Hi @chris9
Welcome to the Auth0 Community!
Thank you for posting your question. To consider your Application as Confidential, it must follow the guidelines of confidential apps:
Confidential applications can hold credentials in a secure way without exposing them to unauthorized parties. They require a trusted backend server to store the secret(s).
Grant types
Confidential applications use a trusted backend server and can use grant types that require specifying their Client ID and Client Secret (or alternative registered credentials) for authentication when calling the Auth0 Authentication API Get Token endpoint. Confidential applications can use Client Secret Post, Client Secret Basic, or Private Key JWT authentication methods.
These are considered confidential applications:
- A web application with a secure backend that uses the Authorization Code Flow, Resource Owner Password Flow, or Resource Owner Password Flow with realm support
- A machine-to-machine (M2M) application that uses the Client Credentials Flow
ID tokens
Because confidential applications are capable of holding secrets, you can have ID tokens issued to them that have been signed in one of two ways:
- Symmetrically, using their client secret (HS256)
- Asymmetrically, using a private key (RS256)
You need to adjust your authentication settings and use methods to see your application as confidential.
Thanks
Dawid