You can dynamically register third-party applications for your tenant. Dynamic Client Registration (DCR) is based on the OpenID Connect Dynamic Client Registration specification. All applications created through Dynamic Client Registration are third-party applications with enhanced security controls. This means DCR clients:
- Receive a tpc_ client ID prefix
- Require PKCE for authorization code flows
- Support only authorization_code and refresh_token grant types
- Can only access APIs through explicit client grants
- Can only use domain-level connections for authentication
Enable Dynamic Client Registration
By default, Dynamic Client Registration is disabled for all tenants. To enable Dynamic Client Registration, use the Auth0 Dashboard or Management API.
- Auth0 Dashboard: Navigate to Dashboard > Settings > Advanced and enable Dynamic Client Registration (DCR).
Configure API access for DCR clients
Before enabling DCR, configure default permissions for third-party applications on the APIs that dynamically registered clients should access. Without default permissions, DCR clients will not be able to access any API. Default permissions define a baseline set of APIs and scopes available to all third-party applications automatically. This is essential for DCR because you cannot configure per-application client grants during the registration flow. To learn how to configure default permissions, read Configure Third-Party Applications.
Register an application
To dynamically register an application, make a POST request to the /oidc/register endpoint. Because Auth0 supports Open Dynamic Registration, the /oidc/register endpoint accepts registration requests without an access token.
| Parameter | Description |
|---|---|
| client_name | The name of the application to create. |
| redirect_uris (required) | An array of URLs that Auth0 will accept as valid callback URLs at the end of an authentication flow. |
| token_endpoint_auth_method | The authentication method for the token endpoint. Use none for public clients (SPA, Native) or client_secret_post (default) for confidential clients. |
| grant_types | The grant types the application will use. Third-party applications support authorization_code and refresh_token. |
| response_types | The response types the application will use. Use code for authorization code flow. |

| Field | Description |
|---|---|
| client_id | Unique application identifier with a tpc_ prefix. Use this when initiating authentication flows. |
| client_secret | Application secret for confidential clients. Not returned when token_endpoint_auth_method is none. |
| client_secret_expires_at | Expiration time for the client secret. Always 0 (never expires) for Auth0. |
Third-party developers cannot modify application settings after registration. If changes are necessary, they must contact the tenant owner.
client_id and configured redirect_uris.
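
The registration exchange described above, as an added example (not Auth0's own code): it builds the POST to /oidc/register without sending it and checks a response against the fields in the tables. The tenant domain, function names and sample response are constructed for illustration, and rejecting values outside the tables before sending is this example's own choice.

```python
import json
import urllib.request

ALLOWED_GRANTS = {"authorization_code", "refresh_token"}
ALLOWED_AUTH_METHODS = {"none", "client_secret_post"}

def build_registration_request(domain, client_name, redirect_uris,
                               auth_method="client_secret_post",
                               grant_types=("authorization_code", "refresh_token")):
    """Build (but do not send) the POST to /oidc/register."""
    if not redirect_uris:
        raise ValueError("redirect_uris is required")
    if auth_method not in ALLOWED_AUTH_METHODS:
        raise ValueError(f"unsupported token_endpoint_auth_method: {auth_method}")
    extra = set(grant_types) - ALLOWED_GRANTS
    if extra:
        raise ValueError(f"unsupported grant_types: {sorted(extra)}")
    body = {
        "client_name": client_name,
        "redirect_uris": list(redirect_uris),
        "token_endpoint_auth_method": auth_method,
        "grant_types": list(grant_types),
        "response_types": ["code"],
    }
    # Open Dynamic Registration: no Authorization header is attached.
    return urllib.request.Request(
        f"https://{domain}/oidc/register",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )

def check_registration_response(resp, auth_method):
    """Return a list of deviations from the documented response fields."""
    problems = []
    if not str(resp.get("client_id", "")).startswith("tpc_"):
        problems.append("client_id lacks the tpc_ prefix")
    if auth_method == "none" and "client_secret" in resp:
        problems.append("public client was issued a client_secret")
    if auth_method != "none" and not resp.get("client_secret"):
        problems.append("confidential client has no client_secret")
    if resp.get("client_secret_expires_at", 0) != 0:
        problems.append("client_secret_expires_at is not 0")
    return problems

# Constructed sample response; not output captured from a real tenant.
SAMPLE_RESPONSE = {"client_id": "tpc_EXAMPLE", "client_secret_expires_at": 0}
```

To send the request, pass the returned object to urllib.request.urlopen and run the parsed JSON body through check_registration_response.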
Tenant Access Control List (ACL)
Auth0 provides a Tenant Access Control List (ACL) to manage traffic to the /oidc/register endpoint. You can restrict who can send DCR requests by configuring ACL rules based on:
- Source IP addresses and CIDR ranges
- Geolocation
- Other request signals
dcr scope to an ACL rule. To learn more, read Tenant ACL Reference.
Rate limits
The /oidc/register endpoint is rate-limited to 5 requests per second per tenant. To learn more about rate limits, read Rate Limit Configuration.