diff --git a/auth4genai/mcp/get-started/call-your-apis-on-users-behalf.mdx b/auth4genai/mcp/get-started/call-your-apis-on-users-behalf.mdx index 3063b45391..42bf3e0b73 100644 --- a/auth4genai/mcp/get-started/call-your-apis-on-users-behalf.mdx +++ b/auth4genai/mcp/get-started/call-your-apis-on-users-behalf.mdx @@ -11,6 +11,7 @@ permalink: "/mcp/get-started/call-your-apis-on-users-behalf" --- import MCPGetStartedPrerequisites from "/snippets/mcp/get-started/pre-reqs/prerequisites.mdx"; +import MCPGetStartedEnableOBOTokenExchangeStep from "/snippets/mcp/get-started/pre-reqs/enable-obo-token-exchange.mdx"; import MCPGetStartedConfigTenantSettings from "/snippets/mcp/get-started/config-tenant/config-tenant-settings.mdx"; import MCPGetStartedCreateRoles from "/snippets/mcp/get-started/config-tenant/roles-management.mdx"; import CreateProfile from "/snippets/mcp/get-started/create-custom-token-exchange-profile.mdx"; 
@@ -25,9 +26,13 @@ import RunMcpServerPython from "/snippets/mcp/get-started/call-your-apis/run-mcp import ExchangeAccessTokenJs from "/snippets/mcp/get-started/call-your-apis/exchange-access-token-js.mdx"; import ExchangeAccessTokenPython from "/snippets/mcp/get-started/call-your-apis/exchange-access-token-python.mdx"; + +When you purchase the Auth0 for AI Agents add-on, you can use your subscription tier’s maximum Authentication API rate limit for OBO token exchanges. For example, if you are on [Private Cloud 100 RPS](https://auth0.com/docs/troubleshoot/customer-support/operational-policies/rate-limit-policy/rate-limit-configurations/tier-100-rps-private-cloud), you can exceed the OBO token exchange rate limit of 30 RPS and leverage the full 100 RPS capacity for your OBO token exchange requests. The Authentication API limit is shared and acts as the global ceiling for all Authentication API requests, including logins, token refreshes, and token exchanges combined. + + To call your APIs on behalf of your users, the MCP server needs to exchange the Auth0 access token it received from the MCP client (with the audience set to the MCP server itself) for a new Auth0 access token with the audience set to your API. -In Auth0, this is called Custom Token Exchange and uses [RFC 8693](https://www.rfc-editor.org/rfc/rfc8693.html). This flow involves the MCP server acting as both a resource server (for the client) and a client (for the upstream API). +In Auth0, this is called On-Behalf-Of Token Exchange (OBO) and uses [RFC 8693](https://www.rfc-editor.org/rfc/rfc8693.html). This flow involves the MCP server acting as both a resource server (for the client) and a client (for the upstream API). 
@@ -59,7 +64,7 @@ By the end of this quickstart, you should have an MCP server that can: ## Set up the Auth0 Applications and APIs -When an MCP server needs to call underlying APIs, it needs to perform a Custom Token Exchange to obtain an access token with the audience set to the API rather than the MCP server itself. Because of this architecture, the MCP server acts in a dual role. +When an MCP server needs to call underlying APIs, it needs to perform an On-Behalf-Of Token Exchange to obtain an access token with the audience set to the API rather than the MCP server itself. Because of this architecture, the MCP server acts in a dual role. 1. To the MCP client (e.g., an IDE, an AI assistant), the MCP server acts as a **Resource Server** (an API). 2. To the underlying API (e.g., your own API), the MCP server acts as a **Client**. @@ -74,7 +79,7 @@ Because of this, you will set up the MCP server twice on your Auth0 tenant, both ### Create an Application for your MCP server -In the custom token exchange scenario, the MCP server acts as a client in order to obtain an Auth0 access token with custom token exchange: +The MCP server acts as a client in order to obtain an Auth0 access token with On-Behalf-Of token exchange: ```shell wrap lines auth0 api post clients --data '{ 
@@ -108,7 +113,16 @@ auth0 api post resource-servers --data '{ }' | jq -r '"Audience: " + .identifier' ``` -Save the `Audience` from the command output; you'll need it in a later step. +Save the `Audience` from the command output; you'll need it in a later step. Make sure you enable **Allow Skipping User Consent** for the API in the Auth0 Dashboard. + +### Create client grant + +You need to create a [user-delegated client grant](https://auth0.com/docs/get-started/applications/application-access-to-apis-client-grants) between the Custom API client and the downstream API to authorize access. + +1. Navigate to **Applications > Applications** and select your Custom API client. +2. Under **APIs**, find your resource server (i.e., `https://my-api.example.com`) and select **Edit**. +3. Under **User-Delegated Access**, select **Authorized**, then select **Specific Permissions** with the permissions you want to grant or **All**. +4. Select **Save**. ## Sample app @@ -120,7 +134,7 @@ Save the `Audience` from the command output; you'll need it in a later step. Once downloaded, extract the files and open the project in your preferred IDE. 
@@ -131,18 +145,18 @@ Save the `Audience` from the command output; you'll need it in a later step. ```shell wrap lines git clone https://github.com/auth0-samples/auth0-ai-samples.git - cd auth0-ai-samples/auth-for-mcp/fastmcp-mcp-customtokenexchange-js + cd auth0-ai-samples/auth-for-mcp/fastmcp-mcp-on-behalf-of-tokenexchange-js ``` Once cloned, open the project in your preferred IDE. - The sample app demonstrates custom token exchange with a `greet` tool that calls your protected API on behalf of the authenticated user. + The sample app demonstrates on-behalf-of token exchange with a `greet` tool that calls your protected API on behalf of the authenticated user. ## Install packages - Ensure you have npm installed or follow the instructions to [install npm](https://docs.npmjs.com/downloading-and-installing-node-js-and-npm) in its documentation. In the `fastmcp-mcp-customtokenexchange-js` directory, install the required packages: + Ensure you have npm installed or follow the instructions to [install npm](https://docs.npmjs.com/downloading-and-installing-node-js-and-npm) in its documentation. In the `fastmcp-mcp-on-behalf-of-tokenexchange-js` directory, install the required packages: ```shell npm install @@ -151,12 +165,6 @@ Save the `Audience` from the command output; you'll need it in a later step. ## Create your environment file - ## Use Custom Token Exchange Action - - - ## Set up the token exchange profile - - ## Run the MCP server and the API @@ -171,7 +179,7 @@ Save the `Audience` from the command output; you'll need it in a later step. Once downloaded, extract the files and open the project in your preferred IDE. 
@@ -181,18 +189,18 @@ Save the `Audience` from the command output; you'll need it in a later step. ```shell wrap lines git clone https://github.com/auth0-samples/auth0-ai-samples.git - cd auth0-ai-samples/auth-for-mcp/fastmcp-mcp-customtokenexchange-python + cd auth0-ai-samples/auth-for-mcp/fastmcp-mcp-on-behalf-of-tokenexchange-python ``` Once cloned, open the project in your preferred IDE. - The sample app demonstrates custom token exchange with a `greet` tool that calls your protected API on behalf of the authenticated user. + The sample app demonstrates on-behalf-of token exchange with a `greet` tool that calls your protected API on behalf of the authenticated user. ## Install packages - Ensure you have poetry installed or follow the instructions to [install poetry](https://python-poetry.org/docs/) in its documentation. In the `fastmcp-mcp-customtokenexchange-python` directory, install the required packages: + Ensure you have poetry installed or follow the instructions to [install poetry](https://python-poetry.org/docs/) in its documentation. In the `fastmcp-mcp-on-behalf-of-tokenexchange-python` directory, install the required packages: ```shell poetry install @@ -201,12 +209,6 @@ Save the `Audience` from the command output; you'll need it in a later step. ## Create your environment file - ## Use Custom Token Exchange Action - - - ## Set up the token exchange profile - - ## Run the MCP server and the API diff --git a/auth4genai/snippets/mcp/get-started/call-your-apis/create-env-file.mdx b/auth4genai/snippets/mcp/get-started/call-your-apis/create-env-file.mdx index 890c04dd78..a888f34cd7 100644 --- a/auth4genai/snippets/mcp/get-started/call-your-apis/create-env-file.mdx +++ b/auth4genai/snippets/mcp/get-started/call-your-apis/create-env-file.mdx 
@@ -11,10 +11,9 @@ CLIENT_ID=$(jq -r '.client_id' auth0-app-details.json) \ && echo "MCP_SERVER_URL=http://localhost:3001/" >> .env \ && echo "MCP_AUTH0_CLIENT_ID=${CLIENT_ID}" >> .env \ && echo "MCP_AUTH0_CLIENT_SECRET=${CLIENT_SECRET}" >> .env \ -&& echo "MCP_AUTH0_SUBJECT_TOKEN_TYPE=urn:fastmcp:mcp" >> .env \ -&& echo "MCP_AUTH0_EXCHANGE_SCOPE=openid offline_access read:private" >> .env \ +&& echo "MCP_AUTH0_EXCHANGE_SCOPE=read:private" >> .env \ && echo "API_AUTH0_AUDIENCE=http://localhost:8787/" >> .env \ -&& echo "API_BASE_URL=http://localhost:8787/" >> .env \ +&& echo "API_BASE_URL=http://localhost:8787" >> .env \ && rm auth0-app-details.json \ && echo ".env file created with your Auth0 details:" \ && cat .env diff --git a/auth4genai/snippets/mcp/get-started/call-your-apis/exchange-access-token-js.mdx b/auth4genai/snippets/mcp/get-started/call-your-apis/exchange-access-token-js.mdx index 901ea51677..2efcbc6b2d 100644 --- a/auth4genai/snippets/mcp/get-started/call-your-apis/exchange-access-token-js.mdx +++ b/auth4genai/snippets/mcp/get-started/call-your-apis/exchange-access-token-js.mdx 
@@ -1,17 +1,17 @@ -To call your APIs on behalf of your users, the MCP server needs to exchange the Auth0 access token it received from the MCP client (with the audience set to the MCP server itself) for a new Auth0 access token with the audience set to your API. In Auth0, this is called Custom Token Exchange and uses [RFC 8693](https://www.rfc-editor.org/rfc/rfc8693.html). +To call your APIs on behalf of your users, the MCP server needs to exchange the Auth0 access token it received from the MCP client (with the audience set to the MCP server itself) for a new Auth0 access token with the audience set to your API. In Auth0, this is called On-Behalf-Of Token Exchange and uses [RFC 8693](https://www.rfc-editor.org/rfc/rfc8693.html). ### The Orchestrator: `bearerForUpstream` -The process begins with the `bearerForUpstream` function. Its main job is to take the initial token (the `subjectToken`), manage the exchange process, and handle any potential errors gracefully. +The process begins with the `bearerForUpstream` function. Its main job is to take the initial access token, manage the exchange process, and handle any potential errors gracefully. This function serves as a safe wrapper around our exchange logic. ```javascript wrap lines highlight={5} -async function bearerForUpstream(subjectToken: string) { - if (!subjectToken) return { token: null, scopes: null }; +async function bearerForUpstream(accessToken: string) { + if (!accessToken) return { token: null, scopes: null }; try { - const result = await exchangeCustomToken(subjectToken); + const result = await exchangeTokenOnBehalfOf(accessToken); return { token: result.accessToken, scopes: result.scope, 
@@ -23,30 +23,32 @@ async function bearerForUpstream(subjectToken: string) { } ``` -As you can see, it calls `exchangeCustomToken` and, on a successful exchange, returns the new `accessToken` and its associated scope. If the exchange fails, it logs the error and re-throws it to be handled upstream. +As you can see, it calls `exchangeTokenOnBehalfOf` and, on a successful exchange, returns the new `accessToken` and its associated scope. If the exchange fails, it logs the error and re-throws it to be handled upstream. -### The core logic: `exchangeCustomToken` +### The core logic: `exchangeTokenOnBehalfOf` -This function, located in `src/auth0.ts`, contains the actual token exchange logic. It uses the `ApiClient` from the `auth0-api-js` SDK to simplify the interaction with Auth0's `/oauth/token` endpoint. +This function, located in `src/auth0.ts`, contains the actual token exchange logic. It uses the `ApiClient` from the `@auth0/auth0-api-js` SDK to simplify the interaction with Auth0's `/oauth/token` endpoint. -First, we initialize the `ApiClient` with the credentials of the application performing the exchange: +First, we initialize the `ApiClient` with the credentials of the MCP server application: ```javascript wrap lines - const exchangeClient = new ApiClient({ +const apiClient = new ApiClient({ domain: AUTH0_DOMAIN, - audience: API_AUTH0_AUDIENCE, + audience: AUTH0_AUDIENCE, clientId: MCP_AUTH0_CLIENT_ID, clientSecret: MCP_AUTH0_CLIENT_SECRET, }); ``` -With the client configured, the `exchangeCustomToken` function uses the client's `getTokenByExchangeProfile` method to perform the token exchange. This method implements the [Custom Token Exchange](https://auth0.com/docs/authenticate/custom-token-exchange) flow. + +With the client configured, the `exchangeTokenOnBehalfOf` function uses the client's `getTokenOnBehalfOf` method to perform the token exchange. 
This method implements the On-Behalf-Of Token Exchange flow, which allows the MCP server to obtain a new token for calling the downstream API while preserving the user's identity. ```javascript wrap lines -export async function exchangeCustomToken(subjectToken: string) { - return await exchangeClient.getTokenByExchangeProfile(subjectToken, { - subjectTokenType: MCP_AUTH0_SUBJECT_TOKEN_TYPE, +export async function exchangeTokenOnBehalfOf(accessToken: string) { + return await apiClient.getTokenOnBehalfOf(accessToken, { audience: API_AUTH0_AUDIENCE, ...(MCP_AUTH0_EXCHANGE_SCOPE && { scope: MCP_AUTH0_EXCHANGE_SCOPE }), }); } ``` + +The key difference from custom token exchange is that this uses the `getTokenOnBehalfOf` method with just the `audience` and optional `scope` parameters, making it simpler and more straightforward for the on-behalf-of use case. diff --git a/auth4genai/snippets/mcp/get-started/call-your-apis/exchange-access-token-python.mdx b/auth4genai/snippets/mcp/get-started/call-your-apis/exchange-access-token-python.mdx index 3a8b14b057..470869a04a 100644 --- a/auth4genai/snippets/mcp/get-started/call-your-apis/exchange-access-token-python.mdx +++ b/auth4genai/snippets/mcp/get-started/call-your-apis/exchange-access-token-python.mdx 
@@ -1,9 +1,9 @@ -To call your APIs on behalf of your users, the MCP server needs to exchange the Auth0 access token it received from the MCP client (with the audience set to the MCP server itself) for a new Auth0 access token with the audience set to your API. In Auth0, this is called Custom Token Exchange and uses [RFC 8693](https://www.rfc-editor.org/rfc/rfc8693.html). +To call your APIs on behalf of your users, the MCP server needs to exchange the Auth0 access token it received from the MCP client (with the audience set to the MCP server itself) for a new Auth0 access token with the audience set to your API. In Auth0, this is called On-Behalf-Of Token Exchange and uses [RFC 8693](https://www.rfc-editor.org/rfc/rfc8693.html). ### How tools use token exchange Here's how the `greet` tool performs token exchange and calls the upstream API: -```python wrap lines highlight={10,11,12,13,14,19} +```python wrap lines highlight={10,11,12,13,14,17} @mcp.tool(name="greet") @require_scopes(["tool:greet"]) async def greet(name: str, ctx: Context) -> str: @@ -14,7 +14,7 @@ async def greet(name: str, ctx: Context) -> str: logger.info(f"Greet tool invoked for user: {user_id}") # Exchange token and call upstream API - exchange_result = await exchange_custom_token( + exchange_result = await exchange_token_on_behalf_of( ctx.request_context.request.state.api_client, auth_info["token"] ) 
@@ -29,32 +29,33 @@ async def greet(name: str, ctx: Context) -> str: return f"Hello, {user_name} ({user_id})!\nUpstream API Response: {json.dumps(upstream_result, indent=2)}" ``` -### The core logic: `exchange_custom_token` +### The core logic: `exchange_token_on_behalf_of` -The Python implementation uses the `exchange_custom_token` function that handles the token exchange process. +The Python implementation uses the `exchange_token_on_behalf_of` function that handles the token exchange process. -```python wrap lines highlight={3,4,5,6,7,8} -async def exchange_custom_token(api_client, subject_token: str) -> dict: - """Exchange subject token for access token via Custom Token Exchange.""" - result = await api_client.get_token_by_exchange_profile( - subject_token=subject_token, - subject_token_type=config.mcp_auth0_subject_token_type, +```python wrap lines highlight={3,4,5,6} +async def exchange_token_on_behalf_of(api_client, access_token: str) -> dict: + """Exchange access token for downstream API token via On-Behalf-Of Token Exchange.""" + result = await api_client.get_token_on_behalf_of( + access_token=access_token, audience=config.api_auth0_audience, scope=config.mcp_auth0_exchange_scope or None ) return {"token": result["access_token"], "scopes": result.get("scope", "")} ``` -This function uses the `get_token_by_exchange_profile` method of `ApiClient` from the `auth0-api-python` SDK and, on a successful exchange, returns the new access token and its associated scopes. This method implements the [Custom Token Exchange](https://auth0.com/docs/authenticate/custom-token-exchange) flow. +This function uses the `get_token_on_behalf_of` method of `ApiClient` from the `auth0-api-python` SDK and, on a successful exchange, returns the new access token and its associated scopes. This method implements the On-Behalf-Of Token Exchange flow, which allows the MCP server to obtain a new token for calling the downstream API while preserving the user's identity. 
+ +The key difference from custom token exchange is that this uses the simpler `get_token_on_behalf_of` method with just the `access_token`, `audience`, and optional `scope` parameters, making it more straightforward for the on-behalf-of use case. ### Client Configuration -The `ApiClient` is initialized in the `Auth0Middleware` (located in `src/auth0/middleware.py`) with the credentials of the application performing the exchange: +The `ApiClient` is initialized in the `Auth0Middleware` (located in `src/auth0/middleware.py`) with the credentials of the MCP server application: ```python src/auth0/middleware.py wrap lines self.client = ApiClient(ApiClientOptions( domain=domain, # AUTH0_DOMAIN env var - audience=audience, # API_AUTH0_AUDIENCE env var + audience=audience, # AUTH0_AUDIENCE env var client_id=client_id, # MCP_AUTH0_CLIENT_ID env var client_secret=client_secret # MCP_AUTH0_CLIENT_SECRET env var )) diff --git a/auth4genai/snippets/mcp/get-started/enable-obo-token-exchange.mdx b/auth4genai/snippets/mcp/get-started/enable-obo-token-exchange.mdx new file mode 100644 index 0000000000..cd052c5f72 --- /dev/null +++ b/auth4genai/snippets/mcp/get-started/enable-obo-token-exchange.mdx @@ -0,0 +1,5 @@ +To enable your tenant to use the On-Behalf-Of Token Exchange: + +1. Navigate to **Applications > Applications** and select your MCP client. Only Custom API clients associated with a resource server can use the OBO token exchange. +2. Under **Token Exchange**, toggle on **On-Behalf-Of Token Exchange**. +3. Select **Save**. diff --git a/auth4genai/snippets/mcp/get-started/pre-reqs/enable-obo-token-exchange.mdx b/auth4genai/snippets/mcp/get-started/pre-reqs/enable-obo-token-exchange.mdx new file mode 100644 index 0000000000..4bc6700025 --- /dev/null +++ b/auth4genai/snippets/mcp/get-started/pre-reqs/enable-obo-token-exchange.mdx 
@@ -0,0 +1,5 @@ +Enable your tenant to use the On-Behalf-Of Token Exchange: + +1. Navigate to **Applications > Applications** and select your MCP client. Only Custom API clients associated with a resource server can use the OBO token exchange. +2. Under **Token Exchange**, toggle on **On-Behalf-Of Token Exchange**. +3. Select **Save**. diff --git a/auth4genai/snippets/mcp/get-started/pre-reqs/prerequisites.mdx b/auth4genai/snippets/mcp/get-started/pre-reqs/prerequisites.mdx index 1c601f430e..bdf566bcc0 100644 --- a/auth4genai/snippets/mcp/get-started/pre-reqs/prerequisites.mdx +++ b/auth4genai/snippets/mcp/get-started/pre-reqs/prerequisites.mdx @@ -3,21 +3,20 @@ import MCPGetStartedAuth0CLIStep from "/snippets/mcp/get-started/pre-reqs/auth0- ## Prerequisites - -Auth for MCP is currently available in Early Access. To join the Early Access program, please complete [this form](https://forms.gle/hvJ1ZRLmHr9YjV2a9). We'll reach out to you when your request is processed. - - To continue with this quickstart, you need to have an [Auth0 account](https://auth0.com/signup). - + + + + - + - + To simplify the process of interacting with the Auth0 CLI, we recommend installing [jq](https://jqlang.org/download/). This will allow you to easily parse JSON responses from the CLI. diff --git a/main/docs.json b/main/docs.json index 5f1a59f26d..b1be9b4a0e 100644 --- a/main/docs.json +++ b/main/docs.json 
@@ -3935,19 +3935,28 @@ "group": "Applications confidentielles et publiques", "pages": [ "docs/fr-ca/get-started/applications/confidential-and-public-applications", - "docs/fr-ca/get-started/applications/confidential-and-public-applications/view-application-type", - "docs/fr-ca/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications", - "docs/fr-ca/get-started/applications/confidential-and-public-applications/view-application-ownership", - "docs/fr-ca/get-started/applications/confidential-and-public-applications/update-application-ownership", - "docs/fr-ca/get-started/applications/confidential-and-public-applications/enable-third-party-applications", - "docs/fr-ca/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications" + "docs/fr-ca/get-started/applications/confidential-and-public-applications/view-application-type" + ] + }, + "docs/fr-ca/get-started/applications/first-party-and-third-party-applications", + { + "group": "Applications tierces", + "pages": [ + "docs/fr-ca/get-started/applications/third-party-applications", + "docs/fr-ca/get-started/applications/third-party-applications/security-controls", + "docs/fr-ca/get-started/applications/third-party-applications/user-consent-and-third-party-applications", + "docs/fr-ca/get-started/applications/third-party-applications/configure-third-party-applications", + "docs/fr-ca/get-started/applications/third-party-applications/troubleshooting", + "docs/fr-ca/get-started/applications/third-party-applications/permissive-mode" ] }, "docs/fr-ca/get-started/applications/dynamic-client-registration", "docs/fr-ca/get-started/applications/set-up-database-connections", "docs/fr-ca/get-started/applications/test-database-connections", + "docs/fr-ca/get-started/applications/application-access-to-apis-client-grants", "docs/fr-ca/get-started/applications/application-grant-types", "docs/fr-ca/get-started/applications/update-grant-types", + 
"docs/fr-ca/get-started/applications/revoke-api-access", "docs/fr-ca/get-started/applications/signing-algorithms", "docs/fr-ca/get-started/applications/change-application-signing-algorithms", "docs/fr-ca/get-started/applications/configure-application-metadata", @@ -7216,12 +7225,19 @@ "group": "機密アプリケーションと公開アプリケーション", "pages": [ "docs/ja-jp/get-started/applications/confidential-and-public-applications", - "docs/ja-jp/get-started/applications/confidential-and-public-applications/view-application-type", - "docs/ja-jp/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications", - "docs/ja-jp/get-started/applications/confidential-and-public-applications/view-application-ownership", - "docs/ja-jp/get-started/applications/confidential-and-public-applications/update-application-ownership", - "docs/ja-jp/get-started/applications/confidential-and-public-applications/enable-third-party-applications", - "docs/ja-jp/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications" + "docs/ja-jp/get-started/applications/confidential-and-public-applications/view-application-type" + ] + }, + "docs/ja-jp/get-started/applications/first-party-and-third-party-applications", + { + "group": "サードパーティアプリケーション", + "pages": [ + "docs/ja-jp/get-started/applications/third-party-applications", + "docs/ja-jp/get-started/applications/third-party-applications/security-controls", + "docs/ja-jp/get-started/applications/third-party-applications/user-consent-and-third-party-applications", + "docs/ja-jp/get-started/applications/third-party-applications/configure-third-party-applications", + "docs/ja-jp/get-started/applications/third-party-applications/troubleshooting", + "docs/ja-jp/get-started/applications/third-party-applications/permissive-mode" ] }, "docs/ja-jp/get-started/applications/dynamic-client-registration", 
@@ -7230,6 +7246,7 @@ "docs/ja-jp/get-started/applications/application-access-to-apis-client-grants", "docs/ja-jp/get-started/applications/application-grant-types", "docs/ja-jp/get-started/applications/update-grant-types", + "docs/ja-jp/get-started/applications/revoke-api-access", "docs/ja-jp/get-started/applications/signing-algorithms", "docs/ja-jp/get-started/applications/change-application-signing-algorithms", "docs/ja-jp/get-started/applications/configure-application-metadata", 
@@ -25897,71 +25914,71 @@ }, { "source": "/docs/configure/applications/confidential-public-apps/user-consent-and-third-party-applications", - "destination": "/docs/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications" + "destination": "/docs/get-started/applications/third-party-applications/user-consent-and-third-party-applications" }, { "source": "/docs/authorization/user-consent-and-third-party-applications", - "destination": "/docs/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications" + "destination": "/docs/get-started/applications/third-party-applications/user-consent-and-third-party-applications" }, { "source": "/docs/api-auth/user-consent", - "destination": "/docs/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications" + "destination": "/docs/get-started/applications/third-party-applications/user-consent-and-third-party-applications" }, { "source": "/docs/configure/applications/confidential-public-apps/enable-third-party-applications", - "destination": "/docs/get-started/applications/confidential-and-public-applications/enable-third-party-applications" + "destination": "/docs/get-started/applications/third-party-applications/configure-third-party-applications" }, { "source": "/docs/applications/enable-third-party-applications", - "destination": "/docs/get-started/applications/confidential-and-public-applications/enable-third-party-applications" + "destination": "/docs/get-started/applications/third-party-applications/configure-third-party-applications" }, { "source": "/docs/applications/guides/enable-third-party-apps", - "destination": "/docs/get-started/applications/confidential-and-public-applications/enable-third-party-applications" + "destination": "/docs/get-started/applications/third-party-applications/configure-third-party-applications" }, { "source": 
"/docs/applications/guides/enable-third-party-applications", - "destination": "/docs/get-started/applications/confidential-and-public-applications/enable-third-party-applications" + "destination": "/docs/get-started/applications/third-party-applications/configure-third-party-applications" }, { "source": "/docs/configure/applications/confidential-public-apps/update-application-ownership", - "destination": "/docs/get-started/applications/confidential-and-public-applications/update-application-ownership" + "destination": "/docs/get-started/applications/first-party-and-third-party-applications" }, { "source": "/docs/applications/update-application-ownership", - "destination": "/docs/get-started/applications/confidential-and-public-applications/update-application-ownership" + "destination": "/docs/get-started/applications/first-party-and-third-party-applications" }, { "source": "/docs/api/management/guides/applications/remove-app", - "destination": "/docs/get-started/applications/confidential-and-public-applications/update-application-ownership" + "destination": "/docs/get-started/applications/first-party-and-third-party-applications" }, { "source": "/docs/api/management/guides/applications/update-ownership", - "destination": "/docs/get-started/applications/confidential-and-public-applications/update-application-ownership" + "destination": "/docs/get-started/applications/first-party-and-third-party-applications" }, { "source": "/docs/configure/applications/confidential-public-apps/view-application-ownership", - "destination": "/docs/get-started/applications/confidential-and-public-applications/view-application-ownership" + "destination": "/docs/get-started/applications/first-party-and-third-party-applications" }, { "source": "/docs/api/management/guides/applications/view-ownership", - "destination": "/docs/get-started/applications/confidential-and-public-applications/view-application-ownership" + "destination": 
"/docs/get-started/applications/first-party-and-third-party-applications" }, { "source": "/docs/applications/view-application-ownership", - "destination": "/docs/get-started/applications/confidential-and-public-applications/view-application-ownership" + "destination": "/docs/get-started/applications/first-party-and-third-party-applications" }, { "source": "/docs/configure/applications/confidential-public-apps/first-party-and-third-party-applications", - "destination": "/docs/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications" + "destination": "/docs/get-started/applications/first-party-and-third-party-applications" }, { "source": "/docs/applications/concepts/app-types-first-third-party", - "destination": "/docs/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications" + "destination": "/docs/get-started/applications/first-party-and-third-party-applications" }, { "source": "/docs/applications/first-party-and-third-party-applications", - "destination": "/docs/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications" + "destination": "/docs/get-started/applications/first-party-and-third-party-applications" }, { "source": "/docs/configure/applications/confidential-public-apps/view-application-type", 
@@ -29238,6 +29255,26 @@ { "source": "/docs/api/authentication/get-ws-federation-metadata", "destination": "/docs/api/authentication/ws-federation/get-ws-federation-metadata" + }, + { + "source": "/docs/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications", + "destination": "/docs/get-started/applications/third-party-applications/user-consent-and-third-party-applications" + }, + { + "source": "/docs/get-started/applications/confidential-and-public-applications/enable-third-party-applications", + "destination": "/docs/get-started/applications/third-party-applications/configure-third-party-applications" + }, + { + "source": "/docs/get-started/applications/confidential-and-public-applications/view-application-ownership", + "destination": "/docs/get-started/applications/first-party-and-third-party-applications" + }, + { + "source": "/docs/get-started/applications/confidential-and-public-applications/update-application-ownership", + "destination": "/docs/get-started/applications/first-party-and-third-party-applications" + }, + { + "source": "/docs/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications", + "destination": "/docs/get-started/applications/first-party-and-third-party-applications" } ] } diff --git a/main/docs/authenticate/custom-token-exchange/configure-custom-token-exchange.mdx b/main/docs/authenticate/custom-token-exchange/configure-custom-token-exchange.mdx index d78c839a2f..29a37fb7ea 100644 --- a/main/docs/authenticate/custom-token-exchange/configure-custom-token-exchange.mdx +++ b/main/docs/authenticate/custom-token-exchange/configure-custom-token-exchange.mdx 
@@ -40,7 +40,7 @@ When you create a new application: ``` 2. Enable the connection you want to use with Custom Token Exchange for the application. -3. Make sure your application is flagged as [First-Party](/docs/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) and it is configured as OIDC Conformant in **[Dashboard > Applications > Advanced Settings > OAuth](/docs/get-started/applications/application-settings#oauth)**. +3. Make sure your application is flagged as [First-Party](/docs/get-started/applications/first-party-and-third-party-applications) and it is configured as OIDC Conformant in **[Dashboard > Applications > Advanced Settings > OAuth](/docs/get-started/applications/application-settings#oauth)**. Custom DBs with import mode `ON` are only supported for `setUserById()` operations. diff --git a/main/docs/authenticate/login/oidc-conformant-authentication.mdx b/main/docs/authenticate/login/oidc-conformant-authentication.mdx index 5c60b3f2b5..35e1894ce4 100644 --- a/main/docs/authenticate/login/oidc-conformant-authentication.mdx +++ b/main/docs/authenticate/login/oidc-conformant-authentication.mdx 
@@ -111,7 +111,7 @@ To learn more, read [OIDC-Conformant Adoption: Single Sign-On](/docs/authenticat ### Additional features -* Create third-party applications for your APIs and display consent dialogs for authorization. To learn more, read [User Consent and Third-Party Applications](/docs/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications). +* Create third-party applications for your APIs and display consent dialogs for authorization. To learn more, read [User Consent and Third-Party Applications](/docs/get-started/applications/third-party-applications/user-consent-and-third-party-applications). * Restrict user profile information provided to applications upon authentication. To learn more, read [User Profiles](/docs/manage-users/user-accounts/user-profiles/user-profile-structure). * Dynamically register applications. To learn more, read [Dynamic Client Registration](/docs/get-started/applications/dynamic-client-registration). * [Organizations](/docs/manage-users/organizations) and their related features become available. diff --git a/main/docs/fr-ca/authenticate/custom-token-exchange.mdx b/main/docs/fr-ca/authenticate/custom-token-exchange.mdx index 1c5892bdc4..aca9549c8c 100644 --- a/main/docs/fr-ca/authenticate/custom-token-exchange.mdx +++ b/main/docs/fr-ca/authenticate/custom-token-exchange.mdx 
@@ -51,7 +51,7 @@ Lorsque vous créez une nouvelle application : 2. Activez la [connexion de base de données](/docs/fr-ca/authenticate/database-connections) ou la [connexion d’entreprise](/docs/fr-ca/authenticate/enterprise-connections) que vous souhaitez utiliser avec l’échange de jeton personnalisé. -3. Assurez-vous que votre application est marquée comme étant de[première partie](/docs/fr-ca/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) et qu’elle est configurée comme étant [conforme à l'OIDC dans le tableau de bord > Applications > Paramètres avancés > OAuth](/docs/fr-ca/get-started/applications/application-settings#oauth). +3. Assurez-vous que votre application est marquée comme étant de[première partie](/docs/fr-ca/get-started/applications/first-party-and-third-party-applications) et qu’elle est configurée comme étant [conforme à l'OIDC dans le tableau de bord > Applications > Paramètres avancés > OAuth](/docs/fr-ca/get-started/applications/application-settings#oauth). diff --git a/main/docs/fr-ca/authenticate/identity-providers/promote-connections-to-domain-level.mdx b/main/docs/fr-ca/authenticate/identity-providers/promote-connections-to-domain-level.mdx index 0a4dac023b..f051f4e0d5 100644 --- a/main/docs/fr-ca/authenticate/identity-providers/promote-connections-to-domain-level.mdx +++ b/main/docs/fr-ca/authenticate/identity-providers/promote-connections-to-domain-level.mdx 
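Review bot: the rewritten `+` line carries over the missing space in `de[première partie](...)`, so the link text runs into the preceding word when rendered; since the line is being touched anyway, change it to `de [première partie](/docs/fr-ca/get-started/applications/first-party-and-third-party-applications)`.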
@@ -6,7 +6,7 @@ import {AuthCodeBlock} from "/snippets/AuthCodeBlock.jsx"; import {AuthCodeGroup} from "/snippets/AuthCodeGroup.jsx"; -Si votre locataire a activé [l’enregistrement dynamique du client](/docs/fr-ca/get-started/applications/dynamic-client-registration), vous pouvez autoriser l’utilisation d’une connexion par les [applications tierce partie](/docs/fr-ca/get-started/applications/confidential-and-public-applications/enable-third-party-applications) en les promouvant à une connexion du niveau du domaine. Les connexions au niveau du domaine sont activées ou désactivées pour toutes les applications d’un locataire. +Si votre locataire a activé [l’enregistrement dynamique du client](/docs/fr-ca/get-started/applications/dynamic-client-registration), vous pouvez autoriser l’utilisation d’une connexion par les [applications tierce partie](/docs/fr-ca/get-started/applications/third-party-applications/configure-third-party-applications) en les promouvant à une connexion du niveau du domaine. Les connexions au niveau du domaine sont activées ou désactivées pour toutes les applications d’un locataire. Vous pouvez promouvoir une connexion au niveau du domaine en utilisant l’Auth0 Management API. diff --git a/main/docs/fr-ca/authenticate/login/oidc-conformant-authentication.mdx b/main/docs/fr-ca/authenticate/login/oidc-conformant-authentication.mdx index 4d3baafd0b..b9cba37c16 100644 --- a/main/docs/fr-ca/authenticate/login/oidc-conformant-authentication.mdx +++ b/main/docs/fr-ca/authenticate/login/oidc-conformant-authentication.mdx 
@@ -111,7 +111,7 @@ Pour en savoir plus, lisez [Adoption conforme à OIDC : Authentification unique ### Caractéristiques supplémentaires -* Créez des applications tierces pour vos API et affichez des boîtes de dialogue de consentement pour l’autorisation. Pour en savoir plus, lisez [Consentement pour l’autorisation et tierce parties](/docs/fr-ca/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications). +* Créez des applications tierces pour vos API et affichez des boîtes de dialogue de consentement pour l’autorisation. Pour en savoir plus, lisez [Consentement pour l’autorisation et tierce parties](/docs/fr-ca/get-started/applications/third-party-applications/user-consent-and-third-party-applications). * Restreint les informations de profil utilisateur fournies aux applications lors de l’authentification. Pour en savoir plus, consultez [Profils utilisateurs](/docs/fr-ca/manage-users/user-accounts/user-profiles/user-profile-structure). * Enregistre dynamiquement les applications. Pour en savoir plus, consultez [Enregistrement dynamique des clients](/docs/fr-ca/get-started/applications/dynamic-client-registration). * Les [Organization](https://auth0.com/docs/manage-users/organizations) et leurs fonctionnalités associées deviennent disponibles. \ No newline at end of file diff --git a/main/docs/fr-ca/get-started/applications.mdx b/main/docs/fr-ca/get-started/applications.mdx index 34f917be3f..04d2b4672b 100644 --- a/main/docs/fr-ca/get-started/applications.mdx +++ b/main/docs/fr-ca/get-started/applications.mdx 
@@ -48,7 +48,7 @@ Auth0 fournit de nombreux types ou flux d’authentification et d’autorisation * [Paramètres d’application](/docs/fr-ca/get-started/applications/application-settings) * [Applications confidentielles et publiques](/docs/fr-ca/get-started/applications/confidential-and-public-applications) -* [Applications de première et de tierce partie](/docs/fr-ca/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) +* [Applications de première et de tierce partie](/docs/fr-ca/get-started/applications/first-party-and-third-party-applications) * [Types d’autorisation d’application](/docs/fr-ca/get-started/applications/application-grant-types) * [Paramètres fictifs d'URL de sous-domaine](/docs/fr-ca/get-started/applications/wildcards-for-subdomains) * [Enregistrement dynamique d'applications](/docs/fr-ca/get-started/applications/dynamic-client-registration) \ No newline at end of file diff --git a/main/docs/fr-ca/get-started/applications/application-access-to-apis-client-grants.mdx b/main/docs/fr-ca/get-started/applications/application-access-to-apis-client-grants.mdx new file mode 100644 index 0000000000..73b7a43d3e --- /dev/null +++ b/main/docs/fr-ca/get-started/applications/application-access-to-apis-client-grants.mdx 
@@ -0,0 +1,170 @@ +--- +title: "Application Access to APIs: Client Grants" +description: Learn about Client Grants +validatedOn: 2026-01-27 +--- +In Auth0, you can control how applications access your APIs using [application API access policies](/docs/get-started/apis/api-access-policies-for-applications) and client grants. + +A client grant provides fine-grained application access to an API. It associates: + +* An API identified by its `audience` or unique identifier. +* An application identified by its `client_id`. +* A list of permissions such as scopes and/or `authorization_details_types` that the application is allowed to request for the specified audience. + +To learn more about the list of attributes you can define in a client grant, read [Client grant attributes](#client-grant-attributes). To learn how to define and manage client grants, read [Configure client grants](#configure-client-grants). + +## Application API access policies and client grants + +When you configure an API's [application access policy](/docs/get-started/apis/api-access-policies-for-applications) to `require_client_grant`, only applications with a client grant defined can get an access token for the API. The client grant establishes the maximum permissions an application can request from the API by following the least privilege principle approach. As a result, Auth0 recommends using `require_client_grant` when configuring an API’s application access policy. + +### Example: Social Media API + +To illustrate how client grants follow the least privilege principle approach, say you have a Social Media API with the permissions: `read:posts`, `write:posts`, `read:friends`, and `delete:posts`. You create an application and define a client grant with the permissions: `read:posts` and `write:posts`. + +This client grant now serves as a hard ceiling. Even though the Social Media API has other permissions, your application can never request or be granted `read:friends` or `delete:posts`. 
+ +## User-delegated access vs. client access + +In user and client access, client grants define the final set of permissions that control an application’s access to an API. The client grant’s `subject_type` attribute determines the type of application access allowed for an API. + +An application can have up to two client grants for a single API: + +* When you set `subject_type` to `client`, you define its machine-to-machine permissions. +* When you set `subject_type` to `user`, you define its permissions to act on the user’s behalf. + +The following table explains how client grants control application access to APIs based on the access type flow: + +| Access type | subject_type attribute | Description | +| --- | --- | --- | +| Client credential access (Machine-to-machine access) | Set `subject_type` to `client`. | The client grant directly authorizes the application to access the API on its own behalf instead of the end user’s behalf. The permissions you define in the client grant are the ones the application is authorized to receive in the access token. | +| User-delegated access | Set `subject_type` to `user`. | The client grant defines the maximum permissions the application can request from the API. The final permissions in the access token issued to the application on the user’s behalf are the intersection of the permissions:
  • Requested by the application
  • Allowed by the client grant
  • Allowed by [Role-Based Access Control policies](/docs/manage-users/access-control/rbac) for the user
  • [Consented to by the end user](/docs/get-started/applications/third-party-applications/user-consent-and-third-party-applications), if applicable.

To learn more about user-delegated access flows, read [Authentication and Authorization Flows](/docs/get-started/authentication-and-authorization-flow). User-delegated access flows do not include the Client Credentials Flow. | + + +You can modify the final scopes granted by the authorization server to the application or user using [Actions](/docs/customize/actions). + + +## Client grant attributes + +A client grant has several attributes that you can define to configure application access to APIs using the Auth0 Management API: + +| Attribute | Description | +| --- | --- | +| `id` | Unique identifier of the client grant. | +| `audience` | Unique identifier of the API the client grant is for. | +| `client_id` | The unique ID of the application that is being granted access. | +| `scopes` | An array of strings representing the permissions the application can request. | +| `authorization_details_types` | An array of strings representing rich authorization data types that the application can request. This attribute can only be specified for user-delegated access flows. | +| `subject_type` | The type of application access the client grant allows for:
  • `user`: used for user-delegated access, which corresponds to all flows that generate a token associated with an end user.
  • `client`: used for machine access, which corresponds to the Client Credentials Flow.
| +| `allow_all_scopes` | Boolean. Indicates if all scopes defined on the API are allowed for the application. Future defined scopes, for the API, are automatically permitted. | +| `organization_usage` | Determines how the application may use organizations when accessing the API via the Client Credentials Flow. Possible values are: `deny`, `allow`, or `require`.

To learn more about the Organization settings, read [Organizations for M2M Applications: Define Organization Behavior](/docs/manage-users/organizations/organizations-for-m2m-applications/configure-your-application-for-m2m-access#define-organization-behavior). | +| `allow_any_organization` | Determines whether the application can access any organization when using the Client Credentials Flow.

To learn more about the Organization settings, read [Organizations for M2M Applications: Define Organization Behavior](/docs/manage-users/organizations/organizations-for-m2m-applications/configure-your-application-for-m2m-access#define-organization-behavior). | + +## Configure client grants + +You can configure client grants using the Auth0 Dashboard or the Management API. + + + +To configure client grants using the Auth0 Dashboard: + +1. Navigate to [Dashboard > Applications](https://manage.auth0.com/#/applications). +2. Select the **Application** you want to configure. +3. Select the **APIs** tab. +4. Select **Edit** to authorize **User-Delegated Access**, **Client Access**, or both. + + +For application-level authorization settings to take effect, you must set API Access Policy to Allow via client-grant. To learn more read, [API Access Policies for Applications](/docs/get-started/apis/api-access-policies-for-applications). + + + * Configure the **User-Delegated Access Authorization** to **Unauthorized**, **Authorized**, or **All**. + * **Unauthorized**: No permission allowed. + * **Authorized**: Select desired permissions. + * **All**: Include all existing and future permissions. + * Configure the **Client Credential Access Authorization** to **Unauthorized**, **Authorized**, or **All**. + * **Unauthorized**: No permission allowed. + * **Authorized**: Select desired permissions. + * **All**: Include all existing and future permissions. +5. Select **Save** to save the **Application's API** settings. + + + +To configure client grants, use the `/client-grants` endpoint. 
+ +**Create client grant** + +To create a new client grant, make a [`POST`](https://auth0.com/docs/api/management/v2/client-grants/post-client-grants) request to the `/client-grants` endpoint: + +```bash lines +curl --location 'https://{yourDomain}/api/v2/client-grants' \ +--header 'Content-Type: application/json' \ +--header 'Authorization: Bearer {YOUR_MANAGEMENT_API_TOKEN}' \ +--data '{ + "client_id": "{CLIENT_ID}", + "audience": "https://api.my-service.com", + "scope": [ + "read:item" + ], + "authorization_details_types":["payment"], + "subject_type": "user" +}' +``` + +**Update client grant** + +To update an existing client grant, make a [`PATCH`](https://auth0.com/docs/api/management/v2/client-grants/patch-client-grants-by-id) request to `/client-grants/{id}`: + +```bash lines +curl --location --request PATCH 'https://{yourDomain}/api/v2/client-grants/{CLIENT_GRANT_ID}' \ +--header 'Content-Type: application/json' \ +--header 'Authorization: Bearer {YOUR_MANAGEMENT_API_TOKEN}' \ +--data '{ + "scope": [ + "read:item", + "update:item" + ], + "authorization_details_types":["payment", "credits_transfer"] +}' +``` + +**Delete client grant** + +To delete a client grant, make a [`DELETE`](https://auth0.com/docs/api/management/v2/client-grants/delete-client-grants-by-id) request to `/client-grants/{id}`: + +```bash lines +curl --location --request DELETE 'https://{yourDomain}/api/v2/client-grants/{CLIENT_GRANT_ID}' \ +--header 'Authorization: Bearer {YOUR_MANAGEMENT_API_TOKEN}' +``` + +**Retrieve client grants** + +You can also query and paginate through the `client-grants` collections by using parameters like `client_id`, `audience`, or `subject_type`: + +```bash lines +curl --request GET \ +--url 'https://{yourDomain}/api/v2/client-grants?subject_type=user&audience=https%3A%2F%2Fapi.my-service.com' \ +--header 'Authorization: Bearer {YOUR_MANAGEMENT_API_TOKEN}' \ +--header 'Accept: application/json' +``` + + + +## Default permissions for third-party applications + 
+[Third-party applications](/docs/get-started/applications/third-party-applications) always require an explicit client grant to access any API, even when the API's [access policy](/docs/get-started/apis/api-access-policies-for-applications) is set to **Allow All**. To simplify management when you have many third-party applications or use [Dynamic Client Registration](/docs/get-started/applications/dynamic-client-registration), configure default permissions that apply to all third-party applications automatically. + +A default third-party client grant uses the `default_for` attribute instead of a `client_id`. You can also define per-application permissions by creating a client grant with a specific `client_id`. When both exist for the same API, the per-application grant takes precedence. + + +System APIs (the Management API, My Account API, and others) do not support default third-party client grants. Third-party applications cannot be granted access to system APIs. + + +The `default_for` and `client_id` attributes are mutually exclusive. Each client grant must specify exactly one of them. + +To learn how to configure API access policies for third-party applications, read [Configure Third-Party Applications](/docs/get-started/applications/third-party-applications/configure-third-party-applications#configure-api-access-policies). + +## Learn more + +* [API Access Policies for Applications](/docs/get-started/apis/api-access-policies-for-applications) +* [Application Grant Types](/docs/get-started/applications/application-grant-types) +* [Third-Party Applications](/docs/get-started/applications/third-party-applications) +* [Configure Third-Party Applications](/docs/get-started/applications/third-party-applications/configure-third-party-applications) diff --git a/main/docs/fr-ca/get-started/applications/application-grant-types.mdx b/main/docs/fr-ca/get-started/applications/application-grant-types.mdx index a9c8e1d171..90f6df215f 100644 
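Review bot: this new file lands under `main/docs/fr-ca/` but its body is entirely English, unlike every other fr-ca file touched in this PR; either translate it or move it to the English tree before merging. Within the content, three points need a fix. First, the opening sentence of "User-delegated access vs. client access" says client grants "define the final set of permissions", but the table below states that for `subject_type: user` the grant is only the maximum and the final scopes are the intersection with the request, RBAC and consent; say "maximum" in the lead sentence so the two agree. Second, the attributes table lists `scopes`, while the POST and PATCH examples send `"scope": [...]`; confirm which key the `/client-grants` endpoint accepts and use it consistently. Third, the "Default permissions for third-party applications" section introduces `default_for` as mutually exclusive with `client_id`, but `default_for` is missing from the attributes table and has no request example; add a row and a short POST body. Minor: the Dashboard note uses "Allow via client-grant" where the earlier section uses `require_client_grant`, and "To learn more read," has a misplaced comma.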
--- a/main/docs/fr-ca/get-started/applications/application-grant-types.mdx +++ b/main/docs/fr-ca/get-started/applications/application-grant-types.mdx @@ -103,6 +103,6 @@ Processus d’authentification de l’utilisateur qui utilise un facteur en plus ## En savoir plus * [Applications confidentielles et publiques](/docs/fr-ca/get-started/applications/confidential-and-public-applications) -* [Activer les applications tierces](/docs/fr-ca/get-started/applications/confidential-and-public-applications/enable-third-party-applications) -* [Applications de première et de tierce partie](/docs/fr-ca/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) +* [Activer les applications tierces](/docs/fr-ca/get-started/applications/third-party-applications/configure-third-party-applications) +* [Applications de première et de tierce partie](/docs/fr-ca/get-started/applications/first-party-and-third-party-applications) * [Paramètres fictifs d'URL de sous-domaine](/docs/fr-ca/get-started/applications/wildcards-for-subdomains) \ No newline at end of file diff --git a/main/docs/fr-ca/get-started/applications/application-settings.mdx b/main/docs/fr-ca/get-started/applications/application-settings.mdx index 3f09c9cb19..6edd4fee29 100644 --- a/main/docs/fr-ca/get-started/applications/application-settings.mdx +++ b/main/docs/fr-ca/get-started/applications/application-settings.mdx 
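Review bot: the link label "Activer les applications tierces" now points at `.../third-party-applications/configure-third-party-applications`, whose English title elsewhere in this PR is "Configure Third-Party Applications"; update the label to "Configurer les applications tierces" so the list entry matches the target page.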
@@ -133,5 +133,5 @@ Protocole de gestion des identités des utilisateurs à travers les domaines." c * [Supprimer les applications](/docs/fr-ca/get-started/applications/remove-applications) * [Configurer des applications avec OIDC Discovery](/docs/fr-ca/get-started/applications/configure-applications-with-oidc-discovery) * [Applications confidentielles et publiques](/docs/fr-ca/get-started/applications/confidential-and-public-applications) -* [Applications de première et de tierce partie](/docs/fr-ca/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) +* [Applications de première et de tierce partie](/docs/fr-ca/get-started/applications/first-party-and-third-party-applications) * [Vérifier les messages d’erreur](/docs/fr-ca/troubleshoot/basic-issues/check-error-messages) \ No newline at end of file diff --git a/main/docs/fr-ca/get-started/applications/confidential-and-public-applications.mdx b/main/docs/fr-ca/get-started/applications/confidential-and-public-applications.mdx index 3be696720d..12cf36c173 100644 --- a/main/docs/fr-ca/get-started/applications/confidential-and-public-applications.mdx +++ b/main/docs/fr-ca/get-started/applications/confidential-and-public-applications.mdx 
@@ -53,5 +53,5 @@ Les applications publiques ne pouvant contenir de secrets, les [jetons d’ID](/ ## En savoir plus * [Vérification du caractère confidentiel ou public d’une application](/docs/fr-ca/get-started/applications/confidential-and-public-applications/view-application-type) -* [Applications de première et de tierce partie](/docs/fr-ca/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) -* [User Consent and Third-Party Applications (Consentement de l’utilisateur et applications tierces)](/docs/fr-ca/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications) \ No newline at end of file +* [Applications de première et de tierce partie](/docs/fr-ca/get-started/applications/first-party-and-third-party-applications) +* [User Consent and Third-Party Applications (Consentement de l’utilisateur et applications tierces)](/docs/fr-ca/get-started/applications/third-party-applications/user-consent-and-third-party-applications) \ No newline at end of file diff --git a/main/docs/fr-ca/get-started/applications/confidential-and-public-applications/enable-third-party-applications.mdx b/main/docs/fr-ca/get-started/applications/confidential-and-public-applications/enable-third-party-applications.mdx deleted file mode 100644 index 0ce6bab52d..0000000000 --- a/main/docs/fr-ca/get-started/applications/confidential-and-public-applications/enable-third-party-applications.mdx +++ /dev/null 
@@ -1,80 +0,0 @@ ---- -title: "Activer les applications tierces" -'description': "Décrit comment activer les applications tierces pour votre locataire." ---- - -Vous pouvez activer les applications tierces pour votre locataire. Consultez [Applications de première et de tierce parties](/docs/fr-ca/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) pour en savoir plus sur les différences entre les deux types d’application. - -1. [Update your application’s ownership to third-party](/docs/fr-ca/get-started/applications/confidential-and-public-applications/update-application-ownership) in Auth0. - - Par défaut, les applications enregistrées dans Auth0 sont des applications internes. Si vous voulez que votre application soit une application tierce, vous devez mettre à jour sa propriété. -2. [Promouvoir les connexions que vous utiliserez avec des applications tierces au niveau du domaine](/docs/fr-ca/authenticate/identity-providers/promote-connections-to-domain-level) dans Auth0. - - Third-party applications can only authenticate users from [connections](/docs/fr-ca/connections) flagged as domain-level connections. Les connexions de niveau de domaine peuvent être activées pour des applications internes sélectionnées tout en étant également ouvertes à tous les utilisateurs d’applications tierces pour l’authentification. -3. Mettez à jour la page de connexion de votre application. Si vous utilisez [Lock](/docs/fr-ca/libraries/lock/v11) dans la page de [Connexion universelle](/docs/fr-ca/universal-login/classic), vous devez également : - - 1. Faire une mise à niveau vers Lock version 11 ou ultérieure. - 2. Définissez le drapeau `__useTenantInfo: config.isThirdPartyClient` lorsque vous instanciez Lock. - 3. 
Pour les utilisateurs du Nuage privé uniquement : Définissez [l’option `configurationBaseUrl`](https://auth0.com/docs/libraries/lock/v11/configuration#configurationbaseurl-string-) sur `https://{config.auth0Domain}/` lorsque vous instanciez Lock. - -## Permissions current_user_\* de jeton d’accès - -Ni les applications internes ni les applications tierces ne peuvent utiliser les jetons d’ID pour invoquer les points de terminaison du Management API. Elles doivent à la place obtenir des jetons d’accèss avec les permissions suivantes current_user_\* requises par chaque point de terminaison : - -| Permission | Point de terminaison | -| --- | --- | -| `read:current_user` | Énumérer ou chercher des utilisateurs | -| | Obtenir un utilisateur | -| | Obtenir les inscriptions à MFA d’un utilisateur | -| `update:current_user_metadata` | Mettre à jour un utilisateur | -| | Supprimer le fournisseur multifacteur d’un utilisateur | -| `create:current_user_device_credentials` | Créer une clé publique d’appareil | -| `delete:current_user_device_credentials` | Supprimer un identifiant d’appareil | -| `update:current_user_identities` | Lier un compte utilisateur | -| | Dissocier l’identité d’un utilisateur | - -## Exemple de script - -```html lines - -... - -``` - -## En savoir plus - -* [Applications de première et de tierce partie](/docs/fr-ca/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) -* [User Consent and Third-Party Applications (Consentement de l’utilisateur et applications tierces)](/docs/fr-ca/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications) -* [Promouvoir les connexions au niveau du domaine](/docs/fr-ca/authenticate/identity-providers/promote-connections-to-domain-level) \ No newline at end of file 
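Review bot: deleting this page removes the only fr-ca coverage of the Lock settings for third-party applications (`__useTenantInfo: config.isThirdPartyClient`, and `configurationBaseUrl` for Private Cloud) and of the `current_user_*` scope table for Management API endpoints; neither is reproduced in the visible diff. Confirm the replacement `configure-third-party-applications` page carries both, or readers lose the instructions for calling the Management API from a third-party app.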
diff --git a/main/docs/fr-ca/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications.mdx b/main/docs/fr-ca/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications.mdx deleted file mode 100644 index 778e7651f7..0000000000 --- a/main/docs/fr-ca/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications.mdx +++ /dev/null 
@@ -1,29 +0,0 @@ ---- -title: "Applications de première et de tierce partie" -'description': "Décrit la différence entre les types d’applications publiques et confidentielles." ---- - -Les applications peuvent être classées en tant que première partie ou tierce partie, ce qui fait référence à la propriété de l’application. La principale différence concerne les personnes qui ont un accès administratif à votre domaine Auth0. - -## Applications de première partie - -Les applications de première partie sont celles qui sont contrôlées par l’organisation ou la personne qui possède le domaine Auth0. Par exemple, supposons que vous ayez créé une API Contoso et une application qui se connecte à `contoso.com` et utilise l’API Contoso. Vous enregistrerez l’API et l’application sous le même domaine Auth0, et l’application sera une application de première partie. Par défaut, toutes les applications créées via le [Auth0 Dashboard](https://manage.auth0.com/#/applications) sont des applications tierces. - -## Applications tierces - -Les applications tierces sont contrôlées par une personne qui ne devrait probablement pas avoir d’accès administratif à votre domaine Auth0. Les applications tierces permettent à des parties externes ou à des partenaires d’accéder en toute sécurité à des ressources protégées derrière votre API. Prenons l’exemple de Facebook. Supposons que vous ayez créé une application pour obtenir l’ID et le secret client afin de l’intégrer à votre service. Cette application est considérée comme une tierce partie car elle n’appartient pas à Facebook mais à une tierce partie qui souhaite s’intégrer aux API et aux services de Facebook. - -Toutes les applications créées par l’intermédiaire de [Enregistrement dynamique des clients](/docs/fr-ca/get-started/applications/dynamic-client-registration) seront des applications tierces. 
Les applications tierces ne peuvent pas être créées à l’aide du Dashboard, mais doivent l’être par l’intermédiaire de l’Auth0 Management API en définissant `is_first_party` sur `false`. - -Les applications tierces présentent les caractéristiques uniques suivantes : - -* **Consentement de l’utilisateur** : Vous devez exiger le consentement de l’utilisateur lorsque vous utilisez des API, car n’importe qui peut créer une application. Le fait d’exiger le consentement de l’utilisateur améliore la sécurité. -* **Jetons d’ID**: Les [jetons d’ID](/docs/fr-ca/secure/tokens/id-tokens) générés pour les applications tierces ne contiennent que des informations minimales sur le profil utilisateur. -* **Connexions** : Vous ne pouvez utiliser que des connexions au niveau du locataire ou du domaine. Pour plus d’informations, consultez [Activer les applications tierces](/docs/fr-ca/get-started/applications/confidential-and-public-applications/enable-third-party-applications). - -## En savoir plus - -* [Mise à jour de la propriété d’une application](/docs/fr-ca/get-started/applications/confidential-and-public-applications/update-application-ownership) -* [Vérification du caractère confidentiel ou public d’une application](/docs/fr-ca/get-started/applications/confidential-and-public-applications/view-application-type) -* [User Consent and Third-Party Applications (Consentement de l’utilisateur et applications tierces)](/docs/fr-ca/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications) \ No newline at end of file diff --git a/main/docs/fr-ca/get-started/applications/confidential-and-public-applications/update-application-ownership.mdx b/main/docs/fr-ca/get-started/applications/confidential-and-public-applications/update-application-ownership.mdx deleted file mode 100644 index 79f4f2f4d9..0000000000 --- a/main/docs/fr-ca/get-started/applications/confidential-and-public-applications/update-application-ownership.mdx +++ /dev/null 
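Review bot: the removed text states "Par défaut, toutes les applications créées via le Auth0 Dashboard sont des applications tierces", which contradicts the following paragraph ("Les applications tierces ne peuvent pas être créées à l’aide du Dashboard") and the English `is_first_party` default; make sure the replacement fr-ca page says applications created in the Dashboard are first-party (de première partie) rather than carrying this error forward.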
@@ -1,235 +0,0 @@ ---- -title: "Mise à jour de la propriété d’une application" -'description': "Découvrez comment mettre à jour la propriété d’une application à l’aide de l’Auth0 Management API. Cela vous permettra d’indiquer si une application est enregistrée avec Auth0 comme application première partie ou comme application tierce partie." ---- -import {AuthCodeBlock} from "/snippets/AuthCodeBlock.jsx"; - -import {AuthCodeGroup} from "/snippets/AuthCodeGroup.jsx"; - -Vous pouvez utiliser l’Auth0 Management API pour mettre à jour la propriété d’une application, ce qui vous permettra de spécifier si une application est enregistrée avec Auth0 comme application première partie ou comme application tierce partie. - -Effectuez une requête `PATCH` au point de terminaison [Mettre à jour un client](/docs/fr-ca/api/management/v2#!/Clients/patch_clients_by_id). Assurez-vous de remplacer les valeurs des espaces réservés `{yourClientId}`, `{yourMgmtApiAccessToken}`, et `{ownershipBoolean}` avec les valeurs de votre ID client, votre jeton d’accès à Management API, et un booléen représentant la propriété de l’application, respectivement. 
- - -```bash cURL -curl --request PATCH \ - --url 'https://{yourDomain}/api/v2/clients/%7ByourClientId%7D' \ - --header 'authorization: Bearer {yourMgmtApiAccessToken}' \ - --header 'cache-control: no-cache' \ - --header 'content-type: application/json' \ - --data '{ "is_first_party": "{ownershipBoolean}" }' -``` -```csharp C# -var client = new RestClient("https://{yourDomain}/api/v2/clients/%7ByourClientId%7D"); -var request = new RestRequest(Method.PATCH); -request.AddHeader("content-type", "application/json"); -request.AddHeader("authorization", "Bearer {yourMgmtApiAccessToken}"); -request.AddHeader("cache-control", "no-cache"); -request.AddParameter("application/json", "{ "is_first_party": "{ownershipBoolean}" }", ParameterType.RequestBody); -IRestResponse response = client.Execute(request); -``` -```go Go -package main - -import ( - "fmt" - "strings" - "net/http" - "io/ioutil" -) - -func main() { - - url := "https://{yourDomain}/api/v2/clients/%7ByourClientId%7D" - - payload := strings.NewReader("{ "is_first_party": "{ownershipBoolean}" }") - - req, _ := http.NewRequest("PATCH", url, payload) - - req.Header.Add("content-type", "application/json") - req.Header.Add("authorization", "Bearer {yourMgmtApiAccessToken}") - req.Header.Add("cache-control", "no-cache") - - res, _ := http.DefaultClient.Do(req) - - defer res.Body.Close() - body, _ := ioutil.ReadAll(res.Body) - - fmt.Println(res) - fmt.Println(string(body)) - -} -``` -```java Java -HttpResponse response = Unirest.patch("https://{yourDomain}/api/v2/clients/%7ByourClientId%7D") - .header("content-type", "application/json") - .header("authorization", "Bearer {yourMgmtApiAccessToken}") - .header("cache-control", "no-cache") - .body("{ "is_first_party": "{ownershipBoolean}" }") - .asString(); -``` -```javascript Node.JS -var axios = require("axios").default; - -var options = { - method: 'PATCH', - url: 'https://{yourDomain}/api/v2/clients/%7ByourClientId%7D', - headers: { - 'content-type': 'application/json', - 
authorization: 'Bearer {yourMgmtApiAccessToken}', - 'cache-control': 'no-cache' - }, - data: {is_first_party: '{ownershipBoolean}'} -}; - -axios.request(options).then(function (response) { - console.log(response.data); -}).catch(function (error) { - console.error(error); -}); -``` -```objc Obj-C -#import - -NSDictionary *headers = @{ @"content-type": @"application/json", - @"authorization": @"Bearer {yourMgmtApiAccessToken}", - @"cache-control": @"no-cache" }; -NSDictionary *parameters = @{ @"is_first_party": @"{ownershipBoolean}" }; - -NSData *postData = [NSJSONSerialization dataWithJSONObject:parameters options:0 error:nil]; - -NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://{yourDomain}/api/v2/clients/%7ByourClientId%7D"] - cachePolicy:NSURLRequestUseProtocolCachePolicy - timeoutInterval:10.0]; -[request setHTTPMethod:@"PATCH"]; -[request setAllHTTPHeaderFields:headers]; -[request setHTTPBody:postData]; - -NSURLSession *session = [NSURLSession sharedSession]; -NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request - completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) { - if (error) { - NSLog(@"%@", error); - } else { - NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response; - NSLog(@"%@", httpResponse); - } - }]; -[dataTask resume]; -``` -```php PHP -$curl = curl_init(); - -curl_setopt_array($curl, [ - CURLOPT_URL => "https://{yourDomain}/api/v2/clients/%7ByourClientId%7D", - CURLOPT_RETURNTRANSFER => true, - CURLOPT_ENCODING => "", - CURLOPT_MAXREDIRS => 10, - CURLOPT_TIMEOUT => 30, - CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1, - CURLOPT_CUSTOMREQUEST => "PATCH", - CURLOPT_POSTFIELDS => "{ "is_first_party": "{ownershipBoolean}" }", - CURLOPT_HTTPHEADER => [ - "authorization: Bearer {yourMgmtApiAccessToken}", - "cache-control: no-cache", - "content-type: application/json" - ], -]); - -$response = curl_exec($curl); -$err = curl_error($curl); - -curl_close($curl); 
- -if ($err) { - echo "cURL Error #:" . $err; -} else { - echo $response; -} -``` -```python Python -import http.client - -conn = http.client.HTTPSConnection("") - -payload = "{ "is_first_party": "{ownershipBoolean}" }" - -headers = { - 'content-type': "application/json", - 'authorization': "Bearer {yourMgmtApiAccessToken}", - 'cache-control': "no-cache" - } - -conn.request("PATCH", "/{yourDomain}/api/v2/clients/%7ByourClientId%7D", payload, headers) - -res = conn.getresponse() -data = res.read() - -print(data.decode("utf-8")) -``` -```ruby Ruby -require 'uri' -require 'net/http' -require 'openssl' - -url = URI("https://{yourDomain}/api/v2/clients/%7ByourClientId%7D") - -http = Net::HTTP.new(url.host, url.port) -http.use_ssl = true -http.verify_mode = OpenSSL::SSL::VERIFY_NONE - -request = Net::HTTP::Patch.new(url) -request["content-type"] = 'application/json' -request["authorization"] = 'Bearer {yourMgmtApiAccessToken}' -request["cache-control"] = 'no-cache' -request.body = "{ "is_first_party": "{ownershipBoolean}" }" - -response = http.request(request) -puts response.read_body -``` -```swift Swift -import Foundation - -let headers = [ - "content-type": "application/json", - "authorization": "Bearer {yourMgmtApiAccessToken}", - "cache-control": "no-cache" -] -let parameters = ["is_first_party": "{ownershipBoolean}"] as [String : Any] - -let postData = JSONSerialization.data(withJSONObject: parameters, options: []) - -let request = NSMutableURLRequest(url: NSURL(string: "https://{yourDomain}/api/v2/clients/%7ByourClientId%7D")! as URL, - cachePolicy: .useProtocolCachePolicy, - timeoutInterval: 10.0) -request.httpMethod = "PATCH" -request.allHTTPHeaderFields = headers -request.httpBody = postData as Data - -let session = URLSession.shared -let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in - if (error != nil) { - print(error) - } else { - let httpResponse = response as? 
HTTPURLResponse - print(httpResponse) - } -}) - -dataTask.resume() -``` - - -| Valeur | Description | -| --- | --- | -| `{yourClientId}` | L’ID de l’application à mettre à jour. | -| `MGMT_API_ACCESS_TOKEN` | [Jetons d’accès à Management API](/docs/fr-ca/api/management/v2/tokens) avec la scope `update:clients`. | -| `OWNERSHIP_BOOLEAN` | La propriété que vous souhaitez spécifier pour l’application. Si l’application est de première partie, `is_first_party` elle doit avoir une valeur de `true`. Si l’application est tierce, `is_third_party` doit avoir une valeur de `false`. | - -## En savoir plus - -* [Applications de première et de tierce partie](/docs/fr-ca/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) -* [Afficher la propriété d’une application](/docs/fr-ca/get-started/applications/confidential-and-public-applications/view-application-ownership) -* [User Consent and Third-Party Applications (Consentement de l’utilisateur et applications tierces)](/docs/fr-ca/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications) -* [Activer les applications tierces](/docs/fr-ca/get-started/applications/confidential-and-public-applications/enable-third-party-applications) \ No newline at end of file diff --git a/main/docs/fr-ca/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications.mdx b/main/docs/fr-ca/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications.mdx deleted file mode 100644 index fcf60503c9..0000000000 --- a/main/docs/fr-ca/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications.mdx +++ /dev/null 
@@ -1,309 +0,0 @@ ---- -title: "User Consent and Third-Party Applications (Consentement de l’utilisateur et applications tierces)" -'description': "Apprenez à découpler les API des applications qui les utilisent et à définir les applications tierces que vous ne contrôlez pas ou auxquelles vous ne faites pas confiance." ---- -import {AuthCodeBlock} from "/snippets/AuthCodeBlock.jsx"; - -import {AuthCodeGroup} from "/snippets/AuthCodeGroup.jsx"; - -Le pipeline d’authentification conforme à l’[OIDC](/docs/fr-ca/authenticate/protocols/openid-connect-protocol) prend charge la définition des serveurs de ressources (tels que les API) en tant qu’entités distinctes des applications. Cela vous permet de découpler les API des applications qui les consomment, et vous permet également de définir des [applications tierces](/docs/fr-ca/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) permettant à des tiers d’accéder en toute sécurité à des ressources protégées derrière votre API. - -## Dialogue sur le consentement - -Si un utilisateur s’authentifie par l’intermédiaire d’une application tierce et que l’application demande l’autorisation d’accéder aux informations de l’utilisateur ou d’effectuer une action en son nom au niveau d’une API, l’utilisateur verra s’afficher une boîte de dialogue de consentement. - -Par exemple, cette demande : - -``` lines -GET /authorize? -client_id=some_third_party_client -&redirect_uri=https://fabrikam.com/contoso_social -&response_type=token id_token -&__scope=openid profile email read:posts write:posts__ -&__audience=https://social.contoso.com__ -&nonce=... -&state=... 
-``` - -Le dialogue de consentement de l’utilisateur s’affiche : - -![Authorization (Autorisation) - User consent and applications (Applications et consentement utilisateur) - consent-dialog (Dialogue de consentement)](/docs/images/fr-ca/cdy7uua7fh8z/5Cz3aZKw8RRVlMkc5Zl6x7/04e3b4f29cf44e23d39d96c1cf84e10e/2025-02-28_14-56-45.png) - -Si l’utilisateur autorise la demande de l’application, cela crée une autorisation de l’utilisateur, laquelle représente le consentement de l’utilisateur à cette combinaison d’application, de serveur de ressources et de permissions demandées. L’application reçoit alors une réponse d’authentification réussie de la part d’Auth0, comme d’habitude. - -Une fois le consentement donné, l’utilisateur ne verra plus la boîte de dialogue de consentement lors des connexions suivantes, jusqu’à ce qu’il révoque explicitement son consentement. - -## Description du permission - -Par défaut, la page de consentement utilisera les noms des champs d’application pour demander le consentement de l’utilisateur. Comme indiqué ci-dessous, vous devez déf](/docs/images/ermissions à l’aide du format **action:resource_name**. - -![Authorization (Autorisation) - User consent and applications (Applications et consentement utilisateur) - Consent scopes (Champs d’application du consentement)](/docs/images/fr-ca/cdy7uua7fh8z/3Z4Ofbj5yF7eg5cLfcauh9/c4f4e9e7065e29d1ae94cf71b1e8bc02/2025-02-28_15-01-05.png) - -La page de consentement regroupe les permissions d’une même ressource et affiche toutes les actions relatives à cette ressource sur une seule ligne. Par exemple, la configuration ci-dessus se traduirait par **Messages : consultez et écrivez vos messages**. - -Si vous souhaitez afficher le champ **Description** à la place, vous pouvez le faire en définissant le champ **use_scope_descriptions_for_consent** sur **true**. Cela affectera les invites de consentement pour toutes les API de ce locataire. 
- -Pour définir l’indicateur **use_scope_descriptions_for_consent** vous devrez faire la requête appropriée à l’API : - - -```bash cURL -curl --request PATCH \ - --url 'https://{yourDomain}/api/v2/tenants/settings' \ - --header 'authorization: Bearer API2_ACCESS_TOKEN' \ - --header 'cache-control: no-cache' \ - --header 'content-type: application/json' \ - --data '{ "flags": { "use_scope_descriptions_for_consent": true } }' -``` -```csharp C# -var client = new RestClient("https://{yourDomain}/api/v2/tenants/settings"); -var request = new RestRequest(Method.PATCH); -request.AddHeader("content-type", "application/json"); -request.AddHeader("authorization", "Bearer API2_ACCESS_TOKEN"); -request.AddHeader("cache-control", "no-cache"); -request.AddParameter("application/json", "{ "flags": { "use_scope_descriptions_for_consent": true } }", ParameterType.RequestBody); -IRestResponse response = client.Execute(request); -``` -```go Go -package main - -import ( - "fmt" - "strings" - "net/http" - "io/ioutil" -) - -func main() { - - url := "https://{yourDomain}/api/v2/tenants/settings" - - payload := strings.NewReader("{ "flags": { "use_scope_descriptions_for_consent": true } }") - - req, _ := http.NewRequest("PATCH", url, payload) - - req.Header.Add("content-type", "application/json") - req.Header.Add("authorization", "Bearer API2_ACCESS_TOKEN") - req.Header.Add("cache-control", "no-cache") - - res, _ := http.DefaultClient.Do(req) - - defer res.Body.Close() - body, _ := ioutil.ReadAll(res.Body) - - fmt.Println(res) - fmt.Println(string(body)) - -} -``` -```java Java -HttpResponse response = Unirest.patch("https://{yourDomain}/api/v2/tenants/settings") - .header("content-type", "application/json") - .header("authorization", "Bearer API2_ACCESS_TOKEN") - .header("cache-control", "no-cache") - .body("{ "flags": { "use_scope_descriptions_for_consent": true } }") - .asString(); -``` -```javascript Node.JS -var axios = require("axios").default; - -var options = { - method: 'PATCH', 
- url: 'https://{yourDomain}/api/v2/tenants/settings', - headers: { - 'content-type': 'application/json', - authorization: 'Bearer API2_ACCESS_TOKEN', - 'cache-control': 'no-cache' - }, - data: {flags: {use_scope_descriptions_for_consent: true}} -}; - -axios.request(options).then(function (response) { - console.log(response.data); -}).catch(function (error) { - console.error(error); -}); -``` -```objc Obj-C -#import - -NSDictionary *headers = @{ @"content-type": @"application/json", - @"authorization": @"Bearer API2_ACCESS_TOKEN", - @"cache-control": @"no-cache" }; -NSDictionary *parameters = @{ @"flags": @{ @"use_scope_descriptions_for_consent": @YES } }; - -NSData *postData = [NSJSONSerialization dataWithJSONObject:parameters options:0 error:nil]; - -NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://{yourDomain}/api/v2/tenants/settings"] - cachePolicy:NSURLRequestUseProtocolCachePolicy - timeoutInterval:10.0]; -[request setHTTPMethod:@"PATCH"]; -[request setAllHTTPHeaderFields:headers]; -[request setHTTPBody:postData]; - -NSURLSession *session = [NSURLSession sharedSession]; -NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request - completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) { - if (error) { - NSLog(@"%@", error); - } else { - NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response; - NSLog(@"%@", httpResponse); - } - }]; -[dataTask resume]; -``` -```php PHP -$curl = curl_init(); - -curl_setopt_array($curl, [ - CURLOPT_URL => "https://{yourDomain}/api/v2/tenants/settings", - CURLOPT_RETURNTRANSFER => true, - CURLOPT_ENCODING => "", - CURLOPT_MAXREDIRS => 10, - CURLOPT_TIMEOUT => 30, - CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1, - CURLOPT_CUSTOMREQUEST => "PATCH", - CURLOPT_POSTFIELDS => "{ "flags": { "use_scope_descriptions_for_consent": true } }", - CURLOPT_HTTPHEADER => [ - "authorization: Bearer API2_ACCESS_TOKEN", - "cache-control: no-cache", - 
"content-type: application/json" - ], -]); - -$response = curl_exec($curl); -$err = curl_error($curl); - -curl_close($curl); - -if ($err) { - echo "cURL Error #:" . $err; -} else { - echo $response; -} -``` -```python Python -import http.client - -conn = http.client.HTTPSConnection("") - -payload = "{ "flags": { "use_scope_descriptions_for_consent": true } }" - -headers = { - 'content-type': "application/json", - 'authorization': "Bearer API2_ACCESS_TOKEN", - 'cache-control': "no-cache" - } - -conn.request("PATCH", "/{yourDomain}/api/v2/tenants/settings", payload, headers) - -res = conn.getresponse() -data = res.read() - -print(data.decode("utf-8")) -``` -```ruby Ruby -require 'uri' -require 'net/http' -require 'openssl' - -url = URI("https://{yourDomain}/api/v2/tenants/settings") - -http = Net::HTTP.new(url.host, url.port) -http.use_ssl = true -http.verify_mode = OpenSSL::SSL::VERIFY_NONE - -request = Net::HTTP::Patch.new(url) -request["content-type"] = 'application/json' -request["authorization"] = 'Bearer API2_ACCESS_TOKEN' -request["cache-control"] = 'no-cache' -request.body = "{ "flags": { "use_scope_descriptions_for_consent": true } }" - -response = http.request(request) -puts response.read_body -``` -```swift Swift -import Foundation - -let headers = [ - "content-type": "application/json", - "authorization": "Bearer API2_ACCESS_TOKEN", - "cache-control": "no-cache" -] -let parameters = ["flags": ["use_scope_descriptions_for_consent": true]] as [String : Any] - -let postData = JSONSerialization.data(withJSONObject: parameters, options: []) - -let request = NSMutableURLRequest(url: NSURL(string: "https://{yourDomain}/api/v2/tenants/settings")! 
as URL, - cachePolicy: .useProtocolCachePolicy, - timeoutInterval: 10.0) -request.httpMethod = "PATCH" -request.allHTTPHeaderFields = headers -request.httpBody = postData as Data - -let session = URLSession.shared -let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in - if (error != nil) { - print(error) - } else { - let httpResponse = response as? HTTPURLResponse - print(httpResponse) - } -}) - -dataTask.resume() -``` - - -## Traiter les autorisations rejetées - -Si un utilisateur décide de refuser le consentement à l’application, il sera redirigé vers le `redirect_uri` spécifié dans la demande avec une erreur `access_denied` : - -``` lines -HTTP/1.1 302 Found -Location: https://fabrikam.com/contoso_social# - error=access_denied - &state=... -``` - -## Ignorer le consentement pour les applications de première partie - -Les applications de première partie peuvent ignorer la boîte de dialogue de consentement, mais uniquement si l’API à laquelle elles tentent d’accéder au nom de l’utilisateur dispose de l’option **Permettre d’ignorer le consentement de l’utilisateur**. - -Pour naviguer jusqu’à la bascule **Permettre d’ignorer le consentement de l’utilisateur** , sélectionnez **Applications > API > (sélectionnez l’API) > Paramètres > Paramètres d’accès**. - - - -Remarque : cette option permet aux applications de première partie vérifiables d’ignorer le consentement. Compte tenu que `localhost` n’est jamais une première partie vérifiable (car des applications malveillantes peuvent s’exécuter sur `localhost` pour un utilisateur), Auth0 affichera toujours un dialogue de consentement pour les applications s’exécutant sur `localhost`, peu importe si elles sont marquées ou non comme applications de première partie. 
Au cours du développement, vous pouvez contourner cette limitation en modifiant votre fichier `/etc/hosts` en y ajoutant une entrée comme suit : - -`127.0.0.1 myapp.example` - -De la même façon, vous ne pouvez pas ignorer le consentement (même pour les applications première partie) si `localhost` apparaît dans n’importe quel domaine dans le paramètre **URL de rappel autorisées** dans [Dashboard > Applications > Settings (Paramètres)](https://manage.auth0.com/#/applications/{yourClientId}/settings). Assurez-vous de mettre à jour les **URL de rappel autorisées** et l’URL de rappel autorisée dans votre application pour correspondre au mapping du domaine mis à jour. - - - -Puisque les applications tierces sont jugées ne pas être fiables, elles ne peuvent pas ignorer les boîtes de dialogue de consentement. - -## Révoquer le consentement - -Si un utilisateur a donné son consentement mais que vous souhaitez le révoquer : - -1. Accédez à [Auth0 Dashboard > Gestion des utilisateurs > Utilisateurs](https://manage.auth0.com/#/users), et cliquez sur l’utilisateur pour lequel vous souhaitez révoquer le consentement. -2. Cliquez sur l’onglet **Applications autorisées**, -3. Cliquez sur **Révoquer** à côté de l’application. - -## Flux basés sur un mot de passe - -Lors de l’utilisation du [Flux de mot de passe du propriétaire de ressource](/docs/fr-ca/get-started/authentication-and-authorization-flow/resource-owner-password-flow), il n’y a pas de dialogue de consentement car l’utilisateur fournit directement son mot de passe à l’application, ce qui équivaut à accorder à l’application un accès complet au compte de l’utilisateur. - -## Obliger les utilisateurs à donner leur consentement - -Lors de la redirection vers le point de terminaison `/authorize`, l’inclusion du paramètre `prompt=consent` obligera les utilisateurs à donner leur consentement, même s’ils disposent déjà d’une autorisation d’accès à l’application et aux permissions demandées. 
- -## En savoir plus - -* [Applications de première et de tierce partie](/docs/fr-ca/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) -* [Afficher la propriété d’une application](/docs/fr-ca/get-started/applications/confidential-and-public-applications/view-application-ownership) -* [Applications confidentielles et publiques](/docs/fr-ca/get-started/applications/confidential-and-public-applications) -* [Activer les applications tierces](/docs/fr-ca/get-started/applications/confidential-and-public-applications/enable-third-party-applications) -* [Types d’autorisation d’application](/docs/fr-ca/get-started/applications/application-grant-types) \ No newline at end of file diff --git a/main/docs/fr-ca/get-started/applications/confidential-and-public-applications/view-application-ownership.mdx b/main/docs/fr-ca/get-started/applications/confidential-and-public-applications/view-application-ownership.mdx deleted file mode 100644 index d612b1a579..0000000000 --- a/main/docs/fr-ca/get-started/applications/confidential-and-public-applications/view-application-ownership.mdx +++ /dev/null 
@@ -1,193 +0,0 @@ ---- -title: "Afficher la propriété d’une application" -'description': "Apprenez comment vérifier si une application est enregistrée auprès d’Auth0 en tant qu’application première ou tierce partie à l’aide de Management API Auth0." ---- -import {AuthCodeBlock} from "/snippets/AuthCodeBlock.jsx"; - -import {AuthCodeGroup} from "/snippets/AuthCodeGroup.jsx"; - -Vous pouvez utiliser Management API Auth0 pour vérifier si une application est enregistrée avec Auth0 comme application première partie ou comme application tierce partie. - -Effectuez une requête `GET` au point de terminaison [Récupérer un client](/docs/fr-ca/api/management/v2#!/Clients/get_clients_by_id). Assurez-vous de remplacer les valeurs des espaces réservés `{yourClientId}` -et `{yourMgmtApiAccessToken}` avec votre ID client et votre jeton d’accès de Management API, respectivement. - - -```bash cURL -curl --request GET \ - --url 'https://{yourDomain}/api/v2/clients/%7ByourClientId%7D?fields=is_first_party&include_fields=true' \ - --header 'authorization: Bearer {yourMgmtApiAccessToken}' -``` -```csharp C# -var client = new RestClient("https://{yourDomain}/api/v2/clients/%7ByourClientId%7D?fields=is_first_party&include_fields=true"); -var request = new RestRequest(Method.GET); -request.AddHeader("authorization", "Bearer {yourMgmtApiAccessToken}"); -IRestResponse response = client.Execute(request); -``` -```go Go -package main - -import ( - "fmt" - "net/http" - "io/ioutil" -) - -func main() { - - url := "https://{yourDomain}/api/v2/clients/%7ByourClientId%7D?fields=is_first_party&include_fields=true" - - req, _ := http.NewRequest("GET", url, nil) - - req.Header.Add("authorization", "Bearer {yourMgmtApiAccessToken}") - - res, _ := http.DefaultClient.Do(req) - - defer res.Body.Close() - body, _ := ioutil.ReadAll(res.Body) - - fmt.Println(res) - fmt.Println(string(body)) - -} -``` -```java Java -HttpResponse response = 
Unirest.get("https://{yourDomain}/api/v2/clients/%7ByourClientId%7D?fields=is_first_party&include_fields=true") - .header("authorization", "Bearer {yourMgmtApiAccessToken}") - .asString(); -``` -```javascript Node.JS -var axios = require("axios").default; - -var options = { - method: 'GET', - url: 'https://{yourDomain}/api/v2/clients/%7ByourClientId%7D', - params: {fields: 'is_first_party', include_fields: 'true'}, - headers: {authorization: 'Bearer {yourMgmtApiAccessToken}'} -}; - -axios.request(options).then(function (response) { - console.log(response.data); -}).catch(function (error) { - console.error(error); -}); -``` -```objc Obj-C -#import - -NSDictionary *headers = @{ @"authorization": @"Bearer {yourMgmtApiAccessToken}" }; - -NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://{yourDomain}/api/v2/clients/%7ByourClientId%7D?fields=is_first_party&include_fields=true"] - cachePolicy:NSURLRequestUseProtocolCachePolicy - timeoutInterval:10.0]; -[request setHTTPMethod:@"GET"]; -[request setAllHTTPHeaderFields:headers]; - -NSURLSession *session = [NSURLSession sharedSession]; -NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request - completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) { - if (error) { - NSLog(@"%@", error); - } else { - NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response; - NSLog(@"%@", httpResponse); - } - }]; -[dataTask resume]; -``` -```php PHP -$curl = curl_init(); - -curl_setopt_array($curl, [ - CURLOPT_URL => "https://{yourDomain}/api/v2/clients/%7ByourClientId%7D?fields=is_first_party&include_fields=true", - CURLOPT_RETURNTRANSFER => true, - CURLOPT_ENCODING => "", - CURLOPT_MAXREDIRS => 10, - CURLOPT_TIMEOUT => 30, - CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1, - CURLOPT_CUSTOMREQUEST => "GET", - CURLOPT_HTTPHEADER => [ - "authorization: Bearer {yourMgmtApiAccessToken}" - ], -]); - -$response = curl_exec($curl); -$err = curl_error($curl); - 
-curl_close($curl); - -if ($err) { - echo "cURL Error #:" . $err; -} else { - echo $response; -} -``` -```python Python -import http.client - -conn = http.client.HTTPSConnection("") - -headers = { 'authorization': "Bearer {yourMgmtApiAccessToken}" } - -conn.request("GET", "/{yourDomain}/api/v2/clients/%7ByourClientId%7D?fields=is_first_party&include_fields=true", headers=headers) - -res = conn.getresponse() -data = res.read() - -print(data.decode("utf-8")) -``` -```ruby Ruby -require 'uri' -require 'net/http' -require 'openssl' - -url = URI("https://{yourDomain}/api/v2/clients/%7ByourClientId%7D?fields=is_first_party&include_fields=true") - -http = Net::HTTP.new(url.host, url.port) -http.use_ssl = true -http.verify_mode = OpenSSL::SSL::VERIFY_NONE - -request = Net::HTTP::Get.new(url) -request["authorization"] = 'Bearer {yourMgmtApiAccessToken}' - -response = http.request(request) -puts response.read_body -``` -```swift Swift -import Foundation - -let headers = ["authorization": "Bearer {yourMgmtApiAccessToken}"] - -let request = NSMutableURLRequest(url: NSURL(string: "https://{yourDomain}/api/v2/clients/%7ByourClientId%7D?fields=is_first_party&include_fields=true")! as URL, - cachePolicy: .useProtocolCachePolicy, - timeoutInterval: 10.0) -request.httpMethod = "GET" -request.allHTTPHeaderFields = headers - -let session = URLSession.shared -let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in - if (error != nil) { - print(error) - } else { - let httpResponse = response as? HTTPURLResponse - print(httpResponse) - } -}) - -dataTask.resume() -``` - - -| Valeur | Description | -| --- | --- | -| `{yourClientId}` | Identifiant de l’application à mettre à jour. | -| `MGMT_API_ACCESS_TOKEN` | [Jetons d’accès à Management API](/docs/fr-ca/api/management/v2/tokens) avec la permission `read:clients`. | - -Si votre application est première partie, le champ `is_first_party` aura une valeur de `true`. 
Si votre application est tierce partie, le champ `is_first_party` aura une valeur de `false`. - -## En savoir plus - -* [Applications de première et de tierce partie](/docs/fr-ca/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) -* [Mise à jour de la propriété d’une application](/docs/fr-ca/get-started/applications/confidential-and-public-applications/update-application-ownership) -* [User Consent and Third-Party Applications (Consentement de l’utilisateur et applications tierces)](/docs/fr-ca/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications) -* [Activer les applications tierces](/docs/fr-ca/get-started/applications/confidential-and-public-applications/enable-third-party-applications) \ No newline at end of file diff --git a/main/docs/fr-ca/get-started/applications/dynamic-client-registration.mdx b/main/docs/fr-ca/get-started/applications/dynamic-client-registration.mdx index 868a12f99e..9b8101633c 100644 --- a/main/docs/fr-ca/get-started/applications/dynamic-client-registration.mdx +++ b/main/docs/fr-ca/get-started/applications/dynamic-client-registration.mdx 
@@ -497,5 +497,5 @@ Si vous avez besoin d’un accès à l’API, après l’authentification, vous ## En savoir plus -* [Applications de première et de tierce partie](/docs/fr-ca/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) -* [User Consent and Third-Party Applications (Consentement de l’utilisateur et applications tierces)](/docs/fr-ca/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications) \ No newline at end of file +* [Applications de première et de tierce partie](/docs/fr-ca/get-started/applications/first-party-and-third-party-applications) +* [User Consent and Third-Party Applications (Consentement de l’utilisateur et applications tierces)](/docs/fr-ca/get-started/applications/third-party-applications/user-consent-and-third-party-applications) \ No newline at end of file diff --git a/main/docs/fr-ca/get-started/applications/first-party-and-third-party-applications.mdx b/main/docs/fr-ca/get-started/applications/first-party-and-third-party-applications.mdx new file mode 100644 index 0000000000..3ad502d781 --- /dev/null +++ b/main/docs/fr-ca/get-started/applications/first-party-and-third-party-applications.mdx 
@@ -0,0 +1,209 @@ +--- +title: First-Party and Third-Party Applications +description: "Learn the difference between first-party and third-party applications in Auth0." +--- + +import {AuthCodeBlock} from "/snippets/AuthCodeBlock.jsx"; +import {AuthCodeGroup} from "/snippets/AuthCodeGroup.jsx"; + +When you register an application in Auth0, you decide whether it is first-party or third-party based on who owns and operates it. +- First-party applications: Owned and operated by your organization. You control their deployment, credentials, and behavior. +- Third-party applications: Owned and operated by an external organization, such as a partner, an independent developer, or an AI agent. You grant them access to your resources, but you cannot directly control what they do with that access. + + +"Third-party" refers to operational control, not authorship. Many organizations outsource development of their own applications. For example, a contractor building your application does not make it third-party. The key distinction is: who deploys it, who holds the credentials, and who can stop it. + + +Confidential/public and first-party/third-party are independent classifications. Confidential or public describes the application's authentication capability (whether it can hold a secret). First-party or third-party describes the trust relationship (who owns and operates the application). + +Both first-party and third-party applications can be confidential (Regular Web App) or public (SPA, Native). A third-party Regular Web App is both confidential and third-party. + +## First-party applications + +First-party applications are controlled by the same organization or person who owns the Auth0 domain. For example, let's say you created a Contoso API and an application that logs into `contoso.com` and consumes the Contoso API. You would register both the API and application under the same Auth0 domain, and the application would be a first-party application. 
By default, all applications created via the [Auth0 Dashboard](https://manage.auth0.com/#/applications) are first-party applications. + +## Third-party applications + +Third-party applications are controlled by someone who most likely should not have administrative access to your Auth0 domain. Third-party applications enable external parties or partners to securely access protected resources behind your API. + +For example, if a partner company builds a data analytics dashboard to visualize information from your service, they must first register their application in your Auth0 tenant to obtain a client ID and secret. Even though this application is registered within your environment, it is considered third-party because the code and credentials are owned and operated by the partner, not by your organization. + +All applications created through [Dynamic Client Registration](/docs/get-started/applications/dynamic-client-registration) are third-party applications. To learn more about third-party applications in Auth0, read [Third-Party Applications](/docs/get-started/applications/third-party-applications). + +## First-party vs. third-party in Auth0 + +The following table summarizes the differences between first-party and third-party applications in Auth0: + +| | **First-party** | **Third-party** | +|---|---|---| +| **API access** | Follows the API's configured access policy | Always requires an explicit [client grant](/docs/get-started/applications/application-access-to-apis-client-grants) | +| **Auth0 system APIs** | Accessible in user flows | Not accessible in user flows | +| **User consent** | Can be skipped (if enabled on the API) | Always required | +| **Grant types** | All supported grant types | `authorization_code` and `refresh_token` | +| **OIDC** | Supported | Not supported. Planned for a future release. | +| **Rules** | Executed | Not supported. Results in error. 
| +| **Non-OAuth protocols** (SAML, WsFed) | Supported | Not supported | +| **Organizations** | Supported | Not supported. Planned for a future release. | +| **Client ID format** | Standard format | `tpc_` prefix | +| **Connections** | All enabled connections | Domain-level connections | + +To learn more about third-party applications in Auth0, read [Third-Party Applications](/docs/get-started/applications/third-party-applications). + +## Application ownership + +Application ownership is determined at creation time and cannot be changed afterward. By default, applications are created as first-party, which applies less restrictive security settings. To ensure the appropriate [security controls](/docs/get-started/applications/third-party-applications/security-controls) are applied, you must correctly identify applications owned by external parties as third-party when creating them through the Auth0 Dashboard or Management API. To learn how, read [Configure Third-Party Applications](/docs/get-started/applications/third-party-applications/configure-third-party-applications). + + +Application ownership is immutable. You cannot convert a third-party application to first-party or vice versa. + + +## Check application ownership + +To check if an application is first-party or third-party: + + + +1. Navigate to **Applications > Applications**. +2. Select the application. Third-party applications display a badge indicating they are third-party. + +![Dashboard application settings showing third-party badge](/docs/images/third-party-applications/third-party-badge.png) + + +Make a `GET` call to the [Get a Client endpoint](https://auth0.com/docs/api/management/v2#!/Clients/get_clients_by_id). Be sure to replace `{YOUR_CLIENT_ID}` +and `{YOUR_MANAGEMENT_API_ACCESS_TOKEN}` placeholder values with your client ID and Management API Access Token, respectively. 
+ + +```bash cURL +curl --request GET \ + --url 'https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}?fields=is_first_party&include_fields=true' \ + --header 'authorization: Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}' +``` +```csharp C# +var client = new RestClient("https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}?fields=is_first_party&include_fields=true"); +var request = new RestRequest(Method.GET); +request.AddHeader("authorization", "Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}"); +IRestResponse response = client.Execute(request); +``` +```go Go +package main + +import ( + "fmt" + "net/http" + "io/ioutil" +) + +func main() { + + url := "https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}?fields=is_first_party&include_fields=true" + + req, _ := http.NewRequest("GET", url, nil) + + req.Header.Add("authorization", "Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}") + + res, _ := http.DefaultClient.Do(req) + + defer res.Body.Close() + body, _ := ioutil.ReadAll(res.Body) + + fmt.Println(res) + fmt.Println(string(body)) + +} +``` +```java Java +HttpResponse response = Unirest.get("https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}?fields=is_first_party&include_fields=true") + .header("authorization", "Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}") + .asString(); +``` +```javascript Node.JS +var axios = require("axios").default; + +var options = { + method: 'GET', + url: 'https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}', + params: {fields: 'is_first_party', include_fields: 'true'}, + headers: {authorization: 'Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}'} +}; + +axios.request(options).then(function (response) { + console.log(response.data); +}).catch(function (error) { + console.error(error); +}); +``` +```php PHP +$curl = curl_init(); + +curl_setopt_array($curl, [ + CURLOPT_URL => "https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}?fields=is_first_party&include_fields=true", + CURLOPT_RETURNTRANSFER => true, + CURLOPT_ENCODING => "", + CURLOPT_MAXREDIRS => 10, + 
CURLOPT_TIMEOUT => 30, + CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1, + CURLOPT_CUSTOMREQUEST => "GET", + CURLOPT_HTTPHEADER => [ + "authorization: Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}" + ], +]); + +$response = curl_exec($curl); +$err = curl_error($curl); + +curl_close($curl); + +if ($err) { + echo "cURL Error #:" . $err; +} else { + echo $response; +} +``` +```python Python +import http.client + +conn = http.client.HTTPSConnection("") + +headers = { 'authorization': "Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}" } + +conn.request("GET", "/{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}?fields=is_first_party&include_fields=true", headers=headers) + +res = conn.getresponse() +data = res.read() + +print(data.decode("utf-8")) +``` +```ruby Ruby +require 'uri' +require 'net/http' +require 'openssl' + +url = URI("https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}?fields=is_first_party&include_fields=true") + +http = Net::HTTP.new(url.host, url.port) +http.use_ssl = true +http.verify_mode = OpenSSL::SSL::VERIFY_NONE + +request = Net::HTTP::Get.new(url) +request["authorization"] = 'Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}' + +response = http.request(request) +puts response.read_body +``` + + +| Value | Description | +| --- | --- | +| `YOUR_CLIENT_ID` | Τhe ID of the application to be updated. | +| `YOUR_MANAGEMENT_API_ACCESS_TOKEN` | [Access Tokens for the Management API](https://auth0.com/docs/api/management/v2/tokens) with the [scope](/docs/glossary?term=scope) `read:clients`. | + +If the application is first-party, the `is_first_party` field will have a value of `true`. If the application is third-party, the `is_first_party` field will have a value of `false`. 
+ + + +## Learn more + +- [Third-Party Applications](/docs/get-started/applications/third-party-applications) +- [Security Controls for Third-Party Applications](/docs/get-started/applications/third-party-applications/security-controls) +- [Confidential and Public Applications](/docs/get-started/applications/confidential-and-public-applications) +- [User Consent and Third-Party Applications](/docs/get-started/applications/third-party-applications/user-consent-and-third-party-applications) diff --git a/main/docs/fr-ca/get-started/applications/revoke-api-access.mdx b/main/docs/fr-ca/get-started/applications/revoke-api-access.mdx new file mode 100644 index 0000000000..aaac63ccab --- /dev/null +++ b/main/docs/fr-ca/get-started/applications/revoke-api-access.mdx 
@@ -0,0 +1,27 @@ +--- +title: "Revoke Access to APIs Using Application Grants" +--- +Configuring your application grant so that the tokens you issue last for only a short period means that when it comes time for you to revoke access to a protected resource, you can simply delete the grant. At this point, the party with the access token only has a limited period between when you delete the grant and the token's expiration to make additional API requests. Because this is an easy (and safe) option to implement, we recommend you deny access to your APIs and other protected resources by revoking application grants. + +If, for example, you are using a Machine-to-Machine [application](/docs/get-started/applications) to access your [API](/docs/get-started/apis) and you have a partner that calls your API, and at the end of your existing contract, you and your partner decide not to renew your partnership. You now want to remove your partner's access to your API. The issue, however, is that you've given your partner an access token that lasts for a month. + +* What can you do in this situation? +* How might you configure your Auth0 environment to make such situations easier to handle in the future? + +## Application grants + +The main issue in this scenario is the length of time for which the API access token is valid: one month. + +By default, Auth0 issues access tokens that last for 24 hours. Setting the token's lifetime to 24 hours means that your partner must repeat the client credentials exchange (or whichever grant you've implemented) to obtain a new access token every 24 hours. To deny access to your partner due to the expiration of your contract, you can simply delete the application grant so that when their existing token expires, they cannot request a new one. + +You can change the lifetime of a token by setting the `token_lifetime` option. The specific lifetime appropriate to your use case will vary, but we recommend setting this value to be as short as possible. 
A good starting point for determining this value would be the window you consider allowable for the delay between deleting the grant and final use of the API. + +### Delete an application grant + +To delete an application grant, make the appropriate `DELETE` call to the Management API's [Delete an Application Grant endpoint](https://auth0.com/docs/api/management/v2#!/Client_Grants/delete_client_grants_by_id). As part of the call, you'll need to specify the ID of the application grant you want to delete, which you can obtain via the Management API's [Get all Application Grants endpoint](https://auth0.com/docs/api/management/v2#!/Client_Grants/get_client_grants). + +You can also [update an Application's grant types](/docs/get-started/applications/update-grant-types) through the Auth0 Dashboard. + +## Learn more + +* [Data Security](/docs/secure/security-guidance/data-security) \ No newline at end of file diff --git a/main/docs/fr-ca/get-started/applications/third-party-applications.mdx b/main/docs/fr-ca/get-started/applications/third-party-applications.mdx new file mode 100644 index 0000000000..90ead8345a --- /dev/null +++ b/main/docs/fr-ca/get-started/applications/third-party-applications.mdx 
@@ -0,0 +1,86 @@ +--- +title: Third-Party Applications +sidebarTitle: Overview +description: Configure third-party applications to access your APIs with enhanced security controls. +--- +import {AuthCodeBlock} from "/snippets/AuthCodeBlock.jsx"; +import {AuthCodeGroup} from "/snippets/AuthCodeGroup.jsx"; + +Third-party applications are applications owned and operated by an external organization—a partner, independent developer, or AI agent—that authenticate your users and access your APIs. + +Unlike [first-party applications](/docs/get-started/applications/first-party-and-third-party-applications#first-party-applications) that you directly control, third-party applications operate independently: you grant them access to your resources, but you cannot control what they do with that access. To learn more about the differences between first-party and third-party applications, read [First-Party and Third-Party Applications](/docs/get-started/applications/first-party-and-third-party-applications). + +Third-party applications have the following unique characteristics: + +* **Enhanced security controls**: Auth0 enforces [enhanced security controls](/docs/get-started/applications/third-party-applications/security-controls) for third-party applications, ensuring external applications can only access resources you explicitly authorize. Features intended for first-party use cases are not available. +* **User Consent**: Auth0 always requires user consent when a third-party application requests access to APIs. Consent cannot be skipped. +* **Connections**: Third-party applications can only authenticate users through domain-level connections. To learn more, read [Promote Connections to Domain Level](/docs/authenticate/identity-providers/promote-connections-to-domain-level). + +## Use cases + +Common third-party application use cases include: + +- **Partner integrations**: External partners build applications that call your APIs on the user's behalf. 
For example, a CRM vendor integrates with your platform so that mutual customers can sync data between both products. +- **AI agents and MCP clients**: AI-powered tools such as Claude Code, VS Code with Copilot, or custom MCP servers connect to your APIs to perform actions on the user's behalf. To learn more, read [Auth for MCP](https://auth0.com/ai/docs/mcp/intro/overview). +- **Developer ecosystems**: You expose APIs for external developers to build applications on your platform, whether through a developer portal, a marketplace, or [Dynamic Client Registration](/docs/get-started/applications/dynamic-client-registration). +- **Cross App Access (XAA)**: A workforce application in another organization's tenant accesses your APIs through a trust relationship, where the requesting application is modeled as a third-party application in your tenant. To learn more, read [Cross App Access](/docs/secure/call-apis-on-users-behalf/xaa). + +## Supported client types + +Third-party applications support both confidential and public client types: + +| **Client type** | **Application type** | **Use case** | +|---|---|---| +| Confidential | Regular Web App | Server-side partner integrations | +| Public | Single Page App | Browser-based partner widgets | +| Public | Native | Mobile partner applications | + +## Supported grant types + +Third-party applications support: + +- `authorization_code` with mandatory PKCE +- `refresh_token` + +Additional grant types such as `client_credentials` are planned for a future release. + +## Get started + +To set up a third-party application in Auth0, follow these steps: + +### Step 1: Create the application + +[Create a third-party application](/docs/get-started/applications/third-party-applications/configure-third-party-applications#create-a-third-party-application) using the Auth0 Dashboard or the Management API. 
+ +### Step 2: Configure API access + +Third-party applications always require explicit authorization to access your APIs, even when the API's access policy is set to **Allow All.** You configure API access policies through [client grants](/docs/get-started/applications/application-access-to-apis-client-grants). + +You can configure default permissions that apply to all third-party applications automatically. This is useful in cases where you manage many third-party applications or use [Dynamic Client Registration](/docs/get-started/applications/dynamic-client-registration). To learn more, read [Default Permissions for Third-Party Applications](/docs/get-started/applications/application-access-to-apis-client-grants#default-permissions-for-third-party-applications). + +You can also define specific permissions for individual applications through [client grants](/docs/get-started/applications/application-access-to-apis-client-grants). Per-application permissions take precedence over the defaults. To learn more, read [Configure client grants](/docs/get-started/applications/application-access-to-apis-client-grants#configure-client-grants). + +### Step 3: Configure connections + +Third-party applications can only authenticate users through connections promoted to the domain level. Domain-level connections are available to all third-party applications in the tenant. + +To promote a connection to the domain level, read [Promote Connections to Domain Level](/docs/authenticate/identity-providers/promote-connections-to-domain-level). + +### Step 4: Users provide consent + +When a user authenticates through a third-party application, Auth0 displays a consent dialog asking the user to approve the requested permissions. Consent is always required for third-party applications and cannot be skipped. + +To learn more, read [User Consent and Third-Party Applications](/docs/get-started/applications/third-party-applications/user-consent-and-third-party-applications). 
+ +## Dynamic Client Registration + +[Dynamic Client Registration](/docs/get-started/applications/dynamic-client-registration) creates third-party applications with enhanced security controls by default. Before enabling DCR for third-party applications, you must [configure default API permissions](/docs/get-started/applications/dynamic-client-registration#configure-api-access-for-dcr-clients) so dynamically registered clients can access your APIs. + +## Learn more + +- [First-Party and Third-Party Applications](/docs/get-started/applications/first-party-and-third-party-applications) +- [Security Controls for Third-Party Applications](/docs/get-started/applications/third-party-applications/security-controls) +- [Configure Third-Party Applications](/docs/get-started/applications/third-party-applications/configure-third-party-applications) +- [User Consent and Third-Party Applications](/docs/get-started/applications/third-party-applications/user-consent-and-third-party-applications) +- [Troubleshoot Third-Party Applications](/docs/get-started/applications/third-party-applications/troubleshooting) +- [Application Access to APIs: Client Grants](/docs/get-started/applications/application-access-to-apis-client-grants) diff --git a/main/docs/fr-ca/get-started/applications/third-party-applications/configure-third-party-applications.mdx b/main/docs/fr-ca/get-started/applications/third-party-applications/configure-third-party-applications.mdx new file mode 100644 index 0000000000..5248e848ab --- /dev/null +++ b/main/docs/fr-ca/get-started/applications/third-party-applications/configure-third-party-applications.mdx 
@@ -0,0 +1,224 @@ +--- +title: Configure Third-Party Applications +description: "Create and configure third-party applications using the Auth0 Dashboard or Management API." +--- +import {AuthCodeBlock} from "/snippets/AuthCodeBlock.jsx"; +import {AuthCodeGroup} from "/snippets/AuthCodeGroup.jsx"; + +Create third-party applications that allow external developers, partners, or AI agents to access your APIs with enhanced security controls. + +## Prerequisites + +Before creating a third-party application, make sure you have: + +- An Auth0 tenant with at least one [API (resource server)](/docs/get-started/apis) configured +- At least one [connection](/docs/authenticate/identity-providers) promoted to the [domain level](/docs/authenticate/identity-providers/promote-connections-to-domain-level) (for user-facing flows) + +## Create a third-party application + +Create a third-party application using the Auth0 Dashboard or Management API. + + +1. Navigate to **Applications > Applications**. +2. Select **Create Application**. +3. Enter a name for the application and select the application type: + - Regular Web App for server-side confidential clients + - Single Page App for browser-based public clients + - Native for mobile or desktop public clients +4. Check the **This application is owned by a third party** toggle. +5. Select **Create**. 
+ +![Dashboard Create Application dialog with third-party toggle enabled](/docs/images/third-party-applications/create-application-dialog.png) + + + +Make a `POST` request to the `/api/v2/clients` endpoint with the following request body: + + +```bash cURL wrap lines +curl --request POST \ + --url 'https://YOUR_DOMAIN/api/v2/clients' \ + --header 'Authorization: Bearer YOUR_MANAGEMENT_API_TOKEN' \ + --header 'Content-Type: application/json' \ + --data '{ + "name": "Partner Application", + "is_first_party": false, + "app_type": "regular_web", + "callbacks": ["https://partner.example.com/callback"], + "grant_types": ["authorization_code", "refresh_token"], + "token_endpoint_auth_method": "client_secret_post" + }' +``` + + +| **Parameter** | **Type** | **Description** | +|---------------|----------|-----------------| +| `name` | String | Required. The name of the application. | +| `is_first_party` | Boolean | Indicates whether the application is first-party (`true`) or third-party (`false`). | +| `app_type` | String | The type of application (e.g., `regular_web`, `native`, `spa`, `non_interactive`). | +| `callbacks` | Array | A list of allowed callback URLs for the redirect after authentication. | +| `grant_types` | Array | A list of types of OAuth2 grants this client is allowed to use. Third-party applications are only allowed to use `authorization_code` and `refresh_token`. To learn more, read [Supported grant types](/docs/get-started/applications/third-party-applications#supported-grant-types). | +| `token_endpoint_auth_method` | String | The authentication method for the token endpoint (e.g., `client_secret_post`). | + +If successful, Auth0 creates the application with a `tpc_` client ID prefix, `authorization_code` and `refresh_token` grant types, and sets `third_party_security_mode` to `strict`, indicating that enhanced security controls are enabled. 
+ +```json wrap lines +{ + "client_id": "tpc_aBcDeFgHiJkLmNoPqRsTuV", + "third_party_security_mode": "strict", + "is_first_party": false, + "name": "Partner Application", + "grant_types": ["authorization_code", "refresh_token"], + ... +} +``` + +| **Parameter** | **Type** | **Description** | +|---------------|----------|-----------------| +| `client_id` |String |The unique identifier for the application with a `tpc` prefix to indicate it's a third-party application created with strict mode enabled. | +| `third_party_security_mode` | String | Defines the security profile. Set to `strict` to enforce enhanced security constraints for third-party apps. | +| `is_first_party` | Boolean | Must be set to `false` when using `strict` security mode to identify the app as third-party. | +| `name` | String | The display name of the application. | +| `grant_types` | Array | The OAuth2 grant types this application is authorized to use (e.g., authorization_code). | + + + + +The `third_party_security_mode` property is set at creation and cannot be changed. To use a different security mode, create a new application. + + +## Configure API access policies + +Third-party applications require explicit client grants to access APIs. You can configure API access policies in the following ways: +- [Default permissions for all third-party applications](#default-permissions-for-all-third-party-applications) +- [Per-application permissions](#per-application-permissions) + +### Default permissions for all third-party applications + +Default permissions define a baseline set of APIs and scopes available to all third-party applications. This is required for [Dynamic Client Registration](/docs/get-started/applications/dynamic-client-registration), where you cannot configure access for each application individually. + + + +1. Navigate to **Applications > APIs** and select the API. +2. Go to the **Settings** tab. +3. Scroll to **Default Permissions for Third Party Apps**. +4. 
Select **Authorized** for User Access or Client Access. +5. Select the scopes to grant, then select **Save**. + +![Dashboard API Settings with Default Permissions for Third Party Apps](/docs/images/third-party-applications/default-permissions-settings.png) + + + +Make a `POST` request to the `/api/v2/client-grants` endpoint with the following request body: + + +```bash cURL wrap lines +curl --request POST \ + --url 'https://YOUR_DOMAIN/api/v2/client-grants' \ + --header 'Authorization: Bearer YOUR_MANAGEMENT_API_TOKEN' \ + --header 'Content-Type: application/json' \ + --data '{ + "default_for": "third_party_clients", + "audience": "https://api.example.com", + "scope": ["read:items", "write:items"], + "subject_type": "user" + }' +``` + + +| **Parameter** | **Type** | **Description** | +|---------------|----------|----------------| +| `default_for` | String | Specifies if this grant is automatically applied to certain app types. Set to `third_party_clients` to ensure all third-party apps have access to this API by default. | +| `audience` | String | The unique identifier (URI) of the API the grant is being created for. | +| `scope` | Array | A list of permissions (scopes) that are allowed as part of this grant. | +| `subject_type` | String | Defines the type of application access allowed for the API:
  • `user`: Used for user-delegated access, which corresponds to flows that generate a token associated with an end-user.
  • `client`: Used for machine-to-machine access, such as the Client Credentials Flow.
| +
+ +### Per-application permissions + +To grant a specific third-party application broader or narrower access than the defaults, create a client grant for that application's `client_id`: + + +```bash cURL wrap lines +curl --request POST \ + --url 'https://YOUR_DOMAIN/api/v2/client-grants' \ + --header 'Authorization: Bearer YOUR_MANAGEMENT_API_TOKEN' \ + --header 'Content-Type: application/json' \ + --data '{ + "client_id": "tpc_aBcDeFgHiJkLmNoPqRsTuV", + "audience": "https://api.example.com", + "scope": ["read:items", "write:items", "delete:items"], + "subject_type": "user" + }' +``` + +| **Parameter** | **Type** | **Description** | +|---------------|----------|----------------| +| `client_id` | String | Specifies the application you want to create the client grant for. | +| `audience` | String | The unique identifier (URI) of the API the grant is being created for. | +| `scope` | Array | A list of permissions (scopes) that are allowed as part of this grant. | +| `subject_type` | String | Defines the type of application access allowed for the API:
  • `user`: Used for user-delegated access, which corresponds to flows that generate a token associated with an end-user.
  • `client`: Used for machine-to-machine access, such as the Client Credentials Flow.
| +
+ +When both a per-application grant and a default grant exist for the same API, the per-application grant takes precedence. + +To learn more, read [Application Access to APIs: Client Grants](/docs/get-started/applications/application-access-to-apis-client-grants). + +## Configure connections + +Third-party applications can only authenticate users through domain-level connections. Once a connection is promoted to the domain level, it becomes available to all third-party applications in the tenant. + +To promote a connection: + +1. Navigate to **Auth0 Dashboard > Authentication** and select the connection type (Database, Social, Enterprise). +2. Select the connection you want to use with third-party applications. +3. Enable the **Promote Connection to Domain Level** toggle. + +To learn more, read [Promote Connections to Domain Level](/docs/authenticate/identity-providers/promote-connections-to-domain-level). + +## Configure open redirect protection + +Third-party applications with enhanced security controls have **Open Redirect Protection** enabled by default. When enabled, Auth0 does not: +- Redirect to the application's callback URL on authentication errors +- Expose `application.callback_domain` in email templates + +Only disable **Open Redirect Protection** for third-party applications where the configured callback URIs are trusted. To learn more, read [Redirect Protection](/docs/get-started/applications/third-party-applications/security-controls#redirect-protection). + + + +1. Navigate to **Applications > Applications** and select the third-party application. +2. Go to the **Settings** tab and scroll to **Open Redirect Protection**. +3. Toggle the setting on or off. +4. Select **Save**. 
+ +![Dashboard Open Redirect Protection toggle](/docs/images/third-party-applications/open-redirect-protection.png) + + + +Set the `redirection_policy` property when creating or updating the application: + +```bash +curl --request PATCH \ + --url 'https://{yourDomain}/api/v2/clients/{CLIENT_ID}' \ + --header 'Authorization: Bearer {YOUR_MANAGEMENT_API_TOKEN}' \ + --header 'Content-Type: application/json' \ + --data '{ + "redirection_policy": "allow_always" + }' +``` + +Set to `open_redirect_protection` to enable (default) or `allow_always` to disable. + + + +## Dynamic Client Registration + +All [dynamically registered clients](/docs/get-started/applications/dynamic-client-registration) are third-party applications. Before enabling DCR, configure [default API permissions](#default-permissions-for-all-third-party-applications) so that dynamically registered clients can access your APIs. + +## Learn more + +- [Third-Party Applications](/docs/get-started/applications/third-party-applications) +- [Security Controls for Third-Party Applications](/docs/get-started/applications/third-party-applications/security-controls) +- [User Consent and Third-Party Applications](/docs/get-started/applications/third-party-applications/user-consent-and-third-party-applications) +- [Dynamic Client Registration](/docs/get-started/applications/dynamic-client-registration) +- [Promote Connections to Domain Level](/docs/authenticate/identity-providers/promote-connections-to-domain-level) diff --git a/main/docs/fr-ca/get-started/applications/third-party-applications/permissive-mode.mdx b/main/docs/fr-ca/get-started/applications/third-party-applications/permissive-mode.mdx new file mode 100644 index 0000000000..4531390303 --- /dev/null +++ b/main/docs/fr-ca/get-started/applications/third-party-applications/permissive-mode.mdx 
@@ -0,0 +1,110 @@ +--- +title: Permissive Mode for Third-Party Applications +description: "Learn about permissive mode for third-party applications." +--- + +Customers who have at least one tenant using third-party applications before April 2026 may have applications operating in permissive mode. This mode preserves pre-existing behavior for backward compatibility. + +## Who can use permissive mode + +Permissive mode is available to customers who have at least one tenant with third-party applications before April 2026. All tenants under that customer's account can create permissive third-party applications, even tenants that did not previously have third-party applications. + +These customers can: + +- Continue operating pre-existing third-party applications with their current behavior +- Create new third-party applications with `third_party_security_mode: "permissive"` via the Management API +- Create new applications with enhanced security controls at any time + +Customers without prior third-party application usage always create applications with enhanced security controls. They cannot use permissive mode. + +## What permissive mode means + +Third-party applications in permissive mode behave similarly to first-party applications in terms of available features: + +- Most grant types are available (authorization code, implicit, client credentials, device code) +- OIDC scopes and ID tokens are supported +- API access follows the API's configured [access policy](/docs/get-started/apis/api-access-policies-for-applications) (not forced to require a client grant) +- Standard client ID format (no `tpc_` prefix) +- All client properties can be configured + +Permissive mode requires more configuration effort from the admin to enforce security controls. 
You are responsible for: + +- Configuring [API access policies](/docs/get-started/apis/api-access-policies-for-applications) on each API to control which third-party applications can access them +- Reviewing which grant types and features are enabled for each application +- Monitoring third-party application behavior through [tenant logs](/docs/deploy-monitor/logs) + +## The `third_party_security_mode` property + +Every third-party application has a `third_party_security_mode` property that indicates its security mode. This property is set at creation and cannot be changed. + +| **Value** | **Meaning** | +|---|---| +| `strict` | Enhanced security controls. OAuth 2.1 alignment, explicit API authorization, focused feature set. | +| `permissive` | Pre-existing behavior. All features available, admin configures security controls manually. | + +Third-party applications created before the introduction of security modes return `third_party_security_mode: "permissive"` in API responses. + +## Feature comparison + +| **Capability** | **Enhanced security controls (strict)** | **Pre-existing behavior (permissive)** | +|---|---|---| +| **Grant types** | `authorization_code`, `refresh_token` | Most grant types (except `password`) | +| **PKCE** | Mandatory | Optional | +| **OIDC** | Not supported. Planned for a future release. 
| Supported | +| **API authorization** | Always requires explicit client grant | Follows API access policy | +| **Classic Login** | Not supported | Supported | +| **Legacy endpoints** | Not supported | Available | +| **Client ID format** | `tpc_` prefix | Standard format | +| **Configurable properties** | [Curated set of properties](/docs/get-started/applications/third-party-applications/security-controls#restricted-client-configuration) | All properties | +| **Future capabilities** | Rate limits and future improved security and management capabilities | Not available | +| **Creation via Dashboard** | Supported | Not available via Dashboard | + +## Dynamic Client Registration in permissive mode + +If your account is eligible for permissive mode and you use [Dynamic Client Registration](/docs/get-started/applications/dynamic-client-registration), you can control the security mode for dynamically registered clients with a separate tenant setting. + + + +1. Navigate to **Settings > Advanced**. +2. Under **Dynamic Client Registration (DCR) Security Mode**, select **Permissive**. +3. Select **Save**. + +![Dashboard Advanced Tenant Settings with DCR Security Mode dropdown](/docs/images/third-party-applications/dcr-security-mode.png) + + + +```bash +curl --request PATCH \ + --url 'https://{yourDomain}/api/v2/tenants/settings' \ + --header 'Authorization: Bearer {YOUR_MANAGEMENT_API_TOKEN}' \ + --header 'Content-Type: application/json' \ + --data '{ + "dynamic_client_registration_security_mode": "permissive" + }' +``` + + + +The `dynamic_client_registration_security_mode` setting is independent of the default for applications created via `POST /api/v2/clients`. You can configure it at any time. + + +If you set `dynamic_client_registration_security_mode` to `strict`, configure [default API permissions](/docs/get-started/applications/application-access-to-apis-client-grants#default-permissions-for-third-party-applications) first. 
Without them, dynamically registered clients cannot access any APIs. + + +## Adopt enhanced security controls + +Auth0 recommends adopting enhanced security controls for all new third-party applications. The `third_party_security_mode` property cannot be changed after an application is created — you cannot convert an existing permissive application to strict, or vice versa. Instead, you choose which security mode to use when creating new applications going forward. + +To understand how the default for new applications is changing and how to prepare, read [Migrate to Enhanced Security for Third-Party Applications](/docs/troubleshoot/product-lifecycle/deprecations-and-migrations/migrate-to-enhanced-security-third-party-applications). + + +If you need to replace an existing permissive application with a strict one, you must create a new application. This invalidates all existing refresh tokens and user grants for the old application. Coordinate the cutover with the external party to minimize disruption. + + +## Learn more + +- [Third-Party Applications](/docs/get-started/applications/third-party-applications) +- [Security Controls for Third-Party Applications](/docs/get-started/applications/third-party-applications/security-controls) +- [Migrate to Enhanced Security for Third-Party Applications](/docs/troubleshoot/product-lifecycle/deprecations-and-migrations/migrate-to-enhanced-security-third-party-applications) +- [Application Access to APIs: Client Grants](/docs/get-started/applications/application-access-to-apis-client-grants) +- [API Access Policies for Applications](/docs/get-started/apis/api-access-policies-for-applications) diff --git a/main/docs/fr-ca/get-started/applications/third-party-applications/security-controls.mdx b/main/docs/fr-ca/get-started/applications/third-party-applications/security-controls.mdx new file mode 100644 index 0000000000..44dbe00b48 --- /dev/null 
+++ b/main/docs/fr-ca/get-started/applications/third-party-applications/security-controls.mdx 
@@ -0,0 +1,175 @@ +--- +title: Security Controls for Third-Party Applications +description: "Learn about the security controls Auth0 enforces for third-party applications, including OAuth 2.1 and API authorization." +--- + +Auth0 enforces enhanced security controls for third-party applications to ensure: + +- **Protocol-level security**: Align with [OAuth 2.1 best practices](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1) to ensure modern, secure authorization flows. +- **Feature scope**: Ensure that external applications can only access resources you explicitly authorize. + + +Auth0 regularly enhances security for third-party applications. Only features explicitly documented as supported should be used in production. Unsupported features may be modified or restricted without notice in future updates. + + +## OAuth 2.1 standards + +Third-party applications enforce modern OAuth standards: + +- **PKCE mandatory**: All authorization code flows require [Proof Key for Code Exchange](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce). This prevents authorization code interception attacks. +- **Supported grant types**: Only `authorization_code` and `refresh_token` are available. Additional grant types such as `client_credentials` are planned for a future release. +- **Implicit and password grants not supported**: Legacy grant types that expose tokens in the browser URL or require direct credential handling are not available for third-party applications. + +## Explicit API authorization + +Third-party applications always require a [client grant](/docs/get-started/applications/application-access-to-apis-client-grants) to access any API, regardless of the API's [access policy](/docs/get-started/apis/api-access-policies-for-applications). 
+ +| **API access policy** | **First-party applications** | **Third-party applications** | +|---|---|---| +| Allow All | Access granted | Requires client grant | +| Require Client Grant | Requires client grant | Requires client grant | +| Deny | Access denied | Access denied | + +Third-party applications must have an explicit grant, even when an API is configured with an **Allow All** policy. You can configure a per-application grant or a [default third-party permission](/docs/get-started/applications/application-access-to-apis-client-grants#default-permissions-for-third-party-applications). + +Third-party applications cannot be granted access to [system APIs](/docs/get-started/apis#system-apis) such as the Management API or My Account API. + +## Restricted client configuration + +You can only configure a curated set of client properties for third-party applications. When new properties are added to Auth0, they are not available for third-party applications unless explicitly reviewed and added to the supported set. 
+ +Key supported properties include: + +| **Property** | **Notes** | +|---|---| +| `name`, `description`, `logo_uri` | Basic metadata | +| `callbacks` | Redirect URIs | +| `allowed_origins`, `web_origins` | CORS and web_message origins | +| `grant_types` | Must be `authorization_code` or `refresh_token` | +| `token_endpoint_auth_method` | Authentication method for the token endpoint | +| `app_type` | Must be `regular_web`, `spa`, `native`, or `non_interactive` | +| `client_metadata` | Custom key-value metadata | +| `jwt_configuration.lifetime_in_seconds` | Access token lifetime (defaults to 3600) | +| `jwt_configuration.alg` | Signing algorithm (must be `RS256`; `HS256` not supported) | +| `refresh_token.*` | Rotation, expiration, leeway, lifetime settings | +| `client_authentication_methods` | Private Key JWT (`private_key_jwt` only; no mTLS) | +| `require_proof_of_possession` | DPoP configuration | +| `redirection_policy` | Redirect behavior for error flows and email templates | + +For the complete list of supported properties, read the [Create a Client endpoint](https://auth0.com/docs/api/management/v2/clients/post-clients) in the Management API reference. + +## Client ID format + +Third-party applications have a `client_id` with a `tpc_` prefix assigned at creation. This prefix enables Auth0 to classify and manage third-party application traffic separately, including rate limits for third-party applications. + +The security mode and application ownership are permanent design decisions: + +- `third_party_security_mode` cannot be changed after creation. +- Third-party applications cannot be converted to first-party applications, and vice versa. + +## Refresh token settings + +Third-party applications enforce secure refresh token settings: + +- **Expiration required**: Non-expiring refresh tokens are not available. Infinite idle lifetime is not available. 
+- **Rotation enabled by default for public clients**: SPA and Native third-party applications have refresh token rotation enabled by default, aligned with the [OAuth 2.1](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1) and [MCP](https://modelcontextprotocol.io/specification/draft/basic/authorization) requirements. +- **Configurable**: Admins can adjust rotation, leeway, and lifetime settings for manually created third-party applications. + +## Redirect protection + +The `redirection_policy` property controls how Auth0 handles redirects for third-party applications. It accepts two values: + +| **Value** | **Behavior** | +|---|---| +| `open_redirect_protection` (default for third-party apps) | Auth0 does not redirect to the app callback on authentication errors. The `application.callback_domain` variable is not exposed in email templates. | +| `allow_always` | Standard redirect behavior. | + +Redirects without user interaction can be an attack vector for phishing when the redirect URI is controlled by an untrusted party (open redirect). Only set `redirection_policy` to `allow_always` for applications where the configured callback URIs are trusted. + +When `open_redirect_protection` is active: + +- Authentication errors display an error page instead of redirecting to the application. +- Email templates (email verification, password reset, user blocked) will not have access to `{{ application.callback_domain }}`, so a fallback must be configured alongside any use of `{{ application.callback_domain }}`. For example: + +```liquid wrap lines +{% if application.callback_domain == '' %} + https://YOUR_FALLBACK_DOMAIN +{% endif %} +{% if application.callback_domain != '' %} + {{ application.callback_domain }}/result-page +{% endif %} +``` + +## `/authorize` parameter validation + +Auth0 validates the parameters sent to the `/authorize` endpoint for third-party applications. Only standard OAuth 2.0 and OpenID Connect parameters are accepted. 
+ +**Allowed parameters:** + +- `acr_values` +- `audience` +- `authorization_details` +- `client_id` +- `code_challenge` +- `code_challenge_method` +- `connection` +- `correlation_id` +- `display` +- `dpop_jkt` +- `ext-*` (custom parameters) +- `login_hint` +- `max_age` +- `nonce` +- `prompt` +- `redirect_uri` +- `resource` +- `response_type` +- `scope` +- `state` +- `ui_locales` + +**Not supported:** + +- `claims` +- `id_token_hint` +- `invitation` +- `login_ticket` +- `request` (JAR) +- `request_uri` (PAR) +- `screen_hint` + +Requests with unsupported parameters receive an `invalid_request` error. + +## Backward compatibility + +Some tenants that were using third-party applications before April 2026 may have applications operating with different security settings for backward compatibility. To learn more, read [Permissive Mode for Third-Party Applications](/docs/get-started/applications/third-party-applications/permissive-mode). + +## Features not supported + +The following features are not supported for third-party applications: + +| **Feature** | **Status** | +|---|---| +| **OIDC scopes and ID tokens** | Not supported. Planned for a future release. | +| **`/userinfo` endpoint** | Not supported. | +| **Auth0 system APIs** (Management API, MFA API, My Account API, My Orgs API) | Not supported. Third-party applications cannot access system APIs in user flows. | +| **MFA during refresh token exchange** | Not supported. Refresh token transactions that trigger MFA will result in an error. | +| **Rules** | Not supported. Tenants with active Rules will receive an error when a strict third-party application triggers a login flow. | +| **Non-OAuth Authentication API endpoints** (`/dbconnections/*`, `/passwordless/*`) | Not supported. | +| **Legacy endpoints** (`/delegation`, `/oauth/ro`) | Not supported. | +| **SAML, WsFed** | Not supported. | +| **Classic Login** | Not supported. Use [Universal Login](/docs/authenticate/login/auth0-universal-login). 
| +| **PAR, CIBA, Device Code** | Not supported. Planned for a future release. | +| **Logout endpoints** | Not supported. Use `POST /oauth/revoke` to revoke tokens. | +| **Cross-origin authentication** | Not supported. | +| **Backchannel logout** | Not supported. Planned for a future release. | +| **Client ID import** | Not supported. | +| **Wildcard subdomains in URLs** | Not supported. Callback URLs, allowed origins, and web origins must use exact URLs. | + +## Learn more + +- [Third-Party Applications](/docs/get-started/applications/third-party-applications) +- [Configure Third-Party Applications](/docs/get-started/applications/third-party-applications/configure-third-party-applications) +- [Troubleshoot Third-Party Applications](/docs/get-started/applications/third-party-applications/troubleshooting) +- [Application Access to APIs: Client Grants](/docs/get-started/applications/application-access-to-apis-client-grants) +- [Permissive Mode for Third-Party Applications](/docs/get-started/applications/third-party-applications/permissive-mode) diff --git a/main/docs/fr-ca/get-started/applications/third-party-applications/troubleshooting.mdx b/main/docs/fr-ca/get-started/applications/third-party-applications/troubleshooting.mdx new file mode 100644 index 0000000000..1817368095 --- /dev/null +++ b/main/docs/fr-ca/get-started/applications/third-party-applications/troubleshooting.mdx 
@@ -0,0 +1,136 @@ +--- +title: Troubleshoot Third-Party Applications +description: "Resolve common errors when working with third-party applications in Auth0." +--- + +Use this page to resolve common errors when integrating with third-party applications. For an overview of third-party application capabilities and restrictions, read [Security Controls for Third-Party Applications](/docs/get-started/applications/third-party-applications/security-controls). + +## Identify third-party application issues + +If you encounter an error during an OAuth flow, check if the application is a third-party application: + +- **Client ID prefix**: Third-party applications have a `client_id` that starts with `tpc_`. +- **Tenant logs**: In [Auth0 Dashboard > Monitoring > Logs](https://manage.auth0.com/#/logs), filter by the application to review error events. + +## Common errors + +### `unauthorized_client` when requesting tokens + +**Cause**: The third-party application does not have a client grant for the requested API. Third-party applications always require an explicit client grant, even when the API access policy is set to **Allow All**. + +**Solution**: Create a client grant for the application or configure default permissions for third-party applications. To learn more, read [Application Access to APIs: Client Grants](/docs/get-started/applications/application-access-to-apis-client-grants). + +```bash +curl --request POST \ + --url 'https://YOUR_DOMAIN/api/v2/client-grants' \ + --header 'Authorization: Bearer YOUR_MANAGEMENT_API_TOKEN' \ + --header 'Content-Type: application/json' \ + --data '{ + "default_for": "third_party_clients", + "audience": "https://api.example.com", + "scope": ["read:items", "write:items"], + "subject_type": "user" + }' +``` + +### `unauthorized_client` even with "Allow All" API policy + +**Cause**: The API's access policy setting of **Allow All** applies only to first-party applications. 
Third-party applications always require an explicit client grant regardless of this setting. + +**Solution**: Configure a [default permission for third-party applications](/docs/get-started/applications/application-access-to-apis-client-grants#default-permissions-for-third-party-applications) or create a per-application client grant. + +### `invalid_request` on `/authorize` with unsupported parameters + +**Cause**: Third-party applications enforce strict parameter validation on the `/authorize` endpoint. Parameters such as `screen_hint`, `login_ticket`, `invitation`, `request` (JAR), and `request_uri` (PAR) are not supported. + +**Solution**: Remove unsupported parameters from your authorization request. For the list of allowed parameters, read [Security Controls for Third-Party Applications](/docs/get-started/applications/third-party-applications/security-controls#authorize-parameter-validation). + +### `unsupported_response_type` for `id_token` or `token` + +**Cause**: Implicit flow (`response_type=token` or `response_type=id_token`) is not available for third-party applications. + +**Solution**: Use `response_type=code` with [PKCE](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce). + +### No ID token returned from `/oauth/token` + +**Cause**: Third-party applications with enhanced security controls do not return ID tokens or process OIDC scopes (`openid`, `profile`, `email`) in this release. The token endpoint will return an access token but no `id_token`. + +**Solution**: Use API-scoped access tokens to retrieve the information your application needs. OIDC support for third-party applications is planned for a future release. + +### Grant type not supported + +**Cause**: Only `authorization_code` and `refresh_token` grant types are supported. Grant types such as `implicit`, `password`, `client_credentials`, and `urn:ietf:params:oauth:grant-type:device_code` are not available. 
+ +**Solution**: Update the application to use the [Authorization Code Flow with PKCE](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce). + +### Classic Login not working + +**Cause**: [Classic Login](/docs/authenticate/login/auth0-universal-login/universal-login-vs-classic-login/classic-experience) is not supported for third-party applications. + +**Solution**: Use [Universal Login](/docs/authenticate/login/auth0-universal-login). Universal Login is the recommended login experience for all applications. + +### Client ID starts with `tpc_` + +**Cause**: Third-party applications automatically receive a `tpc_` prefix on their client ID for traffic classification. This is assigned at creation and cannot be changed. + +**Solution**: This is expected behavior. Update any client-side validation or database constraints to accommodate the longer client ID format. + +### Cannot change `is_first_party` or security mode + +**Cause**: The security mode and application ownership are permanent design decisions set at creation. They cannot be changed afterward. + +**Solution**: Create a new application with the desired configuration. You cannot convert an existing application between first-party and third-party, or between security modes. + +### Email verification or password reset shows an error page + +**Cause**: The application's `redirection_policy` is set to `open_redirect_protection`, which prevents Auth0 from exposing `application.callback_domain` in email templates. 
+ +**Solution**: Update your email templates with a Liquid conditional that provides a fallback for third-party applications: + +```liquid wrap lines +{% if application.callback_domain == '' %} + https://YOUR_FALLBACK_DOMAIN +{% endif %} +{% if application.callback_domain != '' %} + {{ application.callback_domain }}/result-page +{% endif %} +``` + +Alternatively, set `redirection_policy` to `allow_always` for trusted third-party applications created via the Dashboard or Management API. To learn more, read [Security Controls for Third-Party Applications](/docs/get-started/applications/third-party-applications/security-controls#redirect-protection). + +### DCR client cannot access any API + +**Cause**: Dynamically registered clients require default permissions configured before they can request tokens. Without default permissions, third-party DCR clients have no API access. + +**Solution**: Configure default permissions for third-party applications on each API the DCR clients need to access. To learn more, read [Configure Third-Party Applications](/docs/get-started/applications/third-party-applications/configure-third-party-applications#default-permissions-for-all-third-party-applications). + +### `/userinfo` returns error + +**Cause**: The `/userinfo` endpoint is not available for third-party applications in this release. + +**Solution**: Use API-scoped access tokens to retrieve the information your application needs. OIDC support, including `/userinfo`, is planned for a future release. + +### `/oauth/revoke` works but logout endpoints do not + +**Cause**: Logout endpoints (`/v2/logout`) are not available for third-party applications. + +**Solution**: Use `POST /oauth/revoke` to revoke refresh tokens. The application is responsible for clearing its own session state. + +### Connection not available for a third-party application + +**Cause**: The connection is not promoted to the domain level. 
Third-party applications can only authenticate users through domain-level connections. + +**Solution**: Promote the connection to the domain level. To learn more, read [Promote Connections to Domain Level](/docs/authenticate/identity-providers/promote-connections-to-domain-level). + +### Refresh token rotation causing issues + +**Cause**: Refresh token rotation is enabled by default for public (SPA, Native) third-party applications, aligned with OAuth 2.1 requirements. + +**Solution**: Ensure your application handles rotating refresh tokens correctly, where each token exchange returns a new refresh token, and the previous one is invalidated. Admins can adjust rotation settings for manually created applications via the Dashboard or Management API. + +## Learn more + +- [Third-Party Applications](/docs/get-started/applications/third-party-applications) +- [Security Controls for Third-Party Applications](/docs/get-started/applications/third-party-applications/security-controls) +- [Configure Third-Party Applications](/docs/get-started/applications/third-party-applications/configure-third-party-applications) +- [Application Access to APIs: Client Grants](/docs/get-started/applications/application-access-to-apis-client-grants) diff --git a/main/docs/fr-ca/get-started/applications/third-party-applications/user-consent-and-third-party-applications.mdx b/main/docs/fr-ca/get-started/applications/third-party-applications/user-consent-and-third-party-applications.mdx new file mode 100644 index 0000000000..f408751ca5 --- /dev/null +++ b/main/docs/fr-ca/get-started/applications/third-party-applications/user-consent-and-third-party-applications.mdx 
@@ -0,0 +1,125 @@ +--- +title: User Consent and Third-Party Applications +description: "Learn how Auth0 handles user consent when applications request access to APIs on the user's behalf." +validatedOn: 2026-03-31 +--- +import {AuthCodeBlock} from "/snippets/AuthCodeBlock.jsx"; +import {AuthCodeGroup} from "/snippets/AuthCodeGroup.jsx"; + +OAuth allows applications to access APIs on the user's behalf. Before an application can act on a user's behalf, the user must explicitly approve the requested permissions. This approval step is called user consent. + +For [third-party applications](/docs/get-started/applications/third-party-applications), user consent is always required. The user must approve every authorization request. For [first-party applications](/docs/get-started/applications/first-party-and-third-party-applications), consent can be skipped when configured, because you control the application and trust it to act appropriately. + +## Consent dialog + +When a third-party application redirects a user to the `/authorize` endpoint and requests access to an API, Auth0 displays a consent dialog listing the permissions the application is requesting. + +The following authorization request displays a consent dialog asking the user to approve the `read:posts` and `write:posts` permissions for the API: + +```http wrap lines +GET /authorize? + client_id=tpc_THIRD_PARTY_CLIENT_ID + &redirect_uri=https://partner.example.com/callback + &response_type=code + &scope=read:posts write:posts + &audience=https://social.example.com + &code_challenge=CODE_CHALLENGE + &code_challenge_method=S256 + &state=STATE_VALUE +``` + +![Authorization - User consent and applications - consent-dialog](/docs/images/cdy7uua7fh8z/5Cz3aZKw8RRVlMkc5Zl6x7/62ac54cbc470286d5c2139d47c604ebc/2025-02-28_14-57-52.png) + +If the user approves, Auth0 creates a user grant representing the user's consent to this combination of application, API, and requested scopes. 
The application receives an authorization code as usual. + +Once consent has been given, the user does not see the consent dialog during subsequent logins until consent is revoked explicitly. + + +Third-party applications with enhanced security controls do not support OIDC scopes (`openid`, `profile`, `email`) in this release. The consent dialog shows API scopes only. OIDC support for third-party applications is planned for a future release. + + +## Scope descriptions + +By default, the consent page uses scope names to prompt for the user's consent. As shown below, define scopes using the `action:resource_name` format for clear display: + +![Authorization - User consent and applications - Consent scopes](/docs/images/cdy7uua7fh8z/3Z4Ofbj5yF7eg5cLfcauh9/556bab9e627b0ff68b20664d149f1483/Blog_API_Permissions_-_English.png) + +The consent page groups scopes for the same API and displays all actions in a single line. For example, the configuration above results in **Posts: read and write your posts**. + +To display the **Description** field instead of the scope name, set the tenant's `use_scope_descriptions_for_consent` flag to `true`: + + +```bash cURL wrap lines +curl --request PATCH \ + --url 'https://YOUR_DOMAIN/api/v2/tenants/settings' \ + --header 'Authorization: Bearer YOUR_MANAGEMENT_API_TOKEN' \ + --header 'Content-Type: application/json' \ + --data '{ "flags": { "use_scope_descriptions_for_consent": true } }' +``` + + +This setting affects consent prompts for all APIs on the tenant. + +## Handle rejected permissions + +When a user declines consent, the behavior depends on the application's [redirection policy](/docs/get-started/applications/third-party-applications/security-controls#redirect-protection): + +- **`open_redirect_protection`** (default for third-party apps): Auth0 displays an error page instead of redirecting. This prevents open redirect attacks. 
+- **`allow_always`**: Auth0 redirects to the `redirect_uri` with an `access_denied` error: + +```http wrap lines +HTTP/1.1 302 Found +Location: https://partner.example.com/callback? + error=access_denied + &state=STATE_VALUE +``` + +## Skip consent for first-party applications + +First-party applications can skip the consent dialog when the API has the **Allow Skipping User Consent** option enabled. + +To navigate to the **Allow Skipping User Consent** toggle, select **Applications > APIs > (select the API) > Settings > Access Settings**. + +Third-party applications always require consent and cannot skip the consent dialog. + + +Even when consent is skipped for first-party applications, a login confirmation prompt may still appear when the application uses a non-verifiable callback URI (such as `localhost` or a custom URI scheme). This protects users against application impersonation on the same device. To learn more, read [Measures Against Application Impersonation](/docs/secure/security-guidance/measures-against-app-impersonation). + + +## Revoke consent + +To revoke a user's consent for a specific application: + +1. Navigate to **Auth0 Dashboard > User Management > Users**. +2. Select the user. +3. Select the **Authorized Applications** tab. +4. Select **Revoke** next to the application. + +## Password-based flows + +When using the [Resource Owner Password Flow](/docs/get-started/authentication-and-authorization-flow/resource-owner-password-flow), no consent dialog is involved because the user directly provides their password to the application, which is equivalent to granting the application full access to the user's account. + +## Force consent + +To force users to provide consent on every login (even if they have an existing grant), include `prompt=consent` in the `/authorize` request: + +```http wrap lines +GET /authorize? 
+ client_id=tpc_THIRD_PARTY_CLIENT_ID + &redirect_uri=https://partner.example.com/callback + &response_type=code + &scope=read:posts write:posts + &audience=https://social.example.com + &prompt=consent + &code_challenge=CODE_CHALLENGE + &code_challenge_method=S256 + &state=STATE_VALUE +``` + +## Learn more + +- [Third-Party Applications](/docs/get-started/applications/third-party-applications) +- [First-Party and Third-Party Applications](/docs/get-started/applications/first-party-and-third-party-applications) +- [Security Controls for Third-Party Applications](/docs/get-started/applications/third-party-applications/security-controls) +- [Application Grant Types](/docs/get-started/applications/application-grant-types) +- [Measures Against Application Impersonation](/docs/secure/security-guidance/measures-against-app-impersonation) diff --git a/main/docs/fr-ca/get-started/applications/wildcards-for-subdomains.mdx b/main/docs/fr-ca/get-started/applications/wildcards-for-subdomains.mdx index 95ef572803..a621af6385 100644 --- a/main/docs/fr-ca/get-started/applications/wildcards-for-subdomains.mdx +++ b/main/docs/fr-ca/get-started/applications/wildcards-for-subdomains.mdx 
@@ -59,5 +59,5 @@ Les restrictions suivantes s’appliquent lors de l’utilisation du paramètre ## En savoir plus * [Applications confidentielles et publiques](/docs/fr-ca/get-started/applications/confidential-and-public-applications) -* [Applications de première et de tierce partie](/docs/fr-ca/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) -* [Activer les applications tierces](/docs/fr-ca/get-started/applications/confidential-and-public-applications/enable-third-party-applications) \ No newline at end of file +* [Applications de première et de tierce partie](/docs/fr-ca/get-started/applications/first-party-and-third-party-applications) +* [Activer les applications tierces](/docs/fr-ca/get-started/applications/third-party-applications/configure-third-party-applications) \ No newline at end of file diff --git a/main/docs/fr-ca/get-started/architecture-scenarios/business-to-business/authorization.mdx b/main/docs/fr-ca/get-started/architecture-scenarios/business-to-business/authorization.mdx index 1b36535adf..3a35266005 100644 --- a/main/docs/fr-ca/get-started/architecture-scenarios/business-to-business/authorization.mdx +++ b/main/docs/fr-ca/get-started/architecture-scenarios/business-to-business/authorization.mdx 
@@ -69,7 +69,7 @@ Les [permissions OIDC](/docs/fr-ca/get-started/apis/scopes/openid-connect-scopes ## Intégration d’une API -Dans ce scénario, votre locataire Auth0 peut fournir un [jeton d’accès](/docs/fr-ca/secure/tokens/access-tokens) OAuth2, généralement sous la forme d’un [JWT](/docs/fr-ca/secure/tokens/json-web-tokens), qui peut être utilisé par votre API pour restreindre l’accès à certains utilisateurs. De plus, Auth0 prend en charge ce qui est généralement appelé des [Applications de première et de tierce parties](/docs/fr-ca/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications). +Dans ce scénario, votre locataire Auth0 peut fournir un [jeton d’accès](/docs/fr-ca/secure/tokens/access-tokens) OAuth2, généralement sous la forme d’un [JWT](/docs/fr-ca/secure/tokens/json-web-tokens), qui peut être utilisé par votre API pour restreindre l’accès à certains utilisateurs. De plus, Auth0 prend en charge ce qui est généralement appelé des [Applications de première et de tierce parties](/docs/fr-ca/get-started/applications/first-party-and-third-party-applications). Agissant en tant que serveur d’autorisation et avec le consentement de l’utilisateur (le propriétaire de la ressource), votre locataire Auth0 peut être utilisé pour fournir un jeton d’accès, généralement exprimé sous la forme d’un [JWT](/docs/fr-ca/secure/tokens/json-web-tokens) à une application (client) afin qu’elle puisse accéder à des ressources protégées hébergées par un serveur de ressources au nom du propriétaire de la ressource. Le jeton d’accès émis est généralement transmis en tant que jeton du porteur dans l’en-tête d’autorisation HTTP envoyé à une API. @@ -81,7 +81,7 @@ Les jetons d’accès OAuth2 sont principalement conçus pour sécuriser les API
-OAuth2 a été conçu spécifiquement pour l’accès des tiers. Par exemple, un utilisateur (propriétaire de la ressource) peut vouloir utiliser une application (un client) qui n’appartient pas à la même organisation que le service qui fournit les données de l’utilisateur (le serveur de ressources). Dans ce cas, lorsque l’application doit accéder aux données dont l’utilisateur est propriétaire, elle est redirigée vers l’organisation où se trouvent les données de l’utilisateur, qui à son tour authentifie l’utilisateur et l’invite ensuite à donner à l’application la permission d’accéder à ses données. Cette demande d’autorisation est appelée [consentement](/docs/fr-ca/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications) et constitue une grande partie de la prise en charge des [applications tierces](/docs/fr-ca/scopes/api-scopes#example-an-api-called-by-a-third-party-application). Si vous prévoyez d’intégrer des applications tierces, il est important de les marquer comme telles dès le début afin qu’Auth0 puisse gérer la demande de consentement de l’utilisateur. +OAuth2 a été conçu spécifiquement pour l’accès des tiers. Par exemple, un utilisateur (propriétaire de la ressource) peut vouloir utiliser une application (un client) qui n’appartient pas à la même organisation que le service qui fournit les données de l’utilisateur (le serveur de ressources). Dans ce cas, lorsque l’application doit accéder aux données dont l’utilisateur est propriétaire, elle est redirigée vers l’organisation où se trouvent les données de l’utilisateur, qui à son tour authentifie l’utilisateur et l’invite ensuite à donner à l’application la permission d’accéder à ses données. 
Cette demande d’autorisation est appelée [consentement](/docs/fr-ca/get-started/applications/third-party-applications/user-consent-and-third-party-applications) et constitue une grande partie de la prise en charge des [applications tierces](/docs/fr-ca/scopes/api-scopes#example-an-api-called-by-a-third-party-application). Si vous prévoyez d’intégrer des applications tierces, il est important de les marquer comme telles dès le début afin qu’Auth0 puisse gérer la demande de consentement de l’utilisateur. En revanche, si votre organisation est propriétaire de la ou des applications, des données utilisateur elles-mêmes et de la ou des API par lesquelles ces données sont accessibles, le consentement n’est généralement pas nécessaire car les interactions sont toutes de [première partie](/docs/fr-ca/scopes/api-scopes#example-an-api-called-by-a-first-party-application). Si vous ne créez que des applications de première partie, vous pouvez vous assurer que vous ne présentez pas à vos utilisateurs des écrans de consentement inutiles [en permettant d’ignorer le consentement de l’utilisateur](/docs/fr-ca/get-started/apis) dans le cadre de la définition d’un service de ressources. diff --git a/main/docs/fr-ca/get-started/architecture-scenarios/business-to-consumer/authorization.mdx b/main/docs/fr-ca/get-started/architecture-scenarios/business-to-consumer/authorization.mdx index 3d7c99915f..f00a3b1b90 100644 --- a/main/docs/fr-ca/get-started/architecture-scenarios/business-to-consumer/authorization.mdx +++ b/main/docs/fr-ca/get-started/architecture-scenarios/business-to-consumer/authorization.mdx 
@@ -58,7 +58,7 @@ Les[permissions OIDC](/docs/fr-ca/get-started/apis/scopes/openid-connect-scopes) ## Intégration de l’API -Dans ce scénario, votre locataire Auth0 peut fournir un [jeton d’accès](/docs/fr-ca/secure/tokens/access-tokens)OAuth2, généralement exprimé sous forme de [JWT](/docs/fr-ca/secure/tokens/json-web-tokens), qui peut être utilisé par votre API pour restreindre l’accès à certaines parties. De plus, Auth0 prend en charge ce qui est théoriquement décrit comme [Applications de première et de tierce parties](/docs/fr-ca/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications). +Dans ce scénario, votre locataire Auth0 peut fournir un [jeton d’accès](/docs/fr-ca/secure/tokens/access-tokens)OAuth2, généralement exprimé sous forme de [JWT](/docs/fr-ca/secure/tokens/json-web-tokens), qui peut être utilisé par votre API pour restreindre l’accès à certaines parties. De plus, Auth0 prend en charge ce qui est théoriquement décrit comme [Applications de première et de tierce parties](/docs/fr-ca/get-started/applications/first-party-and-third-party-applications). Agissant comme serveur d’autorisations, et avec le consentement de l’utilisateur (le propriétaire des ressources), votre locataire Auth0 peut être utilisé pour fournir un jeton d’accès (généralement exprimé sous forme de [JWT](/docs/fr-ca/secure/tokens/json-web-tokens) ) à une application (client) afin qu’elle puisse accéder à des ressources protégées hébergées par un serveur de ressources au nom du propriétaire des ressources. Le jeton d’accès émis est généralement transmis en tant que jeton du porteur dans l’en-tête d’autorisation HTTP envoyé à une API. @@ -70,7 +70,7 @@ Les jetons d’accès OAuth2 sont principalement conçus pour sécuriser les API
-OAuth2 a été conçu spécifiquement en tenant compte de l’accès de tiers. Par exemple, un scénario pourrait être qu’un utilisateur (propriétaire des ressources) souhaite utiliser une application (un client) qui n’appartient pas à la même organisation que le service qui fournit les données de l’utilisateur (le serveur de ressources). Dans ce cas, lorsque l’application a besoin d’accéder aux données que possède l’utilisateur, elle redirige vers l’organisation où se trouvent les données de l’utilisateur, qui authentifie ensuite l’utilisateur et l’invite à donner à l’application la permission d’accéder à ses données. Cette demande de permission est appelée fourniture de [consentement](/docs/fr-ca/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications) et constitue une grande partie de ce que signifie apporter un soutien aux [applications tierces](/docs/fr-ca/scopes/api-scopes#example-an-api-called-by-a-third-party-application). Si vous prévoyez d’intégrer des applications tierces, il est important de les marquer comme tierces dès le départ afin qu’Auth0 gère la demande de consentement de l’utilisateur. +OAuth2 a été conçu spécifiquement en tenant compte de l’accès de tiers. Par exemple, un scénario pourrait être qu’un utilisateur (propriétaire des ressources) souhaite utiliser une application (un client) qui n’appartient pas à la même organisation que le service qui fournit les données de l’utilisateur (le serveur de ressources). Dans ce cas, lorsque l’application a besoin d’accéder aux données que possède l’utilisateur, elle redirige vers l’organisation où se trouvent les données de l’utilisateur, qui authentifie ensuite l’utilisateur et l’invite à donner à l’application la permission d’accéder à ses données. 
Cette demande de permission est appelée fourniture de [consentement](/docs/fr-ca/get-started/applications/third-party-applications/user-consent-and-third-party-applications) et constitue une grande partie de ce que signifie apporter un soutien aux [applications tierces](/docs/fr-ca/scopes/api-scopes#example-an-api-called-by-a-third-party-application). Si vous prévoyez d’intégrer des applications tierces, il est important de les marquer comme tierces dès le départ afin qu’Auth0 gère la demande de consentement de l’utilisateur. En revanche, si votre organisation possède les applications, les données utilisateur elles-mêmes et les API par lesquelles ces données sont accessibles, alors le consentement n’est généralement pas nécessaire, car toutes les interactions sont de [première partie](/docs/fr-ca/scopes/api-scopes#example-an-api-called-by-a-first-party-application). Si vous ne créez que des applications de première partie, vous pouvez vous assurer de ne pas présenter à vos utilisateurs des écrans de consentement inutiles en [permettant d’omettre la partie réservée au consentement de l’utilisateur](/docs/fr-ca/get-started/apis) dans le cadre de toute définition de service de ressources. diff --git a/main/docs/fr-ca/libraries/auth0-single-page-app-sdk.mdx b/main/docs/fr-ca/libraries/auth0-single-page-app-sdk.mdx index f9c6e99d01..39c915bd2c 100644 --- a/main/docs/fr-ca/libraries/auth0-single-page-app-sdk.mdx +++ b/main/docs/fr-ca/libraries/auth0-single-page-app-sdk.mdx 
@@ -306,7 +306,7 @@ $('#getToken').click(async () => { }); ``` -La méthode `getTokenSilently()` nécessite que **Autoriser le contournement du consentement utilisateur** soit activé dans vos [Paramètres API dans Dashboard](https://manage.auth0.com/#/apis). En outre, le consentement de l’utilisateur [ne peut pas être ignoré sur ’localhost’](/docs/fr-ca/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications). +La méthode `getTokenSilently()` nécessite que **Autoriser le contournement du consentement utilisateur** soit activé dans vos [Paramètres API dans Dashboard](https://manage.auth0.com/#/apis). En outre, le consentement de l’utilisateur [ne peut pas être ignoré sur ’localhost’](/docs/fr-ca/get-started/applications/third-party-applications/user-consent-and-third-party-applications). ### Obtenir un jeton d’accès avec une fenêtre contextuelle diff --git a/main/docs/fr-ca/libraries/auth0js.mdx b/main/docs/fr-ca/libraries/auth0js.mdx index 0a3426d507..84389ec978 100644 --- a/main/docs/fr-ca/libraries/auth0js.mdx +++ b/main/docs/fr-ca/libraries/auth0js.mdx 
@@ -98,7 +98,7 @@ Si vous ne spécifiez pas au moins la permission ci-dessus lors de l’initialis `Consent required. Lorsque vous utilisez la méthode getSSOData, l’utilisateur doit être authentifié avec la permission suivante : openid profile email` -Cela ne se produira pas si vous exécutez votre application en production ou si vous spécifiez la permission `openid profile email`. Vous pouvez en lire davantage à ce sujet dans le document [Consentement de l’utilisateur et applications tierces](/docs/fr-ca/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications). +Cela ne se produira pas si vous exécutez votre application en production ou si vous spécifiez la permission `openid profile email`. Vous pouvez en lire davantage à ce sujet dans le document [Consentement de l’utilisateur et applications tierces](/docs/fr-ca/get-started/applications/third-party-applications/user-consent-and-third-party-applications). 
@@ -241,7 +241,7 @@ Service qui, après qu’un utilisateur se soit connecté à une application, le 1. Les deux applications tentant d’utiliser la SSO doivent être des applications de première partie. La SSO avec des applications tierces ne fonctionnera pas. 2. Elles doivent utiliser des domaines personnalisés et avoir à la fois les applications qui souhaitent bénéficier de la SSO et le locataire Auth0 sur le même domaine. Traditionnellement, les domaines Auth0 sont au format `foo.auth0.com`, mais les domaines personnalisés vous permettent d’utiliser le même domaine pour chacune des applications en question, ainsi que pour votre client Auth0, ce qui évite le risque d’attaques CSRF (Cross-Site Request Forgery). -Nous recommandons d’utiliser une connexion universelle au lieu de configurer la SSO dans des scénarios de connexion intégrée. La connexion universelle est la manière la plus fiable et stable de mettre en place la SSO, et c’est la seule option si vous devez utiliser plusieurs domaines pour vos applications, ou si vous utilisez des [applications tiers](/docs/fr-ca/get-started/applications/confidential-and-public-applications/enable-third-party-applications). +Nous recommandons d’utiliser une connexion universelle au lieu de configurer la SSO dans des scénarios de connexion intégrée. La connexion universelle est la manière la plus fiable et stable de mettre en place la SSO, et c’est la seule option si vous devez utiliser plusieurs domaines pour vos applications, ou si vous utilisez des [applications tiers](/docs/fr-ca/get-started/applications/third-party-applications/configure-third-party-applications). ## Connexion sans mot de passe diff --git a/main/docs/fr-ca/libraries/lock.mdx b/main/docs/fr-ca/libraries/lock.mdx index 1ba444ab32..b23951d3c7 100644 --- a/main/docs/fr-ca/libraries/lock.mdx +++ b/main/docs/fr-ca/libraries/lock.mdx 
@@ -214,7 +214,7 @@ Service qui, après qu’un utilisateur se soit connecté à une application, le 1. Les deux applications tentant d’utiliser la SSO doivent être des applications de première partie. La SSO avec des applications tierces ne fonctionnera pas. 2. Elles doivent utiliser des domaines personnalisés et avoir à la fois les applications qui souhaitent bénéficier de la SSO et le locataire Auth0 sur le même domaine. Traditionnellement, les domaines Auth0 sont au format `foo.auth0.com`, mais les domaines personnalisés vous permettent d’utiliser le même domaine pour chacune des applications en question, ainsi que pour votre client Auth0, ce qui évite le risque d’attaques CSRF (Cross-Site Request Forgery). -Nous recommandons d’utiliser une connexion universelle au lieu de configurer la SSO dans des scénarios de connexion intégrée. La connexion universelle est la manière la plus fiable et stable de mettre en place la SSO, et c’est la seule option si vous devez utiliser plusieurs domaines pour vos applications, ou si vous utilisez des [applications tiers](/docs/fr-ca/get-started/applications/confidential-and-public-applications/enable-third-party-applications). +Nous recommandons d’utiliser une connexion universelle au lieu de configurer la SSO dans des scénarios de connexion intégrée. La connexion universelle est la manière la plus fiable et stable de mettre en place la SSO, et c’est la seule option si vous devez utiliser plusieurs domaines pour vos applications, ou si vous utilisez des [applications tiers](/docs/fr-ca/get-started/applications/third-party-applications/configure-third-party-applications). ## Codes d’erreur et descriptions diff --git a/main/docs/fr-ca/libraries/lock/lock-authentication-parameters.mdx b/main/docs/fr-ca/libraries/lock/lock-authentication-parameters.mdx index 36c5c792bd..2e7f2c30c4 100644 --- a/main/docs/fr-ca/libraries/lock/lock-authentication-parameters.mdx +++ b/main/docs/fr-ca/libraries/lock/lock-authentication-parameters.mdx 
@@ -40,7 +40,7 @@ Si vous ne spécifiez pas au moins la permission par défaut du `openid profile `Consent required. Lorsque vous utilisez la méthode getSSOData, l’utilisateur doit être authentifié avec la permission suivante : openid profile email` -Cela ne se produira **pas** si vous exécutez votre application en production ou si vous spécifiez la permission `openid profile email`. Vous pouvez en lire davantage à ce sujet dans le document [Consentement de l’utilisateur et applications tierces](/docs/fr-ca/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications). +Cela ne se produira **pas** si vous exécutez votre application en production ou si vous spécifiez la permission `openid profile email`. Vous pouvez en lire davantage à ce sujet dans le document [Consentement de l’utilisateur et applications tierces](/docs/fr-ca/get-started/applications/third-party-applications/user-consent-and-third-party-applications). diff --git a/main/docs/fr-ca/secure/tokens/json-web-tokens/json-web-token-claims.mdx b/main/docs/fr-ca/secure/tokens/json-web-tokens/json-web-token-claims.mdx index bf2e20d153..8d4a1c8423 100644 --- a/main/docs/fr-ca/secure/tokens/json-web-tokens/json-web-token-claims.mdx +++ b/main/docs/fr-ca/secure/tokens/json-web-tokens/json-web-token-claims.mdx 
@@ -27,7 +27,7 @@ Il existe deux types de demandes JWT : ## Demandes enregistrées -La spécification JWT définit sept demandes réservées qui ne sont pas obligatoires, mais qui sont recommandées pour permettre l’interopérabilité avec des [applications tierces](/docs/fr-ca/get-started/applications/confidential-and-public-applications/enable-third-party-applications). Il s’agit de : +La spécification JWT définit sept demandes réservées qui ne sont pas obligatoires, mais qui sont recommandées pour permettre l’interopérabilité avec des [applications tierces](/docs/fr-ca/get-started/applications/third-party-applications/configure-third-party-applications). Il s’agit de : * `iss` (issuer) : Émetteur du JWT * `sub` (subject) : Sujet du JWT (l’utilisateur) diff --git a/main/docs/fr-ca/secure/tokens/refresh-tokens/multi-resource-refresh-token.mdx b/main/docs/fr-ca/secure/tokens/refresh-tokens/multi-resource-refresh-token.mdx index 369aafbb06..93978fa446 100644 --- a/main/docs/fr-ca/secure/tokens/refresh-tokens/multi-resource-refresh-token.mdx +++ b/main/docs/fr-ca/secure/tokens/refresh-tokens/multi-resource-refresh-token.mdx 
@@ -57,7 +57,7 @@ Learn how to [Configure and Implement Multi-resource refresh token](/docs/fr-ca/ ## Limitations * Each access token issued through MRRT is scoped to a single API. If your application requires access to multiple APIs, you must request separate access tokens for each API. -* MRRT supports only [first-party applications](https://auth0.com/docs/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications#first-party-applications). -* MRRT supports APIs configured to [allow skipping user consent](https://auth0.com/docs/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications#skip-consent-for-first-party-applications). +* MRRT supports only [first-party applications](https://auth0.com/docs/get-started/applications/first-party-and-third-party-applications#first-party-applications). +* MRRT supports APIs configured to [allow skipping user consent](https://auth0.com/docs/get-started/applications/third-party-applications/user-consent-and-third-party-applications#skip-consent-for-first-party-applications). * The Auth0 Management API can not be included in the MRRT policies. \ No newline at end of file diff --git a/main/docs/get-started/applications.mdx b/main/docs/get-started/applications.mdx index 3a0cdb0a16..e4ef9f0019 100644 --- a/main/docs/get-started/applications.mdx +++ b/main/docs/get-started/applications.mdx 
@@ -14,7 +14,7 @@ Auth0 categorizes apps based on these characteristics: + **Native application**: Mobile or Desktop applications that run natively on a device (such as iOS or Android). To learn how to set up a native application, read [Register Native Applications](/docs/get-started/auth0-overview/create-applications/native-apps). + **Machine to machine (M2M) application**: Non-interactive applications, such as command-line tools, daemons, IoT devices, or services running on your backend. Typically, you use this option if you have a service that requires access to an API. To learn how to set up a native application, read [Register Machine-to-Machine Applications](/docs/get-started/auth0-overview/create-applications/machine-to-machine-apps). * **Credential security**: According to the [OAuth 2.0 spec](https://tools.ietf.org/html/rfc6749#section-2.1), apps can be classified as either public or confidential; confidential apps can hold credentials securely, while public apps cannot. To learn more, read [Confidential and Public Applications](/docs/get-started/applications/confidential-and-public-applications). -* **Ownership**: Whether an app is classified as first- or third-party depends on app ownership and control. First-party apps are controlled by the same organization or person that owns the Auth0 domain. Third-party apps enable external parties or partners to securely access protected resources behind your API. To learn more, read [First-Party and Third-Party Applications](/docs/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications). +* **Ownership**: Whether an app is classified as first- or third-party depends on app ownership and control. First-party apps are controlled by the same organization or person that owns the Auth0 domain. Third-party apps enable external parties or partners to securely access protected resources behind your API. 
To learn more, read [First-Party and Third-Party Applications](/docs/get-started/applications/first-party-and-third-party-applications). ## Manage applications settings @@ -46,7 +46,7 @@ Auth0 provides many different authentication and authorization grant types or fl * [Application Settings](/docs/get-started/applications/application-settings) * [Confidential and Public Applications](/docs/get-started/applications/confidential-and-public-applications) -* [First-Party and Third-Party Applications](/docs/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) +* [First-Party and Third-Party Applications](/docs/get-started/applications/first-party-and-third-party-applications) * [Application Grant Types](/docs/get-started/applications/application-grant-types) * [Subdomain URL Placeholders](/docs/get-started/applications/wildcards-for-subdomains) * [Dynamic Application Registration](/docs/get-started/applications/dynamic-client-registration) diff --git a/main/docs/get-started/applications/application-access-to-apis-client-grants.mdx b/main/docs/get-started/applications/application-access-to-apis-client-grants.mdx index 553771c277..73b7a43d3e 100644 --- a/main/docs/get-started/applications/application-access-to-apis-client-grants.mdx +++ b/main/docs/get-started/applications/application-access-to-apis-client-grants.mdx 
@@ -37,7 +37,7 @@ The following table explains how client grants control application access to API | Access type | subject_type attribute | Description | | --- | --- | --- | | Client credential access (Machine-to-machine access) | Set `subject_type` to `client`. | The client grant directly authorizes the application to access the API on its own behalf instead of the end user’s behalf. The permissions you define in the client grant are the ones the application is authorized to receive in the access token. | -| User-delegated access | Set `subject_type` to `user`. | The client grant defines the maximum permissions the application can request from the API. The final permissions in the access token issued to the application on the user’s behalf are the intersection of the permissions:
  • Requested by the application
  • Allowed by the client grant
  • Allowed by [Role-Based Access Control policies](/docs/manage-users/access-control/rbac) for the user
  • [Consented to by the end user](/docs/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications), if applicable.

To learn more about user-delegated access flows, read [Authentication and Authorization Flows](/docs/get-started/authentication-and-authorization-flow). User-delegated access flows do not include the Client Credentials Flow. | +| User-delegated access | Set `subject_type` to `user`. | The client grant defines the maximum permissions the application can request from the API. The final permissions in the access token issued to the application on the user’s behalf are the intersection of the permissions:
  • Requested by the application
  • Allowed by the client grant
  • Allowed by [Role-Based Access Control policies](/docs/manage-users/access-control/rbac) for the user
  • [Consented to by the end user](/docs/get-started/applications/third-party-applications/user-consent-and-third-party-applications), if applicable.

To learn more about user-delegated access flows, read [Authentication and Authorization Flows](/docs/get-started/authentication-and-authorization-flow). User-delegated access flows do not include the Client Credentials Flow. | You can modify the final scopes granted by the authorization server to the application or user using [Actions](/docs/customize/actions). diff --git a/main/docs/get-started/applications/confidential-and-public-applications/enable-third-party-applications.mdx b/main/docs/get-started/applications/confidential-and-public-applications/enable-third-party-applications.mdx deleted file mode 100644 index 71a5583761..0000000000 --- a/main/docs/get-started/applications/confidential-and-public-applications/enable-third-party-applications.mdx +++ /dev/null 
@@ -1,83 +0,0 @@ ---- -description: Describes how to enable third-party applications for your tenant. -title: Enable Third-Party Applications ---- -You can enable third-party applications for your tenant. See [First-Party and Third-Party Applications](/docs/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) for details on the differences between the two types of applications. - -1. [Update your application's ownership to third-party](/docs/get-started/applications/confidential-and-public-applications/update-application-ownership) in Auth0. - - By default, applications registered in Auth0 are first-party applications. If you want your application to be a third-party application, you must update its ownership. -2. [Promote the connections you will use with third-party applications to domain level](/docs/authenticate/identity-providers/promote-connections-to-domain-level) in Auth0. - - Third-party applications can only authenticate users from [connections](/docs/authenticate/identity-providers) flagged as domain-level connections. Domain-level connections can be enabled for selected first-party applications while also being open to all third-party application users for authentication. -3. Update your application's login page. If you use [Lock](/docs/libraries/lock) in the [Universal Login Page](/docs/authenticate/login/auth0-universal-login/universal-login-vs-classic-login/classic-experience), you must also: - - 1. Upgrade to Lock version 11 or later. - 2. Set the `__useTenantInfo: config.isThirdPartyClient` flag when instantiating Lock. - 3. For Private Cloud users only: Set the [`configurationBaseUrl` option](/docs/libraries/lock/lock-configuration#configurationbaseurl-string-) to `https://{config.auth0Domain}/` when instantiating Lock. - -## Access token current_user_\* scopes - -Neither first- nor third-party applications can use ID tokens to invoke Management API endpoints. 
Instead, they should get access tokens with the following `current_user_*` scopes required by each endpoint: - -| Scope | Endpoint | -| --- | --- | -| `read:current_user` | List or search users | -| | Get a user | -| | Get user MFA enrollments | -| `update:current_user_metadata` | Update a user | -| | Delete a user's multi-factor provider | -| `create:current_user_device_credentials` | Create a device public key | -| `delete:current_user_device_credentials` | Delete a device credential | -| `update:current_user_identities` | Link a user account | -| | Unlink a user identity | - -## Script example - -```html lines expandable - -... - -``` - - - - - - -## Learn more - -* [First-Party and Third-Party Applications](/docs/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) -* [User Consent and Third-Party Applications](/docs/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications) -* [Promote Connections to Domain Level](/docs/authenticate/identity-providers/promote-connections-to-domain-level) \ No newline at end of file diff --git a/main/docs/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications.mdx b/main/docs/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications.mdx deleted file mode 100644 index 2e52ed2a85..0000000000 --- a/main/docs/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications.mdx +++ /dev/null 
@@ -1,28 +0,0 @@ ---- -description: Describes the difference between confidential and public application types. -title: First-Party and Third-Party Applications -validatedOn: 2026-02-06 ---- -Applications can be classified as either first-party or third-party, which refers to the ownership of the application. The main difference relates to who has administrative access to your Auth0 domain. - -## First-party applications - -First-party applications are those controlled by the same organization or person who owns the Auth0 domain. For example, let's say you created both a Contoso API and an application that logs into `contoso.com` and consumes the Contoso API. You would register both the API and application under the same Auth0 domain, and the application would be a first-party application. By default, all applications created via the [Auth0 Dashboard](https://manage.auth0.com/#/applications) are first-party applications. - -## Third-party applications - -Third-party applications are controlled by someone who most likely should not have administrative access to your Auth0 domain. Third-party applications enable external parties or partners to securely access protected resources behind your API. An example of this is with Facebook, let's say you created an application to get a client ID and secret to integrate with your service. That application is considered third-party because it is not owned by Facebook but a third-party that wants to integrate with Facebook APIs and services. - -All applications created through [Dynamic Client Registration](/docs/get-started/applications/dynamic-client-registration) will be third-party. Third-party applications cannot be created using the Dashboard, but must be created through the Auth0 Management API by setting `is_first_party` to `false`. - -Third-party applications have the following unique characteristics: - -* **User Consent**: You must require user consent when consuming APIs because anyone can create an application. 
Requiring the user to provide consent improves security. -* **ID Tokens**: [ID tokens](/docs/secure/tokens/id-tokens) generated for third-party applications hold only minimum user profile information. -* **Connections**: You can only use tenant-level connections or domain connections. For more information, see [Enable Third-party Applications](/docs/get-started/applications/confidential-and-public-applications/enable-third-party-applications). - -## Learn more - -* [Update Application Ownership](/docs/get-started/applications/confidential-and-public-applications/update-application-ownership) -* [Check if Application is Confidential or Public](/docs/get-started/applications/confidential-and-public-applications/view-application-type) -* [User Consent and Third-Party Applications](/docs/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications) diff --git a/main/docs/get-started/applications/confidential-and-public-applications/update-application-ownership.mdx b/main/docs/get-started/applications/confidential-and-public-applications/update-application-ownership.mdx deleted file mode 100644 index 8e842ff2e0..0000000000 --- a/main/docs/get-started/applications/confidential-and-public-applications/update-application-ownership.mdx +++ /dev/null 
@@ -1,175 +0,0 @@ ---- -description: Learn how to update application ownership using the Auth0 Management API. This will let you specify whether an application is registered with Auth0 as a first-party or third-party application. -title: Update Application Ownership -validatedOn: 2026-02-06 ---- -import {AuthCodeBlock} from "/snippets/AuthCodeBlock.jsx"; - -import {AuthCodeGroup} from "/snippets/AuthCodeGroup.jsx"; - -You can use Auth0's Management API to update application ownership, which allows you to specify whether an application is registered with Auth0 as a first-party or third-party application. - -Make a `PATCH` call to the [Update a Client endpoint](https://auth0.com/docs/api/management/v2#!/Clients/patch_clients_by_id). Be sure to replace `{YOUR_CLIENT_ID}`, `{YOUR_MANAGEMENT_API_ACCESS_TOKEN}`, and `{OWNERSHIP_BOOLEN}` placeholder values with your client ID, Management API Access Token, and boolean representing the application's ownership, respectively. - - -```bash cURL -curl --request PATCH \ - --url 'https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}' \ - --header 'authorization: Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}' \ - --header 'cache-control: no-cache' \ - --header 'content-type: application/json' \ - --data '{ "is_first_party": "{OWNERSHIP_BOOLEN}" }' -``` -```csharp C# -var client = new RestClient("https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}"); -var request = new RestRequest(Method.PATCH); -request.AddHeader("content-type", "application/json"); -request.AddHeader("authorization", "Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}"); -request.AddHeader("cache-control", "no-cache"); -request.AddParameter("application/json", "{ "is_first_party": "{OWNERSHIP_BOOLEAN}" }", ParameterType.RequestBody); -IRestResponse response = client.Execute(request); -``` -```go Go -package main - -import ( - "fmt" - "strings" - "net/http" - "io/ioutil" -) - -func main() { - - url := "https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}" - - payload := 
strings.NewReader("{ "is_first_party": "{OWNERSHIP_BOOLEAN}" }") - - req, _ := http.NewRequest("PATCH", url, payload) - - req.Header.Add("content-type", "application/json") - req.Header.Add("authorization", "Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}") - req.Header.Add("cache-control", "no-cache") - - res, _ := http.DefaultClient.Do(req) - - defer res.Body.Close() - body, _ := ioutil.ReadAll(res.Body) - - fmt.Println(res) - fmt.Println(string(body)) - -} -``` -```java Java -HttpResponse response = Unirest.patch("https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}") - .header("content-type", "application/json") - .header("authorization", "Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}") - .header("cache-control", "no-cache") - .body("{ "is_first_party": "{OWNERSHIP_BOOLEAN}" }") - .asString(); -``` -```javascript Node.JS -var axios = require("axios").default; - -var options = { - method: 'PATCH', - url: 'https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}', - headers: { - 'content-type': 'application/json', - authorization: 'Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}', - 'cache-control': 'no-cache' - }, - data: {is_first_party: '{OWNERSHIP_BOOLEAN}'} -}; - -axios.request(options).then(function (response) { - console.log(response.data); -}).catch(function (error) { - console.error(error); -}); -``` -```php PHP -$curl = curl_init(); - -curl_setopt_array($curl, [ - CURLOPT_URL => "https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}", - CURLOPT_RETURNTRANSFER => true, - CURLOPT_ENCODING => "", - CURLOPT_MAXREDIRS => 10, - CURLOPT_TIMEOUT => 30, - CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1, - CURLOPT_CUSTOMREQUEST => "PATCH", - CURLOPT_POSTFIELDS => "{ "is_first_party": "{OWNERSHIP_BOOLEAN}" }", - CURLOPT_HTTPHEADER => [ - "authorization: Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}", - "cache-control: no-cache", - "content-type: application/json" - ], -]); - -$response = curl_exec($curl); -$err = curl_error($curl); - -curl_close($curl); - -if ($err) { - echo "cURL Error 
#:" . $err; -} else { - echo $response; -} -``` -```python Python -import http.client - -conn = http.client.HTTPSConnection("") - -payload = "{ "is_first_party": "{OWNERSHIP_BOOLEAN}" }" - -headers = { - 'content-type': "application/json", - 'authorization': "Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}", - 'cache-control': "no-cache" - } - -conn.request("PATCH", "/{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}", payload, headers) - -res = conn.getresponse() -data = res.read() - -print(data.decode("utf-8")) -``` -```ruby Ruby -require 'uri' -require 'net/http' -require 'openssl' - -url = URI("https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}") - -http = Net::HTTP.new(url.host, url.port) -http.use_ssl = true -http.verify_mode = OpenSSL::SSL::VERIFY_NONE - -request = Net::HTTP::Patch.new(url) -request["content-type"] = 'application/json' -request["authorization"] = 'Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}' -request["cache-control"] = 'no-cache' -request.body = "{ "is_first_party": "{OWNERSHIP_BOOLEAN}" }" - -response = http.request(request) -puts response.read_body -``` - - -| Value | Description | -| --- | --- | -| `YOUR_CLIENT_ID` | Τhe ID of the application to be updated. | -| `YOUR_MANAGEMENT_API_ACCESS_TOKEN` | [Access Tokens for the Management API](https://auth0.com/docs/api/management/v2/tokens) with the [scope](/docs/glossary?term=scope) `update:clients`. | -| `OWNERSHIP_BOOLEAN` | The ownership you would like to specify for the application. If the application is first-party, `is_first_party` should have a value of `true`. If the application is third-party, `is_first_party` should have a value of `false`. 
| - -## Learn more - -* [First-Party and Third-Party Applications](/docs/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) -* [View Application Ownership](/docs/get-started/applications/confidential-and-public-applications/view-application-ownership) -* [User Consent and Third-Party Applications](/docs/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications) -* [Enable Third-Party Applications](/docs/get-started/applications/confidential-and-public-applications/enable-third-party-applications) diff --git a/main/docs/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications.mdx b/main/docs/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications.mdx deleted file mode 100644 index ab53673917..0000000000 --- a/main/docs/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications.mdx +++ /dev/null 
@@ -1,250 +0,0 @@ ---- -description: Learn how to decouple APIs from applications that consume them and define third-party apps that you don't control or may not trust. -title: User Consent and Third-Party Applications -validatedOn: 2026-02-06 ---- -import {AuthCodeBlock} from "/snippets/AuthCodeBlock.jsx"; - -import {AuthCodeGroup} from "/snippets/AuthCodeGroup.jsx"; - -The [OIDC](/docs/authenticate/protocols/openid-connect-protocol)-conformant authentication pipeline supports defining resource servers (such as APIs) as entities separate from applications. This lets you decouple APIs from the applications that consume them, and also lets you define [third-party applications](/docs/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) that allow external parties to securely access protected resources behind your API. - -## Consent dialog - -If a user authenticates through a third-party application and the application requests authorization to access the user's information or perform some action at an API on their behalf, the user will see a consent dialog. - -For example, this request: - -```http lines -GET /authorize? -client_id=some_third_party_client -&redirect_uri=https://fabrikam.com/contoso_social -&response_type=token id_token -&__scope=openid profile email read:posts write:posts__ -&__audience=https://social.contoso.com__ -&nonce=... -&state=... -``` - -Will result in this user consent dialog: - -![Authorization - User consent and applications - consent-dialog](/docs/images/cdy7uua7fh8z/5Cz3aZKw8RRVlMkc5Zl6x7/62ac54cbc470286d5c2139d47c604ebc/2025-02-28_14-57-52.png) - -If the user allows the application's request, this creates a user grant, which represents the user's consent to this combination of application, resource server, and requested scopes. The application then receives a successful authentication response from Auth0 as usual. 
- -Once consent has been given, the user won't see the consent dialog during subsequent logins until consent is revoked explicitly. - -## Scope descriptions - -By default, the consent page will use the scopes' names to prompt for the user's consent. As shown below, you should define scopes using the `action:resource_name` format. - -![Authorization - User consent and applications - Consent scopes](/docs/images/cdy7uua7fh8z/3Z4Ofbj5yF7eg5cLfcauh9/556bab9e627b0ff68b20664d149f1483/Blog_API_Permissions_-_English.png) - -The consent page groups scopes for the same resource and displays all actions for that resource in a single line. For example, the configuration above would result in **Posts: read and write your posts**. - -If you would like to display the **Description** field instead, you can do so by setting the tenant's `use_scope_descriptions_for_consent` to `true`. This will affect consent prompts for all of the APIs on that tenant. - -To set the `use_scope_descriptions_for_consent` flag, you will need to make the appropriate call to the API: - - -```bash cURL -curl --request PATCH \ - --url 'https://{YOUR_DOMAIN}/api/v2/tenants/settings' \ - --header 'authorization: Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}' \ - --header 'cache-control: no-cache' \ - --header 'content-type: application/json' \ - --data '{ "flags": { "use_scope_descriptions_for_consent": true } }' -``` -```csharp C# -var client = new RestClient("https://{YOUR_DOMAIN}/api/v2/tenants/settings"); -var request = new RestRequest(Method.PATCH); -request.AddHeader("content-type", "application/json"); -request.AddHeader("authorization", "Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}"); -request.AddHeader("cache-control", "no-cache"); -request.AddParameter("application/json", "{ "flags": { "use_scope_descriptions_for_consent": true } }", ParameterType.RequestBody); -IRestResponse response = client.Execute(request); -``` -```go Go -package main - -import ( - "fmt" - "strings" - "net/http" - "io/ioutil" -) - 
-func main() { - - url := "https://{YOUR_DOMAIN}/api/v2/tenants/settings" - - payload := strings.NewReader("{ "flags": { "use_scope_descriptions_for_consent": true } }") - - req, _ := http.NewRequest("PATCH", url, payload) - - req.Header.Add("content-type", "application/json") - req.Header.Add("authorization", "Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}") - req.Header.Add("cache-control", "no-cache") - - res, _ := http.DefaultClient.Do(req) - - defer res.Body.Close() - body, _ := ioutil.ReadAll(res.Body) - - fmt.Println(res) - fmt.Println(string(body)) - -} -``` -```java Java -HttpResponse response = Unirest.patch("https://{YOUR_DOMAIN}/api/v2/tenants/settings") - .header("content-type", "application/json") - .header("authorization", "Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}") - .header("cache-control", "no-cache") - .body("{ "flags": { "use_scope_descriptions_for_consent": true } }") - .asString(); -``` -```javascript Node.JS -var axios = require("axios").default; - -var options = { - method: 'PATCH', - url: 'https://{YOUR_DOMAIN}/api/v2/tenants/settings', - headers: { - 'content-type': 'application/json', - authorization: 'Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}', - 'cache-control': 'no-cache' - }, - data: {flags: {use_scope_descriptions_for_consent: true}} -}; - -axios.request(options).then(function (response) { - console.log(response.data); -}).catch(function (error) { - console.error(error); -}); -``` -```php PHP -$curl = curl_init(); - -curl_setopt_array($curl, [ - CURLOPT_URL => "https://{YOUR_DOMAIN}/api/v2/tenants/settings", - CURLOPT_RETURNTRANSFER => true, - CURLOPT_ENCODING => "", - CURLOPT_MAXREDIRS => 10, - CURLOPT_TIMEOUT => 30, - CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1, - CURLOPT_CUSTOMREQUEST => "PATCH", - CURLOPT_POSTFIELDS => "{ "flags": { "use_scope_descriptions_for_consent": true } }", - CURLOPT_HTTPHEADER => [ - "authorization: Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}", - "cache-control: no-cache", - "content-type: application/json" - 
], -]); - -$response = curl_exec($curl); -$err = curl_error($curl); - -curl_close($curl); - -if ($err) { - echo "cURL Error #:" . $err; -} else { - echo $response; -} -``` -```python Python -import http.client - -conn = http.client.HTTPSConnection("") - -payload = "{ "flags": { "use_scope_descriptions_for_consent": true } }" - -headers = { - 'content-type': "application/json", - 'authorization': "Bearer API2_ACCESS_TOKEN", - 'cache-control': "no-cache" - } - -conn.request("PATCH", "/{YOUR_DOMAIN}/api/v2/tenants/settings", payload, headers) - -res = conn.getresponse() -data = res.read() - -print(data.decode("utf-8")) -``` -```ruby Ruby -require 'uri' -require 'net/http' -require 'openssl' - -url = URI("https://{YOUR_DOMAIN}/api/v2/tenants/settings") - -http = Net::HTTP.new(url.host, url.port) -http.use_ssl = true -http.verify_mode = OpenSSL::SSL::VERIFY_NONE - -request = Net::HTTP::Patch.new(url) -request["content-type"] = 'application/json' -request["authorization"] = 'Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}' -request["cache-control"] = 'no-cache' -request.body = "{ "flags": { "use_scope_descriptions_for_consent": true } }" - -response = http.request(request) -puts response.read_body -``` - - -## Handle rejected permissions - -If a user decides to reject consent to the application, they will be redirected to the `redirect_uri` specified in the request with an `access_denied` error: - -```http lines -HTTP/1.1 302 Found -Location: https://fabrikam.com/contoso_social# - error=access_denied - &state=... -``` - -## Skip consent for first-party applications - -First-party applications can skip the consent dialog, but only if the API they are trying to access on behalf of the user has the **Allow Skipping User Consent** option enabled. 
- -To navigate to the **Allow Skipping User Consent** toggle, select **Applications > APIs > (select the api) > Settings > Access Settings.** - - - -Note that this option only allows verifiable first-party applications to skip consent at the moment. As `localhost` is never a verifiable first-party (because any malicious application may run on `localhost` for a user), Auth0 will always display the consent dialog for applications running on `localhost` regardless of whether they are marked as first-party applications. During development, you can work around this by modifying your `/etc/hosts` file to add an entry such as the following: - -`127.0.0.1 myapp.example` - -Similarly, you cannot skip consent (even for first-party applications) if `localhost` is used in the application's `redirect_uri` parameter and is present in any of the application's **Allowed Callback URLs** (found in [Dashboard > Applications > Settings](https://manage.auth0.com/#/applications)). - - - -Since third-party applications are assumed to be untrusted, they are not able to skip consent dialogs. - -## Revoke consent - -If a user has provided consent but you would like to revoke it: - -1. Go to [Auth0 Dashboard > User Management > Users](https://manage.auth0.com/#/users), and click the user for whom you would like to revoke consent. -2. Click the **Authorized Applications** tab, -3. Click **Revoke** next to the appropriate application. - -## Password-based flows - -When using the [Resource Owner Password Flow](/docs/get-started/authentication-and-authorization-flow/resource-owner-password-flow), no consent dialog is involved because the user directly provides their password to the application, which is equivalent to granting the application full access to the user's account. 
- -## Force users to provide consent - -When redirecting to the `/authorize` endpoint, including the `prompt=consent` parameter will force users to provide consent, even if they have an existing user grant for the application and requested scopes. - -## Learn more - -* [First-Party and Third-Party Applications](/docs/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) -* [View Application Ownership](/docs/get-started/applications/confidential-and-public-applications/view-application-ownership) -* [Confidential and Public Applications](/docs/get-started/applications/confidential-and-public-applications) -* [Enable Third-Party Applications](/docs/get-started/applications/confidential-and-public-applications/enable-third-party-applications) -* [Application Grant Types](/docs/get-started/applications/application-grant-types) diff --git a/main/docs/get-started/applications/confidential-and-public-applications/view-application-ownership.mdx b/main/docs/get-started/applications/confidential-and-public-applications/view-application-ownership.mdx deleted file mode 100644 index 879197b73a..0000000000 --- a/main/docs/get-started/applications/confidential-and-public-applications/view-application-ownership.mdx +++ /dev/null 
@@ -1,147 +0,0 @@ ---- -description: Learn how to check whether an application is registered with Auth0 as a first-party or third-party app using the Auth0 Management API. -title: View Application Ownership -validatedOn: 2026-02-06 ---- -import {AuthCodeBlock} from "/snippets/AuthCodeBlock.jsx"; - -import {AuthCodeGroup} from "/snippets/AuthCodeGroup.jsx"; - -You can use Auth0's Management API to check whether an application is registered with Auth0 as a first-party or third-party application. - -Make a `GET` call to the [Get a Client endpoint](https://auth0.com/docs/api/management/v2#!/Clients/get_clients_by_id). Be sure to replace `{YOUR_CLIENT_ID}` -and `{YOUR_MANAGEMENT_API_ACCESS_TOKEN}` placeholder values with your client ID and Management API Access Token, respectively. - - -```bash cURL -curl --request GET \ - --url 'https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}?fields=is_first_party&include_fields=true' \ - --header 'authorization: Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}' -``` -```csharp C# -var client = new RestClient("https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}?fields=is_first_party&include_fields=true"); -var request = new RestRequest(Method.GET); -request.AddHeader("authorization", "Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}"); -IRestResponse response = client.Execute(request); -``` -```go Go -package main - -import ( - "fmt" - "net/http" - "io/ioutil" -) - -func main() { - - url := "https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}?fields=is_first_party&include_fields=true" - - req, _ := http.NewRequest("GET", url, nil) - - req.Header.Add("authorization", "Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}") - - res, _ := http.DefaultClient.Do(req) - - defer res.Body.Close() - body, _ := ioutil.ReadAll(res.Body) - - fmt.Println(res) - fmt.Println(string(body)) - -} -``` -```java Java -HttpResponse response = Unirest.get("https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}?fields=is_first_party&include_fields=true") - 
.header("authorization", "Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}") - .asString(); -``` -```javascript Node.JS -var axios = require("axios").default; - -var options = { - method: 'GET', - url: 'https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}', - params: {fields: 'is_first_party', include_fields: 'true'}, - headers: {authorization: 'Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}'} -}; - -axios.request(options).then(function (response) { - console.log(response.data); -}).catch(function (error) { - console.error(error); -}); -``` -```php PHP -$curl = curl_init(); - -curl_setopt_array($curl, [ - CURLOPT_URL => "https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}?fields=is_first_party&include_fields=true", - CURLOPT_RETURNTRANSFER => true, - CURLOPT_ENCODING => "", - CURLOPT_MAXREDIRS => 10, - CURLOPT_TIMEOUT => 30, - CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1, - CURLOPT_CUSTOMREQUEST => "GET", - CURLOPT_HTTPHEADER => [ - "authorization: Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}" - ], -]); - -$response = curl_exec($curl); -$err = curl_error($curl); - -curl_close($curl); - -if ($err) { - echo "cURL Error #:" . 
$err; -} else { - echo $response; -} -``` -```python Python -import http.client - -conn = http.client.HTTPSConnection("") - -headers = { 'authorization': "Bearer {YOUR_MANAGEMENT_API_ACCES_TOKEN}" } - -conn.request("GET", "/{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}?fields=is_first_party&include_fields=true", headers=headers) - -res = conn.getresponse() -data = res.read() - -print(data.decode("utf-8")) -``` -```ruby Ruby -require 'uri' -require 'net/http' -require 'openssl' - -url = URI("https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}?fields=is_first_party&include_fields=true") - -http = Net::HTTP.new(url.host, url.port) -http.use_ssl = true -http.verify_mode = OpenSSL::SSL::VERIFY_NONE - -request = Net::HTTP::Get.new(url) -request["authorization"] = 'Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}' - -response = http.request(request) -puts response.read_body -``` - - -| Value | Description | -| --- | --- | -| `YOUR_CLIENT_ID` | Τhe ID of the application to be updated. | -| `YOUR_MANAGEMENT_API_ACCESS_TOKEN` | [Access Tokens for the Management API](https://auth0.com/docs/api/management/v2/tokens) with the [scope](/docs/glossary?term=scope) `read:clients`. | - -If the application is first-party, the `is_first_party` field will have a value of `true`. If the application is third-party, the `is_first_party` field will have a value of `false`. - -## Learn more - -* [First-Party and Third-Party Applications](/docs/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) -* [Update Application Ownership](/docs/get-started/applications/confidential-and-public-applications/update-application-ownership) -* [User Consent and Third-Party Applications](/docs/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications) -* [Enable Third-Party Applications](/docs/get-started/applications/confidential-and-public-applications/enable-third-party-applications) 
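Review bot: The deletion of view-application-ownership.mdx leaves no replacement link anywhere in this patch, even though the relocated first-party/third-party page's "Learn more" list referenced it; if the content is being moved, carry over the fixes the removed copy needed: the Python sample's header reads `Bearer {YOUR_MANAGEMENT_API_ACCES_TOKEN}` (missing "S", so it no longer matches the placeholder documented in the table), the table describes `YOUR_CLIENT_ID` as "the application to be updated" although this page only reads the client with `read:clients`, and the Ruby sample sets `http.verify_mode = OpenSSL::SSL::VERIFY_NONE`, which disables TLS certificate verification on a request that carries a Management API token.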
diff --git a/main/docs/get-started/applications/wildcards-for-subdomains.mdx b/main/docs/get-started/applications/wildcards-for-subdomains.mdx index 5175686f16..d1e2edb8df 100644 --- a/main/docs/get-started/applications/wildcards-for-subdomains.mdx +++ b/main/docs/get-started/applications/wildcards-for-subdomains.mdx @@ -120,5 +120,5 @@ You can combine the Custom Domain placeholder with the `{organization_name}` pla ## Learn more * [Confidential and Public Applications](/docs/get-started/applications/confidential-and-public-applications) -* [First-Party and Third-Party Applications](/docs/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) -* [Enable Third-Party Applications](/docs/get-started/applications/confidential-and-public-applications/enable-third-party-applications) +* [First-Party and Third-Party Applications](/docs/get-started/applications/first-party-and-third-party-applications) +* [Enable Third-Party Applications](/docs/get-started/applications/third-party-applications/configure-third-party-applications) diff --git a/main/docs/get-started/architecture-scenarios/business-to-business/authorization.mdx b/main/docs/get-started/architecture-scenarios/business-to-business/authorization.mdx index 0cb1e46567..211b965a1c 100644 --- a/main/docs/get-started/architecture-scenarios/business-to-business/authorization.mdx +++ b/main/docs/get-started/architecture-scenarios/business-to-business/authorization.mdx 
@@ -84,7 +84,7 @@ context.idToken["http://yourdomain.com/claims/organization"] = "organization A"; ## API integration -In this scenario your Auth0 tenant can provide an OAuth2 [Access Token](/docs/secure/tokens/access-tokens), typically expressed as a [JWT](/docs/secure/tokens/json-web-tokens), which can be used by your API to restrict access to certain parties. In addition, Auth0 provides support for what is notionally described as both [First-Party and Third-Party Applications](/docs/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications). +In this scenario your Auth0 tenant can provide an OAuth2 [Access Token](/docs/secure/tokens/access-tokens), typically expressed as a [JWT](/docs/secure/tokens/json-web-tokens), which can be used by your API to restrict access to certain parties. In addition, Auth0 provides support for what is notionally described as both [First-Party and Third-Party Applications](/docs/get-started/applications/first-party-and-third-party-applications). Acting as the authorization server, and with the consent of the user (the resource owner), your Auth0 tenant can be used to provide an Access Token—typically expressed as a [JWT](/docs/secure/tokens/json-web-tokens)—to an application (client) so that it can access a protected resources hosted by a resource server on behalf of the resource owner. The issued Access Token is typically passed as the Bearer token in the HTTP Authorization header sent to an API. 
@@ -96,7 +96,7 @@ OAuth2 Access Tokens are primarily designed for use in securing public facing AP -OAuth2 was designed specifically with third-party access in mind, For example, a scenario might be that a user (resource owner) wants to use an application (a client) that does not belong to the same organization as the service that provides the user's data (the reseource server). In this case, when the application needs to access data that the user owns, it redirects to the organization where the user’s data resides, which in turn authenticates the user and then prompts the user to give the application permission to access their data. This prompting for permission is referred to as providing [consent](/docs/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications) and is a large part of what providing support for [third party applications](/docs/get-started/apis/scopes/api-scopes#example-an-api-called-by-a-third-party-application) entails. If you are planning to integrate third-party applications, then it's important you mark them as third-party early on so that Auth0 will handle prompting for user consent. +OAuth2 was designed specifically with third-party access in mind, For example, a scenario might be that a user (resource owner) wants to use an application (a client) that does not belong to the same organization as the service that provides the user's data (the reseource server). In this case, when the application needs to access data that the user owns, it redirects to the organization where the user’s data resides, which in turn authenticates the user and then prompts the user to give the application permission to access their data. 
This prompting for permission is referred to as providing [consent](/docs/get-started/applications/third-party-applications/user-consent-and-third-party-applications) and is a large part of what providing support for [third party applications](/docs/get-started/apis/scopes/api-scopes#example-an-api-called-by-a-third-party-application) entails. If you are planning to integrate third-party applications, then it's important you mark them as third-party early on so that Auth0 will handle prompting for user consent. On the other hand, if your organization owns the application(s), the user data itself and the API(s) through which that data is accessed, then consent is not typically required as the interactions are all [first-party](/docs/get-started/apis/scopes/api-scopes#example-an-api-called-by-a-first-party-application). If you're only creating first-party applications, then you can ensure that you are not presenting your users with any unnecessary consent screen(s) by [allowing user consent to be skipped](/docs/get-started/apis) as part of any resource service definition. diff --git a/main/docs/get-started/architecture-scenarios/business-to-consumer/authorization.mdx b/main/docs/get-started/architecture-scenarios/business-to-consumer/authorization.mdx index 8ff97f066f..29699bcf5a 100644 --- a/main/docs/get-started/architecture-scenarios/business-to-consumer/authorization.mdx +++ b/main/docs/get-started/architecture-scenarios/business-to-consumer/authorization.mdx 
@@ -66,7 +66,7 @@ When you are considering adding custom claims, we recommend that you store any a ## API integration -In this scenario your Auth0 tenant can provide an OAuth2 [Access Token](/docs/secure/tokens/access-tokens), typically expressed as a [JWT](/docs/secure/tokens/json-web-tokens), which can be used by your API to restrict access to certain parties. In addition, Auth0 provides support for what is notionally described as both [First-Party and Third-Party Applications](/docs/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications). +In this scenario your Auth0 tenant can provide an OAuth2 [Access Token](/docs/secure/tokens/access-tokens), typically expressed as a [JWT](/docs/secure/tokens/json-web-tokens), which can be used by your API to restrict access to certain parties. In addition, Auth0 provides support for what is notionally described as both [First-Party and Third-Party Applications](/docs/get-started/applications/first-party-and-third-party-applications). Acting as the authorization server, and with the consent of the user (the resource owner), your Auth0 tenant can be used to provide an Access Token - typically expressed as a [JWT](/docs/secure/tokens/json-web-tokens) - to an application (client) so that it can access a protected resource hosted by a resource server on behalf of the resource owner. The issued Access Token is typically passed as the Bearer token in the HTTP Authorization header sent to an API. 
@@ -78,7 +78,7 @@ OAuth2 Access Tokens are primarily designed for use in securing public facing AP -OAuth2 was designed specifically with third-party access in mind, for example, a scenario might be that a user (resource owner) wants to use an application (a client) that does not belong to the same organization as the service that provides the user's data (the resource server). In this case, when the application needs to access data that the user owns, it redirects to the organization where the user’s data resides, which in turn authenticates the user and then prompts the user to give the application permission to access their data. This prompting for permission is referred to as providing [consent](/docs/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications) and is a large part of what providing support for [third party applications](/docs/get-started/apis/scopes/api-scopes#example-an-api-called-by-a-third-party-application) entails. If you are planning to integrate third-party applications, then it's important you mark them as third-party early on so that Auth0 will handle prompting for user consent. +OAuth2 was designed specifically with third-party access in mind, for example, a scenario might be that a user (resource owner) wants to use an application (a client) that does not belong to the same organization as the service that provides the user's data (the resource server). In this case, when the application needs to access data that the user owns, it redirects to the organization where the user’s data resides, which in turn authenticates the user and then prompts the user to give the application permission to access their data. 
This prompting for permission is referred to as providing [consent](/docs/get-started/applications/third-party-applications/user-consent-and-third-party-applications) and is a large part of what providing support for [third party applications](/docs/get-started/apis/scopes/api-scopes#example-an-api-called-by-a-third-party-application) entails. If you are planning to integrate third-party applications, then it's important you mark them as third-party early on so that Auth0 will handle prompting for user consent. On the other hand, if your organization owns the application(s), the user data itself and the API(s) through which that data is accessed, then consent is not typically required as the interactions are all [first-party](/docs/get-started/apis/scopes/api-scopes#example-an-api-called-by-a-first-party-application). If you're only creating first-party applications, then you can ensure that you are not presenting your users with any unnecessary consent screen(s) by [allowing user consent to be skipped](/docs/get-started/apis) as part of any resource service definition. diff --git a/main/docs/get-started/auth0-overview/create-applications/register-applications-with-cimd.mdx b/main/docs/get-started/auth0-overview/create-applications/register-applications-with-cimd.mdx new file mode 100644 index 0000000000..2f9c0a43a2 --- /dev/null +++ b/main/docs/get-started/auth0-overview/create-applications/register-applications-with-cimd.mdx 
@@ -0,0 +1,466 @@ +--- +description: Learn how to register applications with the Client ID Metadata Document (CIMD). +title: Register Applications with CIMD +--- +Register an application in Auth0 by importing an externally hosted Client ID Metadata Document (CIMD) from a URL. A CIMD is a JSON file hosted on your domain (e.g., `https://example-client.com/mcp-metadata.json`). The CIMD's URL is the application's client ID and proves domain ownership, ensuring only trusted tenant administrators can register applications. + +When you import an application from its CIMD URL, Auth0 fetches, validates, and persists the metadata to register the application as a third-party CIMD client. While Auth0 maintains a record of these settings, the hosted CIMD remains the source of truth; metadata updates are synchronized through manual refreshes. This application registration process is called **manual CIMD registration**. + +Manual CIMD registration has the following benefits: + +1. Uses asymmetric cryptography (public/private keys) instead of shared symmetric secrets that can be leaked. +2. Application owners manage client metadata directly in the CIMD; Auth0 simply pulls and persists these updates. +3. The client ID is the CIMD URL hosted on a secure HTTPS domain, which serves as a human-readable proof of ownership in audit logs. +4. The CIMD can list multiple public keys to avoid downtime during key rotation. + + +Third-party applications, including CIMD clients, do not support organizations. Organizations support for third-party applications will be introduced in a future release. + + + +Rate limits for CIMD clients will be introduced in a future release. You will be able to set an application-level rate limit that applies to all CIMD clients to prevent them from exceeding the tenant's rate limit. 
+ + +## Use cases + +Common use cases for manual CIMD registration include: + +* **MCP clients**: Host their metadata on a secure HTTPS domain at a well-known URL, proving ownership of their identity. Auth0 can then fetch client configuration directly from the source. +* **Third-party integrations**: Partner applications, SaaS platforms, and external services that authenticate users on behalf of organizations. These applications manage their own client metadata and cryptographic keys, enabling independent updates and key rotation without sharing secrets. + +## How it works + +The following is an example CIMD for a public MCP client: + +```json https://example-client.com/mcp-metadata.json wrap lines +{ + "client_id": "https://example-client.com/mcp-metadata.json", + "client_name": "Example MCP Tool Server", + "description": "MCP server providing tools for data analysis", + "logo_uri": "https://example-client.com/logo.png", + "application_type": "web", + "grant_types": ["authorization_code", "refresh_token"], + "redirect_uris": [ + "https://example-client.com/callback" + ], + "token_endpoint_auth_method": "none", + "response_types": ["code"] +} +``` + +Instead of generating a client secret, manual CIMD registration uses asymmetric cryptography, in which the client proves its identity with a private key. Auth0 then verifies it using a public key hosted at the CIMD URL. You can list multiple public keys in an application's CIMD file, allowing for minimal downtime during key rotation. + +The following diagram shows the end-to-end manual CIMD flow: +* **Phase 1**: Registration +* **Phase 2**: Authorization + +```mermaid +sequenceDiagram + %%{init: { "sequence": { "mirrorActors": true }}}%% + + rect rgb(240, 248, 255) + Note over Tenant Admin,Auth0: Registration Phase + participant Tenant Admin + participant Auth0 + participant Domain + + Tenant Admin->>Auth0: Create CIMD app + Auth0->>Tenant Admin: POST /register
(external_client_id = https://.../client.json) + Auth0->>Domain: GET https://.../client.json + Domain-->>Auth0: Client metadata (CIMD JSON) + Auth0->>Auth0: Validate + store client + end + + rect rgb(240, 255, 240) + Note over Client,Auth0: Authorization Phase + actor User + participant Client + participant Auth0 + + User->>Client: Start login + Client->>Auth0: /authorize?client_id = https://.../client.json,
(Auth0 resolves client by external_client_id == client_id) + Auth0->>User: Consent screen
(client metadata) + User->>Auth0: Approve + Auth0-->>Client: Authorization code + Client->>Auth0: Exchange code + Auth0->>Client: Complete login & redirect to client redirect_uri + Client->>Auth0: Request resource access token with /oauth/token + Auth0-->>Client: Return resource access token
(includes client_id=https://../client.json) + end +``` + +### Phase 1: Registration + +During manual CIMD registration, a tenant admin registers the application by importing its externally hosted metadata to Auth0: + +1. **Application creation**: The tenant admin creates a CIMD app by selecting **Import from URL** in the Auth0 Dashboard. +2. **Registration request**: The Auth0 Dashboard sends a request to the Management API's `/register` endpoint, providing the `external_client_id` (the HTTPS URL of the CIMD). +3. **Metadata fetch**: The Management API makes a GET request to the client's domain to retrieve the CIMD (`client.json`). +4. **Security validation**: Auth0 validates the CIMD URL against the [CIMD URL validation rules](#cimd-url-validation-rules) and the JSON against the [CIMD validation rules](#cimd-json-validation-rules), verifying that the internal `client_id` matches the CIMD URL, among other checks. +5. **Persistence**: Once validated, Auth0 stores the client configuration in the database, linking the internal Auth0 `client_id` with the `external_client_id` and the mapped metadata (e.g., `client_name`, callbacks). +6. **Confirmation**: The API returns a success response; the application has been successfully registered as a CIMD client in Auth0. + +### Phase 2: Authorization + +Once registered, the application uses its CIMD URL as its identity during the OAuth flow. + +1. **Start login**: The user logs in to the application. +2. **Authorization request**: The application makes a request to the Auth0 Authorization Server, passing its CIMD URL as the `client_id`. +3. **Client resolution**: The Auth0 Authorization Server queries the database to resolve the provided URL to the stored client configuration. +4. **User consent**: Auth0 displays a consent screen to the user, identifying the application by the `client_name` retrieved from the CIMD metadata. +5. 
**User approval**: After the user approves consent, Auth0 redirects the user back to the application with an authorization code. +6. **Token exchange**: The application exchanges the authorization code for an access token at the token endpoint. +7. **Login complete**: The Auth0 Authorization Server returns an access token where the `client_id` is set to the CIMD URL. The user is successfully logged in to the application. + +## Prerequisites + +Before registering an application with manual CIMD, make sure your tenant and application meet the following requirements: + +### Tenant configuration + +* **Enable CIMD support**: Enable the **Client ID Metadata Document Registration** toggle in your tenant settings to import CIMD via URL. +* **Resource Parameter Compatibility Profile (Optional)**: For MCP clients, we recommend enabling this profile in your tenant settings. This allows the authorization server to handle resource-specific requests (RFC 8707) by checking the resource parameter if the audience is not provided. + +### Supported client types + +You can register the following client types with manual CIMD in Auth0: + +* **Public clients**: Ideal for native or browser-based apps that cannot securely store secrets. Set `token_endpoint_auth_method` to `none` in their metadata and use Proof Key for Code Exchange (PKCE) for secure authorization flows. +* **Confidential clients**: Applications capable of protecting a private key. Use `token_endpoint_auth_method: private_key_jwt` and provide a `jwks_uri` to host their public keys. +* **Application type**: Must be a native or regular web application. + +Manual CIMD registration is strictly limited to [third-party applications](/docs/get-started/applications/third-party-applications) (`is_first_party: false`). Once registered, [configure your CIMD client as a third-party application](/docs/get-started/applications/third-party-applications) in Auth0. 
+ +### Security controls + +* **Forbidden auth methods**: CIMD clients cannot use authentication methods based on shared symmetric secrets, such as `client_secret_post`, `client_secret_basic`, or `client_secret_jwt`. +* **URL host restrictions**: The CIMD URL must be hosted on a valid HTTPS domain. Links to localhost, 127.0.0.1, or private IP ranges are rejected to prevent SSRF and identity spoofing. +* **JWKS origin policy**: If using `private_key_jwt`, your `jwks_uri` must share the exact same origin (scheme, host, and port) as your CIMD URL. + +## Register applications with manual CIMD in Auth0 + +When creating an application in Auth0, register it manually with CIMD using the Auth0 Dashboard or Management API. + + + + +To register an application with manual CIMD using the Auth0 Dashboard: + +1. Navigate to **Applications > Applications**. +2. Select **Create Application > Import from URL**. +3. Enter the CIMD URL. Then, select **Preview**. Auth0 validates the CIMD URL against the CIMD URL validation rules. +4. If your CIMD URL is valid, Auth0 loads the CIMD and validates it against the CIMD JSON validation rules. Preview your client metadata and troubleshoot it for any validation errors. +5. To register your application as a CIMD client, select **Create**. + + + + +To register an application with manual CIMD using the Management API: + +1. [**Preview CIMD**](#preview-cimd): Validate the CIMD URL and CIMD with Auth0 +2. [**Register CIMD client**](#register-cimd-client): Register the application as a CIMD client in Auth0 + +### Preview CIMD + +To preview the CIMD, make a POST request to the `/api/v2/clients/cimd/preview` endpoint and pass the following: + +* `external_client_id`: The CIMD URL for the application + +The `/api/v2/clients/cimd/preview` endpoint loads and validates the `external_client_id` and the CIMD at that URL, allowing you to preview the client metadata and any validation errors. 
+ +The following request passes `https://mcpserver.example.com/client.json` as the `external_client_id` to the `/api/v2/clients/cimd/preview` endpoint: + +```bash +curl --request POST \ + --url 'https://YOUR_AUTH0_DOMAIN/api/v2/clients/cimd/preview' \ + --header 'Authorization: Bearer YOUR_MANAGEMENT_API_TOKEN' \ + --header 'Content-Type: application/json' \ + --data '{ + "external_client_id": "https://mcpserver.example.com/client.json" + }' +``` + +If successful, Auth0 returns a response like the following: + +```json +{ + "mapped_fields": { + "external_client_id": "https://mcpserver.example.com/client.json", + "redirect_uris": ["https://mcpserver.example.com/callback"], + "client_name": "MCP Tool Server", + "logo_uri": "https://mcpserver.example.com/logo.png", + "grant_types": ["authorization_code"], + "scope": "read write" + }, + "validation": { + "valid": true, + "warnings": [ + "Grant type not supported: 'implicit'", + "Property not supported: 'nfv_token_signed_response_alg'" + ] + } +} +``` + +### Register CIMD client + +Once you've verified the client metadata, make a POST request to the `/api/v2/clients/cimd/register` endpoint and pass the following: + +* `external_client_id`: The CIMD URL for the application +* `scopes`: the `create:clients` scope + +The `/api/v2/clients/cimd/register` endpoint registers the CIMD application. 
+ +The following request passes `https://mcpserver.example.com/client.json` as the `external_client_id` to the `/api/v2/clients/cimd/register` endpoint: + +```bash +curl --request POST \ + --url 'https://YOUR_AUTH0_DOMAIN/api/v2/clients/cimd/register' \ + --header 'Authorization: Bearer YOUR_MANAGEMENT_API_TOKEN' \ + --header 'Content-Type: application/json' \ + --data '{ + "external_client_id": "https://mcpserver.example.com/client.json" + }' +``` + +If successful, Auth0 returns a response like the following: + +``` +Location: /api/v2/clients/F8gx1EKvYaa54jOPmaLWpgoI90T +``` + +```json +{ + "client_id": "F8gx1EKvYaa54jOPmaLWpgoI90T" + "mapped_fields": { + "external_client_id": "https://mcpserver.example.com/client.json", + "redirect_uris": ["https://mcpserver.example.com/callback"], + "client_name": "MCP Tool Server", + "logo_uri": "https://mcpserver.example.com/logo.png", + "grant_types": ["authorization_code"], + "scope": "read write" + }, + "validation": { + "valid": true, + "warnings": [ + "Grant type not supported: 'implicit'", + "Property not supported: 'nfv_token_signed_response_alg'" + ] + } +} +``` + + + + +## Configure CIMD client as third-party application + +Manual CIMD registration is strictly limited to [third-party applications](/docs/get-started/applications/third-party-applications) (`is_first_party: false`). Once you've registered your CIMD client, configure it as a third-party application in Auth0. To learn more, read [Configure Third-Party Applications](/docs/get-started/applications/third-party-applications). + +## Refresh client metadata + +Once you've registered the CIMD client, you can manually refresh client metadata. Auth0 fetches fresh client metadata from the CIMD, which you can preview and save. + +In the Auth0 Dashboard: + +1. Navigate to **Applications > Applications** and select your CIMD client. +2. At the top-right corner, select **Refresh Client Metadata**. +3. 
Select **Refresh Preview** to preview the latest client metadata in the CIMD. Review any validation warnings or errors. +4. Select **Save**. + +## Get CIMD client + +To get a CIMD client, make a GET request to the `/v2/clients/{clientId}` endpoint, where `{clientID}` is the Auth0-generated client ID assigned to the CIMD client: + +```bash +curl --request GET \ + --url 'https://YOUR_AUTH0_DOMAIN/api/v2/clients/F8gx1EKvYaa54jOPmaLWpgoI90T' \ + --header 'Authorization: Bearer YOUR_MANAGEMENT_API_TOKEN' \ + --header 'Content-Type: application/json' +``` + +Alternatively, pass the `external_client_id`, or the CIMD URL, as the query parameter to the `/v2/clients` endpoint: + +```bash +curl --request GET \ + --url 'https://YOUR_AUTH0_DOMAIN/api/v2/clients?external_client_id=' \ + --header 'Authorization: Bearer YOUR_MANAGEMENT_API_TOKEN' \ + --header 'Content-Type: application/json' +``` + +If successful, Auth0 returns a response like the following: + +```json +{ + "tenant": "YOUR_TENANT", + "global": false, + "is_token_endpoint_ip_header_trusted": false, + "external_client_id": "https://YOUR_DOMAIN/.well-known/client-metadata.json", + "name": "YOUR_CLIENT_NAME", + "callbacks": [ + "https://YOUR_DOMAIN/callback" + ], + "is_first_party": false, + "oidc_conformant": true, + "third_party_security_mode": "strict", + "external_metadata_type": "cimd", + "external_metadata_created_by": "admin", + "sso_disabled": false, + "cross_origin_auth": false, + "redirection_policy": "open_redirect_protection", + "refresh_token": { + "expiration_type": "expiring", + "leeway": 0, + "token_lifetime": 2592000, + "idle_token_lifetime": 1296000, + "infinite_token_lifetime": false, + "infinite_idle_token_lifetime": false, + "rotation_type": "rotating" + }, + "signing_keys": [ + { + "cert": "-----BEGIN CERTIFICATE-----\r\n...\r\n-----END CERTIFICATE-----", + "pkcs7": "-----BEGIN PKCS7-----\r\n...\r\n-----END PKCS7-----\r\n", + "subject": "deprecated" + } + ], + "client_id": "", + 
"callback_url_template": false, + "client_secret": "YOUR_CLIENT_SECRET", + "jwt_configuration": { + "alg": "RS256", + "lifetime_in_seconds": 3600, + "secret_encoded": false + }, + "token_endpoint_auth_method": "none", + "app_type": "regular_web", + "grant_types": [ + "authorization_code" + ], + "custom_login_page_on": true +} +``` + +## Update CIMD client + +You can update the fields for a registered CIMD client. Updating the CIMD client in Auth0 does not automatically update the CIMD hosted on the application's domain. + +You can only update the following fields for CIMD clients: + +| Field | Description | +|-------|-------------| +| `app_type` | The Auth0 application type. For CIMD, this maps from `application_type` and is restricted to `native` (for native apps) or `regular_web` (for web apps). | +| `grant_types` | The OAuth 2.0 grant types allowed. For CIMD, this is restricted to `authorization_code` and `refresh_token`. Other types are filtered out during mapping. | +| `jwt_configuration.alg` | The algorithm used to sign the ID Token. As strict third-party clients, CIMD applications are typically restricted to secure asymmetric algorithms such as RS256, RS512, or PS256. | +| `description` | A free-text description of the client. Mapped directly from CIMD metadata with a maximum limit of 140 characters. | +| `oidc_conformant` | Must be enabled for strict third-party clients. This ensures the client follows OIDC specifications and is generally not modifiable for CIMD clients. | +| `allowed_origins` | A list of URLs allowed for Cross-Origin Resource Sharing (CORS). Typically used by browser-based applications. | +| `web_origins` | A list of URLs allowed for web-based flows (e.g., Silent Authentication). | +| `refresh_token.*` | Configuration for refresh token behavior, including `rotation_type`, `leeway`, and various lifetime settings. These control how long a refresh token remains valid and if it rotates upon use. 
| +| `organization_*` | Settings for organization-specific flows, including `usage`, `require_behaviour`, `discovery_methods`, and `default_organization`. These determine how the client interacts with Auth0 Organizations. | +| `client_metadata` | Arbitrary key-value pairs used to store additional information about the client that does not map to standard Auth0 properties. | +| `require_proof_of_possession` | Indicates if the client must demonstrate proof of possession of a key, often used with DPoP or mTLS. | + +To update a CIMD client, make a PATCH request to the `/v2/clients/{clientId}` endpoint, where `{clientID}` is the Auth0-generated client ID assigned to the CIMD client: + +```bash +curl --location --request PATCH 'https://YOUR_AUTH0_DOMAIN/api/v2/clients/tpc_vKqE8g5y1MZ1zQFy9aLJde' \ +--header 'Content-Type: application/json' \ +--header 'Authorization: Bearer YOUR_MANAGEMENT_API_TOKEN' \ +--data '{ "description": "This is my test CIMD client"}' +``` + +If successful, Auth0 should return a response like the following: + +```json +{ + "tenant": "YOUR_TENANT", + "global": false, + "is_token_endpoint_ip_header_trusted": false, + "name": "YOUR_CLIENT_NAME", + "callbacks": [ + "https://YOUR_APPLICATION_URL/callback" + ], + "is_first_party": false, + "oidc_conformant": true, + "third_party_security_mode": "strict", + "sso_disabled": false, + "cross_origin_auth": false, + "redirection_policy": "open_redirect_protection", + "refresh_token": { + "expiration_type": "expiring", + "leeway": 0, + "token_lifetime": 2592000, + "idle_token_lifetime": 1296000, + "infinite_token_lifetime": false, + "infinite_idle_token_lifetime": false, + "rotation_type": "rotating" + }, + "description": "This is my CIMD test client", + "signing_keys": [ + { + "cert": "-----BEGIN CERTIFICATE-----\r\n...\r\n-----END CERTIFICATE-----\r\n", + "pkcs7": "-----BEGIN PKCS7-----\r\n...\r\n-----END PKCS7-----\r\n", + "subject": "/CN=YOUR_AUTH0_DOMAIN" + } + ], + "client_id": "", + 
"callback_url_template": false, + "client_secret": "YOUR_CLIENT_SECRET", + "jwt_configuration": { + "alg": "RS256", + "lifetime_in_seconds": 3600, + "secret_encoded": false + }, + "token_endpoint_auth_method": "none", + "app_type": "regular_web", + "grant_types": [ + "authorization_code" + ], + "custom_login_page_on": true +} +``` + +## CIMD URL validation rules + +To pass validation in Auth0, CIMD URLs must meet the following requirements: + +| Category | Rule | Requirement | +|----------|------|-------------| +| **Protocol** | HTTPS Required | Must use the `https://` scheme. | +| **Host** | No Localhost | `localhost`, `127.0.0.1`, and `::1` are rejected. | +| | Valid Hostname | Must contain a non-empty hostname; triple-slashes (e.g., `https:///`) are forbidden. | +| **Path** | Path Component | Must contain a path beyond the root `/`. | +| | No Dot Segments | Must not contain `.` or `..` (including encoded `%2e`) in the path. | +| **Constraints** | Length Limit | Maximum of 120 bytes. | +| | No Whitespace | No leading or trailing whitespace allowed. | +| | Format | Must be a non-empty string parseable as a URL. | +| **Forbidden** | No Credentials | No username or password allowed in the URL. | +| | No Fragments | Fragment identifiers (`#`) are not permitted. | +| | No Query | Query strings (`?`) are not permitted. | +| | No Port 0 | Port 0 is reserved and forbidden. | +| **Encoding** | Percent-Encoding | `%` must be followed by exactly two hex digits. | + +## CIMD JSON validation rules + +Auth0 applies the following CIMD JSON validation rules: + +* **Unsupported properties**: Properties not defined in the specification are ignored during mapping but are reported as warnings in the validation response. +* **Inline JWKS**: Providing an inline `jwks` object instead of a `jwks_uri` is not supported and will trigger an `invalid_client_metadata` error. 
+* **Private keys**: Any JWKS retrieved via `jwks_uri` that contains private key material (the `d` parameter) will be rejected. +* **Fetch security**: Both the CIMD document and the `jwks_uri` are subject to a 5KB and 12KB size limit respectively, and neither allows HTTP redirects. + +Auth0 supports the following CIMD properties: + +| Property | Required | Type | Validation Rules | Auth0 Mapping | +|----------|----------|------|------------------|---------------| +| `client_id` | Yes | String | Must be a valid HTTPS URL that exactly matches the document's hosted location. | Internal ID | +| `client_name` | Yes | String | Must be a non-empty string. | `name` | +| `redirect_uris` | Conditional | String Array | Required if `grant_types` includes `authorization_code` or `implicit`. Must be unique HTTPS URIs (loopback allowed for native apps). | `callbacks` | +| `grant_types` | Yes | String Array | Must include at least one supported type (`authorization_code` or `refresh_token`). Unsupported types trigger warnings and are filtered out. | `grant_types` | +| `application_type` | No | String | Only `native` or `web` are allowed. Unknown values are rejected. Defaults to `web`. | `app_type` | +| `token_endpoint_auth_method` | No | String | Supports `none` or `private_key_jwt`. Symmetric secret methods (e.g., `client_secret_post`) are forbidden. | `token_endpoint_auth_method` | +| `jwks_uri` | Conditional | String | Required if `token_endpoint_auth_method` is `private_key_jwt`. Must be an HTTPS URL sharing the same origin as the `client_id`. | `jwks_uri` | +| `logo_uri` | No | String | Must be a valid HTTP or HTTPS URL. | `logo_uri` | +| `description` | No | String | Free text with a maximum limit of 140 characters. | `description` | +| `response_types` | No | String Array | Validated for OIDC consistency but not persisted. Generates a warning if it contains `code` while `authorization_code` is missing from `grant_types`. | (None) | 
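Review bot: the sample response under "Register CIMD client" is not valid JSON: `"client_id": "F8gx1EKvYaa54jOPmaLWpgoI90T"` needs a trailing comma before `"mapped_fields"`. Several other inconsistencies in this new page should be fixed before merge: the register section lists `scopes: the create:clients scope` as something to "pass" next to `external_client_id`, but the curl body only sends `external_client_id`, so `create:clients` should be described as the required Management API token scope rather than a request parameter; the "Get CIMD client" example leaves the query string empty (`?external_client_id=`) where the CIMD URL belongs; the prose names the endpoints `/v2/clients/{clientId}` (and `{clientID}` in the same sentence) while every curl call uses `/api/v2/clients/...`; the PATCH example targets `tpc_vKqE8g5y1MZ1zQFy9aLJde` while the other examples use `F8gx1EKvYaa54jOPmaLWpgoI90T`, and its request sets the description to "This is my test CIMD client" while the response shows "This is my CIMD test client"; and the updatable-fields table lists `organization_*` settings even though the note at the top says third-party (CIMD) clients do not support organizations. The registration diagram also draws `Auth0->>Tenant Admin: POST /register` while the text says the Dashboard sends the request to the Management API `/register` endpoint, which the rest of the page names `/api/v2/clients/cimd/register`; arrow direction and endpoint name should match the prose. Finally, both GET and PATCH sample responses include `"client_secret": "YOUR_CLIENT_SECRET"` for a client with `token_endpoint_auth_method: none`, which sits oddly next to the page's statement that CIMD clients never rely on shared secrets; consider dropping that field from the examples or explaining why it is present.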
diff --git a/main/docs/ja-jp/get-started/applications.mdx b/main/docs/ja-jp/get-started/applications.mdx index feedc5d8b9..89a6f69fca 100644 --- a/main/docs/ja-jp/get-started/applications.mdx +++ b/main/docs/ja-jp/get-started/applications.mdx @@ -14,7 +14,7 @@ Auth0では、次の特性に基づいてアプリが分類されます。 + **Native application(ネイティブアプリケーション)** :デバイス(iOSやAndroidなど)上でネイティブに実行される携帯電話アプリケーションまたはデスクトップアプリケーション。通常の Web アプリケーションのセットアップ方法については、[[Register Native Applications(ネイティブアプリケーションの登録)]](/docs/ja-jp/get-started/auth0-overview/create-applications/native-apps)をお読みください。 + **マシンツーマシン(M2M)アプリケーション** :コマンドラインツール、デーモン、IoTデバイス、バックエンドで実行されているサービスなどの非対話型アプリケーション。通常、このオプションはAPIへのアクセスが必要なサービスがある場合に使用します。通常のWebアプリケーションのセットアップ方法については、[[Register Machine-to-Machine Applications(マシンツーマシンアプリケーションを登録)]](/docs/ja-jp/get-started/auth0-overview/create-applications/machine-to-machine-apps)をお読みください。 * **資格情報のセキュリティ** :[OAuth 2.0 spec](https://tools.ietf.org/html/rfc6749#section-2.1)によると、アプリはパブリックまたは機密に分類できます。機密アプリは資格情報を安全に保持できますが、パブリックアプリはそれができません。詳細については、「[機密アプリケーションとパブリックアプリケーション](/docs/ja-jp/get-started/applications/confidential-and-public-applications)」をお読みください。 -* **所有権** :アプリがファーストパーティとサードパーティのどちらに分類されるかは、アプリの所有権と管理によって決まります。ファーストパーティアプリは、Auth0ドメインを所有する同じ組織または個人によって管理されます。サードパーティアプリを使用すると、外部パーティやパートナーがAPIの背後にある保護されたリソースに安全にアクセスできるようになります。詳細については、[[First-Party and Third-Party Applications(ファーストパーティとサードパーティのアプリケーション)]](/docs/ja-jp/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications)をお読みください。 +* **所有権** :アプリがファーストパーティとサードパーティのどちらに分類されるかは、アプリの所有権と管理によって決まります。ファーストパーティアプリは、Auth0ドメインを所有する同じ組織または個人によって管理されます。サードパーティアプリを使用すると、外部パーティやパートナーがAPIの背後にある保護されたリソースに安全にアクセスできるようになります。詳細については、[[First-Party and Third-Party Applications(ファーストパーティとサードパーティのアプリケーション)]](/docs/ja-jp/get-started/applications/first-party-and-third-party-applications)をお読みください。 ## アプリケーション設定の管理 
@@ -46,7 +46,7 @@ Auth0にはさまざまな認証フローと認可フローが用意されてい * [[Application Settings(アプリケーションの設定)]](/docs/ja-jp/get-started/applications/application-settings) * [機密アプリケーションと公開アプリケーション](/docs/ja-jp/get-started/applications/confidential-and-public-applications) -* [ファーストパーティーアプリケーションとサードパーティーアプリケーション](/docs/ja-jp/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) +* [ファーストパーティーアプリケーションとサードパーティーアプリケーション](/docs/ja-jp/get-started/applications/first-party-and-third-party-applications) * [アプリケーションの付与タイプ](/docs/ja-jp/get-started/applications/application-grant-types) * [サブドメインURLプレースホルダー](/docs/ja-jp/get-started/applications/wildcards-for-subdomains) * [動的なアプリケーション登録](/docs/ja-jp/get-started/applications/dynamic-client-registration) \ No newline at end of file diff --git a/main/docs/ja-jp/get-started/applications/application-grant-types.mdx b/main/docs/ja-jp/get-started/applications/application-grant-types.mdx index d342efc3ff..232db04ffc 100644 --- a/main/docs/ja-jp/get-started/applications/application-grant-types.mdx +++ b/main/docs/ja-jp/get-started/applications/application-grant-types.mdx @@ -100,6 +100,6 @@ Dashboardを使ってこれらの付与タイプを有効・無効にする場 ## もっと詳しく * [機密アプリケーションと公開アプリケーション](/docs/ja-jp/get-started/applications/confidential-and-public-applications) -* [サードパーティアプリケーションを有効にする](/docs/ja-jp/get-started/applications/confidential-and-public-applications/enable-third-party-applications) -* [ファーストパーティーアプリケーションとサードパーティーアプリケーション](/docs/ja-jp/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) +* [サードパーティアプリケーションを有効にする](/docs/ja-jp/get-started/applications/third-party-applications/configure-third-party-applications) +* [ファーストパーティーアプリケーションとサードパーティーアプリケーション](/docs/ja-jp/get-started/applications/first-party-and-third-party-applications) * [サブドメインURLプレースホルダー](/docs/ja-jp/get-started/applications/wildcards-for-subdomains) \ No newline at end of file 
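Review bot: the retargeted links in these ja-jp hunks point to `/docs/ja-jp/get-started/applications/third-party-applications/configure-third-party-applications` and `/docs/ja-jp/get-started/applications/first-party-and-third-party-applications`, but no ja-jp file is added at either path anywhere in the visible diff, while the pages they replace (`enable-third-party-applications.mdx`, `first-party-and-third-party-applications.mdx`) are deleted further down; please confirm those Japanese targets exist or are added in this PR so the docs do not ship with dead links. Visible in context and worth fixing while the file is open: the native and M2M bullets in applications.mdx both say 「通常の Web アプリケーションのセットアップ方法については」 (how to set up a regular web application) before linking to the native and machine-to-machine registration pages.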
diff --git a/main/docs/ja-jp/get-started/applications/application-settings.mdx b/main/docs/ja-jp/get-started/applications/application-settings.mdx index b99be28bee..78989b2e3b 100644 --- a/main/docs/ja-jp/get-started/applications/application-settings.mdx +++ b/main/docs/ja-jp/get-started/applications/application-settings.mdx @@ -129,5 +129,5 @@ WS-Federation設定を管理または追加します。 * [アプリケーションを削除する](/docs/ja-jp/get-started/applications/remove-applications) * [OIDC Discoveryを使ってアプリケーションを構成する](/docs/ja-jp/get-started/applications/configure-applications-with-oidc-discovery) * [機密アプリケーションと公開アプリケーション](/docs/ja-jp/get-started/applications/confidential-and-public-applications) -* [ファーストパーティーアプリケーションとサードパーティーアプリケーション](/docs/ja-jp/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) +* [ファーストパーティーアプリケーションとサードパーティーアプリケーション](/docs/ja-jp/get-started/applications/first-party-and-third-party-applications) * [エラーメッセージを確認する](/docs/ja-jp/troubleshoot/basic-issues/check-error-messages) \ No newline at end of file diff --git a/main/docs/ja-jp/get-started/applications/confidential-and-public-applications.mdx b/main/docs/ja-jp/get-started/applications/confidential-and-public-applications.mdx index e439f6b5e1..c99ec6ad67 100644 --- a/main/docs/ja-jp/get-started/applications/confidential-and-public-applications.mdx +++ b/main/docs/ja-jp/get-started/applications/confidential-and-public-applications.mdx 
@@ -52,5 +52,5 @@ Dashboardでアプリケーションを作成すると、Auth0から新しいア ## もっと詳しく * [アプリケーションが機密か公開かを確認する](/docs/ja-jp/get-started/applications/confidential-and-public-applications/view-application-type) -* [ファーストパーティーアプリケーションとサードパーティーアプリケーション](/docs/ja-jp/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) -* [ユーザーの同意とサードパーティアプリケーション](/docs/ja-jp/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications) \ No newline at end of file +* [ファーストパーティーアプリケーションとサードパーティーアプリケーション](/docs/ja-jp/get-started/applications/first-party-and-third-party-applications) +* [ユーザーの同意とサードパーティアプリケーション](/docs/ja-jp/get-started/applications/third-party-applications/user-consent-and-third-party-applications) \ No newline at end of file diff --git a/main/docs/ja-jp/get-started/applications/confidential-and-public-applications/enable-third-party-applications.mdx b/main/docs/ja-jp/get-started/applications/confidential-and-public-applications/enable-third-party-applications.mdx deleted file mode 100644 index 5ad8b2bc01..0000000000 --- a/main/docs/ja-jp/get-started/applications/confidential-and-public-applications/enable-third-party-applications.mdx +++ /dev/null 
@@ -1,79 +0,0 @@ ---- -title: "サードパーティアプリケーションを有効にする" -'description': "テナントに対してサードパーティアプリケーションを有効にする方法を説明します。" ---- - -テナントに対して、サードパーティのアプリケーションを有効にすることができます。2種類のアプリケーションの違いについては、「[ファーストパーティとサードパーティのアプリケーション](/docs/ja-jp/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications)」を参照してください。 - -1. Auth0で[アプリケーションの所有者をサードパーティに変更](/docs/ja-jp/get-started/applications/confidential-and-public-applications/update-application-ownership)します。 - - デフォルトでは、Auth0に登録されたアプリケーションは、ファーストパーティアプリケーションになります。アプリケーションをサードパーティアプリケーションにしたい場合は、所有者を変更しなければなりません。 -2. Auth0で[サードパーティアプリケーションに使用したい接続をドメインレベルに昇格](/docs/ja-jp/authenticate/identity-providers/promote-connections-to-domain-level)させます。 - - サードパーティアプリケーションは、ドメインレベル接続のフラグを持つ[接続](/docs/ja-jp/connections)からのユーザーのみ認証できます。ドメインレベルの接続は、選択したファーストパーティアプリケーションに対して有効にした場合でも、すべてのサードパーティアプリケーションユーザーが認証に使用できます。 -3. アプリケーションのログインページを更新します。[Lock](/docs/ja-jp/libraries/lock/v11)を[ユニバーサルログインページ](/docs/ja-jp/universal-login/classic)で使用する場合には、以下が必要です。 - - 1. Lockをバージョン11以降にアップグレードする - 2. Lockをインスタンス化する際に`__useTenantInfo: config.isThirdPartyClient`フラグを設定する - 3. プライベートクラウドのユーザーのみ:Lockをインスタンス化する際に[`configurationBaseUrl`オプション](https://auth0.com/docs/libraries/lock/v11/configuration#configurationbaseurl-string-)を`https://{config.auth0Domain}/`に設定する - -## アクセストークンのcurrent_user_\*スコープ - -ファーストパーティやサードパーティのアプリケーションがIDトークンを使ってManagement APIエンドポイントを呼び出すことはできません。その場合には、それぞれのエンドポイントに必要な以下の`current_user_*`スコープを使ってアクセストークンを取得します。 - -| スコープ | エンドポイント | -| --- | --- | -| `read:current_user` | ユーザーを一覧表示または検索する | -| | ユーザーを取得する | -| | ユーザーMFA登録を取得する | -| `update:current_user_metadata` | ユーザーを更新する | -| | ユーザーの多要素プロバイダーを削除する | -| `create:current_user_device_credentials` | デバイスの公開鍵を作成する | -| `delete:current_user_device_credentials` | デバイスの資格情報を削除する | -| `update:current_user_identities` | ユーザーアカウントをリンクする | -| | ユーザーIDをリンク解除する | - -## スクリプトの例 - -```html lines - -... 
- -``` - -## もっと詳しく - -* [ファーストパーティーアプリケーションとサードパーティーアプリケーション](/docs/ja-jp/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) -* [ユーザーの同意とサードパーティアプリケーション](/docs/ja-jp/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications) -* [接続をドメインレベルに昇格する](/docs/ja-jp/authenticate/identity-providers/promote-connections-to-domain-level) \ No newline at end of file diff --git a/main/docs/ja-jp/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications.mdx b/main/docs/ja-jp/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications.mdx deleted file mode 100644 index e975f7b2cf..0000000000 --- a/main/docs/ja-jp/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications.mdx +++ /dev/null 
@@ -1,28 +0,0 @@ ---- -title: "ファーストパーティーアプリケーションとサードパーティーアプリケーション" -'description': "機密アプリケーションと公開アプリケーションの種類の違いを説明します。" ---- - -アプリケーションは、その所有権において、ファーストパーティーとサードパーティーのいずれかに分類されます。主な相違点は、Auth0ドメインへ管理アクセス権を誰が持っているかということです。 - -## ファーストパーティーアプリケーション - -ファーストパーティーアプリは、Auth0ドメインを所有する同じ組織または個人によって管理されます。たとえば、Contoso APIと、`contoso.com`にログインしてContoso APIを利用するアプリケーションの両方を作成したとしましょう。この場合、APIとアプリケーションの両方を同じAuth0ドメインで登録することになり、アプリケーションはファーストパーティーアプリケーションとなります。デフォルトでは、[Auth0 Dashboard](https://manage.auth0.com/#/applications)で作成されたアプリケーションはすべてファーストパーティーアプリケーションです。 - -## サードパーティーアプリケーション - -サードパーティーアプリケーションは、Auth0ドメインへの管理アクセス権を持っていない可能性が最も高い人物によって管理されます。サードパーティーアプリを使用すると、外部パーティーやパートナーがAPIの背後にある保護されたリソースに安全にアクセスできるようになります。この例として、FacebookでクライアントIDとシークレットを取得するためにアプリケーションを作成し、サービスに統合するとしましょう。このアプリケーションはFacebookでなく、Facebook APIとサービスに統合したいサードパーティーによって所有されているため、サードパーティーアプリケーションとみなされます。 - -[動的クライアント登録](/docs/ja-jp/get-started/applications/dynamic-client-registration)で作成されるアプリケーションはすべてサードパーティーのものです。サードパーティーアプリケーションはDashboardを使って作成できず、Auth0 Management APIで`is_first_party`を`false`に設定して作成する必要があります。 - -サードパーティーアプリケーションは以下の独自の特徴を持っています。 - -* **ユーザーの同意** :アプリケーションは誰でも作成できるため、APIを利用するときは、ユーザーの同意を義務付ける必要があります。これによってセキュリティが向上します。 -* **IDトークン** :サードパーティーアプリケーション向けに生成された[IDトークン](/docs/ja-jp/secure/tokens/id-tokens)には、最小限のユーザープロファイル情報しか含まれていません。 -* **接続** :テナントレベルの接続かドメイン接続のみを使用することができます。詳細については、「[サードパーティーアプリケーションを有効にする](/docs/ja-jp/get-started/applications/confidential-and-public-applications/enable-third-party-applications)」を参照してください。 - -## もっと詳しく - -* [アプリケーションの所有権を更新する](/docs/ja-jp/get-started/applications/confidential-and-public-applications/update-application-ownership) -* [アプリケーションが機密か公開かを確認する](/docs/ja-jp/get-started/applications/confidential-and-public-applications/view-application-type) -* [ユーザーの同意とサードパーティアプリケーション](/docs/ja-jp/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications) \ No newline at end of file 
diff --git a/main/docs/ja-jp/get-started/applications/confidential-and-public-applications/update-application-ownership.mdx b/main/docs/ja-jp/get-started/applications/confidential-and-public-applications/update-application-ownership.mdx deleted file mode 100644 index e91da4ec42..0000000000 --- a/main/docs/ja-jp/get-started/applications/confidential-and-public-applications/update-application-ownership.mdx +++ /dev/null 
@@ -1,234 +0,0 @@ ---- -title: "アプリケーションの所有権を更新する" -'description': "Auth0 Management APIを使用してアプリケーションの所有権を更新する方法を説明します。これにより、アプリケーションをAuth0にファーストパーティーアプリケーションとして登録するのか、サードパーティーアプリケーションとして登録するのかを指定できます。" ---- -import {AuthCodeBlock} from "/snippets/AuthCodeBlock.jsx"; - -import {AuthCodeGroup} from "/snippets/AuthCodeGroup.jsx"; - -Auth0のManagement APIを使用して、アプリケーションの所有権を更新することができます。これにより、アプリケーションをAuth0にファーストパーティーアプリケーションとして登録するのか、サードパーティーアプリケーションとして登録するのかを指定できます。 - -[クライアント更新エンドポイント](/docs/ja-jp/api/management/v2#!/Clients/patch_clients_by_id)に`PATCH`呼び出しを行います。必ず、`{yourClientId}`、`{yourMgmtApiAccessToken}`、および`{ownershipBoolean}`のプレースホルダーの値を、それぞれご自身のクライアントID、Management APIのアクセストークン、アプリケーションの所有権を表すブール値に置き換えてください。 - - -```bash cURL -curl --request PATCH \ - --url 'https://{yourDomain}/api/v2/clients/%7ByourClientId%7D' \ - --header 'authorization: Bearer {yourMgmtApiAccessToken}' \ - --header 'cache-control: no-cache' \ - --header 'content-type: application/json' \ - --data '{ "is_first_party": "{ownershipBoolean}" }' -``` -```csharp C# -var client = new RestClient("https://{yourDomain}/api/v2/clients/%7ByourClientId%7D"); -var request = new RestRequest(Method.PATCH); -request.AddHeader("content-type", "application/json"); -request.AddHeader("authorization", "Bearer {yourMgmtApiAccessToken}"); -request.AddHeader("cache-control", "no-cache"); -request.AddParameter("application/json", "{ "is_first_party": "{ownershipBoolean}" }", ParameterType.RequestBody); -IRestResponse response = client.Execute(request); -``` -```go Go -package main - -import ( - "fmt" - "strings" - "net/http" - "io/ioutil" -) - -func main() { - - url := "https://{yourDomain}/api/v2/clients/%7ByourClientId%7D" - - payload := strings.NewReader("{ "is_first_party": "{ownershipBoolean}" }") - - req, _ := http.NewRequest("PATCH", url, payload) - - req.Header.Add("content-type", "application/json") - req.Header.Add("authorization", "Bearer {yourMgmtApiAccessToken}") - req.Header.Add("cache-control", 
"no-cache") - - res, _ := http.DefaultClient.Do(req) - - defer res.Body.Close() - body, _ := ioutil.ReadAll(res.Body) - - fmt.Println(res) - fmt.Println(string(body)) - -} -``` -```java Java -HttpResponse response = Unirest.patch("https://{yourDomain}/api/v2/clients/%7ByourClientId%7D") - .header("content-type", "application/json") - .header("authorization", "Bearer {yourMgmtApiAccessToken}") - .header("cache-control", "no-cache") - .body("{ "is_first_party": "{ownershipBoolean}" }") - .asString(); -``` -```javascript Node.JS -var axios = require("axios").default; - -var options = { - method: 'PATCH', - url: 'https://{yourDomain}/api/v2/clients/%7ByourClientId%7D', - headers: { - 'content-type': 'application/json', - authorization: 'Bearer {yourMgmtApiAccessToken}', - 'cache-control': 'no-cache' - }, - data: {is_first_party: '{ownershipBoolean}'} -}; - -axios.request(options).then(function (response) { - console.log(response.data); -}).catch(function (error) { - console.error(error); -}); -``` -```objc Obj-C -#import - -NSDictionary *headers = @{ @"content-type": @"application/json", - @"authorization": @"Bearer {yourMgmtApiAccessToken}", - @"cache-control": @"no-cache" }; -NSDictionary *parameters = @{ @"is_first_party": @"{ownershipBoolean}" }; - -NSData *postData = [NSJSONSerialization dataWithJSONObject:parameters options:0 error:nil]; - -NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://{yourDomain}/api/v2/clients/%7ByourClientId%7D"] - cachePolicy:NSURLRequestUseProtocolCachePolicy - timeoutInterval:10.0]; -[request setHTTPMethod:@"PATCH"]; -[request setAllHTTPHeaderFields:headers]; -[request setHTTPBody:postData]; - -NSURLSession *session = [NSURLSession sharedSession]; -NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request - completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) { - if (error) { - NSLog(@"%@", error); - } else { - NSHTTPURLResponse *httpResponse = 
(NSHTTPURLResponse *) response; - NSLog(@"%@", httpResponse); - } - }]; -[dataTask resume]; -``` -```php PHP -$curl = curl_init(); - -curl_setopt_array($curl, [ - CURLOPT_URL => "https://{yourDomain}/api/v2/clients/%7ByourClientId%7D", - CURLOPT_RETURNTRANSFER => true, - CURLOPT_ENCODING => "", - CURLOPT_MAXREDIRS => 10, - CURLOPT_TIMEOUT => 30, - CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1, - CURLOPT_CUSTOMREQUEST => "PATCH", - CURLOPT_POSTFIELDS => "{ "is_first_party": "{ownershipBoolean}" }", - CURLOPT_HTTPHEADER => [ - "authorization: Bearer {yourMgmtApiAccessToken}", - "cache-control: no-cache", - "content-type: application/json" - ], -]); - -$response = curl_exec($curl); -$err = curl_error($curl); - -curl_close($curl); - -if ($err) { - echo "cURL Error #:" . $err; -} else { - echo $response; -} -``` -```python Python -import http.client - -conn = http.client.HTTPSConnection("") - -payload = "{ "is_first_party": "{ownershipBoolean}" }" - -headers = { - 'content-type': "application/json", - 'authorization': "Bearer {yourMgmtApiAccessToken}", - 'cache-control': "no-cache" - } - -conn.request("PATCH", "/{yourDomain}/api/v2/clients/%7ByourClientId%7D", payload, headers) - -res = conn.getresponse() -data = res.read() - -print(data.decode("utf-8")) -``` -```ruby Ruby -require 'uri' -require 'net/http' -require 'openssl' - -url = URI("https://{yourDomain}/api/v2/clients/%7ByourClientId%7D") - -http = Net::HTTP.new(url.host, url.port) -http.use_ssl = true -http.verify_mode = OpenSSL::SSL::VERIFY_NONE - -request = Net::HTTP::Patch.new(url) -request["content-type"] = 'application/json' -request["authorization"] = 'Bearer {yourMgmtApiAccessToken}' -request["cache-control"] = 'no-cache' -request.body = "{ "is_first_party": "{ownershipBoolean}" }" - -response = http.request(request) -puts response.read_body -``` -```swift Swift -import Foundation - -let headers = [ - "content-type": "application/json", - "authorization": "Bearer {yourMgmtApiAccessToken}", - 
"cache-control": "no-cache" -] -let parameters = ["is_first_party": "{ownershipBoolean}"] as [String : Any] - -let postData = JSONSerialization.data(withJSONObject: parameters, options: []) - -let request = NSMutableURLRequest(url: NSURL(string: "https://{yourDomain}/api/v2/clients/%7ByourClientId%7D")! as URL, - cachePolicy: .useProtocolCachePolicy, - timeoutInterval: 10.0) -request.httpMethod = "PATCH" -request.allHTTPHeaderFields = headers -request.httpBody = postData as Data - -let session = URLSession.shared -let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in - if (error != nil) { - print(error) - } else { - let httpResponse = response as? HTTPURLResponse - print(httpResponse) - } -}) - -dataTask.resume() -``` - - -| 値 | 説明 | -| --- | --- | -| `{yourClientId}` | 更新されるアプリケーションのID。 | -| `MGMT_API_ACCESS_TOKEN` | `update:clients`のスコープを持つ[Management APIのアクセストークン](/docs/ja-jp/api/management/v2/tokens)。 | -| `OWNERSHIP_BOOLEAN` | アプリケーションに対して指定したい所有権。アプリケーションがファーストパーティの場合は、`is_first_party`の値が`true`になります。アプリケーションがサードパーティの場合は、`is_first_party`の値が`false`になります。 | - -## もっと詳しく - -* [ファーストパーティーアプリケーションとサードパーティーアプリケーション](/docs/ja-jp/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) -* [アプリケーションの所有権を表示する](/docs/ja-jp/get-started/applications/confidential-and-public-applications/view-application-ownership) -* [ユーザーの同意とサードパーティアプリケーション](/docs/ja-jp/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications) -* [サードパーティアプリケーションを有効にする](/docs/ja-jp/get-started/applications/confidential-and-public-applications/enable-third-party-applications) \ No newline at end of file 
diff --git a/main/docs/ja-jp/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications.mdx b/main/docs/ja-jp/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications.mdx deleted file mode 100644 index 6a3a98ea06..0000000000 --- a/main/docs/ja-jp/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications.mdx +++ /dev/null 
@@ -1,309 +0,0 @@ ---- -title: "ユーザーの同意とサードパーティアプリケーション" -'description': "APIを、それを使用するアプリケーションから切り離す方法と、自分で制御していない、信頼できないサードパーティアプリの定義について説明します。" ---- -import {AuthCodeBlock} from "/snippets/AuthCodeBlock.jsx"; - -import {AuthCodeGroup} from "/snippets/AuthCodeGroup.jsx"; - -[OIDC](/docs/ja-jp/authenticate/protocols/openid-connect-protocol)準拠の認証パイプラインでは、リソースサーバー(APIなど)をアプリケーションとは別のエンティティとして定義することができます。そうすることで、APIを使用するアプリケーションからAPIを切り離すだけでなく、[サードパーティアプリケーション](/docs/ja-jp/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications)を定義して、外部パーティに対し、APIの内部で保護されているリソースへの安全なアクセスを許可することができます。 - -## 同意ダイアログ - -ユーザーがサードパーティアプリケーションを通じて認証を行い、そのアプリケーションがユーザー情報へのアクセスや、代理としてAPIで何らかのアクションを行うことへの認可を求める場合、ユーザーに対して同意ダイアログが表示されます。 - -たとえば、このような要求: - -``` lines -GET /authorize? -client_id=some_third_party_client -&redirect_uri=https://fabrikam.com/contoso_social -&response_type=token id_token -&__scope=openid profile email read:posts write:posts__ -&__audience=https://social.contoso.com__ -&nonce=... -&state=... 
-``` - -は、次のようなユーザー同意ダイアログになります。 - -![認可 - ユーザーの同意とアプリケーション - 同意ダイアログ](/docs/images/ja-jp/cdy7uua7fh8z/5Cz3aZKw8RRVlMkc5Zl6x7/3cbb542cc383a812a1116cd5ee04a7de/Consent_prompt.png) - -ユーザーがアプリケーションの要求を承認すると、ユーザー権限付与が作成されます。付与は、このアプリケーション、このリソースサーバー、このスコープの組み合わせに対するユーザーの同意を表します。アプリケーションは、その後、通常どおりにAuth0から認証成功の応答を受け取ります。 - -一度同意が与えられると、その同意が明示的に取り消されるまで、ログイン時に同意ダイアログが表示されなくなります。 - -## スコープの説明 - -デフォルトでは、同意ページは、スコープの名前を使ってユーザーの同意を求めます。下の図のように、スコープ名を **action:resource_name** 形式で定義します。 - -![認可 - ユーザーの同意とアプリケーション - 同意スコープ](/docs/images/ja-jp/cdy7uua7fh8z/3Z4Ofbj5yF7eg5cLfcauh9/304828f6a825bb01c5aeb3a7c8d1915f/Blog_API_Permissions.png) - -同意ページは、同じリソースに対するスコープをグループにまとめ、そのリソースに対するアクションを1行に表示します。たとえば上記の構成では、 **Posts: read and write your posts(投稿:あなたの投稿の読み取りと書き出し)** と表示されます。 - -代わりに **[Description(説明)]** フィールドを表示したい場合は、テナントの **use_scope_descriptions_for_consent** を **true** に設定します。これは、そのテナント上のすべてのAPIの同意プロンプトに影響します。 - -**use_scope_descriptions_for_consent** フラグを設定するには、APIに適切な呼び出しをする必要があります。 - - -```bash cURL -curl --request PATCH \ - --url 'https://{yourDomain}/api/v2/tenants/settings' \ - --header 'authorization: Bearer API2_ACCESS_TOKEN' \ - --header 'cache-control: no-cache' \ - --header 'content-type: application/json' \ - --data '{ "flags": { "use_scope_descriptions_for_consent": true } }' -``` -```csharp C# -var client = new RestClient("https://{yourDomain}/api/v2/tenants/settings"); -var request = new RestRequest(Method.PATCH); -request.AddHeader("content-type", "application/json"); -request.AddHeader("authorization", "Bearer API2_ACCESS_TOKEN"); -request.AddHeader("cache-control", "no-cache"); -request.AddParameter("application/json", "{ "flags": { "use_scope_descriptions_for_consent": true } }", ParameterType.RequestBody); -IRestResponse response = client.Execute(request); -``` -```go Go -package main - -import ( - "fmt" - "strings" - "net/http" - "io/ioutil" -) - -func main() { - - url := "https://{yourDomain}/api/v2/tenants/settings" - - payload := 
strings.NewReader("{ "flags": { "use_scope_descriptions_for_consent": true } }") - - req, _ := http.NewRequest("PATCH", url, payload) - - req.Header.Add("content-type", "application/json") - req.Header.Add("authorization", "Bearer API2_ACCESS_TOKEN") - req.Header.Add("cache-control", "no-cache") - - res, _ := http.DefaultClient.Do(req) - - defer res.Body.Close() - body, _ := ioutil.ReadAll(res.Body) - - fmt.Println(res) - fmt.Println(string(body)) - -} -``` -```java Java -HttpResponse response = Unirest.patch("https://{yourDomain}/api/v2/tenants/settings") - .header("content-type", "application/json") - .header("authorization", "Bearer API2_ACCESS_TOKEN") - .header("cache-control", "no-cache") - .body("{ "flags": { "use_scope_descriptions_for_consent": true } }") - .asString(); -``` -```javascript Node.JS -var axios = require("axios").default; - -var options = { - method: 'PATCH', - url: 'https://{yourDomain}/api/v2/tenants/settings', - headers: { - 'content-type': 'application/json', - authorization: 'Bearer API2_ACCESS_TOKEN', - 'cache-control': 'no-cache' - }, - data: {flags: {use_scope_descriptions_for_consent: true}} -}; - -axios.request(options).then(function (response) { - console.log(response.data); -}).catch(function (error) { - console.error(error); -}); -``` -```objc Obj-C -#import - -NSDictionary *headers = @{ @"content-type": @"application/json", - @"authorization": @"Bearer API2_ACCESS_TOKEN", - @"cache-control": @"no-cache" }; -NSDictionary *parameters = @{ @"flags": @{ @"use_scope_descriptions_for_consent": @YES } }; - -NSData *postData = [NSJSONSerialization dataWithJSONObject:parameters options:0 error:nil]; - -NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://{yourDomain}/api/v2/tenants/settings"] - cachePolicy:NSURLRequestUseProtocolCachePolicy - timeoutInterval:10.0]; -[request setHTTPMethod:@"PATCH"]; -[request setAllHTTPHeaderFields:headers]; -[request setHTTPBody:postData]; - -NSURLSession 
*session = [NSURLSession sharedSession]; -NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request - completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) { - if (error) { - NSLog(@"%@", error); - } else { - NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response; - NSLog(@"%@", httpResponse); - } - }]; -[dataTask resume]; -``` -```php PHP -$curl = curl_init(); - -curl_setopt_array($curl, [ - CURLOPT_URL => "https://{yourDomain}/api/v2/tenants/settings", - CURLOPT_RETURNTRANSFER => true, - CURLOPT_ENCODING => "", - CURLOPT_MAXREDIRS => 10, - CURLOPT_TIMEOUT => 30, - CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1, - CURLOPT_CUSTOMREQUEST => "PATCH", - CURLOPT_POSTFIELDS => "{ "flags": { "use_scope_descriptions_for_consent": true } }", - CURLOPT_HTTPHEADER => [ - "authorization: Bearer API2_ACCESS_TOKEN", - "cache-control: no-cache", - "content-type: application/json" - ], -]); - -$response = curl_exec($curl); -$err = curl_error($curl); - -curl_close($curl); - -if ($err) { - echo "cURL Error #:" . 
$err; -} else { - echo $response; -} -``` -```python Python -import http.client - -conn = http.client.HTTPSConnection("") - -payload = "{ "flags": { "use_scope_descriptions_for_consent": true } }" - -headers = { - 'content-type': "application/json", - 'authorization': "Bearer API2_ACCESS_TOKEN", - 'cache-control': "no-cache" - } - -conn.request("PATCH", "/{yourDomain}/api/v2/tenants/settings", payload, headers) - -res = conn.getresponse() -data = res.read() - -print(data.decode("utf-8")) -``` -```ruby Ruby -require 'uri' -require 'net/http' -require 'openssl' - -url = URI("https://{yourDomain}/api/v2/tenants/settings") - -http = Net::HTTP.new(url.host, url.port) -http.use_ssl = true -http.verify_mode = OpenSSL::SSL::VERIFY_NONE - -request = Net::HTTP::Patch.new(url) -request["content-type"] = 'application/json' -request["authorization"] = 'Bearer API2_ACCESS_TOKEN' -request["cache-control"] = 'no-cache' -request.body = "{ "flags": { "use_scope_descriptions_for_consent": true } }" - -response = http.request(request) -puts response.read_body -``` -```swift Swift -import Foundation - -let headers = [ - "content-type": "application/json", - "authorization": "Bearer API2_ACCESS_TOKEN", - "cache-control": "no-cache" -] -let parameters = ["flags": ["use_scope_descriptions_for_consent": true]] as [String : Any] - -let postData = JSONSerialization.data(withJSONObject: parameters, options: []) - -let request = NSMutableURLRequest(url: NSURL(string: "https://{yourDomain}/api/v2/tenants/settings")! as URL, - cachePolicy: .useProtocolCachePolicy, - timeoutInterval: 10.0) -request.httpMethod = "PATCH" -request.allHTTPHeaderFields = headers -request.httpBody = postData as Data - -let session = URLSession.shared -let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in - if (error != nil) { - print(error) - } else { - let httpResponse = response as? 
HTTPURLResponse - print(httpResponse) - } -}) - -dataTask.resume() -``` - - -## 拒否された許可に対処する - -ユーザーがアプリケーションへの同意を拒否した場合は、要求の中で指定された`redirect_uri`に、`access_denied`エラーと共にリダイレクトされます。 - -``` lines -HTTP/1.1 302 Found -Location: https://fabrikam.com/contoso_social# - error=access_denied - &state=... -``` - -## ファーストパーティアプリケーションに対して同意をスキップする - -ファーストパーティアプリケーションは、同意ダイアログをスキップできますが、これはユーザーの代わりにアクセスしようとしているAPIの **[Allow Skipping User Consent(ユーザー同意のスキップの許可)]** オプションが有効になっている場合にのみ可能です。 - - - -現時点では、検証可能なファーストパーティアプリケーションのみが同意ダイアログをスキップできます。`localhost`は検証可能なファーストパーティーになり得ない(ユーザーが悪意のあるアプリケーションを`localhost`で実行する可能性がある)ため、ファーストパーティーアプリケーションであるかにかかわらず、`localhost`で実行されるアプリケーションには常に同意ダイアログが表示されます。開発中には、以下のようなエントリーを`/etc/hosts`ファイルに追加すると、これを回避することができます。 - -`127.0.0.1 myapp.example` - -同様に、「`localhost`」がアプリケーションの **Allowed Callback URLs(許可されているコールバックURL)** 設定([[Dashboard]>[Applications(アプリケーション)]>[Settings(設定)]](https://manage.auth0.com/#/applications/{yourClientId}/settings))にあるいずれかのドメインに含まれている場合、(ファーストパーティーアプリケーションであっても)同意はスキップできません。必ず、 **Allowed Callback URLs(許可されているコールバックURL)** を更新して、アプリケーションに構成したコールバックURLと更新後のドメインマッピングが一致するようにしてください。 - - - -サードパーティアプリケーションは信頼できないものとみなされるため、同意ダイアログをスキップできません。 - -ユーザーが、一度同意したものの、それを取り消したい場合は: - -## 同意を取り消す - -[リソース所有者のパスワードフロー](/docs/ja-jp/get-started/authentication-and-authorization-flow/resource-owner-password-flow)を使うときは、同意ダイアログは使用されません。ユーザーが直接アプリケーションにパスワードを入力し、これがアプリケーションに対してユーザーアカウントへのフルアクセスを付与したことと同じになるためです。 - -1. [[Auth0 Dashboard]>[User Management(ユーザー管理]>[Users(ユーザー)]](https://manage.auth0.com/#/users)に移動し、同意を取り消すユーザーをクリックします。 -2. **[Authorized Application(認可アプリケーション)]** タブをクリックします。 -3. 
該当するアプリケーションの横にある **[Revoke(取り消し)]** をクリックします。 - -## パスワードベースのフロー - -`/authorize`エンドポイントにリダイレクトするときに`prompt=consent`パラメーターを含めることで、ユーザーに対して同意を強制できます。これは、ユーザーにアプリケーションと要求されたスコープに対するユーザー付与がすでにある場合でも同じです。 - -## ユーザーに同意を強制する - -同意ダイアログのUIは、カスタマイズすることも、カスタムドメインに設定することもできません。 - -## もっと詳しく - -* [ファーストパーティーアプリケーションとサードパーティーアプリケーション](/docs/ja-jp/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) -* [アプリケーションの所有権を表示する](/docs/ja-jp/get-started/applications/confidential-and-public-applications/view-application-ownership) -* [機密アプリケーションと公開アプリケーション](/docs/ja-jp/get-started/applications/confidential-and-public-applications) -* [サードパーティアプリケーションを有効にする](/docs/ja-jp/get-started/applications/confidential-and-public-applications/enable-third-party-applications) -* [アプリケーションの付与タイプ](/docs/ja-jp/get-started/applications/application-grant-types) \ No newline at end of file diff --git a/main/docs/ja-jp/get-started/applications/confidential-and-public-applications/view-application-ownership.mdx b/main/docs/ja-jp/get-started/applications/confidential-and-public-applications/view-application-ownership.mdx deleted file mode 100644 index 554253f5f8..0000000000 --- a/main/docs/ja-jp/get-started/applications/confidential-and-public-applications/view-application-ownership.mdx +++ /dev/null 
@@ -1,191 +0,0 @@ ---- -title: "アプリケーションの所有権を表示する" -'description': "Auth0 Management APIを使用して、アプリケーションがAuth0にファーストパーティーアプリとして登録されているのか、サードパーティーアプリとして登録されているのかを確認する方法について説明します。" ---- -import {AuthCodeBlock} from "/snippets/AuthCodeBlock.jsx"; - -import {AuthCodeGroup} from "/snippets/AuthCodeGroup.jsx"; - -Auth0のManagement APIを使って、アプリケーションがAuth0にファーストパーティーアプリケーションとして登録されているのか、サードパーティーアプリケーションとして登録されているのかを確認することができます。 - -[クライアント取得エンドポイント](/docs/ja-jp/api/management/v2#!/Clients/get_clients_by_id)に`GET`呼び出しを行います。必ず、`{yourClientId}`と`{yourMgmtApiAccessToken}`のプレースホルダーの値を、それぞれご自身のクライアントIDとManagement APIのアクセストークンに置き換えてください。 - - -```bash cURL -curl --request GET \ - --url 'https://{yourDomain}/api/v2/clients/%7ByourClientId%7D?fields=is_first_party&include_fields=true' \ - --header 'authorization: Bearer {yourMgmtApiAccessToken}' -``` -```csharp C# -var client = new RestClient("https://{yourDomain}/api/v2/clients/%7ByourClientId%7D?fields=is_first_party&include_fields=true"); -var request = new RestRequest(Method.GET); -request.AddHeader("authorization", "Bearer {yourMgmtApiAccessToken}"); -IRestResponse response = client.Execute(request); -``` -```go Go -package main - -import ( - "fmt" - "net/http" - "io/ioutil" -) - -func main() { - - url := "https://{yourDomain}/api/v2/clients/%7ByourClientId%7D?fields=is_first_party&include_fields=true" - - req, _ := http.NewRequest("GET", url, nil) - - req.Header.Add("authorization", "Bearer {yourMgmtApiAccessToken}") - - res, _ := http.DefaultClient.Do(req) - - defer res.Body.Close() - body, _ := ioutil.ReadAll(res.Body) - - fmt.Println(res) - fmt.Println(string(body)) - -} -``` -```java Java -HttpResponse response = Unirest.get("https://{yourDomain}/api/v2/clients/%7ByourClientId%7D?fields=is_first_party&include_fields=true") - .header("authorization", "Bearer {yourMgmtApiAccessToken}") - .asString(); -``` -```javascript Node.JS -var axios = require("axios").default; - -var options = { - method: 'GET', - url: 
'https://{yourDomain}/api/v2/clients/%7ByourClientId%7D', - params: {fields: 'is_first_party', include_fields: 'true'}, - headers: {authorization: 'Bearer {yourMgmtApiAccessToken}'} -}; - -axios.request(options).then(function (response) { - console.log(response.data); -}).catch(function (error) { - console.error(error); -}); -``` -```objc Obj-C -#import - -NSDictionary *headers = @{ @"authorization": @"Bearer {yourMgmtApiAccessToken}" }; - -NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://{yourDomain}/api/v2/clients/%7ByourClientId%7D?fields=is_first_party&include_fields=true"] - cachePolicy:NSURLRequestUseProtocolCachePolicy - timeoutInterval:10.0]; -[request setHTTPMethod:@"GET"]; -[request setAllHTTPHeaderFields:headers]; - -NSURLSession *session = [NSURLSession sharedSession]; -NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request - completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) { - if (error) { - NSLog(@"%@", error); - } else { - NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response; - NSLog(@"%@", httpResponse); - } - }]; -[dataTask resume]; -``` -```php PHP -$curl = curl_init(); - -curl_setopt_array($curl, [ - CURLOPT_URL => "https://{yourDomain}/api/v2/clients/%7ByourClientId%7D?fields=is_first_party&include_fields=true", - CURLOPT_RETURNTRANSFER => true, - CURLOPT_ENCODING => "", - CURLOPT_MAXREDIRS => 10, - CURLOPT_TIMEOUT => 30, - CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1, - CURLOPT_CUSTOMREQUEST => "GET", - CURLOPT_HTTPHEADER => [ - "authorization: Bearer {yourMgmtApiAccessToken}" - ], -]); - -$response = curl_exec($curl); -$err = curl_error($curl); - -curl_close($curl); - -if ($err) { - echo "cURL Error #:" . 
$err; -} else { - echo $response; -} -``` -```python Python -import http.client - -conn = http.client.HTTPSConnection("") - -headers = { 'authorization': "Bearer {yourMgmtApiAccessToken}" } - -conn.request("GET", "/{yourDomain}/api/v2/clients/%7ByourClientId%7D?fields=is_first_party&include_fields=true", headers=headers) - -res = conn.getresponse() -data = res.read() - -print(data.decode("utf-8")) -``` -```ruby Ruby -require 'uri' -require 'net/http' -require 'openssl' - -url = URI("https://{yourDomain}/api/v2/clients/%7ByourClientId%7D?fields=is_first_party&include_fields=true") - -http = Net::HTTP.new(url.host, url.port) -http.use_ssl = true -http.verify_mode = OpenSSL::SSL::VERIFY_NONE - -request = Net::HTTP::Get.new(url) -request["authorization"] = 'Bearer {yourMgmtApiAccessToken}' - -response = http.request(request) -puts response.read_body -``` -```swift Swift -import Foundation - -let headers = ["authorization": "Bearer {yourMgmtApiAccessToken}"] - -let request = NSMutableURLRequest(url: NSURL(string: "https://{yourDomain}/api/v2/clients/%7ByourClientId%7D?fields=is_first_party&include_fields=true")! as URL, - cachePolicy: .useProtocolCachePolicy, - timeoutInterval: 10.0) -request.httpMethod = "GET" -request.allHTTPHeaderFields = headers - -let session = URLSession.shared -let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in - if (error != nil) { - print(error) - } else { - let httpResponse = response as? 
HTTPURLResponse - print(httpResponse) - } -}) - -dataTask.resume() -``` - - -| 値 | 説明 | -| --- | --- | -| `{yourClientId}` | 更新するアプリケーションのID。 | -| `MGMT_API_ACCESS_TOKEN` | スコープが`read:clients`の[Management API](/docs/ja-jp/api/management/v2/tokens)のアクセストークン。 | - -アプリケーションがファーストパーティーの場合は、`is_first_party`フィールドの値が`true`になります。アプリケーションがサードパーティーの場合は、`is_first_party`フィールドの値が`false`になります。 - -## もっと詳しく - -* [ファーストパーティーアプリケーションとサードパーティーアプリケーション](/docs/ja-jp/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) -* [アプリケーションの所有権を更新する](/docs/ja-jp/get-started/applications/confidential-and-public-applications/update-application-ownership) -* [ユーザーの同意とサードパーティアプリケーション](/docs/ja-jp/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications) -* [サードパーティアプリケーションを有効にする](/docs/ja-jp/get-started/applications/confidential-and-public-applications/enable-third-party-applications) \ No newline at end of file diff --git a/main/docs/ja-jp/get-started/applications/dynamic-client-registration.mdx b/main/docs/ja-jp/get-started/applications/dynamic-client-registration.mdx index c941a49d4c..994520041d 100644 --- a/main/docs/ja-jp/get-started/applications/dynamic-client-registration.mdx +++ b/main/docs/ja-jp/get-started/applications/dynamic-client-registration.mdx 
@@ -496,5 +496,5 @@ APIアクセスを必要とする場合は、認証後にURLのハッシュフ ## もっと詳しく -* [ファーストパーティーアプリケーションとサードパーティーアプリケーション](/docs/ja-jp/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) -* [ユーザーの同意とサードパーティアプリケーション](/docs/ja-jp/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications) \ No newline at end of file +* [ファーストパーティーアプリケーションとサードパーティーアプリケーション](/docs/ja-jp/get-started/applications/first-party-and-third-party-applications) +* [ユーザーの同意とサードパーティアプリケーション](/docs/ja-jp/get-started/applications/third-party-applications/user-consent-and-third-party-applications) \ No newline at end of file diff --git a/main/docs/ja-jp/get-started/applications/first-party-and-third-party-applications.mdx b/main/docs/ja-jp/get-started/applications/first-party-and-third-party-applications.mdx new file mode 100644 index 0000000000..3ad502d781 --- /dev/null +++ b/main/docs/ja-jp/get-started/applications/first-party-and-third-party-applications.mdx 
@@ -0,0 +1,209 @@ +--- +title: First-Party and Third-Party Applications +description: "Learn the difference between first-party and third-party applications in Auth0." +--- + +import {AuthCodeBlock} from "/snippets/AuthCodeBlock.jsx"; +import {AuthCodeGroup} from "/snippets/AuthCodeGroup.jsx"; + +When you register an application in Auth0, you decide whether it is first-party or third-party based on who owns and operates it. +- First-party applications: Owned and operated by your organization. You control their deployment, credentials, and behavior. +- Third-party applications: Owned and operated by an external organization, such as a partner, an independent developer, or an AI agent. You grant them access to your resources, but you cannot directly control what they do with that access. + + +"Third-party" refers to operational control, not authorship. Many organizations outsource development of their own applications. For example, a contractor building your application does not make it third-party. The key distinction is: who deploys it, who holds the credentials, and who can stop it. + + +Confidential/public and first-party/third-party are independent classifications. Confidential or public describes the application's authentication capability (whether it can hold a secret). First-party or third-party describes the trust relationship (who owns and operates the application). + +Both first-party and third-party applications can be confidential (Regular Web App) or public (SPA, Native). A third-party Regular Web App is both confidential and third-party. + +## First-party applications + +First-party applications are controlled by the same organization or person who owns the Auth0 domain. For example, let's say you created a Contoso API and an application that logs into `contoso.com` and consumes the Contoso API. You would register both the API and application under the same Auth0 domain, and the application would be a first-party application. 
By default, all applications created via the [Auth0 Dashboard](https://manage.auth0.com/#/applications) are first-party applications. + +## Third-party applications + +Third-party applications are controlled by someone who most likely should not have administrative access to your Auth0 domain. Third-party applications enable external parties or partners to securely access protected resources behind your API. + +For example, if a partner company builds a data analytics dashboard to visualize information from your service, they must first register their application in your Auth0 tenant to obtain a client ID and secret. Even though this application is registered within your environment, it is considered third-party because the code and credentials are owned and operated by the partner, not by your organization. + +All applications created through [Dynamic Client Registration](/docs/get-started/applications/dynamic-client-registration) are third-party applications. To learn more about third-party applications in Auth0, read [Third-Party Applications](/docs/get-started/applications/third-party-applications). + +## First-party vs. third-party in Auth0 + +The following table summarizes the differences between first-party and third-party applications in Auth0: + +| | **First-party** | **Third-party** | +|---|---|---| +| **API access** | Follows the API's configured access policy | Always requires an explicit [client grant](/docs/get-started/applications/application-access-to-apis-client-grants) | +| **Auth0 system APIs** | Accessible in user flows | Not accessible in user flows | +| **User consent** | Can be skipped (if enabled on the API) | Always required | +| **Grant types** | All supported grant types | `authorization_code` and `refresh_token` | +| **OIDC** | Supported | Not supported. Planned for a future release. | +| **Rules** | Executed | Not supported. Results in error. 
| +| **Non-OAuth protocols** (SAML, WsFed) | Supported | Not supported | +| **Organizations** | Supported | Not supported. Planned for a future release. | +| **Client ID format** | Standard format | `tpc_` prefix | +| **Connections** | All enabled connections | Domain-level connections | + +To learn more about third-party applications in Auth0, read [Third-Party Applications](/docs/get-started/applications/third-party-applications). + +## Application ownership + +Application ownership is determined at creation time and cannot be changed afterward. By default, applications are created as first-party, which applies less restrictive security settings. To ensure the appropriate [security controls](/docs/get-started/applications/third-party-applications/security-controls) are applied, you must correctly identify applications owned by external parties as third-party when creating them through the Auth0 Dashboard or Management API. To learn how, read [Configure Third-Party Applications](/docs/get-started/applications/third-party-applications/configure-third-party-applications). + + +Application ownership is immutable. You cannot convert a third-party application to first-party or vice versa. + + +## Check application ownership + +To check if an application is first-party or third-party: + + + +1. Navigate to **Applications > Applications**. +2. Select the application. Third-party applications display a badge indicating they are third-party. + +![Dashboard application settings showing third-party badge](/docs/images/third-party-applications/third-party-badge.png) + + +Make a `GET` call to the [Get a Client endpoint](https://auth0.com/docs/api/management/v2#!/Clients/get_clients_by_id). Be sure to replace `{YOUR_CLIENT_ID}` +and `{YOUR_MANAGEMENT_API_ACCESS_TOKEN}` placeholder values with your client ID and Management API Access Token, respectively. 
+ + +```bash cURL +curl --request GET \ + --url 'https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}?fields=is_first_party&include_fields=true' \ + --header 'authorization: Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}' +``` +```csharp C# +var client = new RestClient("https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}?fields=is_first_party&include_fields=true"); +var request = new RestRequest(Method.GET); +request.AddHeader("authorization", "Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}"); +IRestResponse response = client.Execute(request); +``` +```go Go +package main + +import ( + "fmt" + "net/http" + "io/ioutil" +) + +func main() { + + url := "https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}?fields=is_first_party&include_fields=true" + + req, _ := http.NewRequest("GET", url, nil) + + req.Header.Add("authorization", "Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}") + + res, _ := http.DefaultClient.Do(req) + + defer res.Body.Close() + body, _ := ioutil.ReadAll(res.Body) + + fmt.Println(res) + fmt.Println(string(body)) + +} +``` +```java Java +HttpResponse response = Unirest.get("https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}?fields=is_first_party&include_fields=true") + .header("authorization", "Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}") + .asString(); +``` +```javascript Node.JS +var axios = require("axios").default; + +var options = { + method: 'GET', + url: 'https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}', + params: {fields: 'is_first_party', include_fields: 'true'}, + headers: {authorization: 'Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}'} +}; + +axios.request(options).then(function (response) { + console.log(response.data); +}).catch(function (error) { + console.error(error); +}); +``` +```php PHP +$curl = curl_init(); + +curl_setopt_array($curl, [ + CURLOPT_URL => "https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}?fields=is_first_party&include_fields=true", + CURLOPT_RETURNTRANSFER => true, + CURLOPT_ENCODING => "", + CURLOPT_MAXREDIRS => 10, + 
CURLOPT_TIMEOUT => 30, + CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1, + CURLOPT_CUSTOMREQUEST => "GET", + CURLOPT_HTTPHEADER => [ + "authorization: Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}" + ], +]); + +$response = curl_exec($curl); +$err = curl_error($curl); + +curl_close($curl); + +if ($err) { + echo "cURL Error #:" . $err; +} else { + echo $response; +} +``` +```python Python +import http.client + +conn = http.client.HTTPSConnection("") + +headers = { 'authorization': "Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}" } + +conn.request("GET", "/{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}?fields=is_first_party&include_fields=true", headers=headers) + +res = conn.getresponse() +data = res.read() + +print(data.decode("utf-8")) +``` +```ruby Ruby +require 'uri' +require 'net/http' +require 'openssl' + +url = URI("https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}?fields=is_first_party&include_fields=true") + +http = Net::HTTP.new(url.host, url.port) +http.use_ssl = true +http.verify_mode = OpenSSL::SSL::VERIFY_NONE + +request = Net::HTTP::Get.new(url) +request["authorization"] = 'Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}' + +response = http.request(request) +puts response.read_body +``` + + +| Value | Description | +| --- | --- | +| `YOUR_CLIENT_ID` | Τhe ID of the application to be updated. | +| `YOUR_MANAGEMENT_API_ACCESS_TOKEN` | [Access Tokens for the Management API](https://auth0.com/docs/api/management/v2/tokens) with the [scope](/docs/glossary?term=scope) `read:clients`. | + +If the application is first-party, the `is_first_party` field will have a value of `true`. If the application is third-party, the `is_first_party` field will have a value of `false`. 
+ + + +## Learn more + +- [Third-Party Applications](/docs/get-started/applications/third-party-applications) +- [Security Controls for Third-Party Applications](/docs/get-started/applications/third-party-applications/security-controls) +- [Confidential and Public Applications](/docs/get-started/applications/confidential-and-public-applications) +- [User Consent and Third-Party Applications](/docs/get-started/applications/third-party-applications/user-consent-and-third-party-applications) diff --git a/main/docs/ja-jp/get-started/applications/revoke-api-access.mdx b/main/docs/ja-jp/get-started/applications/revoke-api-access.mdx new file mode 100644 index 0000000000..aaac63ccab --- /dev/null +++ b/main/docs/ja-jp/get-started/applications/revoke-api-access.mdx 
@@ -0,0 +1,27 @@ +--- +title: "Revoke Access to APIs Using Application Grants" +--- +Configuring your application grant so that the tokens you issue last for only a short period means that when it comes time for you to revoke access to a protected resource, you can simply delete the grant. At this point, the party with the access token only has a limited period between when you delete the grant and the token's expiration to make additional API requests. Because this is an easy (and safe) option to implement, we recommend you deny access to your APIs and other protected resources by revoking application grants. + +If, for example, you are using a Machine-to-Machine [application](/docs/get-started/applications) to access your [API](/docs/get-started/apis) and you have a partner that calls your API, and at the end of your existing contract, you and your partner decide not to renew your partnership. You now want to remove your partner's access to your API. The issue, however, is that you've given your partner an access token that lasts for a month. + +* What can you do in this situation? +* How might you configure your Auth0 environment to make such situations easier to handle in the future? + +## Application grants + +The main issue in this scenario is the length of time for which the API access token is valid: one month. + +By default, Auth0 issues access tokens that last for 24 hours. Setting the token's lifetime to 24 hours means that your partner must repeat the client credentials exchange (or whichever grant you've implemented) to obtain a new access token every 24 hours. To deny access to your partner due to the expiration of your contract, you can simply delete the application grant so that when their existing token expires, they cannot request a new one. + +You can change the lifetime of a token by setting the `token_lifetime` option. The specific lifetime appropriate to your use case will vary, but we recommend setting this value to be as short as possible. 
A good starting point for determining this value would be the window you consider allowable for the delay between deleting the grant and final use of the API. + +### Delete an application grant + +To delete an application grant, make the appropriate `DELETE` call to the Management API's [Delete an Application Grant endpoint](https://auth0.com/docs/api/management/v2#!/Client_Grants/delete_client_grants_by_id). As part of the call, you'll need to specify the ID of the application grant you want to delete, which you can obtain via the Management API's [Get all Application Grants endpoint](https://auth0.com/docs/api/management/v2#!/Client_Grants/get_client_grants). + +You can also [update an Application's grant types](/docs/get-started/applications/update-grant-types) through the Auth0 Dashboard. + +## Learn more + +* [Data Security](/docs/secure/security-guidance/data-security) \ No newline at end of file diff --git a/main/docs/ja-jp/get-started/applications/third-party-applications.mdx b/main/docs/ja-jp/get-started/applications/third-party-applications.mdx new file mode 100644 index 0000000000..90ead8345a --- /dev/null +++ b/main/docs/ja-jp/get-started/applications/third-party-applications.mdx 
@@ -0,0 +1,86 @@ +--- +title: Third-Party Applications +sidebarTitle: Overview +description: Configure third-party applications to access your APIs with enhanced security controls. +--- +import {AuthCodeBlock} from "/snippets/AuthCodeBlock.jsx"; +import {AuthCodeGroup} from "/snippets/AuthCodeGroup.jsx"; + +Third-party applications are applications owned and operated by an external organization—a partner, independent developer, or AI agent—that authenticate your users and access your APIs. + +Unlike [first-party applications](/docs/get-started/applications/first-party-and-third-party-applications#first-party-applications) that you directly control, third-party applications operate independently: you grant them access to your resources, but you cannot control what they do with that access. To learn more about the differences between first-party and third-party applications, read [First-Party and Third-Party Applications](/docs/get-started/applications/first-party-and-third-party-applications). + +Third-party applications have the following unique characteristics: + +* **Enhanced security controls**: Auth0 enforces [enhanced security controls](/docs/get-started/applications/third-party-applications/security-controls) for third-party applications, ensuring external applications can only access resources you explicitly authorize. Features intended for first-party use cases are not available. +* **User Consent**: Auth0 always requires user consent when a third-party application requests access to APIs. Consent cannot be skipped. +* **Connections**: Third-party applications can only authenticate users through domain-level connections. To learn more, read [Promote Connections to Domain Level](/docs/authenticate/identity-providers/promote-connections-to-domain-level). + +## Use cases + +Common third-party application use cases include: + +- **Partner integrations**: External partners build applications that call your APIs on the user's behalf. 
For example, a CRM vendor integrates with your platform so that mutual customers can sync data between both products. +- **AI agents and MCP clients**: AI-powered tools such as Claude Code, VS Code with Copilot, or custom MCP servers connect to your APIs to perform actions on the user's behalf. To learn more, read [Auth for MCP](https://auth0.com/ai/docs/mcp/intro/overview). +- **Developer ecosystems**: You expose APIs for external developers to build applications on your platform, whether through a developer portal, a marketplace, or [Dynamic Client Registration](/docs/get-started/applications/dynamic-client-registration). +- **Cross App Access (XAA)**: A workforce application in another organization's tenant accesses your APIs through a trust relationship, where the requesting application is modeled as a third-party application in your tenant. To learn more, read [Cross App Access](/docs/secure/call-apis-on-users-behalf/xaa). + +## Supported client types + +Third-party applications support both confidential and public client types: + +| **Client type** | **Application type** | **Use case** | +|---|---|---| +| Confidential | Regular Web App | Server-side partner integrations | +| Public | Single Page App | Browser-based partner widgets | +| Public | Native | Mobile partner applications | + +## Supported grant types + +Third-party applications support: + +- `authorization_code` with mandatory PKCE +- `refresh_token` + +Additional grant types such as `client_credentials` are planned for a future release. + +## Get started + +To set up a third-party application in Auth0, follow these steps: + +### Step 1: Create the application + +[Create a third-party application](/docs/get-started/applications/third-party-applications/configure-third-party-applications#create-a-third-party-application) using the Auth0 Dashboard or the Management API. 
+ +### Step 2: Configure API access + +Third-party applications always require explicit authorization to access your APIs, even when the API's access policy is set to **Allow All.** You configure API access policies through [client grants](/docs/get-started/applications/application-access-to-apis-client-grants). + +You can configure default permissions that apply to all third-party applications automatically. This is useful in cases where you manage many third-party applications or use [Dynamic Client Registration](/docs/get-started/applications/dynamic-client-registration). To learn more, read [Default Permissions for Third-Party Applications](/docs/get-started/applications/application-access-to-apis-client-grants#default-permissions-for-third-party-applications). + +You can also define specific permissions for individual applications through [client grants](/docs/get-started/applications/application-access-to-apis-client-grants). Per-application permissions take precedence over the defaults. To learn more, read [Configure client grants](/docs/get-started/applications/application-access-to-apis-client-grants#configure-client-grants). + +### Step 3: Configure connections + +Third-party applications can only authenticate users through connections promoted to the domain level. Domain-level connections are available to all third-party applications in the tenant. + +To promote a connection to the domain level, read [Promote Connections to Domain Level](/docs/authenticate/identity-providers/promote-connections-to-domain-level). + +### Step 4: Users provide consent + +When a user authenticates through a third-party application, Auth0 displays a consent dialog asking the user to approve the requested permissions. Consent is always required for third-party applications and cannot be skipped. + +To learn more, read [User Consent and Third-Party Applications](/docs/get-started/applications/third-party-applications/user-consent-and-third-party-applications). 
+ +## Dynamic Client Registration + +[Dynamic Client Registration](/docs/get-started/applications/dynamic-client-registration) creates third-party applications with enhanced security controls by default. Before enabling DCR for third-party applications, you must [configure default API permissions](/docs/get-started/applications/dynamic-client-registration#configure-api-access-for-dcr-clients) so dynamically registered clients can access your APIs. + +## Learn more + +- [First-Party and Third-Party Applications](/docs/get-started/applications/first-party-and-third-party-applications) +- [Security Controls for Third-Party Applications](/docs/get-started/applications/third-party-applications/security-controls) +- [Configure Third-Party Applications](/docs/get-started/applications/third-party-applications/configure-third-party-applications) +- [User Consent and Third-Party Applications](/docs/get-started/applications/third-party-applications/user-consent-and-third-party-applications) +- [Troubleshoot Third-Party Applications](/docs/get-started/applications/third-party-applications/troubleshooting) +- [Application Access to APIs: Client Grants](/docs/get-started/applications/application-access-to-apis-client-grants) diff --git a/main/docs/ja-jp/get-started/applications/third-party-applications/configure-third-party-applications.mdx b/main/docs/ja-jp/get-started/applications/third-party-applications/configure-third-party-applications.mdx new file mode 100644 index 0000000000..5248e848ab --- /dev/null +++ b/main/docs/ja-jp/get-started/applications/third-party-applications/configure-third-party-applications.mdx 
@@ -0,0 +1,224 @@ +--- +title: Configure Third-Party Applications +description: "Create and configure third-party applications using the Auth0 Dashboard or Management API." +--- +import {AuthCodeBlock} from "/snippets/AuthCodeBlock.jsx"; +import {AuthCodeGroup} from "/snippets/AuthCodeGroup.jsx"; + +Create third-party applications that allow external developers, partners, or AI agents to access your APIs with enhanced security controls. + +## Prerequisites + +Before creating a third-party application, make sure you have: + +- An Auth0 tenant with at least one [API (resource server)](/docs/get-started/apis) configured +- At least one [connection](/docs/authenticate/identity-providers) promoted to the [domain level](/docs/authenticate/identity-providers/promote-connections-to-domain-level) (for user-facing flows) + +## Create a third-party application + +Create a third-party application using the Auth0 Dashboard or Management API. + + +1. Navigate to **Applications > Applications**. +2. Select **Create Application**. +3. Enter a name for the application and select the application type: + - Regular Web App for server-side confidential clients + - Single Page App for browser-based public clients + - Native for mobile or desktop public clients +4. Check the **This application is owned by a third party** toggle. +5. Select **Create**. 
+ +![Dashboard Create Application dialog with third-party toggle enabled](/docs/images/third-party-applications/create-application-dialog.png) + + + +Make a `POST` request to the `/api/v2/clients` endpoint with the following request body: + + +```bash cURL wrap lines +curl --request POST \ + --url 'https://YOUR_DOMAIN/api/v2/clients' \ + --header 'Authorization: Bearer YOUR_MANAGEMENT_API_TOKEN' \ + --header 'Content-Type: application/json' \ + --data '{ + "name": "Partner Application", + "is_first_party": false, + "app_type": "regular_web", + "callbacks": ["https://partner.example.com/callback"], + "grant_types": ["authorization_code", "refresh_token"], + "token_endpoint_auth_method": "client_secret_post" + }' +``` + + +| **Parameter** | **Type** | **Description** | +|---------------|----------|-----------------| +| `name` | String | Required. The name of the application. | +| `is_first_party` | Boolean | Indicates whether the application is first-party (`true`) or third-party (`false`). | +| `app_type` | String | The type of application (e.g., `regular_web`, `native`, `spa`, `non_interactive`). | +| `callbacks` | Array | A list of allowed callback URLs for the redirect after authentication. | +| `grant_types` | Array | A list of types of OAuth2 grants this client is allowed to use. Third-party applications are only allowed to use `authorization_code` and `refresh_token`. To learn more, read [Supported grant types](/docs/get-started/applications/third-party-applications#supported-grant-types). | +| `token_endpoint_auth_method` | String | The authentication method for the token endpoint (e.g., `client_secret_post`). | + +If successful, Auth0 creates the application with a `tpc_` client ID prefix, `authorization_code` and `refresh_token` grant types, and sets `third_party_security_mode` to `strict`, indicating that enhanced security controls are enabled. 
+ +```json wrap lines +{ + "client_id": "tpc_aBcDeFgHiJkLmNoPqRsTuV", + "third_party_security_mode": "strict", + "is_first_party": false, + "name": "Partner Application", + "grant_types": ["authorization_code", "refresh_token"], + ... +} +``` + +| **Parameter** | **Type** | **Description** | +|---------------|----------|-----------------| +| `client_id` |String |The unique identifier for the application with a `tpc` prefix to indicate it's a third-party application created with strict mode enabled. | +| `third_party_security_mode` | String | Defines the security profile. Set to `strict` to enforce enhanced security constraints for third-party apps. | +| `is_first_party` | Boolean | Must be set to `false` when using `strict` security mode to identify the app as third-party. | +| `name` | String | The display name of the application. | +| `grant_types` | Array | The OAuth2 grant types this application is authorized to use (e.g., authorization_code). | + + + + +The `third_party_security_mode` property is set at creation and cannot be changed. To use a different security mode, create a new application. + + +## Configure API access policies + +Third-party applications require explicit client grants to access APIs. You can configure API access policies in the following ways: +- [Default permissions for all third-party applications](#default-permissions-for-all-third-party-applications) +- [Per-application permissions](#per-application-permissions) + +### Default permissions for all third-party applications + +Default permissions define a baseline set of APIs and scopes available to all third-party applications. This is required for [Dynamic Client Registration](/docs/get-started/applications/dynamic-client-registration), where you cannot configure access for each application individually. + + + +1. Navigate to **Applications > APIs** and select the API. +2. Go to the **Settings** tab. +3. Scroll to **Default Permissions for Third Party Apps**. +4. 
Select **Authorized** for User Access or Client Access. +5. Select the scopes to grant, then select **Save**. + +![Dashboard API Settings with Default Permissions for Third Party Apps](/docs/images/third-party-applications/default-permissions-settings.png) + + + +Make a `POST` request to the `/api/v2/client-grants` endpoint with the following request body: + + +```bash cURL wrap lines +curl --request POST \ + --url 'https://YOUR_DOMAIN/api/v2/client-grants' \ + --header 'Authorization: Bearer YOUR_MANAGEMENT_API_TOKEN' \ + --header 'Content-Type: application/json' \ + --data '{ + "default_for": "third_party_clients", + "audience": "https://api.example.com", + "scope": ["read:items", "write:items"], + "subject_type": "user" + }' +``` + + +| **Parameter** | **Type** | **Description** | +|---------------|----------|----------------| +| `default_for` | String | Specifies if this grant is automatically applied to certain app types. Set to `third_party_clients` to ensure all third-party apps have access to this API by default. | +| `audience` | String | The unique identifier (URI) of the API the grant is being created for. | +| `scope` | Array | A list of permissions (scopes) that are allowed as part of this grant. | +| `subject_type` | String | Defines the type of application access allowed for the API:
  • `user`: Used for user-delegated access, which corresponds to flows that generate a token associated with an end-user.
  • `client`: Used for machine-to-machine access, such as the Client Credentials Flow.
| +
+ +### Per-application permissions + +To grant a specific third-party application broader or narrower access than the defaults, create a client grant for that application's `client_id`: + + +```bash cURL wrap lines +curl --request POST \ + --url 'https://YOUR_DOMAIN/api/v2/client-grants' \ + --header 'Authorization: Bearer YOUR_MANAGEMENT_API_TOKEN' \ + --header 'Content-Type: application/json' \ + --data '{ + "client_id": "tpc_aBcDeFgHiJkLmNoPqRsTuV", + "audience": "https://api.example.com", + "scope": ["read:items", "write:items", "delete:items"], + "subject_type": "user" + }' +``` + +| **Parameter** | **Type** | **Description** | +|---------------|----------|----------------| +| `client_id` | String | Specifies the application you want to create the client grant for. | +| `audience` | String | The unique identifier (URI) of the API the grant is being created for. | +| `scope` | Array | A list of permissions (scopes) that are allowed as part of this grant. | +| `subject_type` | String | Defines the type of application access allowed for the API:
  • `user`: Used for user-delegated access, which corresponds to flows that generate a token associated with an end-user.
  • `client`: Used for machine-to-machine access, such as the Client Credentials Flow.
| +
+ +When both a per-application grant and a default grant exist for the same API, the per-application grant takes precedence. + +To learn more, read [Application Access to APIs: Client Grants](/docs/get-started/applications/application-access-to-apis-client-grants). + +## Configure connections + +Third-party applications can only authenticate users through domain-level connections. Once a connection is promoted to the domain level, it becomes available to all third-party applications in the tenant. + +To promote a connection: + +1. Navigate to **Auth0 Dashboard > Authentication** and select the connection type (Database, Social, Enterprise). +2. Select the connection you want to use with third-party applications. +3. Enable the **Promote Connection to Domain Level** toggle. + +To learn more, read [Promote Connections to Domain Level](/docs/authenticate/identity-providers/promote-connections-to-domain-level). + +## Configure open redirect protection + +Third-party applications with enhanced security controls have **Open Redirect Protection** enabled by default. When enabled, Auth0 does not: +- Redirect to the application's callback URL on authentication errors +- Expose `application.callback_domain` in email templates + +Only disable **Open Redirect Protection** for third-party applications where the configured callback URIs are trusted. To learn more, read [Redirect Protection](/docs/get-started/applications/third-party-applications/security-controls#redirect-protection). + + + +1. Navigate to **Applications > Applications** and select the third-party application. +2. Go to the **Settings** tab and scroll to **Open Redirect Protection**. +3. Toggle the setting on or off. +4. Select **Save**. 
+ +![Dashboard Open Redirect Protection toggle](/docs/images/third-party-applications/open-redirect-protection.png) + + + +Set the `redirection_policy` property when creating or updating the application: + +```bash +curl --request PATCH \ + --url 'https://{yourDomain}/api/v2/clients/{CLIENT_ID}' \ + --header 'Authorization: Bearer {YOUR_MANAGEMENT_API_TOKEN}' \ + --header 'Content-Type: application/json' \ + --data '{ + "redirection_policy": "allow_always" + }' +``` + +Set to `open_redirect_protection` to enable (default) or `allow_always` to disable. + + + +## Dynamic Client Registration + +All [dynamically registered clients](/docs/get-started/applications/dynamic-client-registration) are third-party applications. Before enabling DCR, configure [default API permissions](#default-permissions-for-all-third-party-applications) so that dynamically registered clients can access your APIs. + +## Learn more + +- [Third-Party Applications](/docs/get-started/applications/third-party-applications) +- [Security Controls for Third-Party Applications](/docs/get-started/applications/third-party-applications/security-controls) +- [User Consent and Third-Party Applications](/docs/get-started/applications/third-party-applications/user-consent-and-third-party-applications) +- [Dynamic Client Registration](/docs/get-started/applications/dynamic-client-registration) +- [Promote Connections to Domain Level](/docs/authenticate/identity-providers/promote-connections-to-domain-level) diff --git a/main/docs/ja-jp/get-started/applications/third-party-applications/permissive-mode.mdx b/main/docs/ja-jp/get-started/applications/third-party-applications/permissive-mode.mdx new file mode 100644 index 0000000000..4531390303 --- /dev/null +++ b/main/docs/ja-jp/get-started/applications/third-party-applications/permissive-mode.mdx 
@@ -0,0 +1,110 @@ +--- +title: Permissive Mode for Third-Party Applications +description: "Learn about permissive mode for third-party applications." +--- + +Customers who have at least one tenant using third-party applications before April 2026 may have applications operating in permissive mode. This mode preserves pre-existing behavior for backward compatibility. + +## Who can use permissive mode + +Permissive mode is available to customers who have at least one tenant with third-party applications before April 2026. All tenants under that customer's account can create permissive third-party applications, even tenants that did not previously have third-party applications. + +These customers can: + +- Continue operating pre-existing third-party applications with their current behavior +- Create new third-party applications with `third_party_security_mode: "permissive"` via the Management API +- Create new applications with enhanced security controls at any time + +Customers without prior third-party application usage always create applications with enhanced security controls. They cannot use permissive mode. + +## What permissive mode means + +Third-party applications in permissive mode behave similarly to first-party applications in terms of available features: + +- Most grant types are available (authorization code, implicit, client credentials, device code) +- OIDC scopes and ID tokens are supported +- API access follows the API's configured [access policy](/docs/get-started/apis/api-access-policies-for-applications) (not forced to require a client grant) +- Standard client ID format (no `tpc_` prefix) +- All client properties can be configured + +Permissive mode requires more configuration effort from the admin to enforce security controls. 
You are responsible for: + +- Configuring [API access policies](/docs/get-started/apis/api-access-policies-for-applications) on each API to control which third-party applications can access them +- Reviewing which grant types and features are enabled for each application +- Monitoring third-party application behavior through [tenant logs](/docs/deploy-monitor/logs) + +## The `third_party_security_mode` property + +Every third-party application has a `third_party_security_mode` property that indicates its security mode. This property is set at creation and cannot be changed. + +| **Value** | **Meaning** | +|---|---| +| `strict` | Enhanced security controls. OAuth 2.1 alignment, explicit API authorization, focused feature set. | +| `permissive` | Pre-existing behavior. All features available, admin configures security controls manually. | + +Third-party applications created before the introduction of security modes return `third_party_security_mode: "permissive"` in API responses. + +## Feature comparison + +| **Capability** | **Enhanced security controls (strict)** | **Pre-existing behavior (permissive)** | +|---|---|---| +| **Grant types** | `authorization_code`, `refresh_token` | Most grant types (except `password`) | +| **PKCE** | Mandatory | Optional | +| **OIDC** | Not supported. Planned for a future release. 
| Supported | +| **API authorization** | Always requires explicit client grant | Follows API access policy | +| **Classic Login** | Not supported | Supported | +| **Legacy endpoints** | Not supported | Available | +| **Client ID format** | `tpc_` prefix | Standard format | +| **Configurable properties** | [Curated set of properties](/docs/get-started/applications/third-party-applications/security-controls#restricted-client-configuration) | All properties | +| **Future capabilities** | Rate limits and future improved security and management capabilities | Not available | +| **Creation via Dashboard** | Supported | Not available via Dashboard | + +## Dynamic Client Registration in permissive mode + +If your account is eligible for permissive mode and you use [Dynamic Client Registration](/docs/get-started/applications/dynamic-client-registration), you can control the security mode for dynamically registered clients with a separate tenant setting. + + + +1. Navigate to **Settings > Advanced**. +2. Under **Dynamic Client Registration (DCR) Security Mode**, select **Permissive**. +3. Select **Save**. + +![Dashboard Advanced Tenant Settings with DCR Security Mode dropdown](/docs/images/third-party-applications/dcr-security-mode.png) + + + +```bash +curl --request PATCH \ + --url 'https://{yourDomain}/api/v2/tenants/settings' \ + --header 'Authorization: Bearer {YOUR_MANAGEMENT_API_TOKEN}' \ + --header 'Content-Type: application/json' \ + --data '{ + "dynamic_client_registration_security_mode": "permissive" + }' +``` + + + +The `dynamic_client_registration_security_mode` setting is independent of the default for applications created via `POST /api/v2/clients`. You can configure it at any time. + + +If you set `dynamic_client_registration_security_mode` to `strict`, configure [default API permissions](/docs/get-started/applications/application-access-to-apis-client-grants#default-permissions-for-third-party-applications) first. 
Without them, dynamically registered clients cannot access any APIs. + + +## Adopt enhanced security controls + +Auth0 recommends adopting enhanced security controls for all new third-party applications. The `third_party_security_mode` property cannot be changed after an application is created — you cannot convert an existing permissive application to strict, or vice versa. Instead, you choose which security mode to use when creating new applications going forward. + +To understand how the default for new applications is changing and how to prepare, read [Migrate to Enhanced Security for Third-Party Applications](/docs/troubleshoot/product-lifecycle/deprecations-and-migrations/migrate-to-enhanced-security-third-party-applications). + + +If you need to replace an existing permissive application with a strict one, you must create a new application. This invalidates all existing refresh tokens and user grants for the old application. Coordinate the cutover with the external party to minimize disruption. + + +## Learn more + +- [Third-Party Applications](/docs/get-started/applications/third-party-applications) +- [Security Controls for Third-Party Applications](/docs/get-started/applications/third-party-applications/security-controls) +- [Migrate to Enhanced Security for Third-Party Applications](/docs/troubleshoot/product-lifecycle/deprecations-and-migrations/migrate-to-enhanced-security-third-party-applications) +- [Application Access to APIs: Client Grants](/docs/get-started/applications/application-access-to-apis-client-grants) +- [API Access Policies for Applications](/docs/get-started/apis/api-access-policies-for-applications) diff --git a/main/docs/ja-jp/get-started/applications/third-party-applications/security-controls.mdx b/main/docs/ja-jp/get-started/applications/third-party-applications/security-controls.mdx new file mode 100644 index 0000000000..44dbe00b48 --- /dev/null 
+++ b/main/docs/ja-jp/get-started/applications/third-party-applications/security-controls.mdx 
@@ -0,0 +1,175 @@ +--- +title: Security Controls for Third-Party Applications +description: "Learn about the security controls Auth0 enforces for third-party applications, including OAuth 2.1 and API authorization." +--- + +Auth0 enforces enhanced security controls for third-party applications to ensure: + +- **Protocol-level security**: Align with [OAuth 2.1 best practices](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1) to ensure modern, secure authorization flows. +- **Feature scope**: Ensure that external applications can only access resources you explicitly authorize. + + +Auth0 regularly enhances security for third-party applications. Only features explicitly documented as supported should be used in production. Unsupported features may be modified or restricted without notice in future updates. + + +## OAuth 2.1 standards + +Third-party applications enforce modern OAuth standards: + +- **PKCE mandatory**: All authorization code flows require [Proof Key for Code Exchange](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce). This prevents authorization code interception attacks. +- **Supported grant types**: Only `authorization_code` and `refresh_token` are available. Additional grant types such as `client_credentials` are planned for a future release. +- **Implicit and password grants not supported**: Legacy grant types that expose tokens in the browser URL or require direct credential handling are not available for third-party applications. + +## Explicit API authorization + +Third-party applications always require a [client grant](/docs/get-started/applications/application-access-to-apis-client-grants) to access any API, regardless of the API's [access policy](/docs/get-started/apis/api-access-policies-for-applications). 
+ +| **API access policy** | **First-party applications** | **Third-party applications** | +|---|---|---| +| Allow All | Access granted | Requires client grant | +| Require Client Grant | Requires client grant | Requires client grant | +| Deny | Access denied | Access denied | + +Third-party applications must have an explicit grant, even when an API is configured with an **Allow All** policy. You can configure a per-application grant or a [default third-party permission](/docs/get-started/applications/application-access-to-apis-client-grants#default-permissions-for-third-party-applications). + +Third-party applications cannot be granted access to [system APIs](/docs/get-started/apis#system-apis) such as the Management API or My Account API. + +## Restricted client configuration + +You can only configure a curated set of client properties for third-party applications. When new properties are added to Auth0, they are not available for third-party applications unless explicitly reviewed and added to the supported set. 
+ +Key supported properties include: + +| **Property** | **Notes** | +|---|---| +| `name`, `description`, `logo_uri` | Basic metadata | +| `callbacks` | Redirect URIs | +| `allowed_origins`, `web_origins` | CORS and web_message origins | +| `grant_types` | Must be `authorization_code` or `refresh_token` | +| `token_endpoint_auth_method` | Authentication method for the token endpoint | +| `app_type` | Must be `regular_web`, `spa`, `native`, or `non_interactive` | +| `client_metadata` | Custom key-value metadata | +| `jwt_configuration.lifetime_in_seconds` | Access token lifetime (defaults to 3600) | +| `jwt_configuration.alg` | Signing algorithm (must be `RS256`; `HS256` not supported) | +| `refresh_token.*` | Rotation, expiration, leeway, lifetime settings | +| `client_authentication_methods` | Private Key JWT (`private_key_jwt` only; no mTLS) | +| `require_proof_of_possession` | DPoP configuration | +| `redirection_policy` | Redirect behavior for error flows and email templates | + +For the complete list of supported properties, read the [Create a Client endpoint](https://auth0.com/docs/api/management/v2/clients/post-clients) in the Management API reference. + +## Client ID format + +Third-party applications have a `client_id` with a `tpc_` prefix assigned at creation. This prefix enables Auth0 to classify and manage third-party application traffic separately, including rate limits for third-party applications. + +The security mode and application ownership are permanent design decisions: + +- `third_party_security_mode` cannot be changed after creation. +- Third-party applications cannot be converted to first-party applications, and vice versa. + +## Refresh token settings + +Third-party applications enforce secure refresh token settings: + +- **Expiration required**: Non-expiring refresh tokens are not available. Infinite idle lifetime is not available. 
+- **Rotation enabled by default for public clients**: SPA and Native third-party applications have refresh token rotation enabled by default, aligned with the [OAuth 2.1](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1) and [MCP](https://modelcontextprotocol.io/specification/draft/basic/authorization) requirements. +- **Configurable**: Admins can adjust rotation, leeway, and lifetime settings for manually created third-party applications. + +## Redirect protection + +The `redirection_policy` property controls how Auth0 handles redirects for third-party applications. It accepts two values: + +| **Value** | **Behavior** | +|---|---| +| `open_redirect_protection` (default for third-party apps) | Auth0 does not redirect to the app callback on authentication errors. The `application.callback_domain` variable is not exposed in email templates. | +| `allow_always` | Standard redirect behavior. | + +Redirects without user interaction can be an attack vector for phishing when the redirect URI is controlled by an untrusted party (open redirect). Only set `redirection_policy` to `allow_always` for applications where the configured callback URIs are trusted. + +When `open_redirect_protection` is active: + +- Authentication errors display an error page instead of redirecting to the application. +- Email templates (email verification, password reset, user blocked) will not have access to `{{ application.callback_domain }}`, so a fallback must be configured alongside any use of `{{ application.callback_domain }}`. For example: + +```liquid wrap lines +{% if application.callback_domain == '' %} + https://YOUR_FALLBACK_DOMAIN +{% endif %} +{% if application.callback_domain != '' %} + {{ application.callback_domain }}/result-page +{% endif %} +``` + +## `/authorize` parameter validation + +Auth0 validates the parameters sent to the `/authorize` endpoint for third-party applications. Only standard OAuth 2.0 and OpenID Connect parameters are accepted. 
+ +**Allowed parameters:** + +- `acr_values` +- `audience` +- `authorization_details` +- `client_id` +- `code_challenge` +- `code_challenge_method` +- `connection` +- `correlation_id` +- `display` +- `dpop_jkt` +- `ext-*` (custom parameters) +- `login_hint` +- `max_age` +- `nonce` +- `prompt` +- `redirect_uri` +- `resource` +- `response_type` +- `scope` +- `state` +- `ui_locales` + +**Not supported:** + +- `claims` +- `id_token_hint` +- `invitation` +- `login_ticket` +- `request` (JAR) +- `request_uri` (PAR) +- `screen_hint` + +Requests with unsupported parameters receive an `invalid_request` error. + +## Backward compatibility + +Some tenants that were using third-party applications before April 2026 may have applications operating with different security settings for backward compatibility. To learn more, read [Permissive Mode for Third-Party Applications](/docs/get-started/applications/third-party-applications/permissive-mode). + +## Features not supported + +The following features are not supported for third-party applications: + +| **Feature** | **Status** | +|---|---| +| **OIDC scopes and ID tokens** | Not supported. Planned for a future release. | +| **`/userinfo` endpoint** | Not supported. | +| **Auth0 system APIs** (Management API, MFA API, My Account API, My Orgs API) | Not supported. Third-party applications cannot access system APIs in user flows. | +| **MFA during refresh token exchange** | Not supported. Refresh token transactions that trigger MFA will result in an error. | +| **Rules** | Not supported. Tenants with active Rules will receive an error when a strict third-party application triggers a login flow. | +| **Non-OAuth Authentication API endpoints** (`/dbconnections/*`, `/passwordless/*`) | Not supported. | +| **Legacy endpoints** (`/delegation`, `/oauth/ro`) | Not supported. | +| **SAML, WsFed** | Not supported. | +| **Classic Login** | Not supported. Use [Universal Login](/docs/authenticate/login/auth0-universal-login). 
| +| **PAR, CIBA, Device Code** | Not supported. Planned for a future release. | +| **Logout endpoints** | Not supported. Use `POST /oauth/revoke` to revoke tokens. | +| **Cross-origin authentication** | Not supported. | +| **Backchannel logout** | Not supported. Planned for a future release. | +| **Client ID import** | Not supported. | +| **Wildcard subdomains in URLs** | Not supported. Callback URLs, allowed origins, and web origins must use exact URLs. | + +## Learn more + +- [Third-Party Applications](/docs/get-started/applications/third-party-applications) +- [Configure Third-Party Applications](/docs/get-started/applications/third-party-applications/configure-third-party-applications) +- [Troubleshoot Third-Party Applications](/docs/get-started/applications/third-party-applications/troubleshooting) +- [Application Access to APIs: Client Grants](/docs/get-started/applications/application-access-to-apis-client-grants) +- [Permissive Mode for Third-Party Applications](/docs/get-started/applications/third-party-applications/permissive-mode) diff --git a/main/docs/ja-jp/get-started/applications/third-party-applications/troubleshooting.mdx b/main/docs/ja-jp/get-started/applications/third-party-applications/troubleshooting.mdx new file mode 100644 index 0000000000..1817368095 --- /dev/null +++ b/main/docs/ja-jp/get-started/applications/third-party-applications/troubleshooting.mdx 
@@ -0,0 +1,136 @@ +--- +title: Troubleshoot Third-Party Applications +description: "Resolve common errors when working with third-party applications in Auth0." +--- + +Use this page to resolve common errors when integrating with third-party applications. For an overview of third-party application capabilities and restrictions, read [Security Controls for Third-Party Applications](/docs/get-started/applications/third-party-applications/security-controls). + +## Identify third-party application issues + +If you encounter an error during an OAuth flow, check if the application is a third-party application: + +- **Client ID prefix**: Third-party applications have a `client_id` that starts with `tpc_`. +- **Tenant logs**: In [Auth0 Dashboard > Monitoring > Logs](https://manage.auth0.com/#/logs), filter by the application to review error events. + +## Common errors + +### `unauthorized_client` when requesting tokens + +**Cause**: The third-party application does not have a client grant for the requested API. Third-party applications always require an explicit client grant, even when the API access policy is set to **Allow All**. + +**Solution**: Create a client grant for the application or configure default permissions for third-party applications. To learn more, read [Application Access to APIs: Client Grants](/docs/get-started/applications/application-access-to-apis-client-grants). + +```bash +curl --request POST \ + --url 'https://YOUR_DOMAIN/api/v2/client-grants' \ + --header 'Authorization: Bearer YOUR_MANAGEMENT_API_TOKEN' \ + --header 'Content-Type: application/json' \ + --data '{ + "default_for": "third_party_clients", + "audience": "https://api.example.com", + "scope": ["read:items", "write:items"], + "subject_type": "user" + }' +``` + +### `unauthorized_client` even with "Allow All" API policy + +**Cause**: The API's access policy setting of **Allow All** applies only to first-party applications. 
Third-party applications always require an explicit client grant regardless of this setting. + +**Solution**: Configure a [default permission for third-party applications](/docs/get-started/applications/application-access-to-apis-client-grants#default-permissions-for-third-party-applications) or create a per-application client grant. + +### `invalid_request` on `/authorize` with unsupported parameters + +**Cause**: Third-party applications enforce strict parameter validation on the `/authorize` endpoint. Parameters such as `screen_hint`, `login_ticket`, `invitation`, `request` (JAR), and `request_uri` (PAR) are not supported. + +**Solution**: Remove unsupported parameters from your authorization request. For the list of allowed parameters, read [Security Controls for Third-Party Applications](/docs/get-started/applications/third-party-applications/security-controls#authorize-parameter-validation). + +### `unsupported_response_type` for `id_token` or `token` + +**Cause**: Implicit flow (`response_type=token` or `response_type=id_token`) is not available for third-party applications. + +**Solution**: Use `response_type=code` with [PKCE](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce). + +### No ID token returned from `/oauth/token` + +**Cause**: Third-party applications with enhanced security controls do not return ID tokens or process OIDC scopes (`openid`, `profile`, `email`) in this release. The token endpoint will return an access token but no `id_token`. + +**Solution**: Use API-scoped access tokens to retrieve the information your application needs. OIDC support for third-party applications is planned for a future release. + +### Grant type not supported + +**Cause**: Only `authorization_code` and `refresh_token` grant types are supported. Grant types such as `implicit`, `password`, `client_credentials`, and `urn:ietf:params:oauth:grant-type:device_code` are not available. 
+ +**Solution**: Update the application to use the [Authorization Code Flow with PKCE](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce). + +### Classic Login not working + +**Cause**: [Classic Login](/docs/authenticate/login/auth0-universal-login/universal-login-vs-classic-login/classic-experience) is not supported for third-party applications. + +**Solution**: Use [Universal Login](/docs/authenticate/login/auth0-universal-login). Universal Login is the recommended login experience for all applications. + +### Client ID starts with `tpc_` + +**Cause**: Third-party applications automatically receive a `tpc_` prefix on their client ID for traffic classification. This is assigned at creation and cannot be changed. + +**Solution**: This is expected behavior. Update any client-side validation or database constraints to accommodate the longer client ID format. + +### Cannot change `is_first_party` or security mode + +**Cause**: The security mode and application ownership are permanent design decisions set at creation. They cannot be changed afterward. + +**Solution**: Create a new application with the desired configuration. You cannot convert an existing application between first-party and third-party, or between security modes. + +### Email verification or password reset shows an error page + +**Cause**: The application's `redirection_policy` is set to `open_redirect_protection`, which prevents Auth0 from exposing `application.callback_domain` in email templates. 
+ +**Solution**: Update your email templates with a Liquid conditional that provides a fallback for third-party applications: + +```liquid wrap lines +{% if application.callback_domain == '' %} + https://YOUR_FALLBACK_DOMAIN +{% endif %} +{% if application.callback_domain != '' %} + {{ application.callback_domain }}/result-page +{% endif %} +``` + +Alternatively, set `redirection_policy` to `allow_always` for trusted third-party applications created via the Dashboard or Management API. To learn more, read [Security Controls for Third-Party Applications](/docs/get-started/applications/third-party-applications/security-controls#redirect-protection). + +### DCR client cannot access any API + +**Cause**: Dynamically registered clients require default permissions configured before they can request tokens. Without default permissions, third-party DCR clients have no API access. + +**Solution**: Configure default permissions for third-party applications on each API the DCR clients need to access. To learn more, read [Configure Third-Party Applications](/docs/get-started/applications/third-party-applications/configure-third-party-applications#default-permissions-for-all-third-party-applications). + +### `/userinfo` returns error + +**Cause**: The `/userinfo` endpoint is not available for third-party applications in this release. + +**Solution**: Use API-scoped access tokens to retrieve the information your application needs. OIDC support, including `/userinfo`, is planned for a future release. + +### `/oauth/revoke` works but logout endpoints do not + +**Cause**: Logout endpoints (`/v2/logout`) are not available for third-party applications. + +**Solution**: Use `POST /oauth/revoke` to revoke refresh tokens. The application is responsible for clearing its own session state. + +### Connection not available for a third-party application + +**Cause**: The connection is not promoted to the domain level. 
Third-party applications can only authenticate users through domain-level connections. + +**Solution**: Promote the connection to the domain level. To learn more, read [Promote Connections to Domain Level](/docs/authenticate/identity-providers/promote-connections-to-domain-level). + +### Refresh token rotation causing issues + +**Cause**: Refresh token rotation is enabled by default for public (SPA, Native) third-party applications, aligned with OAuth 2.1 requirements. + +**Solution**: Ensure your application handles rotating refresh tokens correctly, where each token exchange returns a new refresh token, and the previous one is invalidated. Admins can adjust rotation settings for manually created applications via the Dashboard or Management API. + +## Learn more + +- [Third-Party Applications](/docs/get-started/applications/third-party-applications) +- [Security Controls for Third-Party Applications](/docs/get-started/applications/third-party-applications/security-controls) +- [Configure Third-Party Applications](/docs/get-started/applications/third-party-applications/configure-third-party-applications) +- [Application Access to APIs: Client Grants](/docs/get-started/applications/application-access-to-apis-client-grants) diff --git a/main/docs/ja-jp/get-started/applications/third-party-applications/user-consent-and-third-party-applications.mdx b/main/docs/ja-jp/get-started/applications/third-party-applications/user-consent-and-third-party-applications.mdx new file mode 100644 index 0000000000..f408751ca5 --- /dev/null +++ b/main/docs/ja-jp/get-started/applications/third-party-applications/user-consent-and-third-party-applications.mdx 
@@ -0,0 +1,125 @@ +--- +title: User Consent and Third-Party Applications +description: "Learn how Auth0 handles user consent when applications request access to APIs on the user's behalf." +validatedOn: 2026-03-31 +--- +import {AuthCodeBlock} from "/snippets/AuthCodeBlock.jsx"; +import {AuthCodeGroup} from "/snippets/AuthCodeGroup.jsx"; + +OAuth allows applications to access APIs on the user's behalf. Before an application can act on a user's behalf, the user must explicitly approve the requested permissions. This approval step is called user consent. + +For [third-party applications](/docs/get-started/applications/third-party-applications), user consent is always required. The user must approve every authorization request. For [first-party applications](/docs/get-started/applications/first-party-and-third-party-applications), consent can be skipped when configured, because you control the application and trust it to act appropriately. + +## Consent dialog + +When a third-party application redirects a user to the `/authorize` endpoint and requests access to an API, Auth0 displays a consent dialog listing the permissions the application is requesting. + +The following authorization request displays a consent dialog asking the user to approve the `read:posts` and `write:posts` permissions for the API: + +```http wrap lines +GET /authorize? + client_id=tpc_THIRD_PARTY_CLIENT_ID + &redirect_uri=https://partner.example.com/callback + &response_type=code + &scope=read:posts write:posts + &audience=https://social.example.com + &code_challenge=CODE_CHALLENGE + &code_challenge_method=S256 + &state=STATE_VALUE +``` + +![Authorization - User consent and applications - consent-dialog](/docs/images/cdy7uua7fh8z/5Cz3aZKw8RRVlMkc5Zl6x7/62ac54cbc470286d5c2139d47c604ebc/2025-02-28_14-57-52.png) + +If the user approves, Auth0 creates a user grant representing the user's consent to this combination of application, API, and requested scopes. 
The application receives an authorization code as usual. + +Once consent has been given, the user does not see the consent dialog during subsequent logins until consent is revoked explicitly. + + +Third-party applications with enhanced security controls do not support OIDC scopes (`openid`, `profile`, `email`) in this release. The consent dialog shows API scopes only. OIDC support for third-party applications is planned for a future release. + + +## Scope descriptions + +By default, the consent page uses scope names to prompt for the user's consent. As shown below, define scopes using the `action:resource_name` format for clear display: + +![Authorization - User consent and applications - Consent scopes](/docs/images/cdy7uua7fh8z/3Z4Ofbj5yF7eg5cLfcauh9/556bab9e627b0ff68b20664d149f1483/Blog_API_Permissions_-_English.png) + +The consent page groups scopes for the same API and displays all actions in a single line. For example, the configuration above results in **Posts: read and write your posts**. + +To display the **Description** field instead of the scope name, set the tenant's `use_scope_descriptions_for_consent` flag to `true`: + + +```bash cURL wrap lines +curl --request PATCH \ + --url 'https://YOUR_DOMAIN/api/v2/tenants/settings' \ + --header 'Authorization: Bearer YOUR_MANAGEMENT_API_TOKEN' \ + --header 'Content-Type: application/json' \ + --data '{ "flags": { "use_scope_descriptions_for_consent": true } }' +``` + + +This setting affects consent prompts for all APIs on the tenant. + +## Handle rejected permissions + +When a user declines consent, the behavior depends on the application's [redirection policy](/docs/get-started/applications/third-party-applications/security-controls#redirect-protection): + +- **`open_redirect_protection`** (default for third-party apps): Auth0 displays an error page instead of redirecting. This prevents open redirect attacks. 
+- **`allow_always`**: Auth0 redirects to the `redirect_uri` with an `access_denied` error: + +```http wrap lines +HTTP/1.1 302 Found +Location: https://partner.example.com/callback? + error=access_denied + &state=STATE_VALUE +``` + +## Skip consent for first-party applications + +First-party applications can skip the consent dialog when the API has the **Allow Skipping User Consent** option enabled. + +To navigate to the **Allow Skipping User Consent** toggle, select **Applications > APIs > (select the API) > Settings > Access Settings**. + +Third-party applications always require consent and cannot skip the consent dialog. + + +Even when consent is skipped for first-party applications, a login confirmation prompt may still appear when the application uses a non-verifiable callback URI (such as `localhost` or a custom URI scheme). This protects users against application impersonation on the same device. To learn more, read [Measures Against Application Impersonation](/docs/secure/security-guidance/measures-against-app-impersonation). + + +## Revoke consent + +To revoke a user's consent for a specific application: + +1. Navigate to **Auth0 Dashboard > User Management > Users**. +2. Select the user. +3. Select the **Authorized Applications** tab. +4. Select **Revoke** next to the application. + +## Password-based flows + +When using the [Resource Owner Password Flow](/docs/get-started/authentication-and-authorization-flow/resource-owner-password-flow), no consent dialog is involved because the user directly provides their password to the application, which is equivalent to granting the application full access to the user's account. + +## Force consent + +To force users to provide consent on every login (even if they have an existing grant), include `prompt=consent` in the `/authorize` request: + +```http wrap lines +GET /authorize? 
+ client_id=tpc_THIRD_PARTY_CLIENT_ID + &redirect_uri=https://partner.example.com/callback + &response_type=code + &scope=read:posts write:posts + &audience=https://social.example.com + &prompt=consent + &code_challenge=CODE_CHALLENGE + &code_challenge_method=S256 + &state=STATE_VALUE +``` + +## Learn more + +- [Third-Party Applications](/docs/get-started/applications/third-party-applications) +- [First-Party and Third-Party Applications](/docs/get-started/applications/first-party-and-third-party-applications) +- [Security Controls for Third-Party Applications](/docs/get-started/applications/third-party-applications/security-controls) +- [Application Grant Types](/docs/get-started/applications/application-grant-types) +- [Measures Against Application Impersonation](/docs/secure/security-guidance/measures-against-app-impersonation) diff --git a/main/docs/ja-jp/get-started/applications/wildcards-for-subdomains.mdx b/main/docs/ja-jp/get-started/applications/wildcards-for-subdomains.mdx index 0363858331..330653fead 100644 --- a/main/docs/ja-jp/get-started/applications/wildcards-for-subdomains.mdx +++ b/main/docs/ja-jp/get-started/applications/wildcards-for-subdomains.mdx @@ -59,5 +59,5 @@ title: "サブドメインURLプレースホルダー" ## もっと詳しく * [機密アプリケーションと公開アプリケーション](/docs/ja-jp/get-started/applications/confidential-and-public-applications) -* [ファーストパーティーアプリケーションとサードパーティーアプリケーション](/docs/ja-jp/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications) -* [サードパーティアプリケーションを有効にする](/docs/ja-jp/get-started/applications/confidential-and-public-applications/enable-third-party-applications) \ No newline at end of file +* [ファーストパーティーアプリケーションとサードパーティーアプリケーション](/docs/ja-jp/get-started/applications/first-party-and-third-party-applications) +* [サードパーティアプリケーションを有効にする](/docs/ja-jp/get-started/applications/third-party-applications/configure-third-party-applications) \ No newline at end of file 
diff --git a/main/docs/ja-jp/libraries/auth0-single-page-app-sdk.mdx b/main/docs/ja-jp/libraries/auth0-single-page-app-sdk.mdx index 56703094f3..da1062c735 100644 --- a/main/docs/ja-jp/libraries/auth0-single-page-app-sdk.mdx +++ b/main/docs/ja-jp/libraries/auth0-single-page-app-sdk.mdx @@ -305,7 +305,7 @@ $('#getToken').click(async () => { }); ``` -`getTokenSilently()`メソッドを使用する場合は、**[Allow Skipping User Consent(ユーザー同意をスキップさせる)]** が[DashboardのAPI設定](https://manage.auth0.com/#/apis)で有効になっている必要があります。さらに、ユーザー同意を['localhost'でスキップすることはできません](/docs/ja-jp/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications)。 +`getTokenSilently()`メソッドを使用する場合は、**[Allow Skipping User Consent(ユーザー同意をスキップさせる)]** が[DashboardのAPI設定](https://manage.auth0.com/#/apis)で有効になっている必要があります。さらに、ユーザー同意を['localhost'でスキップすることはできません](/docs/ja-jp/get-started/applications/third-party-applications/user-consent-and-third-party-applications)。 ### ポップアップでアクセストークンを取得する diff --git a/main/docs/ja-jp/libraries/lock.mdx b/main/docs/ja-jp/libraries/lock.mdx index dbd7570947..b309bd1dc7 100644 --- a/main/docs/ja-jp/libraries/lock.mdx +++ b/main/docs/ja-jp/libraries/lock.mdx 
@@ -212,7 +212,7 @@ var lockPasswordless = new Auth0LockPasswordless( 1. SSOを行おうとするアプリケーションの両方が、ファーストパーティーのアプリケーションでなくてはなりません。サードパーティーのアプリケーションではSSOが動作しません。 2. カスタムドメインを使用していること、SSOを実装しようとしているアプリケーションとAuth0テナントが同じドメインにあることが必要です。従来、Auth0ドメインの形式は`foo.auth0.com`ですが、カスタムドメインを使用すると、該当するすべてのアプリケーションとAuth0テナントに同じドメインを使用してCSRF攻撃のリスクを回避できます。 -埋め込みログインの実装では、SSOをセットアップする代わりに、ユニバーサルログインの使用をお勧めします。ユニバーサル ログインは、SSOを実行するための最も信頼性が高く安定した方法であり、アプリケーションに複数のドメインを使用する必要がある場合や、[サードパーティアプリケーション](/docs/ja-jp/get-started/applications/confidential-and-public-applications/enable-third-party-applications)を使用する必要がある場合に実行できる唯一の方法です。 +埋め込みログインの実装では、SSOをセットアップする代わりに、ユニバーサルログインの使用をお勧めします。ユニバーサル ログインは、SSOを実行するための最も信頼性が高く安定した方法であり、アプリケーションに複数のドメインを使用する必要がある場合や、[サードパーティアプリケーション](/docs/ja-jp/get-started/applications/third-party-applications/configure-third-party-applications)を使用する必要がある場合に実行できる唯一の方法です。 ## エラーコードと説明 diff --git a/main/docs/ja-jp/libraries/lock/lock-authentication-parameters.mdx b/main/docs/ja-jp/libraries/lock/lock-authentication-parameters.mdx index b2d442f9bb..ab2568bfcc 100644 --- a/main/docs/ja-jp/libraries/lock/lock-authentication-parameters.mdx +++ b/main/docs/ja-jp/libraries/lock/lock-authentication-parameters.mdx @@ -39,7 +39,7 @@ Lockの初期化時に少なくともデフォルトのスコープ(`openid pr `Consent required.When using getSSOData, the user has to be authenticated with the following scope: openid profile email`(同意が必要です。getSSODataを使用する場合、ユーザーはopenid profile emailのスコープで認証される必要があります) -このエラーは、アプリケーションを運用環境で実行している場合や、スコープに`openid profile email`を指定した場合には発生**しません** 。詳細については、「[ユーザーの同意とサードパーティーアプリケーション](/docs/ja-jp/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications)」をお読みください。 +このエラーは、アプリケーションを運用環境で実行している場合や、スコープに`openid profile email`を指定した場合には発生**しません** 。詳細については、「[ユーザーの同意とサードパーティーアプリケーション](/docs/ja-jp/get-started/applications/third-party-applications/user-consent-and-third-party-applications)」をお読みください。 
diff --git a/main/docs/ja-jp/secure/tokens/json-web-tokens/json-web-token-claims.mdx b/main/docs/ja-jp/secure/tokens/json-web-tokens/json-web-token-claims.mdx index 5c5993aa88..151f199705 100644 --- a/main/docs/ja-jp/secure/tokens/json-web-tokens/json-web-token-claims.mdx +++ b/main/docs/ja-jp/secure/tokens/json-web-tokens/json-web-token-claims.mdx @@ -26,7 +26,7 @@ JWTクレームには以下の2種類があります。 ## 登録クレーム -JTW仕様は、予約済みのクレームを7つ定義しています。これらは必須ではありませんが、[サードパーティーアプリケーション](/docs/ja-jp/get-started/applications/confidential-and-public-applications/enable-third-party-applications)との相互運用性を確保するために推奨されています。これには、以下が含まれます。 +JTW仕様は、予約済みのクレームを7つ定義しています。これらは必須ではありませんが、[サードパーティーアプリケーション](/docs/ja-jp/get-started/applications/third-party-applications/configure-third-party-applications)との相互運用性を確保するために推奨されています。これには、以下が含まれます。 * `iss`(発行者):JWTの発行者 * `sub`(件名):JWT(ユーザー)の件名 diff --git a/main/docs/ja-jp/secure/tokens/refresh-tokens/multi-resource-refresh-token.mdx b/main/docs/ja-jp/secure/tokens/refresh-tokens/multi-resource-refresh-token.mdx index f6d2fa3817..326b524a2d 100644 --- a/main/docs/ja-jp/secure/tokens/refresh-tokens/multi-resource-refresh-token.mdx +++ b/main/docs/ja-jp/secure/tokens/refresh-tokens/multi-resource-refresh-token.mdx 
@@ -53,6 +53,6 @@ Learn how to [Configure and Implement Multi-resource refresh token](/docs/ja-jp/ ## Limitations * Each access token issued through MRRT is scoped to a single API. If your application requires access to multiple APIs, you must request separate access tokens for each API. -* MRRT supports only [first-party applications](https://auth0.com/docs/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications#first-party-applications). -* MRRT supports APIs configured to [allow skipping user consent](https://auth0.com/docs/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications#skip-consent-for-first-party-applications). +* MRRT supports only [first-party applications](https://auth0.com/docs/get-started/applications/first-party-and-third-party-applications#first-party-applications). +* MRRT supports APIs configured to [allow skipping user consent](https://auth0.com/docs/get-started/applications/third-party-applications/user-consent-and-third-party-applications#skip-consent-for-first-party-applications). * The Auth0 Management API can not be included in the MRRT policies. \ No newline at end of file diff --git a/main/docs/libraries/auth0-single-page-app-sdk.mdx b/main/docs/libraries/auth0-single-page-app-sdk.mdx index 5bfb04d0b4..9464f2afbe 100644 --- a/main/docs/libraries/auth0-single-page-app-sdk.mdx +++ b/main/docs/libraries/auth0-single-page-app-sdk.mdx 
@@ -303,7 +303,7 @@ $('#getToken').click(async () => { }); ``` -The `getTokenSilently()` method requires you to have **Allow Skipping User Consent** enabled in your [API Settings in the Dashboard](https://manage.auth0.com/#/apis). Additionally, user consent [cannot be skipped on 'localhost'](/docs/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications). +The `getTokenSilently()` method requires you to have **Allow Skipping User Consent** enabled in your [API Settings in the Dashboard](https://manage.auth0.com/#/apis). Additionally, user consent [cannot be skipped on 'localhost'](/docs/get-started/applications/third-party-applications/user-consent-and-third-party-applications). ### Get Access Token with popup diff --git a/main/docs/libraries/auth0js.mdx b/main/docs/libraries/auth0js.mdx index b56de1028c..e15b008ce0 100644 --- a/main/docs/libraries/auth0js.mdx +++ b/main/docs/libraries/auth0js.mdx @@ -97,7 +97,7 @@ If you don't specify at least the above scope when initializing auth0.js, and yo `Consent required. When using getSSOData, the user has to be authenticated with the following scope: openid profile email` -That will not happen when you run your application in production or if you specify the `openid profile email` scope. You can read more about this in the [User consent and third-party applications](/docs/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications) document. +That will not happen when you run your application in production or if you specify the `openid profile email` scope. You can read more about this in the [User consent and third-party applications](/docs/get-started/applications/third-party-applications/user-consent-and-third-party-applications) document. 
@@ -237,7 +237,7 @@ Apps with embedded login must meet two criteria in order to have Universal Login instead of setting up SSO in embedded login scenarios. Universal Login is the most reliable and stable way to perform SSO, and is the only way to do so if you must use multiple domains for your applications, or use [third-party applications](/docs/get-started/applications/confidential-and-public-applications/enable-third-party-applications). +Our recommendation is to use Universal Login instead of setting up SSO in embedded login scenarios. Universal Login is the most reliable and stable way to perform SSO, and is the only way to do so if you must use multiple domains for your applications, or use [third-party applications](/docs/get-started/applications/third-party-applications/configure-third-party-applications). ## Error Codes and Descriptions diff --git a/main/docs/libraries/lock/lock-authentication-parameters.mdx b/main/docs/libraries/lock/lock-authentication-parameters.mdx index c449e99f95..a73613752e 100644 --- a/main/docs/libraries/lock/lock-authentication-parameters.mdx +++ b/main/docs/libraries/lock/lock-authentication-parameters.mdx 
@@ -38,7 +38,7 @@ If you don't manually specify at least the default scope of `openid profile emai `Consent required. When using getSSOData, the user has to be authenticated with the following scope: openid profile email` -That will **not** happen when you run your application in production or if you specify the `openid profile email` scope. You can read more about this in the [User consent and third-party applications](/docs/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications) document. +That will **not** happen when you run your application in production or if you specify the `openid profile email` scope. You can read more about this in the [User consent and third-party applications](/docs/get-started/applications/third-party-applications/user-consent-and-third-party-applications) document. diff --git a/main/docs/secure/security-guidance/measures-against-app-impersonation.mdx b/main/docs/secure/security-guidance/measures-against-app-impersonation.mdx index 08ad676623..d70c8c4955 100644 --- a/main/docs/secure/security-guidance/measures-against-app-impersonation.mdx +++ b/main/docs/secure/security-guidance/measures-against-app-impersonation.mdx 
@@ -38,7 +38,7 @@ As defined in the [OAuth2 for Native Apps](https://datatracker.ietf.org/doc/html The confirmation screen displays when: 1. The `redirect_uri` present in the request uses a non-verifiable URI (i.e. a custom URI scheme or a loopback URI). -2. The user has not been prompted with any other screen in the current login transaction (such as when a [consent screen](/docs/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications) populates for third-party applications, or when MFA is required). +2. The user has not been prompted with any other screen in the current login transaction (such as when a [consent screen](/docs/get-started/applications/third-party-applications/user-consent-and-third-party-applications) populates for third-party applications, or when MFA is required). In these cases, the application presents the end user with a confirmation prompt. diff --git a/main/docs/secure/tokens/json-web-tokens/json-web-token-claims.mdx b/main/docs/secure/tokens/json-web-tokens/json-web-token-claims.mdx index 7fa6c0f559..3fa998b638 100644 --- a/main/docs/secure/tokens/json-web-tokens/json-web-token-claims.mdx +++ b/main/docs/secure/tokens/json-web-tokens/json-web-token-claims.mdx @@ -30,7 +30,7 @@ There are two types of JWT claims: ## Registered claims -The JWT specification defines seven reserved claims that are not required, but are recommended to allow interoperability with [third-party applications](/docs/get-started/applications/confidential-and-public-applications/enable-third-party-applications). These are: +The JWT specification defines seven reserved claims that are not required, but are recommended to allow interoperability with [third-party applications](/docs/get-started/applications/third-party-applications/configure-third-party-applications). These are: * `iss` (issuer): Issuer of the JWT * `sub` (subject): Subject of the JWT (the user) 
diff --git a/main/docs/secure/tokens/refresh-tokens/multi-resource-refresh-token.mdx b/main/docs/secure/tokens/refresh-tokens/multi-resource-refresh-token.mdx index ecd0492d2c..3a584ef276 100644 --- a/main/docs/secure/tokens/refresh-tokens/multi-resource-refresh-token.mdx +++ b/main/docs/secure/tokens/refresh-tokens/multi-resource-refresh-token.mdx @@ -48,6 +48,6 @@ Learn how to [Configure and Implement Multi-resource refresh token](/docs/secure ## Limitations * Each access token issued through MRRT is scoped to a single API. If your application requires access to multiple APIs, you must request separate access tokens for each API. -* MRRT supports only [first-party applications](/docs/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications#first-party-applications). -* MRRT supports APIs configured to [allow skipping user consent](/docs/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications#skip-consent-for-first-party-applications). +* MRRT supports only [first-party applications](/docs/get-started/applications/first-party-and-third-party-applications#first-party-applications). +* MRRT supports APIs configured to [allow skipping user consent](/docs/get-started/applications/third-party-applications/user-consent-and-third-party-applications#skip-consent-for-first-party-applications). * The Auth0 Management API can not be included in the MRRT policies.
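Review bot: In the `lock-authentication-parameters.mdx` (ja-jp) hunk, the rewritten line keeps a stray space before the sentence-final period (`発生**しません** 。`); since the line is already being touched, drop it (`発生**しません**。`) so the Japanese text does not carry over the spacing from the English `**not** happen`.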
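Review bot: In the `json-web-token-claims.mdx` (ja-jp) hunk, the rewritten line still reads `JTW仕様` where the English counterpart says `The JWT specification`; fix the transposition to `JWT仕様` in the same change rather than re-touching the line later.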
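Review bot: In the `multi-resource-refresh-token.mdx` (ja-jp) hunk, the two rewritten links are absolute `https://auth0.com/docs/get-started/...` URLs that send Japanese readers to the English pages, while every other hunk in this patch, including the English MRRT file, uses root-relative `/docs/...` paths; prefer the relative form (and the `/docs/ja-jp/` tree where those pages exist, as the other ja-jp hunks do). The file also still ends without a trailing newline on both sides of the hunk (`\ No newline at end of file`), which is worth fixing while it is being edited.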
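Review bot: In both `multi-resource-refresh-token.mdx` hunks, the new targets are inconsistent: `user-consent-and-third-party-applications` and `configure-third-party-applications` move under `/docs/get-started/applications/third-party-applications/`, but `first-party-and-third-party-applications` is placed directly under `/docs/get-started/applications/`. Confirm that page really lives outside the new `third-party-applications/` directory; if it was moved together with the others, both `first-party-applications` links will 404.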
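Review bot: The `auth0-single-page-app-sdk.mdx` hunk, like every other hunk here, retires the `/docs/get-started/applications/confidential-and-public-applications/...` paths; the patch updates internal links only, and the absolute `https://auth0.com/docs/...` form of the same paths appears in the ja-jp MRRT file, so external bookmarks and search results will still hit the old URLs. Confirm redirects from the old `confidential-and-public-applications/` paths to the new `third-party-applications/` (and renamed `configure-third-party-applications`) pages exist, or add them in this change.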
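Review bot: In the `auth0js.mdx` hunk at `@@ -237,7 +237,7 @@`, the removed line is shown without its `-Our recommendation is to use` prefix, so the old paragraph appears as plain context immediately before the `+Our recommendation is to use ...` line. If that is not just a rendering artifact, the hunk is malformed and will either fail to apply or leave two copies of the paragraph; compare with the ja-jp counterpart, where the `-` line is intact.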