Skip to main content
You can dynamically register third-party applications for your tenant. Dynamic Client Registration (DCR) is based on the OpenID Connect Dynamic Client Registration specification. All applications created through Dynamic Client Registration are third-party applications with enhanced security controls. This means DCR clients:
  • Receive a tpc_ client ID prefix
  • Require PKCE for authorization code flows
  • Support only authorization_code and refresh_token grant types. The client_credentials grant type is not available via DCR.
  • Can only access APIs through explicit client grants
  • Can only use domain-level connections for authentication

Enable Dynamic Client Registration

Auth0 supports Open Dynamic Registration. If enabled, anyone will be able to create applications in your tenant without a token.
By default, Dynamic Client Registration is disabled for all tenants. To enable Dynamic Client Registration, use the Auth0 Dashboard or Management API.
  1. Navigate to Dashboard > Settings > Advanced and enable Dynamic Client Registration (DCR).

Configure API access for DCR clients

Before enabling DCR, configure default permissions for third-party applications on the APIs that dynamically registered clients should access. Without default permissions, DCR clients will not be able to access any API. Default permissions define a baseline set of APIs and scopes available to all third-party applications automatically. This is essential for DCR because you cannot configure per-application client grants during the registration flow. To learn how to configure default permissions, read Configure Third-Party Applications.

Register an application

To dynamically register an application, make a POST request to the /oidc/register endpoint. Because Auth0 supports Open Dynamic Registration, the /oidc/register endpoint accepts registration requests without an access token. If successful, Auth0 returns the application credentials:
Third-party developers cannot modify application settings after registration. If changes are necessary, they must contact the tenant owner.
After registration, the application can initiate an Authorization Code Flow with PKCE using the client_id and configured redirect_uris.

Tenant Access Control List (ACL)

Auth0 provides a Tenant Access Control List (ACL) to manage traffic to the /oidc/register endpoint. You can restrict who can send DCR requests by configuring ACL rules based on:
  • Source IP addresses and CIDR ranges
  • Geolocation
  • Other request signals
To configure ACL rules for DCR, add the dcr scope to an ACL rule. To learn more, read Tenant ACL Reference.

Rate limits

The /oidc/register endpoint is rate-limited to 5 requests per second per tenant. To learn more about rate limits, read Rate Limit Configuration.

Permissive mode for DCR

Some customers who were using third-party applications before April 2026 can configure DCR to create applications with pre-existing behavior instead of enhanced security controls. To learn more, read Dynamic Client Registration in Permissive Mode.

Learn more