Auth0 · Authenticationintermediate

Auth0 Application (Client) Config

An Auth0 application/client configuration export — callback URLs, grant types, token settings and JWT config — for a regular web app.

auth0oauthoidcauthenticationjwt

Preview

{
  "name": "My Web App",
  "app_type": "regular_web",
  "oidc_conformant": true,
  "callbacks": [
    "https://app.example.com/callback",
    "http://localhost:3000/callback"
  ],
  "allowed_logout_urls": [
    "https://app.example.com"
  ],
  "web_origins": [
    "https://app.example.com"
  ],
  "grant_types": [
    "authorization_code",
    "refresh_token"
  ],
  "token_endpoint_auth_method": "client_secret_post",
  "jwt_configuration": {
    "alg": "RS256",
    "lifetime_in_seconds": 3600
  },
  "refresh_token": {
    "rotation_type": "rotating",
    "expiration_type": "expiring",
    "token_lifetime": 2592000
  }
}

AI actions

Documentation

Purpose

Configure an Auth0 application: how it authenticates, where it redirects, and how tokens are issued.

When to use

Managing an Auth0 tenant as code via the Deploy CLI / Management API, or reviewing an application export.

Required fields

  • name — the application display name
  • app_type — regular_web, spa, native, or non_interactive
  • callbacks — allowed redirect URIs

Optional fields

  • allowed_logout_urls — post-logout redirects
  • grant_types — enabled OAuth grants
  • jwt_configuration — token lifetime and signing alg
  • oidc_conformant — enable OIDC-conformant behavior

Best practices

  • Enable oidc_conformant on new applications.
  • Use RS256 for token signing, not HS256.
  • List exact callback/logout URLs — no wildcards in production.

Security considerations

  • Never store client_secret in a public (SPA/native) app.
  • Restrict callbacks to your own domains only.
  • Prefer authorization_code + PKCE over implicit grant.