Clients

clients

Methods

Create A Client ->
post/clients

Create a new client (application or SSO integration). For more information, read Create Applications API Endpoints for Single Sign-On.

Notes:

  • We recommend leaving the client_secret parameter unspecified to allow the generation of a safe secret.
  • The client_authentication_methods and token_endpoint_auth_method properties are mutually exclusive. Use client_authentication_methods to configure the client with the Private Key JWT authentication method. Otherwise, use token_endpoint_auth_method to configure the client with a client secret (basic or post) or with no authentication method (none).
  • When using client_authentication_methods to configure the client with the Private Key JWT authentication method, specify fully defined credentials. These credentials will be automatically enabled for Private Key JWT authentication on the client.
  • To configure client_authentication_methods, the create:client_credentials scope is required.
  • To configure client_authentication_methods, the property jwt_configuration.alg must be set to RS256.

SSO Integrations created via this endpoint will accept login requests and share user profile information.

Delete A Client ->
delete/clients/{client_id}

Delete a client and related configuration (rules, connections, etc.).

Get Clients -> ClientsPageNumberPage<>
get/clients

Retrieve clients (applications and SSO integrations) matching provided filters. A list of fields to include or exclude may also be specified. For more information, read Applications in Auth0 and Single Sign-On.

  • The following can be retrieved with any scope: client_id, app_type, name, and description.
  • The following properties can only be retrieved with the read:clients or read:client_keys scope: callbacks, oidc_logout, allowed_origins, web_origins, tenant, global, config_route, callback_url_template, jwt_configuration, jwt_configuration.lifetime_in_seconds, jwt_configuration.secret_encoded, jwt_configuration.scopes, jwt_configuration.alg, api_type, logo_uri, allowed_clients, owners, custom_login_page, custom_login_page_off, sso, addons, form_template, custom_login_page_codeview, resource_servers, client_metadata, mobile, mobile.android, mobile.ios, allowed_logout_urls, token_endpoint_auth_method, is_first_party, oidc_conformant, is_token_endpoint_ip_header_trusted, initiate_login_uri, grant_types, refresh_token, refresh_token.rotation_type, refresh_token.expiration_type, refresh_token.leeway, refresh_token.token_lifetime, organization_usage, organization_require_behavior.
  • The following properties can only be retrieved with the read:client_keys or read:client_credentials scope: encryption_key, encryption_key.pub, encryption_key.cert, client_secret, client_authentication_methods and signing_key.

Get Client By ID ->
get/clients/{client_id}

Retrieve client details by ID. Clients are SSO connections or Applications linked with your Auth0 tenant. A list of fields to include or exclude may also be specified. For more information, read Applications in Auth0 and Single Sign-On.

  • The following properties can be retrieved with any of the scopes: client_id, app_type, name, and description.
  • The following properties can only be retrieved with the read:clients or read:client_keys scopes: callbacks, oidc_logout, allowed_origins, web_origins, tenant, global, config_route, callback_url_template, jwt_configuration, jwt_configuration.lifetime_in_seconds, jwt_configuration.secret_encoded, jwt_configuration.scopes, jwt_configuration.alg, api_type, logo_uri, allowed_clients, owners, custom_login_page, custom_login_page_off, sso, addons, form_template, custom_login_page_codeview, resource_servers, client_metadata, mobile, mobile.android, mobile.ios, allowed_logout_urls, token_endpoint_auth_method, is_first_party, oidc_conformant, is_token_endpoint_ip_header_trusted, initiate_login_uri, grant_types, refresh_token, refresh_token.rotation_type, refresh_token.expiration_type, refresh_token.leeway, refresh_token.token_lifetime, organization_usage, organization_require_behavior.
  • The following properties can only be retrieved with the read:client_keys or read:client_credentials scopes: encryption_key, encryption_key.pub, encryption_key.cert, client_secret, client_authentication_methods and signing_key.

Rotate A Client Secret ->
post/clients/{client_id}/rotate-secret

Rotate a client secret.

This endpoint cannot be used with clients configured with the Private Key JWT authentication method (client_authentication_methods configured with private_key_jwt).

Note: The generated secret is NOT base64 encoded.

Update A Client ->
patch/clients/{client_id}

Updates a client's settings. For more information, read Applications in Auth0 and Single Sign-On.

Notes:

  • The client_secret and signing_key attributes can only be updated with the update:client_keys scope.
  • The client_authentication_methods and token_endpoint_auth_method properties are mutually exclusive. Use client_authentication_methods to configure the client with the Private Key JWT authentication method. Otherwise, use token_endpoint_auth_method to configure the client with a client secret (basic or post) or with no authentication method (none).
  • When using client_authentication_methods to configure the client with the Private Key JWT authentication method, only specify the credential IDs that were generated when creating the credentials on the client.
  • To configure client_authentication_methods, the update:client_credentials scope is required.
  • To configure client_authentication_methods, the property jwt_configuration.alg must be set to RS256.
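
A pre-flight check for request bodies that encodes the notes listed for Create A Client and Update A Client above. This is an added example, not Auth0's code: the function name, the nested private_key_jwt.credentials layout, and the client_secret_basic / client_secret_post spellings of "basic or post" are assumptions, and the sample body is constructed.

```python
# Added example: lint a client create/update body against the notes on this page.
# Assumed (not stated on the page): nested private_key_jwt.credentials layout.
SECRET_METHODS = {"client_secret_basic", "client_secret_post", "none"}

def lint_client_body(body, token_scopes, operation):
    """Return a list of rule violations; operation is 'create' or 'update'."""
    problems, scopes = [], set(token_scopes)
    cam = body.get("client_authentication_methods")
    team = body.get("token_endpoint_auth_method")
    if cam is not None and team is not None:
        problems.append("client_authentication_methods and "
                        "token_endpoint_auth_method are mutually exclusive")
    if team is not None and team not in SECRET_METHODS:
        problems.append(f"unexpected token_endpoint_auth_method: {team!r}")
    if cam is not None:
        if f"{operation}:client_credentials" not in scopes:
            problems.append(f"missing scope {operation}:client_credentials")
        alg = body.get("jwt_configuration", {}).get("alg")
        # A PATCH may omit jwt_configuration; this lint wants it explicit on create.
        if alg != "RS256" and (operation == "create" or alg is not None):
            problems.append("jwt_configuration.alg must be RS256")
        creds = cam.get("private_key_jwt", {}).get("credentials", [])
        if not creds:
            problems.append("no credentials listed under private_key_jwt")
        for cred in creds:
            id_only = set(cred) == {"id"}
            if operation == "create" and id_only:
                problems.append("create needs fully defined credentials, not IDs")
            if operation == "update" and not id_only:
                problems.append("update takes existing credential IDs only")
    if operation == "create" and "client_secret" in body:
        problems.append("client_secret supplied; leave it unset so one is generated")
    touches_keys = {"client_secret", "signing_key"} & set(body)
    if operation == "update" and touches_keys and "update:client_keys" not in scopes:
        problems.append("missing scope update:client_keys")
    return problems

if __name__ == "__main__":
    # Constructed body that breaks several rules at once.
    sample = {
        "name": "billing-service",
        "token_endpoint_auth_method": "client_secret_post",
        "jwt_configuration": {"alg": "HS256"},
        "client_authentication_methods": {
            "private_key_jwt": {"credentials": [{"id": "cred_constructed"}]}},
    }
    for problem in lint_client_body(sample, ["create:clients"], "create"):
        print("-", problem)
```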

Credentials

clients.credentials

Methods

Create A Client Credential -> { id, alg, created_at, 7 more... }
post/clients/{client_id}/credentials

Create a client credential associated with your application. The credential will be created but not yet enabled for use with the Private Key JWT authentication method. To enable the credential, set the client_authentication_methods property on the client. For more information, read Configure Private Key JWT Authentication.

Delete A Client Credential ->
delete/clients/{client_id}/credentials/{credential_id}

Delete a client credential you previously created. The credential may be enabled or disabled. For more information, read Client Credential Flow.

Get Client Credentials -> Array<>
get/clients/{client_id}/credentials

Get the details of the credentials associated with a client.

Important: To enable credentials to be used for the Private Key JWT authentication method, set the client_authentication_methods property on the client.

Get Client Credential Details -> { id, alg, created_at, 7 more... }
get/clients/{client_id}/credentials/{credential_id}

Get the details of a client credential.

Important: To enable credentials to be used for the Private Key JWT authentication method, set the client_authentication_methods property on the client.

Update A Client Credential -> { id, alg, created_at, 7 more... }
patch/clients/{client_id}/credentials/{credential_id}

Change a client credential you previously created. The credential may be enabled or disabled. For more information, read Client Credential Flow.

Security

Example: Authorization: Bearer My Bearer Token

Parameters

client_id: string
credential_id: string

Response fields

id: string (optional)

ID of the credential. Generated on creation.

alg: "RS256" | "RS384" | "PS256" (optional)

Algorithm which will be used with the credential. Supported algorithms: RS256, RS384, PS256.

created_at: string (optional, format: date-time)

The ISO 8601 formatted date the credential was created.

credential_type: string (optional)

The type of credential. Supported types: public_key.

expires_at: string (optional, format: date-time)

The ISO 8601 formatted date representing the expiration of the credential.

kid: string (optional)

The key identifier of the credential, generated on creation.

name: string (optional)

The name given to the credential by the user.

subject_dn: string (optional)

The X509 certificate's Subject Distinguished Name.

thumbprint_sha256: string (optional)

The X509 certificate's SHA256 thumbprint.

updated_at: string (optional, format: date-time)

The ISO 8601 formatted date the credential was updated.

Domain types

ClientCredential = { id, alg, created_at, 7 more... }