Auth0 · Authenticationintermediate
Auth0 Application (Client) Config
An Auth0 application/client configuration export — callback URLs, grant types, token settings and JWT config — for a regular web app.
auth0oauthoidcauthenticationjwt
Preview
{
"name": "My Web App",
"app_type": "regular_web",
"oidc_conformant": true,
"callbacks": [
"https://app.example.com/callback",
"http://localhost:3000/callback"
],
"allowed_logout_urls": [
"https://app.example.com"
],
"web_origins": [
"https://app.example.com"
],
"grant_types": [
"authorization_code",
"refresh_token"
],
"token_endpoint_auth_method": "client_secret_post",
"jwt_configuration": {
"alg": "RS256",
"lifetime_in_seconds": 3600
},
"refresh_token": {
"rotation_type": "rotating",
"expiration_type": "expiring",
"token_lifetime": 2592000
}
}AI actions
Documentation
Purpose
Configure an Auth0 application: how it authenticates, where it redirects, and how tokens are issued.
When to use
Managing an Auth0 tenant as code via the Deploy CLI / Management API, or reviewing an application export.
Required fields
- name — the application display name
- app_type — regular_web, spa, native, or non_interactive
- callbacks — allowed redirect URIs
Optional fields
- allowed_logout_urls — post-logout redirects
- grant_types — enabled OAuth grants
- jwt_configuration — token lifetime and signing alg
- oidc_conformant — enable OIDC-conformant behavior
Best practices
- Enable oidc_conformant on new applications.
- Use RS256 for token signing, not HS256.
- List exact callback/logout URLs — no wildcards in production.
Security considerations
- Never store client_secret in a public (SPA/native) app.
- Restrict callbacks to your own domains only.
- Prefer authorization_code + PKCE over implicit grant.