Application Access to APIs: Client Grants

In Auth0, you can control how applications access your APIs using application API access policies and client grants. A client grant provides fine-grained application access to an API. It associates:

An API identified by its audience or unique identifier.
An application identified by its client_id.
A list of permissions such as scopes and/or authorization_details_types that the application is allowed to request for the specified audience.

To learn more about the list of attributes you can define in a client grant, read Client grant attributes. To learn how to define and manage client grants, read Configure client grants.

Application API access policies and client grants

When you configure an API’s application access policy to require_client_grant, only applications with a client grant defined can get an access token for the API. The client grant establishes the maximum permissions an application can request from the API by following the least privilege principle approach. As a result, Auth0 recommends using require_client_grant when configuring an API’s application access policy. To illustrate how client grants follow the least privilege principle approach, say you have a Social Media API with the permissions: read:posts, write:posts, read:friends, and delete:posts. You create an application and define a client grant with the permissions: read:posts and write:posts. This client grant now serves as a hard ceiling. Even though the Social Media API has other permissions, your application can never request or be granted read:friends or delete:posts.

User-delegated access vs. client access

In user and client access, client grants define the final set of permissions that control an application’s access to an API. The client grant’s subject_type attribute determines the type of application access allowed for an API. An application can have up to two client grants for a single API:

When you set subject_type to client, you define its machine-to-machine permissions.
When you set subject_type to user, you define its permissions to act on the user’s behalf.

The following table explains how client grants control application access to APIs based on the access type flow:

Access type	subject_type attribute	Description
Client credential access (Machine-to-machine access)	Set `subject_type` to `client`.	The client grant directly authorizes the application to access the API on its own behalf instead of the end user’s behalf. The permissions you define in the client grant are the ones the application is authorized to receive in the access token.
User-delegated access	Set `subject_type` to `user`.	The client grant defines the maximum permissions the application can request from the API. The final permissions in the access token issued to the application on the user’s behalf are the intersection of the permissions: Requested by the application Allowed by the client grant Allowed by Role-Based Access Control policies for the user Consented to by the end user, if applicable. To learn more about user-delegated access flows, read Authentication and Authorization Flows. User-delegated access flows do not include the Client Credentials Flow.

You can modify the final scopes granted by the authorization server to the application or user using Actions.

Client grant attributes

A client grant has several attributes that you can define to configure application access to APIs using the Auth0 Management API:

Attribute	Description
`id`	Unique identifier of the client grant.
`audience`	Unique identifier of the API the client grant is for.
`client_id`	The unique ID of the application that is being granted access.
`scopes`	An array of strings representing the permissions the application can request.
`authorization_details_types`	An array of strings representing rich authorization data types that the application can request. This attribute can only be specified for user-delegated access flows.
`subject_type`	The type of application access the client grant allows for: `user`: used for user-delegated access, which corresponds to all flows that generate a token associated with an end user. `client`: used for machine access, which corresponds to the Client Credentials Flow.
`allow_all_scopes`	Boolean. Indicates if all scopes defined on the API are allowed for the application. Future defined scopes, for the API, are automatically permitted.
`organization_usage`	Determines how the application may use organizations when accessing the API via the Client Credentials Flow. Possible values are: `deny`, `allow`, or `require`. To learn more about the Organization settings, read Organizations for M2M Applications: Define Organization Behavior.
`allow_any_organization`	Determines whether the application can access any organization when using the Client Credentials Flow. To learn more about the Organization settings, read Organizations for M2M Applications: Define Organization Behavior.

Configure client grants

You can configure client grants using the or the .

Auth0 Dashboard
Management API

To configure client grants using the Auth0 Dashboard:

Navigate to Dashboard > Applications.
Select the Application you want to configure.
Select the APIs tab.
Select Edit to authorize User-Delegated Access, Client Access, or both.

For application-level authorization settings to take effect, you must set API Access Policy to Allow via client-grant. To learn more read, API Access Policies for Applications.

Configure the User-Delegated Access Authorization to Unauthorized, Authorized, or All.
- Unauthorized: No permission allowed.
- Authorized: Select desired permissions.
- All: Include all existing and future permissions.
Configure the Client Credential Access Authorization to Unauthorized, Authorized, or All.
- Unauthorized: No permission allowed.
- Authorized: Select desired permissions.
- All: Include all existing and future permissions.

Select Save to save the Application’s API settings.

To configure client grants, use the /client-grants endpoint.Create client grantTo create a new client grant, make a POST request to the /client-grants endpoint:

curl --location 'https://{yourDomain}/api/v2/client-grants' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer {YOUR_MANAGEMENT_API_TOKEN}' \
--data '{
    "client_id": "{CLIENT_ID}",
    "audience": "https://api.my-service.com",
    "scope": [
        "read:item"
    ],
    "authorization_details_types":["payment"],
    "subject_type": "user"
}'

Update client grantTo update an existing client grant, make a PATCH request to /client-grants/{id}:

curl --location --request PATCH 'https://{yourDomain}/api/v2/client-grants/{CLIENT_GRANT_ID}' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer {YOUR_MANAGEMENT_API_TOKEN}' \
--data '{
    "scope": [
        "read:item",
        "update:item"
    ],
    "authorization_details_types":["payment", "credits_transfer"]
}'

Delete client grantTo delete a client grant, make a DELETE request to /client-grants/{id}:

curl --location --request DELETE 'https://{yourDomain}/api/v2/client-grants/{CLIENT_GRANT_ID}' \
--header 'Authorization: Bearer {YOUR_MANAGEMENT_API_TOKEN}'

Retrieve client grantsYou can also query and paginate through the client-grants collections by using parameters like client_id, audience, or subject_type:

curl --request GET \
--url 'https://{yourDomain}/api/v2/client-grants?subject_type=user&audience=https%3A%2F%2Fapi.my-service.com' \
--header 'Authorization: Bearer {YOUR_MANAGEMENT_API_TOKEN}' \
--header 'Accept: application/json'

Default permissions for third-party applications

Third-party applications always require an explicit client grant to access any API, even when the API’s access policy is set to Allow All. To simplify management when you have many third-party applications or use Dynamic Client Registration, configure default permissions that apply to all third-party applications automatically. A default third-party client grant uses the default_for attribute instead of a client_id. You can also define per-application permissions by creating a client grant with a specific client_id. When both exist for the same API, the per-application grant takes precedence.

System APIs (the Management API, My Account API, and others) do not support default third-party client grants. Third-party applications cannot be granted access to system APIs.

The default_for and client_id attributes are mutually exclusive. Each client grant must specify exactly one of them. To learn how to configure API access policies for third-party applications, read Configure Third-Party Applications.

Learn the Basics

Auth0 Tenants

Applications in Auth0

Auth0 AI

Universal Components

Application Access to APIs: Client Grants

Application API access policies and client grants

User-delegated access vs. client access

Client grant attributes

Configure client grants

Default permissions for third-party applications

Learn more

Learn the Basics

Auth0 Tenants

Applications in Auth0

Auth0 AI

Universal Components

​Application API access policies and client grants

​Example: Social Media API

​User-delegated access vs. client access

​Client grant attributes

​Configure client grants

​Default permissions for third-party applications

​Learn more

Application API access policies and client grants

Example: Social Media API

User-delegated access vs. client access

Client grant attributes

Configure client grants

Default permissions for third-party applications

Learn more