Auth0 API | Resource Servers › Create A Resource Server

Resource Servers

resource_servers

Methods

Create A Resource Server -> { id, allow_offline_access, authorization_details, 15 more... }

post/resource-servers

Create a new API associated with your tenant. Note that all new APIs must be registered with Auth0. For more information, read APIs.

Security

Example: Authorization: Bearer My Bearer Token

Response fields

id: string

Optional

ID of the API (resource server).

allow_offline_access: boolean

Optional

Whether refresh tokens can be issued for this API (true) or not (false).

authorization_details: Array<unknown>

Optional

client: unknown

Optional

consent_policy: "transactional-authorization-with-mfa"

Optional

enforce_policies: boolean

Optional

Whether authorization polices are enforced (true) or unenforced (false).

identifier: string

Optional

Unique identifier for the API used as the audience parameter on authorization calls. Can not be changed once set.

is_system: boolean

Optional

Whether this is an Auth0 system API (true) or a custom API (false).

name: string

Optional

Friendly name for this resource server. Can not contain < or > characters.

proof_of_possession: { mechanism, required }

Optional

Proof-of-Possession configuration for access tokens

scopes: Array<{ value, description }>

Optional

List of permissions (scopes) that this API uses.

signing_alg: "HS256" | "RS256" | "RS512" | 1 more...

Optional

Algorithm used to sign JWTs. Can be HS256 or RS256. PS256 available via addon.

signing_secret: string

Optional

(minLength: 16)

Secret used to sign tokens when using symmetric algorithms (HS256).

skip_consent_for_verifiable_first_party_clients: boolean

Optional

Whether to skip user consent for applications flagged as first party (true) or not (false).

token_dialect: "access_token" | "access_token_authz" | "rfc9068_profile" | 1 more...

Optional

Dialect of access tokens that should be issued. access_token is a JWT containing standard Auth0 claims; rfc9068_profile is a JWT conforming to the IETF JWT Access Token Profile. access_token_authz and rfc9068_profile_authz additionally include RBAC permissions claims.

token_encryption: { encryption_key, format }

Optional

token_lifetime: number

Optional

Expiration value (in seconds) for access tokens issued for this API from the token endpoint.

token_lifetime_for_web: number

Optional

Expiration value (in seconds) for access tokens issued for this API via Implicit or Hybrid Flows. Cannot be greater than the token_lifetime value.

Request example

curl https://login0.local.dev.auth0.com/api/v2/resource-servers \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $BEARER_TOKEN" \
    -d '{
      "identifier": "x"
    }'

200Example

{
  "id": "id",
  "allow_offline_access": true,
  "authorization_details": [
    {}
  ],
  "client": {},
  "consent_policy": "transactional-authorization-with-mfa",
  "enforce_policies": true,
  "identifier": "identifier",
  "is_system": true,
  "name": "name",
  "proof_of_possession": {
    "mechanism": "mtls",
    "required": true
  },
  "scopes": [
    {
      "value": "x",
      "description": "description"
    }
  ],
  "signing_alg": "HS256",
  "signing_secret": "xxxxxxxxxxxxxxxx",
  "skip_consent_for_verifiable_first_party_clients": true,
  "token_dialect": "access_token",
  "token_encryption": {
    "encryption_key": {
      "alg": "RSA-OAEP-256",
      "pem": "x",
      "kid": "x",
      "name": "x"
    },
    "format": "compact-nested-jwe"
  },
  "token_lifetime": 0,
  "token_lifetime_for_web": 0
}

Delete A Resource Server ->

delete/resource-servers/{id}

Delete an existing API by ID. For more information, read API Settings.

Get Resource Servers -> ResourceServersPageNumberPage<{ id, allow_offline_access, authorization_details, 15 more... }>

get/resource-servers

Retrieve details of all APIs associated with your tenant.

Get A Resource Server -> { id, allow_offline_access, authorization_details, 15 more... }

get/resource-servers/{id}

Retrieve API details with the given ID.

Update A Resource Server -> { id, allow_offline_access, authorization_details, 15 more... }

patch/resource-servers/{id}

Change an existing API setting by resource server ID. For more information, read API Settings.