# First-Party and Third-Party Applications

> Learn the difference between first-party and third-party applications in Auth0.

When you register an application in Auth0, you decide whether it is first-party or third-party based on who owns and operates it.

* First-party applications: Owned and operated by your organization. You control their deployment, credentials, and behavior.
* Third-party applications: Owned and operated by an external organization, such as a partner, an independent developer, or an AI agent. You grant them access to your resources, but you cannot directly control what they do with that access.

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  "Third-party" refers to operational control, not authorship. Many organizations outsource development of their own applications. For example, a contractor building your application does not make it third-party. The key distinction is: who deploys it, who holds the credentials, and who can stop it.
</Callout>

Confidential/public and first-party/third-party are independent classifications. Confidential or public describes the application's authentication capability (whether it can hold a secret). First-party or third-party describes the trust relationship (who owns and operates the application).

Both first-party and third-party applications can be confidential (Regular Web App) or public (SPA, Native). A third-party Regular Web App is both confidential and third-party.

## First-party applications

First-party applications are controlled by the same organization or person who owns the Auth0 domain. For example, let's say you created a Contoso API and an application that logs into `contoso.com` and consumes the Contoso API. You would register both the API and application under the same Auth0 domain, and the application would be a first-party application. By default, all applications created via the [Auth0 Dashboard](https://manage.auth0.com/#/applications) are first-party applications.

## Third-party applications

Third-party applications are controlled by someone who most likely should not have administrative access to your Auth0 domain. Third-party applications enable external parties or partners to securely access protected resources behind your API.

For example, if a partner company builds a data analytics dashboard to visualize information from your service, they must first register their application in your Auth0 tenant to obtain a <Tooltip tip="Client ID: Identification value given to your registered resource from Auth0." cta="View Glossary" href="/docs/glossary?term=client+ID">client ID</Tooltip> and secret. Even though this application is registered within your environment, it is considered third-party because the code and credentials are owned and operated by the partner, not by your organization.

All applications created through [Dynamic Client Registration](/docs/get-started/applications/dynamic-client-registration) are third-party applications. To learn more about third-party applications in Auth0, read [Third-Party Applications](/docs/get-started/applications/third-party-applications).

## First-party vs. third-party in Auth0

The following table summarizes the differences between first-party and third-party applications in Auth0:

|                                       | **First-party**                            | **Third-party**                                                                                                                                                                                               |
| ------------------------------------- | ------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **API access**                        | Follows the API's configured access policy | Always requires an explicit [client grant](/docs/get-started/applications/application-access-to-apis-client-grants)                                                                                           |
| **Auth0 system APIs**                 | Accessible in user flows                   | Not accessible in user flows                                                                                                                                                                                  |
| **User consent**                      | Can be skipped (if enabled on the API)     | Always required                                                                                                                                                                                               |
| **Grant types**                       | All supported grant types                  | `authorization_code`, `refresh_token`, and `client_credentials`                                                                                                                                               |
| **OIDC**                              | Supported                                  | Not supported. Planned for a future release.                                                                                                                                                                  |
| **Rules**                             | Executed                                   | Not supported. Results in error.                                                                                                                                                                              |
| **Non-OAuth protocols** (SAML, WsFed) | Supported                                  | Not supported                                                                                                                                                                                                 |
| **Organizations**                     | Supported                                  | Machine-to-machine access supported via [organization client grants](/docs/manage-users/organizations/configure-organizations/configure-organization-client-grants). User flows planned for a future release. |
| **Client ID format**                  | Standard format                            | `tpc_` prefix                                                                                                                                                                                                 |
| **Connections**                       | All enabled connections                    | Domain-level connections                                                                                                                                                                                      |

## Application ownership

Application ownership is determined at creation time and cannot be changed afterward. By default, applications are created as first-party, which applies less restrictive security settings. To ensure the appropriate [security controls](/docs/get-started/applications/third-party-applications/security-controls) are applied, you must correctly identify applications owned by external parties as third-party when creating them through the Auth0 Dashboard or Management API. To learn how, read [Configure Third-Party Applications](/docs/get-started/applications/third-party-applications/configure-third-party-applications).

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  Application ownership is immutable. You cannot convert a third-party application to first-party or vice versa.
</Callout>

## Check application ownership

To check if an application is first-party or third-party:

<Tabs>
  <Tab title="Auth0 Dashboard">
    1. Navigate to **Applications > Applications**.
    2. Select the application. Third-party applications display a badge indicating they are third-party.

    <Frame>
      <img src="https://mintlify.s3.us-west-1.amazonaws.com/docs-dev/docs/images/third-party-applications/third-party-badge.png" alt="Dashboard application settings showing third-party badge" />
    </Frame>
  </Tab>

  <Tab title="Management API">
    Make a `GET` call to the [Get a Client endpoint](https://auth0.com/docs/api/management/v2#!/Clients/get_clients_by_id). Be sure to replace `{YOUR_CLIENT_ID}`
    and `{YOUR_MANAGEMENT_API_ACCESS_TOKEN}` placeholder values with your <Tooltip tip="Client ID: Identification value given to your registered resource from Auth0." cta="View Glossary" href="/docs/glossary?term=client+ID">client ID</Tooltip> and Management API <Tooltip tip="Access Token: Authorization credential, in the form of an opaque string or JWT, used to access an API." cta="View Glossary" href="/docs/glossary?term=Access+Token">Access Token</Tooltip>, respectively.

    <AuthCodeGroup>
      ```bash cURL theme={null}
      curl --request GET \
        --url 'https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}?fields=is_first_party&include_fields=true' \
        --header 'authorization: Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}'
      ```

      ```csharp C# theme={null}
      var client = new RestClient("https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}?fields=is_first_party&include_fields=true");
      var request = new RestRequest(Method.GET);
      request.AddHeader("authorization", "Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}");
      IRestResponse response = client.Execute(request);
      ```

      ```go Go theme={null}
      package main

      import (
      	"fmt"
      	"io"
      	"log"
      	"net/http"
      )

      func main() {
      	url := "https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}?fields=is_first_party&include_fields=true"

      	req, err := http.NewRequest("GET", url, nil)
      	if err != nil {
      		log.Fatal(err)
      	}
      	req.Header.Add("authorization", "Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}")

      	// Check the error before touching res: res is nil when the request fails.
      	res, err := http.DefaultClient.Do(req)
      	if err != nil {
      		log.Fatal(err)
      	}
      	defer res.Body.Close()

      	body, err := io.ReadAll(res.Body)
      	if err != nil {
      		log.Fatal(err)
      	}

      	fmt.Println(res)
      	fmt.Println(string(body))
      }
      ```

      ```java Java theme={null}
      HttpResponse response = Unirest.get("https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}?fields=is_first_party&include_fields=true")
        .header("authorization", "Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}")
        .asString();
      ```

      ```javascript Node.JS theme={null}
      var axios = require("axios").default;

      var options = {
        method: 'GET',
        url: 'https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}',
        params: {fields: 'is_first_party', include_fields: 'true'},
        headers: {authorization: 'Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}'}
      };

      axios.request(options).then(function (response) {
        console.log(response.data);
      }).catch(function (error) {
        console.error(error);
      });
      ```

      ```php PHP theme={null}
      $curl = curl_init();

      curl_setopt_array($curl, [
        CURLOPT_URL => "https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}?fields=is_first_party&include_fields=true",
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_ENCODING => "",
        CURLOPT_MAXREDIRS => 10,
        CURLOPT_TIMEOUT => 30,
        CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
        CURLOPT_CUSTOMREQUEST => "GET",
        CURLOPT_HTTPHEADER => [
          "authorization: Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}"
        ],
      ]);

      $response = curl_exec($curl);
      $err = curl_error($curl);

      curl_close($curl);

      if ($err) {
        echo "cURL Error #:" . $err;
      } else {
        echo $response;
      }
      ```

      ```python Python theme={null}
      import http.client

      conn = http.client.HTTPSConnection("{YOUR_DOMAIN}")

      headers = { 'authorization': "Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}" }

      # The host goes in the connection; the request takes only the path and query.
      conn.request("GET", "/api/v2/clients/{YOUR_CLIENT_ID}?fields=is_first_party&include_fields=true", headers=headers)

      res = conn.getresponse()
      data = res.read()

      print(data.decode("utf-8"))
      ```

      ```ruby Ruby theme={null}
      require 'uri'
      require 'net/http'
      require 'openssl'

      url = URI("https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}?fields=is_first_party&include_fields=true")

      http = Net::HTTP.new(url.host, url.port)
      http.use_ssl = true
      # Verify the server certificate: this request carries a Management API token.
      http.verify_mode = OpenSSL::SSL::VERIFY_PEER

      request = Net::HTTP::Get.new(url)
      request["authorization"] = 'Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}'

      response = http.request(request)
      puts response.read_body
      ```
    </AuthCodeGroup>

    | Value                              | Description                                                                                                                                         |
    | ---------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- |
    | `YOUR_CLIENT_ID`                   | The ID of the application to check.                                                                                                                 |
    | `YOUR_MANAGEMENT_API_ACCESS_TOKEN` | [Access Tokens for the Management API](https://auth0.com/docs/api/management/v2/tokens) with the [scope](/docs/glossary?term=scope) `read:clients`. |

    If the application is first-party, the `is_first_party` field will have a value of `true`. If the application is third-party, the `is_first_party` field will have a value of `false`.
  </Tab>
</Tabs>
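The single-client check above extends naturally to an inventory audit. The following is an added example, not Auth0's own code: it goes beyond one `GET` call and cross-checks a list of client records against the comparison table on this page. It assumes the table's `tpc_` prefix and grant-type limits apply to every client in the tenant; the sample records are constructed, and `EXTERNALLY_OPERATED` is a hypothetical operator-maintained list.

```python
import json

# Values taken from the comparison table on this page.
THIRD_PARTY_GRANT_TYPES = {"authorization_code", "refresh_token", "client_credentials"}
THIRD_PARTY_ID_PREFIX = "tpc_"


def audit_client(client, externally_operated_ids):
    """Return a list of findings for one client record (empty list = consistent)."""
    cid = client.get("client_id", "<missing client_id>")
    first_party = client.get("is_first_party")
    if not isinstance(first_party, bool):
        # Fail closed: a filtered or partial response must not read as first-party.
        return [f"{cid}: is_first_party absent, ownership unknown"]
    findings = []
    if first_party:
        if cid in externally_operated_ids:
            findings.append(f"{cid}: externally operated but registered first-party; "
                            "ownership is immutable, so re-register as third-party")
        if cid.startswith(THIRD_PARTY_ID_PREFIX):
            findings.append(f"{cid}: first-party record with {THIRD_PARTY_ID_PREFIX} prefix")
    else:
        if not cid.startswith(THIRD_PARTY_ID_PREFIX):
            findings.append(f"{cid}: third-party record without {THIRD_PARTY_ID_PREFIX} prefix")
        extra = set(client.get("grant_types", [])) - THIRD_PARTY_GRANT_TYPES
        if extra:
            findings.append(f"{cid}: unexpected grant types {sorted(extra)}")
    return findings


def audit_inventory(clients, externally_operated_ids):
    """Audit every record and return all findings in input order."""
    return [f for c in clients for f in audit_client(c, externally_operated_ids)]


# Constructed sample records (not real tenant data), shaped like Management API
# client objects restricted to client_id, is_first_party and grant_types.
SAMPLE_CLIENTS = json.loads("""[
  {"client_id": "abc123internal", "is_first_party": true, "grant_types": ["authorization_code", "implicit"]},
  {"client_id": "partnerDash01", "is_first_party": true, "grant_types": ["authorization_code"]},
  {"client_id": "tpc_analytics77", "is_first_party": false, "grant_types": ["authorization_code", "refresh_token"]},
  {"client_id": "tpc_agent42", "is_first_party": false, "grant_types": ["client_credentials", "password"]},
  {"client_id": "unknown55"}
]""")

# Hypothetical operator-maintained list of client IDs run by external parties.
EXTERNALLY_OPERATED = {"partnerDash01", "tpc_analytics77", "tpc_agent42"}

if __name__ == "__main__":
    for finding in audit_inventory(SAMPLE_CLIENTS, EXTERNALLY_OPERATED):
        print(finding)
```

Findings are prompts for review rather than verdicts: a record with no `is_first_party` value is reported as unknown instead of being assumed first-party.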

## Learn more

* [Third-Party Applications](/docs/get-started/applications/third-party-applications)
* [Security Controls for Third-Party Applications](/docs/get-started/applications/third-party-applications/security-controls)
* [Confidential and Public Applications](/docs/get-started/applications/confidential-and-public-applications)
* [User Consent and Third-Party Applications](/docs/get-started/applications/third-party-applications/user-consent-and-third-party-applications)
