Enable Third-Party Applications

You can enable third-party applications for your tenant. See First-Party and Third-Party Applications for details on the differences between the two types of applications.

  1. Update your application's ownership to third-party in Auth0.

    By default, applications registered in Auth0 are first-party applications. If you want your application to be a third-party application, you must update its ownership.

  2. Promote the connections you will use with third-party applications to domain level in Auth0.

    Third-party applications can only authenticate users from connections flagged as domain-level connections. Domain-level connections can be enabled for selected first-party applications while also being open to all third-party application users for authentication.

  3. Update your application's login page. If you use Lock in the Universal Login Page, you must also:

    1. Upgrade to Lock version 11 or later.

    2. Set the __useTenantInfo: config.isThirdPartyClient flag when instantiating Lock.

    3. For Private Cloud users only: Set the configurationBaseUrl option to https://{config.auth0Domain}/ when instantiating Lock.

Access token current_user_* scopes

Neither first- nor third-party applications can use ID tokens to invoke Management API endpoints. Instead, they should get access tokens with the following current_user_* scopes required by each endpoint:

Scope Endpoint
read:current_user List or search users
Get a user
Get user MFA enrollments
update:current_user_metadata Update a user
Delete a user's multi-factor provider
create:current_user_device_credentials Create a device public key
delete:current_user_device_credentials Delete a device credential
update:current_user_identities Link a user account
Unlink a user identity

Script example

<script src="https://cdn.auth0.com/js/lock/11.x.y/lock.min.js"></script>
  // Decode utf8 characters properly
  var config = JSON.parse(decodeURIComponent(escape(window.atob('@@config@@'))));

  var connection = config.connection;
  var prompt = config.prompt;
  var languageDictionary;
  var language;
  if (config.dict && config.dict.signin && config.dict.signin.title) {
    languageDictionary = { title: config.dict.signin.title };
  } else if (typeof config.dict === 'string') {
    language = config.dict;

  var lock = new Auth0Lock(config.clientID, config.auth0Domain, {
    auth: {
      redirectUrl: config.callbackURL,
      responseType: config.callbackOnLocationHash ? 'token' : 'code',
      params: config.internalOptions
    assetsUrl:  config.assetsUrl,
    allowedConnections: connection ? [connection] : null,
    configurationBaseUrl: 'https://' + config.auth0Domain + '/', // for PSaaS only
    rememberLastLogin: !prompt,
    language: language,
    languageDictionary: languageDictionary,
    closable: false,
    __useTenantInfo: config.isThirdPartyClient // required for all Tenants


Was this helpful?


Learn more