- Receive a
tpc_client ID prefix - Require PKCE for authorization code flows
- Support only
authorization_codeandrefresh_tokengrant types. Theclient_credentialsgrant type is not available via DCR. - Can only access APIs through explicit client grants
- Can only use domain-level connections for authentication
Enable Dynamic Client Registration
By default, Dynamic Client Registration is disabled for all tenants. To enable Dynamic Client Registration, use the Auth0 Dashboard or Management API.- Auth0 Dashboard
- Management API
- Navigate to Dashboard > Settings > Advanced and enable Dynamic Client Registration (DCR).
Configure API access for DCR clients
Before enabling DCR, configure default permissions for third-party applications on the APIs that dynamically registered clients should access. Without default permissions, DCR clients will not be able to access any API. Default permissions define a baseline set of APIs and scopes available to all third-party applications automatically. This is essential for DCR because you cannot configure per-application client grants during the registration flow. To learn how to configure default permissions, read Configure Third-Party Applications.Register an application
To dynamically register an application, make aPOST request to the /oidc/register endpoint. Because Auth0 supports Open Dynamic Registration, the /oidc/register endpoint accepts registration requests without an access token.
If successful, Auth0 returns the application credentials:
Third-party developers cannot modify application settings after registration. If changes are necessary, they must contact the tenant owner.
client_id and configured redirect_uris.
Tenant Access Control List (ACL)
Auth0 provides a Tenant Access Control List (ACL) to manage traffic to the/oidc/register endpoint. You can restrict who can send DCR requests by configuring ACL rules based on:
- Source IP addresses and CIDR ranges
- Geolocation
- Other request signals
dcr scope to an ACL rule. To learn more, read Tenant ACL Reference.
Rate limits
The/oidc/register endpoint is rate-limited to 5 requests per second per tenant. To learn more about rate limits, read Rate Limit Configuration.