Exposing client id and client secret to clients


For allowing machine-to-machine communication with our systems for some of our clients/customers, we’re currently creating a new Application in Auth0 for every one of those customers and then providing them with the client id and client secret which they can then use to generate tokens in order to connect with our systems.

I’m wondering if this is the proper way of working. Everywhere in the documentation I read that client secret should not be exposed. Is this the exception to the rule?

What Application settings need to be properly curated to make sure we don’t give them too much power using this secret?
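As an added illustration (not part of the original post) of the flow described above: the customer exchanges the client id and secret for an access token with the client_credentials grant, and the issued token carries only the permissions that were authorized for that Application on the API. The script below builds that token request with the standard library and then inspects the token's `scope`/`permissions` claims so you can confirm a given customer's Application was not granted more than intended. Tenant domain, audience, credentials and the sample token are constructed placeholders; `make_unsigned_sample_token` exists only to produce an offline sample.

```python
"""Client-credentials (machine-to-machine) token exchange against Auth0, plus a
check of which permissions the issued token actually carries.
Added example; the domain, audience and credentials are placeholders."""
import base64
import json
import urllib.parse
import urllib.request

AUTH0_DOMAIN = "example.auth0.com"        # placeholder tenant
API_AUDIENCE = "https://api.example.com"  # placeholder API identifier


def build_token_request(domain, client_id, client_secret, audience):
    """Return (url, form-encoded body) for the client_credentials grant.
    The secret goes in the POST body over TLS, never in a query string."""
    url = f"https://{domain}/oauth/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": audience,
    }).encode()
    return url, body


def request_token(domain, client_id, client_secret, audience):
    """Perform the exchange and return the access token (needs network access)."""
    url, body = build_token_request(domain, client_id, client_secret, audience)
    req = urllib.request.Request(
        url, data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment):
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_payload(token):
    """Decode a JWT payload WITHOUT verifying the signature. This is only for
    inspecting what the issuer granted; resource servers must verify instead."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(claims):
    """Union of the space-separated `scope` claim and, when RBAC adds them,
    the `permissions` list claim."""
    perms = set(claims.get("scope", "").split())
    perms.update(claims.get("permissions", []))
    return perms


def excess_permissions(claims, allowed):
    """Permissions present in the token that this customer should not have."""
    return granted_permissions(claims) - set(allowed)


def make_unsigned_sample_token(payload):
    """Build a JWT-shaped string with a dummy signature, for offline demo only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.dummysig"


# Constructed sample claims, shaped like an Auth0 client-credentials token.
SAMPLE_CLAIMS = {
    "iss": f"https://{AUTH0_DOMAIN}/",
    "sub": "PLACEHOLDER_CLIENT_ID@clients",
    "aud": API_AUDIENCE,
    "scope": "read:orders write:orders",
    "gty": "client-credentials",
}
SAMPLE_TOKEN = make_unsigned_sample_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    # Offline check: what would this customer's token allow?
    claims = decode_jwt_payload(SAMPLE_TOKEN)
    print("granted:", sorted(granted_permissions(claims)))
    print("excess vs read-only:", excess_permissions(claims, ["read:orders"]))
```

Run it as-is for the offline check; swap `SAMPLE_TOKEN` for `request_token(AUTH0_DOMAIN, client_id, client_secret, API_AUDIENCE)` against a real tenant to see what a customer's credentials actually obtain.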

Hi @emiel,

Please use the #help category for questions like this. I’ll move the topic now, but in the future you can post your questions there. Thank you!

You are referring to First-Party and Third-Party Applications. Third-party apps are apps that are designated to external parties outside of your control. They have more limited access and should be designated as such in your tenant. Please read through the docs and let me know if you have any specific questions. Thanks!

Hi @dan.woda,

Thanks for this. Interesting!
The docs state that the only way to add third party applications is through the API and apps created in the dashboard are always first party ones.

Is there a way in the dashboard (we have quite a number of applications defined now) to see which ones are first or third party?

I’ll make sure to use the #help category next time! 🙂

It doesn’t appear so. If you want to do it through a GUI, you can always use the management API explorer.

The GET clients endpoint has a filter for first party apps.
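An added example (not from the original thread) of using that filter programmatically instead of the API explorer: it pages through `GET /api/v2/clients` with `is_first_party`, splits the results into first- and third-party apps, and flags machine-to-machine (`non_interactive`) apps that are still first-party, which is the case the question above is worried about. The tenant domain and Management API token are placeholders; the token needs the `read:clients` scope; `SAMPLE_CLIENTS` is constructed data so the classification runs offline.

```python
"""Audit first-party vs third-party applications through the Auth0 Management
API clients endpoint. Added example; domain and token are placeholders."""
import json
import urllib.parse
import urllib.request


def build_clients_url(domain, is_first_party=None, page=0, per_page=50):
    """URL for GET /api/v2/clients, optionally filtered on is_first_party."""
    params = {
        "fields": "client_id,name,app_type,is_first_party",
        "include_fields": "true",
        "page": page,
        "per_page": per_page,
        "include_totals": "true",
    }
    if is_first_party is not None:
        params["is_first_party"] = "true" if is_first_party else "false"
    return f"https://{domain}/api/v2/clients?" + urllib.parse.urlencode(params)


def fetch_all_clients(domain, mgmt_token, is_first_party=None):
    """Page through the endpoint until `total` is reached (needs network)."""
    clients, page = [], 0
    while True:
        req = urllib.request.Request(
            build_clients_url(domain, is_first_party, page),
            headers={"Authorization": f"Bearer {mgmt_token}"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            data = json.load(resp)
        clients.extend(data["clients"])
        if not data["clients"] or len(clients) >= data["total"]:
            break
        page += 1
    return clients


def partition_clients(clients):
    """Split into (first_party, third_party) dicts of client_id -> name.
    Clients created in the dashboard carry is_first_party=True."""
    first, third = {}, {}
    for c in clients:
        target = first if c.get("is_first_party", True) else third
        target[c["client_id"]] = c["name"]
    return first, third


def flag_m2m_first_party(clients):
    """Names of machine-to-machine apps still marked first-party: the ones to
    review if their credentials were handed to an external customer."""
    return [c["name"] for c in clients
            if c.get("app_type") == "non_interactive"
            and c.get("is_first_party", True)]


# Constructed sample, not real tenant data.
SAMPLE_CLIENTS = [
    {"client_id": "abc123", "name": "Customer A M2M",
     "app_type": "non_interactive", "is_first_party": True},
    {"client_id": "def456", "name": "Customer B M2M",
     "app_type": "non_interactive", "is_first_party": False},
    {"client_id": "ghi789", "name": "Internal SPA",
     "app_type": "spa", "is_first_party": True},
]

if __name__ == "__main__":
    # Replace SAMPLE_CLIENTS with
    # fetch_all_clients("example.auth0.com", "PLACEHOLDER_MGMT_TOKEN")
    first, third = partition_clients(SAMPLE_CLIENTS)
    print("first-party:", first)
    print("third-party:", third)
    print("M2M apps still first-party:", flag_m2m_first_party(SAMPLE_CLIENTS))
```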
