Tenant Access Control List (ACL) provides the power and flexibility needed to handle a large variety of scenarios.
Block a request
Here is an example of a Tenant ACL rule that blocks incoming traffic from a specific geolocation country code.
Management API
Go SDK
Node SDK
Terraform
Deploy CLI
Auth0 CLI
To create this Tenant ACL rule with the Management API:
1. Get a Management API access token with the create:network_acls scope.
2. Call the Management API Create access control list endpoint with the following body:
{
"description": "Example of blocking a request",
"active": true,
"priority": 2,
"rule": {
"action": {
"block": true
},
"match": {
"geo_country_codes": [
"GEO_COUNTRY_CODE"
]
},
"scope": "authentication"
}
}
// Country code(s) whose traffic this rule blocks.
// "GEO_COUNTRY_CODE" is a placeholder: replace it with a real code before use.
const blockedCountryCodes: string[] = ["GEO_COUNTRY_CODE"];

// Request body for a Tenant ACL rule that blocks requests in the
// "authentication" scope when the request's country matches.
const createNetworkAclPayload: Management.CreateNetworkAclRequestContent = {
  description: "Example of blocking a request",
  // The rule is created in the active state.
  active: true,
  // NOTE(review): priority positions this rule relative to the tenant's other
  // ACL rules; confirm it does not collide with an existing rule.
  priority: 2,
  rule: {
    action: { block: true },
    // NOTE(review): the match is on request geolocation, so treat it as a
    // coarse network filter rather than an identity control.
    match: { geo_country_codes: blockedCountryCodes },
    scope: "authentication",
  },
};

// `client` is presumably a Management API client whose token carries the
// create:network_acls scope; verify against your setup.
const createNetworkAcl = await client.networkAcls.create(createNetworkAclPayload);
# Tenant ACL rule that blocks requests in the "authentication" scope when the
# request's country matches the listed code.
resource "auth0_network_acl" "example_blocking_request_acl" {
  description = "Example of blocking a request"
  active      = true # the rule is created in the active state
  # NOTE(review): priority positions this rule relative to the tenant's other
  # ACL rules; confirm it does not collide with an existing rule.
  priority    = 2

  rule {
    action {
      block = true
    }

    match {
      # Placeholder: replace GEO_COUNTRY_CODE with a real country code.
      geo_country_codes = ["GEO_COUNTRY_CODE"]
    }

    scope = "authentication"
  }
}
# Tenant ACL rule that blocks requests in the "authentication" scope when the
# request's country matches the listed code.
networkACLs:
  - description: Example of blocking a request
    active: true   # the rule is created in the active state
    # NOTE(review): confirm this priority does not collide with another rule.
    priority: 2
    rule:
      action:
        block: true
      match:
        # Placeholder: replace GEO_COUNTRY_CODE with a real country code.
        geo_country_codes: [GEO_COUNTRY_CODE]
      scope: authentication
# Rule definition as JSON: block requests in the "authentication" scope when
# the request's country matches. GEO_COUNTRY_CODE is a placeholder; replace it
# with a real country code before running.
rule_json='{"action":{"block":true},"match":{"geo_country_codes":["GEO_COUNTRY_CODE"]},"scope":"authentication"}'

# Creates the rule in the active state.
# NOTE(review): confirm priority 2 does not collide with an existing rule.
auth0 network-acl create \
  --description "Example of blocking a request" \
  --active true \
  --priority 2 \
  --rule "$rule_json"
Example of a block page
Allow a request
Here is an example of a Tenant ACL rule that allows traffic only from a specific geolocation country code.
Management API
Go SDK
Node SDK
Terraform
Deploy CLI
Auth0 CLI
To create this Tenant ACL rule with the Management API:
1. Get a Management API access token with the create:network_acls scope.
2. Call the Management API Create access control list endpoint with the following body:
{
"description": "Example of allowing a request",
"active": true,
"priority": 2,
"rule": {
"action": {
"allow": true
},
"match": {
"geo_country_codes": [
"GEO_COUNTRY_CODE"
]
},
"scope": "authentication"
}
}
// Country code(s) whose traffic this rule allows.
// "GEO_COUNTRY_CODE" is a placeholder: replace it with a real code before use.
const allowedCountryCodes: string[] = ["GEO_COUNTRY_CODE"];

// Request body for a Tenant ACL rule that allows requests in the
// "authentication" scope when the request's country matches.
const createNetworkAclPayload: Management.CreateNetworkAclRequestContent = {
  description: "Example of allowing a request",
  // The rule is created in the active state.
  active: true,
  // NOTE(review): priority positions this rule relative to the tenant's other
  // ACL rules; confirm it does not collide with an existing rule.
  priority: 2,
  rule: {
    action: { allow: true },
    // NOTE(review): this rule only matches the listed country. Confirm which
    // other rule, if any, handles traffic from everywhere else.
    match: { geo_country_codes: allowedCountryCodes },
    scope: "authentication",
  },
};

// `client` is presumably a Management API client whose token carries the
// create:network_acls scope; verify against your setup.
const createNetworkAcl = await client.networkAcls.create(createNetworkAclPayload);
# Tenant ACL rule that allows requests in the "authentication" scope when the
# request's country matches the listed code.
# NOTE(review): this rule only matches the listed country. Confirm which other
# rule, if any, handles traffic from everywhere else.
resource "auth0_network_acl" "example_allowing_request_acl" {
  description = "Example of allowing a request"
  active      = true # the rule is created in the active state
  # NOTE(review): confirm this priority does not collide with another rule.
  priority    = 2

  rule {
    action {
      allow = true
    }

    match {
      # Placeholder: replace GEO_COUNTRY_CODE with a real country code.
      geo_country_codes = ["GEO_COUNTRY_CODE"]
    }

    scope = "authentication"
  }
}
# Tenant ACL rule that allows requests in the "authentication" scope when the
# request's country matches the listed code.
# NOTE(review): this rule only matches the listed country. Confirm which other
# rule, if any, handles traffic from everywhere else.
networkACLs:
  - description: Example of allowing a request
    active: true   # the rule is created in the active state
    # NOTE(review): confirm this priority does not collide with another rule.
    priority: 2
    rule:
      action:
        allow: true
      match:
        # Placeholder: replace GEO_COUNTRY_CODE with a real country code.
        geo_country_codes: [GEO_COUNTRY_CODE]
      scope: authentication
# Rule definition as JSON: allow requests in the "authentication" scope when
# the request's country matches. GEO_COUNTRY_CODE is a placeholder; replace it
# with a real country code before running.
# NOTE(review): this rule only matches the listed country. Confirm which other
# rule, if any, handles traffic from everywhere else.
rule_json='{"action":{"allow":true},"match":{"geo_country_codes":["GEO_COUNTRY_CODE"]},"scope":"authentication"}'

# Creates the rule in the active state.
auth0 network-acl create \
  --description "Example of allowing a request" \
  --active true \
  --priority 2 \
  --rule "$rule_json"
Redirect a request
Here is an example of a Tenant ACL rule that redirects all traffic from a specific geolocation country code.
Management API
Go SDK
Node SDK
Terraform
Deploy CLI
Auth0 CLI
To create this Tenant ACL rule with the Management API:
1. Get a Management API access token with the create:network_acls scope.
2. Call the Management API Create access control list endpoint with the following body:
{
"description": "Example of redirecting a request",
"active": true,
"priority": 2,
"rule": {
"action": {
"redirect": true,
"redirect_uri": "REDIRECT_URI"
},
"match": {
"geo_country_codes": [
"GEO_COUNTRY_CODE"
]
},
"scope": "authentication"
}
}
// Country code(s) whose traffic this rule redirects.
// "GEO_COUNTRY_CODE" is a placeholder: replace it with a real code before use.
const redirectedCountryCodes: string[] = ["GEO_COUNTRY_CODE"];

// Request body for a Tenant ACL rule that redirects requests in the
// "authentication" scope when the request's country matches.
const createNetworkAclPayload: Management.CreateNetworkAclRequestContent = {
  description: "Example of redirecting a request",
  // The rule is created in the active state.
  active: true,
  // NOTE(review): priority positions this rule relative to the tenant's other
  // ACL rules; confirm it does not collide with an existing rule.
  priority: 2,
  rule: {
    action: {
      redirect: true,
      // "REDIRECT_URI" is a placeholder for the redirect destination.
      // NOTE(review): point it at an HTTPS page you control, since matched
      // users are sent there in place of the authentication flow.
      redirect_uri: "REDIRECT_URI",
    },
    match: { geo_country_codes: redirectedCountryCodes },
    scope: "authentication",
  },
};

// `client` is presumably a Management API client whose token carries the
// create:network_acls scope; verify against your setup.
const createNetworkAcl = await client.networkAcls.create(createNetworkAclPayload);
# Tenant ACL rule that redirects requests in the "authentication" scope when
# the request's country matches the listed code.
resource "auth0_network_acl" "example_redirecting_request_acl" {
  description = "Example of redirecting a request"
  active      = true # the rule is created in the active state
  # NOTE(review): confirm this priority does not collide with another rule.
  priority    = 2

  rule {
    action {
      redirect     = true
      # Placeholder for the redirect destination.
      # NOTE(review): point it at an HTTPS page you control.
      redirect_uri = "REDIRECT_URI"
    }

    match {
      # Placeholder: replace GEO_COUNTRY_CODE with a real country code.
      geo_country_codes = ["GEO_COUNTRY_CODE"]
    }

    scope = "authentication"
  }
}
# Tenant ACL rule that redirects requests in the "authentication" scope when
# the request's country matches the listed code.
networkACLs:
  - description: Example of redirecting a request
    active: true   # the rule is created in the active state
    # NOTE(review): confirm this priority does not collide with another rule.
    priority: 2
    rule:
      action:
        redirect: true
        # Placeholder for the redirect destination.
        # NOTE(review): point it at an HTTPS page you control.
        redirect_uri: REDIRECT_URI
      match:
        # Placeholder: replace GEO_COUNTRY_CODE with a real country code.
        geo_country_codes: [GEO_COUNTRY_CODE]
      scope: authentication
# Rule definition as JSON: redirect requests in the "authentication" scope when
# the request's country matches. GEO_COUNTRY_CODE and REDIRECT_URI are
# placeholders; replace both before running.
# NOTE(review): point REDIRECT_URI at an HTTPS page you control.
rule_json='{"action":{"redirect":true,"redirect_uri":"REDIRECT_URI"},"match":{"geo_country_codes":["GEO_COUNTRY_CODE"]},"scope":"authentication"}'

# Creates the rule in the active state.
auth0 network-acl create \
  --description "Example of redirecting a request" \
  --active true \
  --priority 2 \
  --rule "$rule_json"
Complex comparisons
You can combine the match and not_match operators in a single Tenant ACL rule to enforce fine-grained access policies.
Here is an example of a Tenant ACL rule that evaluates the geo_country_code and geo_subdivision_code signals to block all traffic from a given country except for a specific state, region, or province within that country.
Management API
Go SDK
Node SDK
Terraform
Deploy CLI
Auth0 CLI
To create this Tenant ACL rule with the Management API:
1. Get a Management API access token with the create:network_acls scope.
2. Call the Management API Create access control list endpoint with the following body:
{
"description": "Example of a complex comparison",
"active": true,
"priority": 1,
"rule": {
"action": {
"block": true
},
"match": {
"geo_country_codes": [
"GEO_COUNTRY_CODE"
]
},
"not_match": {
"geo_subdivision_codes": [
"GEO_SUBDIVISION_CODE"
]
},
"scope": "authentication"
}
}
// Country to block, and the subdivision inside it that stays exempt.
// Both values are placeholders: replace them with real codes before use.
const blockedCountryCodes: string[] = ["GEO_COUNTRY_CODE"];
const exemptSubdivisionCodes: string[] = ["GEO_SUBDIVISION_CODE"];

// Request body for a Tenant ACL rule that combines match and not_match:
// block the country's traffic except for the listed subdivision.
const createNetworkAclPayload: Management.CreateNetworkAclRequestContent = {
  description: "Example of a complex comparison",
  // The rule is created in the active state.
  active: true,
  // NOTE(review): priority positions this rule relative to the tenant's other
  // ACL rules; confirm it does not collide with an existing rule.
  priority: 1,
  rule: {
    action: { block: true },
    // Selects requests from the country...
    match: { geo_country_codes: blockedCountryCodes },
    // ...and excludes requests from the exempt subdivision.
    // NOTE(review): double-check the subdivision belongs to the matched
    // country, otherwise the exemption will not carve out what you intend.
    not_match: { geo_subdivision_codes: exemptSubdivisionCodes },
    scope: "authentication",
  },
};

// `client` is presumably a Management API client whose token carries the
// create:network_acls scope; verify against your setup.
const createNetworkAcl = await client.networkAcls.create(createNetworkAclPayload);
# Tenant ACL rule that combines match and not_match: block the country's
# traffic in the "authentication" scope except for the listed subdivision.
resource "auth0_network_acl" "example_complex_comparison_acl" {
  description = "Example of a complex comparison"
  active      = true # the rule is created in the active state
  # NOTE(review): confirm this priority does not collide with another rule.
  priority    = 1

  rule {
    action {
      block = true
    }

    match {
      # Placeholder: replace GEO_COUNTRY_CODE with the country to block.
      geo_country_codes = ["GEO_COUNTRY_CODE"]
    }

    not_match {
      # Placeholder: replace GEO_SUBDIVISION_CODE with the exempt subdivision.
      # NOTE(review): double-check it belongs to the matched country.
      geo_subdivision_codes = ["GEO_SUBDIVISION_CODE"]
    }

    scope = "authentication"
  }
}
# Tenant ACL rule that combines match and not_match: block the country's
# traffic in the "authentication" scope except for the listed subdivision.
networkACLs:
  - description: Example of a complex comparison
    active: true   # the rule is created in the active state
    # NOTE(review): confirm this priority does not collide with another rule.
    priority: 1
    rule:
      action:
        block: true
      match:
        # Placeholder: replace GEO_COUNTRY_CODE with the country to block.
        geo_country_codes: [GEO_COUNTRY_CODE]
      not_match:
        # Placeholder: replace GEO_SUBDIVISION_CODE with the exempt subdivision.
        # NOTE(review): double-check it belongs to the matched country.
        geo_subdivision_codes: [GEO_SUBDIVISION_CODE]
      scope: authentication
# Rule definition as JSON: block the matched country's traffic in the
# "authentication" scope except for the subdivision listed under not_match.
# GEO_COUNTRY_CODE and GEO_SUBDIVISION_CODE are placeholders; replace both.
# NOTE(review): double-check the subdivision belongs to the matched country.
rule_json='{"action":{"block":true},"match":{"geo_country_codes":["GEO_COUNTRY_CODE"]},"not_match":{"geo_subdivision_codes":["GEO_SUBDIVISION_CODE"]},"scope":"authentication"}'

# Creates the rule in the active state.
auth0 network-acl create \
  --description "Example of a complex comparison" \
  --active true \
  --priority 1 \
  --rule "$rule_json"