Auth0 API | Clients › Get Clients

Clients

clients

Methods

Create A Client ->

post/clients

Create a new client (application or SSO integration). For more information, read Create Applications API Endpoints for Single Sign-On.

Notes:

We recommend leaving the client_secret parameter unspecified to allow the generation of a safe secret.
The client_authentication_methods and token_endpoint_auth_method properties are mutually exclusive. Use client_authentication_methods to configure the client with Private Key JWT authentication method. Otherwise, use token_endpoint_auth_method to configure the client with client secret (basic or post) or with no authentication method (none).
When using client_authentication_methods to configure the client with Private Key JWT authentication method, specify fully defined credentials. These credentials will be automatically enabled for Private Key JWT authentication on the client.
To configure client_authentication_methods, the create:client_credentials scope is required.
To configure client_authentication_methods, the property jwt_configuration.alg must be set to RS256.

SSO Integrations created via this endpoint will accept login requests and share user profile information.

Delete A Client ->

delete/clients/{client_id}

Delete a client and related configuration (rules, connections, etc).

Get Clients -> ClientsPageNumberPage<

Client

get/clients

Retrieve clients (applications and SSO integrations) matching provided filters. A list of fields to include or exclude may also be specified. For more information, read Applications in Auth0 and Single Sign-On.

The following can be retrieved with any scope: client_id, app_type, name, and description.
The following properties can only be retrieved with the read:clients or read:client_keys scope: callbacks, oidc_logout, allowed_origins, web_origins, tenant, global, config_route, callback_url_template, jwt_configuration, jwt_configuration.lifetime_in_seconds, jwt_configuration.secret_encoded, jwt_configuration.scopes, jwt_configuration.alg, api_type, logo_uri, allowed_clients, owners, custom_login_page, custom_login_page_off, sso, addons, form_template, custom_login_page_codeview, resource_servers, client_metadata, mobile, mobile.android, mobile.ios, allowed_logout_urls, token_endpoint_auth_method, is_first_party, oidc_conformant, is_token_endpoint_ip_header_trusted, initiate_login_uri, grant_types, refresh_token, refresh_token.rotation_type, refresh_token.expiration_type, refresh_token.leeway, refresh_token.token_lifetime, organization_usage, organization_require_behavior.
The following properties can only be retrieved with the read:client_keys or read:client_credentials scope: encryption_key, encryption_key.pub, encryption_key.cert, client_secret, client_authentication_methods and signing_key.

Security

Example: Authorization: Bearer My Bearer Token

Parameters

app_type: string

Optional

Optional filter by a comma-separated list of application types.

fields: string

Optional

Comma-separated list of fields to include or exclude (based on value provided for include_fields) in the result. Leave empty to retrieve all fields.

from: string

Optional

Optional Id from which to start selection.

include_fields: boolean

Optional

Whether specified fields are to be included (true) or excluded (false).

include_totals: boolean

Optional

Return results inside an object that contains the total result count (true) or as a direct array of results (false, default).

is_first_party: boolean

Optional

Optional filter on whether or not a client is a first-party client.

is_global: boolean

Optional

Optional filter on the global client parameter.

page: number

Optional

(minimum: 0)

Page index of the results to return. First page is 0.

per_page: number

Optional

(maximum: 100, minimum: 0)

Number of results per page. Default value is 50, maximum value is 100

q: string

Optional

Advanced Query in Lucene syntax.
Permitted Queries:

client_grant.organization_id:{organization_id}
client_grant.allow_any_organization:true

Additional Restrictions:

Cannot be used in combination with other filters
Requires use of the from and take paging parameters (checkpoint paginatinon)
Reduced rate limits apply. See Rate Limit Configurations

Note: Recent updates may not be immediately reflected in query results

take: number

Optional

(maximum: 100, minimum: 1)

Number of results per page. Defaults to 50.

Response fields

UnionMember0 = Array<

Client

UnionMember1 = { clients, limit, start, 1 more... }

UnionMember2 = { clients, next }

Request example

curl https://login0.local.dev.auth0.com/api/v2/clients \
    -H "Authorization: Bearer $BEARER_TOKEN"

200Example

[
  {
    "addons": {
      "aws": {
        "lifetime_in_seconds": 0,
        "principal": "principal",
        "role": "role"
      },
      "azure_blob": {
        "accountName": "accountName",
        "blob_delete": true,
        "blob_read": true,
        "blob_write": true,
        "blobName": "blobName",
        "container_delete": true,
        "container_list": true,
        "container_read": true,
        "container_write": true,
        "containerName": "containerName",
        "expiration": 0,
        "signedIdentifier": "signedIdentifier",
        "storageAccessKey": "storageAccessKey"
      },
      "azure_sb": {
        "entityPath": "entityPath",
        "expiration": 0,
        "namespace": "namespace",
        "sasKey": "sasKey",
        "sasKeyName": "sasKeyName"
      },
      "box": {
        "foo": "bar"
      },
      "cloudbees": {
        "foo": "bar"
      },
      "concur": {
        "foo": "bar"
      },
      "dropbox": {
        "foo": "bar"
      },
      "echosign": {
        "domain": "domain"
      },
      "egnyte": {
        "domain": "domain"
      },
      "firebase": {
        "client_email": "client_email",
        "lifetime_in_seconds": 0,
        "private_key": "private_key",
        "private_key_id": "private_key_id",
        "secret": "secret"
      },
      "layer": {
        "keyId": "keyId",
        "privateKey": "privateKey",
        "providerId": "providerId",
        "expiration": 0,
        "principal": "principal"
      },
      "mscrm": {
        "url": "https://example.com"
      },
      "newrelic": {
        "account": "account"
      },
      "oag": {},
      "office365": {
        "connection": "connection",
        "domain": "domain"
      },
      "rms": {
        "url": "https://example.com"
      },
      "salesforce": {
        "entity_id": "https://example.com"
      },
      "salesforce_api": {
        "clientid": "clientid",
        "community_url_section": "community_url_section",
        "communityName": "communityName",
        "principal": "principal"
      },
      "salesforce_sandbox_api": {
        "clientid": "clientid",
        "community_url_section": "community_url_section",
        "communityName": "communityName",
        "principal": "principal"
      },
      "samlp": {
        "audience": "audience",
        "authnContextClassRef": "authnContextClassRef",
        "createUpnClaim": true,
        "destination": "destination",
        "digestAlgorithm": "digestAlgorithm",
        "issuer": "issuer",
        "lifetimeInSeconds": 0,
        "mapIdentities": true,
        "mappings": {
          "foo": "bar"
        },
        "mapUnknownClaimsAsIs": true,
        "nameIdentifierFormat": "nameIdentifierFormat",
        "nameIdentifierProbes": [
          "x"
        ],
        "passthroughClaimsWithNoMapping": true,
        "recipient": "recipient",
        "signatureAlgorithm": "signatureAlgorithm",
        "signResponse": true
      },
      "sap_api": {
        "clientid": "clientid",
        "nameIdentifierFormat": "nameIdentifierFormat",
        "scope": "scope",
        "servicePassword": "servicePassword",
        "tokenEndpointUrl": "https://example.com",
        "usernameAttribute": "usernameAttribute"
      },
      "sentry": {
        "base_url": "base_url",
        "org_slug": "org_slug"
      },
      "sharepoint": {
        "external_url": [
          "string"
        ],
        "url": "url"
      },
      "slack": {
        "team": "team"
      },
      "springcm": {
        "acsurl": "acsurl"
      },
      "sso_integration": {
        "name": "name",
        "version": "version"
      },
      "wams": {
        "masterkey": "masterkey"
      },
      "wsfed": {
        "foo": "bar"
      },
      "zendesk": {
        "accountName": "accountName"
      },
      "zoom": {
        "account": "account"
      }
    },
    "allowed_clients": [
      "string"
    ],
    "allowed_logout_urls": [
      "string"
    ],
    "allowed_origins": [
      "string"
    ],
    "app_type": "app_type",
    "callbacks": [
      "string"
    ],
    "client_aliases": [
      "string"
    ],
    "client_authentication_methods": {
      "private_key_jwt": {
        "credentials": [
          {
            "id": "id"
          }
        ]
      },
      "self_signed_tls_client_auth": {
        "credentials": [
          {
            "id": "id"
          }
        ]
      },
      "tls_client_auth": {
        "credentials": [
          {
            "id": "id"
          }
        ]
      }
    },
    "client_id": "client_id",
    "client_metadata": {
      "foo": "bar"
    },
    "client_secret": "client_secret",
    "compliance_level": "none",
    "cross_origin_authentication": true,
    "cross_origin_loc": "https://example.com",
    "custom_login_page": "custom_login_page",
    "custom_login_page_on": true,
    "custom_login_page_preview": "custom_login_page_preview",
    "default_organization": {
      "flows": [
        "client_credentials"
      ],
      "organization_id": "organization_id"
    },
    "description": "description",
    "encryption_key": {
      "cert": "cert",
      "pub": "pub",
      "subject": "subject"
    },
    "form_template": "form_template",
    "global": true,
    "grant_types": [
      "string"
    ],
    "initiate_login_uri": "https://example.com",
    "is_first_party": true,
    "jwt_configuration": {
      "alg": "HS256",
      "lifetime_in_seconds": 0,
      "scopes": {
        "foo": "bar"
      },
      "secret_encoded": true
    },
    "logo_uri": "logo_uri",
    "mobile": {
      "android": {
        "app_package_name": "app_package_name",
        "sha256_cert_fingerprints": [
          "x"
        ]
      },
      "ios": {
        "app_bundle_identifier": "app_bundle_identifier",
        "team_id": "team_id"
      }
    },
    "name": "name",
    "native_social_login": {},
    "oidc_conformant": true,
    "oidc_logout": {
      "backchannel_logout_initiators": {
        "mode": "custom",
        "selected_initiators": [
          "rp-logout"
        ]
      },
      "backchannel_logout_urls": [
        "https://example.com"
      ]
    },
    "organization_require_behavior": "no_prompt",
    "organization_usage": "deny",
    "refresh_token": {
      "expiration_type": "expiring",
      "rotation_type": "rotating",
      "idle_token_lifetime": 0,
      "infinite_idle_token_lifetime": true,
      "infinite_token_lifetime": true,
      "leeway": 0,
      "token_lifetime": 0
    },
    "require_proof_of_possession": true,
    "require_pushed_authorization_requests": true,
    "signed_request_object": {
      "credentials": [
        {
          "id": "id"
        }
      ],
      "required": true
    },
    "signing_keys": [
      {
        "cert": "cert",
        "pkcs7": "pkcs7",
        "subject": "subject"
      }
    ],
    "sso": true,
    "sso_disabled": true,
    "tenant": "tenant",
    "token_endpoint_auth_method": "none",
    "web_origins": [
      "string"
    ]
  }
]

Get Client By ID ->

Client

get/clients/{client_id}

Retrieve client details by ID. Clients are SSO connections or Applications linked with your Auth0 tenant. A list of fields to include or exclude may also be specified. For more information, read Applications in Auth0 and Single Sign-On.

The following properties can be retrieved with any of the scopes: client_id, app_type, name, and description.
The following properties can only be retrieved with the read:clients or read:client_keys scopes: callbacks, oidc_logout, allowed_origins, web_origins, tenant, global, config_route, callback_url_template, jwt_configuration, jwt_configuration.lifetime_in_seconds, jwt_configuration.secret_encoded, jwt_configuration.scopes, jwt_configuration.alg, api_type, logo_uri, allowed_clients, owners, custom_login_page, custom_login_page_off, sso, addons, form_template, custom_login_page_codeview, resource_servers, client_metadata, mobile, mobile.android, mobile.ios, allowed_logout_urls, token_endpoint_auth_method, is_first_party, oidc_conformant, is_token_endpoint_ip_header_trusted, initiate_login_uri, grant_types, refresh_token, refresh_token.rotation_type, refresh_token.expiration_type, refresh_token.leeway, refresh_token.token_lifetime, organization_usage, organization_require_behavior.
The following properties can only be retrieved with the read:client_keys or read:client_credentials scopes: encryption_key, encryption_key.pub, encryption_key.cert, client_secret, client_authentication_methods and signing_key.

Rotate A Client Secret ->

Client

post/clients/{client_id}/rotate-secret

Rotate a client secret.

This endpoint cannot be used with clients configured with Private Key JWT authentication method (client_authentication_methods configured with private_key_jwt).

Note: The generated secret is NOT base64 encoded.

Update A Client ->

Client

patch/clients/{client_id}

Updates a client's settings. For more information, read Applications in Auth0 and Single Sign-On.

Notes:

The client_secret and signing_key attributes can only be updated with the update:client_keys scope.
The client_authentication_methods and token_endpoint_auth_method properties are mutually exclusive. Use client_authentication_methods to configure the client with Private Key JWT authentication method. Otherwise, use token_endpoint_auth_method to configure the client with client secret (basic or post) or with no authentication method (none).
When using client_authentication_methods to configure the client with Private Key JWT authentication method, only specify the credential IDs that were generated when creating the credentials on the client.
To configure client_authentication_methods, the update:client_credentials scope is required.
To configure client_authentication_methods, the property jwt_configuration.alg must be set to RS256.

Clients

Credentials

clients.credentials

Methods

Create A Client Credential -> { id, alg, created_at, 7 more... }

post/clients/{client_id}/credentials

Create a client credential associated to your application. The credential will be created but not yet enabled for use with Private Key JWT authentication method. To enable the credential, set the client_authentication_methods property on the client. For more information, read Configure Private Key JWT Authentication.

Delete A Client Credential ->

delete/clients/{client_id}/credentials/{credential_id}

Delete a client credential you previously created. May be enabled or disabled. For more information, read Client Credential Flow.

Get Client Credentials -> Array<

ClientCredential

get/clients/{client_id}/credentials

Get the details of a client credential.

Important: To enable credentials to be used for Private Key JWT authentication method, set the client_authentication_methods property on the client.

Get Client Credential Details -> { id, alg, created_at, 7 more... }

get/clients/{client_id}/credentials/{credential_id}

Get the details of a client credential.

Important: To enable credentials to be used for Private Key JWT authentication method, set the client_authentication_methods property on the client.

Update A Client Credential -> { id, alg, created_at, 7 more... }

patch/clients/{client_id}/credentials/{credential_id}

Change a client credential you previously created. May be enabled or disabled. For more information, read Client Credential Flow.

Domain types

ClientCredential = { id, alg, created_at, 7 more... }