Problem statement
The following URL (Application Settings) describes how the “Allowed Apps / APIs” section should be filled out in an Application. However, I can’t find any information about what a “delegation request” is in the first place. I don’t know how to make a delegation request or how to test to make sure delegation requests are completely disabled. If there is an associated OAuth 2.0 / OpenID Connect standard, I would appreciate a link to that standard in addition to Auth0’s explanation of the feature.
We do not intend to use any kind of delegation in our solution. In addition, we have several machine-to-machine applications used by third-parties and I am concerned about the security of leaving the “Allowed Apps / APIs” section of the Application configuration empty.
Solution
Delegation is a legacy Auth0 feature that allowed you to exchange one token for a different one in some cases. This has been deprecated a long time back and is not enabled in any new tenants. The “Allowed Apps / APIs” text field is still shown in all tenants, despite that being disabled.
If your tenant was created after June 8th, 2017, it does not have this enabled, and users will not be able to make any delegation requests. So you can safely ignore this and keep the text field empty.