Create a client
Create a new client (application or SSO integration). For more information, read Create Applications API Endpoints for Single Sign-On.
Notes:
- We recommend leaving the
client_secretparameter unspecified to allow the generation of a safe secret. - The
client_authentication_methodsandtoken_endpoint_auth_methodproperties are mutually exclusive. Useclient_authentication_methodsto configure the client with Private Key JWT authentication method. Otherwise, usetoken_endpoint_auth_methodto configure the client with client secret (basic or post) or with no authentication method (none). - When using
client_authentication_methodsto configure the client with Private Key JWT authentication method, specify fully defined credentials. These credentials will be automatically enabled for Private Key JWT authentication on the client. - To configure
client_authentication_methods, thecreate:client_credentialsscope is required. - To configure
client_authentication_methods, the propertyjwt_configuration.algmust be set to RS256.
Authorizations
Bearer authentication header of the form Bearer <token>, where <token> is your auth token.
Body
Name of this client (min length: 1 character, does not allow < or >).
^[^<>]+$Free text description of this client (max length: 140 characters).
140URL of the logo to display for this client. Recommended size is 150x150 pixels.
Comma-separated list of URLs whitelisted for Auth0 to use as a callback to the client after authentication.
Configuration for OIDC backchannel logout
Configuration for OIDC backchannel logout (deprecated, in favor of oidc_logout)
Native to Web SSO Configuration
Comma-separated list of URLs allowed to make requests from JavaScript to Auth0 API (typically used with CORS). By default, all your callback URLs will be allowed. This field allows you to enter other origins if necessary. You can also use wildcards at the subdomain level (e.g., https://*.contoso.com). Query strings and hash information are not taken into account when validating these URLs.
Comma-separated list of allowed origins for use with Cross-Origin Authentication, Device Flow, and web message response mode.
List of audiences/realms for SAML protocol. Used by the wsfed addon.
1List of allow clients and API ids that are allowed to make delegation requests. Empty means all all your clients are allowed.
1Comma-separated list of URLs that are valid to redirect to after logout from Auth0. Wildcards are allowed for subdomains.
List of grant types supported for this application. Can include authorization_code, implicit, refresh_token, client_credentials, password, http://auth0.com/oauth/grant-type/password-realm, http://auth0.com/oauth/grant-type/mfa-oob, http://auth0.com/oauth/grant-type/mfa-otp, http://auth0.com/oauth/grant-type/mfa-recovery-code, urn:openid:params:grant-type:ciba, urn:ietf:params:oauth:grant-type:device_code, and urn:auth0:params:oauth:grant-type:token-exchange:federated-connection-access-token.
1Defines the requested authentication method for the token endpoint. Can be none (public client without a client secret), client_secret_post (client uses HTTP POST parameters), or client_secret_basic (client uses HTTP Basic).
none, client_secret_post, client_secret_basic If true, trust that the IP specified in the auth0-forwarded-for header is the end-user's IP for brute-force-protection on token endpoint.
The type of application this client represents
native, spa, regular_web, non_interactive, resource_server, express_configuration, rms, box, cloudbees, concur, dropbox, mscrm, echosign, egnyte, newrelic, office365, salesforce, sentry, sharepoint, slack, springcm, zendesk, zoom, sso_integration, oag Whether this client a first party client or not
Whether this client conforms to strict OIDC specifications (true) or uses legacy features (false).
Configuration related to JWTs for the client.
Encryption used for WsFed responses with this client.
Applies only to SSO clients and determines whether Auth0 will handle Single Sign On (true) or whether the Identity Provider will (false).
Whether this client can be used to make cross-origin authentication requests (true) or it is not allowed to make such requests (false).
URL of the location in your site where the cross origin verification takes place for the cross-origin auth flow when performing Auth in your own domain instead of Auth0 hosted login page.
true to disable Single Sign On, false otherwise (default: false)
true if the custom login page is to be used, false otherwise. Defaults to true
The content (HTML, CSS, JS) of the custom login page.
1The content (HTML, CSS, JS) of the custom login page. (Used on Previews)
1HTML form template to be used for WS-Federation.
1Addons enabled for this client and their associated configurations.
Metadata associated with the client, in the form of an object with string values (max 255 chars). Maximum of 10 metadata properties allowed. Field names (max 255 chars) are alphanumeric and may only include the following special characters: :,-+=_*?"/()<>@ [Tab] [Space]
Additional configuration for native mobile apps.
Initiate login uri, must be https
Configure native social settings
Refresh token configuration
Defines the default Organization ID and flows
Defines how to proceed during an authentication transaction with regards an organization. Can be deny (default), allow or require.
deny, allow, require Defines how to proceed during an authentication transaction when client.organization_usage: 'require'. Can be no_prompt (default), pre_login_prompt or post_login_prompt. post_login_prompt requires oidc_conformant: true.
no_prompt, pre_login_prompt, post_login_prompt Defines the available methods for organization discovery during the pre_login_prompt. Users can discover their organization either by email, organization_name or both.
1Method for discovering organizations during the pre_login_prompt. email allows users to find their organization by entering their email address and performing domain matching, while organization_name requires users to enter the organization name directly. These methods can be combined.
email, organization_name Defines client authentication methods.
Makes the use of Pushed Authorization Requests mandatory for this client
Makes the use of Proof-of-Possession mandatory for this client
JWT-secured Authorization Requests (JAR) settings.
Defines the compliance level for this client, which may restrict it's capabilities
none, fapi1_adv_pkj_par, fapi1_adv_mtls_par, fapi2_sp_pkj_mtls, fapi2_sp_mtls_mtls, null Controls whether a confirmation prompt is shown during login flows when the redirect URI uses non-verifiable callback URIs (for example, a custom URI schema such as myapp://, or localhost).
If set to true, a confirmation prompt will not be shown. We recommend that this is set to false for improved protection from malicious apps.
See https://auth0.com/docs/secure/security-guidance/measures-against-app-impersonation for more information.
Configuration for token exchange.
Specifies how long, in seconds, a Pushed Authorization Request URI remains valid
10 <= x <= 600The identifier of the resource server that this client is linked to.
1 - 600Application specific configuration for use with the OIN Express Configuration feature.
Array of notification channels for contacting the user when their approval is required. Valid values are guardian-push, email.
1guardian-push, email Response
Client successfully created.
ID of this client.
Name of the tenant this client belongs to.
Name of this client (min length: 1 character, does not allow < or >).
Free text description of this client (max length: 140 characters).
Whether this is your global 'All Applications' client representing legacy tenant settings (true) or a regular client (false).
Client secret (which you must not make public).
The type of application this client represents
native, spa, regular_web, non_interactive, resource_server, express_configuration, rms, box, cloudbees, concur, dropbox, mscrm, echosign, egnyte, newrelic, office365, salesforce, sentry, sharepoint, slack, springcm, zendesk, zoom, sso_integration, oag URL of the logo to display for this client. Recommended size is 150x150 pixels.
Whether this client a first party client (true) or not (false).
Whether this client conforms to strict OIDC specifications (true) or uses legacy features (false).
Comma-separated list of URLs whitelisted for Auth0 to use as a callback to the client after authentication.
Comma-separated list of URLs allowed to make requests from JavaScript to Auth0 API (typically used with CORS). By default, all your callback URLs will be allowed. This field allows you to enter other origins if necessary. You can also use wildcards at the subdomain level (e.g., https://*.contoso.com). Query strings and hash information are not taken into account when validating these URLs.
Comma-separated list of allowed origins for use with Cross-Origin Authentication, Device Flow, and web message response mode.
List of audiences/realms for SAML protocol. Used by the wsfed addon.
List of allow clients and API ids that are allowed to make delegation requests. Empty means all all your clients are allowed.
Comma-separated list of URLs that are valid to redirect to after logout from Auth0. Wildcards are allowed for subdomains.
Native to Web SSO Configuration
Configuration for OIDC backchannel logout
List of grant types supported for this application. Can include authorization_code, implicit, refresh_token, client_credentials, password, http://auth0.com/oauth/grant-type/password-realm, http://auth0.com/oauth/grant-type/mfa-oob, http://auth0.com/oauth/grant-type/mfa-otp, http://auth0.com/oauth/grant-type/mfa-recovery-code, urn:openid:params:grant-type:ciba, urn:ietf:params:oauth:grant-type:device_code, and urn:auth0:params:oauth:grant-type:token-exchange:federated-connection-access-token.
Configuration related to JWTs for the client.
Signing certificates associated with this client.
Encryption used for WsFed responses with this client.
Applies only to SSO clients and determines whether Auth0 will handle Single Sign On (true) or whether the Identity Provider will (false).
Whether Single Sign On is disabled (true) or enabled (true). Defaults to true.
Whether this client can be used to make cross-origin authentication requests (true) or it is not allowed to make such requests (false).
URL of the location in your site where the cross origin verification takes place for the cross-origin auth flow when performing Auth in your own domain instead of Auth0 hosted login page.
Whether a custom login page is to be used (true) or the default provided login page (false).
The content (HTML, CSS, JS) of the custom login page.
The content (HTML, CSS, JS) of the custom login page. (Used on Previews)
HTML form template to be used for WS-Federation.
Addons enabled for this client and their associated configurations.
Defines the requested authentication method for the token endpoint. Can be none (public client without a client secret), client_secret_post (client uses HTTP POST parameters), or client_secret_basic (client uses HTTP Basic).
none, client_secret_post, client_secret_basic If true, trust that the IP specified in the auth0-forwarded-for header is the end-user's IP for brute-force-protection on token endpoint.
Metadata associated with the client, in the form of an object with string values (max 255 chars). Maximum of 10 metadata properties allowed. Field names (max 255 chars) are alphanumeric and may only include the following special characters: :,-+=_*?"/()<>@ [Tab] [Space]
Additional configuration for native mobile apps.
Initiate login uri, must be https
Refresh token configuration
Defines the default Organization ID and flows
Defines how to proceed during an authentication transaction with regards an organization. Can be deny (default), allow or require.
deny, allow, require Defines how to proceed during an authentication transaction when client.organization_usage: 'require'. Can be no_prompt (default), pre_login_prompt or post_login_prompt. post_login_prompt requires oidc_conformant: true.
no_prompt, pre_login_prompt, post_login_prompt Defines the available methods for organization discovery during the pre_login_prompt. Users can discover their organization either by email, organization_name or both.
1Method for discovering organizations during the pre_login_prompt. email allows users to find their organization by entering their email address and performing domain matching, while organization_name requires users to enter the organization name directly. These methods can be combined.
email, organization_name Defines client authentication methods.
Makes the use of Pushed Authorization Requests mandatory for this client
Makes the use of Proof-of-Possession mandatory for this client
JWT-secured Authorization Requests (JAR) settings.
Defines the compliance level for this client, which may restrict it's capabilities
none, fapi1_adv_pkj_par, fapi1_adv_mtls_par, fapi2_sp_pkj_mtls, fapi2_sp_mtls_mtls, null Controls whether a confirmation prompt is shown during login flows when the redirect URI uses non-verifiable callback URIs (for example, a custom URI schema such as myapp://, or localhost).
If set to true, a confirmation prompt will not be shown. We recommend that this is set to false for improved protection from malicious apps.
See https://auth0.com/docs/secure/security-guidance/measures-against-app-impersonation for more information.
Configuration for token exchange.
Specifies how long, in seconds, a Pushed Authorization Request URI remains valid
10 <= x <= 600Application specific configuration for use with the OIN Express Configuration feature.
The identifier of the resource server that this client is linked to.
Array of notification channels for contacting the user when their approval is required. Valid values are guardian-push, email.
1guardian-push, email