# Troubleshoot Third-Party Applications

> Resolve common errors when working with third-party applications in Auth0.

Use this page to resolve common errors when integrating with third-party applications. For an overview of third-party application capabilities and restrictions, read [Security Controls for Third-Party Applications](/docs/get-started/applications/third-party-applications/security-controls).

## Identify third-party application issues

If you encounter an error during an OAuth flow, check if the application is a third-party application:

* **Client ID prefix**: Third-party applications have a `client_id` that starts with `tpc_`.
* **Tenant logs**: In [Auth0 Dashboard > Monitoring > Logs](https://manage.auth0.com/#/logs), filter by the application to review error events.

## Common errors

### `unauthorized_client` when requesting tokens

**Cause**: The third-party application does not have a client grant for the requested API. Third-party applications always require an explicit client grant, even when the API access policy is set to **Allow All**.

**Solution**: Create a client grant for the application or configure default permissions for third-party applications. To learn more, read [Application Access to APIs: Client Grants](/docs/get-started/applications/application-access-to-apis-client-grants).

The following request configures default permissions for all third-party applications on one API:

```bash
curl --request POST \
  --url 'https://YOUR_DOMAIN/api/v2/client-grants' \
  --header 'Authorization: Bearer YOUR_MANAGEMENT_API_TOKEN' \
  --header 'Content-Type: application/json' \
  --data '{
    "default_for": "third_party_clients",
    "audience": "https://api.example.com",
    "scope": ["read:items", "write:items"],
    "subject_type": "user"
  }'
```

### `unauthorized_client` even with "Allow All" API policy

**Cause**: The API's access policy setting of **Allow All** applies only to first-party applications. Third-party applications always require an explicit client grant regardless of this setting.

**Solution**: Configure a [default permission for third-party applications](/docs/get-started/applications/application-access-to-apis-client-grants#default-permissions-for-third-party-applications) or create a per-application client grant.

### `invalid_request` on `/authorize` with unsupported parameters

**Cause**: Third-party applications enforce strict parameter validation on the `/authorize` endpoint. Parameters such as `screen_hint`, `login_ticket`, `invitation`, `request` (JAR), and `request_uri` (PAR) are not supported.

**Solution**: Remove unsupported parameters from your authorization request. For the list of allowed parameters, read [Security Controls for Third-Party Applications](/docs/get-started/applications/third-party-applications/security-controls#authorize-parameter-validation).

### `unsupported_response_type` for `id_token` or `token`

**Cause**: Implicit flow (`response_type=token` or `response_type=id_token`) is not available for third-party applications.

**Solution**: Use `response_type=code` with [PKCE](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce).

### No ID token returned from `/oauth/token`

**Cause**: Third-party applications with enhanced security controls do not return ID tokens or process OIDC scopes (`openid`, `profile`, `email`) in this release. The token endpoint will return an access token but no `id_token`.

**Solution**: Use API-scoped access tokens to retrieve the information your application needs. OIDC support for third-party applications is planned for a future release.
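The three `/authorize` and token symptoms above (`invalid_request`, `unsupported_response_type`, missing `id_token`) can be caught before a request is sent. The following pre-flight check is an added example, not Auth0 code: `preflight_authorize`, the finding labels `pkce_recommended` and `no_id_token`, and the sample URLs are hypothetical, and it flags only the parameters this page names rather than enforcing the full allow list.

```python
from urllib.parse import urlsplit, parse_qs

# From this page: parameters rejected on /authorize for third-party applications.
UNSUPPORTED_PARAMS = ("screen_hint", "login_ticket", "invitation", "request", "request_uri")
# From this page: OIDC scopes that are not processed in this release.
OIDC_SCOPES = {"openid", "profile", "email"}


def preflight_authorize(url):
    """Return (symptom, fix) findings for an /authorize URL of a third-party app."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    findings = []
    if not params.get("client_id", [""])[0].startswith("tpc_"):
        return findings  # not a third-party client: these restrictions do not apply
    for name in UNSUPPORTED_PARAMS:
        if name in params:
            findings.append(("invalid_request", f"remove unsupported parameter '{name}'"))
    response_type = params.get("response_type", [""])[0]
    if response_type != "code":
        findings.append(("unsupported_response_type",
                         f"response_type={response_type!r}; use 'code' with PKCE"))
    elif "code_challenge" not in params:
        # Label chosen for this example; the page recommends code flow with PKCE.
        findings.append(("pkce_recommended", "add code_challenge and code_challenge_method"))
    scopes = set(params.get("scope", [""])[0].split())
    ignored = sorted(scopes & OIDC_SCOPES)
    if ignored:
        findings.append(("no_id_token", f"OIDC scopes not processed: {', '.join(ignored)}"))
    return findings


# Constructed sample requests; domain, client ID and redirect URI are placeholders.
BAD = ("https://YOUR_DOMAIN/authorize?client_id=tpc_EXAMPLE&response_type=token"
       "&screen_hint=signup&scope=openid%20read%3Aitems"
       "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb")
GOOD = ("https://YOUR_DOMAIN/authorize?client_id=tpc_EXAMPLE&response_type=code"
        "&code_challenge=CONSTRUCTED_CHALLENGE&code_challenge_method=S256"
        "&scope=read%3Aitems&audience=https%3A%2F%2Fapi.example.com"
        "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb")

if __name__ == "__main__":
    for symptom, fix in preflight_authorize(BAD):
        print(f"{symptom}: {fix}")
```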

### Grant type not supported

**Cause**: Only `authorization_code` and `refresh_token` grant types are supported. Grant types such as `implicit`, `password`, `client_credentials`, and `urn:ietf:params:oauth:grant-type:device_code` are not available.

**Solution**: Update the application to use the [Authorization Code Flow with PKCE](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce).

### Classic Login not working

**Cause**: [Classic Login](/docs/authenticate/login/auth0-universal-login/universal-login-vs-classic-login/classic-experience) is not supported for third-party applications.

**Solution**: Use [Universal Login](/docs/authenticate/login/auth0-universal-login). Universal Login is the recommended login experience for all applications.

### Client ID starts with `tpc_`

**Cause**: Third-party applications automatically receive a `tpc_` prefix on their Client ID for traffic classification. This is assigned at creation and cannot be changed.

**Solution**: This is expected behavior. Update any client-side validation or database constraints to accommodate the longer Client ID format.

### Cannot change `is_first_party` or security mode

**Cause**: The security mode and application ownership are permanent design decisions set at creation. They cannot be changed afterward.

**Solution**: Create a new application with the desired configuration. You cannot convert an existing application between first-party and third-party, or between security modes.

### Email verification or password reset shows an error page

**Cause**: The application's `redirection_policy` is set to `open_redirect_protection`, which prevents Auth0 from exposing `application.callback_domain` in email templates.

**Solution**: Update your email templates with a Liquid conditional that provides a fallback for third-party applications:

```liquid
{% if application.callback_domain == '' %}
  https://YOUR_FALLBACK_DOMAIN
{% else %}
  {{ application.callback_domain }}/result-page
{% endif %}
```

Alternatively, set `redirection_policy` to `allow_always` for trusted third-party applications created via the Dashboard or Management API. To learn more, read [Security Controls for Third-Party Applications](/docs/get-started/applications/third-party-applications/security-controls#redirect-protection).

### DCR client cannot access any API

**Cause**: Dynamically registered clients require default permissions configured before they can request tokens. Without default permissions, third-party DCR clients have no API access.

**Solution**: Configure default permissions for third-party applications on each API the DCR clients need to access. To learn more, read [Configure Third-Party Applications](/docs/get-started/applications/third-party-applications/configure-third-party-applications#default-permissions-for-all-third-party-applications).

### `/userinfo` returns error

**Cause**: The `/userinfo` endpoint is not available for third-party applications in this release.

**Solution**: Use API-scoped access tokens to retrieve the information your application needs. OIDC support, including `/userinfo`, is planned for a future release.

### `/oauth/revoke` works but logout endpoints do not

**Cause**: Logout endpoints (`/v2/logout`) are not available for third-party applications.

**Solution**: Use `POST /oauth/revoke` to revoke refresh tokens. The application is responsible for clearing its own session state.

### Connection not available for a third-party application

**Cause**: The connection is not promoted to the domain level. Third-party applications can only authenticate users through domain-level connections.

**Solution**: Promote the connection to the domain level. To learn more, read [Promote Connections to Domain Level](/docs/authenticate/identity-providers/promote-connections-to-domain-level).

### Refresh token rotation causing issues

**Cause**: Refresh token rotation is enabled by default for public (SPA, Native) third-party applications, aligned with OAuth 2.1 requirements.

**Solution**: Ensure your application handles rotating refresh tokens correctly: each token exchange returns a new refresh token and invalidates the previous one. Admins can adjust rotation settings for manually created applications via the Dashboard or Management API.
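A client-side pattern for handling rotation, shown as an added example rather than Auth0 SDK code: refreshes are serialized so that two concurrent callers never present the same single-use token, and the rotated token is stored before the access token is used. `RotatingTokenClient`, `FakeTokenEndpoint` and the `rt-`/`at-` values are hypothetical; the fake endpoint is a constructed stand-in for `POST /oauth/token` that answers a rotated-out token with the standard OAuth `invalid_grant` error.

```python
import threading


class RotatingTokenClient:
    """Holds the single current refresh token and replaces it on every exchange."""

    def __init__(self, refresh_token, exchange):
        self._refresh_token = refresh_token
        self._exchange = exchange      # callable(refresh_token) -> token response dict
        self._lock = threading.Lock()  # one exchange at a time: each token is single-use

    def refresh(self):
        with self._lock:
            response = self._exchange(self._refresh_token)
            # Store the rotated token first; the one just sent is now invalid.
            self._refresh_token = response.get("refresh_token", self._refresh_token)
            return response["access_token"]


class FakeTokenEndpoint:
    """Constructed stand-in for POST /oauth/token with grant_type=refresh_token."""

    def __init__(self, initial):
        self._valid, self._count = initial, 0

    def __call__(self, refresh_token):
        if refresh_token != self._valid:
            raise PermissionError("invalid_grant")  # rotated-out token presented again
        self._count += 1
        self._valid = f"rt-{self._count}"
        return {"access_token": f"at-{self._count}", "refresh_token": self._valid}


def demo(workers=4):
    endpoint = FakeTokenEndpoint("rt-0")
    client = RotatingTokenClient("rt-0", endpoint)
    issued = []
    threads = [threading.Thread(target=lambda: issued.append(client.refresh()))
               for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    try:
        endpoint("rt-0")  # replay the original token after it was rotated
        replay = "accepted"
    except PermissionError as exc:
        replay = str(exc)
    return sorted(issued), replay
```

In a real application the stored refresh token also has to survive restarts, so the assignment inside `refresh` would write to the app's secure storage.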

## Learn more

* [Third-Party Applications](/docs/get-started/applications/third-party-applications)
* [Security Controls for Third-Party Applications](/docs/get-started/applications/third-party-applications/security-controls)
* [Configure Third-Party Applications](/docs/get-started/applications/third-party-applications/configure-third-party-applications)
* [Application Access to APIs: Client Grants](/docs/get-started/applications/application-access-to-apis-client-grants)
