUvuXP4Gd4THj8rchxgUGKXd4PF3SUcKyn/qPm Tet0idVHk2PwP//FOVgYo5Lb04js0pgZkbyB/WjuMp1w+yMuSn0NYAP7Q9U7DfTb jmox8OQt4tCB4m7UrJghGqT8jkPyZO/Ka6/XsyjTYPOUL3t3PD7JShVAgo1mAY6g Sr4SORywIiuHsg+59ad7MXGy78LirhtqAcDECKF7VZpxMuEjMLg3o2yzNUeWI2Mg IF+t0HbO1E387fvLcuSyai1yWbSr1PXyiB2aXyDpbD4u7d3ux4ahU2opH11lBqvx +wIDAQAB -----END PUBLIC KEY----- ``` A credential ID returns in the response. Use the ID for the next step. ##### Associate the credential After you create the credential, associate it with your application. Your application uses these credentials during authentication with `private_key_jwt`. Make a PATCH request to the Management API [`Update a Client`](https://auth0.com/docs/api/management/v2#!/Clients/patch_clients_by_id) endpoint: ```bash lines theme={null} curl --location --request PATCH 'https://{domain}/api/v2/clients/{clientId} \ --header 'Authorization: Bearer {managementApiAccessToken} \ --header 'Content-Type: application/json' \ --data-raw '{ "token_endpoint_auth_method": null, "client_authentication_methods": { "private_key_jwt": { "credentials": [{ "id": {credentialId} }] } } }​​'​​ ```
Parameter Description
clientId ID of the application to be updated.
managementApiAccessToken Access token for the Management API with the scope update:client and update:credentials.
credentialId ID of the credential you created.
pem The public key in PEM format.
Auth0 does not support use of HS256 as the applications’s JWT signing algorithm. You must have the `jwt_configuration.alg` field set to the RS256 algorithm. To learn how to change the signing algorithm, read [Change Application Signing Algorithms](/docs/get-started/applications/change-application-signing-algorithms). #### Configure an application to use Client Secret authentication To restore your application’s configuration to use a Client Secret, you must disable `client_authentication_methods` and re-enable `token_endpoint_auth_method` with the authentication method. Once you have configured your authentication method as `client_secret`, your applications will no longer be able to authenticate using `private_key_jwt` until you have updated them to authenticate using `client_secret`. **Example** ```bash lines theme={null} curl --location --request PATCH 'https://{domain}/api/v2/clients/{clientId} \ --header 'Authorization: Bearer {managementApiAccessToken} \ --header 'Content-Type: application/json' \ --data-raw '{ "token_endpoint_auth_method": "{tokenEndpointAuthMethod}", "client_authentication_methods": null }​​'​​ ```
Parameter Description
clientId ID of the updated application.
managementApiAccessToken Access token for the Management API with the scopes update:client and update:credentials.
tokenEndpointAuthMethod Final authentication method. For example: client\_secret\_basic or client\_secret\_post.
#### Patch credentials with an expiration field You can update an existing credential with an expiration date with the Management API [Update a credential](https://auth0.com/docs/api/management/v2#!/Clients/patch_credentials_by_credential_id) endpoint. ```bash lines theme={null} curl --location --request PATCH 'https://{domain}/api/v2/clients/{clientId}/credentials/{credentialId} ' \ --header 'Authorization: Bearer {managementApiAccessToken} \ --header 'Content-Type: application/json' \ --data-raw '{ "expires_at": {expiresAt} }' ```
Parameter Description
managementApiAccessToken Access tokens for the Management API with the scopes update:credentials.
clientId The client you want to update.
expires\_at The expiration date of the credential in ISO 8601 format. For example, 2020-08-20T19:10:06.299Z.
The only field you can update is the `expires_at` field. The rest of the attributes are immutable and require you to rotate the credential to change. ## Credential limits Auth0 enforces a minimum RSA key size of 2048 bits and a maximum key size of 4096 bits. Applications can have a maximum of two credentials configured. ## Rotate credentials To prevent leaked keys, Auth0 recommends you periodically rotate the key pair. To learn how, read [Rotate Credentials](/docs/get-started/applications/rotate-credentials). ## Learn more * [Application Credentials](/docs/secure/application-credentials) * [Credential Settings](/docs/get-started/applications/credentials) * [Authenticate with Private Key JWT](/docs/get-started/authentication-and-authorization-flow/authenticate-with-private-key-jwt) # Configure WS-Fed Applications Source: https://auth0.com/docs/get-started/applications/configure-ws-fed-applications Describes how to configure a WS-Fed application to use Auth0 as an identity provider. You can configure a WS-Fed application (service provider) to use Auth0 as an identity provider. Some commonly used WS-Fed applications are pre-configured in Auth0 and available via [Single Sign-On Integrations](/docs/customize/integrations/sso-integrations). If a WS-Fed application is not listed in Single Sign-On Integrations, the WS-Fed application configuration can be accessed using the following steps. 1. Go to **Dashboard >** **Applications > Applications**. 2. Click **Create App**. 3. Enter a name, and click **Save**. 4. Go to the **Addons** tab. Enabling both SAML and WS-Fed addons for a single client is not supported and may lead to inconsistent behavior. Use a separate client for each addon. 5. Scroll to **WS-Fed Web App**, and enter the **Application Callback URL**. This is your callback URL in the WS-Fed application to which the WS-Fed response will be posted. It may also be called the **ACS** or **Assertion Consumer Service URL** in some applications. 6. Enter the **Realm**. This is an identifier sent by the WS-Fed application and is used to identify the application in the response. ## Configure claims included in the WS-Fed token response Unlike the SAML Web App addon, the WS-Fed Web App addon does not include configuration settings that allow you to configure the token generated by Auth0. If you need to change the default settings, you can create a rule similar to: ```javascript lines expandable theme={null} function (user, context, callback) { // only apply changes for the WS-Fed application if (context.clientName !== 'Your ws-fed application name') { return callback(null, user, context); } // exclude the upn claim creation (defaults to true) context.samlConfiguration.createUpnClaim = false; // exclude the identities array (defaults to true) context.samlConfiguration.mapIdentities = false; // exclude claims that were not explicitly mapped (defaults to true) context.samlConfiguration.passthroughClaimsWithNoMapping = false; // this is the default mapping. Remove or change as you like. // Note that the key (left side) is the attribute name (namespace-qualified) // and the value (right side) is the property name from the user object. // you can also use transient values from the user object. For example, for: // user.calculated_field = ; // then add this mapping: // 'some_claim': 'calculated_field', context.samlConfiguration.mappings = { 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier': 'user_id', 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': 'email', 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'name', 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname': 'given_name', 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname': 'family_name', 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn': 'upn', 'http://schemas.xmlsoap.org/claims/Group': 'groups' }; callback(null, user, context); } ``` ## Custom domains To use your WS-Fed apps with a custom domain and with Auth0 as the IdP, update your service provider with new identity provider metadata from Auth0. You can obtain the metadata from: `https:///wsfed/FederationMetadata/2007-06/FederationMetadata.xml`. ## Encrypted responses If you require encrypted responses, you should use SAML to connect to ADFS. To learn more, read [Configure ADFS as SAML Identity Provider](/docs/authenticate/protocols/saml/saml-sso-integrations/configure-auth0-saml-service-provider/configure-adfs-saml-connections) and [Sign and Encrypt SAML Requests](/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests). ## Learn more * [Custom Domains](/docs/customize/custom-domains) * [Auth0 Integrations](/docs/customize/integrations) # Credential Settings Source: https://auth0.com/docs/get-started/applications/credentials Describes the settings related to credentials tab available in the Auth0 Dashboard. On the [Applications](http://manage.auth0.com/#/applications) page of the Dashboard, locate your application in the list, and click its name to view the available settings. Switch to the **Credentials** tab. The Credentials tab may not be visible in your tenant if you have a public application. To learn more about confidential applications versus public applications, read [Confidential and Public Applications](/docs/get-started/applications/confidential-and-public-applications). ## Authentication Methods Auth0 offers the following ways your application can authenticate with the authorization server: * **Private Key JWT**: An asymmetric authentication method for confidential applications. In Private Key JWT, you generate a pair of keys, public and private, to use as credentials. You provide the public key and securely store the private key in your own system without sharing it with Auth0. You use the private key to sign the request sent to the authorization server. You can manage the public keys below in the **Available Credentials** section. * **Client Secret:** A symmetrical authentication method. In Client Secret authentication, you provide the Client Secret Auth0 assigned when you created the application. You can view and copy the `client_secret` directly from this section. * **Client Secret (Basic)**: Use Basic for a confidential application using the `HTTP BASIC` authentication scheme to send a Client Secret. * **Client Secret (Post)**: Use Post for a confidential application using request body parameters to send a Client Secret. To learn more about authentication methods and associated credentials, read [Application Credentials](/docs/secure/application-credentials). ## Available Credentials **Add New Credential**: Adds a new entry to the list if you have not reached the max number of credentials (2) for the application. * **Name**: Name of the credential. For example: 4096. * **Key ID**: Unique Auth0-generated credential identifier. The same credential can’t be uploaded more than once. * **Algorithm**: Algorithm you select for each credential. We support RS256, PS256, and RS384. * **Expires At**: `datetime` when the credential is invalid for the declared use. The credential will not be deleted, but will be inoperable. This can be configured in the UI by enabling the **Set an explicit expiry date for this credential** checkbox. Choose the side menu to enable, disable, or delete credentials. ## Rotate client secret You may need to occasionally rotate your application’s client secret. To learn more, read [Rotate Client Secrets](/docs/get-started/applications/rotate-client-secret). ## Learn more * [Application Credentials](/docs/secure/application-credentials) * [Authenticate with Private Key JWT](/docs/get-started/authentication-and-authorization-flow/authenticate-with-private-key-jwt) * [Rotate Credentials](/docs/get-started/applications/rotate-credentials) * [Configure Private Key JWT Authentication](/docs/get-started/applications/configure-private-key-jwt) # Dynamic Client Registration Source: https://auth0.com/docs/get-started/applications/dynamic-client-registration Learn how to dynamically register applications with Auth0 using the Management API. You can dynamically register third-party applications for your tenant. This feature is based on the [OpenID Connect Dynamic Client Registration specification](https://openid.net/specs/openid-connect-registration-1_0.html). ## Enable dynamic client registration Auth0 supports **Open Dynamic Registration**, which means that if you enable this feature, **anyone** will be able to create applications in your tenant without a token. By default, dynamic application registration is disabled for all tenants. To change this, you have to set the `enable_dynamic_client_registration` flag to `true` in your tenant's settings. To do so, go to [Dashboard > Settings > Advanced](https://manage.auth0.com/#/tenant/advanced) and enable **Dynamic Client Registration (DCR)**. Alternatively, you can update this flag using the Management API [`/Tenant/patch_settings`](https://auth0.com/docs/api/management/v2#!/Tenants/patch_settings) endpoint. ```bash cURL theme={null} curl --request PATCH \ --url 'https://{yourDomain}/api/v2/tenants/settings' \ --header 'authorization: Bearer API2_ACCESS_TOKEN' \ --header 'cache-control: no-cache' \ --header 'content-type: application/json' \ --data '{ "flags": { "enable_dynamic_client_registration": true } }' ``` ```csharp C# theme={null} var client = new RestClient("https://{yourDomain}/api/v2/tenants/settings"); var request = new RestRequest(Method.PATCH); request.AddHeader("content-type", "application/json"); request.AddHeader("authorization", "Bearer API2_ACCESS_TOKEN"); request.AddHeader("cache-control", "no-cache"); request.AddParameter("application/json", "{ "flags": { "enable_dynamic_client_registration": true } }", ParameterType.RequestBody); IRestResponse response = client.Execute(request); ``` ```go Go theme={null} package main import ( "fmt" "strings" "net/http" "io/ioutil" ) func main() { url := "https://{yourDomain}/api/v2/tenants/settings" payload := strings.NewReader("{ "flags": { "enable_dynamic_client_registration": true } }") req, _ := http.NewRequest("PATCH", url, payload) req.Header.Add("content-type", "application/json") req.Header.Add("authorization", "Bearer API2_ACCESS_TOKEN") req.Header.Add("cache-control", "no-cache") res, _ := http.DefaultClient.Do(req) defer res.Body.Close() body, _ := ioutil.ReadAll(res.Body) fmt.Println(res) fmt.Println(string(body)) } ``` ```java Java theme={null} HttpResponse response = Unirest.patch("https://{yourDomain}/api/v2/tenants/settings") .header("content-type", "application/json") .header("authorization", "Bearer API2_ACCESS_TOKEN") .header("cache-control", "no-cache") .body("{ "flags": { "enable_dynamic_client_registration": true } }") .asString(); ``` ```javascript Node.JS theme={null} var axios = require("axios").default; var options = { method: 'PATCH', url: 'https://{yourDomain}/api/v2/tenants/settings', headers: { 'content-type': 'application/json', authorization: 'Bearer API2_ACCESS_TOKEN', 'cache-control': 'no-cache' }, data: {flags: {enable_dynamic_client_registration: true}} }; axios.request(options).then(function (response) { console.log(response.data); }).catch(function (error) { console.error(error); }); ``` ```objc Obj-C theme={null} #import NSDictionary *headers = @{ @"content-type": @"application/json", @"authorization": @"Bearer API2_ACCESS_TOKEN", @"cache-control": @"no-cache" }; NSDictionary *parameters = @{ @"flags": @{ @"enable_dynamic_client_registration": @YES } }; NSData *postData = [NSJSONSerialization dataWithJSONObject:parameters options:0 error:nil]; NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://{yourDomain}/api/v2/tenants/settings"] cachePolicy:NSURLRequestUseProtocolCachePolicy timeoutInterval:10.0]; [request setHTTPMethod:@"PATCH"]; [request setAllHTTPHeaderFields:headers]; [request setHTTPBody:postData]; NSURLSession *session = [NSURLSession sharedSession]; NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) { if (error) { NSLog(@"%@", error); } else { NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response; NSLog(@"%@", httpResponse); } }]; [dataTask resume]; ``` ```php PHP theme={null} $curl = curl_init(); curl_setopt_array($curl, [ CURLOPT_URL => "https://{yourDomain}/api/v2/tenants/settings", CURLOPT_RETURNTRANSFER => true, CURLOPT_ENCODING => "", CURLOPT_MAXREDIRS => 10, CURLOPT_TIMEOUT => 30, CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1, CURLOPT_CUSTOMREQUEST => "PATCH", CURLOPT_POSTFIELDS => "{ "flags": { "enable_dynamic_client_registration": true } }", CURLOPT_HTTPHEADER => [ "authorization: Bearer API2_ACCESS_TOKEN", "cache-control: no-cache", "content-type: application/json" ], ]); $response = curl_exec($curl); $err = curl_error($curl); curl_close($curl); if ($err) { echo "cURL Error #:" . $err; } else { echo $response; } ``` ```python Python theme={null} import http.client conn = http.client.HTTPSConnection("") payload = "{ "flags": { "enable_dynamic_client_registration": true } }" headers = { 'content-type': "application/json", 'authorization': "Bearer API2_ACCESS_TOKEN", 'cache-control': "no-cache" } conn.request("PATCH", "/{yourDomain}/api/v2/tenants/settings", payload, headers) res = conn.getresponse() data = res.read() print(data.decode("utf-8")) ``` ```ruby Ruby theme={null} require 'uri' require 'net/http' require 'openssl' url = URI("https://{yourDomain}/api/v2/tenants/settings") http = Net::HTTP.new(url.host, url.port) http.use_ssl = true http.verify_mode = OpenSSL::SSL::VERIFY_NONE request = Net::HTTP::Patch.new(url) request["content-type"] = 'application/json' request["authorization"] = 'Bearer API2_ACCESS_TOKEN' request["cache-control"] = 'no-cache' request.body = "{ "flags": { "enable_dynamic_client_registration": true } }" response = http.request(request) puts response.read_body ``` ```swift Swift theme={null} import Foundation let headers = [ "content-type": "application/json", "authorization": "Bearer API2_ACCESS_TOKEN", "cache-control": "no-cache" ] let parameters = ["flags": ["enable_dynamic_client_registration": true]] as [String : Any] let postData = JSONSerialization.data(withJSONObject: parameters, options: []) let request = NSMutableURLRequest(url: NSURL(string: "https://{yourDomain}/api/v2/tenants/settings")! as URL, cachePolicy: .useProtocolCachePolicy, timeoutInterval: 10.0) request.httpMethod = "PATCH" request.allHTTPHeaderFields = headers request.httpBody = postData as Data let session = URLSession.shared let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in if (error != nil) { print(error) } else { let httpResponse = response as? HTTPURLResponse print(httpResponse) } }) dataTask.resume() ``` You need to update the `API2_ACCESS_TOKEN` with a valid token with the scope `update:tenant_settings`. To learn more, read [Management API Access Tokens](/docs/secure/tokens/access-tokens/management-api-access-tokens). ## Use dynamic client registration In this section, we will see how you can dynamically register and configure an application. ### Register your application To dynamically register an application with Auth0, you need to send an HTTP `POST` message to the Application Registration endpoint: `https://{yourDomain}/oidc/register`. Note that Auth0 supports **Open Dynamic Registration**, which means that the endpoint will accept a registration request without an access token. To create an application with the name `My Dynamic application` and the callback URLs `https://application.example.com/callback` and `https://application.example.com/callback2`, use the following snippet: ```bash cURL theme={null} curl --request POST \ --url 'https://{yourDomain}/oidc/register' \ --header 'content-type: application/json' \ --data '{"client_name":"My Dynamic Application","redirect_uris": ["https://application.example.com/callback", "https://application.example.com/callback2"]}' ``` ```csharp C# theme={null} var client = new RestClient("https://{yourDomain}/oidc/register"); var request = new RestRequest(Method.POST); request.AddHeader("content-type", "application/json"); request.AddParameter("application/json", "{"client_name":"My Dynamic Application","redirect_uris": ["https://application.example.com/callback", "https://application.example.com/callback2"]}", ParameterType.RequestBody); IRestResponse response = client.Execute(request); ``` ```go Go theme={null} package main import ( "fmt" "strings" "net/http" "io/ioutil" ) func main() { url := "https://{yourDomain}/oidc/register" payload := strings.NewReader("{"client_name":"My Dynamic Application","redirect_uris": ["https://application.example.com/callback", "https://application.example.com/callback2"]}") req, _ := http.NewRequest("POST", url, payload) req.Header.Add("content-type", "application/json") res, _ := http.DefaultClient.Do(req) defer res.Body.Close() body, _ := ioutil.ReadAll(res.Body) fmt.Println(res) fmt.Println(string(body)) } ``` ```java Java theme={null} HttpResponse response = Unirest.post("https://{yourDomain}/oidc/register") .header("content-type", "application/json") .body("{"client_name":"My Dynamic Application","redirect_uris": ["https://application.example.com/callback", "https://application.example.com/callback2"]}") .asString(); ``` ```javascript Node.JS theme={null} var axios = require("axios").default; var options = { method: 'POST', url: 'https://{yourDomain}/oidc/register', headers: {'content-type': 'application/json'}, data: { client_name: 'My Dynamic Application', redirect_uris: [ 'https://application.example.com/callback', 'https://application.example.com/callback2' ] } }; axios.request(options).then(function (response) { console.log(response.data); }).catch(function (error) { console.error(error); }); ``` ```objc Obj-C theme={null} #import NSDictionary *headers = @{ @"content-type": @"application/json" }; NSDictionary *parameters = @{ @"client_name": @"My Dynamic Application", @"redirect_uris": @[ @"https://application.example.com/callback", @"https://application.example.com/callback2" ] }; NSData *postData = [NSJSONSerialization dataWithJSONObject:parameters options:0 error:nil]; NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://{yourDomain}/oidc/register"] cachePolicy:NSURLRequestUseProtocolCachePolicy timeoutInterval:10.0]; [request setHTTPMethod:@"POST"]; [request setAllHTTPHeaderFields:headers]; [request setHTTPBody:postData]; NSURLSession *session = [NSURLSession sharedSession]; NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) { if (error) { NSLog(@"%@", error); } else { NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response; NSLog(@"%@", httpResponse); } }]; [dataTask resume]; ``` ```php PHP theme={null} $curl = curl_init(); curl_setopt_array($curl, [ CURLOPT_URL => "https://{yourDomain}/oidc/register", CURLOPT_RETURNTRANSFER => true, CURLOPT_ENCODING => "", CURLOPT_MAXREDIRS => 10, CURLOPT_TIMEOUT => 30, CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1, CURLOPT_CUSTOMREQUEST => "POST", CURLOPT_POSTFIELDS => "{"client_name":"My Dynamic Application","redirect_uris": ["https://application.example.com/callback", "https://application.example.com/callback2"]}", CURLOPT_HTTPHEADER => [ "content-type: application/json" ], ]); $response = curl_exec($curl); $err = curl_error($curl); curl_close($curl); if ($err) { echo "cURL Error #:" . $err; } else { echo $response; } ``` ```python Python theme={null} import http.client conn = http.client.HTTPSConnection("") payload = "{"client_name":"My Dynamic Application","redirect_uris": ["https://application.example.com/callback", "https://application.example.com/callback2"]}" headers = { 'content-type': "application/json" } conn.request("POST", "/{yourDomain}/oidc/register", payload, headers) res = conn.getresponse() data = res.read() print(data.decode("utf-8")) ``` ```ruby Ruby theme={null} require 'uri' require 'net/http' require 'openssl' url = URI("https://{yourDomain}/oidc/register") http = Net::HTTP.new(url.host, url.port) http.use_ssl = true http.verify_mode = OpenSSL::SSL::VERIFY_NONE request = Net::HTTP::Post.new(url) request["content-type"] = 'application/json' request.body = "{"client_name":"My Dynamic Application","redirect_uris": ["https://application.example.com/callback", "https://application.example.com/callback2"]}" response = http.request(request) puts response.read_body ``` ```swift Swift theme={null} import Foundation let headers = ["content-type": "application/json"] let parameters = [ "client_name": "My Dynamic Application", "redirect_uris": ["https://application.example.com/callback", "https://application.example.com/callback2"] ] as [String : Any] let postData = JSONSerialization.data(withJSONObject: parameters, options: []) let request = NSMutableURLRequest(url: NSURL(string: "https://{yourDomain}/oidc/register")! as URL, cachePolicy: .useProtocolCachePolicy, timeoutInterval: 10.0) request.httpMethod = "POST" request.allHTTPHeaderFields = headers request.httpBody = postData as Data let session = URLSession.shared let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in if (error != nil) { print(error) } else { let httpResponse = response as? HTTPURLResponse print(httpResponse) } }) dataTask.resume() ``` Where: * **client\_name**: The name of the Dynamic Application to be created * **redirect\_uris** (required): An array of URLs that Auth0 will deem valid to call at the end of an authentication flow Optionally, you can set a value for `token_endpoint_auth_method`, which can be `none` or `client_secret_post` (default value). Use `token_endpoint_auth_method: none` in the request payload if creating a SPA. The response includes the basic application information. ```json lines theme={null} HTTP/1.1 201 Created Content-Type: application/json { "client_name": "My Dynamic Application", "client_id": "8SXWY6j3afl2CP5ntwEOpMdPxxy49Gt2", "client_secret": "Q5O...33P", "redirect_uris": [ "https://application.example.com/callback", "https://application.example.com/callback2" ], "client_secret_expires_at": 0 } ``` Where: * **client\_id**: Unique client identifier. This is the ID you will use while configuring your apps to use Auth0. It is generated by the system and it cannot be modified. * **client\_secret**: Alphanumeric 64-bit client secret. This value is used by applications to authenticate to the Authentication API [`/token`](https://auth0.com/docs/api/authentication#get-token) and for signing and validating ID tokens. * **client\_secret\_expires\_at**: Time at which the `client_secret` will expire. For Auth0 this value will always be zero (`0`) which means that the application never expires. Make a note of the client ID and client secret, as these are the most important pieces for executing authentication and authorization flows. To learn more, read [Authentication and Authorization Flows](/docs/get-started/authentication-and-authorization-flow). Also, keep in mind that third-party developers are not allowed to modify the application settings. In case this is necessary, they need to contact the tenant owner with their request. ### Configure your application Now that you have a Client ID and Secret, you can configure your application to authenticate users with Auth0. We will go through a simple example, that shows how to call an API from a client-side web app, using the [Implicit Flow](/docs/get-started/authentication-and-authorization-flow/implicit-flow-with-form-post). First, you need to configure your application to send the user to the authorization URL: Where: * **audience** (optional): The target API for which the Application is requesting access on behalf of the user. Set this parameter if you need API access. * **scope** (optional): The scopes for which you want to request authorization. These must be separated by a space. You can request any of the [standard OIDC scopes](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) for users, such as `profile` and `email`, custom claims that must conform to a namespaced format, or any scopes supported by the target API (for example, `read:contacts`). Set this parameter if you need API access. To learn more, read [API Scopes](/docs/get-started/apis/scopes/api-scopes). * **response\_type**: The response type. For Implicit Grant you can either use `token` or `id_token token`. This will specify the type of token you will receive at the end of the flow. Use `token` to get only an access token, or `id_token token` to get both an ID token and an access token. * **client\_id**: Your application's client ID. * **redirect\_uri**: The URL to which the authorization server (Auth0) will redirect the User Agent (Browser) after authorization has been granted by the User. The access token (and optionally an ID token) will be available in the hash fragment of this URL. This URL must be specified as a valid callback URL under the **Application Settings** of your application. * **state**: An opaque value the applications add to the initial request that the authorization server includes when redirecting the back to the application. This value must be used by the application to prevent CSRF attacks. * **nonce**: A string value that will be included in the ID token response from Auth0, used to prevent token replay attacks. It is required for `response_type=id_token token`. For example: This call will redirect the user to Auth0, and upon successful authentication, back to your application (specifically to the **redirect\_uri**). If you need API access, then following the authentication, you need to extract the access token from the hash fragment of the URL, and use it to make calls to the API, by passing it as a `Bearer` token in the `Authorization` header of the HTTP request. ## Use Tenant Access Control List (ACL) Auth0 provides [Tenant Access Control List (ACL)](/docs/secure/tenant-access-control-list) to manage traffic. For the `/oidc/register` endpoint, you can add the `dcr` scope to an ACL rule to help manage requests. To learn more, read [Reference](/docs/secure/tenant-access-control-list/reference). ## Learn more * [First-Party and Third-Party Applications](/docs/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) * [User Consent and Third-Party Applications](/docs/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications) # Enable Android App Links Support Source: https://auth0.com/docs/get-started/applications/enable-android-app-links-support Describes how to enable Android App Links support for your Auth0 application using the Auth0 Dashboard. [Android App Links](https://developer.android.com/training/app-links) allow an application to designate itself as the default handler of a given type of link. For example, clicking a URL in an email would open the link in the designated application. This guide will show you how to enable Android App links support for your Auth0-registered application using Auth0's Dashboard. 1. Go to [Auth0 Dashboard > Applications > Applications](https://manage.auth0.com/#/applications), and select the name of the application to view. Dashboard Applications List 2. Scroll to the bottom of the **Settings** page, and select **Show Advanced Settings**. 3. Select **Device Settings**, provide the [App Package Name](https://developer.android.com/studio/build/application-id) and the SHA256 fingerprints of your app’s signing certificate for your Android application, and select **Save Changes**. Dashboard Applications Application Settings Tab Advanced Settings Device Settings Tab You can use the following command to generate the fingerprint using the Java keytool in your terminal: `keytool -list -v -keystore my-release-key.keystore` To learn more about signing certificates, see Android's [Sign Your App](https://developer.android.com/studio/publish/app-signing.html) developer documentation. ## Test link 1. Navigate to the following URL in your browser: `https://{yourDomain}/.well-known/assetlinks.json` 2. If the link is successful, you will return the following JSON (formatted for readability): ```json lines theme={null} [{ "relation": ["delegate_permission/common.handle_all_urls"], "target": { "namespace": "android_app", "package_name": "com.mycompany.app1", "sha256_cert_fingerprints": ["14:6D:E9:83:C5:73:06:50:D8:EE:B9:95:2F:34:FC:64:16:A0:83:42:E6:1D:BE:A8:8A:04:96:B2:3F:CF:44:E5"] } }] ``` To learn more about testing your app link, read [Verify Android App Links](https://developer.android.com/training/app-links/verify-site-associations) at [https://developer.android.com](https://developer.android.com). # Enable Single Sign-On Integrations for Applications Source: https://auth0.com/docs/get-started/applications/enable-sso-for-applications Describes how to create a single sign-on (SSO) integration for an application. Only for use with legacy tenants. By default, seamless single sign-on (SSO) is enabled for all new Auth0 tenants; however, **legacy tenants** may [choose whether to enable this feature at the tenant level](/docs/get-started/tenant-settings/enable-sso-for-legacy-tenants). If you have not enabled tenant-level SSO, you may enable it per application. You can enable an SSO for your application using the Auth0 Dashboard. ## Prerequisite Before enabling SSO for an application, you must first create and configure a connection for each identity provider you want to use. For social identity providers, make sure the connection is not using developer keys if you use the [Universal Login experience](/docs/authenticate/login/auth0-universal-login). ## Enable SSO 1. Go to [Auth0 Dashboard > Applications > SSO Integrations](https://manage.auth0.com/#/externalapps), and select the name of the integration to view. 2. Scroll to the bottom of the **Settings** page, locate **Use Auth0 instead of the IdP to do Single Sign-on**, enable the toggle, and select **Save Changes**. ## Learn more * [Single Sign-On Integrations](/docs/customize/integrations/sso-integrations) # Enable Universal Links Support in Apple Xcode Source: https://auth0.com/docs/get-started/applications/enable-universal-links-support-in-apple-xcode Learn how to enable universal links support for your Auth0 app in Apple Xcode using the Auth0 Dashboard. Universal links establish a verified relationship between domains and applications, so both your Auth0 Application settings and your iOS application need to be in sync. To do this, you need to provide Auth0 with Apple Team ID and Bundle Identifier. You can enable universal links support for your Auth0-registered application using the Auth0 Dashboard. ## Obtain Apple Team ID and Bundle Identifier 1. To find your Apple **Team ID**, go to your [Apple developer account summary page](https://developer.apple.com/membercenter/index.action#accountSummary). 2. To find your iOS application's **Bundle identifier**, go to its [Xcode project settings](https://developer.apple.com/library/content/documentation/IDEs/Conceptual/AppDistributionGuide/ConfiguringYourApp/ConfiguringYourApp.html) page. ## Provide Apple Team ID and Bundle Identifier to Auth0 1. Go to [Dashboard > Applications > Applications](https://manage.auth0.com/#/clients) and select the name of the application to view. Dashboard Applications List 2. Scroll to the bottom of the **Settings** page, and select **Show Advanced Settings**. 3. Select **Device Settings**, provide the **Team ID** and the **App bundler identifier** values for your iOS application and select **Save Changes**. Dashboard Applications Application Settings Tab Advanced Settings Device Settings Tab ## Test link Check whether the universal links `apple-app-site-association` file is available for your application by navigating to the following URL in your browser: `{yourDomain}/apple-app-site-association` If the link is successful, you will see the following JSON (formatted for readability): ```json lines theme={null} { "applinks": { "apps": [], "details": [{ "appID": "86WQXF56BC.com.auth0.Passwordless-Email", "paths": ["/ios/com.auth0.Passwordless-Email/*"] }] } } ``` # Remove Applications Source: https://auth0.com/docs/get-started/applications/remove-applications Learn how to remove an Auth0-registered application using the Auth0 Dashboard or the Management API. You can remove an application using the Auth0 Dashboard or the Management API. Once confirmed, this operation cannot be undone. ## Use the Dashboard 1. Go to [Dashboard > Applications > Applications](https://manage.auth0.com/#/applications), and select the name of an application to view. Dashboard Applications List 2. Scroll to the bottom of the **Settings** page, locate the **Danger Zone**, select **Delete**, and confirm. ## Use the Management API Make a `DELETE` call to the [`/Clients/delete_clients_by_id`](https://auth0.com/docs/api/management/v2#!/Clients/delete_clients_by_id) endpoints. Be sure to replace `{yourClientId}` and `MGMT_API_ACCESS_TOKEN` placeholder values with your client ID and Management API access token, respectively. ```bash cURL theme={null} curl --request DELETE \ --url 'https://{yourDomain}/api/v2/clients/%7ByourClientId%7D' \ --header 'authorization: Bearer {yourMgmtApiToken}' ``` ```csharp C# theme={null} var client = new RestClient("https://{yourDomain}/api/v2/clients/%7ByourClientId%7D"); var request = new RestRequest(Method.DELETE); request.AddHeader("authorization", "Bearer {yourMgmtApiToken}"); IRestResponse response = client.Execute(request); ``` ```go Go theme={null} package main import ( "fmt" "net/http" "io/ioutil" ) func main() { url := "https://{yourDomain}/api/v2/clients/%7ByourClientId%7D" req, _ := http.NewRequest("DELETE", url, nil) req.Header.Add("authorization", "Bearer {yourMgmtApiToken}") res, _ := http.DefaultClient.Do(req) defer res.Body.Close() body, _ := ioutil.ReadAll(res.Body) fmt.Println(res) fmt.Println(string(body)) } ``` ```java Java theme={null} HttpResponse response = Unirest.delete("https://{yourDomain}/api/v2/clients/%7ByourClientId%7D") .header("authorization", "Bearer {yourMgmtApiToken}") .asString(); ``` ```javascript Node.JS theme={null} var axios = require("axios").default; var options = { method: 'DELETE', url: 'https://{yourDomain}/api/v2/clients/%7ByourClientId%7D', headers: {authorization: 'Bearer {yourMgmtApiToken}'} }; axios.request(options).then(function (response) { console.log(response.data); }).catch(function (error) { console.error(error); }); ``` ```objc Obj-C theme={null} #import NSDictionary *headers = @{ @"authorization": @"Bearer {yourMgmtApiToken}" }; NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://{yourDomain}/api/v2/clients/%7ByourClientId%7D"] cachePolicy:NSURLRequestUseProtocolCachePolicy timeoutInterval:10.0]; [request setHTTPMethod:@"DELETE"]; [request setAllHTTPHeaderFields:headers]; NSURLSession *session = [NSURLSession sharedSession]; NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) { if (error) { NSLog(@"%@", error); } else { NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response; NSLog(@"%@", httpResponse); } }]; [dataTask resume]; ``` ```php PHP theme={null} $curl = curl_init(); curl_setopt_array($curl, [ CURLOPT_URL => "https://{yourDomain}/api/v2/clients/%7ByourClientId%7D", CURLOPT_RETURNTRANSFER => true, CURLOPT_ENCODING => "", CURLOPT_MAXREDIRS => 10, CURLOPT_TIMEOUT => 30, CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1, CURLOPT_CUSTOMREQUEST => "DELETE", CURLOPT_HTTPHEADER => [ "authorization: Bearer {yourMgmtApiToken}" ], ]); $response = curl_exec($curl); $err = curl_error($curl); curl_close($curl); if ($err) { echo "cURL Error #:" . $err; } else { echo $response; } ``` ```python Python theme={null} import http.client conn = http.client.HTTPSConnection("") headers = { 'authorization': "Bearer {yourMgmtApiToken}" } conn.request("DELETE", "/{yourDomain}/api/v2/clients/%7ByourClientId%7D", headers=headers) res = conn.getresponse() data = res.read() print(data.decode("utf-8")) ``` ```ruby Ruby theme={null} require 'uri' require 'net/http' require 'openssl' url = URI("https://{yourDomain}/api/v2/clients/%7ByourClientId%7D") http = Net::HTTP.new(url.host, url.port) http.use_ssl = true http.verify_mode = OpenSSL::SSL::VERIFY_NONE request = Net::HTTP::Delete.new(url) request["authorization"] = 'Bearer {yourMgmtApiToken}' response = http.request(request) puts response.read_body ``` ```swift Swift theme={null} import Foundation let headers = ["authorization": "Bearer {yourMgmtApiToken}"] let request = NSMutableURLRequest(url: NSURL(string: "https://{yourDomain}/api/v2/clients/%7ByourClientId%7D")! as URL, cachePolicy: .useProtocolCachePolicy, timeoutInterval: 10.0) request.httpMethod = "DELETE" request.allHTTPHeaderFields = headers let session = URLSession.shared let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in if (error != nil) { print(error) } else { let httpResponse = response as? HTTPURLResponse print(httpResponse) } }) dataTask.resume() ```
Value Description
Τhe ID of the application to be deleted.
MGMT\_API\_ACCESS\_TOKEN Access Tokens for the Management API with the scope delete:clients.
## Learn more * [Register Regular Web Applications](/docs/get-started/auth0-overview/create-applications/regular-web-apps) * [Register Single-Page Web Applications](/docs/get-started/auth0-overview/create-applications/single-page-web-apps) * [Register Native Applications](/docs/get-started/auth0-overview/create-applications/native-apps) * [Register Machine-to-Machine Applications](/docs/get-started/auth0-overview/create-applications/machine-to-machine-apps) # Revoke Access to APIs Using Application Grants Source: https://auth0.com/docs/get-started/applications/revoke-api-access Configuring your application grant so that the tokens you issue last for only a short period means that when it comes time for you to revoke access to a protected resource, you can simply delete the grant. At this point, the party with the access token only has a limited period between when you delete the grant and the token's expiration to make additional API requests. Because this is an easy (and safe) option to implement, we recommend you deny access to your APIs and other protected resources by revoking application grants. If, for example, you are using a Machine-to-Machine [application](/docs/get-started/applications) to access your [API](/docs/get-started/apis) and you have a partner that calls your API, and at the end of your existing contract, you and your partner decide not to renew your partnership. You now want to remove your partner's access to your API. The issue, however, is that you've given your partner an access token that lasts for a month. * What can you do in this situation? * How might you configure your Auth0 environment to make such situations easier to handle in the future? ## Application grants The main issue in this scenario is the length of time for which the API access token is valid: one month. By default, Auth0 issues access tokens that last for 24 hours. Setting the token's lifetime to 24 hours means that your partner must repeat the client credentials exchange (or whichever grant you've implemented) to obtain a new access token every 24 hours. To deny access to your partner due to the expiration of your contract, you can simply delete the application grant so that when their existing token expires, they cannot request a new one. You can change the lifetime of a token by setting the `token_lifetime` option. The specific lifetime appropriate to your use case will vary, but we recommend setting this value to be as short as possible. A good starting point for determining this value would be the window you consider allowable for the delay between deleting the grant and final use of the API. ### Delete an application grant To delete an application grant, make the appropriate `DELETE` call to the Management API's [Delete an Application Grant endpoint](https://auth0.com/docs/api/management/v2#!/Client_Grants/delete_client_grants_by_id). As part of the call, you'll need to specify the ID of the application grant you want to delete, which you can obtain via the Management API's [Get all Application Grants endpoint](https://auth0.com/docs/api/management/v2#!/Client_Grants/get_client_grants). You can also [update an Application's grant types](/docs/get-started/applications/update-grant-types) through the Auth0 Dashboard. ## Learn more * [Data Security](/docs/secure/security-guidance/data-security) # Rotate Client Secrets Source: https://auth0.com/docs/get-started/applications/rotate-client-secret Learn how to rotate an application's client secret using the Auth Dashboard or the Management API. You can change an application's client secret using the Auth0 Dashboard or the Auth0 Management API. When you rotate a client secret, you must update any authorized applications with the new value. Client secrets should not be stored in public client applications. To learn more, read [Confidential and Public Applications.](/docs/get-started/applications/confidential-and-public-applications) New secrets may be delayed up to thirty seconds while rotating. To minimize downtime, we suggest you store the new client secret in your application's code/system configuration as a fallback to the previous secret. This way, if the client application request doesn't work with the old secret, your app will use the new secret. Secrets can be stored in a list (or similar structure) until they're no longer needed. Once you're sure that an old secret is obsolete, you can remove its value from your app's code. ## Use the Dashboard 1. In the Auth0 Dashboard, go to [Applications > Applications](https://manage.auth0.com/#/applications), and then select the name of the application to view. Dashboard Applications List 2. Scroll to the bottom of the **Settings** page, locate the **Danger Zone**, select **Rotate**, and confirm. 3. Scroll to the top of the page, and switch to the **Credentials** tab. 4. View your new secret by locating **Client Secret**, and selecting the eye icon. Dashboard Applications Application Settings Tab Basic Information 5. Update authorized applications with the new value. ## Use the Management API 1. Call the Management API [Rotate a client secret](https://auth0.com/docs/api/management/v2#!/Clients/post_rotate_secret) endpoint. Replace the `{yourClientId}` and `MGMT_API_ACCESS_TOKEN` placeholder values with your client ID and Management API access token, respectively. ```bash cURL theme={null} curl --request POST \ --url 'https://{yourDomain}/api/v2/clients/%7ByourClientId%7D/rotate-secret' \ --header 'authorization: Bearer {yourMgmtApiAccessToken}' ``` ```csharp C# theme={null} var client = new RestClient("https://{yourDomain}/api/v2/clients/%7ByourClientId%7D/rotate-secret"); var request = new RestRequest(Method.POST); request.AddHeader("authorization", "Bearer {yourMgmtApiAccessToken}"); IRestResponse response = client.Execute(request); ``` ```go Go theme={null} package main import ( "fmt" "net/http" "io/ioutil" ) func main() { url := "https://{yourDomain}/api/v2/clients/%7ByourClientId%7D/rotate-secret" req, _ := http.NewRequest("POST", url, nil) req.Header.Add("authorization", "Bearer {yourMgmtApiAccessToken}") res, _ := http.DefaultClient.Do(req) defer res.Body.Close() body, _ := ioutil.ReadAll(res.Body) fmt.Println(res) fmt.Println(string(body)) } ``` ```java Java theme={null} HttpResponse response = Unirest.post("https://{yourDomain}/api/v2/clients/%7ByourClientId%7D/rotate-secret") .header("authorization", "Bearer {yourMgmtApiAccessToken}") .asString(); ``` ```javascript Node.JS theme={null} var axios = require("axios").default; var options = { method: 'POST', url: 'https://{yourDomain}/api/v2/clients/%7ByourClientId%7D/rotate-secret', headers: {authorization: 'Bearer {yourMgmtApiAccessToken}'} }; axios.request(options).then(function (response) { console.log(response.data); }).catch(function (error) { console.error(error); }); ``` ```objc Obj-C theme={null} #import NSDictionary *headers = @{ @"authorization": @"Bearer {yourMgmtApiAccessToken}" }; NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://{yourDomain}/api/v2/clients/%7ByourClientId%7D/rotate-secret"] cachePolicy:NSURLRequestUseProtocolCachePolicy timeoutInterval:10.0]; [request setHTTPMethod:@"POST"]; [request setAllHTTPHeaderFields:headers]; NSURLSession *session = [NSURLSession sharedSession]; NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) { if (error) { NSLog(@"%@", error); } else { NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response; NSLog(@"%@", httpResponse); } }]; [dataTask resume]; ``` ```php PHP theme={null} $curl = curl_init(); curl_setopt_array($curl, [ CURLOPT_URL => "https://{yourDomain}/api/v2/clients/%7ByourClientId%7D/rotate-secret", CURLOPT_RETURNTRANSFER => true, CURLOPT_ENCODING => "", CURLOPT_MAXREDIRS => 10, CURLOPT_TIMEOUT => 30, CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1, CURLOPT_CUSTOMREQUEST => "POST", CURLOPT_HTTPHEADER => [ "authorization: Bearer {yourMgmtApiAccessToken}" ], ]); $response = curl_exec($curl); $err = curl_error($curl); curl_close($curl); if ($err) { echo "cURL Error #:" . $err; } else { echo $response; } ``` ```python Python theme={null} import http.client conn = http.client.HTTPSConnection("") headers = { 'authorization': "Bearer {yourMgmtApiAccessToken}" } conn.request("POST", "/{yourDomain}/api/v2/clients/%7ByourClientId%7D/rotate-secret", headers=headers) res = conn.getresponse() data = res.read() print(data.decode("utf-8")) ``` ```ruby Ruby theme={null} require 'uri' require 'net/http' require 'openssl' url = URI("https://{yourDomain}/api/v2/clients/%7ByourClientId%7D/rotate-secret") http = Net::HTTP.new(url.host, url.port) http.use_ssl = true http.verify_mode = OpenSSL::SSL::VERIFY_NONE request = Net::HTTP::Post.new(url) request["authorization"] = 'Bearer {yourMgmtApiAccessToken}' response = http.request(request) puts response.read_body ``` ```swift Swift theme={null} import Foundation let headers = ["authorization": "Bearer {yourMgmtApiAccessToken}"] let request = NSMutableURLRequest(url: NSURL(string: "https://{yourDomain}/api/v2/clients/%7ByourClientId%7D/rotate-secret")! as URL, cachePolicy: .useProtocolCachePolicy, timeoutInterval: 10.0) request.httpMethod = "POST" request.allHTTPHeaderFields = headers let session = URLSession.shared let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in if (error != nil) { print(error) } else { let httpResponse = response as? HTTPURLResponse print(httpResponse) } }) dataTask.resume() ```
Value Description
Τhe ID of the application to be updated.
MGMT\_API\_ACCESS\_TOKEN Access Tokens for the Management API with the scope update:client\_keys.
2. Update authorized applications with the new value. ### Set a custom client secret You can use the Management API [Update a client](https://auth0.com/docs/api/management/v2/#!/Clients/patch_clients_by_id) endpoint to to set a client secret manually instead of requesting a rotation to an automatically generated secret. Your application is configured with the future secret as a fallback ahead of the actual rotation. ```bash lines theme={null} curl --request PATCH \ --url https://{TenantDomain}/api/v2/clients/{ClientID} \ --header 'Authorization: Bearer {AccessToken}' \ --header 'Content-Type: application/json' \ --data '{ "client_secret": "{CustomClientSecret}" }' ``` ## Learn more * [View Signing Certificates](/docs/get-started/tenant-settings/signing-keys/view-signing-certificates) * [Signing Algorithms](/docs/get-started/applications/signing-algorithms) * [Change Application Signing Algorithms](/docs/get-started/applications/change-application-signing-algorithms) # Rotate Credentials Source: https://auth0.com/docs/get-started/applications/rotate-credentials Describes how to rotate existing credentials in the Auth0 Dashboard. Auth0 recommends you rotate key material regularly to meet your compliance needs and ensure security is not compromised by leaked private keys. You can use the Auth0 Dashboard or Management API to rotate new keys into use. You need to create a new credential, associate it with the `private_key_jwt` authentication method, and remove old or unused credentials. The current application storage limit is two credentials at one time. To repeatedly rotate new credentials, you need to delete unused credentials. To rotate your application credentials with Auth0 Dashboard: 1. Navigate to [**Auth0 Dashboard > Applications > Application**](https://manage.auth0.com/#/applications) and select the application you want to update. 2. Switch to the **Credentials** tab. 3. In the **Available Credentials** section, select **Add New Key**. 4. Set a name for your new credential, the public key in PEM format, and the algorithm for the new credential. 5. Select **Add Credential**. 6. To activate your new credential, navigate to the menu for the credential and choose **Enable for Private Key JWT use**. 7. Once you have updated your applications to use the new credential, deactivate your original credential: 1. Select **Disable for Private Key JWT Use**. 2. Once disabled, return to the credential menu and select **Delete Credential**. In the rotation examples below, `credential1` is an existing credential in use, and `credential2` is a new credential to replace the existing one. 1. Generate a new key pair. 2. Create the credential resource with a `POST` request to the Management API. The current application storage limit is two credentials at one time. To repeatedly rotate new credentials, you need to delete unused credentials. 3. Make a PATCH request to the Management API [Update a Client](https://auth0.com/docs/api/management/v2#!/Clients/patch_clients_by_id) endpoint to associate the credential to the authentication method `private_key_jwt`: ```bash lines theme={null} curl --location --request PATCH 'https://{domain}/api/v2/clients/{clientId} \ --header 'Authorization: Bearer {managementApiAccessToken} \ --header 'Content-Type: application/json' \ --data-raw '{ "client_authentication_methods": { "private_key_jwt": { "credentials": [{ "id": {credentialId1} }, { "id": {credentialId2} }] } } }' ```
Parameter Description
clientId Application you want to update.
credentialId1 ID for the existing credential in use.
credentialId2 ID for the new credential.
managementApiAccessToken Access token for the Management API with the scopes update:clients and update:credentials.
4. Update your application to use the new private key to sign assertions for the Auth0 Authentication API. 5. Remove the unused key from your application. ```bash lines theme={null} curl --location --request PATCH 'https://{domain}/api/v2/clients/{clientId} \ --header 'Authorization: Bearer $management_access_token' \ --header 'Content-Type: application/json' \ --data-raw '{ "client_authentication_methods": { "private_key_jwt": { "credentials": [{ "id": {credentialId2} }] } } }' ``` 6. Remove the unused key from your application. This will permanently delete the credential from storage.  You must unassociate the credential from your application or you will not be able to remove it. ```bash lines theme={null} curl --location --request DELETE 'https://{domain}/api/v2/clients/{clientId}/credentials/{credentialId}' \ --header 'Authorization: Bearer {managementApiAccessToken} ```
Parameter Description
clientId Application you want to update.
credentialId ID for the old credential you want to delete.
managementApiAccessToken Access token for the Management API with the scope delete:credentials.
### Active credentials To assure zero downtime, you can leave multiple credentials active during rotation. Applications can function normally using older keys until keys are updated. Applications can send signed assertions with any set of active credentials. Auth0 recommends you minimize the time that multiple credentials are in use. The example below uses multiple associated credentials: ```bash lines theme={null} curl --location --request PATCH 'https://$tenant/api/v2/clients/$client_id' \ --header 'Authorization: Bearer $management_access_token' \ --header 'Content-Type: application/json' \ --data-raw '{ "client_authentication_methods": { "private_key_jwt": { "credentials": [{ "id": $credential1.id }, { "id": $credential2.id }] } } }' ``` ## Learn more * [Configure Private Key JWT Authentication](/docs/get-started/applications/configure-private-key-jwt) * [Application Credentials](/docs/secure/application-credentials) * [Credential Settings](/docs/get-started/applications/credentials) # Configure Cross-Origin Resource Sharing Source: https://auth0.com/docs/get-started/applications/set-up-cors Describes how to configure Cross-Origin Resource Sharing (CORS) for an Auth0-registered application using the Auth0 Dashboard. * For security purposes, your application's origin URL must be listed as an approved URL. If you have not already added it to the **Allowed Callback URLs** for your application, you will need to add it to the list of **Allowed Origins (CORS)**. * Ensure that **Allowed Web Origins** in your application's **Settings** view is set to the domain making the request. The URLs can contain wildcards for subdomains, but cannot contain relative paths after the domain URL. To learn more, read [Placeholders for Subdomains](/docs/get-started/applications/wildcards-for-subdomains). * If you don't enable [Custom Domains](/docs/customize/custom-domains), you will need to create a verification page that uses Auth0.js as the fallback for the cross-origin authentication. Cross-origin resource sharing (CORS) is a mechanism that allows an application to load data (resource) from a domain (origin) that is different from the one that it's hosted on. A CORS policy is an explicit exception to the same-origin policy common to web applications. For example, if you wanted your application (app.mydomain.com) to fetch a font from Google (fonts.google.com) in the background using Ajax, you would need to configure CORS. ## Configure cross-origin authentication 1. Go to [Dashboard > Applications > Applications](https://manage.auth0.com/#/applications) and click the name of the application to view. 2. Under **Cross-Origin Authentication**, toggle on **Allow Cross-Origin Authentication**. 3. Locate **Allowed Origins (CORS)**, and enter your application's origin URL. To learn more about Origins, read [Origin on Mozilla MDN Web Docs](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin). 4. Click **Save Changes**. If you do not need to use CORS for your application, ensure that **Allow Cross-Origin Authentication** is toggled off. ## Create cross-origin verification page There are some cases when third-party cookies will not be available. Certain browser versions do not support third-party cookies and, if they do, they may be disabled in a user's settings. For [browsers that are supported](#browser-testing-support), you can use the `crossOriginVerification` method from the [Auth0.js SDK](/docs/libraries/auth0js) in your application on a dedicated page to handle cases when third-party cookies are disabled. For browsers that are not supported, such as Chrome, Opera, and Safari, cross-origin authentication will not work when third-party cookies are disabled unless you enable [Custom Domains](/docs/customize/custom-domains). **Safari's** configuration is labeled as "Prevent cross-site tracking" and uses [Intelligent Tracking Prevention](https://webkit.org/blog/7675/intelligent-tracking-prevention/). Unfortunately, this also prevents third-party cookies from being useful in authentication scenarios. Here's an example of how it affects [token renewal](/docs/troubleshoot/authentication-issues/renew-tokens-when-using-safari). 1. Create a page in your application that instantiates `WebAuth` from [Auth0.js](/docs/libraries/auth0js). Call `crossOriginVerification` immediately. The name of the page is up to you. When third party cookies are not available, Auth0.js renders an iframe to call a different cross-origin verification flow. 2\. Go to [Dashboard > Applications > Applications](https://manage.auth0.com/#/applications), and select the application to view. 3\. Under **Cross-Origin Authentication**, add the URL of the callback page you created to the **Cross-Origin Verification Fallback URL** field. For production environments, verify that the URL for the page does not point to `localhost`. The page must be in the same domain where the embedded login form is hosted and must have an `https` scheme. 4. Click **Save Changes**. For more details, view the [cross-origin authentication sample on GitHub](https://github.com/auth0/lock/blob/master/support/callback-cross-auth.html). ## Error codes and descriptions Error descriptions are intended to be human-readable. They are subject to change at any time and should not be parsed by any code. When Auth0.js v9 (and Lock) is used for embedded login, it calls the `/co/authenticate` endpoint, which has the following errors:
Status Code Description
400 invalid\_request Invalid request body. All and only of client\_id, credential\_type, username, otp, realm are required.
400 unsupported\_credential\_type Unknown credential type parameter.
400 invalid\_request Unknown realm non-existent-connection.
401 unauthorized\_client Cross origin login not allowed.
401 password\_leaked This login attempt has been blocked because the password you're using was previously disclosed through a data breach (not in this application).
403 access\_denied Wrong email or password.
403 access\_denied Authentication error
403 blocked\_user Blocked user
429 too\_many\_attempts Your account has been blocked after multiple consecutive login attempts. We've sent you a notification via your preferred contact method with instructions on how to unblock it.
429 too\_many\_attempts We have detected suspicious login behavior and further attempts will be blocked. Please contact the administrator.
In addition, you can also get a generic `403` error without an `error` or `error_description` property. The response body would just include something similar to the following: `Origin https://test.app is not allowed.` ## Browser testing support The following browsers can use cross-origin authentication when third-party cookies are disabled: * Microsoft Internet Explorer Previously, the [`samesite` cookie attribute](/docs/manage-users/cookies/samesite-cookie-attribute-changes) options were `true`, `false`, `strict` or `lax`. If you didn't set the attribute manually, Auth0 would use the default value of `false`. Effective February 2020, Google Chrome v80 changed the way it handles cookies, and Auth0 implemented the following changes accordingly: * Cookies without the `samesite` attribute set will be set to `lax`. * Cookies with `sameSite=none` must be secured, otherwise they cannot be saved in the browser's cookie jar. The goal of these changes are to improve security and help mitigate cross-site resource forgery (CSRF) attacks. ## Learn more * [Embedded Login](/docs/authenticate/login/embedded-login) * [Cross-Origin Authentication](/docs/authenticate/login/cross-origin-authentication) * [Application Settings](/docs/get-started/applications/application-settings) * [SameSite Cookie Attribute Changes](/docs/manage-users/cookies/samesite-cookie-attribute-changes) # Set Up Database Connections Source: https://auth0.com/docs/get-started/applications/set-up-database-connections Describes how to set up database connections for applications using the Auth0 Dashboard. You can set up database connections for applications using the Auth0 Dashboard. The configured database connections can be used to log in to your application. To set up a connection, follow the steps below. Navigate to [Auth0 Dashboard > Authentication > Database](http://manage.auth0.com/#/connections/database), and select **Create DB Connection**. Dashboard - Authentication - Database - Database Connections List Enter a name for your connection, and select **Create**. Dashboard - Authentication - Database - New DB Connection Select the **Applications** view, enable the switch for each Auth0 application that should be able to use this connection. Dashboard - Connections - Database - Edit - View Applications ## Learn more * [Test Database Connections](/docs/get-started/applications/test-database-connections) # Signing Algorithms Source: https://auth0.com/docs/get-started/applications/signing-algorithms Describes signing algorithms and recommendations for configuring them in the Auth0 Dashboard. Signing algorithms are algorithms used to sign tokens issued for your application or API. A signature is part of a [JSON Web Token (JWT)](/docs/secure/tokens/json-web-tokens) and is used to verify that the sender of the token is who it says it is and to ensure that the message wasn't changed along the way. You can select from the following signing algorithms: * **RS256 (RSA Signature with SHA-256)**: An asymmetric algorithm, which means that there are two keys: one public key and one private key that must be kept secret. Auth0 has the private key used to generate the signature, and the consumer of the JWT retrieves a public key from the metadata endpoints provided by Auth0 and uses it to validate the JWT signature. * **HS256 (HMAC with SHA-256)**: A symmetric algorithm, which means that there is only one private key that must be kept secret, and it is shared between the two parties. Since the same key is used both to generate the signature and to validate it, care must be taken to ensure that the key is not compromised. This private key (or secret) is created when you register your application (client secret) or API (signing secret) and choose the HS256 signing algorithm. * **PS256 (RSA Signature with SHA-256)**: An asymmetric algorithm, which means that there are two keys: one public key and one private key that must be kept secret. Auth0 has the private key used to generate the signature, and the consumer of the JWT retrieves a public key from the metadata endpoints provided by Auth0 and uses it to validate the JWT signature. Unlike RS256, the same JWT header and payload will generate a different signature each time. The most secure practice, and our recommendation, is to use RS256 because: * With RS256, you are sure that only the holder of the private key (Auth0) can sign tokens, while anyone can check if the token is valid using the public key. * With RS256, if the private key is compromised, you can implement key rotation without having to re-deploy your application or API with the new secret (which you would have to do if using HS256). For troubleshooting help, review [Troubleshooting Invalid Token Errors](/docs/troubleshoot/basic-issues/invalid-token-errors). ## Learn more * [JSON Web Tokens](/docs/secure/tokens/json-web-tokens) * [Change Application Signing Algorithms](/docs/get-started/applications/change-application-signing-algorithms) * [Signing Keys](/docs/get-started/tenant-settings/signing-keys) * [Rotate Signing Keys](/docs/get-started/tenant-settings/signing-keys/rotate-signing-keys) * [Revoke Signing Keys](/docs/get-started/tenant-settings/signing-keys/revoke-signing-keys) * [View Signing Certificates](/docs/get-started/tenant-settings/signing-keys/view-signing-certificates) # Test Database Connections Source: https://auth0.com/docs/get-started/applications/test-database-connections Describes how to test database connections for applications using the Auth0 Dashboard. You can test database connections for applications using the Auth0 Dashboard. The configured database connections can be used to log in to your application. To properly test, you should have already [set up your database connection](/docs/get-started/applications/set-up-database-connections) and [created a user](/docs/manage-users/user-accounts/create-users) for your database connection. 1. Navigate to [Auth0 Dashboard > Authentication > Database](https://manage.auth0.com/#/connections/database), and select the **Try** arrow next to the connection you want to test. Dashboard - Authentication - Database - Database Connections List 2. Enter your test user's username and password. If you have configured everything correctly, you will see the **It Works!** page: Dashboard - Connections - Database - Try - Success ## Learn more * [Set Up Database Connections](/docs/get-started/applications/set-up-database-connections) # Update Application Connections Source: https://auth0.com/docs/get-started/applications/update-application-connections Describes how to update an application's enabled connections using the Auth0 Dashboard. You can change your application's enabled connections using the Auth0 Dashboard. 1. Go to [Dashboard > Applications](https://manage.auth0.com/#/applications) and click the name of the application to view. Dashboard Applications List 2. Click the **Connections** tab, and enable or disable the appropriate connections for the application. ## Learn more * [View Connections](/docs/authenticate/identity-providers/view-connections) * [Verify Connections](/docs/troubleshoot/basic-issues/verify-connections) # Update Grant Types Source: https://auth0.com/docs/get-started/applications/update-grant-types Learn how to update an application's grant types using the Auth0 Dashboard or the Management API. You can change your application's grant types using the Auth0 Dashboard or the Management API. ## Use the Dashboard 1. Go to [Dashboard > Applications > Applications](https://manage.auth0.com/#/applications) and select the name of the application to view. Dashboard Applications List 2. Scroll to the bottom of the page, and select **Show Advanced Settings**. 3. Select **Grant Types**, and enable or disable the appropriate grants for the application. When finished, select **Save Changes**. The device code grant type is only available for native apps. Dashboard Applications Application Settings Tab Advanced Settings Grant Types tab ## Use the Management API Make a `PATCH` call to the [`/Clients/patch_clients_by_id`](https://auth0.com/docs/api/management/v2#!/Clients/patch_clients_by_id) endpoint. Be sure to replace `{yourClientId}`, `{yourManagementApiAccessToken}`, and `{grantType}` placeholder values with your client ID, Management API access token, and desired grant type, respectively. ```bash cURL theme={null} curl --request PATCH \ --url 'https://{yourDomain}/api/v2/clients/%7ByourClientId%7D' \ --header 'authorization: Bearer {yourMgmtApiAccessToken}' \ --header 'cache-control: no-cache' \ --header 'content-type: application/json' \ --data '{ "grant_types": "{grantTypes}" }' ``` ```csharp C# theme={null} var client = new RestClient("https://{yourDomain}/api/v2/clients/%7ByourClientId%7D"); var request = new RestRequest(Method.PATCH); request.AddHeader("content-type", "application/json"); request.AddHeader("authorization", "Bearer {yourMgmtApiAccessToken}"); request.AddHeader("cache-control", "no-cache"); request.AddParameter("application/json", "{ "grant_types": "{grantTypes}" }", ParameterType.RequestBody); IRestResponse response = client.Execute(request); ``` ```go Go theme={null} package main import ( "fmt" "strings" "net/http" "io/ioutil" ) func main() { url := "https://{yourDomain}/api/v2/clients/%7ByourClientId%7D" payload := strings.NewReader("{ "grant_types": "{grantTypes}" }") req, _ := http.NewRequest("PATCH", url, payload) req.Header.Add("content-type", "application/json") req.Header.Add("authorization", "Bearer {yourMgmtApiAccessToken}") req.Header.Add("cache-control", "no-cache") res, _ := http.DefaultClient.Do(req) defer res.Body.Close() body, _ := ioutil.ReadAll(res.Body) fmt.Println(res) fmt.Println(string(body)) } ``` ```java Java theme={null} HttpResponse response = Unirest.patch("https://{yourDomain}/api/v2/clients/%7ByourClientId%7D") .header("content-type", "application/json") .header("authorization", "Bearer {yourMgmtApiAccessToken}") .header("cache-control", "no-cache") .body("{ "grant_types": "{grantTypes}" }") .asString(); ``` ```javascript Node.JS theme={null} var axios = require("axios").default; var options = { method: 'PATCH', url: 'https://{yourDomain}/api/v2/clients/%7ByourClientId%7D', headers: { 'content-type': 'application/json', authorization: 'Bearer {yourMgmtApiAccessToken}', 'cache-control': 'no-cache' }, data: {grant_types: '{grantTypes}'} }; axios.request(options).then(function (response) { console.log(response.data); }).catch(function (error) { console.error(error); }); ``` ```objc Obj-C theme={null} #import NSDictionary *headers = @{ @"content-type": @"application/json", @"authorization": @"Bearer {yourMgmtApiAccessToken}", @"cache-control": @"no-cache" }; NSDictionary *parameters = @{ @"grant_types": @"{grantTypes}" }; NSData *postData = [NSJSONSerialization dataWithJSONObject:parameters options:0 error:nil]; NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://{yourDomain}/api/v2/clients/%7ByourClientId%7D"] cachePolicy:NSURLRequestUseProtocolCachePolicy timeoutInterval:10.0]; [request setHTTPMethod:@"PATCH"]; [request setAllHTTPHeaderFields:headers]; [request setHTTPBody:postData]; NSURLSession *session = [NSURLSession sharedSession]; NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) { if (error) { NSLog(@"%@", error); } else { NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response; NSLog(@"%@", httpResponse); } }]; [dataTask resume]; ``` ```php PHP theme={null} $curl = curl_init(); curl_setopt_array($curl, [ CURLOPT_URL => "https://{yourDomain}/api/v2/clients/%7ByourClientId%7D", CURLOPT_RETURNTRANSFER => true, CURLOPT_ENCODING => "", CURLOPT_MAXREDIRS => 10, CURLOPT_TIMEOUT => 30, CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1, CURLOPT_CUSTOMREQUEST => "PATCH", CURLOPT_POSTFIELDS => "{ "grant_types": "{grantTypes}" }", CURLOPT_HTTPHEADER => [ "authorization: Bearer {yourMgmtApiAccessToken}", "cache-control: no-cache", "content-type: application/json" ], ]); $response = curl_exec($curl); $err = curl_error($curl); curl_close($curl); if ($err) { echo "cURL Error #:" . $err; } else { echo $response; } ``` ```python Python theme={null} import http.client conn = http.client.HTTPSConnection("") payload = "{ "grant_types": "{grantTypes}" }" headers = { 'content-type': "application/json", 'authorization': "Bearer {yourMgmtApiAccessToken}", 'cache-control': "no-cache" } conn.request("PATCH", "/{yourDomain}/api/v2/clients/%7ByourClientId%7D", payload, headers) res = conn.getresponse() data = res.read() print(data.decode("utf-8")) ``` ```ruby Ruby theme={null} require 'uri' require 'net/http' require 'openssl' url = URI("https://{yourDomain}/api/v2/clients/%7ByourClientId%7D") http = Net::HTTP.new(url.host, url.port) http.use_ssl = true http.verify_mode = OpenSSL::SSL::VERIFY_NONE request = Net::HTTP::Patch.new(url) request["content-type"] = 'application/json' request["authorization"] = 'Bearer {yourMgmtApiAccessToken}' request["cache-control"] = 'no-cache' request.body = "{ "grant_types": "{grantTypes}" }" response = http.request(request) puts response.read_body ``` ```swift Swift theme={null} import Foundation let headers = [ "content-type": "application/json", "authorization": "Bearer {yourMgmtApiAccessToken}", "cache-control": "no-cache" ] let parameters = ["grant_types": "{grantTypes}"] as [String : Any] let postData = JSONSerialization.data(withJSONObject: parameters, options: []) let request = NSMutableURLRequest(url: NSURL(string: "https://{yourDomain}/api/v2/clients/%7ByourClientId%7D")! as URL, cachePolicy: .useProtocolCachePolicy, timeoutInterval: 10.0) request.httpMethod = "PATCH" request.allHTTPHeaderFields = headers request.httpBody = postData as Data let session = URLSession.shared let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in if (error != nil) { print(error) } else { let httpResponse = response as? HTTPURLResponse print(httpResponse) } }) dataTask.resume() ```
Value Description
Τhe ID of the application to be updated.
MGMT\_API\_ACCESS\_TOKEN Access Tokens for the Management API with the scope update:clients.
GRANT\_TYPES The grant types you would like to enable for the specified application.
## Troubleshoot Attempting to use a flow with an application lacking the appropriate `grant_types` for that flow (or with the field empty) will result in the following error: ``Grant type `grant_type` not allowed for the client.`` ## Learn more * [Application Grant Types](/docs/get-started/applications/application-grant-types) # Subdomain URL Placeholders Source: https://auth0.com/docs/get-started/applications/wildcards-for-subdomains Describes placeholders, including wildcard and organization placeholders, for subdomains function in application configuration. You can use various placeholders to act as dynamic text entries in your URLs. ## How URL evaluation works A URL containing an `{organization_name}` placeholder will only be evaluated when all the following conditions are met: * The application has the `organization_usage` set to `allow` or `require` * A transaction was performed in the context of an organization (for example, initiating an authorization transaction with the organization parameter: `/authorize?organization=org_bVss9Do3994SIbiH&…`) URLs with the `{organization_name}` placeholder will be evaluated in addition to exact match URLs (`https://app.exampleco.com`) and URLs with wildcards (`https://*.exampleco.com`). You must not rely on any specific order of evaluation of the URLs. Avoid registering URLs with wildcard and Organization placeholders in the same configuration field for an application as it may lead to undesirable behavior and make troubleshooting difficult. As an example, consider an application with two **Allowed Callback URLs**: `https://*.exampleco.com` and `https://{organization_name}.exampleco.com`. A `redirect_uri` with the value of `https://company-a.exampleco.com` would be considered valid even if there were no Organizations with the name `company-a` registered in your tenant; this is due to the evaluation of the wildcard placeholder. ## Wildcard URL placeholders Wildcard placeholders in subdomains **should not** be used in production applications. Auth0 recommends URLs with the `{organization_name}` placeholder where relevant. Manage these settings in [Dashboard > Applications > Applications](https://manage.auth0.com/#/applications) in the following fields: * **Allowed Callback URLs**: List of URLs to which Auth0 is allowed to redirect users after they authenticate. * **Allowed Logout URLs**: List of URLs to which you can redirect users after they log out from Auth0. * **Allows Web Origins**: List of URLs from where an authorization request using [Cross-Origin Authentication](/docs/authenticate/login/cross-origin-authentication), [Device Flow](/docs/get-started/authentication-and-authorization-flow/device-authorization-flow), and [web\_message as the response mode](/docs/authenticate/protocols/oauth) can originate. * **Allowed Origins (CORS)**: List of URLs that will be allowed to make requests from JavaScript to Auth0 API (typically used with CORS). Avoid using wildcard placeholders for subdomains in production application callbacks and allowed origins as it can make your application vulnerable to attacks. You can use the star symbol (`*`) as a wildcard for subdomains, but it must be used in accordance with the following rules in order to properly function: * The protocol of the URL **must** be `http` or `https`. Protocols such as `com.example.app` and `service:jmx:rmi` will not work. * The wildcard **must** be located in a subdomain within the hostname component. `https://*.com` will not work. * The wildcard **must** be located in the subdomain furthest from the root domain. `https://sub.*.example.com` will not work. * The URL **must not** contain more than one wildcard. `https://*.*.example.com` will not work. * A wildcard **may** be prefixed and/or suffixed with additional valid hostname characters. `https://prefix-*-suffix.example.com` will work. * A URL with a valid wildcard **will not** match a URL more than one subdomain level in place of the wildcard. `https://*.example.com` will not work with `https://sub1.sub2.example.com`. ## Organization URL placeholders You can use `{organization_name}` as a placeholder to dynamically specify a registered organization’s name in a URL (`https://{organization_name}.exampleco.com`). URLs with the `{organization_name}` placeholder should only be used on domains that you fully control (for example, `https://{organization_name}.exampleco.com` where you control the `exampleco.com` domain). Manage these settings in [Dashboard > Applications > Applications](https://manage.auth0.com/#/applications) in the following fields: * **Allowed Callback URLs**: List of URLs to which Auth0 is allowed to redirect users after they authenticate. * **Allowed Origins (CORS)**: List of URLs that will be allowed to make requests from JavaScript to Auth0 API (typically used with CORS). The following restrictions apply when using the `{organization_name}` placeholder: * The protocol of the URL must be `http:` or `https:`. `com.example.app://{organization_name}.exampleco.com` will not work. * The placeholder must be located in a subdomain within the hostname component. `https://{organization_name}` or `https://exampleco.com/{organization_name}` will both not work. * The placeholder must be located in the subdomain furthest from the root domain. `https://sub.{organization_name}.exampleco.com` will not work. * The URL must not contain more than one placeholder. `https://{organization_name}.{organization_name}.exampleco.com` will not work. * A placeholder must not be prefixed nor suffixed with additional valid hostname characters. `https://prefix-{organization_name}-suffix.exampleco.com` will not work. * A placeholder **must not** be used in conjunction with a wildcard in the URL. `https://{organization_name}.*.exampleco.com` will not work. ## Custom domain URL placeholders You can use `{custom_domain.metadata.KEY}` as a placeholder to dynamically specify a URL based on metada associated with the Custom Domain used in the request. This allows you to support multiple custom domains with different application URLs within the same tenant. For a comprehensive overview of this feature, see [Multiple Custom Domains](/docs/customize/custom-domains/multiple-custom-domains) ### Validation rules The following restrictions apply when using Custom Domain placeholders: * **Public prefix required**: The metadata key used in the placeholder must start with `public_` or `PUBLIC_` (for example, `{custom_domain.metadata.public_callback_subdomain}`). Keys without this prefix are ignored at runtime for security reasons. * **Protocol**: The protocol of the URL must be `http` or `https`. * **Location**: The placeholder must be located in the domain or subdomain component. It cannot be used in the URL path. * Valid: `https://{custom_domain.metadata.public_app_url}.example.com/login` * Invalid: `https://example.com/{custom_domain.metadata.public_path}` * **Nesting**: You cannot access nested metadata properties. Only top-level keys are supported. * **No wildcards**: A custom domain placeholder must not be used in conjunction with a wildcard (`*`) in the same URL. * **Data type**: The value in the custom domain metadata must be a String. If the key does not exist, or the value is not a String, the URL is ignored during validation. ### Supported fields These placeholders can be configured for the following Application URLs: * Allowed Callback URLs * Allowed Logour URLs * Allowed Web Origins * Allowed Origins (CORS) For more information, see [Application Settings](https://auth0.com/docs/get-started/applications/application-settings#application-uris). Custom domain placeholders are not supported for third-party applications. ### Using with Organization placeholders You can combine the Custom Domain placeholder with the `{organization_name}` placeholder, as long as your flow supports it. Both placeholders are evaluated and replaced at runtime. ## Learn more * [Confidential and Public Applications](/docs/get-started/applications/confidential-and-public-applications) * [First-Party and Third-Party Applications](/docs/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) * [Enable Third-Party Applications](/docs/get-started/applications/confidential-and-public-applications/enable-third-party-applications) # Test Applications Locally Source: https://auth0.com/docs/get-started/applications/work-with-auth0-locally Learn how to develop and test Auth0 applications. In most cases, authenticating users through Auth0 requires an internet connection. However, you can still develop and test apps that use Auth0 locally. In some cases, you might not need access to an internet connection. To learn how to structure your development, test, and production environments when using Auth0, see [Set Up Multiple Environments](/docs/get-started/auth0-overview/create-tenants/set-up-multiple-environments). ## Use JSON Web Tokens with client-side applications Because [JSON Web Tokens (JWTs)](/docs/secure/tokens/json-web-tokens) are stateless (that is, the app that consumes them cares only about its contents, not any of its previous states), this is one of the easiest scenarios to test locally. You can obtain JWTs for testing using any of the following methods: 1. Create a test user for a [database connection](/docs/get-started/applications/set-up-database-connections), and programmatically log the user in. Essentially, you are using the [Resource Owner Password Flow](/docs/get-started/authentication-and-authorization-flow/resource-owner-password-flow). For detailed implementation instructions, read [Call Your API Using the Resource Owner Password Flow](/docs/get-started/authentication-and-authorization-flow/resource-owner-password-flow/call-your-api-using-resource-owner-password-flow). 2. Use a browser bot to play the role of a user, log in and retrieve a JWT. ## Use sessions with server-side applications Unless your server-side application allows the generation of artificial sessions for testing, you'll need a way to perform a login through Auth0 manually. For a high-level overview of how to do this, see [Authorization Code Flow](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow). For detailed implementation instructions, see our tutorial, [Add Login Using the Authorization Code Flow](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow/add-login-auth-code-flow). ## Use local domains with Auth0 If you're developing your application locally, you can use `localhost` and other domains inaccessible by Auth0 (such as those on an intranet) as [callback URLs](/docs/authenticate/login/redirect-users-after-login). For example, during development, you could use `http://localhost:3000/callback` as the callback URL. 1. Go to [Auth0 Dashboard > Applications > Applications](https://manage.auth0.com/#/applications/\{yourClientId}/settings) and click the application. 2. Add the URL to the **Allowed Callback URLs** list. Because Auth0's main identity protocol is [OpenID Connect (OIDC)](/docs/authenticate/protocols/openid-connect-protocol), Auth0 never needs to directly call your application's server. Instead, Auth0 redirects users to your application's endpoint(s) with required information contained in a query string or hash fragment. ## Divert emails for testing If you want to test your local application and do not want the emails (creation, validation, etc.) to be delivered to the actual email address of the users your application creates or validates, Auth0 recommends using a custom email provider. For example, a service like [Mailtrap](https://mailtrap.io/signin) or your own custom SMTP server implementation can apply whatever logic you require to trap the emails. This ensures that users do not receive emails but you can access them for validation and troubleshooting. To learn more, read [Configure Test SMTP Email Server](/docs/customize/email/configure-test-smtp-email-servers). Auth0 does not allow certain "false" domains commonly used during testing. Use real email addresses to avoid disruption or errors. ## Learn more * [Verify Domain](/docs/troubleshoot/basic-issues/verify-domain) * [Verify Platform](/docs/troubleshoot/basic-issues/verify-platform) # Auth0 Overview Source: https://auth0.com/docs/get-started/auth0-overview Describes Auth0 services and helps you get started using them with your applications and APIs. Auth0 is a flexible, drop-in solution to add authentication and authorization services to your applications. Your team and organization can avoid the cost, time, and risk that come with building your own solution to authenticate and authorize users. Take a look at just a few of Auth0's use cases: * You built an awesome app and you want to add user authentication and authorization. Your users should be able to log in either with an identifier (username, email, or phone number) and password or with their social accounts (such as Facebook or X). You want to retrieve the user's profile after the login so you can customize the UI and apply your authorization policies. * You built an API and you want to secure it with [OAuth 2.0](/docs/authenticate/protocols/oauth). * You have more than one app, and you want to implement [Single Sign-on (SSO)](/docs/authenticate/single-sign-on). * You built a JavaScript front-end app and a mobile app, and you want them both to securely access your API. * You have a web app that needs to authenticate users using [Security Assertion Markup Language (SAML)](/docs/authenticate/protocols/saml/saml-configuration). * You believe passwords are broken and you want your users to log in with one-time codes delivered by email or SMS. * If one of your user's email addresses is compromised in some site's public data breach, you want to be notified, and you want to notify the users and/or block them from logging in to your app until they reset their password. * You want to act proactively to block suspicious IP addresses if they make consecutive failed login attempts, in order to avoid DDoS attacks. * You are part of a large organization that wants to federate your existing enterprise directory service to allow employees to log in to the various internal and third-party applications using their existing enterprise credentials. * You don't want (or you don't know how) to implement your own user management solution. Password resets, creating, provisioning, blocking, and deleting users, and the UI to manage all these. You just want to focus on your app. * You want to enforce [multi-factor authentication (MFA)](/docs/secure/multi-factor-authentication) when your users want to access sensitive data. * You are looking for an identity solution that will help you stay on top of the constantly growing compliance requirements of SOC2, GDPR, PCI DSS, HIPAA, and others. * You want to monitor users on your site or application. You plan on using this data to create funnels, measure user retention, and improve your sign-up flow. * You want robust authorization policy to allow your users access to resources based on [their relationship](https://docs.fga.dev/authorization-concepts) to the resource or [their role](/docs/manage-users/access-control/rbac) in your organization.
Read... To learn...                                
Auth0 Dashboard About the Auth0 Dashboard and features you can access to implement authentication and authorization with your applications and APIs.
Create Tenants How to create tenants using the Auth0 Dashboard or the Management API, explore creating multiple tenants and child tenants, and learn about setting up multiple environments.
Create Applications How to set up and configure applications in the Auth0 Dashboard.
Register APIs How to set up and configure APIs in the Auth0 Dashboard.
## Learn more * [Create Tenants](/docs/get-started/auth0-overview/create-tenants) * [Auth0 Dashboard](/docs/get-started/auth0-overview/dashboard) * [Architecture Scenarios](/docs/get-started/architecture-scenarios) * [Protocols](/docs/authenticate/protocols) # Create Applications Source: https://auth0.com/docs/get-started/auth0-overview/create-applications Learn how to set up and configure applications in the Auth0 Dashboard. An **application** in Auth0 can be a native app that executes on a mobile device, a single-page web app that executes on a browser, or a regular web application that executes on a server. When you create an application in the Auth0 Dashboard, Auth0 assigns it a **client ID** which is an alphanumeric string that is the unique identifier for your application. You will use this ID in your application code when you call Auth0 APIs. You can't modify the client ID. Another important piece of information is the **client secret**. It must be kept confidential at all times. If anyone gains access to your application's client secret, then they can impersonate your application and access protected resources. It is important that you select the correct application type to help Auth0 check for certain security risks. 1. Go to [Dashboard > Applications > Applications](https://manage.auth0.com/#/applications). 2. Click **Create Application**. 3. Give your new application a descriptive name. 4. Choose from the following app types: * **Native Applications**: These applications include mobile, desktop, or hybrid apps running natively on a device (e.g., i0S, Android). * **Single-Page Web Applications**: These applications include JavaScript apps that perform most of their user interface logic in a web browser, communicating with a web server primarily using APIs (e.g., AngularJS + Node.js or React). * **Regular Web Applications**: These applications are traditional web applications that perform most of their application logic on the server (e.g., Express.js, ASP.NET). * **Machine-to-Machine Applications**: These applications include non-interactive applications, such as command-line tools, daemons, IoT devices, or services running on your back-end. 5. Click **Create**. The **Application** **Details** page appears which includes the following tabs:
Settings Tab Description
Quick Start Shows all the available documentation for your application type.
Settings Shows all available settings for your application. By default, most of the settings will be created for you. To learn more, read Application Settings.
Credentials Shows the application’s authentication method and configured credentials. To learn more, read Application Credentials
Add-ons Allows you to enable plugins associated with an application. These are SAML or WS-Fed web apps for which Auth0 generates access tokens. To learn more, read Enable SAML2 Web App Addon and Configure WS-Fed Applications.
Connections Allows you to enable connections for your application. Connections are sources of users; they can be enabled and shared between multiple applications. To learn more, read Connections.
Organizations Allows you to authenticate users into organizations to which they belong. To learn more, read Organizations.
## Learn more * [Register Native Applications](/docs/get-started/auth0-overview/create-applications/native-apps) * [Register Single-Page Web Applications](/docs/get-started/auth0-overview/create-applications/single-page-web-apps) * [Register Regular Web Applications](/docs/get-started/auth0-overview/create-applications/regular-web-apps) * [Register Machine-to-Machine Applications](/docs/get-started/auth0-overview/create-applications/machine-to-machine-apps) * [Application Settings](/docs/get-started/applications/application-settings) * [Remove Applications](/docs/get-started/applications/remove-applications) # Configure an Identity Provider in Access Gateway Source: https://auth0.com/docs/get-started/auth0-overview/create-applications/configure-an-identity-provider-in-access-gateway Configure an identity provider in OAG To integrate Auth0 with a machine-to-machine (M2M) application, you must first register your app with Auth0 using the Auth0 Dashboard. 1. Go to [Dashboard > Applications > Applications](https://manage.auth0.com/#/applications) and click **Create Application**. 2. Enter a descriptive name for your application, select **Machine to Machine Applications**, and click **Create**. 3. Select the Management API to authorize M2M communication, as this is how OAG interacts with Auth0. 4. Click **Authorize**. 5. Each M2M app that accesses an API must be granted a set of permissions (or scopes) that should be granted by the authenticated user. Select the **Permissions** that you want to be issued as part of your application's access token. OAG requires the following permissions for the **client** and **users:** * `read:client, write:client, update:client, delete:client` * `read:users` 6. Click **Authorize**. 7. Select the **Credentials** tab of your application. 8. Click the **Client ID** and copy it into a text editor app. 9. Click the **Client Secret** and copy it into a text editor app. 10. Continue with the \[Configure an Identity Provider in Access Gateway]\(/docs/Configure an Identity Provider in Access Gateway) procedure. # Register Machine-to-Machine Applications Source: https://auth0.com/docs/get-started/auth0-overview/create-applications/machine-to-machine-apps Learn how to register and configure a machine-to-machine (M2M) application using the Auth0 Dashboard and authorize it using the Management API test feature. To integrate Auth0 with a machine-to-machine (M2M) application, you must first register your app with Auth0 using the Auth0 Dashboard. These apps may include non-interactive apps, such as command-line tools, daemons, IoT devices, or services running on your back-end. M2M apps are linked to an API and its permissions or [scopes](/docs/get-started/apis/scopes/api-scopes), which are selected from pre-defined values. Make sure you have already [registered the associated API](/docs/get-started/auth0-overview/set-up-apis) with Auth0 and defined scopes for the API before beginning this registration. If you want to authorize your application to access only the Auth0 Management API, you do not need to register a separate API; the Management API is pre-populated for you. To integrate Auth0 with a machine-to-machine (M2M) application, you must first register your app with Auth0 using the Auth0 Dashboard. 1. Go to [Dashboard > Applications > Applications](https://manage.auth0.com/#/applications) and click **Create Application**. 2. Enter a descriptive name for your application, select **Machine to Machine Applications**, and click **Create**. 3. Select the API you want to be able to call from your application. 4. Each M2M app that accesses an API must be granted a set of permissions (or scopes) that should be granted by the authenticated user. To learn how to add permissions, see [Add API Permissions](/docs/get-started/apis/add-api-permissions). Select the **Permissions** that you want to be issued as part of your application's access token, and click **Authorize**. Use the `update:client_grants` and `create:client_grants` scopes with only high-privileged applications, as they allow the client to grant further permissions to itself. Once the new application is created, you can configure **Application Settings** which includes the following tabs:
Settings Tab Description
Quick Start Shows all the available examples for \$ applications. It also shows you how you can call your API using various technologies. To learn how to accept and validate Access Tokens in your API, see our Backend/API Quickstarts.
Settings Shows all available settings for your application. By default, Auth0 creates most of these settings for you.
Credentials Shows the application’s authentication method and configured credentials. To learn more, read Application Credentials
APIs Allows you to authorize additional APIs for use with your Application.
Login Experience Allows you to configure the login experience for users in your Organization. For more information, see [Understand How Auth0 Organizations Work](/docs/manage-users/organizations/organizations-overview#login-experience)
To learn more, read [Application Settings](/docs/get-started/applications/application-settings). ## Next steps Once you have registered and configured your application, some common next steps are: * Configure an identity provider connection and enable it for your application (if needed for your use case). * Modify your app code to use your Auth0-registered application. See our [Auth0 Quickstarts](/docs/quickstarts), where you'll find detailed instructions and samples for a variety of technologies. You'll also learn how to implement login and logout, handle your user sessions, retrieve and display user profile information, and more. * Use [Auth0 APIs](/docs/api). * The [Authentication API](https://auth0.com/docs/api/authentication) handles all primary identity-related functions (for example, login, logout, and get user profile). Most users consume this API through our Quickstarts, the [Auth0.js library](/docs/libraries/auth0js), or the [Lock widget](/docs/libraries/lock). However, if you are building all of your authentication UI manually, you will have to interact with this API directly. * The [Management API](https://auth0.com/docs/api/management/v2) allows you to automate various tasks that can also be accessed via the Dashboard in Auth0 (for example: creating users, setting application grant types). ## Learn more * [Register APIs](/docs/get-started/auth0-overview/set-up-apis) * [Create Machine-to-Machine Applications for Testing](/docs/get-started/apis/create-m2m-app-test) * [Application Settings](/docs/get-started/applications/application-settings) * [Add API Permissions](/docs/get-started/apis/add-api-permissions) * [Delete API Permissions](/docs/get-started/apis/delete-api-permissions) # Register Native Applications Source: https://auth0.com/docs/get-started/auth0-overview/create-applications/native-apps Learn how to register and configure a native application using the Auth0 Dashboard. To integrate Auth0 with a native application, you must first register your app with Auth0 using the Auth0 Dashboard. Native apps should use the Authorization Code flow with PKCE for secure authentication. To learn more, read [Authorization Code Flow with PKCE](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce). These apps may include mobile, desktop, or hybrid apps running natively in a device (for example, iOS, Android). 1. Go to [Dashboard > Applications > Applications](https://manage.auth0.com/#/applications) and click **Create Application**. 2. Enter a descriptive name for your application, select **Native**, and click **Create**. Once you create the application, Auth0 directs you to **Application Settings**, which includes the following tabs:
Settings Tab Description
Quick Start Shows all the available documentation for your application type.
Settings Shows all available settings for your application. By default, most of the settings will be created for you. To learn more, read Application Settings.
Credentials Shows the application’s authentication method and configured credentials. To learn more, read Application Credentials
Add-ons Allows you to enable plugins associated with an application. Add-ons are primarily used for SAML or WS-Fed integrations and are typically not applicable to native applications. To learn more, read Enable SAML2 Web App Addon and Configure WS-Fed Applications.
Connections Allows you to enable connections for your application. Connections are sources of users; they can be enabled and shared between multiple applications. To learn more, read Connections.
Organizations Allows you to authenticate users into organizations to which they belong. To learn more, read Organizations.
Login Experience Allows you to configure the login experience for users in your Organization. For more information, read [Understand how Auth0 Organizations Work](/docs/manage-users/organizations/organizations-overview#login-experience).
To learn more, read [Application Settings](/docs/get-started/applications/application-settings). 3. If you're developing a mobile app, provide the necessary iOS/Android parameters in the **Advanced Settings** area, and click **Save Changes**. * For iOS apps, [provide your **Team ID** and **App Bundle Identifier**](/docs/get-started/applications/enable-universal-links-support-in-apple-xcode). * For Android apps, [provide your **App Package Name** and your **Key Hashes**](/docs/get-started/applications/enable-android-app-links-support). ## Next steps Once you have registered and configured your application, some common next steps are: * Configure a connection and enable it for your application. * Modify your app code to use your Auth0-registered application. See our [Auth0 Quickstarts](/docs/quickstarts), where you'll find detailed instructions and samples for a variety of technologies. You'll also learn how to implement login and logout, handle your user sessions, retrieve and display user profile information, and more. * Use [Auth0 APIs](/docs/api). * The [Authentication API](https://auth0.com/docs/api/authentication) handles all primary identity-related functions (for example, login, logout, and get user profile). Most users consume this API through our Quickstarts, the [Auth0.js library](/docs/libraries/auth0js), or the [Lock widget](/docs/libraries/lock). However, if you are building all of your authentication UI manually, you will have to interact with this API directly. * The [Management API](https://auth0.com/docs/api/management/v2) allows you to automate various tasks that can also be accessed via the Dashboard in Auth0 (for example: creating users, setting application grant types). ## Learn more * [Application Settings](/docs/get-started/applications/application-settings) * [Add Bot Detection to Native Applications](/docs/secure/attack-protection/bot-detection/bot-detection-native-apps) # Register Regular Web Applications Source: https://auth0.com/docs/get-started/auth0-overview/create-applications/regular-web-apps Learn how to register and configure a regular web application using the Auth Dashboard. To integrate Auth0 with a regular web app, you must first register your app with Auth0 using the Auth0 Dashboard. Regular web apps are traditional web applications that perform most of their application logic on the server (for example, Express.js, ASP.NET). To learn more about application types, read [Application Types](/docs/get-started/applications). 1. Go to [Dashboard > Applications > Applications](https://manage.auth0.com/#/applications) and click **Create Application**. 2. Enter a descriptive name for your application, select **Regular Web Applications**, and click **Create**. Once the new application is created, you can view the **Application Settings** page, which includes the following tabs:
Settings Tab Description
Quick Start Shows all the available documentation for your application type.
Settings Shows all available settings for your application. By default, most of the settings will be created for you. To learn more, read Application Settings.
Credentials Shows the application’s authentication method and configured credentials. To learn more, read Application Credentials
Add-ons Allows you to enable plugins associated with an application. These are SAML or WS-Fed web apps for which Auth0 generates access tokens. To learn more, read Enable SAML2 Web App Addon and Configure WS-Fed Applications.
Connections Allows you to enable connections for your application. Connections are sources of users; they can be enabled and shared between multiple applications. To learn more, read Connections.
Organizations Allows you to authenticate users into organizations to which they belong. To learn more, read Organizations.
Login Experience Allows you to configure the login experience for users in your Organization. For more information, read [Understand how Auth0 Organizations Work](/docs/manage-users/organizations/organizations-overview#login-experience).
To learn more, read [Application Settings](/docs/get-started/applications/application-settings). 3. Scroll down and locate the **Trust Token Endpoint IP Header** setting. If your application architecture supports it, enable this setting and click **Save Changes**. This setting helps protect against brute-force attacks by allowing Auth0 to trust IP headers from your proxy. ## Next steps Once you have registered and configured your application, follow these next steps: 1. Configure a connection and enable it for your application. 2. Implement authentication in your app code by using your Auth0-registered application. See our [Auth0 Quickstarts](/docs/quickstarts), where you'll find detailed instructions and samples for a variety of technologies. You'll also learn how to implement login and logout, handle your user sessions, retrieve and display user profile information, and more. * Use [Auth0 APIs](/docs/api). * The [Authentication API](https://auth0.com/docs/api/authentication) handles all primary identity-related functions (for example, login, logout, and get user profile). Most users consume this API through our Quickstarts, the [Auth0.js library](/docs/libraries/auth0js), or the [Lock widget](/docs/libraries/lock). However, if you are building all of your authentication UI manually, you can interact with this API directly. * The [Management API](https://auth0.com/docs/api/management/v2) allows you to automate various tasks that you can also access via the Auth0 Dashboard (for example, creating users and setting application grant types). ## Learn more * [Application Settings](/docs/get-started/applications/application-settings) * [Regular Web Applications with Single Sign-On](/docs/get-started/architecture-scenarios/sso-for-regular-web-apps) # Register Single-Page Web Applications Source: https://auth0.com/docs/get-started/auth0-overview/create-applications/single-page-web-apps Learn how to register a single-page web application (SPA) using the Auth0 Dashboard. To integrate Auth0 with a single-page web app, you must first register your app with Auth0 using the Dashboard. 1. Go to [Dashboard > Applications > Applications](https://manage.auth0.com/#/applications) and click **Create Application**. 2. Enter a descriptive name for your application, select **Single-Page Web Applications**, and click **Create**. Once the new application is created, you can view the **Application Settings** page, which includes the following tabs:
Settings Tab Description
Quick Start Shows all the available documentation for your application type.
Settings Shows all available settings for your application. By default, most of the settings will be created for you. To learn more, read Application Settings.
Credentials Shows the application’s authentication method and configured credentials. To learn more, read Application Credentials
Add-ons Allows you to enable plugins associated with an application. These are typically used for SAML or WS-Fed integrations, which are not commonly needed for SPAs. To learn more, read Enable SAML2 Web App Addon and Configure WS-Fed Applications.
Connections Allows you to enable connections for your application. Connections are sources of users; they can be enabled and shared between multiple applications. To learn more, read Connections.
Organizations Allows you to authenticate users into organizations to which they belong. To learn more, read Organizations.
Login Experience Allows you to configure the login experience for users in your Organization. For more information, read [Understand how Auth0 Organizations Work](/docs/manage-users/organizations/organizations-overview#login-experience).
To learn more, read [Application Settings](/docs/get-started/applications/application-settings). ## Next steps Once you have registered your application, review and complete these configuration steps: * Configure at least one connection (such as a database connection or social login) and enable it for your application. Without an enabled connection, users cannot authenticate. * Modify your app code to use your Auth0-registered application. Review our [Auth0 Quickstarts](/docs/quickstarts), where you'll find detailed instructions on how to implement login and logout, handle your user sessions, retrieve and display user profile information, and more. * Use [Auth0 APIs](/docs/api). * The [Authentication API](https://auth0.com/docs/api/authentication) handles all primary identity-related functions (for example, login, logout, and get user profile). Most users consume this API through our Quickstarts, the [Auth0 SPA SDK](/docs/libraries/auth0-spa-js), or the [Lock widget](/docs/libraries/lock). For legacy applications, see the [Auth0.js library](/docs/libraries/auth0js). However, if you are building all of your authentication UI manually, you will have to interact with this API directly. * The [Management API](https://auth0.com/docs/api/management/v2) allows you to automate various tasks that can also be accessed via the Dashboard in Auth0 (for example: creating users, setting application grant types). ## Learn more * [Application Settings](/docs/get-started/applications/application-settings) * [Authenticate Single-Page Apps With Cookies](/docs/manage-users/cookies/spa-authenticate-with-cookies) * [Get Management API Access Tokens for Single-Page Applications](/docs/secure/tokens/access-tokens/management-api-access-tokens/get-management-api-tokens-for-single-page-applications) # Create Tenants Source: https://auth0.com/docs/get-started/auth0-overview/create-tenants Describes how to create a tenant and learn the basics of Auth0 and familiarize yourself with the terminology. We will walk through the initial steps of getting started using Auth0 to familiarize you with the key concepts of the Auth0 service. We will use the company **Example-Co** to help describe some of the steps involved. ## Set up an Auth0 account If you haven't already [signed up](https://auth0.com/signup) for an Auth0 **account**, do so (it's free). You can either use username/email/phone and password or log in with a social provider (such as LinkedIn, Microsoft, GitHub, or Google). ## Create a tenant and domain Once you create your account you will be asked to create a **tenant**. Everything starts with an Auth0 tenant. This is where you configure your use of Auth0, and then where Auth0 assets - such as [applications](/docs/get-started/applications), [connections](/docs/authenticate/identity-providers), and [user profiles](/docs/get-started/architecture-scenarios/business-to-business/profile-management) - are defined, managed and stored. You access an Auth0 tenant via the Auth0 [Dashboard](/docs/get-started/auth0-overview/dashboard), where you can also create additional, associated tenants. You can create more than one Auth0 tenant so that you can structure your tenants in a way that will isolate different domains of users and also support your Software Development Life Cycle (SDLC). **Tenant names cannot be changed or reused once deleted.** So, make sure you're happy with the name(s) before you create your Auth0 tenants. Determining the level of isolation you require when it comes to your user domains is an important step, and together with your branding requirements helps you determine the number of Auth0 tenants needed in your environment. The number of Auth0 tenants you need to manage can quickly grow so consider carefully before creating multiple Auth0 tenants for production. Tenant characteristics: * The tenant name has to be unique. It will be used to create your personal domain. * The tenant name can contain only lowercase alphanumeric characters and hyphens ("-"). It cannot begin or end with a hyphen. * The tenant name must be a minimum of 3 characters and a maximum of 63 characters. * The tenant name cannot be changed after creation. * You can create more than one tenant; in fact, you are encouraged to do so for each environment you may have such as development, staging, or production. To learn more, read [Set Up Multiple Environments](/docs/get-started/auth0-overview/create-tenants/set-up-multiple-environments). When you name your tenant, that name becomes part of your Auth0 **domain** until and unless you create a custom domain. This domain is the base URL used to access the Auth0 API and the URL where your users authenticate. ### Region, locality, and sub-locality The domain name is also made up of the locality value from a **region**. We support the following locality values for the [public cloud deployment option](/docs/deploy-monitor/deployment-options):
Region Locality Sub-localities
Australia AU AU
Canada CA CA
Europe EU EU, EU-2
Japan JP JP
United Kingdom UK UK
United States of America US US, US-3, US-4, US-5
Each of these localities is separated into a sub-locality (or **tenant environment**) with a digit after the locality, e.g. `EU-2`. Tenant environments cannot be chosen manually, but localities based on the selected region may be specified, which control the assigned tenant domain and the region where your data will be hosted. In our example, **Example-Co** chose the name `example-co` and AU as their region. So their domain is `example-co.au.auth0.com`. ## Custom domains We recommend the use of custom domains, such as `example-co.com`, in production environments to provide your users with the most secure and seamless experience. If you have a **single-tenant** implementation, custom domain certificates can be managed by Auth0 or self-managed by you. To learn more, read [Custom Domains](/docs/customize/custom-domains). ## What's next * **Create and register applications**: Now that you have an account and a domain, you need to register each application that will use our services in the [Auth0 Dashboard](https://manage.auth0.com/#/applications). To learn more, read [Applications in Auth0](/docs/get-started/applications) and [Create Applications](/docs/get-started/auth0-overview/create-applications). * **Set up connections**: Next, you need to set up how your users will authenticate during log in. Auth0 sits between your app and the identity provider that authenticates your users (such as Google or Facebook). The relationship between Auth0 and the identity provider is referred to as a **connection**. By using this connection layer, Auth0 keeps your app isolated from any changes that occur with the identity provider's implementation. To learn more, read [Authentication and Authorization](/docs/get-started/identity-fundamentals/authentication-and-authorization) and [Connections](/docs/authenticate/identity-providers). ## Extend Auth0's functionality Auth0 offers several ways to extend the platform's functionality: * [Actions](/docs/customize/actions): Actions are secure, tenant-specific, versioned functions written in Node.js that execute at certain points within the Auth0 platform. Use Actions to customize and extend Auth0's capabilities with custom login. * [Rules](/docs/customize/rules): Rules are functions written in JavaScript or C#, that are executed in Auth0 just after successful authentication and before control returns to your app. Rules can be chained together for modular coding and can be turned on and off individually. You can use Rules for: * Access control * Webhooks * Profile enrichment * Multi-factor authentication (MFA) * [Hooks](/docs/customize/hooks): Hooks allow you to customize the behavior of Auth0 using Node.js code that is executed against extensibility points (which are comparable to webhooks that come with a server). They are secure, self-contained functions associated with specific extensibility points of the Auth0 platform. Auth0 invokes the Hooks at runtime to execute your custom logic. * [Extensions](/docs/customize/extensions): Auth0 Extensions enable you to install applications or run commands/scripts that extend the functionality of the Auth0 base product. You can either use one of the pre-defined extensions, provided by Auth0, or create your own. Some of the actions you can do with extensions include: * Manage the authorizations for users (using groups, roles, and permissions) * Import/export users * Export logs to other services * Deploy scripts from external repositories ## Learn more * [Tenant Settings](/docs/get-started/tenant-settings) * [Create Multiple Tenants](/docs/get-started/auth0-overview/create-tenants/create-multiple-tenants) * [Link Multiple Tenants to a Single Subscription](/docs/get-started/auth0-overview/create-tenants/child-tenants) * [Set Up Multiple Environments](/docs/get-started/auth0-overview/create-tenants/set-up-multiple-environments) # Link Multiple Tenants to a Single Subscription Source: https://auth0.com/docs/get-started/auth0-overview/create-tenants/child-tenants Learn how to request linking of multiple tenants under a single Auth0 subscription. Auth0 offers the ability for customers with an Enterprise subscription to link multiple tenants under a single Auth0 subscription (these linked tenants can also be referred to as child tenants). This feature can be useful under the following situations: * Separate development and production tenants while keeping the same feature access on development tenants as available in production tenants * Own more than one production tenant under a single Enterprise subscription ## Linking tenants Enterprise subscription automatically allows for users to link tenants under an existing Auth0 subscription by selection "Custom Agreement" option from Create Under when creating new tenants. If you need to link previously created tenants that are not currently part of your Enterprise subscription, contact your designated Technical Account Manager. You can also link accounts if you have a self-service tenant. To learn more, read [Tenant Management](/docs/get-started/auth0-teams/tenant-management). ## Usage Consolidation Usage from linked tenants count toward the Enterprise subscription limits and are aggregated under applicable usage and quota reports. ## Learn more * [Create Multiple Tenants](/docs/get-started/auth0-overview/create-tenants/create-multiple-tenants) * [Delete or Reset Tenants](/docs/troubleshoot/customer-support/manage-subscriptions/delete-or-reset-tenant) * [Set Up Multiple Environments](/docs/get-started/auth0-overview/create-tenants/set-up-multiple-environments) # Create Multiple Tenants Source: https://auth0.com/docs/get-started/auth0-overview/create-tenants/create-multiple-tenants Describes how to create an additional tenant using the Auth0 Dashboard. You can configure multiple tenants to create [different environments](/docs/get-started/auth0-overview/create-tenants/set-up-multiple-environments) in the Auth0 Dashboard to allow for complex configurations. For example, you could have two separate domains (one internal and one public-facing), or you may want users to log in differently for different applications. The way to accomplish this is to create more than one Auth0 tenant to allow you to have separate sets of applications, connections, and users for the applications and groups of users that you need to support. 1. Go to the [Auth0 Dashboard](https://manage.auth0.com/#/), select your tenant name, and select **Create Tenant**. Dashboard Tenant Drop-Down Menu Create Tenant 2. Enter your desired **Tenant Domain**, select a **Region**, and select **Create**. ## Learn more * [Multiple Organization Architecture](/docs/get-started/architecture-scenarios/multiple-organization-architecture) * [Set Up Multiple Environments](/docs/get-started/auth0-overview/create-tenants/set-up-multiple-environments) * [Delete or Reset Tenants](/docs/troubleshoot/customer-support/manage-subscriptions/delete-or-reset-tenant) * [Multi-Tenant Applications Best Practices](/docs/get-started/auth0-overview/create-tenants/multi-tenant-apps-best-practices) * [Tenant Settings](/docs/get-started/tenant-settings) # Multi-Tenant Applications Best Practices Source: https://auth0.com/docs/get-started/auth0-overview/create-tenants/multi-tenant-apps-best-practices Describes best practices for how to use Auth0 to secure your multi-tenant applications. Multi-tenancy is an architectural approach featuring a single instance of software that runs on a server and is accessible by multiple groups of users. With multi-tenancy, you can segment users with shared characteristics into groups and grant them separate permissions and levels of access to your application. This allows you to create and maintain tailored experiences for different customers, business units, or other defined groups of users. In Auth0, the best method for implementing multi-tenancy is [Auth0 Organizations](/docs/manage-users/organizations/organizations-overview). If necessary, other legacy solutions can be used to accommodate distinct business use cases. If you offer a [business-to-business (B2B)](/docs/get-started/architecture-scenarios/business-to-business) product or service, setting up multi-tenancy for your business users may be beneficial for your use case. The sections below outline the options available for implementing multi-tenancy in Auth0. This article uses the software architecture term "tenant" to refer to a group of users who can access your application. When referring to your Auth0 instance, the term "Auth0 tenant" is used. ## Auth0 Organizations For most multi-tenant use cases, Auth0 Organizations is the ideal solution for you and your users. Auth0 Organizations supports business-to-business (B2B) implementations that have one or more applications that end-users can access. Common features of B2B implementations include: * A product that is licensed to another business for use by their employees. * Multiple organizations that require their own federation and lightweight branding of the authentication experience. * Separate levels of application access for different groups of users. With Auth0 Organizations, you can create unique groups of users and tailor their experiences with [role-based access control](/docs/manage-users/access-control/rbac), [customized login pages and email templates](/docs/manage-users/organizations/create-first-organization#customize-prompts-and-email-templates), and more. To learn more about using Auth0 Organizations to implement multi-tenancy, review [Multiple Organization Architecture](/docs/get-started/architecture-scenarios/multiple-organization-architecture). ## Legacy solutions If Auth0 Organizations does not satisfy the requirements of your use case, please reach out to our [Professional Services](/docs/get-started/professional-services) team to develop a solution that ensures your success. Some legacy solutions include: * Using an Auth0 connection to represent each tenant. * Using an Auth0 application to represent each tenant. * Using an Auth0 tenant to represent each tenant. * Storing tenant details in the user's profile. ### Use Auth0 connections Entity limits may apply. To learn more, read [Entity Limit Policy](/docs/troubleshoot/customer-support/operational-policies/entity-limit-policy). If you have an Enterprise subscription, you will not be constrained due to entity limits, but you may be constrained by a connection that already has thousands of enabled clients. You can represent each of your tenants with a separate Auth0 connection. This approach allows you to support scenarios where: * You have different connection-level requirements, such as varying password policies, for each of your tenants. * You have user pools from different connections. For example, one tenant could require users to provide username/password credentials, while another tenant could require users to log in through an enterprise IdP. To prompt a user to log in through a specific connection, call the [Auth0 Authentication API Login endpoint](https://auth0.com/docs/api/authentication#login), and include the `connection` parameter. If you use [Lock](/docs/libraries#lock) in your application, note that it supports a maximum of 50 database connections per application. Social and enterprise connections are not affected by this limit, but are still subject to the [Entity Limit Policy](/docs/troubleshoot/customer-support/operational-policies/entity-limit-policy). ### Use Auth0 applications Entity limits may apply. To learn more, read [Entity Limit Policy](/docs/troubleshoot/customer-support/operational-policies/entity-limit-policy). If you have an Enterprise subscription, you will not be constrained due to entity limits, but you may be constrained by a connection that already has thousands of enabled clients. You can represent each of your tenants with a separate Auth0 application. This approach allows you to uniquely configure each Auth0 application based on varying tenant requirements, such as available connections. You'll need to track the tenants to which your users belong within your application. When a logs into your application, you'll need to read that information, and direct the user to the appropriate Auth0 application to complete authentication. To enable a connection for multiple applications with the Auth0 Management API, call the [Update enabled clients for a connection endpoint](https://auth0.com/docs/api/management/v2/connections/patch-clients), and pass the relevant connection ID. ### Use Auth0 tenants You can represent each of your tenants with a separate Auth0 tenant. This approach allows you to share access to the Auth0 Dashboard with users, restricted by tenant, but requires you to configure Auth0 individually for each tenant. This means that, in addition to managing the features of each Auth0 tenant individually (such as Branding, Actions, and Attack Protection), your application will have to support multiple Auth0 configurations. ### Store tenant details in the user's profile You can store tenant details in the user's profile and have your application read that information after the user logs in. This approach allows all of your users, regardless of which tenant to which they belong to, to log in using in a uniform configuration (such as available connections). To implement this, you could store tenant details in the user's Auth0 profile in the `app_metadata` object, using an identifier of your choice (for example, `"tenant": "customer-group-12345"`). After the user logs in, your application retrieves the `tenant` variable, and then displays a version appropriate to the returned value. # Set Up Multiple Environments Source: https://auth0.com/docs/get-started/auth0-overview/create-tenants/set-up-multiple-environments Describes how to use multiple Auth0 tenants to manage various environments. Development, staging, and production environments are easy to set up in Auth0. Simply create a new tenant for each environment to guarantee isolation between them. You can easily switch between tenants using the tenant chooser from the top left menu on the Dashboard. You can also configure different administrators for each. Production [rate limits](/docs/troubleshoot/customer-support/operational-policies/rate-limit-policy) only apply to tenants tagged as `Production`. Ensure your tenant's environment tag is set to `Production` before going live, and note the differences between rate limits for different tenants, environments, and fee structures. You can name your multiple environments any way you prefer. For production environments, we strongly recommend using [custom domains](/docs/customize/custom-domains). If you have an Enterprise subscription plan, you can create child tenants by [linking multiple tenants to a single subscription](/docs/get-started/auth0-overview/create-tenants/child-tenants); child tenants each gain access to the paid or upgraded features associated with the subscription. You can ensure your development, staging, or testing environments have access to the same features as your production environment by linking them all to the same Enterprise subscription. ## Tag the environment For each new tenant created, you should specify its environment. You can assign Environment Tags to your tenants to differentiate between development, staging, and production environments. If your tenant is mixed use, choose the higher environment. For example, a tenant used for both development and production should be set to **Production**. 1. To assign an Environment Tag to a tenant, go to the [Dashboard > Settings > General](https://manage.auth0.com/#/tenant/general). Dashboard Tenant Settings General Settings tab 2. Under **Assign Environment Tag**, identify your tenant's environment as **Development**, **Staging**, or **Production**. undefined 3. After selecting the environment, click **Save**. ## Migration Through the [Management API v2](https://auth0.com/docs/api/management/v2), you can automate the migration of assets ([rules](/docs/customize/rules), database [connections](/docs/authenticate/identity-providers), and so forth) between tenants. For easier configuration management, save your configuration values in the [Dashboard](https://manage.auth0.com/#/rules), instead of hardcoding them into your **rules** or **db connections** scripts. For example, let's say you want to set a URL for logs. One way to do it is to hardcode it in the rule: ```javascript lines theme={null} function(user, context, callback){ var log_url = 'https://someurl/log'; ... } ``` This code, however, is not portable since this URL will likely change from development to production. The recommended way of working with code that you need to use/move from development to product is via [Rules](https://manage.auth0.com/#/rules) section. If you have not yet created a rule, you'll need to do so. (Otherwise, jump to step 4.) 1. Click **Create Your First Rule**. 2. Choose the **empty rule** template. 3. Enter a name for your new rule, and click **Save**. 4. Go to [Dashboard > Rules](https://manage.auth0.com/#/rules), and scroll to the bottom of the page to set your configuration values (we will use `log_url` for the key name, and `https://someurl/log` for value), then click **Create**. 5. Now, you can write your rule. Edit the rule you created, enter the following code in the code area, and click **Save**. ```javascript lines theme={null} function(user, context, callback){ var log_url = configuration.log_url; ... } ``` This code is portable, and when you migrate to production, you only need to change this setting instead of searching your scripts. ## AD/LDAP Connectors If you use multiple Auth0 tenants with AD/LDAP, you will need to create an AD/LDAP Connection and set up an AD/LDAP Connector for each tenant. This is because each AD/LDAP Connector is tied to a specific Connection within an Auth0 tenant. Multiple AD/LDAP Connectors can point to the same AD or LDAP directory, but each AD/LDAP Connector can only be used by one Connection within one Auth0 tenant. If you have multiple AD/LDAP directories against which users will authenticate (for example, to support different departments or customers, each with their own directory), you can set up multiple AD/LDAP Connectors within each Auth0 tenant. ## Learn more * [Create Multiple Tenants](/docs/get-started/auth0-overview/create-tenants/create-multiple-tenants) * [Delete or Reset Tenants](/docs/troubleshoot/customer-support/manage-subscriptions/delete-or-reset-tenant) * [Link Multiple Tenants to a Single Subscription](/docs/get-started/auth0-overview/create-tenants/child-tenants) # Auth0 Dashboard Source: https://auth0.com/docs/get-started/auth0-overview/dashboard Describes the Auth0 Dashboard and all the features you can access to implement authentication and authorization with your applications and APIs.. The [Auth0 Dashboard](https://manage.auth0.com/#) is where you manage all aspects of your Auth0 subscription and configuration. Auth0 Dashboard Activity page It consists of several sections that you can navigate using the sidebar menu on your left. For best practices around usage of the Teams Dashboard, [see General Usage and Operations Best Practices](/docs/troubleshoot/general-usage-and-operations-best-practices). ## Configure implementation The following table contains a brief overview of the different Dashboard sections and what you can do in each.
Section Description
Applications Manage your applications, APIs, and single sign-on (SSO) integrations.
Applications: For each of your apps for which you want to authenticate users with Auth0, register an application.
APIs: For each of your APIs that you want to secure with Auth0, register an API. Create new APIs and manage existing ones.
SSO Integrations: View and enable external services for SSO. Create new SSO integrations and configure, review, and manage integration settings.
Authentication Manage the identity providers through which you allow users to authenticate to your apps.
Database: Securely store and manage identifier/password credentials either in an Auth0 datastore or in your own database. Connect to existing databases using template-based JavaScript scripts that run on Auth0's server during every authentication. Gradually migrate an existing database of legacy credentials to Auth0 as users authenticate (no password reset required).
Social: Configure social identity providers (such as Facebook, X, and Github) through which your users can log in.
Enterprise: Configure enterprise identity providers (such as Active Directory, SAML, and Office 365) through which your users can log in using their enterprise credentials.
Passwordless: Allow your users to sign up and log in using one-time passcodes (delivered by email or SMS) or one-click links, instead of passwords.
Organizations Manage the organizations you do business with, and customize the experience their users have when accessing your applications.
User Management Manage your users' identities and permissions.
Users: View and create user profiles, perform password resets, block and delete users, and more.
Roles: Create and manage roles for your apps. Roles contain collections of permissions and can be assigned to users.
Branding Universal Login: Create and customize a login page to which you can direct users to authenticate.
Custom Domains: Create a custom domain to maintain a consistent experience for your users.
Email Templates: Use templates to create welcome, password reset, and account verification email-based workflows.
Email Provider: Designate and configure your custom email provider information.
Security Configure extra layers of security by enabling shields that protect your users against different types of attacks and user access anomalies.
Attack Protection: Manage settings for bot, IP throttling, brute-force, and breached password attacks.
Multi-factor Auth: Require additional factors during the login process to prevent unauthorized access.
Monitoring: Monitor threat intelligence events with one of our data visualization and alerting integrations.
Actions Configure flows such as login, machine-to-machine, user registration, and password resets. Create and manage customized actions used in flows.
Auth Pipeline Rules: Configure custom JavaScript snippets that are executed in Auth0 as part of each user authentication transaction. You can call external APIs, filter which users can log in to your application, use an AllowList, configure geolocated access, and so on.
Hooks: Customize the behavior of Auth0 when you use Database Connections by configuring Node.js code that is executed against extensibility points (which are comparable to webhooks that come with a server).
Monitoring Logs: View log data of actions taken in the dashboard by administrators and user logins.
Streams: Create and manage log event streaming to external data analysis services.
Marketplace Explore integrations that help your business do more with Auth0.
Extensions Extend the Auth0 platform with official and third-party add-ons.
Settings Configure your tenants, manage your Auth0 subscription and payment options, control your tenant administrators and other user roles. Manage other tenant settings related to your custom domains, signing keys, and other advanced settings.
Get Support Go to our Support Center. If your plan does not have access to support services, see the Auth0 Community.
## Manage account settings On the top left, you can see your tenant's name and icon, and a little arrow. This arrow displays a dropdown menu that you can use to configure different aspects of your account: * [**Settings**](/docs/get-started/tenant-settings): Configure several aspects of your tenant. * [**Invite a member**](/docs/get-started/manage-dashboard-access): Add an additional user as an administrator or other role to your tenant configuration. * [**Quota Utilization**](https://support.auth0.com/reports/quota): See quota utilization information about your subscription and tenants. * [**Create tenant**](/docs/get-started/auth0-overview/create-tenants): Use this to create a new tenant. * **Switch tenant**: If you have [multiple tenants](/docs/get-started/auth0-overview/create-tenants/create-multiple-tenants), use this option to switch between them. If you create an application for one tenant, you will not see it listed for another tenant. On the top right, you see several clickable options: * **Search**: Look for apps, marketplace entries, users, and other content related to your tenant. * **Discuss your needs:** Contact an Auth0 expert to help you reach your goals with Auth0. * **Docs:** A link to the documentation site you’re reading right now. * **Notifications bell:** Informs you of new communication from Auth0 or your tenant settings. * **Profile:** A link to your local tenant profile, as well as options to [change your theme](/docs/get-started/dashboard-profile/light-and-dark-themes) and log out. ## Learn more * [Create Tenants](/docs/get-started/auth0-overview/create-tenants) * [Tenant Settings](/docs/get-started/tenant-settings) * [Application Settings](/docs/get-started/applications/application-settings) * [Create Users](/docs/manage-users/user-accounts/create-users) * [API Settings](/docs/get-started/apis/api-settings) * [Logs](/docs/deploy-monitor/logs) # About the Activity Page Source: https://auth0.com/docs/get-started/auth0-overview/dashboard/activity Learn about the metrics on the Activity page for your Auth0 tenant, including information on active users, failed logins, and more. The Activity page provides a summary of key data about your Auth0 tenant, including information on active users, failed logins, and more. ## Things to know * Viewing a tenant's Activity page requires an account with an administrator role (such as Administrator or Owner). * The **Support Access** role has read-only access to view metrics on the tenant's Activity page but cannot modify settings. * To ensure data is consistent, the current date cannot be selected in the date picker and data may take up to 24 hours to display. ## Metrics Here’s what you will see on your tenant's Activity page. ### Totals At the top of the page, you'll see your tenant's total number of users, applications, APIs, and connections. Example Dashboard Activity page tenant totals ### Daily active users The number of daily unique users with successful authentication (successful login) or authorization activity (successful token exchange). This is calculated based on successful log events for each user. You can see the number of unique users for each day by hovering your mouse over a point in the graph. Example Dashboard Activity page Active Users line graph ### User retention The percentage of users that were active during the given time frame, calculated from the number of active users out of the total number of users on the tenant. Example Dashboard Activity page User Retention line graph ### Signups The number of successful user signups, which includes new user registrations through any configured connection (database, social, enterprise). Example Dashboard Activity page Sign ups line graph ### Failed logins The number of failed user logins (the `f` [log event type](/docs/deploy-monitor/logs/log-event-type-codes)) over the given time period. Example Dashboard Activity page Failed Logins line graph ## Compare to last period When **Compare to last period** is enabled: * The percentage difference is included in the graph. Increases are colored green while decreases are colored red. * Dotted lines are the last time period and solid lines are the current time period. Example of mouse hovering over the Dashboard Activity page Active Users line graph ## View data by time frame You can view data for a given time frame by using the datepicker next to the **Compare to last period** checkbox. There are built-in date ranges for the last 7/14/30/60 days, or you can provide the **From** and **To** dates for a custom range. Example of Dashboard Activity page datepicker form # Register APIs Source: https://auth0.com/docs/get-started/auth0-overview/set-up-apis Learn how to register APIs in the Auth0 Dashboard. Before you register any APIs in the Auth0 Dashboard, one API will already exist: the **Auth0 Management API**. To learn more about the features of the Management API and its available endpoints, see [Management API](https://auth0.com/docs/api/management/v2). 1. Go to [Dashboard > Applications > APIs](https://manage.auth0.com/#/apis), and select **+ Create API**. 2. Provide the following information for your API, and click **Create**:
Field Description Example
Name A friendly name for the API. Does not affect any functionality. yourDomain
Identifier A unique identifier for the API. Auth0 recommends using a URL. Auth0 does differentiate between URLs that include the last forward slash. For example, `https://example.com` and `https://example.com/` are two different identifiers. The URL does not have to be a publicly available URL. Auth0 will not call your API. This value cannot be modified afterwards. `https://{yourDomain}`
JSON Web Token (JWT) Profile The profile determines the format of the access tokens issued for the API. The available values are Auth0 and RFC 9068. To learn more, read Access Token Profiles. Auth0
JSON Web Token (JWT) Signing Algorithm The algorithm to sign the access tokens with. The available values are HS256, PS256, RS256. If you select RS256, the token will be signed with the tenant's private key. RS256
Access Policy for Applications within user flow Allow applications to access the API on the user’s behalf. To learn more read, [API Access Policies for Applications](/docs/get-started/apis/api-access-policies-for-applications). Allow via client-grant
Access Policy for Applications within client flows Allow Machine to Machine applications to access the API. To learn more read, [API Access Policies for Applications](/docs/get-started/apis/api-access-policies-for-applications). Allow via client-grant
3. Make the implementation changes to your API that are described in the QuickStart. These changes consist of choosing a JWT library from a predefined list and configuring this library to validate the access tokens in your API. Dashboard - Applications - APIs - Quickstart If you are creating a new custom API and also have Single-Page or Native applications in your tenant, you must enable Role-based Access Control (RBAC) to keep users logged in to these applications from generating an access token for your API that does not consider scopes. To learn how to enable RBAC for your API, read [Enable Role-Based Access Control for APIs](/docs/get-started/apis/enable-role-based-access-control-for-apis). The other available Dashboard views for your API are: * **Settings**: Lists the settings for your API. Some are editable. Here you can change the token expiration time and enable offline access (this way Auth0 will allow your applications to ask for refresh tokens for this API). * **Scopes**: Define the scopes for this API by setting a name and a description. * **Machine to Machine Applications**: Lists all applications for which the **Client Credentials** grant is enabled. By default, this grant is enabled for regular web applications and machine-to-machine applications. You can authorize any of these applications to request access tokens for your API. Optionally, you can select a subset of the defined scopes to limit your authorized application's access. * **Test**: Execute a sample client credentials flow with any of your authorized applications to check that everything is working as expected. ## Learn more * [API Settings](/docs/get-started/apis/api-settings) * [Token Best Practices](/docs/secure/tokens/token-best-practices) * [Which OAuth 2.0 Flow Should I Use?](/docs/get-started/authentication-and-authorization-flow/which-oauth-2-0-flow-should-i-use) # Auth0 Teams Source: https://auth0.com/docs/get-started/auth0-teams Describes how Auth0 Teams allows you to manage tenants and tenant administrators. Auth0 Teams provides a single point of visibility and control over your Auth0 resources by providing centralized governance, compliance, and secure collaboration at scale. Teams membership sits on top of the tenant membership account. The main team member role is referred to as the Team Owner and has visibility into all tenants within their Auth0 Account. As an Auth0 Team Owner, you can manage a single tenant or multiple tenants. The following features are currently available as part of Auth0 Teams: * Visibility and control of Teams members * Visibility into Tenants with relevant details * Visibility and control of Tenant members * Ability to enforce Single Sign-On with your own Identity provider * Ability to restrict tenant creation * Ability to manage subscription and billing details for self-service subscriptions Auth0 teams let you manage all tenants and administrators Auth0 Teams currently supports a single Teams instance for all tenants attached to either your subscription or Enterprise contract. Team Owners manage and configure the tenants and tenant administrators within the Teams instance. ## Getting Started Auth0 Teams is on by default for new self-service users since 1 November 2023. Existing Public and Private Cloud Enterprise customers can request to be onboarded into Teams through their Technical Account Manager, Sales Executive, or via support. For all other subscription types, if you joined Auth0 prior to 1 November 2023, you need to upgrade your plan to the latest version in your tenant's [subscription settings](https://manage.auth0.com/#/tenant/billing/subscription) to have Teams automatically provisioned for you. ## Feature Support Matrix Features marked with an asterisk are currently in beta for Private Cloud customers.
Teams Feature Enterprise Private Cloud Enterprise Public Cloud Self-Service Subscription
Tenant Management
Tenant Member Management ✅ \*
SSO Enforcement ✅ \*
Tenant Creation from Teams
# Configure Security Policies Source: https://auth0.com/docs/get-started/auth0-teams/configure-security-policies Configure the security policies associated with an Auth0 Team. This feature is offered as Early Access to Public Cloud Enterprise tenants and as a Beta release to Private Cloud Enterprise tenants. By using this feature, you agree to the applicable Free Trial terms in Okta’s [Master Subscription Agreement](https://www.okta.com/legal/). To learn more about Auth0’s release stages, read [Product Release Stages](/docs/troubleshoot/product-lifecycle/product-release-stages). Security policies allow [team owners](/docs/get-started/auth0-teams/team-member-management) to configure and implement authentication rules that adhere to your organization's IT security policies for access to infrastructure systems or applications. ## Available Enterprise IdP Connections Auth0 Teams allows you to connect to your identity provider (IdP) to provide single-sign on (SSO) for team members. ### Add SSO connection (Beta) You can configure an SSO connection in the Auth0 Teams Dashboard. Before you add an SSO connection, you need to collect the following information: * Your IdP provider (for example: Okta, ADFS, or Google Workspace) * Your IdP domain * Auth0 Callback URL (`https://auth0.auth0.com/login/callback`) * Your Client ID, Client Secret, Sign-in URL, and Signing Certificate (depending on your IdP) 1. Go to [**Security**](https://accounts.auth0.com/teams/#/security-policies). 2. Select + **Add Connection (Beta)**, and then select **Get Started**. 3. Choose an identity provider, and then select **Next**. 4. Follow the instructions to create an application, and then select **Next**. 5. Configure your connection, then select **Create Connection**. 6. Read the prompt, then select **Proceed**. 7. Follow the instructions to grant users and groups access, and then select **Next**. 8. Select **Test Connection** to verify that your connection is configured properly. 9. When ready, select **Enable Connection**. After you enable your connection, it appears in the **Available Enterprise IdP Connections** section of the **Security Policies** page. ### Configure just-in-time (JIT) provisioning JIT provisioning enables Auth0 to automatically create an account for team members who log in through an SSO connection. You must enable [Tenant Member Management](/docs/get-started/auth0-teams/tenant-member-management) to configure JIT provisioning. 1. Go to [Security](https://accounts.auth0.com/teams/#/security-policies). 2. Locate the **Available Enterprise IdP Connections** section. 3. Enable the **JIT Membership** toggle for the connection. ## Enforce Single Sign On Auth0 Teams allows you to require team members to log in through one of your **Available Enterprise IdP Connections**. To enforce SSO, you must be logged in through an SSO connection and have the **Team Owner** role. If you are not logged in through an SSO connection, but you have one configured, you can [invite yourself to your Auth0 Team](/docs/get-started/auth0-teams/team-member-management) on that connection. ### Use JIT provisioning This method allows team members to log in to the SSO connection immediately after it's enabled, and instructs Auth0 to automatically create an account for them after the first time they log in successfully. 1. Enable [Tenant Member Management](/docs/get-started/auth0-teams/tenant-member-management). 2. Enable the **JIT Membership** toggle for the SSO connection. 3. Go to the Teams Dashboard’s Settings page and note your team's permalink value. 4. Instruct all team members to log out of the Auth0 Teams Dashboard and log in via the SSO connection. The URL structure for the team members to follow is `https://accounts.auth0.com/teams/{team-permalink}`. 5. Auth0 automatically creates a new account (on the SSO connection) for each team member. 6. Assign each team member's new account the same [team role](/docs/get-started/auth0-teams/team-member-management) as their old account. 7. (Optional) Delete each team member's old account. ### Manage team and tenant membership manually This method allows you to manage team members separately from tenant members. For team members, [send a new invitation from the Teams Dashboard](/docs/get-started/auth0-teams/team-member-management) and instruct them to accept the invitation using the SSO connection. For tenant members, [send a new invitation from the Auth0 Dashboard](/docs/get-started/manage-dashboard-access/add-dashboard-users) from each tenant they're a member of and instruct them to accept the invitation using the SSO connection. After accepting the invitation, Private Cloud Enterprise customers that enforce SSO and/or use Tenant Member Management can click the **Continue with Auth0 Teams** login button in their Private Cloud Auth0 Dashboard. ### Configure home-realm discovery (HRD) If you enable HRD, Auth0 recognizes the domain of the email address a team member enters and directs them to the associated SSO connection. Before you enable HRD, make sure your team members are prepared! If you're using Team Member Management and JIT provisioning, notify your team members of the new behavior. If you're managing team membership manually, ensure all team members have an account on the associated SSO connection and they know how to log in. 1. [Open a ticket](https://support.auth0.com) with Auth0 Support. 2. Let them know you'd like to enable HRD for an Auth0 Teams SSO connection, and provide the following information: * Your **Team Name** and **Team Permalink** * The name of the SSO connection * The domain associated with the SSO connection # About the Quarterly Snapshot Source: https://auth0.com/docs/get-started/auth0-teams/quarterly-snapshot Learn about the Quarterly Snapshot report available to Auth0 Teams members, including how to access it and how to interpret the provided metrics. The Quarterly Snapshot provides highlights of usage and value at an account level, including aggregated information on how you’re measuring against quota, your identity environment, and threat detection. The feature is automatically enabled when Auth0 Teams is provisioned. It is exclusively available for select enterprise customers managed by the Digital Technical Account Manager (DTAM). ## Things to know * The Quarterly Snapshot is accessible only through [Auth0 Teams](/docs/get-started/auth0-teams). Auth0 Teams should be provisioned for the account prior to the calendar quarter start. * The Quarterly Snapshot is a feature accessible to a select group of Enterprise customers managed by the DTAM. * Team Owners and Report Viewers can view and download the Quarterly Snapshot in the **Reports** section of the Auth0 Teams dashboard. * Team Owners can manage the list of Report Viewers through the Auth0 Teams dashboard. * Metric objects in the Quarterly Snapshots may vary as a result of an accounts entitlements, enabled features, and usage. * All metrics are aggregated at an account level. For more information, refer to the **Metrics** table below. ## Metrics Here are the metrics you may see on your Quarterly Snapshot.
Metric What it measures Comments
Monthly Active Users Measures the unique monthly active users on the account as compared to your quota. For detailed information on a tenant level, please reference the Support Center Quota report.
Machine to Machine Tokens Shows the number of access tokens issued by Auth0 for the client credentials grant. Tokens issued for Auth0 Management API or other Auth0 built in APIs are not counted. For detailed information on a tenant level, please reference the Support Center Quota report.
Active Enterprise Connections This metric displays the number of enterprise connections an account is using. For more details about your quota, contact your Account Executive.
New User Signups This displays how many new users (user registrations) were added to your tenant(s) in the months of this quarter. Refer to the Activity Page for more information on new users.
Dormant Users This metric represents the monthly average users that haven’t authenticated in the last month.
Breached Password Number of attempts blocked with compromised credentials, as stopped by the Breached password detection feature.
Brute-force Protection Requests blocked by the Brute-force Protection feature, if enabled. This metric summarizes all requests blocked specifically on production tenants.
Suspicious IP Throttling Requests blocked by the Suspicious IP Throttling feature, if enabled. This metric sums all requests blocked specifically on production tenants.
Bot Detection Requests failed to solve the CAPTCHA challenge. This metric sums all the bot requests that were blocked by the Bot Detection feature after failing to solve a CAPTCHA challenge.
Adaptive MFA Requests where MFA challenge was issued due to a low confidence score. This metric sums all login attempts where a multi-factor authentication challenge was issued and the calculated confidence score was low.
# Team Activity Source: https://auth0.com/docs/get-started/auth0-teams/team-activity Team Activity allows Team Owners to view and audit event logs generated by team member. Team Activity allows Team Owners to view audit logs associated to member activities performed on their Auth0 account. Team Activity report is located under the **Reports** section of the Teams Dashboard. Team Activity provides a summary view of the member who generated the event, the event type, and the date the event was generated. You can select **View Details** to find more information such as the description of the event, the event status, the IP address of the user who triggered the event, user agent details, and more. ## Event types Team Activity event types are described below.
Event Type Description
Team Invitation Team member invitation created
Team member invitation deleted
Team Member Team member deleted
Team member role updated
Security Policy Security policy updated
Social connections updated
Team Setting Team settings updated
Support for dashboard user authentication to Auth0 and Teams Dashboard and other events will be available in the future. ## Event schema Team Activity event schema is described below. ```json lines theme={null} { "id": "string", "team_id": "string", "user_id": "string", "type": "string", "description": "string", "status": "string", "details": "object", "ip": "string", "hostname": "string", "user_agent": "string", "version": "string", "created_at": "date", "team_slug": "string", "user": "object" } ```
Name Type Description
id string Event log unique identification.
team\_id string Unique team identification.
user\_id string The unique identifier for the user that generated the event.
type string Event type.
description string Event type summary.
status string Event status. Possible values are Success or Failure.
details object Details of the logged event.
ip string IP address of the user that generated the event log.
hostname string FQDN of the Auth0 App on which the event was performed.
user\_agent string Web browser and Device OS type and version.
version string Schema version under which the activity log was generated.
created\_at datetime Date and time event log was generated.
team\_slug string Unique text team identifier.
user object Contains name, avatar URL, and Team membership status (boolean).
## Audit log retention The retention of Team Activity audit logs varies by plan. Read our [Pricing](https://auth0.com/pricing) page for more information. # Team Member Management Source: https://auth0.com/docs/get-started/auth0-teams/team-member-management Manage and configure members of your team. Team Owners can manage and configure Auth0 Teams. Auth0 creates at least one Owner when we provision Teams. We recommend at least two Team Owners, especially if you limit tenant creation to Team Owners. **Self-Service Customers** When Auth0 provisions a Team, we may automatically assign the **Team Owner** role to the administrator user account . However, this user must manually assign themselves the **Team Owner** role in order to verify their email and receive full account permissions. This user can then invite additional members as needed. As a Team Owner, you can add, change, and remove team members. The supported roles apart from a Team Owner are Report Viewer and Contributor. ## Team membership roles ### Team Owner Members with this role have full access to the team dashboard (list of all tenants, tenant creation restriction, team members management) and can access specific tenants of which they are a member. ### Report Viewer Members with this role can view Quarterly Snapshots. The Report Viewer role is available to select enterprise customers that are managed by the Digital Technical Account Manager (DTAM). ### Contributor Members with this role can view and access specific tenants of which they are a member. ## View and add team members ### Invite a new team member 1. On the left side of the Teams Dashboard, select **Members**. A view of Auth0 Team Members on the Teams Dashboard 2. To invite a new Team Owner, select **Invite a Member**. 3. Enter the email address of the member to invite and select the access level. Team member management screenshot 4. Select **Send Invite**. ### Update existing team member role 1. To update the role of an existing Team Member, search for the member in the **Members** list. 2. Select the three-dot menu option and click on the **Assign Role** option. 3. Pick the new role you want to assign the Team Member and click **Assign**. ### Delete an existing team member If a team member no longer requires access to the team, they can simultaneously be removed from the Teams Dashboard and all team tenants in which they are a user. This feature requires tenant member management. Public Cloud Enterprise customers must activate this feature manually on the Teams settings page. To delete an existing Team Member: 1. Navigate to the **Members** section on the left side of the Teams Dashboard, then locate the team member. 2. Select the ellipsis to reveal more options and choose **Remove Member**. 3. After you confirm the removal, you will be presented with a toast notification confirming the successful deletion of the team member. If you only want to remove the team member's access to one or more tenants, go to the [Team Member's details page](/docs/get-started/auth0-teams/tenant-member-management). ## Update team name Teams allow you to update the Team name visible on the tenant picker for dashboard users. To update the Team name: 1. Select **Settings** on the left side of the Teams Dashboard. 2. Make the necessary changes to the **Team Name** captured within the **Team Information** section. 3. Select **Save**. This change now displays in the tenant picker. # Tenant Management Source: https://auth0.com/docs/get-started/auth0-teams/tenant-management Manage the Auth0 teams information within a given tenant. Access and modify Team information from within your tenant. If you don't yet have a tenant associated with your account, see [Create Tenants.](/docs/get-started/auth0-overview/create-tenants) ## Access the Teams Dashboard If you are a Team Owner, you can use the Teams Dashboard to: * Choose who can create new tenants: Team Owners or all tenant administrators. * View all tenants created under your Auth0 subscription or custom agreement. * View and invite Team Owners. To access the Teams Dashboard from any of your tenants: 1. Select your tenant name from the tenant drop-down menu in the [Auth0 Dashboard](https://manage.auth0.com/dashboard). 2. Find your Teams name at the bottom of the menu and select **Go to team**. Access the Auth0 Team Dashboard To access the Teams Dashboard using a URL: 1. Navigate to `https://accounts.auth0.com/` 2. If your user account is a member of only one Team, enter your credentials to be taken to your Teams dashboard. If your user account is a member of one or more Teams, select the Team from the list of Teams your user account is associated with to login. If the option for Teams access isn't visible, try the following:
Possible Cause Action
The current tenant isn’t in Teams. Try switching to a different tenant.
You’re not a Teams owner. Ask a Teams owner to invite you to the team.
## View tenants In the Teams Dashboard, you can view all tenants within your Auth0 custom agreement or subscription present in either the Public or Private Cloud Environment. For each tenant, you can review: * Tenant name * Region * Creation date * Environment (Development, Staging, or Production) * Tenant administrators 1. Select **Tenants** on the left side of the Teams Dashboard. For Private Cloud Environments, select the **Overview** menu drop-down to reveal the **Tenants** menu option. 2. If you’re an administrator for a tenant, select the tenant name to access the tenant. If you are not a tenant administrator, you will not be able to select the tenant. 3. To review tenant members, select **View Members**. ## View private cloud environments A list of private cloud environments can be viewed from the Teams Dashboard. You are able to view the following information * Environment name * Cloud provider type (AWS or Azure) * Deployment region * Failover region * Current environment release version. 1. Select the **Overview** menu drop-down to reveal the **Private Cloud** menu option. ## Link tenants This feature is currently available for the following Team Subscription types: * B2C - Essentials * B2B - Essentials * B2C - Professional * B2B - Professional Linking tenants allows you to share features and quota limits available within your Team Subscription with the linked tenant. Once linked, that tenants subscriptions will be tied to your Team and you would no longer have to individually manage the subscription for that tenant. You are able to link tenants to your team, if the following conditions are true: * The tenant is not part of an existing Team. * You are an administrator of the tenant you want to link. * You have a Team Owner role on the team. Linking a tenant cancels the subscription attached to the tenant. If these conditions are met, the tenant will show up as a possible option to link to your team when you select **Link Existing Tenant** from the Tenants page. ## Create new tenant This feature is currently available for the following Team Subscription types: * B2C - Essentials * B2B - Essentials * B2C - Professional * B2B - Professional * Enterprise Private Cloud By using this feature, you agree to the applicable Free Trial terms in Okta’s [Master Subscription Agreement](https://www.okta.com/legal/). Team Owners can create a tenant from within the Teams Dashboard, automatically linking the created tenant with the team, including associating the Team Subscription details (available features and quota limits) with the newly created tenant. You can do this by clicking on the **Create New Tenant** button on the Tenants page, which will open the Create Tenant form. ## Manage tenants You can control who can create new tenants under your Auth0 custom agreement or subscription under **Team Settings**. When creating a new tenant, administrators can: * Link the tenant to custom agreement. The new tenant exists under your custom agreement or subscription. It benefits from the same features, counts toward limits, and is visible to Team Owners. or * Create a tenant under their personal account. The new tenant is not a part of your Teams' custom agreement or subscription. The administrator who creates the tenant can access it with the same login credentials. To allow administrators to link a tenant to a custom agreement, the Team Owner must: 1. Select **Settings** on the left side of the Teams Dashboard. 2. Select the option **Allow Tenant Admins to Create Tenants under the Teams Account**. If this option is unchecked, then tenant administrators can create personal accounts only. The **Tenant Creation** option does not apply to Team Owners. Owners have permissions to create new tenants in the Teams instance under the custom agreement or subscription. 3. Select **Save**. If a Tenant administrator without permission attempts to create tenants, they will be prompted to contact the Team Owner. ## View Team Subscription details This feature is currently available for the following Team Subscription types: * B2C - Essentials * B2B - Essentials * B2C - Professional * B2B - Professional Team Owners can view Team Subscription details by visiting Subscription tab within the Setting page. # Tenant Member Management Source: https://auth0.com/docs/get-started/auth0-teams/tenant-member-management Describes how to use Auth0 Teams to centrally manage Tenant Membership. Tenant Member Management allows Team Owners to manage tenant access and [roles](/docs/get-started/manage-dashboard-access/feature-access-by-role) for Team members directly in the Teams dashboard. ## Enable Tenant Member Management Tenant Member Management is enabled by default for all Self-service customers and most Public Cloud Enterprise customers. To enable Tenant Member Management in your Teams dashboard: 1. Go to **Settings**. 2. Locate the **Tenant Member Management** section. 3. Enable the **Manage tenant members** checkbox. 4. Select **Save**. After you enable Tenant Member Management, a background process replicates all current tenant members as Team members and grants them the **Contributor** role. If a user already has a Team member account, the role with greater privileges is maintained. ## Add tenant access for a Team member To add tenant access for a Team member through the Teams dashboard: 1. Go to **Members**. 2. Select the Team member to open their **Member details** page. 3. Select **Add Tenant Access**. 4. Type the tenant name into the search window or select a tenant from the dropdown menu. You can select up to five tenants. Specific Apps option is not presented if more than one tenant is selected. Select individual Tenant to assign Editor -Specific Apps role. 5. Select the desired role(s) you want to assign to the Team member for all selected tenants. 6. Select **Assign**. ## Edit tenant access for a Team member To edit tenant access for a Team member through the Teams dashboard: 1. Go to **Members**. 2. Select the Team member to open their **Member details** page, or select **Manage Tenant Access** from the ellipsis menu (**...**) next to their name. 3. Locate the desired tenant and select **Edit Roles** from the ellipsis menu (**...**). 4. Select **Assign**. If a Team member is currently logged in and you edit their role, Auth0 forcibly logs them out and terminates their session. This may result in loss of unsaved work. ## Remove tenant access for a Team member To remove tenant access for a Team member through the Teams dashboard: 1. Go to **Members**. 2. Select the Team member to open their **Member details** page. 3. Locate the desired tenant and select **Remove Access** from the ellipsis menu (**...**). 4. Select **Assign**. If you want to remove a Team member from all tenants associated with the Team, [remove them from the Team](/docs/get-started/auth0-teams/team-member-management). # Troubleshoot Teams Source: https://auth0.com/docs/get-started/auth0-teams/troubleshoot-teams Troubleshoot any issues associated with an Auth0 Teams membership. To ensure undisrupted service, see below to help troubleshoot any issues associated with an Auth0 Teams membership. For best practices around usage of the Teams Dashboard, [see General Usage and Operations Best Practices](/docs/troubleshoot/general-usage-and-operations-best-practices). #### Add a missing tenant If you are on a self-service subscription plan and you don’t see a tenant under your Teams instance, verify the [subscription](/docs/troubleshoot/customer-support/manage-subscriptions) details: 1. First verify the [subscription](/docs/troubleshoot/customer-support/manage-subscriptions) details by checking the tenant's subscription. 2. Attempt to link the tenant by following the [Link tenants](/docs/get-started/auth0-teams/tenant-management) guide. If the subscriptionis an Enterprise Agreementbut is not part of your Teams instance, contact [Auth0 Support](http://support.auth0.com) to assist in adding the tenant. Screenshot of what to expect when your tenant subscription is an Enterprise Agreement #### Remove an unrecognized admin If a Tenant administrator is listed as part of a tenant and should not be: 1. If you are a Team Owner and also the tenant admin for the tenant, access the Auth0 Dashboard for the tenant to remove the admin. To learn more, read [Team Member Management](/docs/get-started/auth0-teams/team-member-management). 2. Request a tenant administrator to remove the admin from the tenant. # Dashboard Profile Source: https://auth0.com/docs/get-started/dashboard-profile Explore options in Auth0 Dashboard's Profile menu. Explore options in Auth0 Dashboard's profile option.
Read... To learn...
Light and Dark themes How to choose your preferred theme.
Auth0 Dashboard Login Session Management How to manage Auth0 Dashboard sessions.
# Auth0 Dashboard Login Session Management Source: https://auth0.com/docs/get-started/dashboard-profile/auth0-dashboard-login-session-management Describes how Auth0 Dashboard Admins can view and revoke login sessions. With Login Sessions, Auth0 Dashboard administrators can track active sessions from different Dashboard applications across multiple devices and browsers. You can review and revoke sessions created by users accessing the Teams Dashboard, Support Center, and Auth0 Dashboard respectively. You can see a list of all active sessions within your Auth0 Dashboard [profile page](https://manage.auth0.com/#/profile/sessions). Auth0 Dashboard > Profile To log out or revoke a session, locate the session of interest and select **Revoke**. Revoking a session does not automatically remove sessions belonging to extensions. However, sessions belonging to extensions are short-lived and do not renew when a login session is revoked or expires. # Light and Dark themes Source: https://auth0.com/docs/get-started/dashboard-profile/light-and-dark-themes How to toggle between light and dark themes for your Dashboard Auth0 customers can use light mode or dark mode in their tenant Dashboard. You can also set your Dashboard to use the same settings as your local system environment. There are two ways to change your Dashboard theme: 1. Select the profile dropdown menu at the top-right of your Dashboard. 2. Use the menu to switch between themes. Where to find the Dark mode and Light mode toggle You may also click **Your Profile** in the same dropdown and scroll to the bottom, where you can choose from the three themes. Where you can change your theme in the Profile section # Identity Fundamentals Source: https://auth0.com/docs/get-started/identity-fundamentals Learn the basics of identity and access management. Explore topics related to the fundamentals of identity and access management.
Read... To learn...                                
Introduction to Identity and Access Management (IAM) Basic concepts of IAM.
Authentication vs. Authorization About the differences between authentication and authorization.
Glossary Definitions of various terms related to identity.
# Authentication vs. Authorization Source: https://auth0.com/docs/get-started/identity-fundamentals/authentication-and-authorization Explore the differences between authentication and authorization. While often used interchangeably, [authentication](/docs/authenticate) and authorization represent fundamentally different functions. In this article, we compare and contrast the two to show how they protect applications in complementary ways. ## What are authentication and authorization? In simple terms, authentication is the process of verifying who a user is, while authorization is the process of verifying what they have access to. Comparing these processes to a real-world example, when you go through security in an airport, you show your ID to authenticate your identity. Then, when you arrive at the gate, you present your boarding pass to the flight attendant, so they can authorize you to board your flight and allow access to the plane. ## Authentication vs. authorization Here's a quick overview of the differences between authentication and authorization:
Authentication Authorization
Determines whether users are who they claim to be Determines what users can and cannot access
Challenges the user to validate credentials (for example, through passwords, answers to security questions, or facial recognition) Verifies whether access is allowed through policies and rules
Usually done before authorization Usually done after successful authentication
Generally, transmits info through an ID Token Generally, transmits info through an Access Token
Generally governed by the OpenID Connect (OIDC) protocol Generally governed by the OAuth 2.0 framework
Example: Employees in a company are required to authenticate through the network before accessing their company email Example: After an employee successfully authenticates, the system determines what information the employees are allowed to access
In short, access to a resource is protected by both authentication and authorization. If you can't prove your identity, you won't be allowed into a resource. And even if you can prove your identity, if you are not authorized for that resource, you will still be denied access. Auth0 has products and services for authentication, like [passwordless](/docs/authenticate/passwordless/passwordless-with-universal-login), [multi-factor authentication](/docs/secure/multi-factor-authentication) (MFA), and [Single-Sign On (SSO)](/docs/authenticate/single-sign-on) you can configure using Auth0 Dashboard or Management API. For authorization, Auth0 offers [role-based access control](/docs/manage-users/access-control/rbac) (RBAC) or [fine grained authorization](https://docs.fga.dev/fga) FGA). # Introduction to Identity and Access Management (IAM) Source: https://auth0.com/docs/get-started/identity-fundamentals/identity-and-access-management Basic overview of the computer software field of identity and access management, written for those new to the space ## What is identity and access management (IAM)? Identity and access management provides control over user validation and resource access. Commonly known as IAM, this technology ensures that theright people access the right digital resources at the right time and for the right reasons. ## IAM basic concepts To understand IAM, you must be familiar with some fundamental concepts: * A **digital resource** is any combination of applications and data in a computer system. Examples of digital resources include web applications, APIs, platforms, devices, or databases. * The core of IAM is **identity**. Someone wants access to your resource. It could be a customer, employee, member, participant, and so on. In IAM, a **user** account is a digital identity. User accounts can also represent non-humans, such as software, Internet of Things devices, or robotics. Simple diagram showing user accessing resource Simple diagram showing that the IAM system controls user access to a resource * **Authentication** is the verification of a digital identity. Someone (or something) authenticates to prove that they’re the user they claim to be. * **Authorization** is the process of determining what resources a user can access. ## The difference between authentication and authorization It’s common to confuse authentication and authorization because they seem like a single experience to users. They are two separate processes: authentication proves a user’s identity, while authorization grants or denies the user’s access to certain resources. You can think of authentication and authorization as the security system for an office building. Users are the people who want to enter the building. Resources that people want to access are areas in the building: floors, rooms, and so on. **Authentication:** When you enter the building, you must show your photo ID badge to the security guard. The guard compares the photo on the badge to your face. If they match, the guard lets you through the door to try to access different areas of the building. The guard doesn’t tell you what rooms you can access; they only get proof that you are who you claim to be. This is authentication: confirming user identity. Diagram showing how authentication is like a security guard checking your badge at the door **Authorization:** In this scenario, imagine the elevators and doorways in the building have key sensors for access. The chip in your badge gives you access only to the first floor, which your company occupies. If you swipe your badge to enter any other floor, your access is denied. You can access your private office but not those belonging to your colleagues. You can enter the supply room but not the server room. This is authorization: granting and denying access to different resources based on identity. Diagram showing how authorization is like a badge that gives you access to only some rooms in a building To learn more about authentication and authorization, read [Authentication vs. Authorization](/docs/get-started/identity-fundamentals/authentication-and-authorization). ## What does IAM do? Identity and access management gives you control over user validation and resource access: * How users become a part of your system * What user information to store * How users can prove their identity * When and how often users must prove their identity * The experience of proving identity * Who can and cannot access different resources You integrate IAM with your application, API, device, data store, or other technology. This integration can be very simple. For example, your web application might rely entirely on Facebook for authentication, and have an all-or-nothing authorization policy. Your app performs a simple check: if a user isn’t currently logged in to Facebook in the current browser, you direct them to do so. Once authenticated, all users can access everything in your app. It’s unlikely that such a simple IAM solution would meet the needs of your users, organization, industry, or compliance standards. In real life, IAM is complex. Most systems require some combination of these capabilities: * **Seamless signup and login experiences:** Smooth and professional login and signup experiences occur within your app, with your brand’s look and language. * **Multiple sources of user identities:** Users expect to be able to log in using a variety of social (such as Google or Linkedin), enterprise (such as Microsoft Active Directory), and other [identity providers](/docs/authenticate/identity-providers). * **Multi-factor authentication (MFA):** In an age when passwords are often stolen, requiring additional proof of identity is the new standard. Fingerprint authentication and one-time passwords are examples of common authentication methods. To learn more, read [Multi-Factor Authentication (MFA)](/docs/secure/multi-factor-authentication). * **Step-up authentication:** Access to advanced capabilities and sensitive information require stronger proof of identity than everyday tasks and data. Step-up authentication requires additional identity verification for selected areas and features. To learn more, read [Add Step-up Authentication](/docs/secure/multi-factor-authentication/step-up-authentication). * **Attack protection:** Preventing bots and bad actors from breaking into your system is fundamental to cybersecurity. To learn more, read [Attack Protection](/docs/secure/attack-protection). * **Role-based access control (RBAC):** As the number of users grows, managing the access of each individual quickly becomes impractical. With RBAC, people who have the same role have the same access to resources. To learn more, read [Role-Based Access Control](/docs/manage-users/access-control/rbac). * **Fine-grained authorization (FGA):** When you need more options to manage user access to your resources or technologies, you can use relationship-based access control to go beyond role-based. You can give individual users access to certain resources and determine the best solution for your specific use case. To learn more, read [What Is Fine-Grained Authorization?](https://docs.fga.dev/authorization-concepts#what-is-fine-grained-authorization) Facing this level of complexity, many developers rely on an IAM platform like Auth0 instead of building their own solutions. ## How does IAM work? “Identity and access management” is not one clearly defined system. IAM is a discipline and a type of framework for solving the challenge of secure access to digital resources.  There’s no limit to the different approaches for implementing an IAM system. This section explores elements and practices in common implementations. ### Identity providers In the past, the standard for identity and access management was for a system to create and manage its own identity information for its users. Each time a user wanted to use a new web application, they filled in a form to create an account. The application stored all of their information, including login credentials, and performed its own authentication whenever a user signed in. As the internet grew and more and more applications became available, most people amassed countless user accounts, each with its own account name and password to remember. There are many applications that continue to work this way. But many others now rely on identity providers to reduce their development and maintenance burden and their users’ effort. An identity provider creates, maintains, and manages identity information, and can provide authentication services to other applications. For example, Google Accounts is an identity provider. They store account information such as your user name, full name, job title, and email address. Slate online magazine lets you log in with Google (or another identity provider) rather than go through the steps of entering and storing your information anew. Screenshot of Slate magazine login Identity providers don’t share your authentication credentials with the apps that rely on them. Slate, for example, doesn’t ever see your Google password. Google only lets Slate know that you’ve proven your identity. Other identity providers include social media (such as Facebook or LinkedIn), enterprise (such as Microsoft Active Directory), and legal identity providers (such as Swedish BankID). ### Authentication factors Authentication factors are methods for proving a user’s identity. They commonly fall into these basic types:
Factor type Examples
Knowledge (something you know) Pin, password
Possession (something you have) Mobile phone, encryption key device
Inherence (something you are) Fingerprint, facial recognition, iris scan
IAM systems require one or many authentication factors to verify identity. ### Authentication and authorization standards Authentication and authorization standards are open specifications and protocols that provide guidance on how to: * Design IAM systems to manage identity * Move personal data securely * Decide who can access resources These IAM industry standards are considered the most secure, reliable, and practical to implement: #### OAuth 2.0 OAuth 2.0 is a delegation protocol for accessing APIs and is the industry-standard protocol for IAM. An open authorization protocol, OAuth 2.0 lets an app access resources hosted by other web apps on behalf of a user without ever sharing the user’s credentials. It’s the standard that allows third-party developers to rely on large social platforms like Facebook, Google, and Twitter for login. To learn more, read [OAuth 2.0 Authorization Framework](/docs/authenticate/protocols/oauth). #### Open ID Connect A simple identity layer that sits on top of OAuth 2.0, OpenID Connect (OIDC) makes it easy to verify a user’s identity and obtain basic profile information from the identity provider. OIDC is another open standard protocol. To learn more, read [OpenID Connect Protocol](/docs/authenticate/protocols/openid-connect-protocol). #### JSON web tokens JSON web tokens (JWTs) are an open standard that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. JWTs can be verified and trusted because they’re digitally signed. They can be used to pass the identity of authenticated users between the identity provider and the service requesting the authentication. They also can be authenticated and encrypted. To learn more, read [JSON Web Tokens](/docs/secure/tokens/json-web-tokens). #### Security Assertion Markup Language (SAML) Security Assertion Markup Language (SAML) is an open-standard, XML-based data format that lets businesses communicate user authentication and authorization information to partner companies and enterprise applications that their employees use. To learn more, read [SAML](/docs/authenticate/protocols/saml). #### Web Services Federation (WS-Fed) Developed by Microsoft and used extensively in their applications, this standard defines the way security tokens can be transported between different entities to exchange identity and authorization information. To learn more, read [Web Services Federation Protocol](/docs/authenticate/protocols/ws-fed-protocol). ## Why use an IAM platform? Why do so many developers choose to build on an identity and access management platform instead of building their own solution from the ground up? User expectations, customer requirements, and compliance standards introduce significant technical challenges. With multiple user sources, authentication factors, and open industry standards, the amount of knowledge and work required to build a typical IAM system can be enormous. A strong IAM platform has built-in support for all identity providers and authentication factors, offers APIs for easy integration with your software, and relies on the most secure industry standards for authentication and authorization. For those who haven’t yet decided whether to build or buy an IAM solution, [Build vs. Buy: Guide to Evaluating Identity Management](https://auth0.com/resources/whitepapers/build-vs-buy-evaluating-identity-management) is a useful resource. # Introduction to Auth0 Source: https://auth0.com/docs/get-started/identity-fundamentals/introduction-to-auth0 Describes Auth0 services and features. Auth0 is an identity access management (IAM) provider. But what does this mean? If you've read [Introduction to Identity and Access Management (IAM)](/docs/get-started/identity-fundamentals/identity-and-access-management), you know an IAM solution is a gatekeeper to the resources you provide to customers as web applications, APIs, etc. The gatekeeper initiates authorization as outlined in OAuth 2.0. The addition of the OpenID Connect layer adds authentication to secure your users’ digital identities and your product. The Auth0 identity platform supports different application types and frameworks. Whether your application is a regular web app, a mobile app, or a machine-to-machine app, Auth0 provides configurations for the most secure authorization grant, or workflow, for each. You can read more about authorization grants and choose the one for your application in our article [Which OAuth 2.0 Flow Should I Use?](/docs/get-started/authentication-and-authorization-flow/which-oauth-2-0-flow-should-i-use) Aside from supporting secure protocols, the Auth0 identity platform allows you to customize login services to fit your business, your technology, and your customer base. Using the Auth0 Dashboard and Management API, you can create your own Auth0 instance to authenticate and authorize your customers. You can configure login behaviors, connect your user data store, manage those users, choose an authorization grant, and establish authentication factors for a seamless, scalable product with an impactful user experience. ## Get Started ### Identity fundamentals You don’t have to be an expert on IAM to integrate Auth0 into your application or API, but you can choose the right configuration for your use case if you know some key concepts. To learn more, read our [Introduction to Identity and Access Management (IAM)](/docs/get-started/identity-fundamentals/identity-and-access-management) article. If you still have questions about planning your implementation, review our [Architecture Scenarios](/docs/get-started/architecture-scenarios) section for walk-throughs of real world scenarios. ### Integrate with Auth0 To start integrating with Auth0, you can either start with our interactive [Quickstart guides](/docs/quickstarts) for initial set-up and quick configurations, or you can register your application manually in the Auth0 Dashboard. In Dashboard, you can create a tenant, or your Auth0 instance, from the ground up. If you prefer to use SDKs, Auth0 offers multiple options for each application type. To see the full offering, navigate to [Auth0 Libraries](/docs/libraries). You can begin your configuration with general details in the Dashboard tenant settings, such as the name displayed to your users, your company logo, your callback URLs, or where Auth0 redirects your users after authentication. You can review our recommendations by reading [Tenant Settings](/docs/get-started/tenant-settings). Once you’ve set up the tenant, then you can create and configure your application or API. You can use the instructions in our articles [Create Applications](/docs/get-started/auth0-overview/create-applications) or [Register APIs](/docs/get-started/auth0-overview/set-up-apis) as a starting point. ### Authenticate The vehicle of authentication is the login form, or the intermediary to allow your users access to your application. Users provide pre-determined credentials, such as username or password, in the login form to verify their digital identities. Auth0’s Universal Login is a login form you can customize to accommodate your brand and configure to provide secure access. Some benefits of using Universal Login are: * Passwordless login with biometrics * Choice of multi-factor authentication methods from email, voice, or Duo * Single Sign-on (SSO) capabilities * Localization support To learn more, read [Universal Login](/docs/authenticate/login/auth0-universal-login). To find out more about available features, read [Universal Login vs. Classic Login](/docs/authenticate/login/auth0-universal-login/universal-login-vs-classic-login). Once you have a login form, you can connect your user store to Auth0. You can connect an existing database, or use a social, legal, or enterprise identity provider such as X or Azure Active Directory. New users can sign up with the connection you have configured. Once you have a login form and user store connection, you can set protocols that work behind the scenes when users log in to your application. The most common protocols are associated with the OAuth 2.0 and OpenID Connect (OIDC) specs you may have reviewed in our [Identity Fundamentals](/docs/get-started/identity-fundamentals) article. Another protocol to securely transmit information during log in comes in the form of tokens. Tokens from the Authorization Server, Auth0’s Authentication API, transmit information between entities.  When a user logs in and access is approved, the Authentication API sends an access token, an ID token, or both depending on the authentication grant you are using to create a session. Access tokens contain information about what scopes, or permissions, the requestor has in your application while ID tokens have requestor information, such as user metadata to better the user experience. Tokens from the Authentication API are JSON Web Tokens (JWTs) structured with: * a header that includes the signature * the payload that contains statements and attributes about the requestor * the signature that verifies the token is valid To learn more about tokens, read [Access Tokens](/docs/secure/tokens/access-tokens), [ID Tokens](/docs/secure/tokens/id-tokens), or [JSON Web Tokens](/docs/secure/tokens/json-web-tokens). Other protocols, like SAML (Security Assertion Markup Language) and WS-Fed (Web Service Federation) are used with more specific systems. SAML works with some identity providers while WS-Fed is used with Microsoft products. You can learn more by exploring the [Protocols](/docs/authenticate/protocols) section of our documentation. ### Manage users Managing user profiles and access can be time-consuming. If you choose to manage users with your Auth0 instance, you can remove some of the pain points. You can easily automate CRUD operations and query user profiles using Auth0 Dashboard or the Management API. You can categorize your users into categories with Auth0 Organizations to arrange your customer-base to fit your management style. To learn more, navigate to the [Manage Users](/docs/manage-users) section of our documentation. Your business model may include levels of access for your users. You may want a subsection of users to have read-only permissions and another subsection with the ability to edit. Auth0’s Authorization Core allows you to implement role-based access control. You can create roles, assign roles to users, and define permissions. If you want to manage access based on browser behaviors, you can limit the lifetime of a session. A session, or the interaction between the requesting entity and your application or resource, has a lifetime limit. A session can end when the user closes the browser or navigates away from your webpage. You can extend sessions with refresh tokens that renew access tokens. Configure refresh tokens in the Dashboard.  To learn more, read [Session Lifetime Limits](/docs/manage-users/sessions/session-lifetime-limits) and [Get Refresh Tokens](/docs/secure/tokens/refresh-tokens/get-refresh-tokens). Cookies, or strings of data, tie into the session and represent an authenticated user. Cookies allow your authenticated users to maintain a session and move between web pages without being forced to re-authenticate.  Once the browser closes, the cookie is cleared by the browser. ### Customize Your brand is important, and Auth0 offers customization to make the login experience more personalized to your business. You can add your logo and color scheme to your login form as well as use a custom domain to give you ownership of the login URL. To learn more about configuration, read [Custom Domains](/docs/customize/custom-domains). Universal Login offers numerous features to configure authentication to fit your needs, like Multi-factor authentication, passwordless authentication with device biometrics, and localization. On a more granular level, you can adjust the text of prompts your user receives when an action needs to be completed. You can configure prompts for your users to signup, to enroll a device for authentication, or to send a code to an email/SMS for users to enter for verification. You can also customize email communications to welcome new users, verify enrollment, or reset passwords with email templates. To learn more, read [Customize Universal Login Text Elements](/docs/customize/login-pages/universal-login/customize-text-elements) and [Customize Email Templates](/docs/customize/email/email-templates). You can also configure certain events with Auth0 Actions. Actions are secure functions that execute during runtime. Actions trigger at different points in the pipeline and have a variety of uses. You could add metadata before the user signs up or redirect users to an external site. To learn more about what Actions can do for you, read [Understand How Auth0 Actions Work](/docs/customize/actions/actions-overview). ### Secure Malicious attacks can happen anytime. Auth0 offers several attack protection options, such as Bot Detection in combination with Google reCAPTCHA Enterprise to prevent cyber attacks. To learn more about Bot Detection configuration, read [Bot Detection](/docs/secure/attack-protection/bot-detection). Even if you are using your own login page, Auth0 offers other security options you can enable in the Auth0 Dashboard: * Breached Password Detection * Brute-Force Protection * Suspicious IP Throttling Breached password detection is a security measure against malicious agents with stolen credentials. Brute-force protection safeguards a targeted user account by limiting the amount of login attempts that automatically block the malicious IP and send a notification to the flagged user account. Suspicious IP throttling works where brute force protection leaves off to block traffic from any IP address that attempts rapid signups or logins. Other security measures depend on how you want your users to authenticate. Enabling multi-factor authentication (MFA) in Universal Login requires users to provide two or more authentication factors. With Auth0, you can customize MFA to trigger under certain circumstances, such as a user logging in from an unknown device or from a questionable IP address. To learn more about configuring MFA, read [Adaptive MFA](/docs/secure/multi-factor-authentication/adaptive-mfa). ### Deploy and monitor When you’ve finished testing your Auth0 instance and are ready to deploy, you can use our public or private cloud offerings. To learn more about available offerings, read [Deployment Options](/docs/deploy-monitor/deployment-options). If you need a multi-tenant capable environment, you can read more about [Private Cloud on AWS](/docs/deploy-monitor/deploy-private-cloud/private-cloud-on-aws). To keep your deployment on track, we provide guidance in the form of pre-deployment recommendations, a deployment checklist, best practices, common fixes, and other tips to help make deployment as seamless as possible. Once you’ve established your production environment ready for users, you can be on the lookout with error tracking and alerts. The System Center Operations Manager allows you to monitor, while event logs can be exported to an analytical tool and allow you insight on trends, user behavior, or issues. # Auth0 Onboarding Source: https://auth0.com/docs/get-started/onboarding Integrate Auth0 into your existing infrastructure by following the B2B, B2C, or M2M pathway. Welcome to Auth0 Onboarding! This section of our documentation is to help you integrate Auth0 into your existing infrastructure and give you the confidence to go live with your integration. In this section, you can find relevant resources. As a complement to this guided onboarding, you can enroll in our free course [Introduction to Okta](https://www.okta.com/training/introduction-to-okta-formerly-okta-basics), which has relevant modules to assist you as you get started. Follow our guided onboarding to start your journey with Auth0.
Read... To learn...                                
Self-Service Machine-to-Machine How to onboard for machine-to-machine authentication.
## Resources and support Along with documentation and possible [architecture scenarios](/docs/get-started/architecture-scenarios), Auth0 has several means of support. * **Auth0 Community:** Engage in discussions with our [developer community and Auth0 experts](https://community.auth0.com/) or you can review our robust [Documentation](https://auth0.com/docs) and [FAQs](https://community.auth0.com/c/faq). * **Auth0 Marketplace**: [Marketplace](http://marketplace.auth0.com/) aims to simplify your development process with a straightforward way to add an integration to your application built and supported by trusted Marketplace Partners. The marketplace makes it easier and faster to extend and customize your Auth0 solution. All of the integrations you find in the Marketplace are validated by Auth0, so you know you can trust them. * **Auth0 Status Page:** Should you encounter service disruptions. Follow [our status page](https://status.auth0.com/) and subscribe to RSS feed to get the latest information around our operational status. ## Learn more * [Introduction to Auth0](/docs/get-started/identity-fundamentals/introduction-to-auth0) * [Identity Fundamentals](/docs/get-started/identity-fundamentals) * [Architecture Scenarios](/docs/get-started/architecture-scenarios) * [Login](/docs/authenticate/login) * [Check Auth0 Status](/docs/deploy-monitor/monitor/check-auth0-status) # Self-Service Machine-to-Machine Source: https://auth0.com/docs/get-started/onboarding/self-service-m2m Describes how to onboard with an M2M business case. If your business case services a non-interactive audience, like APIs or backend servers, you will onboard with a machine-to-machine (M2M) configuration. ## Use cases Use the M2M onboarding path if you: * Support service-to-service communications * Have scheduled jobs or cron tasks running on servers that need to access protected resources or APIs * Allow IoT devices to communicate with backend services or APIs * Have an API layer that needs to communicate with other API layers without user involvement or after a user token has expired * Have a privileged API that may need to be called before a user has authenticated (i.e. from an Action or custom database script in your Auth0 tenant) * Use an API Gateway to manage backend services * Use or support non-interactive applications or other tooling not involving human interaction such as daemons or backend services These services will still need an M2M access token for authentication. ## How to use this guide This guide is a pathway to create your M2M implementation in Auth0. We provide considerations, best practices, and concepts you should review. * In Architecture, we advise you to configure Auth0 to support your Software Development Life Cycle and existing infrastructure. * In Create an account, we provide instructions to create your API instance in Auth0 and an application to support the authentication flow (or grant) needed for machine-to-machine authentication. * In Authentication, we walk through the grant you need to use for authentication as well as access tokens and permissions (or scopes) you can set. * In Branding, we advise you where to find information on how to configure Custom Domains depending on how you plan to manage certificates. * In Deployment Automations, you can read about our tooling to assist with deployment. * In Quality Assurance, you can learn more about unit testing, and the readiness checks we provide in Auth0 Dashboard. ## Architecture Before you configure your Auth0 account and tenant, or the groups and structures of your Auth0 services, create a map of your existing infrastructure so you can best leverage Auth0’s capabilities in your existing ecosystem. As mentioned in common scenarios, you may have other non-interactive technologies in your application domain, network domain, or M2M device domain to consider before you configure Auth0. To review an example M2M scenario, read [Server + API](/docs/get-started/architecture-scenarios/server-application-api/part-1). To attempt a hands-on lab working with Node and test API deployment, visit our [GitHub repository](https://www.google.com/url?q=https://github.com/auth0-training/labs-node-working-with-apis\&sa=D\&source=docs\&ust=1723578190947730\&usg=AOvVaw3IXRQG9ogH4pW6LEY047T6). You may want to create a visualization of your current tech stack as well as plan how Auth0 fits in with your current Software Development Lifecycle (SDLC). This can help you determine how many tenants you may need. ### Considerations Before you create a new account or configure your first tenant, you may want to consider: * How you partition or group your APIs to call specific endpoints. * This may determine the audience and other claims on access tokens. * Any third-party consumers to your resource may request an access token for each call. Excessive calls could affect your [rate limit](/docs/troubleshoot/customer-support/operational-policies/rate-limit-policy/rate-limit-configurations/self-service-public). * You can use an API Gateway to limit the number of access tokens a third-party can request. To learn more about API Gateways and Auth0, read [Configure an Identity Provider in Access Gateway](/docs/get-started/auth0-overview/create-applications/configure-an-identity-provider-in-access-gateway). ## Create an account Now that you have a plan for your architecture, you’ll configure your Auth0 account and tenants. When you sign up for Auth0 services, you will create your first [tenant](/docs/get-started/auth0-overview/create-tenants). This is where you configure Auth0 assets, services, and resources. [Sign up](https://auth0.com/signup) to start. In the Auth0 Dashboard or with the Auth0 Management API, create: * An API to represent your API * An M2M application to use the Client Credential Flow You may want to plan some configuration details before you create an account. * Your tenant name has a role in your Auth0 domain. Before you determine a name, you should review [tenant characteristics](/docs/get-started/auth0-overview/create-tenants#create-a-tenant-and-domain). * Which Auth0 features you need for your use case. Some features are only available on Professional and Enterprise plans. * Determine if you need to support multiple environments, such as development, staging, and production. To learn more, read [Set Up Multiple Environments](/docs/get-started/auth0-overview/create-tenants/set-up-multiple-environments). * If you have a use case involving thirty-party applications you want to register in a tenant, you can use [Dynamic Application Registration](/docs/get-started/applications/dynamic-client-registration) based on the [OIDC Client Registration](https://openid.net/specs/openid-connect-registration-1_0.html) specification. ### Provision a tenant Now that you have a plan for your architecture, you’ll configure your Auth0 account and Tenant. Once you create an API in Auth0 Dashboard, a test application for the API automatically generates. If you create an API programmatically in [Management API](https://auth0.com/docs/api/management/v2/), you may need to create a test application in a separate call. #### Register an API In this section, create your API in Auth0. You can always update your API in Auth0 Dashboard or by calling the Management API [Update a resource server](https://auth0.com/docs/api/management/v2/resource-servers/patch-resource-servers-by-id) endpoint. Start by creating an instance in the Auth0 Dashboard for your APIs. 1. Follow instructions to [register your API](/docs/get-started/auth0-overview/set-up-apis). In the [Authentication](/docs/get-started/onboarding/self-service-m2m#authentication) section, configure your API settings for M2M authentication. To register an API programmatically, use the Management API. You will need an access token to use Management API. To learn how, read [Management API Tokens](/docs/secure/tokens/access-tokens/management-api-access-tokens). Use the sample provided in Management API Explorer to call the Management API [Create a Resource Server](https://auth0.com/docs/api/management/v2/resource-servers/post-resource-servers) endpoint and include the following parameters in the body:
Field Description Example
Name A friendly name for the API. Does not affect any functionality. yourDomain
Identifier A unique identifier for the API. Auth0 recommends using a URL. Auth0 does differentiate between URLs that include the last forward slash. For example, `https://example.com` and `https://example.com/` are two different identifiers. The URL does not have to be a publicly available URL. Auth0 will not call your API. This value cannot be modified afterwards. `https://{yourDomain}`
JSON Web Token (JWT) Profile The profile determines the format of the access tokens issued for the API. The available values are Auth0 and RFC 9068. To learn more, read Access Token Profiles. access\_token
JSON Web Token (JWT) Signing Algorithm The algorithm to sign the access tokens with. The available values are HS256, PS256, RS256. If you select RS256, the token will be signed with the tenant's private key. HS256
### Associate an application You need to create an association between your application and your API so your application can request access tokens from it. You will learn more about client grants in the Authentication section. Auth0’s API has multiple settings you may need to review before you configure. To learn more, read [API Settings](/docs/get-started/apis/api-settings). If you create your API in the Dashboard, Auth0 automatically generates a test application and associates it with your API. 1. Navigate to [Auth0 Dashboard > Applications](https://manage.auth0.com/#/applications). 2. Select the test M2M test application created when you created your API. You can create another application for development or production later by following the instructions on [Register Machine-to-Machine Applications](/docs/get-started/auth0-overview/create-applications/machine-to-machine-apps). 3. Switch to the **API** view, and then locate the API you’d like to enable for this application. 4. Enable the **Authorize** toggle, and then select the arrow button on the right to expand the card. 5. Select **Update**. Dashboard > Applications > APIs In this view, you can select the drop-down and choose the scopes you want to add. We will learn more about scopes when discussing access tokens under the Authentication section. Create an application to associate with your API. Use the sample provided in Management API Explorer to: 1. Call the [Create a Client](https://auth0.com/docs/api/management/v2/clients/post-clients) endpoint. You need to set the `app_type` to `non-interactive`. 2. Call the [Create Client Grant](https://auth0.com/docs/api/management/v2/client-grants/post-client-grants) endpoint to associate your application to your API. To learn about application and tenant settings, read [Tenant Settings](/docs/get-started/tenant-settings). ## Authentication When calling one API from another API, or from any situation where there is no authenticated user context, you need a way to authorize the application instead of a user. This is a one step process where the application is authenticated (using a `client_id` and `client_secret`) and then authorized in one call. For non-interactive applications or services to authentication, you must select a client grant, or authentication flow. The OAuth 2.0 [Client Credentials Flow](https://tools.ietf.org/html/rfc6749#section-4.4) does not require human interaction and is best suited for M2M applications. In Auth0 Dashboard or Management API, you will: * Set your application to use the Client Credentials Flow * Update the scopes for your M2M access tokens Before you configure your authentication method: * Review the [Client Credentials Flow](/docs/get-started/authentication-and-authorization-flow/client-credentials-flow) for machine-to-machine authentication. This is the workflow for non-interactive authentication and authorization. * Determine the level of access for your APIs. This helps determine what [scopes](/docs/get-started/apis/scopes/api-scopes), or permissions, you will configure when you create your API. ### Configure the Client Credential Flow You can use the Auth0 Dashboard or Management API to set the authentication flow to provide a client credential in exchange for an access token. Follow the instructions on [Update Grant Types](/docs/get-started/applications/update-grant-types) to use Auth0 Dashboard or Management API. ### M2M access tokens In token-based authentication, non-interactive clients provide `client_id` and `client_secret` in a call to the [Authentication API token endpoint](/docs/customize/actions/explore-triggers/machine-to-machine-trigger) to get an [access token](/docs/secure/tokens/access-tokens). This access token permits access to your protected API. The default profile, or format, is the Auth0 token profile associated with two token profiles. You can choose to change the token profile to RFC 9068. To learn more, read [Access Token Profiles](/docs/secure/tokens/access-tokens/access-token-profiles). To verify the token is valid, your API will check the [Signing Algorithms](/docs/get-started/applications/signing-algorithms). The default signing algorithm is RSA256, a key-based algorithm. Auth0 supports other client authentication methods besides providing Client ID and Client Secret as credentials. These methods, including our recommendation of [Private Key JWT](/docs/get-started/authentication-and-authorization-flow/authenticate-with-private-key-jwt) for M2M configurations, are available with an Enterprise plan. To learn more, read [Application Credentials](/docs/secure/application-credentials). #### Example A request to the `/oauth/token` endpoint should be similar to the sample below: ```bash cURL theme={null} curl --request POST \ --url 'https://{yourDomain}/oauth/token' \ --header 'content-type: application/x-www-form-urlencoded' \ --data grant_type=client_credentials \ --data client_id={yourClientId} \ --data client_secret={yourClientSecret} \ --data audience=YOUR_API_IDENTIFIER ``` ```csharp C# theme={null} var client = new RestClient("https://{yourDomain}/oauth/token"); var request = new RestRequest(Method.POST); request.AddHeader("content-type", "application/x-www-form-urlencoded"); request.AddParameter("application/x-www-form-urlencoded", "grant_type=client_credentials&client_id={yourClientId}&client_secret={yourClientSecret}&audience=YOUR_API_IDENTIFIER", ParameterType.RequestBody); IRestResponse response = client.Execute(request); ``` ```go Go theme={null} package main import ( "fmt" "strings" "net/http" "io/ioutil" ) func main() { url := "https://{yourDomain}/oauth/token" payload := strings.NewReader("grant_type=client_credentials&client_id={yourClientId}&client_secret={yourClientSecret}&audience=YOUR_API_IDENTIFIER") req, _ := http.NewRequest("POST", url, payload) req.Header.Add("content-type", "application/x-www-form-urlencoded") res, _ := http.DefaultClient.Do(req) defer res.Body.Close() body, _ := ioutil.ReadAll(res.Body) fmt.Println(res) fmt.Println(string(body)) } ``` ```java Java theme={null} HttpResponse response = Unirest.post("https://{yourDomain}/oauth/token") .header("content-type", "application/x-www-form-urlencoded") .body("grant_type=client_credentials&client_id={yourClientId}&client_secret={yourClientSecret}&audience=YOUR_API_IDENTIFIER") .asString(); ``` ```javascript Node.JS theme={null} var axios = require("axios").default; var options = { method: 'POST', url: 'https://{yourDomain}/oauth/token', headers: {'content-type': 'application/x-www-form-urlencoded'}, data: new URLSearchParams({ grant_type: 'client_credentials', client_id: '{yourClientId}', client_secret: '{yourClientSecret}', audience: 'YOUR_API_IDENTIFIER' }) }; axios.request(options).then(function (response) { console.log(response.data); }).catch(function (error) { console.error(error); }); ``` ```objc Obj-C theme={null} #import NSDictionary *headers = @{ @"content-type": @"application/x-www-form-urlencoded" }; NSMutableData *postData = [[NSMutableData alloc] initWithData:[@"grant_type=client_credentials" dataUsingEncoding:NSUTF8StringEncoding]]; [postData appendData:[@"&client_id={yourClientId}" dataUsingEncoding:NSUTF8StringEncoding]]; [postData appendData:[@"&client_secret={yourClientSecret}" dataUsingEncoding:NSUTF8StringEncoding]]; [postData appendData:[@"&audience=YOUR_API_IDENTIFIER" dataUsingEncoding:NSUTF8StringEncoding]]; NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://{yourDomain}/oauth/token"] cachePolicy:NSURLRequestUseProtocolCachePolicy timeoutInterval:10.0]; [request setHTTPMethod:@"POST"]; [request setAllHTTPHeaderFields:headers]; [request setHTTPBody:postData]; NSURLSession *session = [NSURLSession sharedSession]; NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) { if (error) { NSLog(@"%@", error); } else { NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response; NSLog(@"%@", httpResponse); } }]; [dataTask resume]; ``` ```php PHP theme={null} $curl = curl_init(); curl_setopt_array($curl, [ CURLOPT_URL => "https://{yourDomain}/oauth/token", CURLOPT_RETURNTRANSFER => true, CURLOPT_ENCODING => "", CURLOPT_MAXREDIRS => 10, CURLOPT_TIMEOUT => 30, CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1, CURLOPT_CUSTOMREQUEST => "POST", CURLOPT_POSTFIELDS => "grant_type=client_credentials&client_id={yourClientId}&client_secret={yourClientSecret}&audience=YOUR_API_IDENTIFIER", CURLOPT_HTTPHEADER => [ "content-type: application/x-www-form-urlencoded" ], ]); $response = curl_exec($curl); $err = curl_error($curl); curl_close($curl); if ($err) { echo "cURL Error #:" . $err; } else { echo $response; } ``` ```python Python theme={null} import http.client conn = http.client.HTTPSConnection("") payload = "grant_type=client_credentials&client_id={yourClientId}&client_secret={yourClientSecret}&audience=YOUR_API_IDENTIFIER" headers = { 'content-type': "application/x-www-form-urlencoded" } conn.request("POST", "/{yourDomain}/oauth/token", payload, headers) res = conn.getresponse() data = res.read() print(data.decode("utf-8")) ``` ```ruby Ruby theme={null} require 'uri' require 'net/http' require 'openssl' url = URI("https://{yourDomain}/oauth/token") http = Net::HTTP.new(url.host, url.port) http.use_ssl = true http.verify_mode = OpenSSL::SSL::VERIFY_NONE request = Net::HTTP::Post.new(url) request["content-type"] = 'application/x-www-form-urlencoded' request.body = "grant_type=client_credentials&client_id={yourClientId}&client_secret={yourClientSecret}&audience=YOUR_API_IDENTIFIER" response = http.request(request) puts response.read_body ``` ```swift Swift theme={null} import Foundation let headers = ["content-type": "application/x-www-form-urlencoded"] let postData = NSMutableData(data: "grant_type=client_credentials".data(using: String.Encoding.utf8)!) postData.append("&client_id={yourClientId}".data(using: String.Encoding.utf8)!) postData.append("&client_secret={yourClientSecret}".data(using: String.Encoding.utf8)!) postData.append("&audience=YOUR_API_IDENTIFIER".data(using: String.Encoding.utf8)!) let request = NSMutableURLRequest(url: NSURL(string: "https://{yourDomain}/oauth/token")! as URL, cachePolicy: .useProtocolCachePolicy, timeoutInterval: 10.0) request.httpMethod = "POST" request.allHTTPHeaderFields = headers request.httpBody = postData as Data let session = URLSession.shared let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in if (error != nil) { print(error) } else { let httpResponse = response as? HTTPURLResponse print(httpResponse) } }) dataTask.resume() ``` The response should be similar to the sample below: ```json lines theme={null} HTTP/1.1 200 OK Content-Type: application/json { "access_token":"eyJz93a...k4laUWw", "token_type":"Bearer", "expires_in":86400 } ``` #### Token expiration Your access tokens have a limit for how long the token is valid. Since your communications are on the back-channel, you cannot use refresh tokens to extend sessions, and should consider configuring your access tokens with a 1-hour expiration time. You may need to strike your own balance between security and performance for your specific environment. To learn more, read [Update Access Token Lifetime](/docs/secure/tokens/access-tokens/update-access-token-lifetime). ### Scopes Before any non-interactive clients or services call your API, you need to define the permissions or Scopes your API allows. You can set the scopes in Auth0 Dashboard to include in your authentication request to Authentication API. To read more examples of ways to use API scopes, read [API Scopes](/docs/get-started/apis/scopes/api-scopes). To configure scopes, follow the instructions on [Add API Permissions](/docs/get-started/apis/add-api-permissions) for Auth0 Dashboard or use the sample provided for Management API. To add custom claims to an access token, you can use the Actions Machine-to-Machine Flow. To learn more, read Machine to Machine Flow. ## Branding Even if you service non-interactive clients or services working on the back-channel, you can still customize your experience to align with the look and feel of your existing brand. ### Custom domains Auth0 supports the use of custom domains when you call the `/authorize` endpoint to request access tokens. In Auth0 Dashboard, you must: * Register and verify your domain before you can use it with your Auth0 services. * Determine if you want to manage your own certificate or use an Auth0 managed certificate. To learn more about certificates, read [Certificate management options](/docs/customize/custom-domains#certificate-management-options). * Verify the TLS (SSL) version and cipher you want to use for self-managed certificates is supported by Auth0. To learn more, read [TLS (SSL) Versions and Ciphers](/docs/customize/custom-domains/self-managed-certificates/tls-ssl). 1. To configure your custom domain with Auth0-managed certificates, follow the instructions on [Configure Custom Domains with Auth0-Managed Certificates](/docs/customize/custom-domains/auth0-managed-certificates). 1. If you want to manage your own certificates, follow the instructions on [Configure Custom Domains with Self-Managed Certificates](/docs/customize/custom-domains/self-managed-certificates). You must have an Enterprise subscription to manage certificates in your custom domain. To learn more, read [Auth0 Pricing](https://auth0.com/pricing/) and [Login](/docs/authenticate/login). 2. Review [API configuration with custom domains](/docs/customize/custom-domains/configure-features-to-use-custom-domains#apis). You may need to adjust your API settings to incorporate a custom domain. If you experience issues with your custom domain, review [Troubleshoot Custom Domains](/docs/troubleshoot/integration-extensibility-issues/troubleshoot-custom-domains). ## Deployment Automation Auth0 provides support for a couple of different options when it comes to the deployment automation approaches you can use, and each can be used in conjunction with the other. However you configure deployment automation, we’d recommend you unit test your custom code and Actions prior to deployment, and run some integration tests against your tenant post-deployment too. ### Deploy CLI Tool As recommended under the Architecture section, you should have Auth0 tenants for development, test, and production. These tenants should share identical configurations for quality checks and testing; however, you may be faced with errors as a result of mismatched configurations between your environments. For example, each environment will have different Client IDs and Client Secrets. To mitigate these mismatch errors, you can use the Deploy CLI Tool to help you integrate your Auth0 instance with your existing CI/CD pipeline.  With dynamic keyword replacement, you can replace environmental variables on tenants sharing similar configurations. To learn more, read [Deploy CLI Tool](/docs/deploy-monitor/deploy-cli-tool) and [Keyword Replacement](/docs/deploy-monitor/deploy-cli-tool/keyword-replacement). ### Actions Real-time Logs Actions Real-time Logs displays all logs for custom cSode in real-time, including `console.log` output and other exceptions. If you are using Auth0 Actions or other custom logic, you can use this extension to debug and troubleshoot. To learn more about installation and configuration, read [Actions Real-time Logs](/docs/customize/actions/actions-real-time-logs). ## Quality Assurance Quality Assurance is important in identifying issues before you go live. Depending on the nature of your project, there are several different types of quality assurance testing that you’re going to want to consider as part of your integration with Auth0: * How will your APIs perform when subjected to unexpected production loads? * How will your rate limits be affected by third-party applications? If you are not using Auth0 widgets or features, like Universal Login, you will not have the built-in usability and accessibility best practices out-of-the-box on a host of browsers and devices. To ensure functional requirements are met and unexpected events are handled correctly, guidance is provided for testing the integration between your application(s) and Auth0, and for unit testing individual extensibility modules, such as Auth0 Actions. We also recommend you review Auth0’s [penetration testing policy](/docs/troubleshoot/customer-support/operational-policies/penetration-testing-policy) and complete Mock testing you can leverage in conjunction with our [load testing policy](/docs/troubleshoot/customer-support/operational-policies/load-testing-policy) to help ensure your application(s) perform under unexpected load. ### Unit testing Unit testing is verifying units of extensibility, like Auth0 Actions. If you are using custom code we recommend using a test framework (such as [Mocha](https://mochajs.org/)) to test the additional code before deployment. ### Mock testing In a balance between Auth0’s [load testing policy](/docs/troubleshoot/customer-support/operational-policies/load-testing-policy) and the desire to load test, it is common practice to create a mock test of Auth0’s endpoints. This is a valuable practice in order to ensure that your configuration works with your expected interfaces without having to restrict your testing, and tools such as [MockServer](http://www.mock-server.com/), [JSON Server](https://github.com/typicode/json-server), or even [Postman](https://learning.getpostman.com/docs/postman/mock_servers/setting_up_mock/) can be used to assist. ## Deployment Our [Deploy and Monitor](/docs/deploy-monitor) section provides guidance for deployment best practices. We advise your review [Pre-Deploym](/docs/deploy-monitor/pre-deployment-checks)[ent Checks](/docs/deploy-monitor/pre-deployment-checks), especially the built-in [Auth0 Dashboard Readiness Checks](/docs/deploy-monitor/pre-deployment-checks/how-to-run-production-checks). To review the Readiness Check, select the drop-down menu below your tenant name and environmental tag at [Auth0 Dashboard > Run Readiness Checks](https://manage.auth0.com/#/production-checks). Auth0 Dashboard > Readiness Checklist You can use the filter to apply the Readiness Checks to selected applications. **These checks do not apply to your configured APIs**. For checks that do not apply to your specific configuration, you can select **Dismiss** to remove them from the final results. We advise you to review [Deployment Best Practices](/docs/deploy-monitor/deployment-best-practices) for final checks before you go live and take advantage of [Logs](/docs/deploy-monitor/logs) to monitor your services. ## Learn more * [Auth0 Overview](/docs/get-started/auth0-overview) * [Solution Overview (Server Apps + API)](/docs/get-started/architecture-scenarios/server-application-api/part-1) * [Call Your API Using the Client Credentials Flow](/docs/get-started/authentication-and-authorization-flow/client-credentials-flow/call-your-api-using-the-client-credentials-flow) * [Retrieve Log Logs Using the Management API](/docs/deploy-monitor/logs/retrieve-log-events-using-mgmt-api) * [Get Management API Access Tokens for Production](/docs/secure/tokens/access-tokens/management-api-access-tokens/get-management-api-access-tokens-for-production) # Tenant Settings Source: https://auth0.com/docs/get-started/tenant-settings Describes the settings related to tenants available in the Auth0 Dashboard. Use the **Tenant Settings** page in the Auth0 Dashboard at [Dashboard > Settings](https://manage.auth0.com/#/tenant) to configure various settings related to your Auth0 tenant. ## Recommended settings When you configure your tenant, set the following items: * **Specify the Environment Tag.** Tenants tagged as **Production** are granted higher rate limits than tenants tagged as **Development** or **Staging**. On non-Enterprise plans, only one tenant per subscription can be tagged as **Production**. To learn more, read [Set Up Multiple Environments](/docs/get-started/auth0-overview/create-tenants/set-up-multiple-environments). * **Set the Support Email and Support URL.** If a user encounters an issue while logging in, they'll want to reach out for help. Set these values to direct them to an email address or landing page to get assistance. * **Configure a custom error page.** If possible, you should host your own custom error page and configure Auth0 to use it instead of the default page. This allows you to provide more complete and customized explanations to users about what to do in the event of an error. * **Set up a custom domain.** If you are on a paid plan, you can configure a custom domain for your Auth0 tenant. A custom domain unifies the login experience with your brand and provides additional benefits. To learn more, read [Custom Domains](/docs/customize/custom-domains). * **Set the Single Sign-On (SSO) session timeout.** The SSO session timeout value specifies the time until a user's session expires. The value is 7 days by default, which is the length of time users can access your Auth0-integrated applications without re-entering their credentials. To learn more, read [Sessions](/docs/manage-users/sessions). * **Set up tenant members.** Configure additional Auth0 Dashboard users and enable multi-factor authentication (MFA). To learn more, read [Manage Dashboard Access](/docs/get-started/manage-dashboard-access) and [Manage Dashboard Access with Multi-Factor Authentication](/docs/get-started/manage-dashboard-access/add-change-remove-mfa). * **Disable the Enable Application Connections setting.** If this setting is enabled, all configured connections will be automatically enabled for any new application you create. As a result, users may be able to log in to the application through connections that you did not intend to be available. Disable this setting so you can explicitly enable the connections appropriate for each application. * **Enable Attack Protection.** Protect your users against brute force attacks and breached passwords. To learn more, read [Attack Protection](/docs/secure/attack-protection). ## General On the **General** tab, you can customize basic tenant settings. ### Settings Dashboard Tenant Settings General Settings tab * **Friendly Name**: Name you want to be displayed to your users on the Universal Login page. Typically this is the name of your company or organization. * **Logo URL**: URL of the logo you want to be displayed on the Universal Login page. Minimum recommended resolution is 200 pixels (width) by 200 pixels (height). * **Support Email**: Email address used to contact your support team. * **Support URL**: Link to your company or organization support page. ### Environment Tag You can identify your tenant as a production, staging, or development tenant to differentiate it from other tenants. Higher rate limits apply to tenants tagged as Production with a paid subscription. To learn more, read [Set Up Multiple Environments](/docs/get-started/auth0-overview/create-tenants/set-up-multiple-environments). undefined ### API Authorization Settings Dashboard Tenant Settings General Tab API Authorization Settings * **Default Audience**: API identifier to use for [Authorization Flows](/docs/get-started/authentication-and-authorization-flow). If you enter a value, all access tokens issued by Auth0 will specify this API identifier as an audience. Setting the **Default Audience** is equivalent to appending this audience to every authorization request made to your tenant for every application. This will cause new behavior that might result in breaking changes for some of your applications. Please [contact support](/docs/troubleshoot/customer-support/open-and-manage-support-tickets) if you require assistance. * **Default Directory**: Name of the default connection to be used for both the [Resource Owner Password Flow](/docs/get-started/authentication-and-authorization-flow/resource-owner-password-flow) and [Universal Login Experience](/docs/authenticate/login/auth0-universal-login/universal-login-vs-classic-login/universal-experience). Its value should be the exact name of an existing connection for one of the following strategies: `auth0-adldap`, `ad`, `auth0`, `email`, `sms`, `waad`, or `adfs`. ### Error Pages In the event of an authorization error, you can either display a generic error page to your users or you can redirect users to your own custom error page. To learn more, read [Custom Error Pages](/docs/customize/login-pages/custom-error-pages). Dashboard Tenant Settings General Error Pages ### Languages Dashboard Tenant Settings General Tab Languages * **Default Language**: Language your tenant will use by default. * **Supported Languages**: Languages also supported by your tenant. ## Subscription On the **Subscription** tab, you can review your current subscription and compare features of your current plan to other Auth0 subscription plans. You can also change your subscription plan. To learn more, read [Manage Subscription](/docs/troubleshoot/customer-support/manage-subscriptions). If you have an Enterprise subscription, please refer to your Auth0 agreement for details. Auth0 Tenant Settings Subscription tab ## Payment On the **Payment** tab, you can enter or update your billing details. ## Tenant Members On the **Tenant Members** tab, you can view a list tenant members assigned to your tenant. You may also add or remove tenant members and review their assigned roles and if they have multi-factor authentication (MFA) enabled. To learn more, read [Manage Dashboard Access](/docs/get-started/manage-dashboard-access). Dashboard Tenant Settings Tenant Members tab ## Custom Domains On the **Custom Domains** tab, you can configure a custom domain to maintain a consistent user experience. When you create a custom domain, users will remain in your domain for login rather than being redirected to your `auth0.com` domain. To learn more, read [Custom Domains](/docs/customize/custom-domains). Both your specific login implementation and your Auth0 plan or custom agreement affect whether this feature is available. To learn more, read [Pricing](https://auth0.com/pricing). Dashboard Tenant Settings Custom Domains tab ## Signing Keys On the **Signing Keys** tab, you can securely manage the signing key and certificate used to sign ID tokens, access tokens, SAML assertions, and WS-Fed assertions that are sent to your applications. Dashboard Tenant Settings Signing Keys tab * **Rotation Settings**: Settings that allow you to rotate the application signing key and certificate. You can choose whether or not to revoke the signing key upon rotation. To learn more, read [Signing Keys](/docs/get-started/tenant-settings/signing-keys). * **Rotate Signing Key**: Rotates the signing key without revoking it; effectively, moves the current key to the previous key. All tokens signed with the previous key will still be valid until it is revoked. * **Rotate & Revoke Signing Key**: Rotates the signing key and then revokes it; effectively, moves the current key to the previous key, and then invalidates the previous key. Make sure you have updated your application with the next key in the queue before you rotate and revoke the current key. * **List of Valid Keys**: List of valid application signing keys for your tenant, which are also available at the Metadata endpoint for your application. Valid keys include: * **Next in queue**: Key that will be used when the signing key is next rotated. * **Currently used**: Key that is currently in use. * **Previously used**: Key that was previously used. Its appearance indicates that the signing key has been rotated, but the previously-used key has not yet been revoked. * **List of Revoked Keys**: List of the last three revoked keys for your tenant. More data about revoked keys is available in tenant logs. ## Advanced On the **Advanced** tab, you can configure advanced tenant settings. ### Login and Logout Dashboard Tenant Settings Advanced Tab Login and Logout * **Tenant Login URI**: URI that points to a route in your application that starts the OIDC login flow by redirecting to the `/authorize` endpoint; it should take the form of `https://mytenant.org/login`. This will only be used in scenarios where Auth0 needs your tenant to start the OIDC login flow. To learn more, see [Configure Default Login Routes](/docs/authenticate/login/auth0-universal-login/configure-default-login-routes). * **Allowed Logout URLs**: URLs Auth0 can redirect to after logout when no client\_id is specified on the Logout endpoint invocation. Useful as a global list when Single Sign-on (SSO) is enabled. To learn more, read [Logout](docs/authenticate/login/logout). * **Allowed ACR Values**: List of allowed Authentication Context Class Reference (ACR). These values are included in the OpenID Configuration document. When populated, values not listed here will be rejected if used in authentication flows. * **RP-Initiated Logout End Session Endpoint Discovery**: Controls if the logout endpoint is advertised in the OpenID Configuration responses as `end_session_endpoint`. * **RP-Initiated Logout End-User Confirmation**: Controls whether the user is asked to confirm login if the RP-Initiated logout request does not include the correct hints. * **Non-Verifiable Callback URI End-User Confirmation**: Controls whether the user is prompted to confirm login when a custom URI scheme is used as callback. Auth0 recommends that you **do not** skip end-user confirmation in these cases. To learn more, read [Measures Against Application Impersonation](docs/secure/security-guidance/measures-against-app-impersonation.mdx). ### Login Session Management The **Login Session Management** settings configure the login session lifetime that represents the Auth0 Authorization Server session layer. The authorization server session layer drives single sign-on (SSO). To learn more, read [Single Sign-on](/docs/authenticate/single-sign-on). Timeouts for tokens issued by Auth0 can be configured elsewhere. Token timeouts are often used to drive the Application session layer and appear in token claims, such as in the expiration claim for OpenID Connect (OIDC) ID tokens or the lifetime assertion for SAML. Dashboard Tenant Settings Advanced Login Session Management * **Inactivity timeout**: Timeframe (in minutes) after which a user's session will expire if they haven’t interacted with the Authorization Server. It will be superseded by system limits if over 4,320 minutes (3 days) for non-Enterprise plans or 144,000 minutes (100 days) for Enterprise plans. * **Require log in after**: Timeframe (in minutes) after which a user will be required to log in again, regardless of their activity. It will be superseded by system limits if over 43,200 minutes (30 days) for non-Enterprise plans or 525,600 minutes (365 days) for Enterprise plans. ### Device Flow User Code Format If you are using the [Device Authorization Flow](/docs/get-started/authentication-and-authorization-flow/device-authorization-flow), these settings configure the randomly generated user code. To learn more, read [Configure Device User Code Settings](/docs/get-started/tenant-settings/configure-device-user-code-settings). Dashboard Tenant Settings Advanced Tab Device Flow User Code Format * **User Code Character Set**: Character set used to generate the user code. * **User Code Mask**: Mask used to format the user code. The mask defines the length of the user code and formats it into a friendly, readable value, allowing spaces or hyphens for readability. ### Global client information The **Global Client ID** and **Global Client Secret** are used to generate tokens for legacy Auth0 APIs. Typically, you will not need these values. If you need to have the global client secret changed, please [contact support](https://support.auth0.com). Dashboard Tenant Settings Advanced Tab Global Client Information ### Settings (Advanced) Dashboard Tenant Settings Advanced Tab Settings * **Change Password Flow v2**: When enabled, the newest version of the Change Password Flow will be used. The previous version has been deprecated, and we strongly recommend enabling v2. This flag is presented only for backward compatibility, and once enabled, you can no longer disable it. You can customize the user interface for the Change Password widget on the [Universal Login > Password Reset](https://manage.auth0.com/#/password_reset) tab in the Auth0 Dashboard. * **Dynamic Client Registration (DCR)**: When enabled, third-party developers will be able to dynamically register applications for your APIs. You can also update this flag using the [`/tenant/patch_settings`](https://auth0.com/docs/api/management/v2#!/Tenants/patch_settings) endpoint of the Auth0 Management API. By default, this feature is disabled. To learn more, read [Dynamic Client Registration](/docs/get-started/applications/dynamic-client-registration). * **Resource Parameter Compatibility Profile (Early Access)**: When enabled, Auth0 uses the `resource` parameter to specify which resource server (API) the client application wants to access. When disabled, which is the default, Auth0 uses the `audience` parameter to specify the resource server. When enabled, Auth0 first checks the `audience` parameter, and if not available, it uses the `resource` parameter. The value of the `resource` parameter must be an absolute URI and can be forwarded to an upstream identity provider. * **Enable Application Connections**: When enabled, all current connections will be enabled for any new application that is created. * **Use a generic response in public signup API error message**: When enabled, errors generated while using the public signup API will return a generic response. This helps protect against user registration enumeration by preventing bad actors from being able to guess previously-registered identifiers (username, email, or phone) from reading error response codes, such as `user_exists`. * **Enable Publishing of Enterprise Connections Information with IdP domains**: When enabled, it supports [Home Realm Discovery](/docs/authenticate/login/auth0-universal-login/identifier-first) and [Auth0 Lock](/docs/libraries/lock) relies on a checked public file that includes enterprise connection information. If you don’t require that functionality, you can disable it. * **Enable email verification flow during login for Azure AD and ADFS connections**: When enabled, users will be presented with an email verification prompt during their first login when using Azure AD or ADFS connections. * **Refresh Token Revocation Deletes Grant**: When enabled, it deletes the underlying grant when you revoke a refresh token using the Authentication API `/oauth/revoke` endpoint. For existing tenants, this feature is enabled by default to preserve the existing behavior. For new tenants (as of 13 January 2021), this feature is disabled by default to ensure that the revocation of a refresh token will not revoke the grant. If a grant revocation is needed, a separate request must be sent using a grant revocation endpoint. * **Allow Organization Names in Authentication API**: When enabled, [/authorize](https://auth0.com/docs/api/authentication#authorize-application) and [SAML](https://auth0.com/docs/api/authentication#saml) endpoints can accept both organization IDs and names. Additionally, ID and access tokens will include both `org_id` and `org_name` claims. Before enabling this setting, review [Use Organization Names in Authentication API](/docs/manage-users/organizations/configure-organizations/use-org-name-authentication-api) for important considerations and potential impacts. * **Allow Pushed Authorization Requests (PAR):** When enabled, the `/par` endpoint can accept authorization requests pushed to it from a client application. This prevents the client application from sending requests via the insecure front channel (i.e. the browser). ### Extensibility Dashboard Tenant Settings Advanced Tab Extensibility * **Runtime**: Select the version of the Node.js runtime environment you want to use for Auth0 extensibility features, including [Custom Database Action Scripts](/docs/authenticate/database-connections/custom-db/templates) and [Custom Social Connections](/docs/authenticate/identity-providers/social-identity-providers/oauth2). * **Verify Custom DB Scripts:** Select and run a Node.js runtime version compatibility check for enabled Custom Databases. The Verify Custom Database Action Scripts feature: * Is available if your tenant has 1 to 10 [database connections](/docs/authenticate/database-connections/custom-db/create-db-connection). * Requires [custom database scripts](/docs/authenticate/database-connections/custom-db/templates) to be enabled. * Only checks Node.js runtime compatibility. Functionality is not verified. ### Migrations In this section, you can choose to enable or disable various migrations that are available. ### Feature Previews In this section, you can choose to enable or disable feature previews that are available. ### Delete tenant or subscription Deleted tenants cannot be restored and the tenant name cannot be used again when creating new tenants. To learn how to reset your tenant configuration, read [Delete or Reset Tenants](/docs/troubleshoot/customer-support/manage-subscriptions/delete-or-reset-tenant). ## Learn more * [Manage Subscriptions](/docs/troubleshoot/customer-support/manage-subscriptions) * [Delete or Reset Tenants](/docs/troubleshoot/customer-support/manage-subscriptions/delete-or-reset-tenant) * [Manage Dashboard Access](/docs/get-started/manage-dashboard-access) * [Signing Keys](/docs/get-started/tenant-settings/signing-keys) * [Custom Domains](/docs/customize/custom-domains) # Configure Device User Code Settings Source: https://auth0.com/docs/get-started/tenant-settings/configure-device-user-code-settings Learn how to configure the user code generated by your applications during the device authorization flow using the Auth0 Dashboard. You can configure settings for the user code generated by your application during the [Device Authorization Flow](/docs/get-started/authentication-and-authorization-flow/device-authorization-flow) using the Auth0 Dashboard. 1. Go to [Dashboard > Settings](https://manage.auth0.com/#/tenant) and click the **Advanced** tab. 2. Scroll to the **Device Flow User Code Format** section, locate **User Code Character Set** and **User Code Mask**, enter the desired settings, and click **Save**.
Setting Description
Device Flow User Code Format Character set used to when randomly generating a user code.
User Code Mask Mask used to define length and format of a randomly-generated user code. Its purpose is to increase the user code's readability and ease of input.
## Learn more * [Device Authorization Flow](/docs/get-started/authentication-and-authorization-flow/device-authorization-flow) * [Unlink Devices from Users](/docs/manage-users/user-accounts/unlink-devices-from-users) # Enable Single Sign-On for Tenants Source: https://auth0.com/docs/get-started/tenant-settings/enable-sso-for-legacy-tenants Describes how to enable Single Sign-on (SSO) for a tenant using the Auth0 Dashboard. Only for use with legacy tenants. Only for use with legacy tenants. By default, seamless single sign-on (SSO) is enabled for all new Auth0 tenants, however, legacy tenants may choose whether to enable this feature. You can enable SSO for your tenant using the Auth0 Dashboard. If you do not choose to enable tenant-level SSO, you may [enable it per application](/docs/get-started/applications/enable-sso-for-applications). If you do not see this setting available in the Dashboard, you already have Seamless SSO enabled; this toggle is strictly for legacy tenants. 1. Go to [Dashboard > Tenant Settings](https://manage.auth0.com/#/tenant). Dashboard Tenant Settings General Settings tab 2. Go to the **Advanced** tab. 3. Scroll to the **Log In Session Management** section. Locate **Enable Seamless SSO**. 4. Enter the **Inactivity timeout** (default 4320 minutes) and **Require log in after** (default 10080 minutes) fields. Once finished, you should also [configure your session lifetime settings](/docs/manage-users/sessions/configure-session-lifetime-settings). ## Learn more * [Single Sign-On](/docs/authenticate/single-sign-on) # Find Your Tenant Name or Tenant ID Source: https://auth0.com/docs/get-started/tenant-settings/find-your-tenant-name-or-tenant-id How to find the name of your Auth0 tenant Every Auth0 tenant has a name. You use this name frequently in your code to identify the tenant. When you see the `{yourTenantId}`, `{yourTenantName}`, `{yourTenant}`, or similar variable in the Auth0 documentation, substitute the variable with the tenant name. 1. Go to the [Auth0 Dashboard](https://manage.auth0.com/#). 2. In the top-left corner, find the tenant name beside the Auth0 logo. Find the name or ID of your Auth0 tenant ## Learn more * [Tenant Settings](/docs/get-started/tenant-settings) * [Multi-Tenant Applications Best Practices](/docs/get-started/auth0-overview/create-tenants/multi-tenant-apps-best-practices) # Signing Keys Source: https://auth0.com/docs/get-started/tenant-settings/signing-keys Describes how your tenant's application signing keys work. When you select our recommended signing algorithm (RS256), Auth0 uses public-key cryptography to establish trust with your applications. In more general terms, we use a signing key that consists of a public and private key pair. Signing keys are used to sign ID tokens, access tokens, SAML assertions, and WS-Fed assertions sent to your application or API. The signing key is a JSON web key (JWK) that contains a well-known public key used to validate the signature of a signed JSON web token (JWT). A JSON web key set (JWKS) is a set of keys containing the public keys used to verify any JWT issued by the authorization server and signed using the RS256 signing algorithm. The service may only use one JWK for validating web tokens, however, the JWKS may contain multiple keys if the service rotated signing certificates. ## How it works When a user signs in to your application, we create a token that contains information about the user and sign the token using its private key before we send it back to your application. Auth0 secures the private key, which is unique per tenant. To verify that the token is valid and originated from Auth0, your application validates the token’s signature using the public key. We provide other application security key management capabilities through both our Dashboard and Management API. Auth0 recommends that you rotate keys regularly to ensure you will be ready for action in case of a security breach. Additional application signing certificates are listed below. These links populate using your active tenant to provide you with accurate information. You must be logged in to `auth0.com/docs` with your tenant credentials to access these links. To sign in, select **Log in** to the top right. After logging in, you can switch between tenants by selecting your profile icon and choosing **Switch tenant**. * CER * PEM * raw PEM * PB7 * Fingerprint You can also retrieve this information for individual applications through the Auth0 Dashboard. To do so, navigate to the **Settings** page for a specific application. Then, expand the **Advanced Settings** and choose the **Certificates** tab. We use the application signing key to sign assertions that are sent to applications. These assertions may include ID tokens, access tokens, SAML assertions, and WS-Fed assertions. Note that these keys are different from those used to sign interactions with connections, including signing SAML requests to Identity Providers (IdPs) and encrypting responses from IdPs. By default, SAML assertions for IdP connections are signed, which we recommend. To get public keys you can use to configure the IdP, see [SAML Identity Provider Configuration: Signed Assertions](/docs/authenticate/protocols/saml/saml-identity-provider-configuration-settings). The rotation and revocation process supports your personal preferences and promotes a graceful transition for your application. If you prefer to update your application first, then rotate and revoke your key, you may do that. Alternatively, if you prefer to rotate your key, and then update your application and revoke your old key, you may also do that. Available keys include: * **Currently used**: Key that is currently being used to sign all new assertions. * **Previously used**: Key that was previously used, but has been rotated out. Assertions that were generated with this key will still work. * **Next in queue**: Key that is queued and will replace the current key when the application signing key is next rotated. Always test signing key rotation on a development tenant before rotating application signing keys in production. ## Limitations Rotating your signing key will be subject to a smaller rate limit than other API endpoints. To learn more, read [Management API Rate Limits](/docs/troubleshoot/customer-support/operational-policies/rate-limit-policy/management-api-endpoint-rate-limits). ## Learn more * [Rotate Signing Keys](/docs/get-started/tenant-settings/signing-keys/rotate-signing-keys) * [Revoke Signing Keys](/docs/get-started/tenant-settings/signing-keys/revoke-signing-keys) * [View Signing Certificates](/docs/get-started/tenant-settings/signing-keys/view-signing-certificates) * [Change Application Signing Algorithms](/docs/get-started/applications/change-application-signing-algorithms) # Customer Provided Public Signing Keys Source: https://auth0.com/docs/get-started/tenant-settings/signing-keys/customer-signing-keys Learn how to import your own signing keys to use with Auth0. Customer Provided Signing Key is currently in Early Access. To learn more, read Product Release Stages. If you want to participate in Customer Provided Signing Keys, you must have an Enterprise plan. Contact your Technical Account Manager for more information. Auth0 uses cryptographic keys to sign access tokens to ensure that tokens are issued by Auth0. Auth0 signs the tokens with a private signing key and publishes the public key to the tenant’s “well-known” JSON Web Token Key Set ([JWKS](/docs/secure/tokens/json-web-tokens/json-web-key-sets)) endpoint: `https://{yourDomain}/.well-known/``jwks.json`. If you generate your own signing keys, you can import the public key to your tenant’s `/.well-known` JWKS endpoint. Auth0 can be the single distribution point for Auth0 signing keys and your custom signing keys. If your business case requires your application to be embedded in remote devices, you can migrate your existing signing keys for Auth0 to publish the public key to your `/.well-known` endpoint. When access tokens with your custom signing keys are being issued as a result of a user authentication and authorization flow: * Auth0's Key Management System is responsible for protecting the signing keys you generate and provide. * Auth0 issues tokens for [authentication and authorization](/docs/get-started/identity-fundamentals/authentication-and-authorization) as the identity provider. * Auth0 publishes a list of valid public keys at a distribution URL specific to the tenant. * A proxy solution receives Auth0 issued tokens and makes them available to legacy applications and APIs. Tokens signed by customer keys cannot be consumed by [Auth0 APIs](/docs/api). * Customer applications use the issued access tokens to consume APIs and resources. * APIs and resources servers validate the signature of the access tokens presented to them by retrieving the public key from Auth0’s JWKS distribution to perform the token signature verification. ## How it works 1. The public part of the signing key is imported to Auth0 and pend publication to Auth0 keys as an aggregated [JWKS](/docs/secure/tokens/json-web-tokens/json-web-key-sets). 2. The public signing key is published to the well-known endpoint of your tenant’s [custom domain](/docs/customize/custom-domains): `{yourCustomDomain}/.well-known/jwks.json`. 3. Auth0 issues access tokens. Those tokens are customized and re-signed with your signing key 4. Your application uses the customized tokens for access to your resources, such as APIs. 5. Auth0 distributes your key by publishing to the `/.wellknown` endpoint. ## Prerequisites To import custom signing keys into Auth0, you must: * Configure a Custom Domain. The aggregated JWKS is served from a custom domain and is not available on the canonical domain. To learn more, read [Custom Domains.](/docs/customize/custom-domains) * Use Auth0’s Private Cloud. You can only import signing keys in Private Cloud environments. To learn more, read about our Private Cloud on [AWS](/docs/deploy-monitor/deploy-private-cloud/private-cloud-on-aws) and [Azure](/docs/deploy-monitor/deploy-private-cloud/private-cloud-on-azure). ## Configure your custom keys with Management API Use the Management API to upload your custom keys in the form of JWKS. To create new (replace all existing) custom keys, make a `PUT` call to the [Create or replace custom signing keys](https://auth0.com/docs/api/management/v2/keys/put-custom-signing-keys) endpoint to import a set of custom public keys into Auth0. Existing custom keys will be replaced by the new set. You can import up to ten custom keys in JWKS format. Once imported, the custom public keys prepend to the list of Auth0-generated keys and will be published to your tenant’s well known endpoint URL for distributing JWKS. To get a list of existing custom keys, make a `GET` call to the [Get custom signing keys](https://auth0.com/docs/api/management/v2/keys/get-custom-signing-keys) endpoint to retrieve the set of custom keys as an array of JWK objects. To delete existing custom keys, make a `DELETE` call to the [Delete custom keys](https://auth0.com/docs/api/management/v2/keys/delete-custom-signing-keys) endpoint to delete the custom keys. # Revoke Signing Keys Source: https://auth0.com/docs/get-started/tenant-settings/signing-keys/revoke-signing-keys Learn how to revoke your tenant's application signing key using the Auth0 Dashboard or Management API. You can revoke your tenant's application or API signing key using the Auth0 Dashboard or the Management API. The signing key is used to sign ID tokens, access tokens, SAML assertions, and WS-Fed assertions sent to your application or API. To learn more, read [Signing Keys](/docs/get-started/tenant-settings/signing-keys). ## Prerequisites * Before you can revoke a previously-used signing key, you must first have rotated the key. To learn more, read [Rotate Signing Keys](/docs/get-started/tenant-settings/signing-keys/rotate-signing-keys), or see the **Rotate and revoke signing key** section below. * Make sure you have updated your application or API with the new key before you revoke the previous key. You cannot reuse a signing key after revocation, so be sure that you want to revoke it. ## Use the Dashboard ### Revoke previously used signing key 1. Go to [Dashboard > Settings > Signing Keys](https://manage.auth0.com/#/tenant/signing_keys). 2. In the **List of Valid Keys** section, locate the **Previously Used** key, select the more options (**...**) menu, and select **Revoke Key**. The **List of Valid Keys** section lists the current signing key being used by your tenant, plus the next signing key that will be assigned should you choose to rotate your signing keys. If you have previously rotated signing keys, this section also lists the previously-used keys. The **List of Revoked Keys** section lists the last three revoked keys for your tenant. 3. Select **Revoke** to confirm. ### Rotate and revoke signing key 1. Go to [Dashboard > Settings > Signing Keys](https://manage.auth0.com/#/tenant/signing_keys). 2. In the **Rotation Settings** section, locate the **Rotate & Revoke Signing Key** section, and select **Rotate & Revoke Key**. 3. Select **Rotate & Revoke** to confirm. ## Use the Management API You can only revoke the previously used signing key. 1. To get a list of the signing keys, make a `GET` call to the [Get all Application Signing Keys](https://auth0.com/docs/api/management/v2#!/Keys/get_signing_keys) endpoint. 2. Make a `PUT` call to the [Revoke an Application Signing Key by its Key ID](https://auth0.com/docs/api/management/v2#!/Keys/put_signing_keys) endpoint. Be sure to replace the `{yourKeyId}` and `{yourMgmtApiAccessToken}` placeholder values with your signing key's ID and Management API access token, respectively. ```bash cURL theme={null} curl --request PUT \ --url 'https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D/revoke' \ --header 'authorization: Bearer {yourMgmtApiAccessToken}' ``` ```csharp C# theme={null} var client = new RestClient("https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D/revoke"); var request = new RestRequest(Method.PUT); request.AddHeader("authorization", "Bearer {yourMgmtApiAccessToken}"); IRestResponse response = client.Execute(request); ``` ```go Go theme={null} package main import ( "fmt" "net/http" "io/ioutil" ) func main() { url := "https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D/revoke" req, _ := http.NewRequest("PUT", url, nil) req.Header.Add("authorization", "Bearer {yourMgmtApiAccessToken}") res, _ := http.DefaultClient.Do(req) defer res.Body.Close() body, _ := ioutil.ReadAll(res.Body) fmt.Println(res) fmt.Println(string(body)) } ``` ```java Java theme={null} HttpResponse response = Unirest.put("https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D/revoke") .header("authorization", "Bearer {yourMgmtApiAccessToken}") .asString(); ``` ```javascript Node.JS theme={null} var axios = require("axios").default; var options = { method: 'PUT', url: 'https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D/revoke', headers: {authorization: 'Bearer {yourMgmtApiAccessToken}'} }; axios.request(options).then(function (response) { console.log(response.data); }).catch(function (error) { console.error(error); }); ``` ```objc Obj-C theme={null} #import NSDictionary *headers = @{ @"authorization": @"Bearer {yourMgmtApiAccessToken}" }; NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D/revoke"] cachePolicy:NSURLRequestUseProtocolCachePolicy timeoutInterval:10.0]; [request setHTTPMethod:@"PUT"]; [request setAllHTTPHeaderFields:headers]; NSURLSession *session = [NSURLSession sharedSession]; NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) { if (error) { NSLog(@"%@", error); } else { NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response; NSLog(@"%@", httpResponse); } }]; [dataTask resume]; ``` ```php PHP theme={null} $curl = curl_init(); curl_setopt_array($curl, [ CURLOPT_URL => "https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D/revoke", CURLOPT_RETURNTRANSFER => true, CURLOPT_ENCODING => "", CURLOPT_MAXREDIRS => 10, CURLOPT_TIMEOUT => 30, CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1, CURLOPT_CUSTOMREQUEST => "PUT", CURLOPT_HTTPHEADER => [ "authorization: Bearer {yourMgmtApiAccessToken}" ], ]); $response = curl_exec($curl); $err = curl_error($curl); curl_close($curl); if ($err) { echo "cURL Error #:" . $err; } else { echo $response; } ``` ```python Python theme={null} import http.client conn = http.client.HTTPSConnection("") headers = { 'authorization': "Bearer {yourMgmtApiAccessToken}" } conn.request("PUT", "/{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D/revoke", headers=headers) res = conn.getresponse() data = res.read() print(data.decode("utf-8")) ``` ```ruby Ruby theme={null} require 'uri' require 'net/http' require 'openssl' url = URI("https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D/revoke") http = Net::HTTP.new(url.host, url.port) http.use_ssl = true http.verify_mode = OpenSSL::SSL::VERIFY_NONE request = Net::HTTP::Put.new(url) request["authorization"] = 'Bearer {yourMgmtApiAccessToken}' response = http.request(request) puts response.read_body ``` ```swift Swift theme={null} import Foundation let headers = ["authorization": "Bearer {yourMgmtApiAccessToken}"] let request = NSMutableURLRequest(url: NSURL(string: "https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D/revoke")! as URL, cachePolicy: .useProtocolCachePolicy, timeoutInterval: 10.0) request.httpMethod = "PUT" request.allHTTPHeaderFields = headers let session = URLSession.shared let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in if (error != nil) { print(error) } else { let httpResponse = response as? HTTPURLResponse print(httpResponse) } }) dataTask.resume() ```
Value Description
YOUR\_KEY\_ID ID of the signing key to be revoked. To learn how to find your signing key ID, see Locate JSON Web Key Sets.
MGMT\_API\_ACCESS\_TOKEN Access Token for the Management API with the scope update:signing\_keys.
## Learn more * [Rotate Signing Keys](/docs/get-started/tenant-settings/signing-keys/rotate-signing-keys) * [View Signing Certificates](/docs/get-started/tenant-settings/signing-keys/view-signing-certificates) * [Change Application Signing Algorithms](/docs/get-started/applications/change-application-signing-algorithms) # Rotate Signing Keys Source: https://auth0.com/docs/get-started/tenant-settings/signing-keys/rotate-signing-keys Learn how to rotate your tenant's application or API signing key using the Auth0 Dashboard or the Management API. You can manually rotate a signing key periodically to change the JSON web key (JWK) key used by applications and APIs to validate tokens. If your application or API **does not** allow for this key change, and it attempts to use an expired signing key to verify a token, the authentication request will fail. Auth0 recommends that you execute signing key rotation on a development tenant first, then verify that your applications and APIs still work as expected. After you verify that everything is working properly, perform the same signing key rotation on your production tenant. Although Auth0 signs with only one signing key at a time, your tenant's OpenID Connect (OIDC) discovery document always contains multiple keys. The OIDC discovery document will always include both the current key and the next key, and it may also include the previous key if the previous key has not yet been revoked. To provide a seamless experience in case of an emergency, your application should be able to use any of the keys specified in the document. To learn more about OpenID Connect discovery documents, read [Locate JSON Web Key Sets](/docs/secure/tokens/json-web-tokens/locate-json-web-key-sets). To allow you time to update your application with the new signing key, all tokens signed with the previous key will still be valid until you revoke the previous key. To learn more, read [Revoke Signing Keys](/docs/get-started/tenant-settings/signing-keys/revoke-signing-keys). You can rotate your tenant's application signing key using the Auth0 Dashboard or the Auth0 Management API. ## Use the Dashboard 1. Go to [Dashboard > Settings > Signing Keys](https://manage.auth0.com/#/tenant/signing_keys). Dashboard Tenant Settings Signing Keys tab 2. Under **Rotation Settings**, locate **Rotate Signing Key**, and select **Rotate Key**. 3. Click **Rotate** to confirm. Dashboard Settings Signing Keys Tab Rotate Confirm ## Use the Management API 1. To get a list of the signing keys, make a `GET` call to the [Get all Application Signing Keys](https://auth0.com/docs/api/management/v2#!/Keys/get_signing_keys) endpoint. 2. To rotate the signing key, make a `POST` call to the [Rotate the Application Signing Key](https://auth0.com/docs/api/management/v2#!/Keys/post_signing_keys) endpoint. Be sure to replace the `MGMT_API_ACCESS_TOKEN` placeholder value with your Management API access token. ```bash cURL theme={null} curl --request POST \ --url 'https://{yourDomain}/api/v2/keys/signing/rotate' \ --header 'authorization: Bearer {yourMgmtApiAccessToken}' ``` ```csharp C# theme={null} var client = new RestClient("https://{yourDomain}/api/v2/keys/signing/rotate"); var request = new RestRequest(Method.POST); request.AddHeader("authorization", "Bearer {yourMgmtApiAccessToken}"); IRestResponse response = client.Execute(request); ``` ```go Go theme={null} package main import ( "fmt" "net/http" "io/ioutil" ) func main() { url := "https://{yourDomain}/api/v2/keys/signing/rotate" req, _ := http.NewRequest("POST", url, nil) req.Header.Add("authorization", "Bearer {yourMgmtApiAccessToken}") res, _ := http.DefaultClient.Do(req) defer res.Body.Close() body, _ := ioutil.ReadAll(res.Body) fmt.Println(res) fmt.Println(string(body)) } ``` ```java Java theme={null} HttpResponse response = Unirest.post("https://{yourDomain}/api/v2/keys/signing/rotate") .header("authorization", "Bearer {yourMgmtApiAccessToken}") .asString(); ``` ```javascript Node.JS theme={null} var axios = require("axios").default; var options = { method: 'POST', url: 'https://{yourDomain}/api/v2/keys/signing/rotate', headers: {authorization: 'Bearer {yourMgmtApiAccessToken}'} }; axios.request(options).then(function (response) { console.log(response.data); }).catch(function (error) { console.error(error); }); ``` ```objc Obj-C theme={null} #import NSDictionary *headers = @{ @"authorization": @"Bearer {yourMgmtApiAccessToken}" }; NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://{yourDomain}/api/v2/keys/signing/rotate"] cachePolicy:NSURLRequestUseProtocolCachePolicy timeoutInterval:10.0]; [request setHTTPMethod:@"POST"]; [request setAllHTTPHeaderFields:headers]; NSURLSession *session = [NSURLSession sharedSession]; NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) { if (error) { NSLog(@"%@", error); } else { NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response; NSLog(@"%@", httpResponse); } }]; [dataTask resume]; ``` ```php PHP theme={null} $curl = curl_init(); curl_setopt_array($curl, [ CURLOPT_URL => "https://{yourDomain}/api/v2/keys/signing/rotate", CURLOPT_RETURNTRANSFER => true, CURLOPT_ENCODING => "", CURLOPT_MAXREDIRS => 10, CURLOPT_TIMEOUT => 30, CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1, CURLOPT_CUSTOMREQUEST => "POST", CURLOPT_HTTPHEADER => [ "authorization: Bearer {yourMgmtApiAccessToken}" ], ]); $response = curl_exec($curl); $err = curl_error($curl); curl_close($curl); if ($err) { echo "cURL Error #:" . $err; } else { echo $response; } ``` ```python Python theme={null} import http.client conn = http.client.HTTPSConnection("") headers = { 'authorization': "Bearer {yourMgmtApiAccessToken}" } conn.request("POST", "/{yourDomain}/api/v2/keys/signing/rotate", headers=headers) res = conn.getresponse() data = res.read() print(data.decode("utf-8")) ``` ```ruby Ruby theme={null} require 'uri' require 'net/http' require 'openssl' url = URI("https://{yourDomain}/api/v2/keys/signing/rotate") http = Net::HTTP.new(url.host, url.port) http.use_ssl = true http.verify_mode = OpenSSL::SSL::VERIFY_NONE request = Net::HTTP::Post.new(url) request["authorization"] = 'Bearer {yourMgmtApiAccessToken}' response = http.request(request) puts response.read_body ``` ```swift Swift theme={null} import Foundation let headers = ["authorization": "Bearer {yourMgmtApiAccessToken}"] let request = NSMutableURLRequest(url: NSURL(string: "https://{yourDomain}/api/v2/keys/signing/rotate")! as URL, cachePolicy: .useProtocolCachePolicy, timeoutInterval: 10.0) request.httpMethod = "POST" request.allHTTPHeaderFields = headers let session = URLSession.shared let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in if (error != nil) { print(error) } else { let httpResponse = response as? HTTPURLResponse print(httpResponse) } }) dataTask.resume() ```
Value Description
MGMT\_API\_ACCESS\_TOKEN Access Token for the Management API with the scopes create:signing\_keys and update:signing\_keys.
## Key rotation impact ### APIs and API gateways accepting access tokens Most middleware and API gateways leverage the JSON web key set (JWKS) endpoint to retrieve the current and future signing keys at a certain interval. If your middleware and/or API gateways **do not** support this endpoint and require you to manually configure a `*.cer` file, you will need to coordinate the signing key rotation in Auth0 with the reconfiguration of your middleware and gateways. ### Regular web applications When rotating the signing key in Auth0, you will need to coordinate the reconfiguration of your applications which leverage WS-Fed or SAML. This typically happens when you upload the new public certificate or reconfigure the application by entering the WS-Fed/SAML metadata URL. This will change the JWKS key, which is used by applications to validate tokens, make sure your implementation does not assume JWKS keys don’t change. ## Learn more * [Revoke Signing Keys](/docs/get-started/tenant-settings/signing-keys/revoke-signing-keys) * [Locate JSON Web Key Sets](/docs/secure/tokens/json-web-tokens/locate-json-web-key-sets) * [Change Application Signing Algorithms](/docs/get-started/applications/change-application-signing-algorithms) * [View Signing Certificates](/docs/get-started/tenant-settings/signing-keys/view-signing-certificates) # View Signing Certificates Source: https://auth0.com/docs/get-started/tenant-settings/signing-keys/view-signing-certificates Describes how to view client secrets and signing keys using the Auth0 Dashboard or the Management API. You can view your tenant's application client secrets and signing keys using the Auth0 Dashboard or the Management API. The application signing key is used to sign ID tokens, access tokens, SAML assertions, and WS-Fed assertions sent to your application. These keys are different from those used to sign interactions with connections, including signing SAML requests to identity providers (IdPs) and encrypting responses from IdPs. By default, SAML assertions for IdP connections are signed, which we recommend. To learn more, read [SAML Identity Provider Configuration Settings](/docs/authenticate/protocols/saml/saml-identity-provider-configuration-settings). ## Use the Dashboard ### Tenant settings 1. Go to [Dashboard > Settings > Signing Keys](https://manage.auth0.com/#/tenant/signing_keys). Dashboard Tenant Settings Signing Keys tab 2. In the **Rotation Settings** section, locate **List of Valid Keys** and **List of Revoked Keys**. 1. The **List of Valid Keys** section lists the current signing key being used by your tenant, plus the next signing key that will be assigned should you choose to rotate your signing keys. If you have previously rotated signing keys, this section also lists the previously-used keys. 2. The **List of Revoked Keys** section lists the last three revoked keys for your tenant. ### Application settings You can also view an application's signing key and/or client secret depending on the type of signing algorithm you are using. #### If using the RS256 signing algorithm 1. Go to [Dashboard > Applications](https://manage.auth0.com/#/applications), and select the name of the application to view. 2. Scroll to the bottom of the **Settings** tab, and select **Advanced Settings**. 3. Go to the **Certificates** tab and locate the **Signing Certificate** field. Dashboard Applications Advanced Settings Certificates tab #### If using the HS256 signing algorithm 1. Go to [Dashboard > Applications](https://manage.auth0.com/#/applications), and select the name of the application to view. 2. Under **Basic Information**, locate the **Client Secret** field for the client secret. Dashboard Applications Application Settings Tab Basic Information ## Use the Management API ### Get all signing keys Make a `GET` call to the [`/signing_keys/get_signing_keys`](https://auth0.com/docs/api/management/v2#!/signing_keys/get_signing_keys) endpoint. Be sure to replace the `{yourMgmtApiAccessToken}` placeholder value with your Management API Access Token. ```bash cURL theme={null} curl --request GET \ --url 'https://{yourDomain}/api/v2/keys/signing' \ --header 'authorization: Bearer {yourMgmtApiAccessToken}' ``` ```csharp C# theme={null} var client = new RestClient("https://{yourDomain}/api/v2/keys/signing"); var request = new RestRequest(Method.GET); request.AddHeader("authorization", "Bearer {yourMgmtApiAccessToken}"); IRestResponse response = client.Execute(request); ``` ```go Go theme={null} package main import ( "fmt" "net/http" "io/ioutil" ) func main() { url := "https://{yourDomain}/api/v2/keys/signing" req, _ := http.NewRequest("GET", url, nil) req.Header.Add("authorization", "Bearer {yourMgmtApiAccessToken}") res, _ := http.DefaultClient.Do(req) defer res.Body.Close() body, _ := ioutil.ReadAll(res.Body) fmt.Println(res) fmt.Println(string(body)) } ``` ```java Java theme={null} HttpResponse response = Unirest.get("https://{yourDomain}/api/v2/keys/signing") .header("authorization", "Bearer {yourMgmtApiAccessToken}") .asString(); ``` ```javascript Node.JS theme={null} var axios = require("axios").default; var options = { method: 'GET', url: 'https://{yourDomain}/api/v2/keys/signing', headers: {authorization: 'Bearer {yourMgmtApiAccessToken}'} }; axios.request(options).then(function (response) { console.log(response.data); }).catch(function (error) { console.error(error); }); ``` ```objc Obj-C theme={null} #import NSDictionary *headers = @{ @"authorization": @"Bearer {yourMgmtApiAccessToken}" }; NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://{yourDomain}/api/v2/keys/signing"] cachePolicy:NSURLRequestUseProtocolCachePolicy timeoutInterval:10.0]; [request setHTTPMethod:@"GET"]; [request setAllHTTPHeaderFields:headers]; NSURLSession *session = [NSURLSession sharedSession]; NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) { if (error) { NSLog(@"%@", error); } else { NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response; NSLog(@"%@", httpResponse); } }]; [dataTask resume]; ``` ```php PHP theme={null} $curl = curl_init(); curl_setopt_array($curl, [ CURLOPT_URL => "https://{yourDomain}/api/v2/keys/signing", CURLOPT_RETURNTRANSFER => true, CURLOPT_ENCODING => "", CURLOPT_MAXREDIRS => 10, CURLOPT_TIMEOUT => 30, CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1, CURLOPT_CUSTOMREQUEST => "GET", CURLOPT_HTTPHEADER => [ "authorization: Bearer {yourMgmtApiAccessToken}" ], ]); $response = curl_exec($curl); $err = curl_error($curl); curl_close($curl); if ($err) { echo "cURL Error #:" . $err; } else { echo $response; } ``` ```python Python theme={null} import http.client conn = http.client.HTTPSConnection("") headers = { 'authorization': "Bearer {yourMgmtApiAccessToken}" } conn.request("GET", "/{yourDomain}/api/v2/keys/signing", headers=headers) res = conn.getresponse() data = res.read() print(data.decode("utf-8")) ``` ```ruby Ruby theme={null} require 'uri' require 'net/http' require 'openssl' url = URI("https://{yourDomain}/api/v2/keys/signing") http = Net::HTTP.new(url.host, url.port) http.use_ssl = true http.verify_mode = OpenSSL::SSL::VERIFY_NONE request = Net::HTTP::Get.new(url) request["authorization"] = 'Bearer {yourMgmtApiAccessToken}' response = http.request(request) puts response.read_body ``` ```swift Swift theme={null} import Foundation let headers = ["authorization": "Bearer {yourMgmtApiAccessToken}"] let request = NSMutableURLRequest(url: NSURL(string: "https://{yourDomain}/api/v2/keys/signing")! as URL, cachePolicy: .useProtocolCachePolicy, timeoutInterval: 10.0) request.httpMethod = "GET" request.allHTTPHeaderFields = headers let session = URLSession.shared let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in if (error != nil) { print(error) } else { let httpResponse = response as? HTTPURLResponse print(httpResponse) } }) dataTask.resume() ```
Value Description
MGMT\_API\_ACCESS\_TOKEN Access Token for the Management API with the scope read:signing\_keys.
### Get a single signing key Make a `GET` call to the [`/signing_keys/get_signing_key`](https://auth0.com/docs/api/management/v2#!/signing_keys/get_signing_key) endpoint. Be sure to replace the `{yourKeyId}` and `{yourMgmtApiAccessToken}` placeholder values with your signing key's ID and Management API Access Token, respectively. ```bash cURL theme={null} curl --request GET \ --url 'https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D' \ --header 'authorization: Bearer {yourMgmtApiAccessToken}' ``` ```csharp C# theme={null} var client = new RestClient("https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D"); var request = new RestRequest(Method.GET); request.AddHeader("authorization", "Bearer {yourMgmtApiAccessToken}"); IRestResponse response = client.Execute(request); ``` ```go Go theme={null} package main import ( "fmt" "net/http" "io/ioutil" ) func main() { url := "https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D" req, _ := http.NewRequest("GET", url, nil) req.Header.Add("authorization", "Bearer {yourMgmtApiAccessToken}") res, _ := http.DefaultClient.Do(req) defer res.Body.Close() body, _ := ioutil.ReadAll(res.Body) fmt.Println(res) fmt.Println(string(body)) } ``` ```java Java theme={null} HttpResponse response = Unirest.get("https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D") .header("authorization", "Bearer {yourMgmtApiAccessToken}") .asString(); ``` ```javascript Node.JS theme={null} var axios = require("axios").default; var options = { method: 'GET', url: 'https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D', headers: {authorization: 'Bearer {yourMgmtApiAccessToken}'} }; axios.request(options).then(function (response) { console.log(response.data); }).catch(function (error) { console.error(error); }); ``` ```objc Obj-C theme={null} #import NSDictionary *headers = @{ @"authorization": @"Bearer {yourMgmtApiAccessToken}" }; NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D"] cachePolicy:NSURLRequestUseProtocolCachePolicy timeoutInterval:10.0]; [request setHTTPMethod:@"GET"]; [request setAllHTTPHeaderFields:headers]; NSURLSession *session = [NSURLSession sharedSession]; NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) { if (error) { NSLog(@"%@", error); } else { NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response; NSLog(@"%@", httpResponse); } }]; [dataTask resume]; ``` ```php PHP theme={null} $curl = curl_init(); curl_setopt_array($curl, [ CURLOPT_URL => "https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D", CURLOPT_RETURNTRANSFER => true, CURLOPT_ENCODING => "", CURLOPT_MAXREDIRS => 10, CURLOPT_TIMEOUT => 30, CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1, CURLOPT_CUSTOMREQUEST => "GET", CURLOPT_HTTPHEADER => [ "authorization: Bearer {yourMgmtApiAccessToken}" ], ]); $response = curl_exec($curl); $err = curl_error($curl); curl_close($curl); if ($err) { echo "cURL Error #:" . $err; } else { echo $response; } ``` ```python Python theme={null} import http.client conn = http.client.HTTPSConnection("") headers = { 'authorization': "Bearer {yourMgmtApiAccessToken}" } conn.request("GET", "/{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D", headers=headers) res = conn.getresponse() data = res.read() print(data.decode("utf-8")) ``` ```ruby Ruby theme={null} require 'uri' require 'net/http' require 'openssl' url = URI("https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D") http = Net::HTTP.new(url.host, url.port) http.use_ssl = true http.verify_mode = OpenSSL::SSL::VERIFY_NONE request = Net::HTTP::Get.new(url) request["authorization"] = 'Bearer {yourMgmtApiAccessToken}' response = http.request(request) puts response.read_body ``` ```swift Swift theme={null} import Foundation let headers = ["authorization": "Bearer {yourMgmtApiAccessToken}"] let request = NSMutableURLRequest(url: NSURL(string: "https://{yourDomain}/api/v2/keys/signing/%7ByourKeyId%7D")! as URL, cachePolicy: .useProtocolCachePolicy, timeoutInterval: 10.0) request.httpMethod = "GET" request.allHTTPHeaderFields = headers let session = URLSession.shared let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in if (error != nil) { print(error) } else { let httpResponse = response as? HTTPURLResponse print(httpResponse) } }) dataTask.resume() ```
Value Description
YOUR\_KEY\_ID ID of the signing key to be viewed. To learn how to find your signing key ID, see Locate JSON Web Key Sets.
MGMT\_API\_ACCESS\_TOKEN Access Token for the Management API with the scope read:signing\_keys.
## Learn more * [Revoke Signing Keys](/docs/get-started/tenant-settings/signing-keys/revoke-signing-keys) * [Rotate Signing Keys](/docs/get-started/tenant-settings/signing-keys/rotate-signing-keys) * [Signing Algorithms](/docs/get-started/applications/signing-algorithms) * [Change Application Signing Algorithms](/docs/get-started/applications/change-application-signing-algorithms) # null Source: https://auth0.com/docs/index