Skip to main content
In Auth0, you can control how applications access your APIs using application API access policies and client grants. A client grant provides fine-grained application access to an API. It associates:
  • An API identified by its audience or unique identifier.
  • An application identified by its client_id.
  • A list of permissions such as scopes and/or authorization_details_types that the application is allowed to request for the specified audience.
To learn more about the list of attributes you can define in a client grant, read Client grant attributes. To learn how to define and manage client grants, read Create client grant.

Application API access policies and client grants

When you configure an API’s application access policy to require_client_grant, only applications with a client grant defined can get an access token for the API. The client grant establishes the maximum permissions an application can request from the API by following the least privilege principle approach. As a result, Auth0 recommends using require_client_grant when configuring an API’s application access policy.

Example: Social Media API

To illustrate how client grants follow the least privilege principle approach, say you have a Social Media API with the permissions: read:posts, write:posts, read:friends, and delete:posts. You create an application and define a client grant with the permissions: read:posts and write:posts. This client grant now serves as a hard ceiling. Even though the Social Media API has other permissions, your application can never request or be granted read:friends or delete:posts.

User-delegated access vs. client access

In user and client access, client grants define the final set of permissions that control an application’s access to an API. The client grant’s subject_type attribute determines the type of application access allowed for an API. An application can have up to two client grants for a single API:
  • When you set subject_type to client, you define its machine-to-machine permissions.
  • When you set subject_type to user, you define its permissions to act on the user’s behalf.
The following table explains how client grants control application access to APIs based on the access type flow:
You can modify the final scopes granted by the authorization server to the application or user using Actions.

Client grant attributes

A client grant has several attributes that you can define to configure application access to APIs using the Auth0 Management API:

Create client grant

You can create: When both exist for the same API, per-application permissions take precedence over default permissions for third-party applications.

Per-application permissions

To configure per-application permissions using the Auth0 Dashboard:
  1. Navigate to Dashboard > Applications > APIs and select the API you want to configure application access for.
  2. Go to the Settings tab and scroll down to Application Access Policy.
    • Configure User-Delegated Access to No apps allowed, Per-app authorization, or All apps allowed.
      • No apps allowed: No application can get an access token to the API.
      • Per-app authorization: Only applications with a client grant defined can get an access token for the API.
      • All apps allowed: Any application in your tenant can get an access token to the API.
    • Configure the Client Access to Per-app authorization or All apps allowed.
      • Per-app authorization: Only applications with a client grant defined can get an access token for the API.
      • All apps allowed: Any application in your tenant can get an access token to the API.
  3. Select Save to save the Application Access Policy settings.
Dashboard API Settings for Application Access Policy
For per-application permissions, you need to individually authorize API access for each application.
  1. Navigate to Applications > APIs and select the API.
  2. Go to the Application Access tab.
  3. Scroll to the application, select Edit, and then Grant Access for User-Delegated Access and/or Client Access. Then, select your desired permissions.
  4. Select Save.
Dashboard API Settings for Granting API Access to Application

Default permissions for third-party applications

Third-party applications always require an explicit client grant to access any API, even when the API’s access policy is set to Allow All. To simplify management when you have many third-party applications or use Dynamic Client Registration, configure default grants or permissions that apply to all third-party applications automatically. A default third-party client grant uses the default_for attribute instead of a client_id. You can also define per-application permissions by creating a client grant with a specific client_id. When both exist for the same API, per-application permissions take precedence.
System APIs (the Management API, My Account API, and others) do not support default third-party client grants. Third-party applications cannot be granted access to system APIs.
The default_for and client_id attributes are mutually exclusive. Each client grant must specify exactly one of them. To learn how to configure API access policies for third-party applications, read Configure Third-Party Applications.
To configure default permissions for third-party applications using the Auth0 Dashboard:
  1. Navigate to Dashboard > Applications > APIs and select the API you want to configure application access for.
  2. Go to the Settings tab and scroll down to Default Permissions for Third-Party Applications.
    • Configure User-Delegated Access and/or Client Access to Unauthorized, Authorized, or All.
      • Unauthorized: No permissions allowed.
      • Authorized: Pick and choose permissions.
      • All: Includes existing and future permissions.
  3. Select Save.
Dashboard API Settings with Default Permissions for Third Party Apps

Update client grant

To update an existing client grant, make a PATCH request to /client-grants/{id}:

Delete client grant

To delete a client grant, make a DELETE request to /client-grants/{id}:

Retrieve client grants

You can also query and paginate through the client-grants collections by using parameters like client_id, audience, or subject_type:

Learn more