# Third-Party Applications

> Configure third-party applications to access your APIs with enhanced security controls.

Third-party applications are applications owned and operated by an external organization—a partner, independent developer, or AI agent—that authenticate your users and access your APIs.

Unlike [first-party applications](/docs/get-started/applications/first-party-and-third-party-applications#first-party-applications) that you directly control, third-party applications operate independently: you grant them access to your resources, but you cannot control what they do with that access. To learn more about the differences between first-party and third-party applications, read [First-Party and Third-Party Applications](/docs/get-started/applications/first-party-and-third-party-applications).

Third-party applications have the following unique characteristics:

* **Enhanced security controls**: Auth0 enforces [enhanced security controls](/docs/get-started/applications/third-party-applications/security-controls) for third-party applications, ensuring external applications can only access resources you explicitly authorize. Features intended for first-party use cases are not available.
* **User Consent**: Auth0 always requires user consent when a third-party application requests access to APIs. Consent cannot be skipped.
* **Connections**: Third-party applications can only authenticate users through domain-level connections. To learn more, read [Promote Connections to Domain Level](/docs/authenticate/identity-providers/promote-connections-to-domain-level).

## Use cases

Common third-party application use cases include:

* **Partner integrations**: External partners build applications that call your APIs on the user's behalf. For example, a CRM vendor integrates with your platform so that mutual customers can sync data between both products.
* **AI agents and MCP clients**: AI-powered tools such as Claude Code, VS Code with Copilot, or custom MCP servers connect to your APIs to perform actions on the user's behalf. To learn more, read [Auth for MCP](https://auth0.com/ai/docs/mcp/intro/overview).
* **Developer ecosystems**: You expose APIs for external developers to build applications on your platform, whether through a developer portal, a marketplace, or [Dynamic Client Registration](/docs/get-started/applications/dynamic-client-registration).
* **Cross App Access (XAA)**: A workforce application in another organization's tenant accesses your APIs through a trust relationship, where the requesting application is modeled as a third-party application in your tenant. To learn more, read [Cross App Access](/docs/secure/call-apis-on-users-behalf/xaa).

## Supported client types

Third-party applications support both confidential and public client types:

| **Client type** | **Application type** | **Use case**                     |
| --------------- | -------------------- | -------------------------------- |
| Confidential    | Regular Web App      | Server-side partner integrations |
| Public          | Single Page App      | Browser-based partner widgets    |
| Public          | Native               | Mobile partner applications      |

## Supported grant types

Third-party applications support:

* `authorization_code` with mandatory PKCE
* `refresh_token`
* `client_credentials` (confidential clients only)
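The client type table and grant type list above can be turned into a pre-flight check on client definitions before they are created or during a review of existing ones. The following is an added example, not Auth0's own code: the field names `is_first_party`, `app_type` and `grant_types` follow Auth0 Management API client objects, the function names are hypothetical, and the sample clients are constructed. Mandatory PKCE is a property of the authorization request rather than of these fields, so it is outside this check.

```javascript
// Added example. Field names (is_first_party, app_type, grant_types) follow
// Auth0 Management API client objects; the sample clients are constructed.
const CLIENT_TYPE = { regular_web: "confidential", spa: "public", native: "public" };
const SUPPORTED_GRANTS = new Set(["authorization_code", "refresh_token", "client_credentials"]);

// Returns a list of findings for one client definition (empty list = consistent).
function checkThirdPartyClient(client) {
  if (client.is_first_party !== false) return []; // rules apply to third-party apps only
  const findings = [];
  const clientType = CLIENT_TYPE[client.app_type];
  if (!clientType) {
    findings.push(`app_type "${client.app_type}" is not in the supported client types table`);
  }
  for (const grant of client.grant_types ?? []) {
    if (!SUPPORTED_GRANTS.has(grant)) {
      findings.push(`grant type "${grant}" is not supported for third-party applications`);
    } else if (grant === "client_credentials" && clientType !== "confidential") {
      findings.push("client_credentials requires a confidential client");
    }
  }
  return findings;
}

// Audits a list of clients and keeps only those with findings, keyed by name.
function auditClients(clients) {
  const report = {};
  for (const client of clients) {
    const findings = checkThirdPartyClient(client);
    if (findings.length > 0) report[client.name] = findings;
  }
  return report;
}

// Constructed sample input, not real tenant data.
const SAMPLE_CLIENTS = [
  { name: "partner-crm", is_first_party: false, app_type: "regular_web",
    grant_types: ["authorization_code", "refresh_token", "client_credentials"] },
  { name: "partner-widget", is_first_party: false, app_type: "spa",
    grant_types: ["authorization_code", "implicit"] },
  { name: "partner-mobile", is_first_party: false, app_type: "native",
    grant_types: ["authorization_code", "refresh_token", "client_credentials"] },
  { name: "own-dashboard", is_first_party: true, app_type: "spa",
    grant_types: ["implicit"] },
];

console.log(JSON.stringify(auditClients(SAMPLE_CLIENTS), null, 2));
```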

## Get started

To set up a third-party application in Auth0, follow these steps:

### Step 1: Create the application

[Create a third-party application](/docs/get-started/applications/third-party-applications/configure-third-party-applications#create-a-third-party-application) using the Auth0 Dashboard or the Management API.

### Step 2: Configure API access

Third-party applications always require explicit authorization to access your APIs, even when the API's access policy is set to **Allow All**. You configure API access policies through [client grants](/docs/get-started/applications/application-access-to-apis-client-grants).

You can configure default permissions that apply to all third-party applications automatically. This is useful in cases where you manage many third-party applications or use [Dynamic Client Registration](/docs/get-started/applications/dynamic-client-registration). To learn more, read [Default permissions for third-party applications](/docs/get-started/applications/application-access-to-apis-client-grants#default-permissions-for-third-party-applications).

You can also define specific permissions for individual applications through [client grants](/docs/get-started/applications/application-access-to-apis-client-grants). Per-application permissions take precedence over the defaults. To learn more, read [Create client grant](/docs/get-started/applications/application-access-to-apis-client-grants#create-client-grant).

### Step 3: Configure connections

Third-party applications can only authenticate users through connections promoted to the domain level. Domain-level connections are available to all third-party applications in the tenant.

To promote a connection to the domain level, read [Promote Connections to Domain Level](/docs/authenticate/identity-providers/promote-connections-to-domain-level).

### Step 4: Users provide consent

When a user authenticates through a third-party application, Auth0 displays a consent dialog asking the user to approve the requested permissions. Consent is always required for third-party applications and cannot be skipped.

To learn more, read [User Consent and Third-Party Applications](/docs/get-started/applications/third-party-applications/user-consent-and-third-party-applications).

## Dynamic Client Registration

[Dynamic Client Registration](/docs/get-started/applications/dynamic-client-registration) creates third-party applications with enhanced security controls by default. Before enabling DCR for third-party applications, you must [configure default API permissions](/docs/get-started/applications/dynamic-client-registration#configure-api-access-for-dcr-clients) so dynamically registered clients can access your APIs.

## Learn more

* [First-Party and Third-Party Applications](/docs/get-started/applications/first-party-and-third-party-applications)
* [Security Controls for Third-Party Applications](/docs/get-started/applications/third-party-applications/security-controls)
* [Configure Third-Party Applications](/docs/get-started/applications/third-party-applications/configure-third-party-applications)
* [User Consent and Third-Party Applications](/docs/get-started/applications/third-party-applications/user-consent-and-third-party-applications)
* [Troubleshoot Third-Party Applications](/docs/get-started/applications/third-party-applications/troubleshooting)
* [Application Access to APIs: Client Grants](/docs/get-started/applications/application-access-to-apis-client-grants)
