auth0 · KartikJha · Mar 23, 2026 · Mar 24, 2026 · Mar 24, 2026 · Mar 24, 2026
@@ -5,18 +5,12 @@ has_toc: false
 ---
 # auth0 quickstarts setup
 
-Creates an Auth0 application and generates a .env file with the necessary configuration.
+Auto-detects your project, creates an Auth0 application and/or API, and generates a config file.
 
-The command will:
-  1. Check if you are authenticated (and prompt for login if needed)
-  2. Create an Auth0 application based on the specified type
-  3. Generate a .env file with the appropriate environment variables
-
-Supported types:
-  - vite: For client-side SPAs (React, Vue, Svelte, etc.)
-  - nextjs: For Next.js server-side applications
-  - fastify: For Fastify web applications
-  - jhipster-rwa: For JHipster regular web applications
+Workflows:
+  --app                          Create an application (auto-detects framework).
+  --api                          Create an API (prompts to create or link an app).
+  --api --linked-app-id <id>     Create an API linked to an existing application.
 
 ## Usage
 ```
@@ -26,23 +20,46 @@ auth0 quickstarts setup [flags]
 ## Examples
 
 ```
-  auth0 quickstarts setup --type vite
-  auth0 quickstarts setup --type nextjs
-  auth0 quickstarts setup --type fastify
-  auth0 quickstarts setup --type vite --name "My App"
-  auth0 quickstarts setup --type nextjs --port 8080
-  auth0 quickstarts setup --type jhipster-rwa
-  auth0 qs setup --type fastify -n "My App" -p 3000
+  # Interactive setup:
+  auth0 quickstarts setup
+
+  # App only:
+  auth0 quickstarts setup --app --type spa --framework react
+
+  # App with all options:
+  auth0 quickstarts setup --app --type spa --framework react --build-tool vite --name "My SPA" --port 5173
+
+  # API + new app:
+  auth0 quickstarts setup --api --app --type regular --framework express --identifier https://my-api
+
+  # API + existing app:
+  auth0 quickstarts setup --api --linked-app-id <client-id> --identifier https://my-api
+
+  # API with custom settings:
+  auth0 quickstarts setup --api --linked-app-id <client-id> --identifier https://my-api --scopes "read:data,write:data"
 ```
 
 
 ## Flags
 
 ```
-      --json          Output in json format.
-  -n, --name string   Name of the Auth0 application (default: 'My App' for vite, nextjs and fastify, 'JHipster' for jhipster-rwa)
-  -p, --port int      Port number for the application (default: 5173 for vite, 3000 for nextjs/fastify, 8080 for jhipster-rwa)
-  -t, --type string   Type of quickstart (vite, nextjs, fastify, jhipster-rwa)
+      --api                     Create an Auth0 API resource server
+      --app                     Create an Auth0 application (SPA, regular web, or native)
+      --audience string         Unique URL identifier for the API (audience), e.g. https://my-api
+      --build-tool string       Build tool used by the project (vite, webpack, cra, none) (default "none")
+      --callback-url string     Override the allowed callback URL for the application
+      --framework string        Framework to configure (e.g., react, nextjs, vue, express)
+      --identifier string       Unique URL identifier for the API (audience), e.g. https://my-api
+      --linked-app-id string    [API] Client ID of an existing application to link to the API (skips app creation)
+      --logout-url string       Override the allowed logout URL for the application
+      --name string             Name of the Auth0 application
+      --offline-access          Allow offline access (enables refresh tokens)
+      --port int                Local port the application runs on (default varies by framework, e.g. 3000, 5173)
+      --scopes string           [API] Comma-separated list of permission scopes for the API
+      --signing-alg string      [API] Token signing algorithm: RS256, PS256, or HS256 (leave blank to be prompted interactively)
+      --token-lifetime string   [API] Access token lifetime in seconds (default: 86400 = 24 hours)
+      --type string             Application type: spa, regular, native, or m2m
+      --web-origin-url string   Override the allowed web origin URL for the application
 ```
 
 

@@ -18,26 +18,27 @@ auth0 test login [flags]
   auth0 test login
   auth0 test login <client-id>
   auth0 test login <client-id> --connection-name <connection-name>
-  auth0 test login <client-id> --connection-name <connection-name> --audience <api-identifier|api-audience>
-  auth0 test login <client-id> --connection-name <connection-name> --audience <api-identifier|api-audience> --organization <org-id>
-  auth0 test login <client-id> --connection-name <connection-name> --audience <api-identifier|api-audience> --domain <domain> --params "foo=bar"
-  auth0 test login <client-id> --connection-name <connection-name> --audience <api-identifier|api-audience> --domain <domain> --scopes <scope1,scope2>
-  auth0 test login <client-id> -c <connection-name> -a <api-identifier|api-audience> -d <domain> -s <scope1,scope2> --force
-  auth0 test login <client-id> -c <connection-name> -a <api-identifier|api-audience> -d <domain> -s <scope1,scope2> --json
-  auth0 test login <client-id> -c <connection-name> -a <api-identifier|api-audience> -d <domain> -s <scope1,scope2> --json-compact
-  auth0 test login <client-id> -c <connection-name> -a <api-identifier|api-audience> -d <domain> -o <org-id> -s <scope1,scope2> -p "foo=bar" -p "bazz=buzz" --json
-  auth0 test login <client-id> -c <connection-name> -a <api-identifier|api-audience> -d <domain> -o <org-id> -s <scope1,scope2> -p "foo=bar","bazz=buzz" --json
-  auth0 test login <client-id> -c <connection-name> -a <api-identifier|api-audience> -d <domain> -s <scope1,scope2> --force --json
+  auth0 test login <client-id> --connection-name <connection-name> --identifier <api-identifier>
+  auth0 test login <client-id> --connection-name <connection-name> --identifier <api-identifier> --organization <org-id>
+  auth0 test login <client-id> --connection-name <connection-name> --identifier <api-identifier> --domain <domain> --params "foo=bar"
+  auth0 test login <client-id> --connection-name <connection-name> --identifier <api-identifier> --domain <domain> --scopes <scope1,scope2>
+  auth0 test login <client-id> -c <connection-name> -a <api-identifier> -d <domain> -s <scope1,scope2> --force
+  auth0 test login <client-id> -c <connection-name> -a <api-identifier> -d <domain> -s <scope1,scope2> --json
+  auth0 test login <client-id> -c <connection-name> -a <api-identifier> -d <domain> -s <scope1,scope2> --json-compact
+  auth0 test login <client-id> -c <connection-name> -a <api-identifier> -d <domain> -o <org-id> -s <scope1,scope2> -p "foo=bar" -p "bazz=buzz" --json
+  auth0 test login <client-id> -c <connection-name> -a <api-identifier> -d <domain> -o <org-id> -s <scope1,scope2> -p "foo=bar","bazz=buzz" --json
+  auth0 test login <client-id> -c <connection-name> -a <api-identifier> -d <domain> -s <scope1,scope2> --force --json
 ```
 
 
 ## Flags
 
 ```
-  -a, --audience string          The unique identifier of the target API you want to access. For Machine to Machine Applications, only the enabled APIs will be shown within the interactive prompt.
+      --audience string          The unique identifier of the target API you want to access. For Machine to Machine Applications, only the enabled APIs will be shown within the interactive prompt.
   -c, --connection-name string   The connection name to test during login.
   -d, --domain string            One of your custom domains.
       --force                    Skip confirmation.
+  -a, --identifier string        The unique identifier of the target API you want to access. For Machine to Machine Applications, only the enabled APIs will be shown within the interactive prompt.
       --json                     Output in json format.
       --json-compact             Output in compact json format.
   -o, --organization string      organization-id to use for the login. Can use organization-name if allow_organization_name_in_authentication_api is enabled for tenant

@@ -5,7 +5,7 @@ has_toc: false
 ---
 # auth0 test token
 
-Request an access token for a given application. Specify the API you want this token for with `--audience` (API Identifier). Additionally, you can also specify the `--scopes` to grant.
+Request an access token for a given application. Specify the API you want this token for with `--identifier` (API Identifier). Additionally, you can also specify the `--scopes` to grant.
 
 ## Usage
 ```
@@ -16,23 +16,24 @@ auth0 test token [flags]
 
 ```
   auth0 test token
-  auth0 test token <client-id> --audience <api-audience|api-identifier> --organization <org-id> --scopes <scope1,scope2> --params "foo=bar"
-  auth0 test token <client-id> -a <api-audience|api-identifier> -o <org-id> -s <scope1,scope2>
-  auth0 test token <client-id> -a <api-audience|api-identifier> -s <scope1,scope2> --force
-  auth0 test token <client-id> -a <api-audience|api-identifier> -o <org-id> -s <scope1,scope2> -p "foo=bar" -p "bazz=buzz" --force
-  auth0 test token <client-id> -a <api-audience|api-identifier> -s <scope1,scope2> --json
-  auth0 test token <client-id> -a <api-audience|api-identifier> -s <scope1,scope2> --json-compact
-  auth0 test token <client-id> -a <api-audience|api-identifier> -o <org-id> -s <scope1,scope2> -p "foo=bar","bazz=buzz" --json
-  auth0 test token <client-id> -a <api-audience|api-identifier> -s <scope1,scope2> --force --json
+  auth0 test token <client-id> --identifier <api-identifier> --organization <org-id> --scopes <scope1,scope2> --params "foo=bar"
+  auth0 test token <client-id> -a <api-identifier> -o <org-id> -s <scope1,scope2>
+  auth0 test token <client-id> -a <api-identifier> -s <scope1,scope2> --force
+  auth0 test token <client-id> -a <api-identifier> -o <org-id> -s <scope1,scope2> -p "foo=bar" -p "bazz=buzz" --force
+  auth0 test token <client-id> -a <api-identifier> -s <scope1,scope2> --json
+  auth0 test token <client-id> -a <api-identifier> -s <scope1,scope2> --json-compact
+  auth0 test token <client-id> -a <api-identifier> -o <org-id> -s <scope1,scope2> -p "foo=bar","bazz=buzz" --json
+  auth0 test token <client-id> -a <api-identifier> -s <scope1,scope2> --force --json
 ```
 
 
 ## Flags
 
 ```
-  -a, --audience string         The unique identifier of the target API you want to access. For Machine to Machine Applications, only the enabled APIs will be shown within the interactive prompt.
+      --audience string         The unique identifier of the target API you want to access. For Machine to Machine Applications, only the enabled APIs will be shown within the interactive prompt.
   -d, --domain string           One of your custom domains.
       --force                   Skip confirmation.
+  -a, --identifier string       The unique identifier of the target API you want to access. For Machine to Machine Applications, only the enabled APIs will be shown within the interactive prompt.
       --json                    Output in json format.
       --json-compact            Output in compact json format.
   -o, --organization string     organization-id to use for the login. Can use organization-name if allow_organization_name_in_authentication_api is enabled for tenant

@@ -127,7 +127,7 @@ var RequiredScopes = []string{
 	"openid",
 	"offline_access", // For retrieving refresh token.
 	"create:clients", "delete:clients", "read:clients", "update:clients",
-	"read:client_grants",
+	"create:client_grants", "read:client_grants",
 	"create:resource_servers", "delete:resource_servers", "read:resource_servers", "update:resource_servers",
 	"create:roles", "delete:roles", "read:roles", "update:roles",
 	"create:rules", "delete:rules", "read:rules", "update:rules",

@@ -7,6 +7,10 @@ import (
 )
 
 type ClientGrantAPI interface {
-	// List all client grants.
+	// Create a new client grant, authorizing the given client for the specified API (audience).
+	// Returns an error if the grant already exists or the request fails.
+	Create(ctx context.Context, g *management.ClientGrant, opts ...management.RequestOption) error
+
+	// List returns all client grants for the tenant, with optional filtering via opts.
 	List(ctx context.Context, opts ...management.RequestOption) (*management.ClientGrantList, error)
 }