Expand Up @@ -104,7 +104,7 @@ If you are using the Dashboard to enable or disable these grant types, be aware
|---|---|
| `authorization_code` | Yes (PKCE mandatory) |
| `refresh_token` | Yes |
| `client_credentials` | Planned for a future release |
| `client_credentials` | Yes (confidential clients only) |
| `implicit` | No |
| `password` | No |
| `urn:ietf:params:oauth:grant-type:device_code` | No |
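Review bot: the new `client_credentials` row says "confidential clients only" without saying what makes a client confidential; the security-controls text elsewhere in this change defines it as `token_endpoint_auth_method` not being `none`. Suggest putting that in the cell or linking to it, e.g. ``| `client_credentials` | Yes (confidential clients only; `token_endpoint_auth_method` must not be `none`) |``, so a reader of this table can tell why a SPA or native application is refused the grant.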
Expand Up @@ -141,7 +141,7 @@ For troubleshooting help, read [Troubleshoot Invalid Token Errors](/docs/trouble

### Grant Types

Select grant types to enable or disable for your application. Available grant types are based on the application type and [application ownership](/docs/get-started/applications/first-party-and-third-party-applications). Third-party applications with enhanced security controls only support `authorization_code` and `refresh_token`.
Select grant types to enable or disable for your application. Available grant types are based on the application type and [application ownership](/docs/get-started/applications/first-party-and-third-party-applications). Third-party applications with enhanced security controls support `authorization_code`, `refresh_token`, and `client_credentials`.

<Frame>![Dashboard Applications Application Settings Tab Advanced Settings Grant Types tab](/docs/images/cdy7uua7fh8z/4ZMq4VfeGsKsKfZVFwSqe8/a0057749551915ac8d24b151bc27e875/Grant_Types_-_English.png)</Frame>

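Review bot: dropping "only" from this sentence loses the exclusivity the old wording carried, so it now reads as if any third-party application can use all three grants unconditionally. Suggest "Third-party applications with enhanced security controls support only `authorization_code`, `refresh_token`, and `client_credentials` (the last for confidential clients only)", which matches the grant-type lists elsewhere in this change.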
Expand Up @@ -12,7 +12,7 @@ All applications created through Dynamic Client Registration are [third-party ap

- Receive a `tpc_` client ID prefix
- Require PKCE for authorization code flows
- Support only `authorization_code` and `refresh_token` grant types
- Support only `authorization_code` and `refresh_token` grant types. The `client_credentials` grant type is not available via DCR.
- Can only access APIs through explicit [client grants](/docs/get-started/applications/application-access-to-apis-client-grants)
- Can only use [domain-level connections](/docs/authenticate/identity-providers/promote-connections-to-domain-level) for authentication

Expand Down Expand Up @@ -78,7 +78,7 @@ curl --request POST \
| `client_name` | The name of the application to create. |
| `redirect_uris` (required) | An array of URLs that Auth0 will accept as valid callback URLs at the end of an authentication flow. |
| `token_endpoint_auth_method` | The authentication method for the token endpoint. Use `none` for public clients (SPA, Native) or `client_secret_post` (default) for confidential clients. |
| `grant_types` | The grant types the application wants to use. Filtered down in response to reflect the ones it will be allowed to use. Third-party applications support `authorization_code` and `refresh_token`. |
| `grant_types` | The grant types the application wants to use. Filtered down in response to reflect the ones it will be allowed to use. Applications created through DCR support `authorization_code` and `refresh_token`. |
| `response_types` | The response types the application will use. Use `code` for authorization code flow. |

If successful, Auth0 returns the application credentials:
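Review bot: the `grant_types` description says the requested list is "filtered down in response", but after this change it does not say what happens to `client_credentials` when a DCR request includes it. Since the bullet earlier in this file states that the grant is not available via DCR, suggest saying so here explicitly, e.g. "`client_credentials` is not available via DCR and is filtered out of the returned `grant_types`", so integrators know to check the response rather than assume the request was honoured.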
Expand Up @@ -39,11 +39,11 @@ The following table summarizes the differences between first-party and third-par
| **API access** | Follows the API's configured access policy | Always requires an explicit [client grant](/docs/get-started/applications/application-access-to-apis-client-grants) |
| **Auth0 system APIs** | Accessible in user flows | Not accessible in user flows |
| **User consent** | Can be skipped (if enabled on the API) | Always required |
| **Grant types** | All supported grant types | `authorization_code` and `refresh_token` |
| **Grant types** | All supported grant types | `authorization_code`, `refresh_token`, and `client_credentials` |
| **OIDC** | Supported | Not supported. Planned for a future release. |
| **Rules** | Executed | Not supported. Results in error. |
| **Non-OAuth protocols** (SAML, WsFed) | Supported | Not supported |
| **Organizations** | Supported | Not supported. Planned for a future release. |
| **Organizations** | Supported | Machine-to-machine access supported via [organization client grants](/docs/manage-users/organizations/configure-organizations/configure-organization-client-grants). User flows planned for a future release. |
| **Client ID format** | Standard format | `tpc_` prefix |
| **Connections** | All enabled connections | Domain-level connections |

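Review bot: the third-party Grant types cell now lists `client_credentials` without the confidential-client restriction that the other pages in this change attach to it, and the Organizations cell does not mention that `allow_any_organization` is not permitted, which the security-controls page in this change states. Suggest "`authorization_code`, `refresh_token`, and `client_credentials` (confidential clients only)" for the first cell and a short "explicit grant required per organization; `allow_any_organization` not permitted" in the Organizations cell, or a link to the security-controls page from both.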
Expand Up @@ -41,8 +41,7 @@ Third-party applications support:

- `authorization_code` with mandatory PKCE
- `refresh_token`

Additional grant types such as `client_credentials` are planned for a future release.
- `client_credentials` (confidential clients only)

## Get started

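Review bot: removing the "planned for a future release" sentence leaves this overview list without the qualification that `client_credentials` is not available to applications created through Dynamic Client Registration or CIMD, which the security-controls section in this change adds. Suggest a short note on the `client_credentials` bullet or directly after the list, since this is the page readers are likely to land on first.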
Expand Up @@ -57,7 +57,7 @@ curl --request POST \
| `is_first_party` | Boolean | Indicates whether the application is first-party (`true`) or third-party (`false`). |
| `app_type` | String | The type of application (e.g., `regular_web`, `native`, `spa`, `non_interactive`). |
| `callbacks` | Array | A list of allowed callback URLs for the redirect after authentication. |
| `grant_types` | Array | A list of types of OAuth2 grants this client is allowed to use. Third-party applications are only allowed to use `authorization_code` and `refresh_token`. To learn more, read [Supported grant types](/docs/get-started/applications/third-party-applications#supported-grant-types). |
| `grant_types` | Array | A list of types of OAuth2 grants this client is allowed to use. Third-party applications support `authorization_code`, `refresh_token`, and `client_credentials`. To learn more, read [Security Controls for Third-Party Applications](/docs/get-started/applications/third-party-applications/security-controls). |
| `token_endpoint_auth_method` | String | The authentication method for the token endpoint (e.g., `client_secret_post`). |

If successful, Auth0 creates the application with a `tpc_` Client ID prefix, `authorization_code` and `refresh_token` grant types, and sets `third_party_security_mode` to `strict`, indicating that enhanced security controls are enabled.
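Review bot: the unchanged trailing line still says a successful request creates the application with `authorization_code` and `refresh_token` grant types, which now contradicts the updated `grant_types` row directly above it that lists `client_credentials` as supported. Suggest either saying the application is created with the grant types from the request (restricted to the three supported values) or stating that `authorization_code` and `refresh_token` are the defaults when `grant_types` is omitted, whichever the API actually does.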
Expand Up @@ -48,7 +48,7 @@ Third-party applications created before the introduction of security modes retur

| **Capability** | **Enhanced security controls (strict)** | **Pre-existing behavior (permissive)** |
|---|---|---|
| **Grant types** | `authorization_code`, `refresh_token` | Most grant types (except `password`) |
| **Grant types** | `authorization_code`, `refresh_token`, `client_credentials` | Most grant types (except `password`) |
| **PKCE** | Mandatory | Optional |
| **OIDC** | Not supported. Planned for a future release. | Supported |
| **API authorization** | Always requires explicit client grant | Follows API access policy |
Expand Up @@ -17,7 +17,7 @@ Auth0 regularly enhances security for third-party applications. Only features ex
Third-party applications enforce modern OAuth standards:

- **PKCE mandatory**: All authorization code flows require [Proof Key for Code Exchange](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce). This prevents authorization code interception attacks.
- **Supported grant types**: Only `authorization_code` and `refresh_token` are available. Additional grant types such as `client_credentials` are planned for a future release.
- **Supported grant types**: `authorization_code`, `refresh_token`, and `client_credentials`.
- **Implicit and password grants not supported**: Legacy grant types that expose tokens in the browser URL or require direct credential handling are not available for third-party applications.

## Explicit API authorization
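Review bot: this bullet now lists the three grants but no longer says they are the only ones available, nor where the constraints on `client_credentials` are documented, so the restriction the old wording carried is lost. Suggest "Only `authorization_code`, `refresh_token`, and `client_credentials` are available; see Machine-to-machine (Client Credentials) below for the constraints on `client_credentials`", pointing at the new section added to this file in the same change.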
Expand All @@ -34,6 +34,20 @@ Third-party applications must have an explicit grant, even when an API is config

Third-party applications cannot be granted access to [system APIs](/docs/get-started/apis#system-apis) such as the Management API or My Account API.

## Machine-to-machine (Client Credentials)

Third-party applications support the `client_credentials` grant type for machine-to-machine access. This enables backend partner integrations and server-to-server API access without user involvement.

**Requirements and constraints:**

- The application must be a confidential client (`token_endpoint_auth_method` must not be `none`).
- [Organizations](/docs/manage-users/organizations): Machine-to-machine access with Organizations is supported. An explicit [organization client grant](/docs/manage-users/organizations/configure-organizations/configure-organization-client-grants) is required for each organization. The `allow_any_organization` option is not permitted for third-party applications. Default client grants for third-party applications cannot be used to configure `organization_usage`.
- Not available for applications created through [Dynamic Client Registration](/docs/get-started/applications/dynamic-client-registration) or [CIMD](/docs/get-started/applications/third-party-applications/configure-third-party-applications#cimd).

**Extensibility:**

- [Actions](/docs/customize/actions) with the credentials-exchange trigger execute normally.

## Restricted client configuration

You can only configure a curated set of client properties for third-party applications. When new properties are added to Auth0, they are not available for third-party applications unless explicitly reviewed and added to the supported set.
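Review bot: the first requirement bullet states the confidential-client constraint but not when it is enforced or what a public client sees if it tries anyway; the troubleshooting page in this change discusses the confidential-client requirement under "Grant type not supported", so a link to that entry here would close the loop. In the same vein, the Extensibility section says credentials-exchange Actions execute normally but does not mention that an active credentials-exchange Hook causes an error, which the unsupported-features table further down this file adds; a one-line cross-reference here would stop readers from discovering that only after a failed token request.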
Expand All @@ -45,7 +59,7 @@ Key supported properties include:
| `name`, `description`, `logo_uri` | Basic metadata |
| `callbacks` | Redirect URIs |
| `allowed_origins`, `web_origins` | CORS and web_message origins |
| `grant_types` | Must be `authorization_code` or `refresh_token` |
| `grant_types` | Must be `authorization_code`, `refresh_token`, or `client_credentials` |
| `token_endpoint_auth_method` | Authentication method for the token endpoint |
| `app_type` | Must be `regular_web`, `spa`, `native`, or `non_interactive` |
| `client_metadata` | Custom key-value metadata |
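Review bot: "Must be `authorization_code`, `refresh_token`, or `client_credentials`" reads as if `grant_types` takes a single value, but the Management API table in this change documents it as an array and a typical client carries both `authorization_code` and `refresh_token`. Suggest "May contain only `authorization_code`, `refresh_token`, and `client_credentials`" so the constraint is clearly on the set of values rather than on one value.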
Expand Down Expand Up @@ -155,6 +169,7 @@ The following features are not supported for third-party applications:
| **Auth0 system APIs** (Management API, MFA API, My Account API, My Orgs API) | Not supported. Third-party applications cannot access system APIs in user flows. |
| **MFA during refresh token exchange** | Not supported. Refresh token transactions that trigger MFA will result in an error. |
| **Rules** | Not supported. Tenants with active Rules will receive an error when a strict third-party application triggers a login flow. |
| **Hooks** (credentials-exchange) | Not supported. Tenants with an active credentials-exchange Hook will receive an error. Migrate to [Actions](/docs/customize/actions) for credentials-exchange extensibility. |
| **Non-OAuth Authentication API endpoints** (`/dbconnections/*`, `/passwordless/*`) | Not supported. |
| **Legacy endpoints** (`/delegation`, `/oauth/ro`) | Not supported. |
| **SAML, WsFed** | Not supported. |
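Review bot: the new Hooks row says "Tenants with an active credentials-exchange Hook will receive an error" without scoping it, whereas the Rules row directly above it limits the error to "when a strict third-party application triggers a login flow". Suggest mirroring that wording, e.g. "Tenants with an active credentials-exchange Hook will receive an error when a strict third-party application requests a token with `client_credentials`", so first-party tenants do not read this as a tenant-wide breakage.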
Expand Up @@ -59,9 +59,9 @@ curl --request POST \

### Grant type not supported

**Cause**: Only `authorization_code` and `refresh_token` grant types are supported. Grant types such as `implicit`, `password`, `client_credentials`, and `urn:ietf:params:oauth:grant-type:device_code` are not available.
**Cause**: Only `authorization_code`, `refresh_token`, and `client_credentials` grant types are supported. Grant types such as `implicit`, `password`, and `urn:ietf:params:oauth:grant-type:device_code` are not available.

**Solution**: Update the application to use the [Authorization Code Flow with PKCE](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce).
**Solution**: For user flows, use the [Authorization Code Flow with PKCE](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce). For machine-to-machine access, use the [Client Credentials Flow](/docs/get-started/authentication-and-authorization-flow/client-credentials-flow) with a confidential client (`token_endpoint_auth_method` must not be `none`).

### Classic Login not working

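Review bot: the Cause section now lists `client_credentials` as supported but does not mention that the grant is unavailable for applications created through Dynamic Client Registration or CIMD, which the security-controls page in this change states; a reader whose DCR-created application is refused the grant will conclude from this entry that it should work. Suggest adding that restriction as a second cause, alongside the public-client case already covered in the Solution, if that is the error such applications receive.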
Expand Up @@ -118,7 +118,7 @@ To learn more, read [Default permissions for third-party applications](/docs/get
##### 3. Validate compatibility

Test your workflows for creating third-party applications with enhanced security controls enabled. Confirm that:
* Your applications can use `authorization_code` and `refresh_token` grant types
* Your applications can use `authorization_code`, `refresh_token`, or `client_credentials` grant types
* PKCE is implemented in your authorization flows
* You do not require OIDC scopes
* You do not require Classic Login or legacy endpoints
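Review bot: the checklist gains `client_credentials` but no item covering its precondition, while the next item already checks the precondition for `authorization_code` (PKCE). Suggest adding "* Applications that use `client_credentials` are confidential clients (`token_endpoint_auth_method` is not `none`)", matching the constraint stated on the security-controls page in this change.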
Expand Down Expand Up @@ -264,7 +264,7 @@ The following table compares the capabilities available to each security mode:

| Capability | Enhanced Security Controls | Existing Behavior |
|---|---|---|
| **Grant types** | `authorization_code`, `refresh_token` | All grant types available |
| **Grant types** | `authorization_code`, `refresh_token`, `client_credentials` | All grant types available |
| **PKCE** | Mandatory | Optional |
| **OIDC** | Not available. Planned for a future release. | Supported |
| **API authorization** | Always requires explicit client grant | Follows API's access policy |
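Review bot: the Existing Behavior cell still says "All grant types available", while the equivalent comparison table on the security-modes page in this change says "Most grant types (except `password`)" for the permissive mode; one of the two is wrong. Suggest aligning this cell with the more specific wording, and adding "(confidential clients only)" to the `client_credentials` entry in the Enhanced Security Controls cell for consistency with the rest of the change.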