> Describes grant types and how they relate to applications.

# Application Grant Types

Application grant types (or flows) are methods through which applications can gain [Access Tokens](/docs/secure/tokens/access-tokens) and by which you grant limited access to your resources to another entity without exposing credentials. The [OAuth 2.0 protocol](/docs/get-started/authentication-and-authorization-flow/which-oauth-2-0-flow-should-i-use) supports several types of grants, which allow different types of access.

Based on the needs of your application, some grant types are more appropriate than others. Auth0 provides many different authentication and <Tooltip tip="Authorization Flow: Authorization grant (or workflow) specified in the OAuth 2.0 framework." cta="View Glossary" href="/docs/glossary?term=authorization+flows">authorization flows</Tooltip> and allows you to indicate which grant types are appropriate based on the `grant_types` property of your application.

For example, if you want to secure a mobile application, the [Authorization Code Flow with Proof Key for Code Exchange (PKCE)](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce) is the most appropriate.

Alternatively, if you want to secure a client-side application, such as a single-page application (SPA), and aren't passing tokens between servers, the [Implicit Flow with Form Post](/docs/get-started/authentication-and-authorization-flow/implicit-flow-with-form-post) is the most appropriate.

Various grant types are valid when registering applications. These can be divided into the following categories:

* **Specification-conforming grants**: Grants defined by and conforming to external specifications, such as <Tooltip tip="OpenID: Open standard for authentication that allows applications to verify users' identities without collecting and storing login information." cta="View Glossary" href="/docs/glossary?term=OpenID">OpenID</Tooltip> Connect (OIDC).
* **Auth0 extension grants**: Auth0-specific grants that conform to the [OAuth extension mechanism](https://tools.ietf.org/html/rfc6749#section-4.5) to support additional clients or to provide a bridge between <Tooltip tip="OAuth 2.0: Authorization framework that defines authorization protocols and workflows." cta="View Glossary" href="/docs/glossary?term=OAuth">OAuth</Tooltip> and other trust frameworks.
* **Auth0 legacy grants**: Traditional grant types supported for legacy customers only. If you are a legacy customer, we highly recommend moving to a more secure alternative.

## Available grant types

### Specification-conforming grants

| Grant Type                                     | Description                                                                                                           |
| ---------------------------------------------- | --------------------------------------------------------------------------------------------------------------------- |
| `implicit`                                     | [Implicit Grant](/docs/get-started/authentication-and-authorization-flow/implicit-flow-with-form-post)                |
| `authorization_code`                           | [Authorization Code Grant](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow)           |
| `client_credentials`                           | [Client Credentials Grant](/docs/get-started/authentication-and-authorization-flow/client-credentials-flow)           |
| `password`                                     | [Resource Owner Password Grant](/docs/get-started/authentication-and-authorization-flow/resource-owner-password-flow) |
| `refresh_token`                                | [Use Refresh Tokens](/docs/secure/tokens/refresh-tokens/use-refresh-tokens)                                           |
| `urn:ietf:params:oauth:grant-type:device_code` | [Device Authorization Grant](/docs/get-started/authentication-and-authorization-flow/device-authorization-flow)       |

### Auth0 extension grants

| **Grant Type**                                            | **Description**                                                                                                            |
| --------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------- |
| **`http://auth0.com/oauth/grant-type/password-realm`**    | Use an extension grant similar to the Resource Owner Password Grant that includes the ability to indicate a specific realm |
| **`http://auth0.com/oauth/grant-type/mfa-oob`**           | Multi-factor Authentication OOB Grant Request                                                                              |
| **`http://auth0.com/oauth/grant-type/mfa-otp`**           | Multi-factor Authentication OTP Grant Request                                                                              |
| **`http://auth0.com/oauth/grant-type/mfa-recovery-code`** | Multi-factor Authentication Recovery Grant Request                                                                         |
| **`http://auth0.com/oauth/grant-type/passwordless/otp`**  | Embedded Passwordless Login Grant Request                                                                                  |

### Auth0 legacy grants

Legacy grants include:

* `http://auth0.com/oauth/legacy/grant-type/ro`
* `http://auth0.com/oauth/legacy/grant-type/ro/jwt-bearer`
* `http://auth0.com/oauth/legacy/grant-type/delegation/refresh_token`
* `http://auth0.com/oauth/legacy/grant-type/delegation/id_token`
* `http://auth0.com/oauth/legacy/grant-type/access_token`

Legacy grant types are traditional grant types supported for legacy customers only. If you are a legacy customer, we highly recommend moving to a more secure alternative.

As of 08 June 2017, all applications were given a `grant_types` property that must be populated. To avoid changes in functionality for Auth0 customers at that time, we populated the `grant_types` property for all existing applications with all Auth0 legacy, Auth0 extension, and specification-conforming grant types.

At this time, new Auth0 customers were no longer able to add legacy grant types to their applications. Legacy grant types are only available for previous customers while they migrate to new flows, to avoid breaking changes. If you were a customer prior to 8 June 2017, you can [enable a legacy grant type](/docs/get-started/applications/update-grant-types) using either the <Tooltip tip="Auth0 Dashboard: Auth0's main product to configure your services." cta="View Glossary" href="/docs/glossary?term=Auth0+Dashboard">Auth0 Dashboard</Tooltip> or the Auth0 <Tooltip tip="Management API: Auth0's API for managing tenant configuration, including applications." cta="View Glossary" href="/docs/glossary?term=Management+API">Management API</Tooltip>.

If you're currently using a legacy grant type, refer to the chart below to see which of the secure alternatives you should use instead. For example, if you're implementing <Tooltip tip="Passwordless: Form of authentication that does not rely on a password as the first factor." cta="View Glossary" href="/docs/glossary?term=Passwordless">Passwordless</Tooltip> Authentication, use [Universal Login](/docs/authenticate/login/auth0-universal-login) instead of the `oauth/ro` endpoint.

## Grant type mapping

When registered, applications have access to different grant types based on their application type, specifically whether the application is confidential or public. Additionally, trusted first-party applications have access to additional grant types.

### Public applications

When a Native Application or Single-Page Application (SPA) is registered in the Dashboard, it's automatically flagged as a public application, which is indicated by the `token_endpoint_auth_method` flag being set to `none`. By default, Auth0 creates public applications with the following `grant_types` enabled:

* `implicit`
* `authorization_code`
* `refresh_token`

Native Apps can also use the Device Authorization Grant (`urn:ietf:params:oauth:grant-type:device_code`).

Public applications cannot use the `client_credentials` grant type. To use this grant type, you must configure the application to be confidential rather than public. Use the Auth0 Management API [Update a client](https://auth0.com/docs/api/management/v2#!/Clients/patch_clients_by_id) endpoint to set the `token_endpoint_auth_method` to `client_secret_post`, `client_secret_basic`, or `private_key_jwt`. To learn more, read [Application Credentials](/docs/secure/application-credentials).

### Confidential applications

When a Regular Web Application or Machine-to-Machine (M2M) Application is registered in the Auth0 Dashboard, it's automatically flagged as a confidential application, which is indicated by the `token_endpoint_auth_method` flag being set to anything except `none`. By default, Auth0 creates confidential applications with the following `grant_types` enabled:

* `implicit`
* `authorization_code`
* `refresh_token`
* `client_credentials`

### Trusted first-party applications

Trusted first-party applications have the same `grant_types` enabled as confidential applications, along with the following:

* `password`
* `http://auth0.com/oauth/grant-type/password-realm`
* `http://auth0.com/oauth/grant-type/mfa-oob`
* `http://auth0.com/oauth/grant-type/mfa-otp`
* `http://auth0.com/oauth/grant-type/mfa-recovery-code`

If you are using the Dashboard to enable or disable these grant types, be aware that all the Password and <Tooltip tip="Multi-factor authentication (MFA): User authentication process that uses a factor in addition to username and password such as a code via SMS." cta="View Glossary" href="/docs/glossary?term=MFA">MFA</Tooltip> grant types are enabled when you add the `Password` or `MFA` grant type to your application. You cannot select them individually.

## Third-party application restrictions

[Third-party applications](/docs/get-started/applications/third-party-applications) support a limited set of grant types aligned with [OAuth 2.1 best practices](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1):

| **Grant type**                                 | **Available for third-party applications** |
| ---------------------------------------------- | ------------------------------------------ |
| `authorization_code`                           | Yes (PKCE mandatory)                       |
| `refresh_token`                                | Yes                                        |
| `client_credentials`                           | Yes (confidential clients only)            |
| `implicit`                                     | No                                         |
| `password`                                     | No                                         |
| `urn:ietf:params:oauth:grant-type:device_code` | No                                         |
| MFA grants                                     | No                                         |
| Legacy grants                                  | No                                         |

To learn more, read [Security Controls for Third-Party Applications](/docs/get-started/applications/third-party-applications/security-controls).
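The following is an added example, not Auth0's own code: it audits a client record against the grant type mapping and third-party restrictions described above and builds the `grant_types` body for the Update a client endpoint. It assumes the client record carries the Management API fields `grant_types`, `token_endpoint_auth_method` and `is_first_party`.

```python
# Constructed example (not Auth0 code). Audits an application's grant_types against
# the rules on this page:
#  - a public client (token_endpoint_auth_method == "none") cannot use client_credentials
#  - legacy grants are for pre-2017 customers only and should be migrated
#  - third-party applications get only authorization_code, refresh_token and
#    client_credentials (the last one for confidential clients only)
LEGACY_PREFIX = "http://auth0.com/oauth/legacy/grant-type/"
THIRD_PARTY_ALLOWED = {"authorization_code", "refresh_token", "client_credentials"}
CONFIDENTIAL_AUTH = {"client_secret_post", "client_secret_basic", "private_key_jwt"}


def _is_public(client: dict) -> bool:
    # Assumption: a missing token_endpoint_auth_method is treated as "none" (public).
    return client.get("token_endpoint_auth_method", "none") == "none"


def _is_first_party(client: dict) -> bool:
    # Assumption: the Management API field is_first_party; missing means first-party.
    return bool(client.get("is_first_party", True))


def audit_grant_types(client: dict) -> list[str]:
    """Return human-readable findings; an empty list means the record is consistent."""
    grants = set(client.get("grant_types", []))
    findings = []
    if _is_public(client) and "client_credentials" in grants:
        findings.append("client_credentials requires a confidential client; set "
                        "token_endpoint_auth_method to one of %s" % sorted(CONFIDENTIAL_AUTH))
    for g in sorted(grants):
        if g.startswith(LEGACY_PREFIX):
            findings.append(f"legacy grant {g}: migrate to a specification-conforming flow")
    if not _is_first_party(client):
        for g in sorted(grants - THIRD_PARTY_ALLOWED):
            findings.append(f"{g} is not available to third-party applications")
    return findings


def remediation_patch(client: dict) -> dict:
    """Body for the Management API Update a client endpoint that keeps only the grants
    this client type may use (order of the remaining grants is preserved)."""
    grants = [g for g in client.get("grant_types", []) if not g.startswith(LEGACY_PREFIX)]
    if not _is_first_party(client):
        grants = [g for g in grants if g in THIRD_PARTY_ALLOWED]
    if _is_public(client):
        grants = [g for g in grants if g != "client_credentials"]
    return {"grant_types": grants}
```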

## Learn more

* [Confidential and Public Applications](/docs/get-started/applications/confidential-and-public-applications)
* [Third-Party Applications](/docs/get-started/applications/third-party-applications)
* [First-Party and Third-Party Applications](/docs/get-started/applications/first-party-and-third-party-applications)
* [Subdomain URL Placeholders](/docs/get-started/applications/wildcards-for-subdomains)
