GET https://{yourDomain}/authorize
GET /authorize?
  response_type=code&
  client_id=YOUR_CLIENT_ID&
  redirect_uri=https://your-app.com/callback&
  scope=openid%20profile%20email&
  state=xyzABC123
Host: your-tenant.auth0.com

Authorizations

Authorization
string
header
required

The access token received from the authorization server in the OAuth 2.0 flow.

Query Parameters

response_type
enum<string>
required

Specifies the type of response you expect. Determines which OAuth 2.0 flow to use.

  • code - Authorization Code Flow (returns authorization code)
  • token - Implicit Flow for Access Token (returns access token)
  • id_token - Implicit Flow for ID Token (returns ID token)
  • id_token token - Implicit Flow (returns both)
  • code id_token - Hybrid Flow
  • code token - Hybrid Flow
  • code id_token token - Hybrid Flow
Available options: code, token, id_token, id_token token, code id_token, code token, code id_token token
client_id
string
required

Your application's Client ID. You can find this value in your Application Settings.

redirect_uri
string<uri>

The URL to which Auth0 will redirect the browser after authorization has been granted by the user. This URL must be registered in your application's Allowed Callback URLs settings.

Note: Required for most flows, but may be optional if a default is configured.

scope
string

Space-delimited list of scopes you want to request authorization for. Include openid to get an ID Token. Include offline_access to get a Refresh Token.

OIDC Scopes:

  • openid - Required for OpenID Connect
  • profile - User profile info (name, picture, etc.)
  • email - User email address
  • address - User address
  • phone - User phone number
  • offline_access - Refresh token

Custom Scopes: You can also request custom API scopes defined in your Auth0 APIs.

state
string

An opaque arbitrary alphanumeric string your app adds to the initial request that Auth0 includes when redirecting back to your application. This value must be used by the application to prevent CSRF attacks.

Recommended: Always include this parameter for security.

audience
string

The unique identifier of the target API you want to access. This is the API Identifier found in your API settings.

When to use: Include this when requesting an Access Token to call a specific API.

code_challenge
string

Challenge derived from the code_verifier for the PKCE flow. Required when using Authorization Code Flow with PKCE.

Format: BASE64URL(SHA256(code_verifier))

PKCE Flow: Used to prevent authorization code interception attacks in public clients (SPAs, mobile apps).

code_challenge_method
enum<string>

Method used to generate the challenge. Auth0 supports S256 (SHA-256).

Required when: Using code_challenge parameter.

Available options: S256
nonce
string

A random string value used to associate a client session with an ID Token and to mitigate replay attacks. The nonce value is included in the ID Token.

Required when: Using response_type that includes id_token (Implicit or Hybrid flows).

connection
string

The name of the connection configured for your application. Forces the user to sign in with a specific connection.

Examples: google-oauth2, facebook, Username-Password-Authentication, windowslive, linkedin

When to use: To skip the Auth0 Universal Login page and go directly to a specific identity provider.

prompt
enum<string>

Controls the authentication prompts presented to the user.

Values:

  • none - Silent authentication (no prompts, fails if user is not logged in)
  • login - Forces the user to re-enter credentials
  • consent - Forces consent prompt even if consent was previously given
  • select_account - Prompts user to select an account (when multiple sessions exist)

Use case: none is used for checking if a user is already authenticated without interrupting their experience.

Available options: none, login, consent, select_account
organization
string

ID of the organization to use when authenticating a user. When not provided, if your application is configured to Display Organization Prompt, the user will be able to enter the organization name when authenticating.

Use case: Authenticate users in the context of a specific organization (B2B scenarios).

invitation
string

Ticket ID of the organization invitation. When inviting a member to an Organization, your application should handle invitation acceptance by forwarding the invitation parameter along with the organization parameter when the user accepts the invitation.

Use case: Organization member invitation acceptance flow.

login_hint
string

Hint to the Authorization Server about the login identifier the user might use to log in. Can be an email address or other identifier.

Use case: Pre-fill the username/email field on the login page.

acr_values
string

Space-separated string that specifies the authentication context class reference values. Used to request specific authentication methods (e.g., MFA).

Example: http://schemas.openid.net/pape/policies/2007/06/multi-factor

max_age
integer

Maximum authentication age in seconds. If the elapsed time since the last authentication is greater than this value, the user must re-authenticate.

Use case: Require recent authentication for sensitive operations.

ui_locales
string

Space-delimited list of locales used to constrain the language list for the login page. The first locale on the list must match an enabled locale in your tenant.

Example: en es fr

response_mode
enum<string>

Specifies how the result of the authorization request is formatted.

Values:

  • query - Response parameters encoded in query string (default for code)
  • fragment - Response parameters encoded in URL fragment (default for token)
  • form_post - Response parameters sent as form POST to redirect_uri
  • web_message - For silent authentication in iframes
Available options: query, fragment, form_post, web_message
dpop_jkt
string

The JWK Thumbprint of the DPoP proof-of-possession public key, computed with the SHA-256 hash function as defined in RFC 7638.

Use case: Demonstrating Proof-of-Possession (DPoP) for enhanced security in OAuth 2.0.
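Added example (not part of the Auth0 reference, and not Auth0 SDK code): computing the dpop_jkt value, i.e. the RFC 7638 SHA-256 thumbprint of the client's DPoP public key, and attaching it to the /authorize parameters. It goes beyond the single-key case by handling EC, RSA and OKP keys; the helper names are assumptions, and the sample key's coordinates are constructed placeholders, not a real key pair.

```python
import base64
import hashlib
import json

# RFC 7638 section 3.2 lists the members hashed for each key type; everything else
# (kid, use, alg, and private members such as d) is excluded from the thumbprint.
REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),  # RFC 8037 applies the same rule to Ed25519/X25519 keys
}


def jwk_thumbprint_sha256(jwk: dict) -> str:
    """SHA-256 JWK Thumbprint (RFC 7638) of a JWK, BASE64URL-encoded: the dpop_jkt value."""
    kty = jwk.get("kty")
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported kty: {kty!r}")
    try:
        members = {name: jwk[name] for name in REQUIRED_MEMBERS[kty]}
    except KeyError as missing:
        raise ValueError(f"public JWK lacks required member {missing}") from None
    # Canonical form: required members only, lexicographic order, no whitespace, UTF-8
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":")).encode("utf-8")
    digest = hashlib.sha256(canonical).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def dpop_bound_authorize_params(jwk: dict, base_params: dict) -> dict:
    """Add dpop_jkt so the authorization server can bind the issued code to this DPoP key (RFC 9449 s.10)."""
    return {**base_params, "dpop_jkt": jwk_thumbprint_sha256(jwk)}


# Constructed sample P-256 public key: the coordinates are placeholders, not a real key pair
SAMPLE_EC_JWK = {
    "kty": "EC", "crv": "P-256", "kid": "dpop-key-1", "use": "sig",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
}
```

The same thumbprint must later be compared against the jwk in the DPoP proof header the client sends to the token endpoint, otherwise the binding buys nothing.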

Response

Redirect response. Auth0 redirects the user to authenticate or redirects back to your application with the authorization result.

Authorization Code Flow: Redirects to redirect_uri with code and state parameters:

https://your-app.com/callback?code=AUTHORIZATION_CODE&state=xyzABC123
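Added example (not part of the Auth0 reference, and not Auth0 SDK code) tying together the state, nonce and code_challenge parameters above with this Authorization Code Flow redirect: it derives the S256 challenge exactly as BASE64URL(SHA256(code_verifier)), builds the /authorize URL, and accepts the callback only when the echoed state matches. The tenant, client ID and redirect URI are the page's own placeholders; the helper names are assumptions.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlparse

AUTH0_DOMAIN = "your-tenant.auth0.com"  # placeholders taken from the page's request example
CLIENT_ID = "YOUR_CLIENT_ID"
REDIRECT_URI = "https://your-app.com/callback"

def b64url(raw: bytes) -> str:
    """BASE64URL without padding, the encoding RFC 7636 specifies for PKCE values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def code_challenge_from(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)), i.e. the S256 method."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())

def new_login_request(audience=None) -> dict:
    """Create per-login secrets (verifier, state, nonce) and the /authorize URL that commits to them."""
    code_verifier = b64url(secrets.token_bytes(32))  # 43 unreserved chars, within RFC 7636's 43..128
    state = b64url(secrets.token_bytes(16))          # opaque CSRF binder, echoed back by Auth0
    nonce = b64url(secrets.token_bytes(16))          # bound into the ID Token to defeat replay
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge_from(code_verifier),
        "code_challenge_method": "S256",
    }
    if audience:  # only when an Access Token for a specific API is wanted
        params["audience"] = audience
    url = f"https://{AUTH0_DOMAIN}/authorize?" + urlencode(params, quote_via=quote)
    # Keep verifier, state and nonce server-side (or in the SPA's session) until the callback arrives
    return {"code_verifier": code_verifier, "state": state, "nonce": nonce, "url": url}

def extract_code(callback_url: str, expected_state: str) -> str:
    """Accept an Authorization Code Flow redirect only if its state matches the one we issued."""
    qs = parse_qs(urlparse(callback_url).query)
    received_state = qs.get("state", [""])[0]
    if not received_state or not secrets.compare_digest(received_state, expected_state):
        raise ValueError("state mismatch: discard this callback (possible CSRF)")
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code
```

The stored code_verifier is then sent to the token endpoint with the code, and the stored nonce is compared with the nonce claim of the returned ID Token.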

Implicit Flow (token): Redirects to redirect_uri with tokens in fragment:

https://your-app.com/callback#access_token=...&token_type=Bearer&expires_in=86400&state=xyzABC123

Implicit Flow (id_token): Redirects to redirect_uri with ID token in fragment:

https://your-app.com/callback#id_token=...&state=xyzABC123