Skip to main content
You can dynamically register third-party applications for your tenant. Dynamic Client Registration (DCR) is based on the OpenID Connect Dynamic Client Registration specification. All applications created through Dynamic Client Registration are third-party applications with enhanced security controls. This means DCR clients:
  • Receive a tpc_ client ID prefix
  • Require PKCE for authorization code flows
  • Support only authorization_code and refresh_token grant types
  • Can only access APIs through explicit client grants
  • Can only use domain-level connections for authentication

Enable Dynamic Client Registration

Auth0 supports Open Dynamic Registration. If enabled, anyone will be able to create applications in your tenant without a token.
By default, Dynamic Client Registration is disabled for all tenants. To enable Dynamic Client Registration, use the Auth0 Dashboard or Management API.
  1. Navigate to Dashboard > Settings > Advanced and enable Dynamic Client Registration (DCR).

Configure API access for DCR clients

Before enabling DCR, configure default permissions for third-party applications on the APIs that dynamically registered clients should access. Without default permissions, DCR clients will not be able to access any API. Default permissions define a baseline set of APIs and scopes available to all third-party applications automatically. This is essential for DCR because you cannot configure per-application client grants during the registration flow. To learn how to configure default permissions, read Configure Third-Party Applications.

Register an application

To dynamically register an application, make a POST request to the /oidc/register endpoint. Because Auth0 supports Open Dynamic Registration, the /oidc/register endpoint accepts registration requests without an access token.
ParameterDescription
client_nameThe name of the application to create.
redirect_uris (required)An array of URLs that Auth0 will accept as valid callback URLs at the end of an authentication flow.
token_endpoint_auth_methodThe authentication method for the token endpoint. Use none for public clients (SPA, Native) or client_secret_post (default) for confidential clients.
grant_typesThe grant types the application will use. Third-party applications support authorization_code and refresh_token.
response_typesThe response types the application will use. Use code for authorization code flow.
If successful, Auth0 returns the application credentials: 
{
  "client_name": "My Dynamic Application",
  "client_id": "tpc_8SXWY6j3afl2CP5ntwEOpMdPxxy49Gt2",
  "client_secret": "Q5O...33P",
  "redirect_uris": [
    "https://application.example.com/callback"
  ],
  "client_secret_expires_at": 0,
  "grant_types": ["authorization_code", "refresh_token"],
  "token_endpoint_auth_method": "none"
}
FieldDescription
client_idUnique application identifier with a tpc_ prefix. Use this when initiating authentication flows.
client_secretApplication secret for confidential clients. Not returned when token_endpoint_auth_method is none.
client_secret_expires_atExpiration time for the client secret. Always 0 (never expires) for Auth0.
Third-party developers cannot modify application settings after registration. If changes are necessary, they must contact the tenant owner.
After registration, the application can initiate an Authorization Code Flow with PKCE using the client_id and configured redirect_uris.

Tenant Access Control List (ACL)

Auth0 provides a Tenant Access Control List (ACL) to manage traffic to the /oidc/register endpoint. You can restrict who can send DCR requests by configuring ACL rules based on:
  • Source IP addresses and CIDR ranges
  • Geolocation
  • Other request signals
To configure ACL rules for DCR, add the dcr scope to an ACL rule. To learn more, read Tenant ACL Reference.

Rate limits

The /oidc/register endpoint is rate-limited to 5 requests per second per tenant. To learn more about rate limits, read Rate Limit Configuration.

Permissive mode for DCR

Some customers who were using third-party applications before April 2026 can configure DCR to create applications with pre-existing behavior instead of enhanced security controls. To learn more, read Dynamic Client Registration in Permissive Mode.

Learn more