Highly Regulated Identity
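<!DOCTYPE html>
<html lang="en" data-theme="light" data-reactroot="">
<head>
  <meta charset="utf-8">
  <link rel="preconnect" href="https://cdn.auth0.com" crossorigin="anonymous">
  <!-- Zoom stays enabled: maximum-scale=1.0 / user-scalable=0 stop low-vision readers from enlarging the page. -->
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Highly Regulated Identity</title>
  <meta name="google-site-verification" content="4aSwkVvotRegQ6g32k-21r38Fls9sO8VT5LytKdin3o">
  <meta name="author" content="Auth0">
  <meta name="description" content="Learn about Highly Regulated Identity, Auth0's Financial-Grade Identity solution. ">
  <!-- The JSON value is entity-escaped; raw double quotes inside it would end the attribute at the first quote. -->
  <meta name="breadcrumbs" content="[{&quot;title&quot;:&quot;Secure&quot;,&quot;url&quot;:&quot;/docs/secure&quot;},{&quot;title&quot;:&quot;Highly Regulated Identity&quot;,&quot;url&quot;:&quot;/docs/secure/highly-regulated-identity&quot;}]">
  <meta name="keywords" content="auth0, authentication, sso, passwordless, user, profile, applications, identity, providers, nodejs, ruby, scala, angular, go, php, rails">
  <link rel="canonical" href="https://auth0.com/docs/secure/highly-regulated-identity">
  <meta name="twitter:creator" content="@auth0">
  <meta name="twitter:card" content="summary_large_image">
  <meta name="twitter:title" content="Highly Regulated Identity">
  <meta name="twitter:description" content="Learn about Highly Regulated Identity, Auth0's Financial-Grade Identity solution. ">
  <meta property="og:title" content="Highly Regulated Identity">
  <meta property="og:site_name" content="Auth0 Docs">
  <meta property="og:url" content="https://auth0.com/docs/">
  <meta property="og:type" content="website">
  <meta property="og:description" content="Learn about Highly Regulated Identity, Auth0's Financial-Grade Identity solution. ">
  <meta property="og:image" content="https://cdn2.auth0.com/docs/1.14124.0/img/share-image.png">
  <!-- NOTE(review): the stylesheets and scripts loaded from cdn.auth0.com / cdn2.auth0.com below carry no integrity attribute. For the version-pinned URLs, add integrity="sha384-<HASH_PLACEHOLDER>" plus crossorigin="anonymous" so a modified CDN object is rejected by the browser. -->
  <link rel="stylesheet" href="https://cdn.auth0.com/quantum-fonts/lib/1.1.0/inter/css/all.css">
  <link rel="stylesheet" href="https://cdn.auth0.com/quantum-fonts/lib/1.1.0/aeonik/css/all.css">
  <link id="favicon" rel="shortcut icon mask-icon" href="https://cdn.auth0.com/quantum-assets/dist/latest/favicons/auth0-favicon-onlight.png">
  <script>
    // Point the favicon at the light or dark asset to match the OS colour scheme,
    // and keep it in sync when the scheme changes.
    (() => {
      // An engine that does not understand the query reports its media as 'not all'.
      if (typeof window === 'undefined' || window.matchMedia('(prefers-color-scheme)').media === 'not all') {
        return;
      }
      const favIcon = document.querySelector('link#favicon');
      const darkModeMediaQuery = window.matchMedia('(prefers-color-scheme: dark)');
      const onUpdate = () => {
        favIcon.setAttribute(
          'href',
          darkModeMediaQuery.matches
            ? 'https://cdn.auth0.com/quantum-assets/dist/latest/favicons/auth0-favicon-ondark.png'
            : 'https://cdn.auth0.com/quantum-assets/dist/latest/favicons/auth0-favicon-onlight.png'
        );
      };
      // MediaQueryList.addListener is deprecated; it is kept only as a fallback for older engines.
      if (typeof darkModeMediaQuery.addEventListener === 'function') {
        darkModeMediaQuery.addEventListener('change', onUpdate);
      } else {
        darkModeMediaQuery.addListener(onUpdate);
      }
      onUpdate();
    })();
  </script>
  <link rel="stylesheet" href="https://cdn2.auth0.com/docs/1.14124.0/css/styleguide.core.css">
  <link rel="stylesheet" href="https://cdn2.auth0.com/website/styleguide/components/2.0.11/components.min.css">
  <link rel="stylesheet" href="https://cdn2.auth0.com/docs/1.14124.0/js/commons.61085f4fbc4d2723126f.css">
  <!-- NOTE(review): window.env is rendered into every response and includes CSRF_TOKEN. Any cached or mirrored copy of the page carries that value too, so the token should be bound to the visitor's session and the response sent with a no-store cache policy; confirm both on the server side. -->
  <script>window.env = {"AUTH0_DOMAIN":"auth0.auth0.com","DOMAIN_URL_APP":"https://manage.auth0.com","DOMAIN_URL_DOCS":"https://auth0.com/docs","DOMAIN_URL_SERVER":"{tenant}.auth0.com","DOMAIN_URL_SUPPORT":"https://support.auth0.com","DOMAIN_URL_SIGNUP":"https://auth0.com/signup?&signUpData=%7B%22category%22%3A%22docs%22%7D","MEDIA_URL":"https://cdn2.auth0.com/docs/1.14124.0/media","ASSET_URL":"https://cdn2.auth0.com/docs/1.14124.0","NODE_ENV":"production","PINGDOM_ID":"565cb401abe53d7b2cda7732","SENTRY_DSN":"https://4bff0b0adb29427b68c6b791fff0bf07@o27592.ingest.us.sentry.io/102638","SERVICE_VERSION":"1.14124.0","CONTENT_PACKAGE_VERSION":"1.0.2549","COVEO_ORG_ID":"oktaproduction9ounvcxa","COVEO_SEARCH_URL":"https://platform.cloud.coveo.com/rest/search/v2","COVEO_ANALYTICS_URL":"https://analytics.cloud.coveo.com/rest/ua/v15","CSRF_TOKEN":"hckjpaun-j9jbAEKks9L9Acn2zJoHOLklfBg"};</script>
  <!-- NOTE(review): the two loaders below inject parser-blocking scripts with document.write, which a Content-Security-Policy without inline-script allowance would block. Nothing earlier in this head defines DOMPurify or jQuery, so the "fallback" looks like the normal load path and plain script elements with a src would be simpler; confirm before replacing. The deprecated unescape() call is replaced by the literal markup it decoded to. jQuery 2.2.4 and Bootstrap 3.2.0 belong to release lines that no longer receive fixes; plan an upgrade. -->
  <script>window.DOMPurify || document.write("<script src='/docs/vendor/dompurify-3.0.5.min.js'><\/script>")</script>
  <script>window.jQuery || document.write("<script src='/docs/vendor/jquery-2.2.4.min.js'><\/script>")</script>
  <!-- Explicit https: a protocol-relative URL would fetch this script over plain HTTP whenever the page itself is served that way. -->
  <script async src="https://cdn2.auth0.com/styleguide/vendor/bootstrap-3.2.0.min.js"></script>
  <script src="https://cdn2.auth0.com/docs/1.14124.0/js/commons.7aca95b5a3bbc1885533.bundle.js"></script>
  <script src="https://cdn2.auth0.com/docs/1.14124.0/js/browser.df9d04530244600ef7cb.bundle.js"></script>
  <!-- NOTE(review): the opening style tag with id "jss-server-side" is followed directly by another style tag, so the parser reads the second tag as CSS text up to the first closing tag. The markup below is kept byte-for-byte because the stylesheet continues past this block. -->
  <style id="jss-server-side"><style data-emotion="css-light-global 0"></style><style data-emotion="css-light-global ptrnj3">html{-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;box-sizing:border-box;-webkit-text-size-adjust:100%;}*,*::before,*::after{box-sizing:inherit;}strong,b{font-weight:700;}body{margin:0;color:#191919;font-family:Inter Var,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:400;font-size:1rem;line-height:1.5;letter-spacing:0em;background-color:#FFFFFF;}@media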
print{body{background-color:#fff;}}body::backdrop{background-color:#FFFFFF;}html,body,div,span,applet,object,iframe,h1,h2,h3,h4,h5,h6,p,blockquote,pre,a,abbr,acronym,address,big,cite,code,del,dfn,em,img,ins,kbd,q,s,samp,small,strike,strong,sub,sup,tt,var,b,u,i,center,dl,dt,dd,ol,ul,li,fieldset,form,label,legend,table,caption,tbody,tfoot,thead,tr,th,td,article,aside,canvas,details,embed,figure,figcaption,footer,header,hgroup,menu,nav,output,ruby,section,summary,time,mark,audio,video{margin:0;padding:0;border:0;font-size:100%;font:inherit;font-variant-numeric:slashed-zero;vertical-align:baseline;}button{font:inherit;text-align:left;}article,aside,details,figcaption,figure,footer,header,hgroup,menu,nav,section{display:block;}ol,ul{list-style:none;}blockquote,q{quotes:none;}blockquote:before,blockquote:after,q:before,q:after{content:none;}table{border-collapse:collapse;border-spacing:0;}strong,b{font-weight:700;}body,input,textarea,button,select{font-family:Inter Var,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:400;font-size:0.875rem;line-height:1.57143;letter-spacing:0em;}</style><style data-emotion="css-light-global 1prfaxn">@-webkit-keyframes mui-auto-fill{from{display:block;}}@keyframes mui-auto-fill{from{display:block;}}@-webkit-keyframes mui-auto-fill-cancel{from{display:block;}}@keyframes mui-auto-fill-cancel{from{display:block;}}</style><style data-emotion="css-light 1451177 12z6ra4 99yi95 1tsb9g0 3cyd2n zrm49i 1nsqnny 1lntznf s3wuk0 1b17vdj 3p6qou hdw1oc 1ijv1n9 1rdp59y tjz9nw 1fgj6q9 tohr37 1h20m4j 8og4x3 1c8nkz9 1osspdq yl2thz 1a66avx 1etdfq6 absfm6 105k4h6 1mamkk4 ezihch 1c09ki7 po40j3 1wlfc9m 1y9rv62 1d1pobz 1f4mg9y lj7bu0 gjlwnj 1fnpbqv 7wfy9u 1ibmmut 13g1c2 vwtx2w 1nz6ure 1uvmhse nhb8h9 xdqqc7 12z0wuy ewr4mf axw7ok tq75vo 1iymi0i 1ut66dz 7t4v2s lti6cy 3djh8h hdbujw 1njuh7n 127ud2i w8rns 1v28jvd e4wg0l 1ume9uy 1ahyw7i 10ib5jr lvunq8 1kmlmk0 151tvvp qw3jjx ve6lx2 1890uci cnjcq1 146h36z up5kby 10lfzun 
1v33see 1xlk6nz">.css-light-1451177{vertical-align:middle;width:auto;fill:#191919;}.css-light-12z6ra4{background-color:#FFFFFF;color:#191919;-webkit-transition:box-shadow 300ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;transition:box-shadow 300ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;box-shadow:0px 16px 16px rgba(0, 0, 0, 0.1);display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-flex-direction:column;-ms-flex-direction:column;flex-direction:column;width:100%;box-sizing:border-box;-webkit-flex-shrink:0;-ms-flex-negative:0;flex-shrink:0;position:fixed;z-index:1100;top:0;left:auto;right:0;background-color:#F6F6F6;color:rgba(0, 0, 0, 0.87);box-shadow:none;height:64px;z-index:20;background-image:none;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;border-bottom:0;top:0;background-color:#FFFFFF;color:#1E212A;padding:0px 24px;background-color:#FFFFFF;position:fixed;}@media print{.css-light-12z6ra4{position:absolute;}}@media (max-width:1167.95px){.css-light-12z6ra4{padding:0;}}.css-light-99yi95{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;height:100%;max-width:100%;padding:0px 16px;max-width:1440px;width:inherit;padding:0;overflow:hidden;border-bottom:1px solid #E8E8E8;}@media (max-width:1167.95px){.css-light-99yi95{max-width:100%;padding:0px 
24px;}}.css-light-1tsb9g0{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;}.css-light-1tsb9g0>:not(:last-child){margin-right:16px;}.css-light-3cyd2n{margin-right:24px;}.css-light-zrm49i{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-webkit-flex:1;-ms-flex:1;flex:1;-webkit-box-pack:justify;-webkit-justify-content:space-between;justify-content:space-between;}.css-light-zrm49i>:not(:last-child){margin-right:16px;}.css-light-1nsqnny.Mui-focused .MuiAutocomplete-clearIndicator{visibility:visible;}@media (pointer: fine){.css-light-1nsqnny:hover .MuiAutocomplete-clearIndicator{visibility:visible;}}.css-light-1nsqnny .MuiAutocomplete-tag{margin:3px;max-width:calc(100% - 6px);}.css-light-1nsqnny .MuiAutocomplete-inputRoot{-webkit-box-flex-wrap:wrap;-webkit-flex-wrap:wrap;-ms-flex-wrap:wrap;flex-wrap:wrap;}.MuiAutocomplete-hasPopupIcon.css-light-1nsqnny .MuiAutocomplete-inputRoot,.MuiAutocomplete-hasClearIcon.css-light-1nsqnny .MuiAutocomplete-inputRoot{padding-right:30px;}.MuiAutocomplete-hasPopupIcon.MuiAutocomplete-hasClearIcon.css-light-1nsqnny .MuiAutocomplete-inputRoot{padding-right:56px;}.css-light-1nsqnny .MuiAutocomplete-inputRoot .MuiAutocomplete-input{width:0;min-width:30px;}.css-light-1nsqnny .MuiInput-root{padding-bottom:1px;}.css-light-1nsqnny .MuiInput-root .MuiInput-input{padding:4px 4px 4px 0px;}.css-light-1nsqnny .MuiInput-root.MuiInputBase-sizeSmall .MuiInput-input{padding:2px 4px 3px 0;}.css-light-1nsqnny .MuiOutlinedInput-root{padding:9px;}.MuiAutocomplete-hasPopupIcon.css-light-1nsqnny .MuiOutlinedInput-root,.MuiAutocomplete-hasClearIcon.css-light-1nsqnny .MuiOutlinedInput-root{padding-right:39px;}.MuiAutocomplete-hasPopupIcon.MuiAutocomplete-hasClearIcon.css-light-1nsqnny 
.MuiOutlinedInput-root{padding-right:65px;}.css-light-1nsqnny .MuiOutlinedInput-root .MuiAutocomplete-input{padding:7.5px 4px 7.5px 6px;}.css-light-1nsqnny .MuiOutlinedInput-root .MuiAutocomplete-endAdornment{right:9px;}.css-light-1nsqnny .MuiOutlinedInput-root.MuiInputBase-sizeSmall{padding:6px;}.css-light-1nsqnny .MuiOutlinedInput-root.MuiInputBase-sizeSmall .MuiAutocomplete-input{padding:2.5px 4px 2.5px 6px;}.css-light-1nsqnny .MuiFilledInput-root{padding-top:19px;padding-left:8px;}.MuiAutocomplete-hasPopupIcon.css-light-1nsqnny .MuiFilledInput-root,.MuiAutocomplete-hasClearIcon.css-light-1nsqnny .MuiFilledInput-root{padding-right:39px;}.MuiAutocomplete-hasPopupIcon.MuiAutocomplete-hasClearIcon.css-light-1nsqnny .MuiFilledInput-root{padding-right:65px;}.css-light-1nsqnny .MuiFilledInput-root .MuiFilledInput-input{padding:7px 4px;}.css-light-1nsqnny .MuiFilledInput-root .MuiAutocomplete-endAdornment{right:9px;}.css-light-1nsqnny .MuiFilledInput-root.MuiInputBase-sizeSmall{padding-bottom:1px;}.css-light-1nsqnny .MuiFilledInput-root.MuiInputBase-sizeSmall .MuiFilledInput-input{padding:2.5px 4px;}.css-light-1nsqnny .MuiInputBase-hiddenLabel{padding-top:8px;}.css-light-1nsqnny .MuiAutocomplete-input{-webkit-box-flex:1;-webkit-flex-grow:1;-ms-flex-positive:1;flex-grow:1;text-overflow:ellipsis;opacity:1;}.css-light-1nsqnny .MuiAutocomplete-tag{margin:1px;}.css-light-1nsqnny .MuiAutocomplete-inputRoot{min-height:40px;}.css-light-1nsqnny .MuiAutocomplete-inputRoot[class*="MuiOutlinedInput-root"]{padding:2px 8px 2px 4px;}.css-light-1nsqnny .MuiAutocomplete-inputRoot[class*="MuiOutlinedInput-root"] .MuiAutocomplete-input{padding:4px 8px;}.css-light-1nsqnny .MuiAutocomplete-inputRoot[class*="MuiOutlinedInput-root"] .MuiAutocomplete-input:first-child{padding-left:14px;}.css-light-1nsqnny .MuiAutocomplete-inputRoot[class*="MuiOutlinedInput-root"] .MuiAutocomplete-endAdornment{right:6px;}.css-light-1lntznf{display:grid;grid-template-columns:minmax(0, 
1fr);gap:24px;max-width:1216px;width:auto;margin:0 auto;width:260px;max-width:auto;margin:0;}@media (max-width:1167.95px){.css-light-1lntznf{max-width:100%;margin:0px 24px;}}@media (max-width:1207.95px){.css-light-1lntznf{display:none;}}.css-light-s3wuk0{font-family:Inter Var,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:400;font-size:1rem;line-height:1.4375em;letter-spacing:0em;color:#191919;box-sizing:border-box;position:relative;cursor:text;display:-webkit-inline-box;display:-webkit-inline-flex;display:-ms-inline-flexbox;display:inline-flex;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;font-family:Inter Var,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-size:0.875rem;line-height:1.57143;letter-spacing:0em;font-weight:400;margin:0;position:relative;border-radius:4px;padding-left:14px;background-color:#FFFFFF;width:auto;height:34px;}.css-light-s3wuk0.Mui-disabled{color:#686868;cursor:default;}.css-light-s3wuk0.Mui-disabled{background-color:#F1F1F1;color:#8E8E8E;}.css-light-s3wuk0:hover .MuiOutlinedInput-notchedOutline{border-color:#191919;}@media (hover: none){.css-light-s3wuk0:hover .MuiOutlinedInput-notchedOutline{border-color:rgba(0, 0, 0, 0.23);}}.css-light-s3wuk0.Mui-focused .MuiOutlinedInput-notchedOutline{border-color:#3F59E4;border-width:2px;}.css-light-s3wuk0.Mui-error .MuiOutlinedInput-notchedOutline{border-color:#C32F26;}.css-light-s3wuk0.Mui-disabled .MuiOutlinedInput-notchedOutline{border-color:rgba(0, 0, 0, 0.26);}.css-light-s3wuk0 .MuiOutlinedInput-notchedOutline{border-color:#8E8E8E;}.css-light-s3wuk0.Mui-disabled .MuiOutlinedInput-notchedOutline,.css-light-s3wuk0.Mui-disabled:hover .MuiOutlinedInput-notchedOutline{border-color:#D7D7D7;}.css-light-s3wuk0.Mui-disabled.Mui-error .MuiOutlinedInput-notchedOutline{border-color:#C32F26;}.css-light-s3wuk0:hover 
.MuiOutlinedInput-notchedOutline{border-color:#686868;}.css-light-s3wuk0.Mui-focused .MuiOutlinedInput-notchedOutline{border-width:2px;border-color:#3F59E4;box-shadow:rgba(63, 89, 228, 0.25) 0px 0px 0px 0.25em;}.css-light-s3wuk0.Mui-focused:hover .MuiOutlinedInput-notchedOutline{border-color:#3F59E4;box-shadow:rgba(63, 89, 228, 0.25) 0px 0px 0px 0.25em;}.css-light-s3wuk0.Mui-error .MuiOutlinedInput-notchedOutline{border-color:#C32F26;border-width:2px;}.css-light-s3wuk0.Mui-error.css-light-s3wuk0.Mui-focused .MuiOutlinedInput-notchedOutline{border-color:#C32F26;box-shadow:rgba(195, 47, 38, 0.25) 0px 0px 0px 0.25em;}.css-light-1b17vdj{font:inherit;letter-spacing:inherit;color:currentColor;padding:4px 0 5px;border:0;box-sizing:content-box;background:none;height:1.4375em;margin:0;-webkit-tap-highlight-color:transparent;display:block;min-width:0;width:100%;-webkit-animation-name:mui-auto-fill-cancel;animation-name:mui-auto-fill-cancel;-webkit-animation-duration:10ms;animation-duration:10ms;padding-top:1px;height:unset;padding:9px 16px;padding-top:5px;padding-bottom:5px;padding:8.5px 14px;padding-left:0;padding:9px 16px;padding-top:6px;padding-bottom:6px;padding-left:12px;padding-right:12px;padding-left:0;}.css-light-1b17vdj::-webkit-input-placeholder{color:currentColor;opacity:0.42;-webkit-transition:opacity 200ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;transition:opacity 200ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;}.css-light-1b17vdj::-moz-placeholder{color:currentColor;opacity:0.42;-webkit-transition:opacity 200ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;transition:opacity 200ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;}.css-light-1b17vdj:-ms-input-placeholder{color:currentColor;opacity:0.42;-webkit-transition:opacity 200ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;transition:opacity 200ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;}.css-light-1b17vdj::-ms-input-placeholder{color:currentColor;opacity:0.42;-webkit-transition:opacity 200ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;transition:opacity 200ms cubic-bezier(0.4, 
0, 0.2, 1) 0ms;}.css-light-1b17vdj:focus{outline:0;}.css-light-1b17vdj:invalid{box-shadow:none;}.css-light-1b17vdj::-webkit-search-decoration{-webkit-appearance:none;}label[data-shrink=false]+.MuiInputBase-formControl .css-light-1b17vdj::-webkit-input-placeholder{opacity:0!important;}label[data-shrink=false]+.MuiInputBase-formControl .css-light-1b17vdj::-moz-placeholder{opacity:0!important;}label[data-shrink=false]+.MuiInputBase-formControl .css-light-1b17vdj:-ms-input-placeholder{opacity:0!important;}label[data-shrink=false]+.MuiInputBase-formControl .css-light-1b17vdj::-ms-input-placeholder{opacity:0!important;}label[data-shrink=false]+.MuiInputBase-formControl .css-light-1b17vdj:focus::-webkit-input-placeholder{opacity:0.42;}label[data-shrink=false]+.MuiInputBase-formControl .css-light-1b17vdj:focus::-moz-placeholder{opacity:0.42;}label[data-shrink=false]+.MuiInputBase-formControl .css-light-1b17vdj:focus:-ms-input-placeholder{opacity:0.42;}label[data-shrink=false]+.MuiInputBase-formControl .css-light-1b17vdj:focus::-ms-input-placeholder{opacity:0.42;}.css-light-1b17vdj.Mui-disabled{opacity:1;-webkit-text-fill-color:#686868;}.css-light-1b17vdj:-webkit-autofill{-webkit-animation-duration:5000s;animation-duration:5000s;-webkit-animation-name:mui-auto-fill;animation-name:mui-auto-fill;}.css-light-1b17vdj:-webkit-autofill{border-radius:inherit;}.css-light-1b17vdj[type='number']{padding-right:4px;}.css-light-3p6qou{text-align:left;position:absolute;bottom:0;right:0;top:-5px;left:0;margin:0;padding:0 8px;pointer-events:none;border-radius:inherit;border-style:solid;border-width:1px;overflow:hidden;min-width:0%;border-color:rgba(0, 0, 0, 0.23);top:0;-webkit-transition:box-shadow 150ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,border-color 150ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,border-width 150ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;transition:box-shadow 150ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,border-color 150ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,border-width 150ms cubic-bezier(0.4, 0, 
0.2, 1) 0ms;}.css-light-3p6qou legend{display:none;}.css-light-hdw1oc{float:unset;overflow:hidden;padding:0;line-height:11px;-webkit-transition:width 150ms cubic-bezier(0.0, 0, 0.2, 1) 0ms;transition:width 150ms cubic-bezier(0.0, 0, 0.2, 1) 0ms;}.css-light-1ijv1n9{display:grid;gap:40px;margin-right:24px;grid-auto-columns:min-content;grid-auto-flow:column;grid-template-columns:none;}@media (min-width:0px){.css-light-1ijv1n9{grid-template-columns:minmax(0,1fr);}}@media (min-width:600px){.css-light-1ijv1n9{grid-template-columns:minmax(0,1fr);}}@media (min-width:960px){.css-light-1ijv1n9{grid-template-columns:repeat(2, minmax(0,1fr));}}@media (min-width:960px){.css-light-1ijv1n9{grid-template-columns:none;}}@media (max-width:1079.95px){.css-light-1ijv1n9{gap:16px;}}@media (max-width:959.95px){.css-light-1ijv1n9{display:none;}}.css-light-1rdp59y{margin:0;display:inline;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-webkit-text-decoration:none;text-decoration:none;border-radius:2px;outline:none;color:#191919;font-weight:500;white-space:nowrap;}.css-light-1rdp59y:focus-visible{box-shadow:rgba(63, 89, 228, 0.25) 0px 0px 0px 0.25em;}.css-light-1rdp59y:hover{-webkit-text-decoration:none;text-decoration:none;color:#191919;}.css-light-1rdp59y:active{color:#191919;}.css-light-1rdp59y>.QuantumLink-icon{line-height:1;display:-webkit-inline-box;display:-webkit-inline-flex;display:-ms-inline-flexbox;display:inline-flex;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;}.css-light-1rdp59y>svg{width:1em;height:1em;}.css-light-1rdp59y>svg:first-child{-webkit-margin-end:8px;margin-inline-end:8px;}.css-light-tjz9nw{display:grid;gap:8px;grid-auto-columns:min-content;grid-auto-flow:column;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;border-top:0;padding:0;}@media (min-width:0px){.css-light-tjz9nw{grid-template-columns:none;}}@media 
(min-width:600px){.css-light-tjz9nw{grid-template-columns:none;}}@media (min-width:960px){.css-light-tjz9nw{grid-template-columns:none;}}@media (max-width:959.95px){.css-light-tjz9nw{display:none;margin:0;}}@media (min-width:0px){.css-light-tjz9nw{grid-template-columns:none;}}@media (min-width:600px){.css-light-tjz9nw{grid-template-columns:none;}}@media (min-width:960px){.css-light-tjz9nw{grid-template-columns:none;}}.css-light-1fgj6q9{display:-webkit-inline-box;display:-webkit-inline-flex;display:-ms-inline-flexbox;display:inline-flex;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-webkit-box-pack:center;-ms-flex-pack:center;-webkit-justify-content:center;justify-content:center;position:relative;box-sizing:border-box;-webkit-tap-highlight-color:transparent;background-color:transparent;outline:0;border:0;margin:0;border-radius:0;padding:0;cursor:pointer;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;vertical-align:middle;-moz-appearance:none;-webkit-appearance:none;-webkit-text-decoration:none;text-decoration:none;color:inherit;font-family:Inter Var,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:0.8125rem;line-height:1.57143;text-transform:capitalize;letter-spacing:0em;min-width:64px;padding:3px 9px;border-radius:4px;-webkit-transition:background-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,box-shadow 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,border-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;transition:background-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,box-shadow 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,border-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;border:1px solid rgba(104, 104, 104, 0.5);color:#686868;box-shadow:none;padding:6px 
12px;color:#191919;width:-webkit-fit-content;width:-moz-fit-content;width:fit-content;white-space:nowrap;min-width:unset;font-size:0.875rem;padding:5px 11px;background-color:#FFFFFF;border-color:#D7D7D7;padding:3px 9px;color:#191919;text-transform:none;}.css-light-1fgj6q9::-moz-focus-inner{border-style:none;}.css-light-1fgj6q9.Mui-disabled{pointer-events:none;cursor:default;}@media print{.css-light-1fgj6q9{-webkit-print-color-adjust:exact;color-adjust:exact;}}.css-light-1fgj6q9:hover{-webkit-text-decoration:none;text-decoration:none;background-color:rgba(104, 104, 104, 0.04);border:1px solid #686868;}@media (hover: none){.css-light-1fgj6q9:hover{background-color:transparent;}}.css-light-1fgj6q9.Mui-disabled{color:rgba(0, 0, 0, 0.26);border:1px solid #F1F1F1;}.css-light-1fgj6q9:hover{box-shadow:none;}.css-light-1fgj6q9.Mui-focusVisible{box-shadow:none;}.css-light-1fgj6q9:active{box-shadow:none;}.css-light-1fgj6q9.Mui-disabled{box-shadow:none;}.css-light-1fgj6q9.Mui-disabled,.css-light-1fgj6q9:disabled{color:#8E8E8E;background-color:#E8E8E8;border-color:#D7D7D7;}.css-light-1fgj6q9:focus,.css-light-1fgj6q9.Mui-focusVisible{box-shadow:rgba(63, 89, 228, 0.25) 0px 0px 0px 
0.25em;}.css-light-1fgj6q9:hover,.css-light-1fgj6q9.Mui-hover{background-color:#F1F1F1;border-color:#D7D7D7;}.css-light-1fgj6q9:active,.css-light-1fgj6q9.Mui-active{background-color:#E8E8E8;border-color:#D7D7D7;}.css-light-tohr37{display:-webkit-inline-box;display:-webkit-inline-flex;display:-ms-inline-flexbox;display:inline-flex;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-webkit-box-pack:center;-ms-flex-pack:center;-webkit-justify-content:center;justify-content:center;position:relative;box-sizing:border-box;-webkit-tap-highlight-color:transparent;background-color:transparent;outline:0;border:0;margin:0;border-radius:0;padding:0;cursor:pointer;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;vertical-align:middle;-moz-appearance:none;-webkit-appearance:none;-webkit-text-decoration:none;text-decoration:none;color:inherit;font-family:Inter Var,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:0.875rem;line-height:1.57143;text-transform:capitalize;letter-spacing:0em;min-width:64px;padding:6px 16px;border-radius:4px;-webkit-transition:background-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,box-shadow 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,border-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;transition:background-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,box-shadow 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,border-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;color:inherit;border-color:currentColor;box-shadow:none;padding:6px 12px;color:#191919;width:-webkit-fit-content;width:-moz-fit-content;width:fit-content;white-space:nowrap;min-width:unset;font-size:0.875rem;background-color:transparent;color:#191919;padding:5px 12px;padding:3px 
10px;text-transform:none;}.css-light-tohr37::-moz-focus-inner{border-style:none;}.css-light-tohr37.Mui-disabled{pointer-events:none;cursor:default;}@media print{.css-light-tohr37{-webkit-print-color-adjust:exact;color-adjust:exact;}}.css-light-tohr37:hover{-webkit-text-decoration:none;text-decoration:none;background-color:rgba(25, 25, 25, 0.04);}@media (hover: none){.css-light-tohr37:hover{background-color:transparent;}}.css-light-tohr37.Mui-disabled{color:rgba(0, 0, 0, 0.26);}.css-light-tohr37:hover{box-shadow:none;}.css-light-tohr37.Mui-focusVisible{box-shadow:none;}.css-light-tohr37:active{box-shadow:none;}.css-light-tohr37.Mui-disabled{box-shadow:none;}.css-light-tohr37.Mui-disabled,.css-light-tohr37:disabled{color:#8E8E8E;background-color:#E8E8E8;border-color:#D7D7D7;}.css-light-tohr37:focus,.css-light-tohr37.Mui-focusVisible{box-shadow:rgba(63, 89, 228, 0.25) 0px 0px 0px 0.25em;}.css-light-1h20m4j{display:-webkit-inline-box;display:-webkit-inline-flex;display:-ms-inline-flexbox;display:inline-flex;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-webkit-box-pack:center;-ms-flex-pack:center;-webkit-justify-content:center;justify-content:center;position:relative;box-sizing:border-box;-webkit-tap-highlight-color:transparent;background-color:transparent;outline:0;border:0;margin:0;border-radius:0;padding:0;cursor:pointer;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;vertical-align:middle;-moz-appearance:none;-webkit-appearance:none;-webkit-text-decoration:none;text-decoration:none;color:inherit;font-family:Inter Var,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:0.8125rem;line-height:1.57143;text-transform:capitalize;letter-spacing:0em;min-width:64px;padding:4px 10px;border-radius:4px;-webkit-transition:background-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,box-shadow 250ms cubic-bezier(0.4, 0, 0.2, 1) 
0ms,border-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;transition:background-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,box-shadow 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,border-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;color:#fff;background-color:#3F59E4;box-shadow:0px 6px 8px rgba(0, 0, 0, 0.1);box-shadow:none;padding:6px 12px;color:#191919;width:-webkit-fit-content;width:-moz-fit-content;width:fit-content;white-space:nowrap;min-width:unset;font-size:0.875rem;padding:4px 10px;background-color:#3F59E4;color:#FFFFFF;text-transform:none;}.css-light-1h20m4j::-moz-focus-inner{border-style:none;}.css-light-1h20m4j.Mui-disabled{pointer-events:none;cursor:default;}@media print{.css-light-1h20m4j{-webkit-print-color-adjust:exact;color-adjust:exact;}}.css-light-1h20m4j:hover{-webkit-text-decoration:none;text-decoration:none;background-color:#263588;box-shadow:0px 16px 16px rgba(0, 0, 0, 0.1);}@media (hover: none){.css-light-1h20m4j:hover{background-color:#3F59E4;}}.css-light-1h20m4j:active{box-shadow:0px 16px 16px rgba(0, 0, 0, 0.1);}.css-light-1h20m4j.Mui-focusVisible{box-shadow:0px 16px 16px rgba(0, 0, 0, 0.1);}.css-light-1h20m4j.Mui-disabled{color:rgba(0, 0, 0, 0.26);box-shadow:none;background-color:#F1F1F1;}.css-light-1h20m4j:hover{box-shadow:none;}.css-light-1h20m4j.Mui-focusVisible{box-shadow:none;}.css-light-1h20m4j:active{box-shadow:none;}.css-light-1h20m4j.Mui-disabled{box-shadow:none;}.css-light-1h20m4j.Mui-disabled,.css-light-1h20m4j:disabled{color:#8E8E8E;background-color:#E8E8E8;border-color:#D7D7D7;}.css-light-1h20m4j:focus,.css-light-1h20m4j.Mui-focusVisible{box-shadow:rgba(63, 89, 228, 0.25) 0px 0px 0px 
0.25em;}.css-light-1h20m4j:hover,.css-light-1h20m4j.Mui-hover{background-color:#3449BA;}.css-light-1h20m4j:active,.css-light-1h20m4j.Mui-active{background-color:#263588;}.css-light-8og4x3{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;gap:4px;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;margin:0px 4px 0px 12px;}@media (max-width:959.95px){.css-light-8og4x3{-webkit-flex-direction:row-reverse;-ms-flex-direction:row-reverse;flex-direction:row-reverse;}}.css-light-1c8nkz9{margin:0;-webkit-flex-shrink:0;-ms-flex-negative:0;flex-shrink:0;border-width:0;border-style:solid;border-color:#E8E8E8;border-bottom-width:0;margin-top:8px;margin-bottom:8px;height:auto;border-right-width:thin;-webkit-align-self:stretch;-ms-flex-item-align:stretch;align-self:stretch;border-color:#E8E8E8;}.css-light-1osspdq{display:-webkit-inline-box;display:-webkit-inline-flex;display:-ms-inline-flexbox;display:inline-flex;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-webkit-box-pack:center;-ms-flex-pack:center;-webkit-justify-content:center;justify-content:center;position:relative;box-sizing:border-box;-webkit-tap-highlight-color:transparent;background-color:transparent;outline:0;border:0;margin:0;border-radius:0;padding:0;cursor:pointer;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;vertical-align:middle;-moz-appearance:none;-webkit-appearance:none;-webkit-text-decoration:none;text-decoration:none;color:inherit;text-align:center;-webkit-flex:0 0 auto;-ms-flex:0 0 auto;flex:0 0 auto;font-size:1.5rem;padding:8px;border-radius:50%;overflow:visible;color:rgba(0, 0, 0, 0.54);-webkit-transition:background-color 150ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;transition:background-color 150ms cubic-bezier(0.4, 0, 0.2, 1) 
0ms;font-size:1rem;height:2.125rem;width:2.125rem;background-color:transparent;color:#191919;padding:0;border-radius:4px;-webkit-transition:background-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,box-shadow 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,border-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;transition:background-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,box-shadow 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,border-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;}.css-light-1osspdq::-moz-focus-inner{border-style:none;}.css-light-1osspdq.Mui-disabled{pointer-events:none;cursor:default;}@media print{.css-light-1osspdq{-webkit-print-color-adjust:exact;color-adjust:exact;}}.css-light-1osspdq:hover{background-color:rgba(0, 0, 0, 0.04);}@media (hover: none){.css-light-1osspdq:hover{background-color:transparent;}}.css-light-1osspdq.Mui-disabled{background-color:transparent;color:rgba(0, 0, 0, 0.26);}.css-light-1osspdq.Mui-disabled,.css-light-1osspdq:disabled{color:#8E8E8E;background-color:#E8E8E8;border-color:#D7D7D7;}.css-light-1osspdq:hover,.css-light-1osspdq.Mui-hover{background-color:#F1F1F1;}.css-light-1osspdq:active,.css-light-1osspdq.Mui-active{background-color:#E8E8E8;}.css-light-1osspdq:focus,.css-light-1osspdq.Mui-focusVisible{box-shadow:rgba(63, 89, 228, 0.25) 0px 0px 0px 
0.25em;}.css-light-1osspdq.Mui-disabled{background-color:#F1F1F1;color:#686868;}.css-light-1osspdq>svg:first-child{height:1em;width:1em;}.css-light-yl2thz{display:-webkit-inline-box;display:-webkit-inline-flex;display:-ms-inline-flexbox;display:inline-flex;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-webkit-box-pack:center;-ms-flex-pack:center;-webkit-justify-content:center;justify-content:center;position:relative;box-sizing:border-box;-webkit-tap-highlight-color:transparent;background-color:transparent;outline:0;border:0;margin:0;border-radius:0;padding:0;cursor:pointer;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;vertical-align:middle;-moz-appearance:none;-webkit-appearance:none;-webkit-text-decoration:none;text-decoration:none;color:inherit;text-align:center;-webkit-flex:0 0 auto;-ms-flex:0 0 auto;flex:0 0 auto;font-size:1.5rem;padding:8px;border-radius:50%;overflow:visible;color:rgba(0, 0, 0, 0.54);-webkit-transition:background-color 150ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;transition:background-color 150ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;font-size:1rem;height:2.125rem;width:2.125rem;background-color:transparent;color:#191919;padding:0;border-radius:4px;-webkit-transition:background-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,box-shadow 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,border-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;transition:background-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,box-shadow 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,border-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;display:inherit;}.css-light-yl2thz::-moz-focus-inner{border-style:none;}.css-light-yl2thz.Mui-disabled{pointer-events:none;cursor:default;}@media print{.css-light-yl2thz{-webkit-print-color-adjust:exact;color-adjust:exact;}}.css-light-yl2thz:hover{background-color:rgba(0, 0, 0, 0.04);}@media 
(hover: none){.css-light-yl2thz:hover{background-color:transparent;}}.css-light-yl2thz.Mui-disabled{background-color:transparent;color:rgba(0, 0, 0, 0.26);}.css-light-yl2thz.Mui-disabled,.css-light-yl2thz:disabled{color:#8E8E8E;background-color:#E8E8E8;border-color:#D7D7D7;}.css-light-yl2thz:hover,.css-light-yl2thz.Mui-hover{background-color:#F1F1F1;}.css-light-yl2thz:active,.css-light-yl2thz.Mui-active{background-color:#E8E8E8;}.css-light-yl2thz:focus,.css-light-yl2thz.Mui-focusVisible{box-shadow:rgba(63, 89, 228, 0.25) 0px 0px 0px 0.25em;}.css-light-yl2thz.Mui-disabled{background-color:#F1F1F1;color:#686868;}.css-light-yl2thz>svg:first-child{height:1em;width:1em;}@media (min-width:960px){.css-light-yl2thz{display:none;}}.css-light-yl2thz svg:first-child{width:1.5em;height:1.5em;}.css-light-1a66avx{-webkit-flex:0 0 auto;-ms-flex:0 0 auto;flex:0 0 auto;z-index:0;}.css-light-1a66avx .MuiDrawer-paperAnchorTop{z-index:19;top:64px;padding:24px;bottom:0;}@media (min-width:960px){.css-light-1a66avx{display:none;}}.css-light-1etdfq6{background-color:#FFFFFF;color:#191919;-webkit-transition:box-shadow 300ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;transition:box-shadow 300ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;box-shadow:0px 6px 8px rgba(0, 0, 0, 0.1);overflow-y:auto;display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-flex-direction:column;-ms-flex-direction:column;flex-direction:column;height:auto;-webkit-flex:1 0 auto;-ms-flex:1 0 auto;flex:1 0 auto;z-index:1200;-webkit-overflow-scrolling:touch;position:fixed;top:0;outline:0;left:0;right:0;max-height:100%;border-bottom:1px solid #E8E8E8;}.css-light-absfm6{height:100%;display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-flex-direction:column;-ms-flex-direction:column;flex-direction:column;}.css-light-105k4h6{font-family:Inter Var,-apple-system,BlinkMacSystemFont,Segoe 
UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:400;font-size:1rem;line-height:1.4375em;letter-spacing:0em;color:#191919;box-sizing:border-box;position:relative;cursor:text;display:-webkit-inline-box;display:-webkit-inline-flex;display:-ms-inline-flexbox;display:inline-flex;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;font-family:Inter Var,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-size:0.875rem;line-height:1.57143;letter-spacing:0em;font-weight:400;position:relative;border-radius:4px;padding-left:14px;background-color:#FFFFFF;width:auto;height:34px;}.css-light-105k4h6.Mui-disabled{color:#686868;cursor:default;}.css-light-105k4h6.Mui-disabled{background-color:#F1F1F1;color:#8E8E8E;}.css-light-105k4h6:hover .MuiOutlinedInput-notchedOutline{border-color:#191919;}@media (hover: none){.css-light-105k4h6:hover .MuiOutlinedInput-notchedOutline{border-color:rgba(0, 0, 0, 0.23);}}.css-light-105k4h6.Mui-focused .MuiOutlinedInput-notchedOutline{border-color:#3F59E4;border-width:2px;}.css-light-105k4h6.Mui-error .MuiOutlinedInput-notchedOutline{border-color:#C32F26;}.css-light-105k4h6.Mui-disabled .MuiOutlinedInput-notchedOutline{border-color:rgba(0, 0, 0, 0.26);}.css-light-105k4h6 .MuiOutlinedInput-notchedOutline{border-color:#8E8E8E;}.css-light-105k4h6.Mui-disabled .MuiOutlinedInput-notchedOutline,.css-light-105k4h6.Mui-disabled:hover .MuiOutlinedInput-notchedOutline{border-color:#D7D7D7;}.css-light-105k4h6.Mui-disabled.Mui-error .MuiOutlinedInput-notchedOutline{border-color:#C32F26;}.css-light-105k4h6:hover .MuiOutlinedInput-notchedOutline{border-color:#686868;}.css-light-105k4h6.Mui-focused .MuiOutlinedInput-notchedOutline{border-width:2px;border-color:#3F59E4;box-shadow:rgba(63, 89, 228, 0.25) 0px 0px 0px 0.25em;}.css-light-105k4h6.Mui-focused:hover .MuiOutlinedInput-notchedOutline{border-color:#3F59E4;box-shadow:rgba(63, 89, 228, 0.25) 0px 0px 0px 
0.25em;}.css-light-105k4h6.Mui-error .MuiOutlinedInput-notchedOutline{border-color:#C32F26;border-width:2px;}.css-light-105k4h6.Mui-error.css-light-105k4h6.Mui-focused .MuiOutlinedInput-notchedOutline{border-color:#C32F26;box-shadow:rgba(195, 47, 38, 0.25) 0px 0px 0px 0.25em;}.css-light-1mamkk4{font:inherit;letter-spacing:inherit;color:currentColor;padding:4px 0 5px;border:0;box-sizing:content-box;background:none;height:1.4375em;margin:0;-webkit-tap-highlight-color:transparent;display:block;min-width:0;width:100%;-webkit-animation-name:mui-auto-fill-cancel;animation-name:mui-auto-fill-cancel;-webkit-animation-duration:10ms;animation-duration:10ms;height:unset;padding:9px 16px;padding:16.5px 14px;padding-left:0;padding:9px 16px;padding-left:0;}.css-light-1mamkk4::-webkit-input-placeholder{color:currentColor;opacity:0.42;-webkit-transition:opacity 200ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;transition:opacity 200ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;}.css-light-1mamkk4::-moz-placeholder{color:currentColor;opacity:0.42;-webkit-transition:opacity 200ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;transition:opacity 200ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;}.css-light-1mamkk4:-ms-input-placeholder{color:currentColor;opacity:0.42;-webkit-transition:opacity 200ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;transition:opacity 200ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;}.css-light-1mamkk4::-ms-input-placeholder{color:currentColor;opacity:0.42;-webkit-transition:opacity 200ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;transition:opacity 200ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;}.css-light-1mamkk4:focus{outline:0;}.css-light-1mamkk4:invalid{box-shadow:none;}.css-light-1mamkk4::-webkit-search-decoration{-webkit-appearance:none;}label[data-shrink=false]+.MuiInputBase-formControl .css-light-1mamkk4::-webkit-input-placeholder{opacity:0!important;}label[data-shrink=false]+.MuiInputBase-formControl .css-light-1mamkk4::-moz-placeholder{opacity:0!important;}label[data-shrink=false]+.MuiInputBase-formControl 
.css-light-1mamkk4:-ms-input-placeholder{opacity:0!important;}label[data-shrink=false]+.MuiInputBase-formControl .css-light-1mamkk4::-ms-input-placeholder{opacity:0!important;}label[data-shrink=false]+.MuiInputBase-formControl .css-light-1mamkk4:focus::-webkit-input-placeholder{opacity:0.42;}label[data-shrink=false]+.MuiInputBase-formControl .css-light-1mamkk4:focus::-moz-placeholder{opacity:0.42;}label[data-shrink=false]+.MuiInputBase-formControl .css-light-1mamkk4:focus:-ms-input-placeholder{opacity:0.42;}label[data-shrink=false]+.MuiInputBase-formControl .css-light-1mamkk4:focus::-ms-input-placeholder{opacity:0.42;}.css-light-1mamkk4.Mui-disabled{opacity:1;-webkit-text-fill-color:#686868;}.css-light-1mamkk4:-webkit-autofill{-webkit-animation-duration:5000s;animation-duration:5000s;-webkit-animation-name:mui-auto-fill;animation-name:mui-auto-fill;}.css-light-1mamkk4:-webkit-autofill{border-radius:inherit;}.css-light-ezihch{display:grid;grid-template-columns:minmax(0, 1fr);gap:0px;overflow-y:auto;-webkit-flex:1;-ms-flex:1;flex:1;-webkit-align-content:flex-start;-ms-flex-line-pack:flex-start;align-content:flex-start;margin:16px -24px 0px;}.css-light-1c09ki7{margin:0;font-family:Inter Var,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:1rem;line-height:1.5;letter-spacing:0em;display:inline;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-webkit-text-decoration:none;text-decoration:none;border-radius:2px;outline:none;color:#191919;border-bottom:1px solid #E8E8E8;height:72px;display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;white-space:nowrap;padding:0px 24px;}.css-light-1c09ki7:focus-visible{box-shadow:rgba(63, 89, 228, 0.25) 0px 0px 0px 
0.25em;}.css-light-1c09ki7:hover{-webkit-text-decoration:none;text-decoration:none;color:#191919;}.css-light-1c09ki7:active{color:#191919;}.css-light-1c09ki7>.QuantumLink-icon{line-height:1;display:-webkit-inline-box;display:-webkit-inline-flex;display:-ms-inline-flexbox;display:inline-flex;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;}.css-light-1c09ki7>svg{width:1em;height:1em;}.css-light-1c09ki7>svg:first-child{-webkit-margin-end:8px;margin-inline-end:8px;}.css-light-po40j3{display:grid;gap:16px;grid-auto-columns:initial;grid-auto-flow:row;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;border-top:1px solid #E8E8E8;padding:16px 24px 0px;}@media (min-width:0px){.css-light-po40j3{grid-template-columns:1fr 1fr;}}@media (min-width:600px){.css-light-po40j3{grid-template-columns:1fr 1fr;}}@media (min-width:960px){.css-light-po40j3{grid-template-columns:1fr 1fr;}}@media (max-width:959.95px){.css-light-po40j3{display:grid;margin:0px -24px;}}@media (min-width:0px){.css-light-po40j3{grid-template-columns:1fr 1fr;}}@media (min-width:600px){.css-light-po40j3{grid-template-columns:1fr 1fr;}}@media (min-width:960px){.css-light-po40j3{grid-template-columns:1fr 1fr;}}.css-light-1wlfc9m{display:-webkit-inline-box;display:-webkit-inline-flex;display:-ms-inline-flexbox;display:inline-flex;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-webkit-box-pack:center;-ms-flex-pack:center;-webkit-justify-content:center;justify-content:center;position:relative;box-sizing:border-box;-webkit-tap-highlight-color:transparent;background-color:transparent;outline:0;border:0;margin:0;border-radius:0;padding:0;cursor:pointer;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;vertical-align:middle;-moz-appearance:none;-webkit-appearance:none;-webkit-text-decoration:none;text-decoration:none;color:inherit;font-family:Inter 
Var,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:0.9375rem;line-height:1.57143;text-transform:capitalize;letter-spacing:0em;min-width:64px;padding:7px 21px;border-radius:4px;-webkit-transition:background-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,box-shadow 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,border-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;transition:background-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,box-shadow 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,border-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;border:1px solid rgba(104, 104, 104, 0.5);color:#686868;width:100%;box-shadow:none;padding:6px 12px;color:#191919;width:-webkit-fit-content;width:-moz-fit-content;width:fit-content;white-space:nowrap;width:100%;font-size:0.875rem;padding:5px 11px;background-color:#FFFFFF;border-color:#D7D7D7;padding:8px 15px;color:#191919;text-transform:none;-webkit-order:2;-ms-flex-order:2;order:2;grid-column:1/3;}.css-light-1wlfc9m::-moz-focus-inner{border-style:none;}.css-light-1wlfc9m.Mui-disabled{pointer-events:none;cursor:default;}@media print{.css-light-1wlfc9m{-webkit-print-color-adjust:exact;color-adjust:exact;}}.css-light-1wlfc9m:hover{-webkit-text-decoration:none;text-decoration:none;background-color:rgba(104, 104, 104, 0.04);border:1px solid #686868;}@media (hover: none){.css-light-1wlfc9m:hover{background-color:transparent;}}.css-light-1wlfc9m.Mui-disabled{color:rgba(0, 0, 0, 0.26);border:1px solid #F1F1F1;}.css-light-1wlfc9m:hover{box-shadow:none;}.css-light-1wlfc9m.Mui-focusVisible{box-shadow:none;}.css-light-1wlfc9m:active{box-shadow:none;}.css-light-1wlfc9m.Mui-disabled{box-shadow:none;}.css-light-1wlfc9m.Mui-disabled,.css-light-1wlfc9m:disabled{color:#8E8E8E;background-color:#E8E8E8;border-color:#D7D7D7;}.css-light-1wlfc9m:focus,.css-light-1wlfc9m.Mui-focusVisible{box-shadow:rgba(63, 89, 228, 
0.25) 0px 0px 0px 0.25em;}.css-light-1wlfc9m:hover,.css-light-1wlfc9m.Mui-hover{background-color:#F1F1F1;border-color:#D7D7D7;}.css-light-1wlfc9m:active,.css-light-1wlfc9m.Mui-active{background-color:#E8E8E8;border-color:#D7D7D7;}.css-light-1y9rv62{display:inherit;margin-right:-4px;margin-left:8px;}.css-light-1y9rv62>*:nth-of-type(1){font-size:22px;}.css-light-1y9rv62>*:first-child{font-size:1rem;height:1em;width:1em;}.css-light-1d1pobz{display:-webkit-inline-box;display:-webkit-inline-flex;display:-ms-inline-flexbox;display:inline-flex;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-webkit-box-pack:center;-ms-flex-pack:center;-webkit-justify-content:center;justify-content:center;position:relative;box-sizing:border-box;-webkit-tap-highlight-color:transparent;background-color:transparent;outline:0;border:0;margin:0;border-radius:0;padding:0;cursor:pointer;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;vertical-align:middle;-moz-appearance:none;-webkit-appearance:none;-webkit-text-decoration:none;text-decoration:none;color:inherit;font-family:Inter Var,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:0.9375rem;line-height:1.57143;text-transform:capitalize;letter-spacing:0em;min-width:64px;padding:7px 21px;border-radius:4px;-webkit-transition:background-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,box-shadow 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,border-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;transition:background-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,box-shadow 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,border-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;border:1px solid currentColor;color:inherit;border-color:currentColor;width:100%;box-shadow:none;padding:6px 
12px;color:#191919;width:-webkit-fit-content;width:-moz-fit-content;width:fit-content;white-space:nowrap;width:100%;font-size:0.875rem;padding:5px 11px;background-color:#FFFFFF;border-color:#D7D7D7;padding:8px 15px;text-transform:none;-webkit-order:1;-ms-flex-order:1;order:1;}.css-light-1d1pobz::-moz-focus-inner{border-style:none;}.css-light-1d1pobz.Mui-disabled{pointer-events:none;cursor:default;}@media print{.css-light-1d1pobz{-webkit-print-color-adjust:exact;color-adjust:exact;}}.css-light-1d1pobz:hover{-webkit-text-decoration:none;text-decoration:none;background-color:rgba(25, 25, 25, 0.04);}@media (hover: none){.css-light-1d1pobz:hover{background-color:transparent;}}.css-light-1d1pobz.Mui-disabled{color:rgba(0, 0, 0, 0.26);border:1px solid #F1F1F1;}.css-light-1d1pobz:hover{box-shadow:none;}.css-light-1d1pobz.Mui-focusVisible{box-shadow:none;}.css-light-1d1pobz:active{box-shadow:none;}.css-light-1d1pobz.Mui-disabled{box-shadow:none;}.css-light-1d1pobz.Mui-disabled,.css-light-1d1pobz:disabled{color:#8E8E8E;background-color:#E8E8E8;border-color:#D7D7D7;}.css-light-1d1pobz:focus,.css-light-1d1pobz.Mui-focusVisible{box-shadow:rgba(63, 89, 228, 0.25) 0px 0px 0px 0.25em;}.css-light-1f4mg9y{display:-webkit-inline-box;display:-webkit-inline-flex;display:-ms-inline-flexbox;display:inline-flex;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-webkit-box-pack:center;-ms-flex-pack:center;-webkit-justify-content:center;justify-content:center;position:relative;box-sizing:border-box;-webkit-tap-highlight-color:transparent;background-color:transparent;outline:0;border:0;margin:0;border-radius:0;padding:0;cursor:pointer;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;vertical-align:middle;-moz-appearance:none;-webkit-appearance:none;-webkit-text-decoration:none;text-decoration:none;color:inherit;font-family:Inter Var,-apple-system,BlinkMacSystemFont,Segoe 
UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:0.9375rem;line-height:1.57143;text-transform:capitalize;letter-spacing:0em;min-width:64px;padding:8px 22px;border-radius:4px;-webkit-transition:background-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,box-shadow 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,border-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;transition:background-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,box-shadow 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,border-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;color:#fff;background-color:#3F59E4;box-shadow:0px 6px 8px rgba(0, 0, 0, 0.1);width:100%;box-shadow:none;padding:6px 12px;color:#191919;width:-webkit-fit-content;width:-moz-fit-content;width:fit-content;white-space:nowrap;width:100%;font-size:0.875rem;padding:9px 16px;background-color:#3F59E4;color:#FFFFFF;text-transform:none;}.css-light-1f4mg9y::-moz-focus-inner{border-style:none;}.css-light-1f4mg9y.Mui-disabled{pointer-events:none;cursor:default;}@media print{.css-light-1f4mg9y{-webkit-print-color-adjust:exact;color-adjust:exact;}}.css-light-1f4mg9y:hover{-webkit-text-decoration:none;text-decoration:none;background-color:#263588;box-shadow:0px 16px 16px rgba(0, 0, 0, 0.1);}@media (hover: none){.css-light-1f4mg9y:hover{background-color:#3F59E4;}}.css-light-1f4mg9y:active{box-shadow:0px 16px 16px rgba(0, 0, 0, 0.1);}.css-light-1f4mg9y.Mui-focusVisible{box-shadow:0px 16px 16px rgba(0, 0, 0, 0.1);}.css-light-1f4mg9y.Mui-disabled{color:rgba(0, 0, 0, 
0.26);box-shadow:none;background-color:#F1F1F1;}.css-light-1f4mg9y:hover{box-shadow:none;}.css-light-1f4mg9y.Mui-focusVisible{box-shadow:none;}.css-light-1f4mg9y:active{box-shadow:none;}.css-light-1f4mg9y.Mui-disabled{box-shadow:none;}.css-light-1f4mg9y.Mui-disabled,.css-light-1f4mg9y:disabled{color:#8E8E8E;background-color:#E8E8E8;border-color:#D7D7D7;}.css-light-1f4mg9y:focus,.css-light-1f4mg9y.Mui-focusVisible{box-shadow:rgba(63, 89, 228, 0.25) 0px 0px 0px 0.25em;}.css-light-1f4mg9y:hover,.css-light-1f4mg9y.Mui-hover{background-color:#3449BA;}.css-light-1f4mg9y:active,.css-light-1f4mg9y.Mui-active{background-color:#263588;}.css-light-lj7bu0{margin:0;display:inline;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-webkit-text-decoration:none;text-decoration:none;border-radius:2px;outline:none;color:#3F59E4;font-weight:500;white-space:nowrap;}.css-light-lj7bu0:focus-visible{box-shadow:rgba(63, 89, 228, 0.25) 0px 0px 0px 0.25em;}.css-light-lj7bu0:hover{-webkit-text-decoration:none;text-decoration:none;color:#3449BA;}.css-light-lj7bu0:active{color:#263588;}.css-light-lj7bu0>.QuantumLink-icon{line-height:1;display:-webkit-inline-box;display:-webkit-inline-flex;display:-ms-inline-flexbox;display:inline-flex;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;}.css-light-lj7bu0>svg{width:1em;height:1em;}.css-light-lj7bu0>svg:first-child{-webkit-margin-end:8px;margin-inline-end:8px;}.css-light-gjlwnj{margin:0;font-family:Inter Var,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:1rem;line-height:1.5;letter-spacing:0em;display:inline;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-webkit-text-decoration:none;text-decoration:none;border-radius:2px;outline:none;color:#3F59E4;border-bottom:1px solid 
#E8E8E8;height:72px;display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;white-space:nowrap;padding:0px 24px;}.css-light-gjlwnj:focus-visible{box-shadow:rgba(63, 89, 228, 0.25) 0px 0px 0px 0.25em;}.css-light-gjlwnj:hover{-webkit-text-decoration:none;text-decoration:none;color:#3449BA;}.css-light-gjlwnj:active{color:#263588;}.css-light-gjlwnj>.QuantumLink-icon{line-height:1;display:-webkit-inline-box;display:-webkit-inline-flex;display:-ms-inline-flexbox;display:inline-flex;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;}.css-light-gjlwnj>svg{width:1em;height:1em;}.css-light-gjlwnj>svg:first-child{-webkit-margin-end:8px;margin-inline-end:8px;}.css-light-1fnpbqv{padding:0px 24px;margin-top:60px;}@media (max-width:1167.95px){.css-light-1fnpbqv{padding:0;}}.css-light-7wfy9u{display:grid;grid-template-columns:minmax(0, 1fr);gap:24px;max-width:1440px;width:auto;margin:0 auto;margin:0 auto;}@media (max-width:1167.95px){.css-light-7wfy9u{max-width:100%;margin:0px 24px;}}.css-light-1ibmmut{display:grid;gap:24px;grid-template-columns:none;grid-auto-columns:min-content;grid-auto-flow:column;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-webkit-align-items:flex-start;-webkit-box-align:flex-start;-ms-flex-align:flex-start;align-items:flex-start;gap:40px;}@media (min-width:0px){.css-light-1ibmmut{grid-template-columns:minmax(0,1fr);}}@media (min-width:600px){.css-light-1ibmmut{grid-template-columns:minmax(0,1fr);}}@media (min-width:960px){.css-light-1ibmmut{grid-template-columns:repeat(2, minmax(0,1fr));}}@media (min-width:960px){.css-light-1ibmmut{grid-template-columns:none;}}.css-light-13g1c2{width:304px;height:calc(100vh - 64px);position:-webkit-sticky;position:sticky;top:0;padding-right:4px;padding-bottom:16px;border-right:1px solid #E8E8E8;}.css-light-vwtx2w{display:grid;grid-template-columns:minmax(0, 
1fr);gap:16px;height:100%;-webkit-transform:translateY(0px);-moz-transform:translateY(0px);-ms-transform:translateY(0px);transform:translateY(0px);-webkit-transition:visibility 0s linear 0.2s,-webkit-transform 0.2s linear;transition:visibility 0s linear 0.2s,transform 0.2s linear;padding-top:24px;-webkit-align-content:flex-start;-ms-flex-line-pack:flex-start;align-content:flex-start;}.css-light-1nz6ure{display:grid;grid-template-columns:minmax(0, 1fr);gap:40px;}.css-light-1uvmhse{margin:0;font-family:Inter Var,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:400;font-size:0.875rem;line-height:1.57143;letter-spacing:0em;color:#686868;}.css-light-nhb8h9{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-box-flex-wrap:wrap;-webkit-flex-wrap:wrap;-ms-flex-wrap:wrap;flex-wrap:wrap;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;padding:0;margin:0;list-style:none;}.css-light-xdqqc7{margin:0;font-family:Inter Var,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:0.875rem;line-height:1.57143;letter-spacing:0em;display:inline;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-webkit-text-decoration:none;text-decoration:none;border-radius:2px;outline:none;color:#3F59E4;display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;cursor:pointer;}.css-light-xdqqc7:focus-visible{box-shadow:rgba(63, 89, 228, 0.25) 0px 0px 0px 
0.25em;}.css-light-xdqqc7:hover{-webkit-text-decoration:none;text-decoration:none;color:#3449BA;}.css-light-xdqqc7:active{color:#263588;}.css-light-xdqqc7>.QuantumLink-icon{line-height:1;display:-webkit-inline-box;display:-webkit-inline-flex;display:-ms-inline-flexbox;display:inline-flex;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;}.css-light-xdqqc7>svg{width:1em;height:1em;}.css-light-xdqqc7>svg:first-child{-webkit-margin-end:8px;margin-inline-end:8px;}.css-light-xdqqc7.active{color:#191919;}.css-light-xdqqc7 .QuantumBreadcrumbsItem-icon{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;font-size:1rem;}.css-light-xdqqc7 .QuantumBreadcrumbsItem-icon>svg{height:1em;width:1em;}.css-light-12z0wuy{margin-right:8px;}.css-light-ewr4mf{margin:0;display:inline;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-webkit-text-decoration:none;text-decoration:none;border-radius:2px;outline:none;color:#3F59E4;}.css-light-ewr4mf:focus-visible{box-shadow:rgba(63, 89, 228, 0.25) 0px 0px 0px 0.25em;}.css-light-ewr4mf:hover{-webkit-text-decoration:none;text-decoration:none;color:#3449BA;}.css-light-ewr4mf:active{color:#263588;}.css-light-ewr4mf>.QuantumLink-icon{line-height:1;display:-webkit-inline-box;display:-webkit-inline-flex;display:-ms-inline-flexbox;display:inline-flex;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;}.css-light-ewr4mf>svg{width:1em;height:1em;}.css-light-ewr4mf>svg:first-child{-webkit-margin-end:8px;margin-inline-end:8px;}.css-light-axw7ok{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;gap:8px;}.css-light-tq75vo{margin:0;font-family:Inter Var,-apple-system,BlinkMacSystemFont,Segoe 
UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:1.125rem;line-height:1.5rem;letter-spacing:-0.1px;color:#191919;font-weight:500;}.css-light-1iymi0i{list-style:none;margin:0;padding:0;overflow-y:scroll;overflow-x:hidden;}.css-light-1iymi0i::-webkit-scrollbar{width:0;background:transparent;}.css-light-1iymi0i li:first-child>a{padding-top:0;}.css-light-1iymi0i .externalLink{margin-left:8px;}.css-light-1ut66dz{margin:0;font-family:Inter Var,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:400;font-size:0.875rem;line-height:1.57143;letter-spacing:0em;letter-spacing:0.25px;font-size:0.75rem;line-height:1.125rem;font-weight:500;text-transform:uppercase;padding-top:24px;padding-bottom:8px;}.css-light-7t4v2s .QuantumSidebarLink-title,.css-light-7t4v2s .QuantumSidebarLink-availabilityLabel,.css-light-7t4v2s .QuantumSidebarLink-decoration,.css-light-7t4v2s .QuantumSidebarLink-endIcon{opacity:1;will-change:opacity;-webkit-transition:opacity 225ms cubic-bezier(0.4, 0, 1, 1) 113ms;transition:opacity 225ms cubic-bezier(0.4, 0, 1, 1) 113ms;}.css-light-7t4v2s .QuantumSidebarLink-link{padding-left:0;}.css-light-7t4v2s .QuantumSidebarLink-startIcon{width:0;}.css-light-7t4v2s .QuantumSidebarLink-endIcon{margin-right:8px;}.css-light-7t4v2s .QuantumSidebarLink-title{margin-left:0;white-space:normal;}.css-light-lti6cy{padding-left:0;margin-left:0px;max-width:300px;font-weight:500;padding:8px;font-family:Inter Var,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-size:0.875rem;line-height:1.25rem;letter-spacing:0em;color:#191919;border-radius:4px;-webkit-text-decoration:none;text-decoration:none;width:100%;display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;cursor:pointer;background:transparent;border:none;-webkit-transition:color 150ms 
cubic-bezier(0.4, 0, 0.2, 1) 0ms;transition:color 150ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;--identicons-color-light:#D7D7D7;--identicons-color-base:#B9B9B9;--identicons-color-dark:#686868;}.css-light-lti6cy .QuantumSidebarLink-title{color:#686868;}.css-light-lti6cy:focus{box-shadow:none;}.css-light-lti6cy:hover{color:#3F59E4;-webkit-text-decoration:none;text-decoration:none;--identicons-color-light:#CFD6F8;--identicons-color-base:#AAB6F3;--identicons-color-dark:#3F59E4;}.css-light-lti6cy:focus-visible{outline:none;box-shadow:rgba(63, 89, 228, 0.25) 0px 0px 0px 0.25em;}.css-light-3djh8h{display:-webkit-inline-box;display:-webkit-inline-flex;display:-ms-inline-flexbox;display:inline-flex;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-webkit-box-pack:center;-ms-flex-pack:center;-webkit-justify-content:center;justify-content:center;-webkit-flex-shrink:0;-ms-flex-negative:0;flex-shrink:0;width:1.25rem;font-size:1.25rem;}.css-light-3djh8h>svg{width:1em;height:1em;-webkit-transition:fill 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,-webkit-transform 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;transition:fill 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,transform 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;}.css-light-hdbujw{white-space:nowrap;overflow:hidden;text-overflow:ellipsis;margin-left:10px;min-width:2rem;}.css-light-1njuh7n{display:-webkit-inline-box;display:-webkit-inline-flex;display:-ms-inline-flexbox;display:inline-flex;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-webkit-box-pack:center;-ms-flex-pack:center;-webkit-justify-content:center;justify-content:center;-webkit-flex-shrink:0;-ms-flex-negative:0;flex-shrink:0;margin-left:auto;color:#B9B9B9;}.css-light-1njuh7n>svg{width:1em;height:1em;-webkit-transition:fill 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,-webkit-transform 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;transition:fill 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,transform 250ms 
cubic-bezier(0.4, 0, 0.2, 1) 0ms;}.css-light-127ud2i{padding-left:0;margin-left:8px;max-width:292px;font-weight:400;padding:8px;font-family:Inter Var,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-size:0.75rem;line-height:1.4rem;letter-spacing:0em;color:#686868;padding-top:4px;padding-bottom:4px;border-radius:4px;-webkit-text-decoration:none;text-decoration:none;width:100%;display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;cursor:pointer;background:transparent;border:none;-webkit-transition:color 150ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;transition:color 150ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;--identicons-color-light:#D7D7D7;--identicons-color-base:#B9B9B9;--identicons-color-dark:#686868;}.css-light-127ud2i .QuantumSidebarLink-title{color:#686868;}.css-light-127ud2i:focus{box-shadow:none;}.css-light-127ud2i .QuantumSidebarLink-startIcon{font-size:1rem;}.css-light-127ud2i:hover{color:#3F59E4;-webkit-text-decoration:none;text-decoration:none;--identicons-color-light:#CFD6F8;--identicons-color-base:#AAB6F3;--identicons-color-dark:#3F59E4;}.css-light-127ud2i:focus-visible{outline:none;box-shadow:rgba(63, 89, 228, 0.25) 0px 0px 0px 0.25em;}.css-light-w8rns{height:100%;}.css-light-1v28jvd{height:100%;width:776px;}@media (max-width:823.95px){.css-light-1v28jvd{width:100%;}}.css-light-e4wg0l{display:grid;grid-template-columns:minmax(0, 1fr);padding-top:40px;padding-bottom:40px;gap:40px;}.css-light-1ume9uy{margin:0;font-family:Inter Var,-apple-system,BlinkMacSystemFont,Segoe 
UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:0.875rem;line-height:1.57143;letter-spacing:0em;display:-webkit-inline-box;display:-webkit-inline-flex;display:-ms-inline-flexbox;display:inline-flex;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-webkit-text-decoration:none;text-decoration:none;border-radius:0;outline:0;color:#686868;vertical-align:initial;position:relative;-webkit-tap-highlight-color:transparent;background-color:transparent;border:0;margin:0;padding:0;cursor:pointer;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;-moz-appearance:none;-webkit-appearance:none;display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;cursor:pointer;}.css-light-1ume9uy:focus-visible{box-shadow:rgba(63, 89, 228, 0.25) 0px 0px 0px 0.25em;}.css-light-1ume9uy:hover{-webkit-text-decoration:none;text-decoration:none;color:#555555;}.css-light-1ume9uy:active{color:#3E3E3E;}.css-light-1ume9uy::-moz-focus-inner{border-style:none;}.css-light-1ume9uy>.QuantumLink-icon{line-height:1;display:-webkit-inline-box;display:-webkit-inline-flex;display:-ms-inline-flexbox;display:inline-flex;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;}.css-light-1ume9uy>svg{width:1em;height:1em;}.css-light-1ume9uy>svg:first-child{-webkit-margin-end:8px;margin-inline-end:8px;}.css-light-1ume9uy.active{color:#191919;}.css-light-1ume9uy .QuantumBreadcrumbsItem-icon{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;font-size:1rem;}.css-light-1ume9uy 
.QuantumBreadcrumbsItem-icon>svg{height:1em;width:1em;}.css-light-1ahyw7i{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;margin-left:8px;margin-right:8px;color:#B9B9B9;font-size:0.875rem;}.css-light-10ib5jr{margin-bottom:40px;}.css-light-lvunq8{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:2.5rem;line-height:2.75rem;letter-spacing:-0.8px;}@media (max-width:599.95px){.css-light-lvunq8{font-size:2rem;line-height:2.5rem;letter-spacing:-0.5px;}}@media (max-width:-0.05px){.css-light-lvunq8{font-size:1.75rem;line-height:2.25rem;letter-spacing:-0.3px;}}.css-light-1kmlmk0{display:grid;grid-template-columns:minmax(0, 1fr);gap:16px;}.css-light-151tvvp>*{margin-top:1.5em;margin-bottom:1.5em;}.css-light-151tvvp>h3{margin-top:2.5em;margin-bottom:1em;}.css-light-151tvvp>h3>code{font-size:0.8em;}.css-light-151tvvp>h4{margin-top:2.5em;margin-bottom:0.75em;font-weight:600;}.css-light-151tvvp>h4>code{font-size:0.8em;}.css-light-151tvvp>h5{margin-top:2em;margin-bottom:0.75em;font-weight:600;}.css-light-151tvvp>h6{margin-top:1.75em;margin-bottom:0.75em;font-weight:600;}.css-light-151tvvp>p{margin-top:1em;margin-bottom:1em;line-height:1.6;}.css-light-151tvvp>p>code{font-size:0.8em;}.css-light-151tvvp strong{font-weight:600;}.css-light-151tvvp>ul,.css-light-151tvvp>ol{padding-left:1.25em!important;}.css-light-151tvvp>ul>li,.css-light-151tvvp>ol>li{margin-bottom:.25em;}.css-light-151tvvp>ul>li{list-style-type:square;}.css-light-151tvvp>ol>li{list-style-type:decimal;}.css-light-151tvvp code{padding-top:1px;color:#191919;}.css-light-151tvvp>img,.css-light-151tvvp>ul img,.css-light-151tvvp>ol img{margin-top:1.5em;margin-bottom:1.5em;}.css-light-151tvvp 
img{max-width:100%;}.css-light-151tvvp>*:first-child{margin-top:0;}.css-light-151tvvp>*:last-child{margin-bottom:0;}.css-light-151tvvp>a,.css-light-151tvvp>p>a{color:#3F59E4;-webkit-text-decoration:none;text-decoration:none;}.css-light-151tvvp>a:hover,.css-light-151tvvp>p>a:hover{color:#3449BA;-webkit-text-decoration:none;text-decoration:none;}.css-light-151tvvp>*,.css-light-151tvvp >p,.css-light-151tvvp >img,.css-light-151tvvp li>img{margin-top:16px;margin-bottom:16px;}.css-light-151tvvp img{max-width:100%;}.css-light-151tvvp h1{font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:2.5rem;line-height:2.75rem;letter-spacing:-0.8px;}@media (max-width:599.95px){.css-light-151tvvp h1{font-size:2rem;line-height:2.5rem;letter-spacing:-0.5px;}}@media (max-width:-0.05px){.css-light-151tvvp h1{font-size:1.75rem;line-height:2.25rem;letter-spacing:-0.3px;}}.css-light-151tvvp h2{font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:2rem;line-height:2.5rem;letter-spacing:-0.5px;}@media (max-width:599.95px){.css-light-151tvvp h2{font-size:1.75rem;line-height:2.25rem;letter-spacing:-0.3px;}}@media (max-width:-0.05px){.css-light-151tvvp h2{font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}}.css-light-151tvvp h3{font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:1.75rem;line-height:2.25rem;letter-spacing:-0.3px;}@media (max-width:599.95px){.css-light-151tvvp h3{font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}}@media (max-width:-0.05px){.css-light-151tvvp h3{font-size:1.25rem;line-height:1.75rem;letter-spacing:-0.1px;}}.css-light-151tvvp h4{font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe 
UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}@media (max-width:599.95px){.css-light-151tvvp h4{font-size:1.25rem;line-height:1.75rem;letter-spacing:-0.1px;}}.css-light-151tvvp h5{font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:1.25rem;line-height:1.75rem;letter-spacing:-0.1px;}.css-light-151tvvp p{font-family:Inter Var,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:400;font-size:1rem;line-height:1.5;letter-spacing:-0.01px;margin:0px 0px 16px;}.css-light-151tvvp small{font-family:Inter Var,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:400;font-size:0.875rem;line-height:1.57143;letter-spacing:0;}.css-light-151tvvp b,.css-light-151tvvp strong{letter-spacing:0;font-weight:700;}.css-light-151tvvp a:not(.QuantumLink-root,.btn){font-weight:500;color:#3F59E4;display:-webkit-inline-box;display:-webkit-inline-flex;display:-ms-inline-flexbox;display:inline-flex;-webkit-text-decoration:none;text-decoration:none;}.css-light-151tvvp a:not(.QuantumLink-root,.btn):hover{-webkit-text-decoration:underline;text-decoration:underline;color:#3449BA;}.css-light-151tvvp .QuantumAlert-root a{-webkit-text-decoration:underline;text-decoration:underline;color:inherit;}.css-light-151tvvp .QuantumAlert-root a:hover{color:inherit;}.css-light-151tvvp 
a[href^=http]::after{margin-left:4px;position:relative;top:1px;content:url("data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20width%3D%2214%22%20height%3D%2214%22%20viewBox%3D%220%200%2024%2024%22%20fill%3D%22none%22%20stroke%3D%22%233F59E4%22%20stroke-width%3D%222%22%20stroke-linecap%3D%22round%22%20stroke-linejoin%3D%22round%22%20class%3D%22css-0%22%3E%3Cpath%20d%3D%22M18%2013v6a2%202%200%200%201-2%202H5a2%202%200%200%201-2-2V8a2%202%200%200%201%202-2h6%22%3E%3C%2Fpath%3E%3Cpolyline%20points%3D%2215%203%2021%203%2021%209%22%3E%3C%2Fpolyline%3E%3Cline%20x1%3D%2210%22%20y1%3D%2214%22%20x2%3D%2221%22%20y2%3D%223%22%3E%3C%2Fline%3E%3C%2Fsvg%3E");}.css-light-151tvvp ul,.css-light-151tvvp ol{padding-left:40px;}.css-light-151tvvp ul>li{list-style-type:disc;}.css-light-151tvvp ol>li{list-style-type:number;}.css-light-151tvvp ul>li,.css-light-151tvvp ol>li{font-size:1rem;margin:8px 0px;}.css-light-151tvvp .tablew{overflow-x:auto;scroll-behavior:smooth;webkit-overflow-scrolling:touch;}.css-light-151tvvp .table{font-size:0.875rem;letter-spacing:0.15px;border-collapse:collapse;}@media (max-width:823.95px){.css-light-151tvvp .table th{white-space:nowrap;}}.css-light-151tvvp .table tr>td,.css-light-151tvvp .table tr>th{line-height:1.25rem;padding:8px;vertical-align:top;border-top:1px solid #E8E8E8;}.css-light-151tvvp .table th{text-align:left;}.css-light-151tvvp .table>thead>tr>th{border-bottom:2px solid #E8E8E8;border-top:none;}.css-light-151tvvp .table>tbody>tr:nth-child(odd){background:#F6F6F6;}.css-light-151tvvp .panel{background-color:inherit;}.css-light-151tvvp .aside-container{padding:32px;border-radius:24px;border:1px solid #E8E8E8;}.css-light-151tvvp .aside-container .aside-heading{margin-bottom:12px;}.css-light-151tvvp .aside-container .aside-heading h4{margin-top:0;margin-bottom:0;}.css-light-151tvvp .aside-container .aside-body ul{padding-left:24px;}.css-light-151tvvp code:not(.code-highlight-prism),.css-light-151tvvp 
p>code{font-family:Roboto Mono,Menlo,Monaco,Consolas,Courier New,monospace;font-size:0.875rem;line-height:1.25rem;letter-spacing:0.15px;font-weight:400;-webkit-font-smoothing:subpixel-antialiased;padding:0px 6px 2px;border-radius:3px;}.css-light-151tvvp code small,.css-light-151tvvp p>code small{font-family:Roboto Mono,Menlo,Monaco,Consolas,Courier New,monospace;font-size:0.75rem;line-height:1.125rem;letter-spacing:0.25px;font-weight:400;-webkit-font-smoothing:subpixel-antialiased;}.css-light-151tvvp .code-picker .languages-bar .dropdown .dropdown-menu{background:#FFFFFF;list-style:none;padding-left:24px;}.css-light-151tvvp .code-picker .languages-bar>ul li{list-style-type:none;}.css-light-151tvvp .code-picker .languages-bar>ul>li.active>a{color:#263588;}.css-light-151tvvp .connections-container{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-box-pack:justify;-webkit-justify-content:space-between;justify-content:space-between;-webkit-box-flex-wrap:wrap;-webkit-flex-wrap:wrap;-ms-flex-wrap:wrap;flex-wrap:wrap;}.css-light-151tvvp .connections-container:after{content:none;-webkit-flex:auto;-ms-flex:auto;flex:auto;}.css-light-151tvvp .connection{padding:24px 16px;border:1px solid #E8E8E8;-webkit-flex-basis:23%;-ms-flex-preferred-size:23%;flex-basis:23%;margin-bottom:16px;margin-right:2.6666666%;overflow:hidden;-webkit-transition:-webkit-transform 0.2s,border 0.2s;transition:transform 0.2s,border 0.2s;}.css-light-151tvvp .connection:nth-child(4n){margin-right:0;}.css-light-151tvvp .connection.connection-public:hover{border:1px solid #E8E8E8;box-shadow:0px 2px 4px rgb(0 0 0 / 12%);-webkit-transform:scale(1.02);-moz-transform:scale(1.02);-ms-transform:scale(1.02);transform:scale(1.02);-webkit-text-decoration:none;text-decoration:none;}.css-light-151tvvp .connection.connection-public:focus{box-shadow:rgba(63, 89, 228, 0.25) 0px 0px 0px 0.25em;}@media (max-width:599.95px){.css-light-151tvvp 
.connection{-webkit-flex-basis:48%;-ms-flex-preferred-size:48%;flex-basis:48%;margin-right:4%;}.css-light-151tvvp .connection:nth-child(2n){margin-right:0;}}.css-light-151tvvp .connection-content{text-align:center;}.css-light-151tvvp .connection-title{font-size:1.125rem;line-height:1.25rem;margin-top:16px;margin-bottom:0;}.css-light-151tvvp .connection-image-wrap{display:inline-block;vertical-align:middle;}.css-light-151tvvp .connection-image-wrap img{max-height:60px;max-width:60px;}.css-light-151tvvp .title-portal-container{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-align-items:baseline;-webkit-box-align:baseline;-ms-flex-align:baseline;align-items:baseline;gap:4px;-webkit-transform:translateX(-20px);-moz-transform:translateX(-20px);-ms-transform:translateX(-20px);transform:translateX(-20px);}.css-light-151tvvp .title-portal-container:hover{cursor:pointer;}.css-light-151tvvp .title-portal-container:hover .title-portal-icon{opacity:1;}.css-light-151tvvp .title-portal-container .title-portal-icon{color:#686868;opacity:0;}.css-light-151tvvp .title-portal-container .title-portal-text{margin-top:24px;scroll-margin-top:88px;}.css-light-151tvvp .title-portal-container h2.title-portal-text{margin-top:40px;margin-bottom:8px;}.css-light-151tvvp .tooltip-portal-underlined-word{font-style:normal;border-bottom:1px dotted #686868;}.css-light-151tvvp .alert-content>p{font-family:Inter Var,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:400;font-size:0.875rem;line-height:1.57143;letter-spacing:0;}.css-light-151tvvp .alert-content bold,.css-light-151tvvp .alert-content strong{font-weight:500;}.css-light-151tvvp .alert-content>p>a{font-weight:500;color:#191919;}.css-light-151tvvp .alert-content>p>a:hover{-webkit-text-decoration:none;text-decoration:none;}.css-light-151tvvp code .alert-content{font-family:Roboto Mono,Menlo,Monaco,Consolas,Courier 
New,monospace;font-size:0.875rem;line-height:1.25rem;letter-spacing:0.15px;font-weight:400;-webkit-font-smoothing:subpixel-antialiased;}.css-light-151tvvp .QuantumAlert-standardWarning,.css-light-151tvvp .alert-portal-severity-warning{background-color:#FEF2B3;}.css-light-151tvvp .QuantumAlert-standardWarning $icon,.css-light-151tvvp .alert-portal-severity-warning $icon{color:#786713;}.css-light-151tvvp .QuantumAlert-standardInfo,.css-light-151tvvp .alert-portal-severity-info{background-color:#EEF0FD;}.css-light-151tvvp .QuantumAlert-standardInfo $icon,.css-light-151tvvp .alert-portal-severity-info $icon{color:#3F59E4;}.css-light-151tvvp .alert-portal-content:last-child{margin-bottom:0;}.css-light-151tvvp .alert-portal-content p{font-family:Inter Var,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:400;font-size:0.875rem;line-height:1.57143;letter-spacing:0;}.css-light-151tvvp .alert-portal-content p:last-child{margin-bottom:0;}.css-light-151tvvp .alert-portal-content code{font-family:Roboto Mono,Menlo,Monaco,Consolas,Courier New,monospace;font-size:0.875rem;line-height:1.25rem;letter-spacing:0.15px;font-weight:400;-webkit-font-smoothing:subpixel-antialiased;padding-left:3px;padding-right:3px;}.css-light-151tvvp .alert-portal-content bold,.css-light-151tvvp .alert-portal-content strong,.css-light-151tvvp .alert-portal-content b{font-weight:500;font-size:0.875rem;}.css-light-151tvvp .MuiTabs-flexContainer{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;}.css-light-151tvvp .MuiTab-root{margin-left:0;margin-right:16px;font-family:Inter,fakt-web,-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,Helvetica,Arial,sans-serif,'Apple Color Emoji','Segoe UI Emoji','Segoe UI Symbol';padding:6px 
12px;overflow:hidden;position:relative;font-size:0.875rem;max-width:264px;min-width:unset;box-sizing:border-box;min-height:48px;text-align:center;-webkit-flex-shrink:0;-ms-flex-negative:0;flex-shrink:0;font-weight:400;line-height:1.71429;white-space:normal;padding-left:0;padding-right:0;letter-spacing:0.01071em;text-transform:none;}.css-light-151tvvp .MuiTab-root .MuiTab-root:first-child{margin-left:0;}.css-light-151tvvp .MuiTabs-scroller{-webkit-flex:1 1 auto;-ms-flex:1 1 auto;flex:1 1 auto;display:inline-block;position:relative;white-space:nowrap;border-bottom:1px solid #E8E8E8;width:100%;}.css-light-151tvvp .MuiTab-textColorPrimary.Mui-selected{border-bottom:1px solid #263588;}.css-light-151tvvp .MuiTab-wrapper{width:100%;display:-webkit-inline-box;display:-webkit-inline-flex;display:-ms-inline-flexbox;display:inline-flex;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-webkit-flex-direction:column;-ms-flex-direction:column;flex-direction:column;-webkit-box-pack:center;-ms-flex-pack:center;-webkit-justify-content:center;justify-content:center;}.css-light-151tvvp .MuiTab-labelIcon{min-height:72px;padding-top:8px;}.css-light-151tvvp .MuiTab-labelIcon .MuiTab-wrapper>*:first-child{margin-bottom:8px;}.css-light-151tvvp .MuiTab-textColorInherit{color:inherit;opacity:0.7;}.css-light-151tvvp .MuiTab-textColorInherit.Mui-selected{opacity:1;}.css-light-151tvvp .MuiTab-textColorInherit.Mui-disabled{opacity:0.5;}.css-light-151tvvp .MuiTab-textColorPrimary{color:#65676e;font-weight:400;}.css-light-151tvvp .MuiTab-textColorPrimary.Mui-disabled{color:#65676e;}.css-light-151tvvp .MuiTab-fullWidth{-webkit-box-flex:1;-webkit-flex-grow:1;-ms-flex-positive:1;flex-grow:1;max-width:none;-webkit-flex-basis:0;-ms-flex-preferred-size:0;flex-basis:0;-webkit-flex-shrink:1;-ms-flex-negative:1;flex-shrink:1;}.css-light-151tvvp .MuiTab-wrapped{font-size:0.75rem;line-height:1.5;}.css-light-151tvvp div[role=tabpanel] 
ol{list-style:inherit;padding-left:24px;}.css-light-151tvvp .MuiExpansionPanelSummary-content{margin:0;display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-box-flex:1;-webkit-flex-grow:1;-ms-flex-positive:1;flex-grow:1;-webkit-transition:margin 150ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;transition:margin 150ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;}.css-light-151tvvp .MuiExpansionPanelSummary-content [data-cosmos-key="avatar-block"]{height:100%;display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;}.css-light-151tvvp .MuiExpansionPanel-root{margin:0;padding:32px;position:relative;-webkit-transition:margin 150ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;transition:margin 150ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;}.css-light-151tvvp .MuiCollapse-hidden{visibility:hidden;}.css-light-151tvvp .MuiExpansionPanelSummary-expandIcon{width:25px;height:25px;-webkit-align-self:baseline;-ms-flex-item-align:baseline;align-self:baseline;}.css-light-151tvvp .MuiCollapse-root{height:0;transition-duration:268ms;min-height:0px;}.css-light-151tvvp .accordion-control-buttons{width:-webkit-fit-content;width:-moz-fit-content;width:fit-content;margin:0 0 8px auto;display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;gap:5px;}.css-light-151tvvp .accordion-panels{box-shadow:none;display:grid;gap:16px;grid-template-columns:minmax(0px, 1fr);}.css-light-151tvvp .accordion-panel{border:1px solid #E8E8E8;padding:16px;border-radius:8px;box-shadow:none;}.css-light-151tvvp #accordion-summary{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;padding:0;min-hheight:unset;-webkit-transition:min-height 150ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,background-color 150ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;transition:min-height 150ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,background-color 150ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;}.css-light-151tvvp 
.accordion-numbered-icon{width:2rem;height:2rem;font-size:0.875rem;color:#635dff;background-color:#e9e8ff;border-radius:50%;display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;overflow:hidden;position:relative;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;font-weight:500;text-transform:uppercase;-webkit-box-pack:center;-ms-flex-pack:center;-webkit-justify-content:center;justify-content:center;}.css-light-151tvvp .accordion-details{margin-top:16px;margin-left:0;margin-right:16px;}.css-light-151tvvp .accordion-numbered-details{margin-top:16px;margin-left:48px;margin-right:16px;}.css-light-qw3jjx{display:grid;grid-template-columns:minmax(0, 1fr);gap:24px;border:1px solid #E8E8E8;border-radius:4px;margin:32px 0px 40px;padding:40px;}.css-light-ve6lx2{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-flex-direction:row;-ms-flex-direction:row;flex-direction:row;-webkit-align-items:baseline;-webkit-box-align:baseline;-ms-flex-align:baseline;align-items:baseline;grid-gap:24px;}@media (max-width:823.95px){.css-light-ve6lx2{-webkit-flex-direction:column;-ms-flex-direction:column;flex-direction:column;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;}}.css-light-1890uci{margin:0;font-family:Inter Var,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:400;font-size:0.875rem;line-height:1.57143;letter-spacing:0em;color:#686868;}.css-light-cnjcq1{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;margin:0;}.css-light-146h36z{display:grid;gap:16px;grid-template-columns:none;grid-auto-columns:min-content;grid-auto-flow:column;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;}@media (min-width:0px){.css-light-146h36z{grid-template-columns:minmax(0,1fr);}}@media 
(min-width:600px){.css-light-146h36z{grid-template-columns:minmax(0,1fr);}}@media (min-width:960px){.css-light-146h36z{grid-template-columns:repeat(2, minmax(0,1fr));}}@media (min-width:0px){.css-light-146h36z{grid-template-columns:none;}}@media (min-width:600px){.css-light-146h36z{grid-template-columns:none;}}@media (min-width:960px){.css-light-146h36z{grid-template-columns:none;}}.css-light-up5kby{display:-webkit-inline-box;display:-webkit-inline-flex;display:-ms-inline-flexbox;display:inline-flex;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-webkit-box-pack:center;-ms-flex-pack:center;-webkit-justify-content:center;justify-content:center;position:relative;box-sizing:border-box;-webkit-tap-highlight-color:transparent;background-color:transparent;outline:0;border:0;margin:0;border-radius:0;padding:0;cursor:pointer;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;vertical-align:middle;-moz-appearance:none;-webkit-appearance:none;-webkit-text-decoration:none;text-decoration:none;color:inherit;font-family:Inter Var,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:0.8125rem;line-height:1.57143;text-transform:capitalize;letter-spacing:0em;min-width:64px;padding:3px 9px;border-radius:4px;-webkit-transition:background-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,box-shadow 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,border-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;transition:background-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,box-shadow 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,border-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;border:1px solid rgba(104, 104, 104, 0.5);color:#686868;box-shadow:none;padding:6px 
12px;color:#191919;width:-webkit-fit-content;width:-moz-fit-content;width:fit-content;white-space:nowrap;min-width:unset;font-size:0.875rem;padding:5px 11px;background-color:#FFFFFF;border-color:#D7D7D7;padding:3px 9px;color:#191919;padding:0px 8px;}.css-light-up5kby::-moz-focus-inner{border-style:none;}.css-light-up5kby.Mui-disabled{pointer-events:none;cursor:default;}@media print{.css-light-up5kby{-webkit-print-color-adjust:exact;color-adjust:exact;}}.css-light-up5kby:hover{-webkit-text-decoration:none;text-decoration:none;background-color:rgba(104, 104, 104, 0.04);border:1px solid #686868;}@media (hover: none){.css-light-up5kby:hover{background-color:transparent;}}.css-light-up5kby.Mui-disabled{color:rgba(0, 0, 0, 0.26);border:1px solid #F1F1F1;}.css-light-up5kby:hover{box-shadow:none;}.css-light-up5kby.Mui-focusVisible{box-shadow:none;}.css-light-up5kby:active{box-shadow:none;}.css-light-up5kby.Mui-disabled{box-shadow:none;}.css-light-up5kby.Mui-disabled,.css-light-up5kby:disabled{color:#8E8E8E;background-color:#E8E8E8;border-color:#D7D7D7;}.css-light-up5kby:focus,.css-light-up5kby.Mui-focusVisible{box-shadow:rgba(63, 89, 228, 0.25) 0px 0px 0px 0.25em;}.css-light-up5kby:hover,.css-light-up5kby.Mui-hover{background-color:#F1F1F1;border-color:#D7D7D7;}.css-light-up5kby:active,.css-light-up5kby.Mui-active{background-color:#E8E8E8;border-color:#D7D7D7;}.css-light-up5kby:focus{box-shadow:none;}.css-light-10lfzun{display:inherit;margin-right:8px;margin-left:-2px;}.css-light-10lfzun>*:nth-of-type(1){font-size:18px;}.css-light-10lfzun>*:first-child{font-size:1rem;height:1em;width:1em;}.css-light-1v33see{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-align-items:baseline;-webkit-box-align:baseline;-ms-flex-align:baseline;align-items:baseline;-webkit-column-gap:4px;column-gap:4px;color:#686868;}@media 
(max-width:823.95px){.css-light-1v33see{-webkit-flex-direction:column;-ms-flex-direction:column;flex-direction:column;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;}}.css-light-1xlk6nz{padding-left:0;margin-left:0px;max-width:300px;font-weight:500;padding:8px;font-family:Inter Var,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-size:0.875rem;line-height:1.25rem;letter-spacing:0em;color:#191919;border-radius:4px;-webkit-text-decoration:none;text-decoration:none;width:100%;display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;cursor:pointer;background:transparent;border:none;-webkit-transition:color 150ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;transition:color 150ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;--identicons-color-light:#D7D7D7;--identicons-color-base:#B9B9B9;--identicons-color-dark:#686868;}.css-light-1xlk6nz .QuantumSidebarLink-title{color:#3F59E4;}.css-light-1xlk6nz:focus{box-shadow:none;}.css-light-1xlk6nz:hover{color:#3F59E4;-webkit-text-decoration:none;text-decoration:none;--identicons-color-light:#CFD6F8;--identicons-color-base:#AAB6F3;--identicons-color-dark:#3F59E4;}.css-light-1xlk6nz:focus-visible{outline:none;box-shadow:rgba(63, 89, 228, 0.25) 0px 0px 0px 0.25em;}</style></style><style id="styled-footer-css"><style data-styled="true" data-styled-version="5.3.1">.grRtqw.grRtqw.grRtqw{font-weight:500;}/*!sc*/ .hNTphv.hNTphv.hNTphv{display:-webkit-inline-box;display:-webkit-inline-flex;display:-ms-inline-flexbox;display:inline-flex;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-webkit-text-decoration:none;text-decoration:none;}/*!sc*/ .dCXkaK.dCXkaK.dCXkaK{color:#80868F;margin:0;}/*!sc*/ .iDvir.iDvir.iDvir{border-top:0.0625rem solid #bdc4cf;padding:1.5rem 1rem;color:#80868F;margin:0;}/*!sc*/ 
data-styled.g2[id="utils-sc-11hlfw-0"]{content:"grRtqw,hNTphv,coRBuS,dCXkaK,iDvir,"}/*!sc*/ .lAvfL{margin:0 0 1rem 0;padding:0;color:#8B929B;font-family:SpaceGrotesk;font-style:NORMAL;font-weight:600;font-size:0.75rem;-webkit-letter-spacing:0.075rem;-moz-letter-spacing:0.075rem;-ms-letter-spacing:0.075rem;letter-spacing:0.075rem;line-height:1.125rem;text-transform:uppercase;}/*!sc*/ @media screen and (min-width:900px){.lAvfL{color:#8B929B;font-family:SpaceGrotesk;font-style:NORMAL;font-weight:600;font-size:0.875rem;-webkit-letter-spacing:0.09375rem;-moz-letter-spacing:0.09375rem;-ms-letter-spacing:0.09375rem;letter-spacing:0.09375rem;line-height:1.25rem;}}/*!sc*/ @media screen and (min-width:1200px){.lAvfL{color:#8B929B;font-family:SpaceGrotesk;font-style:NORMAL;font-weight:600;font-size:0.875rem;-webkit-letter-spacing:0.09375rem;-moz-letter-spacing:0.09375rem;-ms-letter-spacing:0.09375rem;letter-spacing:0.09375rem;line-height:1.25rem;}}/*!sc*/ data-styled.g6[id="styled__Overline-sc-165cfko-0"]{content:"lAvfL,"}/*!sc*/ .ujlCh{margin:0;padding:0;color:#41454C;font-family:Inter;font-style:NORMAL;font-weight:400;font-size:0.875rem;-webkit-letter-spacing:0rem;-moz-letter-spacing:0rem;-ms-letter-spacing:0rem;letter-spacing:0rem;line-height:1.375rem;color:#41454C;}/*!sc*/ @media screen and (min-width:900px){.ujlCh{color:#41454C;font-family:Inter;font-style:NORMAL;font-weight:400;font-size:0.875rem;-webkit-letter-spacing:0rem;-moz-letter-spacing:0rem;-ms-letter-spacing:0rem;letter-spacing:0rem;line-height:1.375rem;color:#41454C;}}/*!sc*/ @media screen and (min-width:1200px){.ujlCh{color:#41454C;font-family:Inter;font-style:NORMAL;font-weight:400;font-size:0.875rem;-webkit-letter-spacing:0rem;-moz-letter-spacing:0rem;-ms-letter-spacing:0rem;letter-spacing:0rem;line-height:1.375rem;color:#41454C;}}/*!sc*/ .gddBva{margin:0 0 1rem 
0;padding:0;color:#41454C;font-family:Inter;font-style:NORMAL;font-weight:400;font-size:0.875rem;-webkit-letter-spacing:0rem;-moz-letter-spacing:0rem;-ms-letter-spacing:0rem;letter-spacing:0rem;line-height:1.375rem;color:#41454C;}/*!sc*/ @media screen and (min-width:900px){.gddBva{color:#41454C;font-family:Inter;font-style:NORMAL;font-weight:400;font-size:0.875rem;-webkit-letter-spacing:0rem;-moz-letter-spacing:0rem;-ms-letter-spacing:0rem;letter-spacing:0rem;line-height:1.375rem;color:#41454C;}}/*!sc*/ @media screen and (min-width:1200px){.gddBva{color:#41454C;font-family:Inter;font-style:NORMAL;font-weight:400;font-size:0.875rem;-webkit-letter-spacing:0rem;-moz-letter-spacing:0rem;-ms-letter-spacing:0rem;letter-spacing:0rem;line-height:1.375rem;color:#41454C;}}/*!sc*/ data-styled.g7[id="styled__Paragraph-sc-165cfko-1"]{content:"ujlCh,gddBva,"}/*!sc*/ .NZnYD{margin:0;padding:0;color:#635DFF;font-family:Inter;font-style:NORMAL;font-weight:500;font-size:0.875rem;-webkit-letter-spacing:0rem;-moz-letter-spacing:0rem;-ms-letter-spacing:0rem;letter-spacing:0rem;line-height:1.375rem;color:#635DFF;-webkit-text-decoration:none;text-decoration:none;cursor:pointer;}/*!sc*/ @media screen and (min-width:900px){.NZnYD{color:#635DFF;font-family:Inter;font-style:NORMAL;font-weight:500;font-size:0.875rem;-webkit-letter-spacing:0rem;-moz-letter-spacing:0rem;-ms-letter-spacing:0rem;letter-spacing:0rem;line-height:1.375rem;}}/*!sc*/ @media screen and (min-width:1200px){.NZnYD{color:#635DFF;font-family:Inter;font-style:NORMAL;font-weight:500;font-size:0.875rem;-webkit-letter-spacing:0rem;-moz-letter-spacing:0rem;-ms-letter-spacing:0rem;letter-spacing:0rem;line-height:1.375rem;}}/*!sc*/ .NZnYD:hover{color:#564ED1;cursor:pointer;-webkit-text-decoration:underline solid #564ED1;text-decoration:underline solid #564ED1;}/*!sc*/ .NZnYD:active{color:#493FA3;}/*!sc*/ .NZnYD:focus-visible{outline:0.25rem solid #635DFFCC;border-radius:0.25rem;color:#635DFF;}/*!sc*/ 
.ievNWD{display:-webkit-inline-box;display:-webkit-inline-flex;display:-ms-inline-flexbox;display:inline-flex;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;z-index:1;font-size:0.75rem;}/*!sc*/ @media screen and (min-width:1200px){.ievNWD{font-size:0.875rem;}}/*!sc*/ .ievNWD:hover .styled__MenuListWrapper-sc-1gk46x3-14{visibility:visible;opacity:1;}/*!sc*/ .ievNWD:focus-visible .styled__MenuListWrapper-sc-1gk46x3-14{visibility:visible;opacity:1;}/*!sc*/ .ievNWD:focus-within .styled__MenuListWrapper-sc-1gk46x3-14{visibility:visible;opacity:1;}/*!sc*/ data-styled.g85[id="styled__CurrentLang-sc-1gk46x3-17"]{content:"ievNWD,"}/*!sc*/ .kmfCow{margin-left:0.5rem;font-weight:500;}/*!sc*/ data-styled.g86[id="styled__CurrentLangText-sc-1gk46x3-18"]{content:"kmfCow,"}/*!sc*/ .jQEcjQ > div{background:inherit;}/*!sc*/ .jQEcjQ footer{max-width:1440px;border-top:1px solid #e3e5e7;margin:140px auto 0;}/*!sc*/ .jQEcjQ footer section > p{font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial, sans-serif !important;}/*!sc*/ .jQEcjQ footer nav a,.jQEcjQ footer > section > p{font-family:Inter Var,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial, sans-serif !important;}/*!sc*/ data-styled.g87[id="sc-bdfBQB"]{content:"jQEcjQ,"}/*!sc*/ </style></style><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/prism/1.25.0/themes/prism-okaidia.css"/><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/prism/1.25.0/plugins/line-numbers/prism-line-numbers.css"/><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/prism/1.25.0/plugins/line-highlight/prism-line-highlight.css"/></head><body><script id="cookie-consent-script" charSet="UTF-8" type="text/javascript" data-domain-script="96e22fd8-d619-4cdd-a3c6-d51529d21faf-test" src="https://cdn.cookielaw.org/scripttemplates/otSDKStub.js"></script><script>function OptanonWrapper() { const 
status = document.getElementById("onetrust-accept-btn-handler") ? 'WAITING_FOR_CONSENT' : 'CONSENT_EXPRESSED'; window.postMessage(status, '*'); }</script><a href="#maincontent" style="left:calc(50% - 75px);padding:4px 8px;position:absolute;transform:translateY(-100%)" class="skiplink">Skip to main content</a><div class="docs-single"><div id="app"><div style="padding-top:0" class="docs-application"><header class="MuiPaper-root MuiPaper-elevation MuiPaper-elevation4 MuiAppBar-root MuiAppBar-colorDefault MuiAppBar-positionFixed mui-fixed css-light-12z6ra4" data-search-index="false"><div class="css-light-99yi95"><div class="css-light-1tsb9g0"><div class="MuiBox-root css-light-3cyd2n"><a href="/docs"><svg height="30" viewBox="0 0 324 64" xmlns="http://www.w3.org/2000/svg" class="css-light-1451177"><path d="M67.0272 28.168L75.2983 6.45352H78.4861L86.7251 28.168H83.8471L81.5564 22.3062H72.1106L69.8199 28.168H67.0272ZM80.7448 19.8566L76.8094 9.4005L72.9062 19.8566H80.7448Z"></path><path d="M98.6866 12.3475H101.228V28.168H99.0283L98.6866 26.0608C97.7575 27.2374 96.241 28.3552 93.6406 28.3552C90.1698 28.3552 87.4146 26.4031 87.4146 21.1563V12.3475H89.9562V21.0012C89.9562 24.2904 91.4407 26.0287 94.0731 26.0287C96.9512 26.0287 98.6866 23.8251 98.6866 20.2577V12.3475Z"></path><path d="M102.44 14.6719V12.3453H105.292V7.91148H107.833V12.3453H111.923V14.6719H107.833V24.0102C107.833 25.3419 108.298 25.8393 109.659 25.8393H112.169V28.1659H109.414C106.381 28.1659 105.297 26.8341 105.297 24.0423V14.6719H102.44Z"></path><path d="M127.707 19.3539V28.1627H125.166V19.509C125.166 16.2197 123.585 14.4815 120.862 14.4815C117.92 14.4815 116.094 16.685 116.094 20.2524V28.1627H113.552V6.45352H116.094V14.9521C117.023 13.4653 118.635 12.1603 121.294 12.1603C124.824 12.1603 127.702 14.1124 127.702 19.3592L127.707 19.3539Z"></path><path d="M129.475 16.8121C129.475 10.64 132.817 6.26501 137.714 6.26501C142.61 6.26501 145.921 10.64 145.921 16.8121V17.8069C145.921 24.2891 142.578 28.3539 137.714 
28.3539C132.849 28.3539 129.475 24.2891 129.475 17.8069V16.8121ZM143.288 16.903C143.288 11.7525 141.056 8.6504 137.714 8.6504C134.371 8.6504 132.107 11.7525 132.107 16.903V17.7106C132.107 22.8611 134.339 25.9632 137.714 25.9632C141.088 25.9632 143.288 22.8611 143.288 17.7106V16.903Z"></path><path d="M83.9645 49.8342C83.9645 54.6745 80.7447 57.9317 76.3768 57.9317C73.7124 57.9317 71.9182 56.8459 70.9571 55.327L70.6154 57.7445H68.4154V36.0299H70.9571V44.4697C72.009 43.0096 73.7124 41.742 76.3768 41.742C80.7447 41.742 83.9645 44.689 83.9645 49.8395V49.8342ZM81.3641 49.8342C81.3641 46.3898 79.2602 44.0044 76.1312 44.0044C73.0022 44.0044 70.9304 46.3952 70.9304 49.7753C70.9304 53.1555 73.0342 55.6693 76.1312 55.6693C79.2282 55.6693 81.3641 53.2786 81.3641 49.8395V49.8342Z"></path><path d="M83.8683 41.9228H86.5648L91.4292 54.5504L96.1388 41.9228H98.8353L91.5574 60.4122C90.5642 62.9581 89.9768 63.9475 87.7502 63.9475H84.7173V61.621H86.976C88.4337 61.621 88.6793 61.2466 89.2667 59.7597L90.0409 57.8343L83.879 41.9228H83.8683Z"></path><path d="M117.812 57.9238C111.709 57.9238 107.469 53.2707 107.469 46.8794C107.469 40.488 111.714 35.8349 117.812 35.8349C123.91 35.8349 128.155 40.488 128.155 46.8794C128.155 53.2707 123.91 57.9238 117.812 57.9238ZM117.812 55.4422C122.335 55.4422 125.4 51.8748 125.4 46.8794C125.4 41.8839 122.335 38.3166 117.812 38.3166C113.289 38.3166 110.224 41.8839 110.224 46.8794C110.224 51.8748 113.289 55.4422 117.812 55.4422Z"></path><path d="M130.11 36.0299H132.651V50.3316L140.581 41.9239H143.71L137.548 48.4703L144.142 57.7445H141.077L135.845 50.2995L132.657 53.5888V57.7445H130.115V36.0299H130.11Z"></path><path d="M144.35 44.2494V41.9228H147.201V37.489H149.743V41.9228H153.833V44.2494H149.743V53.5877C149.743 54.9194 150.207 55.4168 151.569 55.4168H154.079V57.7434H151.323C148.291 57.7434 147.207 56.4116 147.207 53.6198V44.2494H144.35Z"></path><path d="M170.382 55.4167V57.7432H168.988C166.884 57.7432 166.169 56.8447 166.137 55.2937C165.144 56.7217 163.569 
57.9304 160.84 57.9304C157.369 57.9304 155.02 56.1922 155.02 53.3094C155.02 50.1432 157.22 48.3782 161.369 48.3782H166.014V47.2925C166.014 45.244 164.556 44.0032 162.079 44.0032C159.847 44.0032 158.362 45.0568 158.053 46.672H155.511C155.885 43.57 158.389 41.7408 162.202 41.7408C166.228 41.7408 168.55 43.7572 168.55 47.4476V54.363C168.55 55.2027 168.86 55.4167 169.57 55.4167H170.382ZM161.123 50.5175C158.864 50.5175 157.593 51.3572 157.593 53.1543C157.593 54.7053 158.923 55.759 161.032 55.759C164.193 55.759 166.019 53.9298 166.019 51.2931V50.5175H161.123Z"></path><path d="M3.37137 27.7827C13.8455 26.0542 22.0567 17.383 23.7767 6.89172L24.3538 1.84927C24.4967 1.04797 23.9538 -0.0681241 22.9424 0.0120057C15.0283 0.63015 7.55986 3.24582 3.40565 4.94571C1.34283 5.7928 0 7.79605 0 10.0282V26.4777C0 27.4507 0.874269 28.1948 1.83425 28.0403L3.37137 27.7884V27.7827Z"></path><path d="M28.8289 6.89209C30.5545 17.3834 38.7658 26.0546 49.2342 27.7831L50.7713 28.0349C51.7313 28.1952 52.6056 27.4511 52.6056 26.4724V10.0229C52.6056 7.79068 51.2627 5.78744 49.1999 4.94035C45.04 3.23473 37.5773 0.624791 29.6631 0.00664632C28.646 -0.0734835 28.126 1.05406 28.246 1.84391L28.8231 6.88636L28.8289 6.89209Z"></path><path d="M49.2262 32.3908C34.9122 35.2182 28.2666 44.7479 28.2666 62.7886C28.2666 63.6929 29.1637 64.3225 29.918 63.8188C36.5007 59.3716 50.9862 47.7643 52.4776 33.2436C52.5347 31.4178 50.2548 32.2763 49.2262 32.3908Z"></path><path d="M3.37664 32.3908C17.6907 35.2182 24.3363 44.7479 24.3363 62.7886C24.3363 63.6929 23.4391 64.3225 22.6849 63.8188C16.1021 59.3716 1.61668 47.7643 0.125275 33.2436C0.0681328 31.4178 2.34809 32.2763 3.37664 32.3908Z"></path><path fill-rule="evenodd" clip-rule="evenodd" d="M195.049 64V4.90798e-08L196.17 0V64H195.049Z"></path><path d="M233.834 48.2579H224.228V15.2937H233.834C244.289 15.2937 250.411 21.7452 250.411 31.7758C250.411 41.7593 244.289 48.2579 233.834 48.2579ZM226.771 17.6483V45.9033H233.834C242.829 45.9033 247.821 40.3936 247.821 
31.7758C247.821 23.1109 242.829 17.6483 233.834 17.6483H226.771Z"></path><path d="M265.093 48.5405C258.359 48.5405 253.65 43.5487 253.65 36.2966C253.65 29.0916 258.359 24.0998 265.093 24.0998C271.827 24.0998 276.583 29.0916 276.583 36.2966C276.583 43.5487 271.827 48.5405 265.093 48.5405ZM265.093 46.3743C270.414 46.3743 274.088 42.2302 274.088 36.2966C274.088 30.4101 270.414 26.219 265.093 26.219C259.772 26.219 256.099 30.4101 256.099 36.2966C256.099 42.2302 259.772 46.3743 265.093 46.3743Z"></path><path d="M290.821 48.5405C284.087 48.5405 279.519 43.69 279.519 36.3437C279.519 29.0916 284.134 24.0998 290.868 24.0998C296.284 24.0998 300.004 27.1137 300.993 32.0583H298.497C297.649 28.4794 294.824 26.219 290.821 26.219C285.547 26.219 281.968 30.4101 281.968 36.3437C281.968 42.2773 285.594 46.3743 290.821 46.3743C294.777 46.3743 297.649 44.1138 298.45 40.582H300.993C300.051 45.4324 296.236 48.5405 290.821 48.5405Z"></path><path d="M303.636 40.9116H306.085C306.273 44.3493 309.24 46.4684 313.808 46.4684C317.717 46.4684 320.683 44.6789 320.683 41.8534C320.683 38.3216 317.434 37.8035 313.431 37.2384C308.534 36.5792 304.107 35.6844 304.107 30.8811C304.107 26.7841 307.921 24.0527 313.243 24.0998C318.423 24.0998 322.237 26.4544 322.661 31.1165H320.212C319.789 28.0085 317.057 26.1719 313.243 26.1719C309.193 26.1719 306.509 27.9614 306.509 30.6927C306.509 34.0362 309.805 34.46 313.525 34.978C318.658 35.6844 323.085 36.6733 323.085 41.7122C323.085 45.9504 318.941 48.5405 313.808 48.5405C307.827 48.5405 303.825 45.8562 303.636 40.9116Z"></path></svg></a></div></div><div class="css-light-zrm49i"><form id="search" role="search" autoComplete="off" style="width:100%"><div class="MuiAutocomplete-root MuiAutocomplete-hasPopupIcon css-light-1nsqnny"><div placement="header" class="css-light-1lntznf"><div placement="header" class="MuiOutlinedInput-root MuiInputBase-root MuiInputBase-colorPrimary MuiInputBase-sizeSmall MuiInputBase-adornedStart css-light-s3wuk0"><svg 
xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" style="margin:0px 8px" class="css-light-0"><circle cx="11" cy="11" r="8"></circle><line x1="21" y1="21" x2="16.65" y2="16.65"></line></svg><input type="text" autoComplete="off" id="search-box" placeholder="Search the docs" value="" class="MuiOutlinedInput-input MuiInputBase-input MuiInputBase-inputSizeSmall MuiInputBase-inputAdornedStart MuiAutocomplete-input MuiAutocomplete-inputFocused css-light-1b17vdj" aria-autocomplete="list" aria-expanded="false" autoCapitalize="none" spellcheck="false" role="combobox"/><fieldset aria-hidden="true" class="MuiOutlinedInput-notchedOutline css-light-3p6qou"><legend class="css-light-hdw1oc"><span class="notranslate"></span></legend></fieldset></div></div></div></form><div class="css-light-1ijv1n9"><a class="MuiTypography-root MuiTypography-inherit QuantumLink-root css-light-lj7bu0" href="/docs/articles">Articles</a><a class="MuiTypography-root MuiTypography-inherit QuantumLink-root css-light-1rdp59y" href="/docs/quickstarts">Quickstarts</a><a class="MuiTypography-root MuiTypography-inherit QuantumLink-root css-light-1rdp59y" href="/docs/api">Auth0 APIs</a><a class="MuiTypography-root MuiTypography-inherit QuantumLink-root css-light-1rdp59y" href="/docs/libraries">SDKs</a></div></div><div class="css-light-1tsb9g0"><div class="css-light-tjz9nw"><a class="MuiButton-root MuiButton-outlined MuiButton-outlinedDefault MuiButton-sizeSmall MuiButton-outlinedSizeSmall MuiButton-disableElevation MuiButtonBase-root css-light-1fgj6q9" tabindex="0" href="https://auth0.com/get-started?place=header&type=button&text=talk%20to%20sales" target="_blank">Contact sales<!-- --> </a><a class="MuiButton-root MuiButton-link MuiButton-linkInherit MuiButton-sizeSmall MuiButton-linkSizeSmall MuiButton-colorInherit MuiButton-disableElevation MuiButtonBase-root css-light-tohr37" 
tabindex="0" role="button" id="login-btn">Log in<!-- --> </a><button class="MuiButton-root MuiButton-contained MuiButton-containedPrimary MuiButton-sizeSmall MuiButton-containedSizeSmall MuiButton-disableElevation MuiButtonBase-root css-light-1h20m4j" tabindex="0" type="button">Sign up<!-- --> </button></div></div><div class="css-light-1tsb9g0"><div class="css-light-8og4x3"><hr class="MuiDivider-root MuiDivider-middle MuiDivider-vertical MuiDivider-flexItem css-light-1c8nkz9"/><button class="MuiButtonBase-root MuiIconButton-root MuiIconButton-sizeMedium css-light-1osspdq" tabindex="0" type="button" variant="link" id="color-scheme-menu-trigger" aria-controls="color-scheme-menu-menu" aria-haspopup="menu" aria-expanded="false"><svg xmlns="http://www.w3.org/2000/svg" width="1em" height="1em" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="css-light-0"><circle cx="12" cy="12" r="5"></circle><line x1="12" y1="1" x2="12" y2="3"></line><line x1="12" y1="21" x2="12" y2="23"></line><line x1="4.22" y1="4.22" x2="5.64" y2="5.64"></line><line x1="18.36" y1="18.36" x2="19.78" y2="19.78"></line><line x1="1" y1="12" x2="3" y2="12"></line><line x1="21" y1="12" x2="23" y2="12"></line><line x1="4.22" y1="19.78" x2="5.64" y2="18.36"></line><line x1="18.36" y1="5.64" x2="19.78" y2="4.22"></line></svg></button></div></div><button class="MuiButtonBase-root MuiIconButton-root MuiIconButton-sizeMedium css-light-yl2thz" tabindex="0" type="button" variant="link"><svg xmlns="http://www.w3.org/2000/svg" width="1em" height="1em" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="css-light-0"><line x1="3" y1="12" x2="21" y2="12"></line><line x1="3" y1="6" x2="21" y2="6"></line><line x1="3" y1="18" x2="21" y2="18"></line></svg></button></div></header><div class="MuiDrawer-root MuiDrawer-docked css-light-1a66avx" data-search-index="false"><div 
class="MuiPaper-root MuiPaper-elevation MuiPaper-elevation2 MuiDrawer-paper MuiDrawer-paperAnchorTop MuiDrawer-paperAnchorDockedTop css-light-1etdfq6" style="visibility:hidden"><div class="MuiBox-root css-light-absfm6"><form id="search" role="search" autoComplete="off" style="width:100%"><div class="MuiAutocomplete-root MuiAutocomplete-hasPopupIcon css-light-1nsqnny"><div placement="drawer" class="css-light-1lntznf"><div placement="drawer" class="MuiOutlinedInput-root MuiInputBase-root MuiInputBase-colorPrimary MuiInputBase-adornedStart css-light-105k4h6"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" style="margin:0px 8px" class="css-light-0"><circle cx="11" cy="11" r="8"></circle><line x1="21" y1="21" x2="16.65" y2="16.65"></line></svg><input type="text" autoComplete="off" id="search-box" placeholder="Search the docs" value="" class="MuiOutlinedInput-input MuiInputBase-input MuiInputBase-inputAdornedStart MuiAutocomplete-input MuiAutocomplete-inputFocused css-light-1mamkk4" aria-autocomplete="list" aria-expanded="false" autoCapitalize="none" spellcheck="false" role="combobox"/><fieldset aria-hidden="true" class="MuiOutlinedInput-notchedOutline css-light-3p6qou"><legend class="css-light-hdw1oc"><span class="notranslate"></span></legend></fieldset></div></div></div></form><div class="css-light-ezihch"><a class="MuiTypography-root MuiTypography-subtitle1 QuantumLink-root css-light-gjlwnj" href="/docs/articles">Articles</a><a class="MuiTypography-root MuiTypography-subtitle1 QuantumLink-root css-light-1c09ki7" href="/docs/quickstarts">Quickstarts</a><a class="MuiTypography-root MuiTypography-subtitle1 QuantumLink-root css-light-1c09ki7" href="/docs/api">Auth0 APIs</a><a class="MuiTypography-root MuiTypography-subtitle1 QuantumLink-root css-light-1c09ki7" href="/docs/libraries">SDKs</a></div><div class="css-light-po40j3"><a 
class="MuiButton-root MuiButton-outlined MuiButton-outlinedDefault MuiButton-sizeLarge MuiButton-outlinedSizeLarge MuiButton-disableElevation MuiButton-fullWidth MuiButtonBase-root css-light-1wlfc9m" tabindex="0" href="https://auth0.com/get-started?place=header&type=button&text=talk%20to%20sales" target="_blank">Contact sales<!-- --> <span class="MuiButton-endIcon MuiButton-iconSizeLarge css-light-1y9rv62"><svg xmlns="http://www.w3.org/2000/svg" width="1em" height="1em" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="css-light-0"><line x1="5" y1="12" x2="19" y2="12"></line><polyline points="12 5 19 12 12 19"></polyline></svg></span></a><a class="MuiButton-root MuiButton-outlined MuiButton-outlinedInherit MuiButton-sizeLarge MuiButton-outlinedSizeLarge MuiButton-colorInherit MuiButton-disableElevation MuiButton-fullWidth MuiButtonBase-root css-light-1d1pobz" tabindex="0" role="button" id="login-btn">Log in<!-- --> </a><button class="MuiButton-root MuiButton-contained MuiButton-containedPrimary MuiButton-sizeLarge MuiButton-containedSizeLarge MuiButton-disableElevation MuiButton-fullWidth MuiButtonBase-root css-light-1f4mg9y" tabindex="0" type="button">Sign up<!-- --> </button></div></div></div></div><div class=" docs-article doc-with-sidebar "><div><div class="document"><div id="template-container" class="css-light-1fnpbqv"><div class="css-light-7wfy9u"><div class="css-light-1ibmmut"><div data-search-index="false" class="css-light-13g1c2"><div class="css-light-vwtx2w"><div class="css-light-1nz6ure"><nav class="MuiTypography-root MuiTypography-body2 MuiBreadcrumbs-root css-light-1uvmhse" aria-label="Main Menu"><ol class="MuiBreadcrumbs-ol css-light-nhb8h9"><li class="MuiBreadcrumbs-li"><a class="MuiTypography-root MuiTypography-subtitle2 QuantumLink-root QuantumBreadcrumbsItem-root css-light-xdqqc7"><span class="QuantumBreadcrumbsItem-icon QuantumBreadcrumbsItem-startIcon 
css-light-12z0wuy"><svg xmlns="http://www.w3.org/2000/svg" width="1em" height="1em" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="css-light-0"><line x1="19" y1="12" x2="5" y2="12"></line><polyline points="12 19 5 12 12 5"></polyline></svg></span><span class="QuantumBreadcrumbsItem-label">Main Menu</span></a></li></ol></nav><a class="MuiTypography-root MuiTypography-inherit QuantumLink-root css-light-ewr4mf" href="/docs/secure"><div class="MuiBox-root css-light-axw7ok"><svg width="1em" height="1em" viewBox="0 0 48 48" fill="none" xmlns="http://www.w3.org/2000/svg" font-size="18" class="css-light-0"><path fill-rule="evenodd" clip-rule="evenodd" d="M39.276 8.853l-13.991-4.66A3.719 3.719 0 0024.076 4a3.743 3.743 0 00-1.21.193l-13.99 4.66A4.206 4.206 0 006 12.843V27.61l.019.055C6.294 31.627 16.587 41.357 24.003 44h.146c7.417-2.643 17.712-12.373 17.985-16.335l.017-.055V12.844a4.204 4.204 0 00-2.875-3.99z" fill="var(--identicons-color-light, #CFD6F8)"></path><path fill-rule="evenodd" clip-rule="evenodd" d="M33.561 20.423L22.107 31.877l-3.025-3.025 11.454-11.454a2.137 2.137 0 013.025 0c.836.836.836 2.19 0 3.025z" fill="var(--identicons-color-dark, #3F59E4)"></path><path fill-rule="evenodd" clip-rule="evenodd" d="M15.414 25.167l6.702 6.703 2.962-2.962-6.703-6.702a2.094 2.094 0 00-2.961 2.961z" fill="var(--identicons-color-dark, #3F59E4)"></path></svg><h6 class="MuiTypography-root MuiTypography-h6 css-light-tq75vo">Secure</h6></div></a></div><ul class="css-light-1iymi0i"><p class="MuiTypography-root MuiTypography-body2 css-light-1ut66dz">Protect Your Application</p><li class="QuantumSidebarLink-root css-light-7t4v2s"><span><a href="/docs/secure/application-credentials" title="Application Credentials" class="QuantumSidebarLink-link css-light-lti6cy" description="This section contains information about credentials for your application to authenticate." 
type="navigationItem" depth="0"><span class="QuantumSidebarLink-icon QuantumSidebarLink-startIcon css-light-3djh8h"></span><span class="QuantumSidebarLink-title css-light-hdbujw">Application Credentials</span><span class="QuantumSidebarLink-icon QuantumSidebarLink-endIcon css-light-1njuh7n"><svg xmlns="http://www.w3.org/2000/svg" width="1em" height="1em" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="css-light-0"><polyline points="9 18 15 12 9 6"></polyline></svg></span></a></span></li><li class="QuantumSidebarLink-root css-light-7t4v2s"><span><a href="/docs/secure/attack-protection" title="Attack Protection" class="QuantumSidebarLink-link css-light-lti6cy" description="Detect attacks and stop malicious attempts to access your applications." type="navigationItem" depth="0"><span class="QuantumSidebarLink-icon QuantumSidebarLink-startIcon css-light-3djh8h"></span><span class="QuantumSidebarLink-title css-light-hdbujw">Attack Protection</span><span class="QuantumSidebarLink-icon QuantumSidebarLink-endIcon css-light-1njuh7n"><svg xmlns="http://www.w3.org/2000/svg" width="1em" height="1em" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="css-light-0"><polyline points="9 18 15 12 9 6"></polyline></svg></span></a></span></li><li class="QuantumSidebarLink-root css-light-7t4v2s"><span><a href="/docs/secure/continuous-session-protection" title="Continuous Session Protection" class="QuantumSidebarLink-link css-light-lti6cy" description="Enhance security and tailor the user experience through customizable session and refresh token management. 
" type="navigationItem" depth="0"><span class="QuantumSidebarLink-icon QuantumSidebarLink-startIcon css-light-3djh8h"></span><span class="QuantumSidebarLink-title css-light-hdbujw">Continuous Session Protection</span></a></span></li><li class="QuantumSidebarLink-root css-light-7t4v2s"><span><a href="/docs/secure/highly-regulated-identity" title="Highly Regulated Identity" class="QuantumSidebarLink-link css-light-1xlk6nz" description="Highly Regulated Identity is Auth0's Financial-Grade Identity " type="navigationItem" depth="0"><span class="QuantumSidebarLink-icon QuantumSidebarLink-startIcon css-light-3djh8h"></span><span class="QuantumSidebarLink-title css-light-hdbujw">Highly Regulated Identity</span><span class="QuantumSidebarLink-icon QuantumSidebarLink-endIcon css-light-1njuh7n"><svg xmlns="http://www.w3.org/2000/svg" width="1em" height="1em" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="css-light-0"><polyline points="6 9 12 15 18 9"></polyline></svg></span></a></span></li><li class="QuantumSidebarLink-root css-light-7t4v2s"><span><a href="/docs/secure/highly-regulated-identity/transactional-authorization-with-contextual-sca" title="Transactional Authorization with Contextual Strong Customer Authentication" class="QuantumSidebarLink-link css-light-127ud2i" type="article" depth="1"><span class="QuantumSidebarLink-icon QuantumSidebarLink-startIcon css-light-3djh8h"></span><span class="QuantumSidebarLink-title css-light-hdbujw">Transactional Authorization with Contextual Strong Customer Authentication</span></a></span></li><li class="QuantumSidebarLink-root css-light-7t4v2s"><span><a href="/docs/secure/highly-regulated-identity/customer-managed-keys" title="Customer Managed Keys" class="QuantumSidebarLink-link css-light-127ud2i" description="Learn about how to manage your Auth0 keys" type="navigationItem" depth="1"><span class="QuantumSidebarLink-icon QuantumSidebarLink-startIcon 
css-light-3djh8h"></span><span class="QuantumSidebarLink-title css-light-hdbujw">Customer Managed Keys</span><span class="QuantumSidebarLink-icon QuantumSidebarLink-endIcon css-light-1njuh7n"><svg xmlns="http://www.w3.org/2000/svg" width="1em" height="1em" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="css-light-0"><polyline points="9 18 15 12 9 6"></polyline></svg></span></a></span></li><li class="QuantumSidebarLink-root css-light-7t4v2s"><span><a href="/docs/secure/multi-factor-authentication" title="Multi-Factor Authentication" class="QuantumSidebarLink-link css-light-lti6cy" description="Add additional checks to ensure passwords match up with the identity of the user or device accessing your applications." type="navigationItem" depth="0"><span class="QuantumSidebarLink-icon QuantumSidebarLink-startIcon css-light-3djh8h"></span><span class="QuantumSidebarLink-title css-light-hdbujw">Multi-Factor Authentication</span><span class="QuantumSidebarLink-icon QuantumSidebarLink-endIcon css-light-1njuh7n"><svg xmlns="http://www.w3.org/2000/svg" width="1em" height="1em" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="css-light-0"><polyline points="9 18 15 12 9 6"></polyline></svg></span></a></span></li><li class="QuantumSidebarLink-root css-light-7t4v2s"><span><a href="/docs/secure/security-center" title="Security Center" class="QuantumSidebarLink-link css-light-lti6cy" description="Observe potential attack trends and quickly respond to them in real-time." 
type="navigationItem" depth="0"><span class="QuantumSidebarLink-icon QuantumSidebarLink-startIcon css-light-3djh8h"></span><span class="QuantumSidebarLink-title css-light-hdbujw">Security Center</span><span class="QuantumSidebarLink-icon QuantumSidebarLink-endIcon css-light-1njuh7n"><svg xmlns="http://www.w3.org/2000/svg" width="1em" height="1em" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="css-light-0"><polyline points="9 18 15 12 9 6"></polyline></svg></span></a></span></li><li class="QuantumSidebarLink-root css-light-7t4v2s"><span><a href="/docs/secure/security-guidance" title="Security Guidance" class="QuantumSidebarLink-link css-light-lti6cy" description="View security bulletins and learn basic tips to secure data and accounts." type="navigationItem" depth="0"><span class="QuantumSidebarLink-icon QuantumSidebarLink-startIcon css-light-3djh8h"></span><span class="QuantumSidebarLink-title css-light-hdbujw">Security Guidance</span><span class="QuantumSidebarLink-icon QuantumSidebarLink-endIcon css-light-1njuh7n"><svg xmlns="http://www.w3.org/2000/svg" width="1em" height="1em" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="css-light-0"><polyline points="9 18 15 12 9 6"></polyline></svg></span></a></span></li><li class="QuantumSidebarLink-root css-light-7t4v2s"><span><a href="/docs/secure/tokens" title="Tokens" class="QuantumSidebarLink-link css-light-lti6cy" description="Explore the types of tokens related to identity and authentication and how they are used by Auth0." 
type="navigationItem" depth="0"><span class="QuantumSidebarLink-icon QuantumSidebarLink-startIcon css-light-3djh8h"></span><span class="QuantumSidebarLink-title css-light-hdbujw">Tokens</span><span class="QuantumSidebarLink-icon QuantumSidebarLink-endIcon css-light-1njuh7n"><svg xmlns="http://www.w3.org/2000/svg" width="1em" height="1em" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="css-light-0"><polyline points="9 18 15 12 9 6"></polyline></svg></span></a></span></li><p class="MuiTypography-root MuiTypography-body2 css-light-1ut66dz">Compliance</p><li class="QuantumSidebarLink-root css-light-7t4v2s"><span><a href="/docs/secure/data-privacy-and-compliance" title="Data Privacy and Compliance" class="QuantumSidebarLink-link css-light-lti6cy" description="Read about Auth0’s compliance qualifications and data processing." type="navigationItem" depth="0"><span class="QuantumSidebarLink-icon QuantumSidebarLink-startIcon css-light-3djh8h"></span><span class="QuantumSidebarLink-title css-light-hdbujw">Data Privacy and Compliance</span><span class="QuantumSidebarLink-icon QuantumSidebarLink-endIcon css-light-1njuh7n"><svg xmlns="http://www.w3.org/2000/svg" width="1em" height="1em" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="css-light-0"><polyline points="9 18 15 12 9 6"></polyline></svg></span></a></span></li></ul></div></div><div class="MuiBox-root css-light-w8rns"><div type="article" class="css-light-1v28jvd"><div class="css-light-e4wg0l"><nav class="MuiTypography-root MuiTypography-body2 MuiBreadcrumbs-root css-light-1uvmhse" itemscope="" itemType="http://schema.org/BreadcrumbList"><ol class="MuiBreadcrumbs-ol css-light-nhb8h9"><li class="MuiBreadcrumbs-li"><span itemProp="itemListElement" itemscope="" itemType="http://schema.org/ListItem"><a class="MuiTypography-root MuiTypography-inherit QuantumLink-root 
css-light-ewr4mf" itemProp="item" href="/docs"><button class="MuiTypography-root MuiTypography-subtitle2 QuantumLink-root QuantumBreadcrumbsItem-root css-light-1ume9uy" itemProp="name"><span class="QuantumBreadcrumbsItem-label">Docs</span></button></a><meta itemProp="position" content="1"/></span></li><li aria-hidden="true" class="MuiBreadcrumbs-separator css-light-1ahyw7i"><svg xmlns="http://www.w3.org/2000/svg" width="1em" height="1em" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="css-light-0"><polyline points="9 18 15 12 9 6"></polyline></svg></li><li class="MuiBreadcrumbs-li"><span itemProp="itemListElement" itemscope="" itemType="http://schema.org/ListItem"><a class="MuiTypography-root MuiTypography-inherit QuantumLink-root css-light-ewr4mf" itemProp="item" href="/docs/secure"><button class="MuiTypography-root MuiTypography-subtitle2 QuantumLink-root QuantumBreadcrumbsItem-root css-light-1ume9uy" itemProp="name"><span class="QuantumBreadcrumbsItem-label">Secure</span></button></a><meta itemProp="position" content="2"/></span></li><li aria-hidden="true" class="MuiBreadcrumbs-separator css-light-1ahyw7i"><svg xmlns="http://www.w3.org/2000/svg" width="1em" height="1em" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="css-light-0"><polyline points="9 18 15 12 9 6"></polyline></svg></li><li class="MuiBreadcrumbs-li"><span itemProp="itemListElement" itemscope="" itemType="http://schema.org/ListItem"><a class="MuiTypography-root MuiTypography-inherit QuantumLink-root css-light-ewr4mf" itemProp="item" href="/docs/secure/highly-regulated-identity"><button class="MuiTypography-root MuiTypography-subtitle2 QuantumLink-root QuantumBreadcrumbsItem-root css-light-1ume9uy" itemProp="name"><span class="QuantumBreadcrumbsItem-label">Highly Regulated Identity</span></button></a><meta itemProp="position" 
content="3"/></span></li></ol></nav><article id="maincontent" role="main" class=""><div class="MuiBox-root css-light-10ib5jr"><h1 class="MuiTypography-root MuiTypography-h1 css-light-lvunq8">Highly Regulated Identity</h1></div><div class="css-light-1kmlmk0"><div><div class="css-light-151tvvp"><style data-emotion="css-light "></style><p></p><div id="react-containers-AlertContainer-0"><style data-emotion="css a14jl7-QuantumAlert-root" data-react-universal-portal="">.css-a14jl7-QuantumAlert-root{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-align-items:flex-start;-webkit-box-align:flex-start;-ms-flex-align:flex-start;align-items:flex-start;border-radius:4px;padding:10px 16px;box-shadow:none;border-left:0.5rem solid #686868;background-color:#F1F1F1;color:#3E3E3E;}.css-a14jl7-QuantumAlert-root a,.css-a14jl7-QuantumAlert-root a:hover{color:currentColor;-webkit-text-decoration:underline;text-decoration:underline;}.css-a14jl7-QuantumAlert-root .QuantumAlert-icon{color:#3E3E3E;}</style><div role="alert" class="QuantumAlert-root alert-portal-container alert-portal-severity-default css-a14jl7-QuantumAlert-root" data-react-universal-portal=""><style data-emotion="css coqgw6-QuantumAlert-icon">.css-coqgw6-QuantumAlert-icon{font-size:1.25rem;margin-right:12px;line-height:1;padding-top:0.3125rem;}.css-coqgw6-QuantumAlert-icon svg{height:1em;width:1em;}</style><div class="QuantumAlert-icon css-coqgw6-QuantumAlert-icon"><svg xmlns="http://www.w3.org/2000/svg" width="1em" height="1em" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="css-0"><path d="M14 2H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2V8z"></path><polyline points="14 2 14 8 20 8"></polyline><line x1="16" y1="13" x2="8" y2="13"></line><line x1="16" y1="17" x2="8" y2="17"></line><polyline points="10 9 9 9 8 9"></polyline></svg></div><style data-emotion="css 
1qf9vnp-QuantumAlert-content">.css-1qf9vnp-QuantumAlert-content{font-family:Inter Var,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:400;font-size:0.875rem;line-height:1.57143;letter-spacing:0em;-webkit-flex:1;-ms-flex:1;flex:1;padding-top:0.25rem;}</style><div class="QuantumAlert-content css-1qf9vnp-QuantumAlert-content"><style data-emotion="css cut6d9-QuantumAlert-message">.css-cut6d9-QuantumAlert-message{display:inline;}.css-cut6d9-QuantumAlert-message>ul{list-style:disc;margin-top:4px;padding-left:16px;}</style><div class="QuantumAlert-message css-cut6d9-QuantumAlert-message"><div class="alert-portal-content MuiBox-root css-0"><p>To use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to <a href="https://auth0.com/pricing/">Auth0 Pricing</a> for details.</p></div></div></div></div></div><p></p><p>Highly Regulated Identity (HRI) is Auth0’s Financial-Grade Identity™ solution to secure sensitive data operations and services important for your business. Initially targeting highly regulated industries like finance and healthcare, Highly Regulated Identity raises the security level to protect a wide range of customer use cases, including but not limited to money transfers, digital payments, and access to medical records. You can also use Highly Regulated Identity for other sensitive operations that require enhanced security, such as to approve changes in administrative credentials, secure privileged access to a web portal, and more. 
</p><p>To secure your sensitive business operations, Highly Regulated Identity provides:</p><ul><li><p><a href="#advanced-security-with-openid-connect-fapi-">Advanced security with OpenID Connect (FAPI)</a></p></li><li><p><a href="#strong-customer-authentication-sca-">Strong Customer Authentication (SCA)</a> and <a href="#dynamic-linking">Dynamic Linking</a></p></li><li><p><a href="#confidentiality-and-integrity-protection">Confidentiality and integrity protection</a></p></li><li><p><a href="#stronger-application-authentication">Strong application authentication</a></p></li><li><p><a href="#protect-access-tokens-with-token-binding">Protect access tokens with Token Binding</a></p></li><li><p><a href="#customizable-approval-flows-for-better-user-experience">Customizable approval flows for better user experience</a></p></li></ul><div id="portal-title-0"><div class="title-portal-container MuiBox-root css-0" data-react-universal-portal=""><h2 class="MuiTypography-root MuiTypography-h2 title-portal-text css-r3xy45-MuiTypography-root" id="advanced-security-with-openid-connect-fapi-">Advanced security with OpenID Connect (FAPI)</h2></div></div><p><a href="https://openid.net/wg/fapi/specifications/">OpenID FAPI</a> is a suite of security and privacy specifications developed by the <dfn id="react-containers-DefinitionTooltip-0"><span class="tooltip-portal-underlined-word" data-mui-internal-clone-element="true" data-react-universal-portal="">OpenID</span></dfn> Foundation. APIs that meet the FAPI standards are classified as “financial-grade,” which means that they provide robust authentication and authorization mechanisms that help secure access to financial and other sensitive data and services.</p><p>Auth0 is a certified FAPI provider. 
To learn more about the security improvements we introduced to meet FAPI standards, see the following sections:</p><ul><li><p><a href="#confidentiality-and-integrity-protection">Confidentiality and integrity protection</a></p></li><li><p><a href="#stronger-application-authentication">Strong application authentication</a></p></li><li><p><a href="#protect-access-tokens-with-token-binding">Protect access tokens with Token Binding</a></p></li></ul><p>For more information on FAPI, see OpenID's <a href="https://openid.net/wordpress-content/uploads/2022/03/OIDF-Whitepaper_Open-Banking-Open-Data-and-Financial-Grade-APIs_2022-03-16.pdf">Open Banking, Open Data, and Financial-grade APIs</a> whitepaper and the <a href="https://openid.net/wg/fapi/specifications/">FAPI Working Group specifications</a>.</p><img src="//images.ctfassets.net/cdy7uua7fh8z/20iajPMtmICMORUfaVQH7a/ec900e1007b3faebd66eb2508f46acb0/image17.png" alt=""><div id="portal-title-1"><div class="title-portal-container MuiBox-root css-0" data-react-universal-portal=""><h2 class="MuiTypography-root MuiTypography-h2 title-portal-text 
css-r3xy45-MuiTypography-root" id="strong-customer-authentication-sca-">Strong Customer Authentication (SCA)</h2></div></div><img src="//images.ctfassets.net/cdy7uua7fh8z/3JDIerJcevImoIDRd7OfIy/98597a9164b66cde9ec7ddc23f3e849b/image14.png" alt=""><p>Introduced by Europe’s <a href="https://www.europeanpaymentscouncil.eu/sites/default/files/infographic/2018-04/EPC_Infographic_PSD2_April%202018.pdf">Payment Services Directive (PSD2)</a>, Strong Customer Authentication (SCA) mandates the use of at least two distinct authentication factors out of the following three:</p><ul><li><p>Something the user knows (e.g., a password)</p></li><li><p>Something the user possesses (e.g., a device)</p></li><li><p>Something intrinsic to the user (e.g., a fingerprint)</p></li></ul><p>The authentication factors must be independent so that compromising one does not jeopardize the others. SCA is quickly becoming the worldwide standard for safeguarding sensitive data and services.</p><p>To help with SCA compliance, Auth0 offers various authentication factors that enroll and challenge users during a login transaction. Highly Regulated Identity leverages the following authentication factors to secure your transactions: </p><ul><li><p>Mobile push notifications</p></li><li><p>SMS</p></li><li><p>Email</p></li><li><p>WebAuthn</p></li></ul><p>Using <a href="/docs/customize/actions">Actions</a>, you can dynamically determine which authentication factors to use. This gives you the flexibility to customize your code logic. For example, you can add a second authentication factor for payments above 10 USD. 
To learn more, read <a href="/docs/secure/highly-regulated-identity/transactional-authorization-with-contextual-sca#apply-dynamic-policy">Apply dynamic policy</a>.</p><div id="portal-title-2"><div class="title-portal-container MuiBox-root css-0" data-react-universal-portal=""><svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="title-portal-icon css-0"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71"></path><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71"></path></svg><style data-emotion="css r3xy45-MuiTypography-root">.css-r3xy45-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:2rem;line-height:2.5rem;letter-spacing:-0.5px;}@media (max-width:599.95px){.css-r3xy45-MuiTypography-root{font-size:1.75rem;line-height:2.25rem;letter-spacing:-0.3px;}}@media (max-width:-0.05px){.css-r3xy45-MuiTypography-root{font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}}</style><h2 class="MuiTypography-root MuiTypography-h2 title-portal-text css-r3xy45-MuiTypography-root" id="dynamic-linking">Dynamic Linking</h2></div></div><p>PSD2 requires that payment service providers implement Dynamic Linking along with Strong Customer Authentication. Dynamic Linking presents the user with the transaction details for their explicit validation and approval, and uniquely links the resulting authorization to those details, so the approval applies only to the transaction the user was shown. 
This ensures a good user experience and helps with regulatory compliance.</p><p>To enable Dynamic Linking, you can use Rich Authorization Requests (RAR) to pass fine-grained transaction authorization data to the <dfn id="react-containers-DefinitionTooltip-1"><span class="tooltip-portal-underlined-word" data-mui-internal-clone-element="true" data-react-universal-portal="">OAuth</span></dfn> authorization endpoint. The following code sample shows an <code>authorization_details</code> JSON object, which contains information like the payment type, amount, currency, and recipient:</p><p></p><div id="portal-code-block-0"><div class="MuiBox-root css-1ler0" data-react-universal-portal=""><style data-emotion="css 1pn7oyt">.css-1pn7oyt .token 
.punctuation{color:#DCD1FC;}.css-1pn7oyt .token.attr-value,.css-1pn7oyt .token.tag,.css-1pn7oyt .token.script .punctuation,.css-1pn7oyt .token.atrule{color:#bcbcff;}.css-1pn7oyt .token.function{color:#FFFFFF;}.css-1pn7oyt .token.regex,.css-1pn7oyt .token.important{color:#DCD1FC;}.css-1pn7oyt .token.namespace{opacity:1;}.css-1pn7oyt .line-highlight{background:rgba(85, 85, 85, 0.2);border-bottom:0.5px solid rgba(255, 255, 255, 0.25);border-top:0.5px solid rgba(255, 255, 255, 0.25);}.css-1pn7oyt .line-numbers{font-family:Roboto Mono,Menlo,Monaco,Consolas,Courier New,monospace;font-size:0.875rem;line-height:1.25rem;letter-spacing:0.15px;font-weight:400;-webkit-font-smoothing:subpixel-antialiased;}.css-1pn7oyt .line-numbers .line-numbers-rows{border-right:none;color:#5a5f66;}.css-1pn7oyt :not(pre)>code[class*="language-"],.css-1pn7oyt pre[class*="language-"]{background:#1E1E1E;}.css-1pn7oyt pre[class*="language-"]{margin:0;}.css-1pn7oyt .token.package:before,.css-1pn7oyt .token.package:after{display:none;}.css-1pn7oyt .token.package{background:none;border:none;}</style><div class="css-1pn7oyt"><pre class="code-highlight-prism language-undefined line-numbers linkable-line-numbers"><code class="code-highlight-prism language-undefined" style="font-family:unset">"authorization_details": [
  {
    "type": "one_time_payment",
    "amount": {
      "amount": 2460.46,
      "currency": "USD"
    },
    "sourceAccount": "xxxxxxxxxxx4567",
    "recipient": "Acme Travel, Inc.",
    "concept": "All Inclusive Resort Package for Two"
  }
]</code></pre><style data-emotion="css re1tye">.css-re1tye{color:#BCBAFF;border:none;background-color:none;background:none;}</style><style data-emotion="css 73zw66-QuantumIconButton-root">.css-73zw66-QuantumIconButton-root{padding:0;border-radius:4px;-webkit-transition:background-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,box-shadow 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,border-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,color 250ms cubic-bezier(0.4, 0, 0.2, 1) 
0ms;}</style></div><div class="MuiBox-root css-lqmrhz"><div class="css-hejfqa-QuantumColumnLayout-root"><style data-emotion="css 1e3m5mn-MuiButtonBase-root-MuiButton-root-QuantumButton-root">.css-1e3m5mn-MuiButtonBase-root-MuiButton-root-QuantumButton-root:focus,.css-1e3m5mn-MuiButtonBase-root-MuiButton-root-QuantumButton-root.Mui-focusVisible{box-shadow:rgba(63, 89, 228, 0.25) 0px 0px 0px 
0.25em;}.css-1e3m5mn-MuiButtonBase-root-MuiButton-root-QuantumButton-root:hover,.css-1e3m5mn-MuiButtonBase-root-MuiButton-root-QuantumButton-root.Mui-hover{color:#3449BA;background-color:#EEF0FD;}.css-1e3m5mn-MuiButtonBase-root-MuiButton-root-QuantumButton-root:active,.css-1e3m5mn-MuiButtonBase-root-MuiButton-root-QuantumButton-root.Mui-active{color:#263588;background-color:#E4E7FB;}.css-1e3m5mn-MuiButtonBase-root-MuiButton-root-QuantumButton-root:focus{box-shadow:none;}</style><button class="MuiButton-root MuiButton-link MuiButton-linkPrimary MuiButton-sizeSmall MuiButton-linkSizeSmall MuiButton-disableElevation MuiButtonBase-root css-1e3m5mn-MuiButtonBase-root-MuiButton-root-QuantumButton-root" tabindex="0" type="button">Yes </button><span>/</span><button class="MuiButton-root MuiButton-link MuiButton-linkPrimary MuiButton-sizeSmall MuiButton-linkSizeSmall MuiButton-disableElevation MuiButtonBase-root css-1e3m5mn-MuiButtonBase-root-MuiButton-root-QuantumButton-root" tabindex="0" type="button">No </button></div></div></div></div> <p></p><p><code>authorization_details</code> is assigned a unique transaction reference, which Auth0 uses to prompt the user to perform step-up authentication: </p><ul><li><p>Use push notifications to show transaction details and get approval on a separate device such as a mobile phone application.</p></li><li><p>Use SMS, email, or WebAuthn to confirm the details on the device that originated the transaction after the user completes the second authentication factor.</p></li></ul><p></p><div id="react-containers-AlertContainer-1"><style data-emotion="css kpvd6o-QuantumAlert-root" data-react-universal-portal="">.css-kpvd6o-QuantumAlert-root{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-align-items:flex-start;-webkit-box-align:flex-start;-ms-flex-align:flex-start;align-items:flex-start;border-radius:4px;padding:10px 16px;box-shadow:none;border-left:0.5rem solid 
#F8D626;background-color:#FEF2B3;color:#473D0B;}.css-kpvd6o-QuantumAlert-root a,.css-kpvd6o-QuantumAlert-root a:hover{color:currentColor;-webkit-text-decoration:underline;text-decoration:underline;}.css-kpvd6o-QuantumAlert-root .QuantumAlert-icon{color:#473D0B;}</style><div role="alert" class="QuantumAlert-root alert-portal-container alert-portal-severity-warning css-kpvd6o-QuantumAlert-root" data-react-universal-portal=""><style data-emotion="css coqgw6-QuantumAlert-icon">.css-coqgw6-QuantumAlert-icon{font-size:1.25rem;margin-right:12px;line-height:1;padding-top:0.3125rem;}.css-coqgw6-QuantumAlert-icon svg{height:1em;width:1em;}</style><div class="QuantumAlert-icon css-coqgw6-QuantumAlert-icon"><svg xmlns="http://www.w3.org/2000/svg" width="1em" height="1em" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="css-0"><path d="M10.29 3.86L1.82 18a2 2 0 0 0 1.71 3h16.94a2 2 0 0 0 1.71-3L13.71 3.86a2 2 0 0 0-3.42 0z"></path><line x1="12" y1="9" x2="12" y2="13"></line><line x1="12" y1="17" x2="12.01" y2="17"></line></svg></div><style data-emotion="css 1qf9vnp-QuantumAlert-content">.css-1qf9vnp-QuantumAlert-content{font-family:Inter Var,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:400;font-size:0.875rem;line-height:1.57143;letter-spacing:0em;-webkit-flex:1;-ms-flex:1;flex:1;padding-top:0.25rem;}</style><div class="QuantumAlert-content css-1qf9vnp-QuantumAlert-content"><style data-emotion="css cut6d9-QuantumAlert-message">.css-cut6d9-QuantumAlert-message{display:inline;}.css-cut6d9-QuantumAlert-message>ul{list-style:disc;margin-top:4px;padding-left:16px;}</style><div class="QuantumAlert-message css-cut6d9-QuantumAlert-message"><div class="alert-portal-content MuiBox-root css-0"><p>Do not pass fine-grained transaction authorization data or other sensitive or regulated data outside of <code>authorization_details</code>. 
</p></div></div></div></div></div><p></p><p>If the user confirms the details, the transaction progresses and Auth0 issues an <dfn id="react-containers-DefinitionTooltip-2"><span class="tooltip-portal-underlined-word" data-mui-internal-clone-element="true" data-react-universal-portal="">access token</span><style data-emotion="css 1piulxx-MuiTooltip-popper" data-react-universal-portal="">.css-1piulxx-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*="bottom"] .MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*="bottom"] .MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*="top"] .MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*="top"] .MuiTooltip-arrow::before{transform-origin:100% 0;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*="right"] .MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*="right"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*="left"] .MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*="left"] .MuiTooltip-arrow::before{transform-origin:0 0;}</style><style data-emotion="css 1yddtj5-MuiPopper-root-MuiTooltip-popper" data-react-universal-portal="">.css-1yddtj5-MuiPopper-root-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*="bottom"] .MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*="bottom"] .MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*="top"] 
.MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*="top"] .MuiTooltip-arrow::before{transform-origin:100% 0;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*="right"] .MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*="right"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*="left"] .MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*="left"] .MuiTooltip-arrow::before{transform-origin:0 0;}</style></dfn> associated with the now-approved authorization_details. Developers can also add the unique transaction reference to the access token. As a result, your API servers can later validate the approved transaction details when receiving and servicing API requests. 
</p><p>To learn more about RAR, read <a href="/docs/get-started/authentication-and-authorization-flow/authorization-code-flow/authorization-code-flow-with-rar">Authorization Code Flow with Rich Authorization Requests</a>.</p><div id="portal-title-3"><div class="title-portal-container MuiBox-root css-0" data-react-universal-portal=""><svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="title-portal-icon css-0"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71"></path><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71"></path></svg><style data-emotion="css r3xy45-MuiTypography-root">.css-r3xy45-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:2rem;line-height:2.5rem;letter-spacing:-0.5px;}@media (max-width:599.95px){.css-r3xy45-MuiTypography-root{font-size:1.75rem;line-height:2.25rem;letter-spacing:-0.3px;}}@media (max-width:-0.05px){.css-r3xy45-MuiTypography-root{font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}}</style><h2 class="MuiTypography-root MuiTypography-h2 title-portal-text css-r3xy45-MuiTypography-root" id="confidentiality-and-integrity-protection">Confidentiality and integrity protection</h2></div></div><p>Authorization details may include account numbers, monetary amounts, merchant names, and other highly sensitive information that would otherwise be passed, unprotected, in URLs or access tokens. 
To protect sensitive data from unauthorized access and tampering, Highly Regulated Identity offers comprehensive confidentiality and integrity protection.</p><div id="portal-title-4"><div class="title-portal-container MuiBox-root css-0" data-react-universal-portal=""><svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="title-portal-icon css-0"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71"></path><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71"></path></svg><style data-emotion="css 13g81vv-MuiTypography-root">.css-13g81vv-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:1.75rem;line-height:2.25rem;letter-spacing:-0.3px;}@media (max-width:599.95px){.css-13g81vv-MuiTypography-root{font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}}@media (max-width:-0.05px){.css-13g81vv-MuiTypography-root{font-size:1.25rem;line-height:1.75rem;letter-spacing:-0.1px;}}</style><h3 class="MuiTypography-root MuiTypography-h3 title-portal-text css-13g81vv-MuiTypography-root" id="protect-sensitive-data-in-the-front-channel">Protect sensitive data in the front channel</h3></div></div><p>To protect sensitive data in the front channel, such as a web browser, Highly Regulated Identity offers the following solutions as part of the FAPI 1 Advanced Security profile.</p><div id="portal-title-5"><div class="title-portal-container MuiBox-root css-0" data-react-universal-portal=""><svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="title-portal-icon css-0"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71"></path><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 
5 0 0 0 7.07 7.07l1.71-1.71"></path></svg><style data-emotion="css 1t6oil-MuiTypography-root">.css-1t6oil-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}@media (max-width:599.95px){.css-1t6oil-MuiTypography-root{font-size:1.25rem;line-height:1.75rem;letter-spacing:-0.1px;}}</style><h4 class="MuiTypography-root MuiTypography-h4 title-portal-text css-1t6oil-MuiTypography-root" id="pushed-authorization-requests-par-">Pushed Authorization Requests (PAR)</h4></div></div><p><a href="https://datatracker.ietf.org/doc/rfc9126/">PAR</a> introduces a new endpoint, which allows clients to directly push the payload of an OAuth 2.0 authorization request to the <dfn id="react-containers-DefinitionTooltip-3"><span class="tooltip-portal-underlined-word" data-mui-internal-clone-element="true" data-react-universal-portal="">authorization server</span><style data-emotion="css 1piulxx-MuiTooltip-popper" data-react-universal-portal="">.css-1piulxx-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*="bottom"] .MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*="bottom"] .MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*="top"] .MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*="top"] .MuiTooltip-arrow::before{transform-origin:100% 0;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*="right"] .MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*="right"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*="left"] 
.MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*="left"] .MuiTooltip-arrow::before{transform-origin:0 0;}</style><style data-emotion="css 1yddtj5-MuiPopper-root-MuiTooltip-popper" data-react-universal-portal="">.css-1yddtj5-MuiPopper-root-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*="bottom"] .MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*="bottom"] .MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*="top"] .MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*="top"] .MuiTooltip-arrow::before{transform-origin:100% 0;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*="right"] .MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*="right"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*="left"] .MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*="left"] .MuiTooltip-arrow::before{transform-origin:0 0;}</style></dfn> (i.e. Auth0 in this case). 
This avoids passing the authorization parameters via the insecure front channel (i.e., the browser), thus reducing the risk of unauthorized access to authorization parameters by an intermediary. The browser redirect then carries only the <code>request_uri</code> reference returned by that endpoint.</p><p>To learn more about PAR, read <a href="/docs/get-started/authentication-and-authorization-flow/authorization-code-flow/authorization-code-flow-with-par">Authorization Code Flow with Pushed Authorization Requests (PAR)</a> and <a href="/docs/get-started/applications/configure-par">Configure Pushed Authorization Requests (PAR)</a>.</p><div id="portal-title-6"><div class="title-portal-container MuiBox-root css-0" data-react-universal-portal=""><svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="title-portal-icon css-0"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71"></path><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71"></path></svg><style data-emotion="css 1t6oil-MuiTypography-root">.css-1t6oil-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}@media (max-width:599.95px){.css-1t6oil-MuiTypography-root{font-size:1.25rem;line-height:1.75rem;letter-spacing:-0.1px;}}</style><h4 class="MuiTypography-root MuiTypography-h4 title-portal-text css-1t6oil-MuiTypography-root" id="jwt-secured-authorization-request-jar-">JWT-Secured Authorization Request (JAR)</h4></div></div><p><a href="https://datatracker.ietf.org/doc/rfc9101/">JAR</a> is an OAuth 2.0 protocol extension that enhances the security of authorization requests. 
It does so by using a <dfn id="react-containers-DefinitionTooltip-4"><span class="tooltip-portal-underlined-word" data-mui-internal-clone-element="true" data-react-universal-portal="">JSON Web Token</span><style data-emotion="css 1piulxx-MuiTooltip-popper" data-react-universal-portal="">.css-1piulxx-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*="bottom"] .MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*="bottom"] .MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*="top"] .MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*="top"] .MuiTooltip-arrow::before{transform-origin:100% 0;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*="right"] .MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*="right"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*="left"] .MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*="left"] .MuiTooltip-arrow::before{transform-origin:0 0;}</style><style data-emotion="css 1yddtj5-MuiPopper-root-MuiTooltip-popper" data-react-universal-portal="">.css-1yddtj5-MuiPopper-root-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*="bottom"] .MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*="bottom"] .MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*="top"] .MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*="top"] .MuiTooltip-arrow::before{transform-origin:100% 
0;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*="right"] .MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*="right"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*="left"] .MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*="left"] .MuiTooltip-arrow::before{transform-origin:0 0;}</style></dfn> (JWT) request parameter to protect the integrity and, optionally, the confidentiality of the authorization request parameters.</p><p>To learn more about JAR, read <a href="/docs/get-started/authentication-and-authorization-flow/authorization-code-flow/authorization-code-flow-with-jar">Authorization Code Flow with JWT-Secured Authorization Requests (JAR)</a> and <a href="/docs/get-started/applications/configure-jar">Configure JWT-Secured Authorization Requests (JAR)</a>.</p><div id="portal-title-7"><div class="title-portal-container MuiBox-root css-0" data-react-universal-portal=""><svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="title-portal-icon css-0"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71"></path><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71"></path></svg><style data-emotion="css 1t6oil-MuiTypography-root">.css-1t6oil-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}@media (max-width:599.95px){.css-1t6oil-MuiTypography-root{font-size:1.25rem;line-height:1.75rem;letter-spacing:-0.1px;}}</style><h4 class="MuiTypography-root MuiTypography-h4 
title-portal-text css-1t6oil-MuiTypography-root" id="protect-sensitive-data-in-access-tokens">Protect sensitive data in access tokens</h4></div></div><p>To protect the authorization details included in access tokens, Highly Regulated Identity provides support for using <a href="https://datatracker.ietf.org/doc/html/rfc7516">JSON Web Encryption (JWE)</a> to encrypt the payload of access tokens. This protects access tokens from application-side data breaches and unauthorized inspection into API calls by intermediaries.</p><p>To learn more about JWE, read <a href="/docs/secure/tokens/access-tokens/json-web-encryption">JSON Web Encryption</a> and <a href="/docs/get-started/apis/configure-json-web-encryption">Configure JSON Web Encryption</a>.</p><div id="portal-title-8"><div class="title-portal-container MuiBox-root css-0" data-react-universal-portal=""><svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="title-portal-icon css-0"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71"></path><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71"></path></svg><style data-emotion="css r3xy45-MuiTypography-root">.css-r3xy45-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:2rem;line-height:2.5rem;letter-spacing:-0.5px;}@media (max-width:599.95px){.css-r3xy45-MuiTypography-root{font-size:1.75rem;line-height:2.25rem;letter-spacing:-0.3px;}}@media (max-width:-0.05px){.css-r3xy45-MuiTypography-root{font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}}</style><h2 class="MuiTypography-root MuiTypography-h2 title-portal-text css-r3xy45-MuiTypography-root" id="stronger-application-authentication">Stronger application authentication</h2></div></div><p>To improve your application authentication security, 
Highly Regulated Identity offers two different alternatives as part of the FAPI 1 Advanced Security profile:</p><ul><li><p><a href="https://datatracker.ietf.org/doc/html/rfc7523">Private Key JWT</a>: involves generating a public-private key pair to use as credentials to authenticate an application. The application signs a JWT assertion with the private key and Auth0 verifies it with the registered public key, so no shared secret is transmitted. It is already available for customers on the Enterprise plan. To learn more, read <a href="/docs/secure/application-credentials#private-key-jwt-authentication">Private Key JWT Authentication</a>.</p></li><li><p><a href="https://datatracker.ietf.org/doc/html/rfc8705">mTLS for OAuth</a>: involves registering a standard X.509 certificate linked to an application on your tenant. The certificate can either be CA-issued or self-signed. Following standard mTLS procedures, the private key corresponding to the certificate is used on the client side to establish the mTLS tunnel when sending requests to your Auth0 tenant endpoints. As a result, Auth0 can authenticate the application without transmitting secrets over the network. 
To learn more, read <a href="/docs/get-started/authentication-and-authorization-flow/authenticate-with-mtls">mTLS for OAuth</a>.</p></li></ul><p>With both Private Key JWT and OAuth 2.0 mTLS, you can rotate credentials with zero downtime by temporarily keeping two active keys and/or certificates at the same time for a given application.</p><div id="portal-title-9"><div class="title-portal-container MuiBox-root css-0" data-react-universal-portal=""><svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="title-portal-icon css-0"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71"></path><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71"></path></svg><style data-emotion="css r3xy45-MuiTypography-root">.css-r3xy45-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:2rem;line-height:2.5rem;letter-spacing:-0.5px;}@media (max-width:599.95px){.css-r3xy45-MuiTypography-root{font-size:1.75rem;line-height:2.25rem;letter-spacing:-0.3px;}}@media (max-width:-0.05px){.css-r3xy45-MuiTypography-root{font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}}</style><h2 class="MuiTypography-root MuiTypography-h2 title-portal-text css-r3xy45-MuiTypography-root" id="protect-access-tokens-with-token-binding">Protect access tokens with Token Binding</h2></div></div><p>Supporting mTLS also adds the ability to use Token Binding or Sender Constraining. Token Binding associates the thumbprint of the client certificate used for establishing the mTLS tunnel to an access token. When the client consumes an API using the certificate-bound access token, the API server is then able to verify whether the client is also using the associated client certificate. 
As a result, even if the access token is compromised, malicious actors who do not hold the private key for the associated client certificate still cannot access protected resources, provided the API server performs this check on every request.</p><p><b>Note:</b> Token Binding operates independently of the application's authentication method and does not require the pre-registration of the client certificate. To learn more, read <a href="/docs/get-started/applications/configure-sender-constraining">Configure Sender Constraining</a>.</p><div id="portal-title-10"><div class="title-portal-container MuiBox-root css-0" data-react-universal-portal=""><svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="title-portal-icon css-0"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71"></path><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71"></path></svg><style data-emotion="css r3xy45-MuiTypography-root">.css-r3xy45-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:2rem;line-height:2.5rem;letter-spacing:-0.5px;}@media (max-width:599.95px){.css-r3xy45-MuiTypography-root{font-size:1.75rem;line-height:2.25rem;letter-spacing:-0.3px;}}@media (max-width:-0.05px){.css-r3xy45-MuiTypography-root{font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}}</style><h2 class="MuiTypography-root MuiTypography-h2 title-portal-text css-r3xy45-MuiTypography-root" id="customizable-approval-flows-for-better-user-experience">Customizable approval flows for better user experience</h2></div></div><p>When designing real-world solutions for financial-grade security, it’s important to consider user experience. Applying one-size-fits-all authentication flows for all transactions is not as effective as dynamically adjusting based on transaction details and use cases. 
</p><p>You can customize your authentication flow using <a href="/docs/customize/actions">Actions</a>. For example, after the user logs in, you can inspect transaction details received via RAR, list the user’s enrolled and already validated authentication factors, and use external services, such as risk evaluation engines, to determine the next authentication factor to use. To learn more, read <a href="/docs/secure/highly-regulated-identity/transactional-authorization-with-contextual-sca#apply-dynamic-policy">Apply dynamic policy</a>. </p><p>The New <dfn id="react-containers-DefinitionTooltip-5"><span class="tooltip-portal-underlined-word" data-mui-internal-clone-element="true" data-react-universal-portal="">Universal Login</span><style data-emotion="css 1piulxx-MuiTooltip-popper" data-react-universal-portal="">.css-1piulxx-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*="bottom"] .MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*="bottom"] .MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*="top"] .MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*="top"] .MuiTooltip-arrow::before{transform-origin:100% 0;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*="right"] .MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*="right"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*="left"] .MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*="left"] .MuiTooltip-arrow::before{transform-origin:0 0;}</style><style data-emotion="css 1yddtj5-MuiPopper-root-MuiTooltip-popper" 
data-react-universal-portal="">.css-1yddtj5-MuiPopper-root-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*="bottom"] .MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*="bottom"] .MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*="top"] .MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*="top"] .MuiTooltip-arrow::before{transform-origin:100% 0;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*="right"] .MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*="right"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*="left"] .MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*="left"] .MuiTooltip-arrow::before{transform-origin:0 0;}</style></dfn> templates also enable you to customize the attributes displayed on the transaction approval screen depending on the type of transaction and other authorization details. 
To learn more, read <a href="/docs/get-started/apis/configure-rich-authorization-requests">Configure Rich Authorization Requests (RAR)</a>.</p><img src="//images.ctfassets.net/cdy7uua7fh8z/7eBJA1IPsCIZubFKEtHh3m/8ec245ebd3bab775e9ba12fbe7f4096c/image2.png" alt=""><div id="portal-title-11"><div class="title-portal-container MuiBox-root css-0" data-react-universal-portal=""><h2 class="MuiTypography-root MuiTypography-h2 title-portal-text css-r3xy45-MuiTypography-root" id="learn-more">Learn more</h2></div></div><p>To learn how Highly Regulated Identity works from end-to-end to authorize a one-time transaction, read <a href="/docs/secure/highly-regulated-identity/transactional-authorization-with-contextual-sca">Transactional Authorization with Contextual Strong Customer Authentication</a>.</p></div></div></div></article>
</div></div></div></div></div></div></div></div></div></div></div></div>
<script>window.App={"context":{"dispatcher":{"stores":{"RouteStore":{"currentNavigate":{"transactionId":272934868698038,"method":"get","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity?_gl=1*10hptof*_gcl_aw*R0NMLjE3MjU1NzE5ODIuQ2p3S0NBandyZVcyQmhCaEVpd0Fhdkx3Zk1Jc1oyMFVLd2E2NWdaLTNTcWdzcFVhR3dtTkdjb3hxeFhtMUxDeFdMYnA1bWhlSFAwckpob0NCRTRRQXZEX0J3RQ..*_gcl_au*NTExMDg2NDQ1LjE3MjA4MTIxMzk.*_ga*MTM1NzAxMTQ5NC4xNzE2OTE2ODg5*_ga_QKMSDV5369*MTcyNjMyMzEyMC4zMDAuMS4xNzI2MzI0ODYzLjYwLjAuMA..","route":null,"error":null,"isComplete":true},"routes":null},"ApplicationStore":{"flags":{"framed":false,"singleQuickstart":false,"mobile":false},"state":{"isStickyHeaderVisible":false},"pageTitle":"Highly Regulated Identity","pageDescription":"Learn about Highly Regulated Identity, Auth0's Financial-Grade Identity solution. ","domainUrlApp":"https:\u002F\u002Fmanage.auth0.com","dashboardUrl":"https:\u002F\u002Fmanage.auth0.com\u002F#","domainUrlDocs":"https:\u002F\u002Fauth0.com\u002Fdocs","domainUrlSignup":"https:\u002F\u002Fauth0.com\u002Fsignup?&signUpData=%7B%22category%22%3A%22docs%22%7D","csrfToken":"hckjpaun-j9jbAEKks9L9Acn2zJoHOLklfBg"},"QuickstartStore":{"flags":{"framed":false,"singleQuickstart":false,"mobile":false},"quickstarts":undefined,"currentQuickstart":undefined,"currentPlatform":undefined,"currentVersion":undefined,"currentArticle":undefined,"sidebarItems":[],"breadcrumbs":[],"sidebarBreadcrumbs":[],"landingPageBreadcrumbs":[],"metadataNextSteps":undefined,"sidebarArticlesNextSteps":undefined,"appChoiceView":undefined,"apiChoiceView":undefined,"appExplorerActiveFile":undefined},"AbStore":{"docExperiments":undefined},"DocumentStore":{"docs":{"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity":{"state":"LOADED","originalHtml":"\u003Cstyle data-emotion=\"css-light \"\u003E\u003C\u002Fstyle\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv 
id=\"react-containers-AlertContainer-0\"\u003E\u003Cstyle data-emotion=\"css a14jl7-QuantumAlert-root\" data-react-universal-portal=\"\"\u003E.css-a14jl7-QuantumAlert-root{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-align-items:flex-start;-webkit-box-align:flex-start;-ms-flex-align:flex-start;align-items:flex-start;border-radius:4px;padding:10px 16px;box-shadow:none;border-left:0.5rem solid #686868;background-color:#F1F1F1;color:#3E3E3E;}.css-a14jl7-QuantumAlert-root a,.css-a14jl7-QuantumAlert-root a:hover{color:currentColor;-webkit-text-decoration:underline;text-decoration:underline;}.css-a14jl7-QuantumAlert-root .QuantumAlert-icon{color:#3E3E3E;}\u003C\u002Fstyle\u003E\u003Cdiv role=\"alert\" class=\"QuantumAlert-root alert-portal-container alert-portal-severity-default css-a14jl7-QuantumAlert-root\" data-react-universal-portal=\"\"\u003E\u003Cstyle data-emotion=\"css coqgw6-QuantumAlert-icon\"\u003E.css-coqgw6-QuantumAlert-icon{font-size:1.25rem;margin-right:12px;line-height:1;padding-top:0.3125rem;}.css-coqgw6-QuantumAlert-icon svg{height:1em;width:1em;}\u003C\u002Fstyle\u003E\u003Cdiv class=\"QuantumAlert-icon css-coqgw6-QuantumAlert-icon\"\u003E\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" width=\"1em\" height=\"1em\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"css-0\"\u003E\u003Cpath d=\"M14 2H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2V8z\"\u003E\u003C\u002Fpath\u003E\u003Cpolyline points=\"14 2 14 8 20 8\"\u003E\u003C\u002Fpolyline\u003E\u003Cline x1=\"16\" y1=\"13\" x2=\"8\" y2=\"13\"\u003E\u003C\u002Fline\u003E\u003Cline x1=\"16\" y1=\"17\" x2=\"8\" y2=\"17\"\u003E\u003C\u002Fline\u003E\u003Cpolyline points=\"10 9 9 9 8 9\"\u003E\u003C\u002Fpolyline\u003E\u003C\u002Fsvg\u003E\u003C\u002Fdiv\u003E\u003Cstyle data-emotion=\"css 
1qf9vnp-QuantumAlert-content\"\u003E.css-1qf9vnp-QuantumAlert-content{font-family:Inter Var,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:400;font-size:0.875rem;line-height:1.57143;letter-spacing:0em;-webkit-flex:1;-ms-flex:1;flex:1;padding-top:0.25rem;}\u003C\u002Fstyle\u003E\u003Cdiv class=\"QuantumAlert-content css-1qf9vnp-QuantumAlert-content\"\u003E\u003Cstyle data-emotion=\"css cut6d9-QuantumAlert-message\"\u003E.css-cut6d9-QuantumAlert-message{display:inline;}.css-cut6d9-QuantumAlert-message\u003Eul{list-style:disc;margin-top:4px;padding-left:16px;}\u003C\u002Fstyle\u003E\u003Cdiv class=\"QuantumAlert-message css-cut6d9-QuantumAlert-message\"\u003E\u003Cdiv class=\"alert-portal-content MuiBox-root css-0\"\u003E\u003Cp\u003ETo use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fpricing\u002F\"\u003EAuth0 Pricing\u003C\u002Fa\u003E for details.\u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EHighly Regulated Identity (HRI) is Auth0’s Financial-Grade Identity™ solution to secure sensitive data operations and services important for your business. Initially targeting highly regulated industries like finance and healthcare, Highly Regulated Identity raises the security level to protect a wide range of customer use cases, including but not limited to money transfers, digital payments, and access to medical records. You can also use Highly Regulated Identity for other sensitive operations that require enhanced security, such as to approve changes in administrative credentials, secure privileged access to a web portal, and more. 
\u003C\u002Fp\u003E\u003Cp\u003ETo secure your sensitive business operations, Highly Regulated Identity provides:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#advanced-security-with-openid-connect-fapi-\"\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#strong-customer-authentication-sca-\"\u003EStrong Customer Authentication (SCA)\u003C\u002Fa\u003E and \u003Ca href=\"#dynamic-linking\"\u003EDynamic Linking\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#customizable-approval-flows-for-better-user-experience\"\u003ECustomizable approval flows for better user experience\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cdiv id=\"portal-title-0\"\u003E\u003Cdiv class=\"title-portal-container MuiBox-root css-0\" data-react-universal-portal=\"\"\u003E\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" width=\"16\" height=\"16\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"title-portal-icon css-0\"\u003E\u003Cpath d=\"M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71\"\u003E\u003C\u002Fpath\u003E\u003Cpath d=\"M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 
7.07l1.71-1.71\"\u003E\u003C\u002Fpath\u003E\u003C\u002Fsvg\u003E\u003Cstyle data-emotion=\"css r3xy45-MuiTypography-root\"\u003E.css-r3xy45-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:2rem;line-height:2.5rem;letter-spacing:-0.5px;}@media (max-width:599.95px){.css-r3xy45-MuiTypography-root{font-size:1.75rem;line-height:2.25rem;letter-spacing:-0.3px;}}@media (max-width:-0.05px){.css-r3xy45-MuiTypography-root{font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}}\u003C\u002Fstyle\u003E\u003Ch2 class=\"MuiTypography-root MuiTypography-h2 title-portal-text css-r3xy45-MuiTypography-root\" id=\"advanced-security-with-openid-connect-fapi-\"\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fh2\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EOpenID FAPI\u003C\u002Fa\u003E is a suite of security and privacy specifications developed by the \u003Cdfn id=\"react-containers-DefinitionTooltip-0\"\u003E\u003Cspan class=\"tooltip-portal-underlined-word\" data-mui-internal-clone-element=\"true\" data-react-universal-portal=\"\"\u003EOpenID\u003C\u002Fspan\u003E\u003Cstyle data-emotion=\"css 1piulxx-MuiTooltip-popper\" data-react-universal-portal=\"\"\u003E.css-1piulxx-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow::before{transform-origin:100% 0;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"right\"] 
.MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow::before{transform-origin:0 0;}\u003C\u002Fstyle\u003E\u003Cstyle data-emotion=\"css 1yddtj5-MuiPopper-root-MuiTooltip-popper\" data-react-universal-portal=\"\"\u003E.css-1yddtj5-MuiPopper-root-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow::before{transform-origin:100% 0;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow::before{transform-origin:0 0;}\u003C\u002Fstyle\u003E\u003C\u002Fdfn\u003E Foundation. 
APIs that meet the FAPI standards are classified as “financial-grade,” which means that they provide robust authentication and authorization mechanisms that help secure access to financial and other sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003EAuth0 is a certified FAPI provider. To learn more about the security improvements we introduced to meet FAPI standards, see the following sections:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EFor more information on FAPI, see OpenID's \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwordpress-content\u002Fuploads\u002F2022\u002F03\u002FOIDF-Whitepaper_Open-Banking-Open-Data-and-Financial-Grade-APIs_2022-03-16.pdf\"\u003EOpen Banking, Open Data, and Financial-grade APIs\u003C\u002Fa\u003E whitepaper and the \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EFAPI Working Group specifications\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F20iajPMtmICMORUfaVQH7a\u002Fec900e1007b3faebd66eb2508f46acb0\u002Fimage17.png\" alt=\"\"\u003E\u003Cdiv id=\"portal-title-1\"\u003E\u003Cdiv class=\"title-portal-container MuiBox-root css-0\" data-react-universal-portal=\"\"\u003E\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" width=\"16\" height=\"16\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" 
stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"title-portal-icon css-0\"\u003E\u003Cpath d=\"M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71\"\u003E\u003C\u002Fpath\u003E\u003Cpath d=\"M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71\"\u003E\u003C\u002Fpath\u003E\u003C\u002Fsvg\u003E\u003Cstyle data-emotion=\"css r3xy45-MuiTypography-root\"\u003E.css-r3xy45-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:2rem;line-height:2.5rem;letter-spacing:-0.5px;}@media (max-width:599.95px){.css-r3xy45-MuiTypography-root{font-size:1.75rem;line-height:2.25rem;letter-spacing:-0.3px;}}@media (max-width:-0.05px){.css-r3xy45-MuiTypography-root{font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}}\u003C\u002Fstyle\u003E\u003Ch2 class=\"MuiTypography-root MuiTypography-h2 title-portal-text css-r3xy45-MuiTypography-root\" id=\"strong-customer-authentication-sca-\"\u003EStrong Customer Authentication (SCA)\u003C\u002Fh2\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F3JDIerJcevImoIDRd7OfIy\u002F98597a9164b66cde9ec7ddc23f3e849b\u002Fimage14.png\" alt=\"\"\u003E\u003Cp\u003EIntroduced by Europe’s \u003Ca href=\"https:\u002F\u002Fwww.europeanpaymentscouncil.eu\u002Fsites\u002Fdefault\u002Ffiles\u002Finfographic\u002F2018-04\u002FEPC_Infographic_PSD2_April%202018.pdf\"\u003EPayment Services Directive (PSD2)\u003C\u002Fa\u003E, Strong Customer Authentication (SCA) mandates the use of at least two distinct authentication factors out of the following three:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003ESomething the user knows (e.g., a password)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething the user possesses (e.g., a device)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething intrinsic to the user (e.g., 
a fingerprint)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EThe authentication factors must be independent so that compromising one does not jeopardize the others. SCA is quickly becoming the worldwide standard for safeguarding sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003ETo help with SCA compliance, Auth0 offers various authentication factors that enroll and challenge users during a login transaction. Highly Regulated Identity leverages the following authentication factors to secure your transactions: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EMobile push notifications\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESMS\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EEmail\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EWebAuthn\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EUsing \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E, you can dynamically determine which authentication factors to use. This gives you the flexibility to customize your code logic. For example, you can add a second authentication factor for payments above 10 USD. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cdiv id=\"portal-title-2\"\u003E\u003Cdiv class=\"title-portal-container MuiBox-root css-0\" data-react-universal-portal=\"\"\u003E\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" width=\"16\" height=\"16\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"title-portal-icon css-0\"\u003E\u003Cpath d=\"M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71\"\u003E\u003C\u002Fpath\u003E\u003Cpath d=\"M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71\"\u003E\u003C\u002Fpath\u003E\u003C\u002Fsvg\u003E\u003Cstyle data-emotion=\"css r3xy45-MuiTypography-root\"\u003E.css-r3xy45-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:2rem;line-height:2.5rem;letter-spacing:-0.5px;}@media (max-width:599.95px){.css-r3xy45-MuiTypography-root{font-size:1.75rem;line-height:2.25rem;letter-spacing:-0.3px;}}@media (max-width:-0.05px){.css-r3xy45-MuiTypography-root{font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}}\u003C\u002Fstyle\u003E\u003Ch2 class=\"MuiTypography-root MuiTypography-h2 title-portal-text css-r3xy45-MuiTypography-root\" id=\"dynamic-linking\"\u003EDynamic Linking\u003C\u002Fh2\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003EPSD2 requires that payment service providers implement Dynamic Linking along with Strong Customer Authentication. Dynamic Linking presents the user with transaction details for their explicit validation and approval and uniquely links the authorization and the transaction details. 
This ensures a good user experience and helps with regulatory compliance.\u003C\u002Fp\u003E\u003Cp\u003ETo enable Dynamic Linking, you can use Rich Authorization Requests (RAR) to pass fine-grained transaction authorization data to the \u003Cdfn id=\"react-containers-DefinitionTooltip-1\"\u003E\u003Cspan class=\"tooltip-portal-underlined-word\" data-mui-internal-clone-element=\"true\" data-react-universal-portal=\"\"\u003EOAuth\u003C\u002Fspan\u003E\u003Cstyle data-emotion=\"css 1piulxx-MuiTooltip-popper\" data-react-universal-portal=\"\"\u003E.css-1piulxx-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow::before{transform-origin:100% 0;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow::before{transform-origin:0 0;}\u003C\u002Fstyle\u003E\u003Cstyle data-emotion=\"css 1yddtj5-MuiPopper-root-MuiTooltip-popper\" data-react-universal-portal=\"\"\u003E.css-1yddtj5-MuiPopper-root-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"bottom\"] 
.MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow::before{transform-origin:100% 0;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow::before{transform-origin:0 0;}\u003C\u002Fstyle\u003E\u003C\u002Fdfn\u003E authorization endpoint. The following code sample shows an \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E JSON object, which contains information like the payment type, amount, currency, and recipient:\u003C\u002Fp\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv id=\"portal-code-block-0\"\u003E\u003Cstyle data-emotion=\"css i3pbo\" data-react-universal-portal=\"\"\u003E.css-i3pbo{margin-bottom:24px;}\u003C\u002Fstyle\u003E\u003Cstyle data-emotion=\"css 1ler0\" data-react-universal-portal=\"\"\u003E.css-1ler0{margin-bottom:24px;}\u003C\u002Fstyle\u003E\u003Cdiv class=\"MuiBox-root css-1ler0\" data-react-universal-portal=\"\"\u003E\u003Cstyle data-emotion=\"css 1pn7oyt\"\u003E.css-1pn7oyt{position:relative;}.css-1pn7oyt button.copy-button{position:absolute;right:0.5em;top:0.5em;}.css-1pn7oyt pre.code-highlight-prism{border:0;}.css-1pn7oyt code.code-highlight-prism{color:#FFFFFF;}.css-1pn7oyt .token.keyword{color:#B9E0CB;}.css-1pn7oyt .token.property,.css-1pn7oyt .token.constant,.css-1pn7oyt .token.symbol,.css-1pn7oyt 
.token.deleted{color:#B9E0CB;}.css-1pn7oyt .token.selector,.css-1pn7oyt .token.string,.css-1pn7oyt .token.char,.css-1pn7oyt .token.builtin,.css-1pn7oyt .token.inserted{color:#bcbcff;}.css-1pn7oyt .token.boolean,.css-1pn7oyt .token.number{color:#bcbcff;}.css-1pn7oyt .token.class-name,.css-1pn7oyt .token.attr-name,.css-1pn7oyt .token .punctuation{color:#DCD1FC;}.css-1pn7oyt .token.attr-value,.css-1pn7oyt .token.tag,.css-1pn7oyt .token.script .punctuation,.css-1pn7oyt .token.atrule{color:#bcbcff;}.css-1pn7oyt .token.function{color:#FFFFFF;}.css-1pn7oyt .token.regex,.css-1pn7oyt .token.important{color:#DCD1FC;}.css-1pn7oyt .token.namespace{opacity:1;}.css-1pn7oyt .line-highlight{background:rgba(85, 85, 85, 0.2);border-bottom:0.5px solid rgba(255, 255, 255, 0.25);border-top:0.5px solid rgba(255, 255, 255, 0.25);}.css-1pn7oyt .line-numbers{font-family:Roboto Mono,Menlo,Monaco,Consolas,Courier New,monospace;font-size:0.875rem;line-height:1.25rem;letter-spacing:0.15px;font-weight:400;-webkit-font-smoothing:subpixel-antialiased;}.css-1pn7oyt .line-numbers .line-numbers-rows{border-right:none;color:#5a5f66;}.css-1pn7oyt :not(pre)\u003Ecode[class*=\"language-\"],.css-1pn7oyt pre[class*=\"language-\"]{background:#1E1E1E;}.css-1pn7oyt pre[class*=\"language-\"]{margin:0;}.css-1pn7oyt .token.package:before,.css-1pn7oyt .token.package:after{display:none;}.css-1pn7oyt .token.package{background:none;border:none;}\u003C\u002Fstyle\u003E\u003Cdiv class=\"css-1pn7oyt\"\u003E\u003Cpre class=\"code-highlight-prism language-undefined line-numbers linkable-line-numbers\"\u003E\u003Ccode class=\"code-highlight-prism language-undefined\" style=\"font-family:unset\"\u003E\"authorization_details\": [\n {\n \"type\": \"one_time_payment\",\n \"amount\": {\n \"amount\": 2460.46,\n \"currency\": \"USD\"\n },\n \"sourceAccount\": \"xxxxxxxxxxx4567\",\n \"recipient\": \"Acme Travel, Inc.\",\n \"concept\": \"All Inclusive Resort Package for Two\"\n 
}\n]\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\u003Cstyle data-emotion=\"css re1tye\"\u003E.css-re1tye{color:#BCBAFF;border:none;background-color:none;background:none;}\u003C\u002Fstyle\u003E\u003Cstyle data-emotion=\"css 73zw66-QuantumIconButton-root\"\u003E.css-73zw66-QuantumIconButton-root{padding:0;border-radius:4px;-webkit-transition:background-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,box-shadow 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,border-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;transition:background-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,box-shadow 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,border-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;color:#BCBAFF;border:none;background-color:none;background:none;}.css-73zw66-QuantumIconButton-root:focus,.css-73zw66-QuantumIconButton-root.Mui-focusVisible{box-shadow:rgba(63, 89, 228, 0.25) 0px 0px 0px 0.25em;}.css-73zw66-QuantumIconButton-root.Mui-disabled{background-color:#F1F1F1;color:#686868;}.css-73zw66-QuantumIconButton-root\u003Esvg:first-child{height:1em;width:1em;}\u003C\u002Fstyle\u003E\u003Cstyle data-emotion=\"css 6mu3uj-MuiIconButton-root-QuantumIconButton-root\"\u003E.css-6mu3uj-MuiIconButton-root-QuantumIconButton-root{text-align:center;-webkit-flex:0 0 auto;-ms-flex:0 0 auto;flex:0 0 auto;font-size:1.5rem;padding:8px;border-radius:50%;overflow:visible;color:rgba(0, 0, 0, 0.54);-webkit-transition:background-color 150ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;transition:background-color 150ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;color:#3F59E4;font-size:1rem;height:2.125rem;width:2.125rem;color:#3F59E4;border-style:solid;border-width:1px;color:#3F59E4;border-color:#3F59E4;padding:0;border-radius:4px;-webkit-transition:background-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,box-shadow 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,border-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,color 250ms cubic-bezier(0.4, 0, 0.2, 1) 
0ms;transition:background-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,box-shadow 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,border-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;color:#BCBAFF;border:none;background-color:none;background:none;}.css-6mu3uj-MuiIconButton-root-QuantumIconButton-root:hover{background-color:rgba(0, 0, 0, 0.04);}@media (hover: none){.css-6mu3uj-MuiIconButton-root-QuantumIconButton-root:hover{background-color:transparent;}}.css-6mu3uj-MuiIconButton-root-QuantumIconButton-root:hover{background-color:rgba(63, 89, 228, 0.04);}@media (hover: none){.css-6mu3uj-MuiIconButton-root-QuantumIconButton-root:hover{background-color:transparent;}}.css-6mu3uj-MuiIconButton-root-QuantumIconButton-root.Mui-disabled{background-color:transparent;color:rgba(0, 0, 0, 0.26);}.css-6mu3uj-MuiIconButton-root-QuantumIconButton-root.Mui-disabled,.css-6mu3uj-MuiIconButton-root-QuantumIconButton-root:disabled{color:#8E8E8E;background-color:#E8E8E8;border-color:#D7D7D7;}.css-6mu3uj-MuiIconButton-root-QuantumIconButton-root:hover,.css-6mu3uj-MuiIconButton-root-QuantumIconButton-root.Mui-hover{color:#3449BA;background-color:#EEF0FD;}.css-6mu3uj-MuiIconButton-root-QuantumIconButton-root:active,.css-6mu3uj-MuiIconButton-root-QuantumIconButton-root.Mui-active{color:#263588;background-color:#E4E7FB;}.css-6mu3uj-MuiIconButton-root-QuantumIconButton-root:hover,.css-6mu3uj-MuiIconButton-root-QuantumIconButton-root.Mui-hover{background-color:#EEF0FD;border-color:#3F59E4;}.css-6mu3uj-MuiIconButton-root-QuantumIconButton-root:active,.css-6mu3uj-MuiIconButton-root-QuantumIconButton-root.Mui-active{background-color:#E4E7FB;border-color:#3F59E4;}.css-6mu3uj-MuiIconButton-root-QuantumIconButton-root:focus,.css-6mu3uj-MuiIconButton-root-QuantumIconButton-root.Mui-focusVisible{box-shadow:rgba(63, 89, 228, 0.25) 0px 0px 0px 
0.25em;}.css-6mu3uj-MuiIconButton-root-QuantumIconButton-root.Mui-disabled{background-color:#F1F1F1;color:#686868;}.css-6mu3uj-MuiIconButton-root-QuantumIconButton-root\u003Esvg:first-child{height:1em;width:1em;}\u003C\u002Fstyle\u003E\u003Cstyle data-emotion=\"css 1gkcg2s-MuiButtonBase-root-MuiIconButton-root-QuantumIconButton-root\"\u003E.css-1gkcg2s-MuiButtonBase-root-MuiIconButton-root-QuantumIconButton-root{display:-webkit-inline-box;display:-webkit-inline-flex;display:-ms-inline-flexbox;display:inline-flex;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-webkit-box-pack:center;-ms-flex-pack:center;-webkit-justify-content:center;justify-content:center;position:relative;box-sizing:border-box;-webkit-tap-highlight-color:transparent;background-color:transparent;outline:0;border:0;margin:0;border-radius:0;padding:0;cursor:pointer;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;vertical-align:middle;-moz-appearance:none;-webkit-appearance:none;-webkit-text-decoration:none;text-decoration:none;color:inherit;text-align:center;-webkit-flex:0 0 auto;-ms-flex:0 0 auto;flex:0 0 auto;font-size:1.5rem;padding:8px;border-radius:50%;overflow:visible;color:rgba(0, 0, 0, 0.54);-webkit-transition:background-color 150ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;transition:background-color 150ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;color:#3F59E4;font-size:1rem;height:2.125rem;width:2.125rem;color:#3F59E4;border-style:solid;border-width:1px;color:#3F59E4;border-color:#3F59E4;padding:0;border-radius:4px;-webkit-transition:background-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,box-shadow 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,border-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;transition:background-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,box-shadow 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,border-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,color 250ms 
cubic-bezier(0.4, 0, 0.2, 1) 0ms;color:#BCBAFF;border:none;background-color:none;background:none;}.css-1gkcg2s-MuiButtonBase-root-MuiIconButton-root-QuantumIconButton-root::-moz-focus-inner{border-style:none;}.css-1gkcg2s-MuiButtonBase-root-MuiIconButton-root-QuantumIconButton-root.Mui-disabled{pointer-events:none;cursor:default;}@media print{.css-1gkcg2s-MuiButtonBase-root-MuiIconButton-root-QuantumIconButton-root{-webkit-print-color-adjust:exact;color-adjust:exact;}}.css-1gkcg2s-MuiButtonBase-root-MuiIconButton-root-QuantumIconButton-root:hover{background-color:rgba(0, 0, 0, 0.04);}@media (hover: none){.css-1gkcg2s-MuiButtonBase-root-MuiIconButton-root-QuantumIconButton-root:hover{background-color:transparent;}}.css-1gkcg2s-MuiButtonBase-root-MuiIconButton-root-QuantumIconButton-root:hover{background-color:rgba(63, 89, 228, 0.04);}@media (hover: none){.css-1gkcg2s-MuiButtonBase-root-MuiIconButton-root-QuantumIconButton-root:hover{background-color:transparent;}}.css-1gkcg2s-MuiButtonBase-root-MuiIconButton-root-QuantumIconButton-root.Mui-disabled{background-color:transparent;color:rgba(0, 0, 0, 
0.26);}.css-1gkcg2s-MuiButtonBase-root-MuiIconButton-root-QuantumIconButton-root.Mui-disabled,.css-1gkcg2s-MuiButtonBase-root-MuiIconButton-root-QuantumIconButton-root:disabled{color:#8E8E8E;background-color:#E8E8E8;border-color:#D7D7D7;}.css-1gkcg2s-MuiButtonBase-root-MuiIconButton-root-QuantumIconButton-root:hover,.css-1gkcg2s-MuiButtonBase-root-MuiIconButton-root-QuantumIconButton-root.Mui-hover{color:#3449BA;background-color:#EEF0FD;}.css-1gkcg2s-MuiButtonBase-root-MuiIconButton-root-QuantumIconButton-root:active,.css-1gkcg2s-MuiButtonBase-root-MuiIconButton-root-QuantumIconButton-root.Mui-active{color:#263588;background-color:#E4E7FB;}.css-1gkcg2s-MuiButtonBase-root-MuiIconButton-root-QuantumIconButton-root:hover,.css-1gkcg2s-MuiButtonBase-root-MuiIconButton-root-QuantumIconButton-root.Mui-hover{background-color:#EEF0FD;border-color:#3F59E4;}.css-1gkcg2s-MuiButtonBase-root-MuiIconButton-root-QuantumIconButton-root:active,.css-1gkcg2s-MuiButtonBase-root-MuiIconButton-root-QuantumIconButton-root.Mui-active{background-color:#E4E7FB;border-color:#3F59E4;}.css-1gkcg2s-MuiButtonBase-root-MuiIconButton-root-QuantumIconButton-root:focus,.css-1gkcg2s-MuiButtonBase-root-MuiIconButton-root-QuantumIconButton-root.Mui-focusVisible{box-shadow:rgba(63, 89, 228, 0.25) 0px 0px 0px 0.25em;}.css-1gkcg2s-MuiButtonBase-root-MuiIconButton-root-QuantumIconButton-root.Mui-disabled{background-color:#F1F1F1;color:#686868;}.css-1gkcg2s-MuiButtonBase-root-MuiIconButton-root-QuantumIconButton-root\u003Esvg:first-child{height:1em;width:1em;}\u003C\u002Fstyle\u003E\u003Cbutton class=\"MuiButtonBase-root MuiIconButton-root MuiIconButton-colorPrimary MuiIconButton-sizeMedium copy-button css-1gkcg2s-MuiButtonBase-root-MuiIconButton-root-QuantumIconButton-root\" tabindex=\"0\" type=\"button\" variant=\"outlined\"\u003E\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" width=\"1em\" height=\"1em\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" 
stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"css-0\"\u003E\u003Crect x=\"9\" y=\"9\" width=\"13\" height=\"13\" rx=\"2\" ry=\"2\"\u003E\u003C\u002Frect\u003E\u003Cpath d=\"M5 15H4a2 2 0 0 1-2-2V4a2 2 0 0 1 2-2h9a2 2 0 0 1 2 2v1\"\u003E\u003C\u002Fpath\u003E\u003C\u002Fsvg\u003E\u003C\u002Fbutton\u003E\u003C\u002Fdiv\u003E\u003Cstyle data-emotion=\"css 3tbxyb\"\u003E.css-3tbxyb{position:relative;gap:12px;margin-top:16px;}\u003C\u002Fstyle\u003E\u003Cstyle data-emotion=\"css lqmrhz\"\u003E.css-lqmrhz{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-align-items:baseline;-webkit-box-align:baseline;-ms-flex-align:baseline;align-items:baseline;-webkit-box-pack:end;-ms-flex-pack:end;-webkit-justify-content:flex-end;justify-content:flex-end;position:relative;gap:12px;margin-top:16px;}\u003C\u002Fstyle\u003E\u003Cdiv class=\"MuiBox-root css-lqmrhz\"\u003E\u003Cstyle data-emotion=\"css 1o2jrcs-MuiTypography-root\"\u003E.css-1o2jrcs-MuiTypography-root{margin:0;font-family:Inter Var,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:400;font-size:0.875rem;line-height:1.57143;letter-spacing:0em;}\u003C\u002Fstyle\u003E\u003Cp class=\"MuiTypography-root MuiTypography-body2 css-1o2jrcs-MuiTypography-root\"\u003EWas this helpful?\u003C\u002Fp\u003E\u003Cstyle data-emotion=\"css v9we1n\"\u003E.css-v9we1n{grid-template-columns:none;grid-auto-columns:min-content;grid-auto-flow:column;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;}@media (min-width:0px){.css-v9we1n{grid-template-columns:none;}}@media (min-width:600px){.css-v9we1n{grid-template-columns:none;}}@media (min-width:960px){.css-v9we1n{grid-template-columns:none;}}\u003C\u002Fstyle\u003E\u003Cstyle data-emotion=\"css 
hejfqa-QuantumColumnLayout-root\"\u003E.css-hejfqa-QuantumColumnLayout-root{display:grid;gap:0px;grid-template-columns:none;grid-auto-columns:min-content;grid-auto-flow:column;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;}@media (min-width:0px){.css-hejfqa-QuantumColumnLayout-root{grid-template-columns:minmax(0,1fr);}}@media (min-width:600px){.css-hejfqa-QuantumColumnLayout-root{grid-template-columns:minmax(0,1fr);}}@media (min-width:960px){.css-hejfqa-QuantumColumnLayout-root{grid-template-columns:repeat(2, minmax(0,1fr));}}@media (min-width:0px){.css-hejfqa-QuantumColumnLayout-root{grid-template-columns:none;}}@media (min-width:600px){.css-hejfqa-QuantumColumnLayout-root{grid-template-columns:none;}}@media (min-width:960px){.css-hejfqa-QuantumColumnLayout-root{grid-template-columns:none;}}\u003C\u002Fstyle\u003E\u003Cdiv class=\"css-hejfqa-QuantumColumnLayout-root\"\u003E\u003Cstyle data-emotion=\"css 1c1xxt8\"\u003E.css-1c1xxt8{padding:0px 8px;}.css-1c1xxt8:focus{box-shadow:none;}\u003C\u002Fstyle\u003E\u003Cstyle data-emotion=\"css 1tsd7gx-QuantumButton-root\"\u003E.css-1tsd7gx-QuantumButton-root{padding:0px 8px;}.css-1tsd7gx-QuantumButton-root:focus{box-shadow:none;}\u003C\u002Fstyle\u003E\u003Cstyle data-emotion=\"css 15i2hpg-MuiButton-root-QuantumButton-root\"\u003E.css-15i2hpg-MuiButton-root-QuantumButton-root{font-family:Inter Var,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:0.875rem;line-height:1.57143;text-transform:capitalize;letter-spacing:0em;min-width:64px;padding:6px 16px;border-radius:4px;-webkit-transition:background-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,box-shadow 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,border-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;transition:background-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,box-shadow 250ms cubic-bezier(0.4, 0, 0.2, 1) 
0ms,border-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;box-shadow:none;padding:6px 12px;color:#191919;width:-webkit-fit-content;width:-moz-fit-content;width:fit-content;white-space:nowrap;min-width:unset;font-size:0.875rem;background-color:transparent;color:#191919;padding:5px 12px;padding:3px 10px;color:#3F59E4;padding:0px 8px;}.css-15i2hpg-MuiButton-root-QuantumButton-root:hover{-webkit-text-decoration:none;text-decoration:none;background-color:rgba(25, 25, 25, 0.04);}@media (hover: none){.css-15i2hpg-MuiButton-root-QuantumButton-root:hover{background-color:transparent;}}.css-15i2hpg-MuiButton-root-QuantumButton-root.Mui-disabled{color:rgba(0, 0, 0, 0.26);}.css-15i2hpg-MuiButton-root-QuantumButton-root:hover{box-shadow:none;}.css-15i2hpg-MuiButton-root-QuantumButton-root.Mui-focusVisible{box-shadow:none;}.css-15i2hpg-MuiButton-root-QuantumButton-root:active{box-shadow:none;}.css-15i2hpg-MuiButton-root-QuantumButton-root.Mui-disabled{box-shadow:none;}.css-15i2hpg-MuiButton-root-QuantumButton-root.Mui-disabled,.css-15i2hpg-MuiButton-root-QuantumButton-root:disabled{color:#8E8E8E;background-color:#E8E8E8;border-color:#D7D7D7;}.css-15i2hpg-MuiButton-root-QuantumButton-root:focus,.css-15i2hpg-MuiButton-root-QuantumButton-root.Mui-focusVisible{box-shadow:rgba(63, 89, 228, 0.25) 0px 0px 0px 0.25em;}.css-15i2hpg-MuiButton-root-QuantumButton-root:hover,.css-15i2hpg-MuiButton-root-QuantumButton-root.Mui-hover{color:#3449BA;background-color:#EEF0FD;}.css-15i2hpg-MuiButton-root-QuantumButton-root:active,.css-15i2hpg-MuiButton-root-QuantumButton-root.Mui-active{color:#263588;background-color:#E4E7FB;}.css-15i2hpg-MuiButton-root-QuantumButton-root:focus{box-shadow:none;}\u003C\u002Fstyle\u003E\u003Cstyle data-emotion=\"css 
1e3m5mn-MuiButtonBase-root-MuiButton-root-QuantumButton-root\"\u003E.css-1e3m5mn-MuiButtonBase-root-MuiButton-root-QuantumButton-root{display:-webkit-inline-box;display:-webkit-inline-flex;display:-ms-inline-flexbox;display:inline-flex;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-webkit-box-pack:center;-ms-flex-pack:center;-webkit-justify-content:center;justify-content:center;position:relative;box-sizing:border-box;-webkit-tap-highlight-color:transparent;background-color:transparent;outline:0;border:0;margin:0;border-radius:0;padding:0;cursor:pointer;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;vertical-align:middle;-moz-appearance:none;-webkit-appearance:none;-webkit-text-decoration:none;text-decoration:none;color:inherit;font-family:Inter Var,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:0.875rem;line-height:1.57143;text-transform:capitalize;letter-spacing:0em;min-width:64px;padding:6px 16px;border-radius:4px;-webkit-transition:background-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,box-shadow 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,border-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;transition:background-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,box-shadow 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,border-color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms,color 250ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;box-shadow:none;padding:6px 12px;color:#191919;width:-webkit-fit-content;width:-moz-fit-content;width:fit-content;white-space:nowrap;min-width:unset;font-size:0.875rem;background-color:transparent;color:#191919;padding:5px 12px;padding:3px 10px;color:#3F59E4;padding:0px 
8px;}.css-1e3m5mn-MuiButtonBase-root-MuiButton-root-QuantumButton-root::-moz-focus-inner{border-style:none;}.css-1e3m5mn-MuiButtonBase-root-MuiButton-root-QuantumButton-root.Mui-disabled{pointer-events:none;cursor:default;}@media print{.css-1e3m5mn-MuiButtonBase-root-MuiButton-root-QuantumButton-root{-webkit-print-color-adjust:exact;color-adjust:exact;}}.css-1e3m5mn-MuiButtonBase-root-MuiButton-root-QuantumButton-root:hover{-webkit-text-decoration:none;text-decoration:none;background-color:rgba(25, 25, 25, 0.04);}@media (hover: none){.css-1e3m5mn-MuiButtonBase-root-MuiButton-root-QuantumButton-root:hover{background-color:transparent;}}.css-1e3m5mn-MuiButtonBase-root-MuiButton-root-QuantumButton-root.Mui-disabled{color:rgba(0, 0, 0, 0.26);}.css-1e3m5mn-MuiButtonBase-root-MuiButton-root-QuantumButton-root:hover{box-shadow:none;}.css-1e3m5mn-MuiButtonBase-root-MuiButton-root-QuantumButton-root.Mui-focusVisible{box-shadow:none;}.css-1e3m5mn-MuiButtonBase-root-MuiButton-root-QuantumButton-root:active{box-shadow:none;}.css-1e3m5mn-MuiButtonBase-root-MuiButton-root-QuantumButton-root.Mui-disabled{box-shadow:none;}.css-1e3m5mn-MuiButtonBase-root-MuiButton-root-QuantumButton-root.Mui-disabled,.css-1e3m5mn-MuiButtonBase-root-MuiButton-root-QuantumButton-root:disabled{color:#8E8E8E;background-color:#E8E8E8;border-color:#D7D7D7;}.css-1e3m5mn-MuiButtonBase-root-MuiButton-root-QuantumButton-root:focus,.css-1e3m5mn-MuiButtonBase-root-MuiButton-root-QuantumButton-root.Mui-focusVisible{box-shadow:rgba(63, 89, 228, 0.25) 0px 0px 0px 
0.25em;}.css-1e3m5mn-MuiButtonBase-root-MuiButton-root-QuantumButton-root:hover,.css-1e3m5mn-MuiButtonBase-root-MuiButton-root-QuantumButton-root.Mui-hover{color:#3449BA;background-color:#EEF0FD;}.css-1e3m5mn-MuiButtonBase-root-MuiButton-root-QuantumButton-root:active,.css-1e3m5mn-MuiButtonBase-root-MuiButton-root-QuantumButton-root.Mui-active{color:#263588;background-color:#E4E7FB;}.css-1e3m5mn-MuiButtonBase-root-MuiButton-root-QuantumButton-root:focus{box-shadow:none;}\u003C\u002Fstyle\u003E\u003Cbutton class=\"MuiButton-root MuiButton-link MuiButton-linkPrimary MuiButton-sizeSmall MuiButton-linkSizeSmall MuiButton-disableElevation MuiButtonBase-root css-1e3m5mn-MuiButtonBase-root-MuiButton-root-QuantumButton-root\" tabindex=\"0\" type=\"button\"\u003EYes \u003C\u002Fbutton\u003E\u003Cspan\u003E\u002F\u003C\u002Fspan\u003E\u003Cbutton class=\"MuiButton-root MuiButton-link MuiButton-linkPrimary MuiButton-sizeSmall MuiButton-linkSizeSmall MuiButton-disableElevation MuiButtonBase-root css-1e3m5mn-MuiButtonBase-root-MuiButton-root-QuantumButton-root\" tabindex=\"0\" type=\"button\"\u003ENo \u003C\u002Fbutton\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003E\u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E is assigned a unique transaction reference, which Auth0 uses to prompt the user to perform step-up authentication: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EUse push notifications to show transaction details and get approval on a separate device such as a mobile phone application.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EUse SMS, email, or WebAuthn to confirm the details on the device that originated the transaction after the user completes the second authentication factor.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv id=\"react-containers-AlertContainer-1\"\u003E\u003Cstyle 
data-emotion=\"css kpvd6o-QuantumAlert-root\" data-react-universal-portal=\"\"\u003E.css-kpvd6o-QuantumAlert-root{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-align-items:flex-start;-webkit-box-align:flex-start;-ms-flex-align:flex-start;align-items:flex-start;border-radius:4px;padding:10px 16px;box-shadow:none;border-left:0.5rem solid #F8D626;background-color:#FEF2B3;color:#473D0B;}.css-kpvd6o-QuantumAlert-root a,.css-kpvd6o-QuantumAlert-root a:hover{color:currentColor;-webkit-text-decoration:underline;text-decoration:underline;}.css-kpvd6o-QuantumAlert-root .QuantumAlert-icon{color:#473D0B;}\u003C\u002Fstyle\u003E\u003Cdiv role=\"alert\" class=\"QuantumAlert-root alert-portal-container alert-portal-severity-warning css-kpvd6o-QuantumAlert-root\" data-react-universal-portal=\"\"\u003E\u003Cstyle data-emotion=\"css coqgw6-QuantumAlert-icon\"\u003E.css-coqgw6-QuantumAlert-icon{font-size:1.25rem;margin-right:12px;line-height:1;padding-top:0.3125rem;}.css-coqgw6-QuantumAlert-icon svg{height:1em;width:1em;}\u003C\u002Fstyle\u003E\u003Cdiv class=\"QuantumAlert-icon css-coqgw6-QuantumAlert-icon\"\u003E\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" width=\"1em\" height=\"1em\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"css-0\"\u003E\u003Cpath d=\"M10.29 3.86L1.82 18a2 2 0 0 0 1.71 3h16.94a2 2 0 0 0 1.71-3L13.71 3.86a2 2 0 0 0-3.42 0z\"\u003E\u003C\u002Fpath\u003E\u003Cline x1=\"12\" y1=\"9\" x2=\"12\" y2=\"13\"\u003E\u003C\u002Fline\u003E\u003Cline x1=\"12\" y1=\"17\" x2=\"12.01\" y2=\"17\"\u003E\u003C\u002Fline\u003E\u003C\u002Fsvg\u003E\u003C\u002Fdiv\u003E\u003Cstyle data-emotion=\"css 1qf9vnp-QuantumAlert-content\"\u003E.css-1qf9vnp-QuantumAlert-content{font-family:Inter Var,-apple-system,BlinkMacSystemFont,Segoe 
UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:400;font-size:0.875rem;line-height:1.57143;letter-spacing:0em;-webkit-flex:1;-ms-flex:1;flex:1;padding-top:0.25rem;}\u003C\u002Fstyle\u003E\u003Cdiv class=\"QuantumAlert-content css-1qf9vnp-QuantumAlert-content\"\u003E\u003Cstyle data-emotion=\"css cut6d9-QuantumAlert-message\"\u003E.css-cut6d9-QuantumAlert-message{display:inline;}.css-cut6d9-QuantumAlert-message\u003Eul{list-style:disc;margin-top:4px;padding-left:16px;}\u003C\u002Fstyle\u003E\u003Cdiv class=\"QuantumAlert-message css-cut6d9-QuantumAlert-message\"\u003E\u003Cdiv class=\"alert-portal-content MuiBox-root css-0\"\u003E\u003Cp\u003EDo not pass fine-grained transaction authorization data or other sensitive or regulated data outside of \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E. \u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EIf the user confirms the details, the transaction progresses and Auth0 issues an \u003Cdfn id=\"react-containers-DefinitionTooltip-2\"\u003E\u003Cspan class=\"tooltip-portal-underlined-word\" data-mui-internal-clone-element=\"true\" data-react-universal-portal=\"\"\u003Eaccess token\u003C\u002Fspan\u003E\u003Cstyle data-emotion=\"css 1piulxx-MuiTooltip-popper\" data-react-universal-portal=\"\"\u003E.css-1piulxx-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow::before{transform-origin:100% 0;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"right\"] 
.MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow::before{transform-origin:0 0;}\u003C\u002Fstyle\u003E\u003Cstyle data-emotion=\"css 1yddtj5-MuiPopper-root-MuiTooltip-popper\" data-react-universal-portal=\"\"\u003E.css-1yddtj5-MuiPopper-root-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow::before{transform-origin:100% 0;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow::before{transform-origin:0 0;}\u003C\u002Fstyle\u003E\u003C\u002Fdfn\u003E associated with the now-approved authorization_details. Developers can also add the unique transaction reference to the access token. 
As a result, your API servers can later validate the approved transaction details when receiving and servicing API requests.\n\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about RAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-rar\"\u003EAuthorization Code Flow with Rich Authorization Requests\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cdiv id=\"portal-title-3\"\u003E\u003Cdiv class=\"title-portal-container MuiBox-root css-0\" data-react-universal-portal=\"\"\u003E\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" width=\"16\" height=\"16\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"title-portal-icon css-0\"\u003E\u003Cpath d=\"M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71\"\u003E\u003C\u002Fpath\u003E\u003Cpath d=\"M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71\"\u003E\u003C\u002Fpath\u003E\u003C\u002Fsvg\u003E\u003Cstyle data-emotion=\"css r3xy45-MuiTypography-root\"\u003E.css-r3xy45-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:2rem;line-height:2.5rem;letter-spacing:-0.5px;}@media (max-width:599.95px){.css-r3xy45-MuiTypography-root{font-size:1.75rem;line-height:2.25rem;letter-spacing:-0.3px;}}@media (max-width:-0.05px){.css-r3xy45-MuiTypography-root{font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}}\u003C\u002Fstyle\u003E\u003Ch2 class=\"MuiTypography-root MuiTypography-h2 title-portal-text css-r3xy45-MuiTypography-root\" id=\"confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fh2\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003EAuthorization details may include account numbers, monetary amounts, merchant names, and other highly 
sensitive information that are passed in URLs or access tokens that are not secure. To protect sensitive data from unauthorized access and tampering, Highly Regulated Identity offers comprehensive confidentiality and integrity protection.\u003C\u002Fp\u003E\u003Cdiv id=\"portal-title-4\"\u003E\u003Cdiv class=\"title-portal-container MuiBox-root css-0\" data-react-universal-portal=\"\"\u003E\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" width=\"16\" height=\"16\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"title-portal-icon css-0\"\u003E\u003Cpath d=\"M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71\"\u003E\u003C\u002Fpath\u003E\u003Cpath d=\"M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71\"\u003E\u003C\u002Fpath\u003E\u003C\u002Fsvg\u003E\u003Cstyle data-emotion=\"css 13g81vv-MuiTypography-root\"\u003E.css-13g81vv-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:1.75rem;line-height:2.25rem;letter-spacing:-0.3px;}@media (max-width:599.95px){.css-13g81vv-MuiTypography-root{font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}}@media (max-width:-0.05px){.css-13g81vv-MuiTypography-root{font-size:1.25rem;line-height:1.75rem;letter-spacing:-0.1px;}}\u003C\u002Fstyle\u003E\u003Ch3 class=\"MuiTypography-root MuiTypography-h3 title-portal-text css-13g81vv-MuiTypography-root\" id=\"protect-sensitive-data-in-the-front-channel\"\u003EProtect sensitive data in the front channel\u003C\u002Fh3\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003ETo protect sensitive data in the front channel, such as a web browser, Highly Regulated Identity offers the following solutions as part of the FAPI 1 Advanced Security profile.\u003C\u002Fp\u003E\u003Cdiv id=\"portal-title-5\"\u003E\u003Cdiv class=\"title-portal-container 
MuiBox-root css-0\" data-react-universal-portal=\"\"\u003E\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" width=\"16\" height=\"16\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"title-portal-icon css-0\"\u003E\u003Cpath d=\"M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71\"\u003E\u003C\u002Fpath\u003E\u003Cpath d=\"M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71\"\u003E\u003C\u002Fpath\u003E\u003C\u002Fsvg\u003E\u003Cstyle data-emotion=\"css 1t6oil-MuiTypography-root\"\u003E.css-1t6oil-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}@media (max-width:599.95px){.css-1t6oil-MuiTypography-root{font-size:1.25rem;line-height:1.75rem;letter-spacing:-0.1px;}}\u003C\u002Fstyle\u003E\u003Ch4 class=\"MuiTypography-root MuiTypography-h4 title-portal-text css-1t6oil-MuiTypography-root\" id=\"pushed-authorization-requests-par-\"\u003EPushed Authorization Requests (PAR)\u003C\u002Fh4\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9126\u002F\"\u003EPAR\u003C\u002Fa\u003E introduces a new endpoint, which allows clients to directly push the payload of an OAuth 2.0 authorization request to the \u003Cdfn id=\"react-containers-DefinitionTooltip-3\"\u003E\u003Cspan class=\"tooltip-portal-underlined-word\" data-mui-internal-clone-element=\"true\" data-react-universal-portal=\"\"\u003Eauthorization server\u003C\u002Fspan\u003E\u003Cstyle data-emotion=\"css 1piulxx-MuiTooltip-popper\" data-react-universal-portal=\"\"\u003E.css-1piulxx-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"bottom\"] 
.MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow::before{transform-origin:100% 0;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow::before{transform-origin:0 0;}\u003C\u002Fstyle\u003E\u003Cstyle data-emotion=\"css 1yddtj5-MuiPopper-root-MuiTooltip-popper\" data-react-universal-portal=\"\"\u003E.css-1yddtj5-MuiPopper-root-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow::before{transform-origin:100% 0;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"left\"] 
.MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow::before{transform-origin:0 0;}\u003C\u002Fstyle\u003E\u003C\u002Fdfn\u003E (i.e. Auth0 in this case). This avoids passing the authorization parameters via the insecure front channel (i.e., the browser), thus reducing the risk of unauthorized access to authorization parameters by an intermediary.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about PAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-par\"\u003EAuthorization Code Flow with Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-par\"\u003EConfigure Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cdiv id=\"portal-title-6\"\u003E\u003Cdiv class=\"title-portal-container MuiBox-root css-0\" data-react-universal-portal=\"\"\u003E\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" width=\"16\" height=\"16\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"title-portal-icon css-0\"\u003E\u003Cpath d=\"M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71\"\u003E\u003C\u002Fpath\u003E\u003Cpath d=\"M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71\"\u003E\u003C\u002Fpath\u003E\u003C\u002Fsvg\u003E\u003Cstyle data-emotion=\"css 1t6oil-MuiTypography-root\"\u003E.css-1t6oil-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}@media 
(max-width:599.95px){.css-1t6oil-MuiTypography-root{font-size:1.25rem;line-height:1.75rem;letter-spacing:-0.1px;}}\u003C\u002Fstyle\u003E\u003Ch4 class=\"MuiTypography-root MuiTypography-h4 title-portal-text css-1t6oil-MuiTypography-root\" id=\"jwt-secured-authorization-request-jar-\"\u003EJWT-Secured Authorization Request (JAR)\u003C\u002Fh4\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9101\u002F\"\u003EJAR\u003C\u002Fa\u003E is an OAuth2 protocol extension that enhances the security of authorization requests. It does so by using a \u003Cdfn id=\"react-containers-DefinitionTooltip-4\"\u003E\u003Cspan class=\"tooltip-portal-underlined-word\" data-mui-internal-clone-element=\"true\" data-react-universal-portal=\"\"\u003EJSON Web Token\u003C\u002Fspan\u003E\u003Cstyle data-emotion=\"css 1piulxx-MuiTooltip-popper\" data-react-universal-portal=\"\"\u003E.css-1piulxx-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow::before{transform-origin:100% 0;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow::before{transform-origin:0 
0;}\u003C\u002Fstyle\u003E\u003Cstyle data-emotion=\"css 1yddtj5-MuiPopper-root-MuiTooltip-popper\" data-react-universal-portal=\"\"\u003E.css-1yddtj5-MuiPopper-root-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow::before{transform-origin:100% 0;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow::before{transform-origin:0 0;}\u003C\u002Fstyle\u003E\u003C\u002Fdfn\u003E (JWT) request parameter to protect the integrity and, optionally, the confidentiality of the authorization request parameters.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-jar\"\u003EAuthorization Code Flow with JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-jar\"\u003EConfigure JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cdiv 
id=\"portal-title-7\"\u003E\u003Cdiv class=\"title-portal-container MuiBox-root css-0\" data-react-universal-portal=\"\"\u003E\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" width=\"16\" height=\"16\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"title-portal-icon css-0\"\u003E\u003Cpath d=\"M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71\"\u003E\u003C\u002Fpath\u003E\u003Cpath d=\"M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71\"\u003E\u003C\u002Fpath\u003E\u003C\u002Fsvg\u003E\u003Cstyle data-emotion=\"css 1t6oil-MuiTypography-root\"\u003E.css-1t6oil-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}@media (max-width:599.95px){.css-1t6oil-MuiTypography-root{font-size:1.25rem;line-height:1.75rem;letter-spacing:-0.1px;}}\u003C\u002Fstyle\u003E\u003Ch4 class=\"MuiTypography-root MuiTypography-h4 title-portal-text css-1t6oil-MuiTypography-root\" id=\"protect-sensitive-data-in-access-tokens\"\u003EProtect sensitive data in access tokens\u003C\u002Fh4\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003ETo protect the authorization details included in access tokens, Highly Regulated Identity provides support for using \u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc7516\"\u003EJSON Web Encryption (JWE)\u003C\u002Fa\u003E to encrypt the payload of access tokens. 
This protects the authorization details carried in access tokens from exposure in application-side data breaches and from unauthorized inspection of API calls by intermediaries.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JWE, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fjson-web-encryption\"\u003EJSON Web Encryption\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-json-web-encryption\"\u003EConfigure JSON Web Encryption\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cdiv id=\"portal-title-8\"\u003E\u003Cdiv class=\"title-portal-container MuiBox-root css-0\" data-react-universal-portal=\"\"\u003E\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" width=\"16\" height=\"16\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"title-portal-icon css-0\"\u003E\u003Cpath d=\"M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71\"\u003E\u003C\u002Fpath\u003E\u003Cpath d=\"M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71\"\u003E\u003C\u002Fpath\u003E\u003C\u002Fsvg\u003E\u003Cstyle data-emotion=\"css r3xy45-MuiTypography-root\"\u003E.css-r3xy45-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:2rem;line-height:2.5rem;letter-spacing:-0.5px;}@media (max-width:599.95px){.css-r3xy45-MuiTypography-root{font-size:1.75rem;line-height:2.25rem;letter-spacing:-0.3px;}}@media (max-width:-0.05px){.css-r3xy45-MuiTypography-root{font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}}\u003C\u002Fstyle\u003E\u003Ch2 class=\"MuiTypography-root MuiTypography-h2 title-portal-text css-r3xy45-MuiTypography-root\" id=\"stronger-application-authentication\"\u003EStronger application authentication\u003C\u002Fh2\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003ETo improve your application authentication security, Highly Regulated 
Identity offers two different alternatives as part of the FAPI 1 Advanced Security profile:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"http:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Fdraft-ietf-oauth-jwt-bearer\"\u003EPrivate Key JWT\u003C\u002Fa\u003E: involves generating a public-private key pair to use as credentials to authenticate an application. It is already available for customers on the Enterprise plan. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fapplication-credentials#private-key-jwt-authentication\"\u003EPrivate Key JWT Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc8705\"\u003EmTLS for OAuth\u003C\u002Fa\u003E: involves registering a standard X.509 certificate linked to an application on your tenant. The certificate can either be CA-issued or self-signed. Following standard mTLS procedures, the private key corresponding to the certificate is used on the client side to establish the mTLS tunnel when sending requests to your Auth0 tenant endpoints. As a result, Auth0 can authenticate the application without transmitting secrets over the network. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthenticate-with-mtls\"\u003EmTLS for OAuth\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EWith both Private Key JWT and OAuth 2.0 mTLS, you can rotate credentials with zero downtime by temporarily keeping two active keys and\u002For certificates at the same time for a given application.\u003C\u002Fp\u003E\u003Cdiv id=\"portal-title-9\"\u003E\u003Cdiv class=\"title-portal-container MuiBox-root css-0\" data-react-universal-portal=\"\"\u003E\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" width=\"16\" height=\"16\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"title-portal-icon css-0\"\u003E\u003Cpath d=\"M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71\"\u003E\u003C\u002Fpath\u003E\u003Cpath d=\"M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71\"\u003E\u003C\u002Fpath\u003E\u003C\u002Fsvg\u003E\u003Cstyle data-emotion=\"css r3xy45-MuiTypography-root\"\u003E.css-r3xy45-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:2rem;line-height:2.5rem;letter-spacing:-0.5px;}@media (max-width:599.95px){.css-r3xy45-MuiTypography-root{font-size:1.75rem;line-height:2.25rem;letter-spacing:-0.3px;}}@media (max-width:-0.05px){.css-r3xy45-MuiTypography-root{font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}}\u003C\u002Fstyle\u003E\u003Ch2 class=\"MuiTypography-root MuiTypography-h2 title-portal-text css-r3xy45-MuiTypography-root\" id=\"protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fh2\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003ESupporting mTLS also adds the ability to use Token Binding or Sender Constraining. 
Token Binding associates the thumbprint of the client certificate used for establishing the mTLS tunnel with an access token. When the client consumes an API using the certificate-bound access token, the API server is then able to verify whether the client is also using the associated client certificate. As a result, even if the access token is compromised, malicious actors who don’t hold the private key for the associated client certificate still cannot access protected resources.\u003C\u002Fp\u003E\u003Cp\u003E\u003Cb\u003ENote:\u003C\u002Fb\u003E Token Binding operates independently of the application's authentication method and does not require the pre-registration of the client certificate. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-sender-constraining\"\u003EConfigure Sender Constraining\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cdiv id=\"portal-title-10\"\u003E\u003Cdiv class=\"title-portal-container MuiBox-root css-0\" data-react-universal-portal=\"\"\u003E\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" width=\"16\" height=\"16\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"title-portal-icon css-0\"\u003E\u003Cpath d=\"M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71\"\u003E\u003C\u002Fpath\u003E\u003Cpath d=\"M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71\"\u003E\u003C\u002Fpath\u003E\u003C\u002Fsvg\u003E\u003Cstyle data-emotion=\"css r3xy45-MuiTypography-root\"\u003E.css-r3xy45-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:2rem;line-height:2.5rem;letter-spacing:-0.5px;}@media (max-width:599.95px){.css-r3xy45-MuiTypography-root{font-size:1.75rem;line-height:2.25rem;letter-spacing:-0.3px;}}@media 
(max-width:-0.05px){.css-r3xy45-MuiTypography-root{font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}}\u003C\u002Fstyle\u003E\u003Ch2 class=\"MuiTypography-root MuiTypography-h2 title-portal-text css-r3xy45-MuiTypography-root\" id=\"customizable-approval-flows-for-better-user-experience\"\u003ECustomizable approval flows for better user experience\u003C\u002Fh2\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003EWhen designing real-world solutions for financial-grade security, it’s important to consider user experience. Applying one-size-fits-all authentication flows for all transactions is not as effective as dynamically adjusting based on transaction details and use cases. \u003C\u002Fp\u003E\u003Cp\u003EYou can customize your authentication flow using \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E. For example, after the user logs in, you can inspect transaction details received via RAR, list the user’s enrolled and already validated authentication factors, and use external services, such as risk evaluation engines, to determine the next authentication factor to use. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E. 
\u003C\u002Fp\u003E\u003Cp\u003EThe New \u003Cdfn id=\"react-containers-DefinitionTooltip-5\"\u003E\u003Cspan class=\"tooltip-portal-underlined-word\" data-mui-internal-clone-element=\"true\" data-react-universal-portal=\"\"\u003EUniversal Login\u003C\u002Fspan\u003E\u003Cstyle data-emotion=\"css 1piulxx-MuiTooltip-popper\" data-react-universal-portal=\"\"\u003E.css-1piulxx-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow::before{transform-origin:100% 0;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow::before{transform-origin:0 0;}\u003C\u002Fstyle\u003E\u003Cstyle data-emotion=\"css 1yddtj5-MuiPopper-root-MuiTooltip-popper\" data-react-universal-portal=\"\"\u003E.css-1yddtj5-MuiPopper-root-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"top\"] 
.MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow::before{transform-origin:100% 0;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow::before{transform-origin:0 0;}\u003C\u002Fstyle\u003E\u003C\u002Fdfn\u003E templates also enable you to customize the attributes displayed on the transaction approval screen depending on the type of transaction and other authorization details. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-rich-authorization-requests\"\u003EConfigure Rich Authorization Requests (RAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F7eBJA1IPsCIZubFKEtHh3m\u002F8ec245ebd3bab775e9ba12fbe7f4096c\u002Fimage2.png\" alt=\"\"\u003E\u003Cdiv id=\"portal-title-11\"\u003E\u003Cdiv class=\"title-portal-container MuiBox-root css-0\" data-react-universal-portal=\"\"\u003E\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" width=\"16\" height=\"16\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"title-portal-icon css-0\"\u003E\u003Cpath d=\"M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71\"\u003E\u003C\u002Fpath\u003E\u003Cpath d=\"M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71\"\u003E\u003C\u002Fpath\u003E\u003C\u002Fsvg\u003E\u003Cstyle data-emotion=\"css 
r3xy45-MuiTypography-root\"\u003E.css-r3xy45-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:2rem;line-height:2.5rem;letter-spacing:-0.5px;}@media (max-width:599.95px){.css-r3xy45-MuiTypography-root{font-size:1.75rem;line-height:2.25rem;letter-spacing:-0.3px;}}@media (max-width:-0.05px){.css-r3xy45-MuiTypography-root{font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}}\u003C\u002Fstyle\u003E\u003Ch2 class=\"MuiTypography-root MuiTypography-h2 title-portal-text css-r3xy45-MuiTypography-root\" id=\"learn-more\"\u003ELearn more\u003C\u002Fh2\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003ETo learn how Highly Regulated Identity works from end-to-end to authorize a one-time transaction, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca\"\u003ETransactional Authorization with Contextual Strong Customer Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E","meta":{"portals":[{"component":"Title","containerID":"portal-title-0","props":{"children":"\u003Ch2 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fh2\u003E","anchor":"advanced-security-with-openid-connect-fapi-","tag":"h2","meta":{"title":"Highly Regulated Identity","updatedAt":"2024-08-27T20:23:14.565Z","contentfulId":"4MXfmXwd6WcsLjH3kFpOcv","type":"article","description":"Learn about Highly Regulated Identity, Auth0's Financial-Grade Identity solution. 
","hash":"highly-regulated-identity","sections":["secure","highly-regulated-identity"],"toc":false,"public":true,"parent":null,"referenceLinks":null,"content":"\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"default\"\u003E\u003Cp\u003ETo use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fpricing\u002F\"\u003EAuth0 Pricing\u003C\u002Fa\u003E for details.\u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EHighly Regulated Identity (HRI) is Auth0’s Financial-Grade Identity™ solution to secure sensitive data operations and services important for your business. Initially targeting highly regulated industries like finance and healthcare, Highly Regulated Identity raises the security level to protect a wide range of customer use cases, including but not limited to money transfers, digital payments, and access to medical records. You can also use Highly Regulated Identity for other sensitive operations that require enhanced security, such as to approve changes in administrative credentials, secure privileged access to a web portal, and more. 
\u003C\u002Fp\u003E\u003Cp\u003ETo secure your sensitive business operations, Highly Regulated Identity provides:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#advanced-security-with-openid-connect-fapi-\"\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#strong-customer-authentication-sca-\"\u003EStrong Customer Authentication (SCA)\u003C\u002Fa\u003E and \u003Ca href=\"#dynamic-linking\"\u003EDynamic Linking\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#customizable-approval-flows-for-better-user-experience\"\u003ECustomizable approval flows for better user experience\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fh2\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EOpenID FAPI\u003C\u002Fa\u003E is a suite of security and privacy specifications developed by the \u003Cdfn data-key=\"openid\"\u003EOpenID\u003C\u002Fdfn\u003E Foundation. 
APIs that meet the FAPI standards are classified as “financial-grade,” which means that they provide robust authentication and authorization mechanisms that help secure access to financial and other sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003EAuth0 is a certified FAPI provider. To learn more about the security improvements we introduced to meet FAPI standards, see the following sections:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EFor more information on FAPI, see OpenID's \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwordpress-content\u002Fuploads\u002F2022\u002F03\u002FOIDF-Whitepaper_Open-Banking-Open-Data-and-Financial-Grade-APIs_2022-03-16.pdf\"\u003EOpen Banking, Open Data, and Financial-grade APIs\u003C\u002Fa\u003E whitepaper and the \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EFAPI Working Group specifications\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F20iajPMtmICMORUfaVQH7a\u002Fec900e1007b3faebd66eb2508f46acb0\u002Fimage17.png\" alt=\"\"\u003E\u003Ch2\u003EStrong Customer Authentication (SCA)\u003C\u002Fh2\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F3JDIerJcevImoIDRd7OfIy\u002F98597a9164b66cde9ec7ddc23f3e849b\u002Fimage14.png\" alt=\"\"\u003E\u003Cp\u003EIntroduced by Europe’s \u003Ca 
href=\"https:\u002F\u002Fwww.europeanpaymentscouncil.eu\u002Fsites\u002Fdefault\u002Ffiles\u002Finfographic\u002F2018-04\u002FEPC_Infographic_PSD2_April%202018.pdf\"\u003EPayment Services Directive (PSD2)\u003C\u002Fa\u003E, Strong Customer Authentication (SCA), mandates the use of at least two distinct authentication factors out of the following three:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003ESomething the user knows (e.g., a password)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething the user possesses (e.g., a device)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething intrinsic to the user (e.g., a fingerprint)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EThe authentication factors must be independent so that compromising one does not jeopardize the others. SCA is quickly becoming the worldwide standard for safeguarding sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003ETo help with SCA compliance, Auth0 offers various authentication factors that enroll and challenge users during a login transaction. Highly Regulated Identity leverages the following authentication factors to secure your transactions: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EMobile push notifications\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESMS\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EEmail\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EWebAuthn\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EUsing \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E, you can dynamically determine which authentication factors to use. This gives you the flexibility to customize your code logic. For example, you can add a second authentication factor for payments above 10 USD. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EDynamic Linking\u003C\u002Fh2\u003E\u003Cp\u003EPSD2 requires that payment service providers implement Dynamic Linking along with Strong Customer Authentication. Dynamic Linking presents the user with transaction details for their explicit validation and approval and uniquely links the authorization and the transaction details. This ensures a good user experience and helps with regulatory compliance.\u003C\u002Fp\u003E\u003Cp\u003ETo enable Dynamic Linking, you can use Rich Authorization Requests (RAR) to pass fine-grained transaction authorization data to the \u003Cdfn data-key=\"oath2\"\u003EOAuth\u003C\u002Fdfn\u003E authorization endpoint. The following code sample shows an \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E JSON object, which contains information like the payment type, amount, currency, and recipient:\u003C\u002Fp\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode\u003E\"authorization_details\": [\n {\n \"type\": \"one_time_payment\",\n \"amount\": {\n \"amount\": 2460.46,\n \"currency\": \"USD\"\n },\n \"sourceAccount\": \"xxxxxxxxxxx4567\",\n \"recipient\": \"Acme Travel, Inc.\",\n \"concept\": \"All Inclusive Resort Package for Two\"\n }\n]\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003E\u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E is assigned a unique transaction reference, which Auth0 uses to prompt the user to perform step-up authentication: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EUse push notifications to show transaction details and get approval on a separate device such as a mobile phone application.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EUse SMS, email, or WebAuthn to 
confirm the details on the device that originated the transaction after the user completes the second authentication factor.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"warning\"\u003E\u003Cp\u003EDo not pass fine-grained transaction authorization data or other sensitive or regulated data outside of \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E. \u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EIf the user confirms the details, the transaction progresses and Auth0 issues an \u003Cdfn data-key=\"access-token\"\u003Eaccess token\u003C\u002Fdfn\u003E associated with the now-approved authorization_details. Developers can also add the unique transaction reference to the access token. As a result, your API servers can later validate the approved transaction details when receiving and servicing API requests.\n\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about RAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-rar\"\u003EAuthorization Code Flow with Rich Authorization Requests\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EConfidentiality and integrity protection\u003C\u002Fh2\u003E\u003Cp\u003EAuthorization details may include account numbers, monetary amounts, merchant names, and other highly sensitive information that are passed in URLs or access tokens that are not secure. 
To protect sensitive data from unauthorized access and tampering, Highly Regulated Identity offers comprehensive confidentiality and integrity protection.\u003C\u002Fp\u003E\u003Ch3\u003EProtect sensitive data in the front channel\u003C\u002Fh3\u003E\u003Cp\u003ETo protect sensitive data in the front channel, such as a web browser, Highly Regulated Identity offers the following solutions as part of the FAPI 1 Advanced Security profile.\u003C\u002Fp\u003E\u003Ch4\u003EPushed Authorization Requests (PAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9126\u002F\"\u003EPAR\u003C\u002Fa\u003E introduces a new endpoint, which allows clients to directly push the payload of an OAuth 2.0 authorization request to the \u003Cdfn data-key=\"authorization-server\"\u003Eauthorization server\u003C\u002Fdfn\u003E (i.e. Auth0 in this case). This avoids passing the authorization parameters via the insecure front channel (i.e., the browser), thus reducing the risk of unauthorized access to authorization parameters by an intermediary.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about PAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-par\"\u003EAuthorization Code Flow with Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-par\"\u003EConfigure Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EJWT-Secured Authorization Request (JAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9101\u002F\"\u003EJAR\u003C\u002Fa\u003E is an OAuth2 protocol extension that enhances the security of authorization requests. 
It does so by using a \u003Cdfn data-key=\"json-web-token\"\u003EJSON Web Token\u003C\u002Fdfn\u003E (JWT) request parameter to protect the integrity and, optionally, the confidentiality of the authorization request parameters.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-jar\"\u003EAuthorization Code Flow with JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-jar\"\u003EConfigure JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EProtect sensitive data in access tokens\u003C\u002Fh4\u003E\u003Cp\u003ETo protect the authorization details included in access tokens, Highly Regulated Identity provides support for using \u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc7516\"\u003EJSON Web Encryption (JWE)\u003C\u002Fa\u003E to encrypt the payload of access tokens. 
This protects access tokens from application-side data breaches and unauthorized inspection into API calls by intermediaries.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JWE, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fjson-web-encryption\"\u003EJSON Web Encryption\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-json-web-encryption\"\u003EConfigure JSON Web Encryption\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EStronger application authentication\u003C\u002Fh2\u003E\u003Cp\u003ETo improve your application authentication security, Highly Regulated Identity offers two different alternatives as part of the FAPI 1 Advanced Security profile:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"http:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Fdraft-ietf-oauth-jwt-bearer\"\u003EPrivate Key JWT\u003C\u002Fa\u003E: involves generating a public-private key pair to use as credentials to authenticate an application. It is already available for customers on the Enterprise plan. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fapplication-credentials#private-key-jwt-authentication\"\u003EPrivate Key JWT Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc8705\"\u003EmTLS for OAuth\u003C\u002Fa\u003E: involves registering a standard X.509 certificate linked to an application on your tenant. The certificate can either be CA-issued or self-signed. Following standard mTLS procedures, the private key corresponding to the certificate is used on the client side to establish the mTLS tunnel when sending requests to your Auth0 tenant endpoints. As a result, Auth0 can authenticate the application without transmitting secrets over the network. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthenticate-with-mtls\"\u003EmTLS for OAuth\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EWith both Private Key JWT and OAuth 2.0 mTLS, you can rotate credentials with zero downtime by temporarily keeping two active keys and\u002For certificates at the same time for a given application.\u003C\u002Fp\u003E\u003Ch2\u003EProtect access tokens with Token Binding\u003C\u002Fh2\u003E\u003Cp\u003ESupporting mTLS also adds the ability to use Token Binding or Sender Constraining. Token Binding associates the thumbprint of the client certificate used for establishing the mTLS tunnel with an access token. When the client consumes an API using the certificate-bound access token, the API server is then able to verify whether the client is also using the associated client certificate. As a result, even if the access token is compromised, malicious actors who cannot prove possession of the private key for the associated client certificate still cannot access protected resources.\u003C\u002Fp\u003E\u003Cp\u003E\u003Cb\u003ENote:\u003C\u002Fb\u003E Token Binding operates independently of the application's authentication method and does not require the pre-registration of the client certificate. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-sender-constraining\"\u003EConfigure Sender Constraining\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003ECustomizable approval flows for better user experience\u003C\u002Fh2\u003E\u003Cp\u003EWhen designing real-world solutions for financial-grade security, it’s important to consider user experience. Applying one-size-fits-all authentication flows for all transactions is not as effective as dynamically adjusting based on transaction details and use cases. 
\u003C\u002Fp\u003E\u003Cp\u003EYou can customize your authentication flow using \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E. For example, after the user logs in, you can inspect transaction details received via RAR, list the user’s enrolled and already validated authentication factors, and use external services, such as risk evaluation engines, to determine the next authentication factor to use. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E. \u003C\u002Fp\u003E\u003Cp\u003EThe New \u003Cdfn data-key=\"universal-login\"\u003EUniversal Login\u003C\u002Fdfn\u003E templates also enable you to customize the attributes displayed on the transaction approval screen depending on the type of transaction and other authorization details. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-rich-authorization-requests\"\u003EConfigure Rich Authorization Requests (RAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F7eBJA1IPsCIZubFKEtHh3m\u002F8ec245ebd3bab775e9ba12fbe7f4096c\u002Fimage2.png\" alt=\"\"\u003E\u003Ch2\u003E\u003Cb\u003ELearn more\u003C\u002Fb\u003E\u003C\u002Fh2\u003E\u003Cp\u003ETo learn how Highly Regulated Identity works from end-to-end to authorize a one-time transaction, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca\"\u003ETransactional Authorization with Contextual Strong Customer Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E","sitemap":true,"breadcrumbs":[{"title":"Secure","path":"\u002Fsecure","url":"\u002Fdocs\u002Fsecure"},{"title":"Highly Regulated 
Identity","path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity"}],"path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity","routeName":"article","section":"articles","titles":[{"content":"Advanced security with OpenID Connect (FAPI)","anchor":"advanced-security-with-openid-connect-fapi-","level":2},{"content":"Strong Customer Authentication (SCA)","anchor":"strong-customer-authentication-sca-","level":2},{"content":"Dynamic Linking","anchor":"dynamic-linking","level":2},{"content":"Confidentiality and integrity protection","anchor":"confidentiality-and-integrity-protection","level":2},{"content":"Protect sensitive data in the front channel","anchor":"protect-sensitive-data-in-the-front-channel","level":3},{"content":"Pushed Authorization Requests (PAR)","anchor":"pushed-authorization-requests-par-","level":4},{"content":"JWT-Secured Authorization Request (JAR)","anchor":"jwt-secured-authorization-request-jar-","level":4},{"content":"Protect sensitive data in access tokens","anchor":"protect-sensitive-data-in-access-tokens","level":4},{"content":"Stronger application authentication","anchor":"stronger-application-authentication","level":2},{"content":"Protect access tokens with Token Binding","anchor":"protect-access-tokens-with-token-binding","level":2},{"content":"Customizable approval flows for better user experience","anchor":"customizable-approval-flows-for-better-user-experience","level":2},{"content":"Learn more","anchor":"learn-more","level":2}]},"title":"Advanced security with OpenID Connect (FAPI)"}},{"component":"Title","containerID":"portal-title-1","props":{"children":"\u003Ch2 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EStrong Customer Authentication 
(SCA)\u003C\u002Fh2\u003E","anchor":"strong-customer-authentication-sca-","tag":"h2","meta":{"title":"Highly Regulated Identity","updatedAt":"2024-08-27T20:23:14.565Z","contentfulId":"4MXfmXwd6WcsLjH3kFpOcv","type":"article","description":"Learn about Highly Regulated Identity, Auth0's Financial-Grade Identity solution. ","hash":"highly-regulated-identity","sections":["secure","highly-regulated-identity"],"toc":false,"public":true,"parent":null,"referenceLinks":null,"content":"\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"default\"\u003E\u003Cp\u003ETo use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fpricing\u002F\"\u003EAuth0 Pricing\u003C\u002Fa\u003E for details.\u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EHighly Regulated Identity (HRI) is Auth0’s Financial-Grade Identity™ solution to secure sensitive data operations and services important for your business. Initially targeting highly regulated industries like finance and healthcare, Highly Regulated Identity raises the security level to protect a wide range of customer use cases, including but not limited to money transfers, digital payments, and access to medical records. You can also use Highly Regulated Identity for other sensitive operations that require enhanced security, such as to approve changes in administrative credentials, secure privileged access to a web portal, and more. 
\u003C\u002Fp\u003E\u003Cp\u003ETo secure your sensitive business operations, Highly Regulated Identity provides:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#advanced-security-with-openid-connect-fapi-\"\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#strong-customer-authentication-sca-\"\u003EStrong Customer Authentication (SCA)\u003C\u002Fa\u003E and \u003Ca href=\"#dynamic-linking\"\u003EDynamic Linking\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#customizable-approval-flows-for-better-user-experience\"\u003ECustomizable approval flows for better user experience\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fh2\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EOpenID FAPI\u003C\u002Fa\u003E is a suite of security and privacy specifications developed by the \u003Cdfn data-key=\"openid\"\u003EOpenID\u003C\u002Fdfn\u003E Foundation. 
APIs that meet the FAPI standards are classified as “financial-grade,” which means that they provide robust authentication and authorization mechanisms that help secure access to financial and other sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003EAuth0 is a certified FAPI provider. To learn more about the security improvements we introduced to meet FAPI standards, see the following sections:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EFor more information on FAPI, see OpenID's \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwordpress-content\u002Fuploads\u002F2022\u002F03\u002FOIDF-Whitepaper_Open-Banking-Open-Data-and-Financial-Grade-APIs_2022-03-16.pdf\"\u003EOpen Banking, Open Data, and Financial-grade APIs\u003C\u002Fa\u003E whitepaper and the \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EFAPI Working Group specifications\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F20iajPMtmICMORUfaVQH7a\u002Fec900e1007b3faebd66eb2508f46acb0\u002Fimage17.png\" alt=\"\"\u003E\u003Ch2\u003EStrong Customer Authentication (SCA)\u003C\u002Fh2\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F3JDIerJcevImoIDRd7OfIy\u002F98597a9164b66cde9ec7ddc23f3e849b\u002Fimage14.png\" alt=\"\"\u003E\u003Cp\u003EIntroduced by Europe’s \u003Ca 
href=\"https:\u002F\u002Fwww.europeanpaymentscouncil.eu\u002Fsites\u002Fdefault\u002Ffiles\u002Finfographic\u002F2018-04\u002FEPC_Infographic_PSD2_April%202018.pdf\"\u003EPayment Services Directive (PSD2)\u003C\u002Fa\u003E, Strong Customer Authentication (SCA), mandates the use of at least two distinct authentication factors out of the following three:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003ESomething the user knows (e.g., a password)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething the user possesses (e.g., a device)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething intrinsic to the user (e.g., a fingerprint)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EThe authentication factors must be independent so that compromising one does not jeopardize the others. SCA is quickly becoming the worldwide standard for safeguarding sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003ETo help with SCA compliance, Auth0 offers various authentication factors that enroll and challenge users during a login transaction. Highly Regulated Identity leverages the following authentication factors to secure your transactions: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EMobile push notifications\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESMS\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EEmail\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EWebAuthn\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EUsing \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E, you can dynamically determine which authentication factors to use. This gives you the flexibility to customize your code logic. For example, you can add a second authentication factor for payments above 10 USD. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EDynamic Linking\u003C\u002Fh2\u003E\u003Cp\u003EPSD2 requires that payment service providers implement Dynamic Linking along with Strong Customer Authentication. Dynamic Linking presents the user with transaction details for their explicit validation and approval and uniquely links the authorization and the transaction details. This ensures a good user experience and helps with regulatory compliance.\u003C\u002Fp\u003E\u003Cp\u003ETo enable Dynamic Linking, you can use Rich Authorization Requests (RAR) to pass fine-grained transaction authorization data to the \u003Cdfn data-key=\"oath2\"\u003EOAuth\u003C\u002Fdfn\u003E authorization endpoint. The following code sample shows an \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E JSON object, which contains information like the payment type, amount, currency, and recipient:\u003C\u002Fp\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode\u003E\"authorization_details\": [\n {\n \"type\": \"one_time_payment\",\n \"amount\": {\n \"amount\": 2460.46,\n \"currency\": \"USD\"\n },\n \"sourceAccount\": \"xxxxxxxxxxx4567\",\n \"recipient\": \"Acme Travel, Inc.\",\n \"concept\": \"All Inclusive Resort Package for Two\"\n }\n]\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003E\u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E is assigned a unique transaction reference, which Auth0 uses to prompt the user to perform step-up authentication: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EUse push notifications to show transaction details and get approval on a separate device such as a mobile phone application.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EUse SMS, email, or WebAuthn to 
confirm the details on the device that originated the transaction after the user completes the second authentication factor.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"warning\"\u003E\u003Cp\u003EDo not pass fine-grained transaction authorization data or other sensitive or regulated data outside of \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E. \u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EIf the user confirms the details, the transaction progresses and Auth0 issues an \u003Cdfn data-key=\"access-token\"\u003Eaccess token\u003C\u002Fdfn\u003E associated with the now-approved authorization_details. Developers can also add the unique transaction reference to the access token. As a result, your API servers can later validate the approved transaction details when receiving and servicing API requests.\n\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about RAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-rar\"\u003EAuthorization Code Flow with Rich Authorization Requests\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EConfidentiality and integrity protection\u003C\u002Fh2\u003E\u003Cp\u003EAuthorization details may include account numbers, monetary amounts, merchant names, and other highly sensitive information that are passed in URLs or access tokens that are not secure. 
To protect sensitive data from unauthorized access and tampering, Highly Regulated Identity offers comprehensive confidentiality and integrity protection.\u003C\u002Fp\u003E\u003Ch3\u003EProtect sensitive data in the front channel\u003C\u002Fh3\u003E\u003Cp\u003ETo protect sensitive data in the front channel, such as a web browser, Highly Regulated Identity offers the following solutions as part of the FAPI 1 Advanced Security profile.\u003C\u002Fp\u003E\u003Ch4\u003EPushed Authorization Requests (PAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9126\u002F\"\u003EPAR\u003C\u002Fa\u003E introduces a new endpoint, which allows clients to directly push the payload of an OAuth 2.0 authorization request to the \u003Cdfn data-key=\"authorization-server\"\u003Eauthorization server\u003C\u002Fdfn\u003E (i.e. Auth0 in this case). This avoids passing the authorization parameters via the insecure front channel (i.e., the browser), thus reducing the risk of unauthorized access to authorization parameters by an intermediary.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about PAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-par\"\u003EAuthorization Code Flow with Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-par\"\u003EConfigure Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EJWT-Secured Authorization Request (JAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9101\u002F\"\u003EJAR\u003C\u002Fa\u003E is an OAuth2 protocol extension that enhances the security of authorization requests. 
It does so by using a \u003Cdfn data-key=\"json-web-token\"\u003EJSON Web Token\u003C\u002Fdfn\u003E (JWT) request parameter to protect the integrity and, optionally, the confidentiality of the authorization request parameters.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-jar\"\u003EAuthorization Code Flow with JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-jar\"\u003EConfigure JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EProtect sensitive data in access tokens\u003C\u002Fh4\u003E\u003Cp\u003ETo protect the authorization details included in access tokens, Highly Regulated Identity provides support for using \u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc7516\"\u003EJSON Web Encryption (JWE)\u003C\u002Fa\u003E to encrypt the payload of access tokens. 
This protects access tokens from application-side data breaches and unauthorized inspection into API calls by intermediaries.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JWE, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fjson-web-encryption\"\u003EJSON Web Encryption\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-json-web-encryption\"\u003EConfigure JSON Web Encryption\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EStronger application authentication\u003C\u002Fh2\u003E\u003Cp\u003ETo improve your application authentication security, Highly Regulated Identity offers two different alternatives as part of the FAPI 1 Advanced Security profile:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"http:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Fdraft-ietf-oauth-jwt-bearer\"\u003EPrivate Key JWT\u003C\u002Fa\u003E: involves generating a public-private key pair to use as credentials to authenticate an application. It is already available for customers on the Enterprise plan. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fapplication-credentials#private-key-jwt-authentication\"\u003EPrivate Key JWT Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc8705\"\u003EmTLS for OAuth\u003C\u002Fa\u003E: involves registering a standard X.509 certificate linked to an application on your tenant. The certificate can either be CA-issued or self-signed. Following standard mTLS procedures, the private key corresponding to the certificate is used on the client side to establish the mTLS tunnel when sending requests to your Auth0 tenant endpoints. As a result, Auth0 can authenticate the application without transmitting secrets over the network. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthenticate-with-mtls\"\u003EmTLS for OAuth\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EWith both Private Key JWT and OAuth 2.0 mTLS, you can rotate credentials with zero downtime by temporarily keeping two active keys and\u002For certificates at the same time for a given application.\u003C\u002Fp\u003E\u003Ch2\u003EProtect access tokens with Token Binding\u003C\u002Fh2\u003E\u003Cp\u003ESupporting mTLS also adds the ability to use Token Binding or Sender Constraining. Token Binding associates the thumbprint of the client certificate used for establishing the mTLS tunnel with an access token. When the client consumes an API using the certificate-bound access token, the API server is then able to verify whether the client is also using the associated client certificate. As a result, even if the access token is compromised, malicious actors who do not hold the private key for that client certificate still cannot use the token to access protected resources.\u003C\u002Fp\u003E\u003Cp\u003E\u003Cb\u003ENote:\u003C\u002Fb\u003E Token Binding operates independently of the application's authentication method and does not require the pre-registration of the client certificate. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-sender-constraining\"\u003EConfigure Sender Constraining\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003ECustomizable approval flows for better user experience\u003C\u002Fh2\u003E\u003Cp\u003EWhen designing real-world solutions for financial-grade security, it’s important to consider user experience. Applying one-size-fits-all authentication flows for all transactions is not as effective as dynamically adjusting based on transaction details and use cases. 
\u003C\u002Fp\u003E\u003Cp\u003EYou can customize your authentication flow using \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E. For example, after the user logs in, you can inspect transaction details received via RAR, list the user’s enrolled and already validated authentication factors, and use external services, such as risk evaluation engines, to determine the next authentication factor to use. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E. \u003C\u002Fp\u003E\u003Cp\u003EThe New \u003Cdfn data-key=\"universal-login\"\u003EUniversal Login\u003C\u002Fdfn\u003E templates also enable you to customize the attributes displayed on the transaction approval screen depending on the type of transaction and other authorization details. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-rich-authorization-requests\"\u003EConfigure Rich Authorization Requests (RAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F7eBJA1IPsCIZubFKEtHh3m\u002F8ec245ebd3bab775e9ba12fbe7f4096c\u002Fimage2.png\" alt=\"\"\u003E\u003Ch2\u003E\u003Cb\u003ELearn more\u003C\u002Fb\u003E\u003C\u002Fh2\u003E\u003Cp\u003ETo learn how Highly Regulated Identity works from end-to-end to authorize a one-time transaction, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca\"\u003ETransactional Authorization with Contextual Strong Customer Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E","sitemap":true,"breadcrumbs":[{"title":"Secure","path":"\u002Fsecure","url":"\u002Fdocs\u002Fsecure"},{"title":"Highly Regulated 
Identity","path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity"}],"path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity","routeName":"article","section":"articles","titles":[{"content":"Advanced security with OpenID Connect (FAPI)","anchor":"advanced-security-with-openid-connect-fapi-","level":2},{"content":"Strong Customer Authentication (SCA)","anchor":"strong-customer-authentication-sca-","level":2},{"content":"Dynamic Linking","anchor":"dynamic-linking","level":2},{"content":"Confidentiality and integrity protection","anchor":"confidentiality-and-integrity-protection","level":2},{"content":"Protect sensitive data in the front channel","anchor":"protect-sensitive-data-in-the-front-channel","level":3},{"content":"Pushed Authorization Requests (PAR)","anchor":"pushed-authorization-requests-par-","level":4},{"content":"JWT-Secured Authorization Request (JAR)","anchor":"jwt-secured-authorization-request-jar-","level":4},{"content":"Protect sensitive data in access tokens","anchor":"protect-sensitive-data-in-access-tokens","level":4},{"content":"Stronger application authentication","anchor":"stronger-application-authentication","level":2},{"content":"Protect access tokens with Token Binding","anchor":"protect-access-tokens-with-token-binding","level":2},{"content":"Customizable approval flows for better user experience","anchor":"customizable-approval-flows-for-better-user-experience","level":2},{"content":"Learn more","anchor":"learn-more","level":2}]},"title":"Strong Customer Authentication (SCA)"}},{"component":"Title","containerID":"portal-title-2","props":{"children":"\u003Ch2 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EDynamic Linking\u003C\u002Fh2\u003E","anchor":"dynamic-linking","tag":"h2","meta":{"title":"Highly Regulated 
Identity","updatedAt":"2024-08-27T20:23:14.565Z","contentfulId":"4MXfmXwd6WcsLjH3kFpOcv","type":"article","description":"Learn about Highly Regulated Identity, Auth0's Financial-Grade Identity solution. ","hash":"highly-regulated-identity","sections":["secure","highly-regulated-identity"],"toc":false,"public":true,"parent":null,"referenceLinks":null,"content":"\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"default\"\u003E\u003Cp\u003ETo use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fpricing\u002F\"\u003EAuth0 Pricing\u003C\u002Fa\u003E for details.\u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EHighly Regulated Identity (HRI) is Auth0’s Financial-Grade Identity™ solution to secure sensitive data operations and services important for your business. Initially targeting highly regulated industries like finance and healthcare, Highly Regulated Identity raises the security level to protect a wide range of customer use cases, including but not limited to money transfers, digital payments, and access to medical records. You can also use Highly Regulated Identity for other sensitive operations that require enhanced security, such as to approve changes in administrative credentials, secure privileged access to a web portal, and more. 
\u003C\u002Fp\u003E\u003Cp\u003ETo secure your sensitive business operations, Highly Regulated Identity provides:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#advanced-security-with-openid-connect-fapi-\"\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#strong-customer-authentication-sca-\"\u003EStrong Customer Authentication (SCA)\u003C\u002Fa\u003E and \u003Ca href=\"#dynamic-linking\"\u003EDynamic Linking\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#customizable-approval-flows-for-better-user-experience\"\u003ECustomizable approval flows for better user experience\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fh2\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EOpenID FAPI\u003C\u002Fa\u003E is a suite of security and privacy specifications developed by the \u003Cdfn data-key=\"openid\"\u003EOpenID\u003C\u002Fdfn\u003E Foundation. 
APIs that meet the FAPI standards are classified as “financial-grade,” which means that they provide robust authentication and authorization mechanisms that help secure access to financial and other sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003EAuth0 is a certified FAPI provider. To learn more about the security improvements we introduced to meet FAPI standards, see the following sections:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EFor more information on FAPI, see OpenID's \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwordpress-content\u002Fuploads\u002F2022\u002F03\u002FOIDF-Whitepaper_Open-Banking-Open-Data-and-Financial-Grade-APIs_2022-03-16.pdf\"\u003EOpen Banking, Open Data, and Financial-grade APIs\u003C\u002Fa\u003E whitepaper and the \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EFAPI Working Group specifications\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F20iajPMtmICMORUfaVQH7a\u002Fec900e1007b3faebd66eb2508f46acb0\u002Fimage17.png\" alt=\"\"\u003E\u003Ch2\u003EStrong Customer Authentication (SCA)\u003C\u002Fh2\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F3JDIerJcevImoIDRd7OfIy\u002F98597a9164b66cde9ec7ddc23f3e849b\u002Fimage14.png\" alt=\"\"\u003E\u003Cp\u003EIntroduced by Europe’s \u003Ca 
href=\"https:\u002F\u002Fwww.europeanpaymentscouncil.eu\u002Fsites\u002Fdefault\u002Ffiles\u002Finfographic\u002F2018-04\u002FEPC_Infographic_PSD2_April%202018.pdf\"\u003EPayment Services Directive (PSD2)\u003C\u002Fa\u003E, Strong Customer Authentication (SCA), mandates the use of at least two distinct authentication factors out of the following three:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003ESomething the user knows (e.g., a password)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething the user possesses (e.g., a device)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething intrinsic to the user (e.g., a fingerprint)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EThe authentication factors must be independent so that compromising one does not jeopardize the others. SCA is quickly becoming the worldwide standard for safeguarding sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003ETo help with SCA compliance, Auth0 offers various authentication factors that enroll and challenge users during a login transaction. Highly Regulated Identity leverages the following authentication factors to secure your transactions: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EMobile push notifications\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESMS\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EEmail\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EWebAuthn\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EUsing \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E, you can dynamically determine which authentication factors to use. This gives you the flexibility to customize your code logic. For example, you can add a second authentication factor for payments above 10 USD. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EDynamic Linking\u003C\u002Fh2\u003E\u003Cp\u003EPSD2 requires that payment service providers implement Dynamic Linking along with Strong Customer Authentication. Dynamic Linking presents the user with transaction details for their explicit validation and approval and uniquely links the authorization and the transaction details. This ensures a good user experience and helps with regulatory compliance.\u003C\u002Fp\u003E\u003Cp\u003ETo enable Dynamic Linking, you can use Rich Authorization Requests (RAR) to pass fine-grained transaction authorization data to the \u003Cdfn data-key=\"oath2\"\u003EOAuth\u003C\u002Fdfn\u003E authorization endpoint. The following code sample shows an \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E JSON object, which contains information like the payment type, amount, currency, and recipient:\u003C\u002Fp\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode\u003E\"authorization_details\": [\n {\n \"type\": \"one_time_payment\",\n \"amount\": {\n \"amount\": 2460,46,\n \"currency\": \"USD\"\n },\n \"sourceAccount\": \"xxxxxxxxxxx4567\",\n \"recipient\": \"Acme Travel, Inc.\",\n \"concept\": \"All Inclusive Resort Package for Two\",\n }\n]\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003E\u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E is assigned a unique transaction reference, which Auth0 uses to prompt the user to perform step-up authentication: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EUse push notifications to show transaction details and get approval on a separate device such as a mobile phone application.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EUse SMS, email, or WebAuthn to 
confirm the details on the device that originated the transaction after the user completes the second authentication factor.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"warning\"\u003E\u003Cp\u003EDo not pass fine-grained transaction authorization data or other sensitive or regulated data outside of \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E. \u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EIf the user confirms the details, the transaction progresses and Auth0 issues an \u003Cdfn data-key=\"access-token\"\u003Eaccess token\u003C\u002Fdfn\u003E associated with the now-approved authorization_details. Developers can also add the unique transaction reference to the access token. As a result, your API servers can later validate the approved transaction details when receiving and servicing API requests.\n\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about RAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-rar\"\u003EAuthorization Code Flow with Rich Authorization Requests\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EConfidentiality and integrity protection\u003C\u002Fh2\u003E\u003Cp\u003EAuthorization details may include account numbers, monetary amounts, merchant names, and other highly sensitive information that are passed in URLs or access tokens that are not secure. 
To protect sensitive data from unauthorized access and tampering, Highly Regulated Identity offers comprehensive confidentiality and integrity protection.\u003C\u002Fp\u003E\u003Ch3\u003EProtect sensitive data in the front channel\u003C\u002Fh3\u003E\u003Cp\u003ETo protect sensitive data in the front channel, such as a web browser, Highly Regulated Identity offers the following solutions as part of the FAPI 1 Advanced Security profile.\u003C\u002Fp\u003E\u003Ch4\u003EPushed Authorization Requests (PAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9126\u002F\"\u003EPAR\u003C\u002Fa\u003E introduces a new endpoint, which allows clients to directly push the payload of an OAuth 2.0 authorization request to the \u003Cdfn data-key=\"authorization-server\"\u003Eauthorization server\u003C\u002Fdfn\u003E (i.e. Auth0 in this case). This avoids passing the authorization parameters via the insecure front channel (i.e., the browser), thus reducing the risk of unauthorized access to authorization parameters by an intermediary.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about PAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-par\"\u003EAuthorization Code Flow with Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-par\"\u003EConfigure Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EJWT-Secured Authorization Request (JAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9101\u002F\"\u003EJAR\u003C\u002Fa\u003E is an OAuth2 protocol extension that enhances the security of authorization requests. 
It does so by using a \u003Cdfn data-key=\"json-web-token\"\u003EJSON Web Token\u003C\u002Fdfn\u003E (JWT) request parameter to protect the integrity and, optionally, the confidentiality of the authorization request parameters.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-jar\"\u003EAuthorization Code Flow with JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-jar\"\u003EConfigure JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EProtect sensitive data in access tokens\u003C\u002Fh4\u003E\u003Cp\u003ETo protect the authorization details included in access tokens, Highly Regulated Identity provides support for using \u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc7516\"\u003EJSON Web Encryption (JWE)\u003C\u002Fa\u003E to encrypt the payload of access tokens. 
This protects access tokens from application-side data breaches and unauthorized inspection into API calls by intermediaries.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JWE, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fjson-web-encryption\"\u003EJSON Web Encryption\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-json-web-encryption\"\u003EConfigure JSON Web Encryption\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EStronger application authentication\u003C\u002Fh2\u003E\u003Cp\u003ETo improve your application authentication security, Highly Regulated Identity offers two different alternatives as part of the FAPI 1 Advanced Security profile:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"http:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Fdraft-ietf-oauth-jwt-bearer\"\u003EPrivate Key JWT\u003C\u002Fa\u003E: involves generating a public-private key pair to use as credentials to authenticate an application. It is already available for customers on the Enterprise plan. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fapplication-credentials#private-key-jwt-authentication\"\u003EPrivate Key JWT Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc8705\"\u003EmTLS for OAuth\u003C\u002Fa\u003E: involves registering a standard X.509 certificate linked to an application on your tenant. The certificate can either be CA-issued or self-signed. Following standard mTLS procedures, the private key corresponding to the certificate is used on the client side to establish the mTLS tunnel when sending requests to your Auth0 tenant endpoints. As a result, Auth0 can authenticate the application without transmitting secrets over the network. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthenticate-with-mtls\"\u003EmTLS for OAuth\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EWith both Private Key JWT and OAuth 2.0 mTLS, you can rotate credentials with zero downtime by temporarily keeping two active keys and\u002For certificates at the same time for a given application.\u003C\u002Fp\u003E\u003Ch2\u003EProtect access tokens with Token Binding\u003C\u002Fh2\u003E\u003Cp\u003ESupporting mTLS also adds the ability to use Token Binding or Sender Constraining. Token Binding associates the thumbprint of the client certificate used for establishing the mTLS tunnel with an access token. When the client consumes an API using the certificate-bound access token, the API server is then able to verify whether the client is also using the associated client certificate. As a result, even if the access token is compromised, malicious actors who do not hold the private key for that client certificate still cannot use the token to access protected resources.\u003C\u002Fp\u003E\u003Cp\u003E\u003Cb\u003ENote:\u003C\u002Fb\u003E Token Binding operates independently of the application's authentication method and does not require the pre-registration of the client certificate. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-sender-constraining\"\u003EConfigure Sender Constraining\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003ECustomizable approval flows for better user experience\u003C\u002Fh2\u003E\u003Cp\u003EWhen designing real-world solutions for financial-grade security, it’s important to consider user experience. Applying one-size-fits-all authentication flows for all transactions is not as effective as dynamically adjusting based on transaction details and use cases. 
\u003C\u002Fp\u003E\u003Cp\u003EYou can customize your authentication flow using \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E. For example, after the user logs in, you can inspect transaction details received via RAR, list the user’s enrolled and already validated authentication factors, and use external services, such as risk evaluation engines, to determine the next authentication factor to use. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E. \u003C\u002Fp\u003E\u003Cp\u003EThe New \u003Cdfn data-key=\"universal-login\"\u003EUniversal Login\u003C\u002Fdfn\u003E templates also enable you to customize the attributes displayed on the transaction approval screen depending on the type of transaction and other authorization details. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-rich-authorization-requests\"\u003EConfigure Rich Authorization Requests (RAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F7eBJA1IPsCIZubFKEtHh3m\u002F8ec245ebd3bab775e9ba12fbe7f4096c\u002Fimage2.png\" alt=\"\"\u003E\u003Ch2\u003E\u003Cb\u003ELearn more\u003C\u002Fb\u003E\u003C\u002Fh2\u003E\u003Cp\u003ETo learn how Highly Regulated Identity works from end-to-end to authorize a one-time transaction, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca\"\u003ETransactional Authorization with Contextual Strong Customer Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E","sitemap":true,"breadcrumbs":[{"title":"Secure","path":"\u002Fsecure","url":"\u002Fdocs\u002Fsecure"},{"title":"Highly Regulated 
Identity","path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity"}],"path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity","routeName":"article","section":"articles","titles":[{"content":"Advanced security with OpenID Connect (FAPI)","anchor":"advanced-security-with-openid-connect-fapi-","level":2},{"content":"Strong Customer Authentication (SCA)","anchor":"strong-customer-authentication-sca-","level":2},{"content":"Dynamic Linking","anchor":"dynamic-linking","level":2},{"content":"Confidentiality and integrity protection","anchor":"confidentiality-and-integrity-protection","level":2},{"content":"Protect sensitive data in the front channel","anchor":"protect-sensitive-data-in-the-front-channel","level":3},{"content":"Pushed Authorization Requests (PAR)","anchor":"pushed-authorization-requests-par-","level":4},{"content":"JWT-Secured Authorization Request (JAR)","anchor":"jwt-secured-authorization-request-jar-","level":4},{"content":"Protect sensitive data in access tokens","anchor":"protect-sensitive-data-in-access-tokens","level":4},{"content":"Stronger application authentication","anchor":"stronger-application-authentication","level":2},{"content":"Protect access tokens with Token Binding","anchor":"protect-access-tokens-with-token-binding","level":2},{"content":"Customizable approval flows for better user experience","anchor":"customizable-approval-flows-for-better-user-experience","level":2},{"content":"Learn more","anchor":"learn-more","level":2}]},"title":"Dynamic Linking"}},{"component":"Title","containerID":"portal-title-3","props":{"children":"\u003Ch2 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EConfidentiality and integrity 
protection\u003C\u002Fh2\u003E","anchor":"confidentiality-and-integrity-protection","tag":"h2","meta":{"title":"Highly Regulated Identity","updatedAt":"2024-08-27T20:23:14.565Z","contentfulId":"4MXfmXwd6WcsLjH3kFpOcv","type":"article","description":"Learn about Highly Regulated Identity, Auth0's Financial-Grade Identity solution. ","hash":"highly-regulated-identity","sections":["secure","highly-regulated-identity"],"toc":false,"public":true,"parent":null,"referenceLinks":null,"content":"\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"default\"\u003E\u003Cp\u003ETo use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fpricing\u002F\"\u003EAuth0 Pricing\u003C\u002Fa\u003E for details.\u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EHighly Regulated Identity (HRI) is Auth0’s Financial-Grade Identity™ solution to secure sensitive data operations and services important for your business. Initially targeting highly regulated industries like finance and healthcare, Highly Regulated Identity raises the security level to protect a wide range of customer use cases, including but not limited to money transfers, digital payments, and access to medical records. You can also use Highly Regulated Identity for other sensitive operations that require enhanced security, such as to approve changes in administrative credentials, secure privileged access to a web portal, and more. 
\u003C\u002Fp\u003E\u003Cp\u003ETo secure your sensitive business operations, Highly Regulated Identity provides:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#advanced-security-with-openid-connect-fapi-\"\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#strong-customer-authentication-sca-\"\u003EStrong Customer Authentication (SCA)\u003C\u002Fa\u003E and \u003Ca href=\"#dynamic-linking\"\u003EDynamic Linking\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#customizable-approval-flows-for-better-user-experience\"\u003ECustomizable approval flows for better user experience\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fh2\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EOpenID FAPI\u003C\u002Fa\u003E is a suite of security and privacy specifications developed by the \u003Cdfn data-key=\"openid\"\u003EOpenID\u003C\u002Fdfn\u003E Foundation. 
APIs that meet the FAPI standards are classified as “financial-grade,” which means that they provide robust authentication and authorization mechanisms that help secure access to financial and other sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003EAuth0 is a certified FAPI provider. To learn more about the security improvements we introduced to meet FAPI standards, see the following sections:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EFor more information on FAPI, see OpenID's \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwordpress-content\u002Fuploads\u002F2022\u002F03\u002FOIDF-Whitepaper_Open-Banking-Open-Data-and-Financial-Grade-APIs_2022-03-16.pdf\"\u003EOpen Banking, Open Data, and Financial-grade APIs\u003C\u002Fa\u003E whitepaper and the \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EFAPI Working Group specifications\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F20iajPMtmICMORUfaVQH7a\u002Fec900e1007b3faebd66eb2508f46acb0\u002Fimage17.png\" alt=\"\"\u003E\u003Ch2\u003EStrong Customer Authentication (SCA)\u003C\u002Fh2\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F3JDIerJcevImoIDRd7OfIy\u002F98597a9164b66cde9ec7ddc23f3e849b\u002Fimage14.png\" alt=\"\"\u003E\u003Cp\u003EIntroduced by Europe’s \u003Ca 
href=\"https:\u002F\u002Fwww.europeanpaymentscouncil.eu\u002Fsites\u002Fdefault\u002Ffiles\u002Finfographic\u002F2018-04\u002FEPC_Infographic_PSD2_April%202018.pdf\"\u003EPayment Services Directive (PSD2)\u003C\u002Fa\u003E, Strong Customer Authentication (SCA), mandates the use of at least two distinct authentication factors out of the following three:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003ESomething the user knows (e.g., a password)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething the user possesses (e.g., a device)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething intrinsic to the user (e.g., a fingerprint)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EThe authentication factors must be independent so that compromising one does not jeopardize the others. SCA is quickly becoming the worldwide standard for safeguarding sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003ETo help with SCA compliance, Auth0 offers various authentication factors that enroll and challenge users during a login transaction. Highly Regulated Identity leverages the following authentication factors to secure your transactions: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EMobile push notifications\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESMS\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EEmail\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EWebAuthn\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EUsing \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E, you can dynamically determine which authentication factors to use. This gives you the flexibility to customize your code logic. For example, you can add a second authentication factor for payments above 10 USD. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EDynamic Linking\u003C\u002Fh2\u003E\u003Cp\u003EPSD2 requires that payment service providers implement Dynamic Linking along with Strong Customer Authentication. Dynamic Linking presents the user with transaction details for their explicit validation and approval and uniquely links the authorization and the transaction details. This ensures a good user experience and helps with regulatory compliance.\u003C\u002Fp\u003E\u003Cp\u003ETo enable Dynamic Linking, you can use Rich Authorization Requests (RAR) to pass fine-grained transaction authorization data to the \u003Cdfn data-key=\"oath2\"\u003EOAuth\u003C\u002Fdfn\u003E authorization endpoint. The following code sample shows an \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E JSON object, which contains information like the payment type, amount, currency, and recipient:\u003C\u002Fp\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode\u003E\"authorization_details\": [\n {\n \"type\": \"one_time_payment\",\n \"amount\": {\n \"amount\": 2460.46,\n \"currency\": \"USD\"\n },\n \"sourceAccount\": \"xxxxxxxxxxx4567\",\n \"recipient\": \"Acme Travel, Inc.\",\n \"concept\": \"All Inclusive Resort Package for Two\"\n }\n]\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003E\u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E is assigned a unique transaction reference, which Auth0 uses to prompt the user to perform step-up authentication: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EUse push notifications to show transaction details and get approval on a separate device such as a mobile phone application.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EUse SMS, email, or WebAuthn to 
confirm the details on the device that originated the transaction after the user completes the second authentication factor.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"warning\"\u003E\u003Cp\u003EDo not pass fine-grained transaction authorization data or other sensitive or regulated data outside of \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E. \u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EIf the user confirms the details, the transaction progresses and Auth0 issues an \u003Cdfn data-key=\"access-token\"\u003Eaccess token\u003C\u002Fdfn\u003E associated with the now-approved authorization_details. Developers can also add the unique transaction reference to the access token. As a result, your API servers can later validate the approved transaction details when receiving and servicing API requests.\n\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about RAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-rar\"\u003EAuthorization Code Flow with Rich Authorization Requests\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EConfidentiality and integrity protection\u003C\u002Fh2\u003E\u003Cp\u003EAuthorization details may include account numbers, monetary amounts, merchant names, and other highly sensitive information that is passed in URLs or in access tokens that are not secure. 
To protect sensitive data from unauthorized access and tampering, Highly Regulated Identity offers comprehensive confidentiality and integrity protection.\u003C\u002Fp\u003E\u003Ch3\u003EProtect sensitive data in the front channel\u003C\u002Fh3\u003E\u003Cp\u003ETo protect sensitive data in the front channel, such as a web browser, Highly Regulated Identity offers the following solutions as part of the FAPI 1 Advanced Security profile.\u003C\u002Fp\u003E\u003Ch4\u003EPushed Authorization Requests (PAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9126\u002F\"\u003EPAR\u003C\u002Fa\u003E introduces a new endpoint, which allows clients to directly push the payload of an OAuth 2.0 authorization request to the \u003Cdfn data-key=\"authorization-server\"\u003Eauthorization server\u003C\u002Fdfn\u003E (i.e. Auth0 in this case). This avoids passing the authorization parameters via the insecure front channel (i.e., the browser), thus reducing the risk of unauthorized access to authorization parameters by an intermediary.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about PAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-par\"\u003EAuthorization Code Flow with Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-par\"\u003EConfigure Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EJWT-Secured Authorization Request (JAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9101\u002F\"\u003EJAR\u003C\u002Fa\u003E is an OAuth2 protocol extension that enhances the security of authorization requests. 
It does so by using a \u003Cdfn data-key=\"json-web-token\"\u003EJSON Web Token\u003C\u002Fdfn\u003E (JWT) request parameter to protect the integrity and, optionally, the confidentiality of the authorization request parameters.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-jar\"\u003EAuthorization Code Flow with JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-jar\"\u003EConfigure JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EProtect sensitive data in access tokens\u003C\u002Fh4\u003E\u003Cp\u003ETo protect the authorization details included in access tokens, Highly Regulated Identity provides support for using \u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc7516\"\u003EJSON Web Encryption (JWE)\u003C\u002Fa\u003E to encrypt the payload of access tokens. 
This protects access tokens from application-side data breaches and unauthorized inspection into API calls by intermediaries.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JWE, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fjson-web-encryption\"\u003EJSON Web Encryption\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-json-web-encryption\"\u003EConfigure JSON Web Encryption\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EStronger application authentication\u003C\u002Fh2\u003E\u003Cp\u003ETo improve your application authentication security, Highly Regulated Identity offers two different alternatives as part of the FAPI 1 Advanced Security profile:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"http:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Fdraft-ietf-oauth-jwt-bearer\"\u003EPrivate Key JWT\u003C\u002Fa\u003E: involves generating a public-private key pair to use as credentials to authenticate an application. It is already available for customers on the Enterprise plan. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fapplication-credentials#private-key-jwt-authentication\"\u003EPrivate Key JWT Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc8705\"\u003EmTLS for OAuth\u003C\u002Fa\u003E: involves registering a standard X.509 certificate linked to an application on your tenant. The certificate can either be CA-issued or self-signed. Following standard mTLS procedures, the private key corresponding to the certificate is used on the client side to establish the mTLS tunnel when sending requests to your Auth0 tenant endpoints. As a result, Auth0 can authenticate the application without transmitting secrets over the network. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthenticate-with-mtls\"\u003EmTLS for OAuth\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EWith both Private Key JWT and OAuth 2.0 mTLS, you can rotate credentials with zero downtime by temporarily keeping two active keys and\u002For certificates at the same time for a given application.\u003C\u002Fp\u003E\u003Ch2\u003EProtect access tokens with Token Binding\u003C\u002Fh2\u003E\u003Cp\u003ESupporting mTLS also adds the ability to use Token Binding or Sender Constraining. Token Binding associates the thumbprint of the client certificate used for establishing the mTLS tunnel with an access token. When the client consumes an API using the certificate-bound access token, the API server is then able to verify whether the client is also using the associated client certificate. As a result, even if the access token is compromised, malicious actors who do not hold the private key for the associated client certificate still cannot use the token to access protected resources.\u003C\u002Fp\u003E\u003Cp\u003E\u003Cb\u003ENote:\u003C\u002Fb\u003E Token Binding operates independently of the application's authentication method and does not require the pre-registration of the client certificate. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-sender-constraining\"\u003EConfigure Sender Constraining\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003ECustomizable approval flows for better user experience\u003C\u002Fh2\u003E\u003Cp\u003EWhen designing real-world solutions for financial-grade security, it’s important to consider user experience. Applying one-size-fits-all authentication flows for all transactions is not as effective as dynamically adjusting based on transaction details and use cases. 
\u003C\u002Fp\u003E\u003Cp\u003EYou can customize your authentication flow using \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E. For example, after the user logs in, you can inspect transaction details received via RAR, list the user’s enrolled and already validated authentication factors, and use external services, such as risk evaluation engines, to determine the next authentication factor to use. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E. \u003C\u002Fp\u003E\u003Cp\u003EThe New \u003Cdfn data-key=\"universal-login\"\u003EUniversal Login\u003C\u002Fdfn\u003E templates also enable you to customize the attributes displayed on the transaction approval screen depending on the type of transaction and other authorization details. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-rich-authorization-requests\"\u003EConfigure Rich Authorization Requests (RAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F7eBJA1IPsCIZubFKEtHh3m\u002F8ec245ebd3bab775e9ba12fbe7f4096c\u002Fimage2.png\" alt=\"\"\u003E\u003Ch2\u003E\u003Cb\u003ELearn more\u003C\u002Fb\u003E\u003C\u002Fh2\u003E\u003Cp\u003ETo learn how Highly Regulated Identity works from end-to-end to authorize a one-time transaction, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca\"\u003ETransactional Authorization with Contextual Strong Customer Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E","sitemap":true,"breadcrumbs":[{"title":"Secure","path":"\u002Fsecure","url":"\u002Fdocs\u002Fsecure"},{"title":"Highly Regulated 
Identity","path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity"}],"path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity","routeName":"article","section":"articles","titles":[{"content":"Advanced security with OpenID Connect (FAPI)","anchor":"advanced-security-with-openid-connect-fapi-","level":2},{"content":"Strong Customer Authentication (SCA)","anchor":"strong-customer-authentication-sca-","level":2},{"content":"Dynamic Linking","anchor":"dynamic-linking","level":2},{"content":"Confidentiality and integrity protection","anchor":"confidentiality-and-integrity-protection","level":2},{"content":"Protect sensitive data in the front channel","anchor":"protect-sensitive-data-in-the-front-channel","level":3},{"content":"Pushed Authorization Requests (PAR)","anchor":"pushed-authorization-requests-par-","level":4},{"content":"JWT-Secured Authorization Request (JAR)","anchor":"jwt-secured-authorization-request-jar-","level":4},{"content":"Protect sensitive data in access tokens","anchor":"protect-sensitive-data-in-access-tokens","level":4},{"content":"Stronger application authentication","anchor":"stronger-application-authentication","level":2},{"content":"Protect access tokens with Token Binding","anchor":"protect-access-tokens-with-token-binding","level":2},{"content":"Customizable approval flows for better user experience","anchor":"customizable-approval-flows-for-better-user-experience","level":2},{"content":"Learn more","anchor":"learn-more","level":2}]},"title":"Confidentiality and integrity protection"}},{"component":"Title","containerID":"portal-title-4","props":{"children":"\u003Ch3 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EProtect sensitive data in the front 
channel\u003C\u002Fh3\u003E","anchor":"protect-sensitive-data-in-the-front-channel","tag":"h3","meta":{"title":"Highly Regulated Identity","updatedAt":"2024-08-27T20:23:14.565Z","contentfulId":"4MXfmXwd6WcsLjH3kFpOcv","type":"article","description":"Learn about Highly Regulated Identity, Auth0's Financial-Grade Identity solution. ","hash":"highly-regulated-identity","sections":["secure","highly-regulated-identity"],"toc":false,"public":true,"parent":null,"referenceLinks":null,"content":"\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"default\"\u003E\u003Cp\u003ETo use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fpricing\u002F\"\u003EAuth0 Pricing\u003C\u002Fa\u003E for details.\u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EHighly Regulated Identity (HRI) is Auth0’s Financial-Grade Identity™ solution to secure sensitive data operations and services important for your business. Initially targeting highly regulated industries like finance and healthcare, Highly Regulated Identity raises the security level to protect a wide range of customer use cases, including but not limited to money transfers, digital payments, and access to medical records. You can also use Highly Regulated Identity for other sensitive operations that require enhanced security, such as to approve changes in administrative credentials, secure privileged access to a web portal, and more. 
\u003C\u002Fp\u003E\u003Cp\u003ETo secure your sensitive business operations, Highly Regulated Identity provides:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#advanced-security-with-openid-connect-fapi-\"\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#strong-customer-authentication-sca-\"\u003EStrong Customer Authentication (SCA)\u003C\u002Fa\u003E and \u003Ca href=\"#dynamic-linking\"\u003EDynamic Linking\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#customizable-approval-flows-for-better-user-experience\"\u003ECustomizable approval flows for better user experience\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fh2\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EOpenID FAPI\u003C\u002Fa\u003E is a suite of security and privacy specifications developed by the \u003Cdfn data-key=\"openid\"\u003EOpenID\u003C\u002Fdfn\u003E Foundation. 
APIs that meet the FAPI standards are classified as “financial-grade,” which means that they provide robust authentication and authorization mechanisms that help secure access to financial and other sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003EAuth0 is a certified FAPI provider. To learn more about the security improvements we introduced to meet FAPI standards, see the following sections:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EFor more information on FAPI, see OpenID's \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwordpress-content\u002Fuploads\u002F2022\u002F03\u002FOIDF-Whitepaper_Open-Banking-Open-Data-and-Financial-Grade-APIs_2022-03-16.pdf\"\u003EOpen Banking, Open Data, and Financial-grade APIs\u003C\u002Fa\u003E whitepaper and the \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EFAPI Working Group specifications\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F20iajPMtmICMORUfaVQH7a\u002Fec900e1007b3faebd66eb2508f46acb0\u002Fimage17.png\" alt=\"\"\u003E\u003Ch2\u003EStrong Customer Authentication (SCA)\u003C\u002Fh2\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F3JDIerJcevImoIDRd7OfIy\u002F98597a9164b66cde9ec7ddc23f3e849b\u002Fimage14.png\" alt=\"\"\u003E\u003Cp\u003EIntroduced by Europe’s \u003Ca 
href=\"https:\u002F\u002Fwww.europeanpaymentscouncil.eu\u002Fsites\u002Fdefault\u002Ffiles\u002Finfographic\u002F2018-04\u002FEPC_Infographic_PSD2_April%202018.pdf\"\u003EPayment Services Directive (PSD2)\u003C\u002Fa\u003E, Strong Customer Authentication (SCA), mandates the use of at least two distinct authentication factors out of the following three:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003ESomething the user knows (e.g., a password)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething the user possesses (e.g., a device)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething intrinsic to the user (e.g., a fingerprint)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EThe authentication factors must be independent so that compromising one does not jeopardize the others. SCA is quickly becoming the worldwide standard for safeguarding sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003ETo help with SCA compliance, Auth0 offers various authentication factors that enroll and challenge users during a login transaction. Highly Regulated Identity leverages the following authentication factors to secure your transactions: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EMobile push notifications\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESMS\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EEmail\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EWebAuthn\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EUsing \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E, you can dynamically determine which authentication factors to use. This gives you the flexibility to customize your code logic. For example, you can add a second authentication factor for payments above 10 USD. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EDynamic Linking\u003C\u002Fh2\u003E\u003Cp\u003EPSD2 requires that payment service providers implement Dynamic Linking along with Strong Customer Authentication. Dynamic Linking presents the user with transaction details for their explicit validation and approval and uniquely links the authorization and the transaction details. This ensures a good user experience and helps with regulatory compliance.\u003C\u002Fp\u003E\u003Cp\u003ETo enable Dynamic Linking, you can use Rich Authorization Requests (RAR) to pass fine-grained transaction authorization data to the \u003Cdfn data-key=\"oath2\"\u003EOAuth\u003C\u002Fdfn\u003E authorization endpoint. The following code sample shows an \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E JSON object, which contains information like the payment type, amount, currency, and recipient:\u003C\u002Fp\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode\u003E\"authorization_details\": [\n {\n \"type\": \"one_time_payment\",\n \"amount\": {\n \"amount\": 2460.46,\n \"currency\": \"USD\"\n },\n \"sourceAccount\": \"xxxxxxxxxxx4567\",\n \"recipient\": \"Acme Travel, Inc.\",\n \"concept\": \"All Inclusive Resort Package for Two\"\n }\n]\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003E\u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E is assigned a unique transaction reference, which Auth0 uses to prompt the user to perform step-up authentication: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EUse push notifications to show transaction details and get approval on a separate device such as a mobile phone application.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EUse SMS, email, or WebAuthn to 
confirm the details on the device that originated the transaction after the user completes the second authentication factor.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"warning\"\u003E\u003Cp\u003EDo not pass fine-grained transaction authorization data or other sensitive or regulated data outside of \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E. \u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EIf the user confirms the details, the transaction progresses and Auth0 issues an \u003Cdfn data-key=\"access-token\"\u003Eaccess token\u003C\u002Fdfn\u003E associated with the now-approved authorization_details. Developers can also add the unique transaction reference to the access token. As a result, your API servers can later validate the approved transaction details when receiving and servicing API requests.\n\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about RAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-rar\"\u003EAuthorization Code Flow with Rich Authorization Requests\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EConfidentiality and integrity protection\u003C\u002Fh2\u003E\u003Cp\u003EAuthorization details may include account numbers, monetary amounts, merchant names, and other highly sensitive information that is passed in URLs or in access tokens that are not secure. 
To protect sensitive data from unauthorized access and tampering, Highly Regulated Identity offers comprehensive confidentiality and integrity protection.\u003C\u002Fp\u003E\u003Ch3\u003EProtect sensitive data in the front channel\u003C\u002Fh3\u003E\u003Cp\u003ETo protect sensitive data in the front channel, such as a web browser, Highly Regulated Identity offers the following solutions as part of the FAPI 1 Advanced Security profile.\u003C\u002Fp\u003E\u003Ch4\u003EPushed Authorization Requests (PAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9126\u002F\"\u003EPAR\u003C\u002Fa\u003E introduces a new endpoint, which allows clients to directly push the payload of an OAuth 2.0 authorization request to the \u003Cdfn data-key=\"authorization-server\"\u003Eauthorization server\u003C\u002Fdfn\u003E (i.e. Auth0 in this case). This avoids passing the authorization parameters via the insecure front channel (i.e., the browser), thus reducing the risk of unauthorized access to authorization parameters by an intermediary.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about PAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-par\"\u003EAuthorization Code Flow with Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-par\"\u003EConfigure Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EJWT-Secured Authorization Request (JAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9101\u002F\"\u003EJAR\u003C\u002Fa\u003E is an OAuth2 protocol extension that enhances the security of authorization requests. 
It does so by using a \u003Cdfn data-key=\"json-web-token\"\u003EJSON Web Token\u003C\u002Fdfn\u003E (JWT) request parameter to protect the integrity and, optionally, the confidentiality of the authorization request parameters.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-jar\"\u003EAuthorization Code Flow with JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-jar\"\u003EConfigure JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EProtect sensitive data in access tokens\u003C\u002Fh4\u003E\u003Cp\u003ETo protect the authorization details included in access tokens, Highly Regulated Identity provides support for using \u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc7516\"\u003EJSON Web Encryption (JWE)\u003C\u002Fa\u003E to encrypt the payload of access tokens. 
This protects access tokens from application-side data breaches and unauthorized inspection into API calls by intermediaries.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JWE, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fjson-web-encryption\"\u003EJSON Web Encryption\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-json-web-encryption\"\u003EConfigure JSON Web Encryption\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EStronger application authentication\u003C\u002Fh2\u003E\u003Cp\u003ETo improve your application authentication security, Highly Regulated Identity offers two different alternatives as part of the FAPI 1 Advanced Security profile:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"http:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Fdraft-ietf-oauth-jwt-bearer\"\u003EPrivate Key JWT\u003C\u002Fa\u003E: involves generating a public-private key pair to use as credentials to authenticate an application. It is already available for customers on the Enterprise plan. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fapplication-credentials#private-key-jwt-authentication\"\u003EPrivate Key JWT Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc8705\"\u003EmTLS for OAuth\u003C\u002Fa\u003E: involves registering a standard X.509 certificate linked to an application on your tenant. The certificate can either be CA-issued or self-signed. Following standard mTLS procedures, the private key corresponding to the certificate is used on the client side to establish the mTLS tunnel when sending requests to your Auth0 tenant endpoints. As a result, Auth0 can authenticate the application without transmitting secrets over the network. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthenticate-with-mtls\"\u003EmTLS for OAuth\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EWith both Private Key JWT and OAuth 2.0 mTLS, you can rotate credentials with zero downtime by temporarily keeping two active keys and\u002For certificates at the same time for a given application.\u003C\u002Fp\u003E\u003Ch2\u003EProtect access tokens with Token Binding\u003C\u002Fh2\u003E\u003Cp\u003ESupporting mTLS also adds the ability to use Token Binding or Sender Constraining. Token Binding associates the thumbprint of the client certificate used for establishing the mTLS tunnel with an access token. When the client consumes an API using the certificate-bound access token, the API server is then able to verify whether the client is also using the associated client certificate. As a result, even if the access token is compromised, malicious actors who don’t hold the private key for the associated client certificate still cannot access protected resources.\u003C\u002Fp\u003E\u003Cp\u003E\u003Cb\u003ENote:\u003C\u002Fb\u003E Token Binding operates independently of the application's authentication method and does not require the pre-registration of the client certificate. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-sender-constraining\"\u003EConfigure Sender Constraining\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003ECustomizable approval flows for better user experience\u003C\u002Fh2\u003E\u003Cp\u003EWhen designing real-world solutions for financial-grade security, it’s important to consider user experience. Applying one-size-fits-all authentication flows for all transactions is not as effective as dynamically adjusting based on transaction details and use cases. 
\u003C\u002Fp\u003E\u003Cp\u003EYou can customize your authentication flow using \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E. For example, after the user logs in, you can inspect transaction details received via RAR, list the user’s enrolled and already validated authentication factors, and use external services, such as risk evaluation engines, to determine the next authentication factor to use. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E. \u003C\u002Fp\u003E\u003Cp\u003EThe New \u003Cdfn data-key=\"universal-login\"\u003EUniversal Login\u003C\u002Fdfn\u003E templates also enable you to customize the attributes displayed on the transaction approval screen depending on the type of transaction and other authorization details. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-rich-authorization-requests\"\u003EConfigure Rich Authorization Requests (RAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F7eBJA1IPsCIZubFKEtHh3m\u002F8ec245ebd3bab775e9ba12fbe7f4096c\u002Fimage2.png\" alt=\"\"\u003E\u003Ch2\u003E\u003Cb\u003ELearn more\u003C\u002Fb\u003E\u003C\u002Fh2\u003E\u003Cp\u003ETo learn how Highly Regulated Identity works from end-to-end to authorize a one-time transaction, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca\"\u003ETransactional Authorization with Contextual Strong Customer Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E","sitemap":true,"breadcrumbs":[{"title":"Secure","path":"\u002Fsecure","url":"\u002Fdocs\u002Fsecure"},{"title":"Highly Regulated 
Identity","path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity"}],"path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity","routeName":"article","section":"articles","titles":[{"content":"Advanced security with OpenID Connect (FAPI)","anchor":"advanced-security-with-openid-connect-fapi-","level":2},{"content":"Strong Customer Authentication (SCA)","anchor":"strong-customer-authentication-sca-","level":2},{"content":"Dynamic Linking","anchor":"dynamic-linking","level":2},{"content":"Confidentiality and integrity protection","anchor":"confidentiality-and-integrity-protection","level":2},{"content":"Protect sensitive data in the front channel","anchor":"protect-sensitive-data-in-the-front-channel","level":3},{"content":"Pushed Authorization Requests (PAR)","anchor":"pushed-authorization-requests-par-","level":4},{"content":"JWT-Secured Authorization Request (JAR)","anchor":"jwt-secured-authorization-request-jar-","level":4},{"content":"Protect sensitive data in access tokens","anchor":"protect-sensitive-data-in-access-tokens","level":4},{"content":"Stronger application authentication","anchor":"stronger-application-authentication","level":2},{"content":"Protect access tokens with Token Binding","anchor":"protect-access-tokens-with-token-binding","level":2},{"content":"Customizable approval flows for better user experience","anchor":"customizable-approval-flows-for-better-user-experience","level":2},{"content":"Learn more","anchor":"learn-more","level":2}]},"title":"Protect sensitive data in the front channel"}},{"component":"Title","containerID":"portal-title-5","props":{"children":"\u003Ch4 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EPushed Authorization Requests 
(PAR)\u003C\u002Fh4\u003E","anchor":"pushed-authorization-requests-par-","tag":"h4","meta":{"title":"Highly Regulated Identity","updatedAt":"2024-08-27T20:23:14.565Z","contentfulId":"4MXfmXwd6WcsLjH3kFpOcv","type":"article","description":"Learn about Highly Regulated Identity, Auth0's Financial-Grade Identity solution. ","hash":"highly-regulated-identity","sections":["secure","highly-regulated-identity"],"toc":false,"public":true,"parent":null,"referenceLinks":null,"content":"\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"default\"\u003E\u003Cp\u003ETo use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fpricing\u002F\"\u003EAuth0 Pricing\u003C\u002Fa\u003E for details.\u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EHighly Regulated Identity (HRI) is Auth0’s Financial-Grade Identity™ solution to secure sensitive data operations and services important for your business. Initially targeting highly regulated industries like finance and healthcare, Highly Regulated Identity raises the security level to protect a wide range of customer use cases, including but not limited to money transfers, digital payments, and access to medical records. You can also use Highly Regulated Identity for other sensitive operations that require enhanced security, such as to approve changes in administrative credentials, secure privileged access to a web portal, and more. 
\u003C\u002Fp\u003E\u003Cp\u003ETo secure your sensitive business operations, Highly Regulated Identity provides:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#advanced-security-with-openid-connect-fapi-\"\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#strong-customer-authentication-sca-\"\u003EStrong Customer Authentication (SCA)\u003C\u002Fa\u003E and \u003Ca href=\"#dynamic-linking\"\u003EDynamic Linking\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#customizable-approval-flows-for-better-user-experience\"\u003ECustomizable approval flows for better user experience\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fh2\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EOpenID FAPI\u003C\u002Fa\u003E is a suite of security and privacy specifications developed by the \u003Cdfn data-key=\"openid\"\u003EOpenID\u003C\u002Fdfn\u003E Foundation. 
APIs that meet the FAPI standards are classified as “financial-grade,” which means that they provide robust authentication and authorization mechanisms that help secure access to financial and other sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003EAuth0 is a certified FAPI provider. To learn more about the security improvements we introduced to meet FAPI standards, see the following sections:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EFor more information on FAPI, see OpenID's \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwordpress-content\u002Fuploads\u002F2022\u002F03\u002FOIDF-Whitepaper_Open-Banking-Open-Data-and-Financial-Grade-APIs_2022-03-16.pdf\"\u003EOpen Banking, Open Data, and Financial-grade APIs\u003C\u002Fa\u003E whitepaper and the \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EFAPI Working Group specifications\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F20iajPMtmICMORUfaVQH7a\u002Fec900e1007b3faebd66eb2508f46acb0\u002Fimage17.png\" alt=\"\"\u003E\u003Ch2\u003EStrong Customer Authentication (SCA)\u003C\u002Fh2\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F3JDIerJcevImoIDRd7OfIy\u002F98597a9164b66cde9ec7ddc23f3e849b\u002Fimage14.png\" alt=\"\"\u003E\u003Cp\u003EIntroduced by Europe’s \u003Ca 
href=\"https:\u002F\u002Fwww.europeanpaymentscouncil.eu\u002Fsites\u002Fdefault\u002Ffiles\u002Finfographic\u002F2018-04\u002FEPC_Infographic_PSD2_April%202018.pdf\"\u003EPayment Services Directive (PSD2)\u003C\u002Fa\u003E, Strong Customer Authentication (SCA), mandates the use of at least two distinct authentication factors out of the following three:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003ESomething the user knows (e.g., a password)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething the user possesses (e.g., a device)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething intrinsic to the user (e.g., a fingerprint)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EThe authentication factors must be independent so that compromising one does not jeopardize the others. SCA is quickly becoming the worldwide standard for safeguarding sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003ETo help with SCA compliance, Auth0 offers various authentication factors that enroll and challenge users during a login transaction. Highly Regulated Identity leverages the following authentication factors to secure your transactions: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EMobile push notifications\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESMS\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EEmail\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EWebAuthn\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EUsing \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E, you can dynamically determine which authentication factors to use. This gives you the flexibility to customize your code logic. For example, you can add a second authentication factor for payments above 10 USD. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EDynamic Linking\u003C\u002Fh2\u003E\u003Cp\u003EPSD2 requires that payment service providers implement Dynamic Linking along with Strong Customer Authentication. Dynamic Linking presents the user with transaction details for their explicit validation and approval and uniquely links the authorization and the transaction details. This ensures a good user experience and helps with regulatory compliance.\u003C\u002Fp\u003E\u003Cp\u003ETo enable Dynamic Linking, you can use Rich Authorization Requests (RAR) to pass fine-grained transaction authorization data to the \u003Cdfn data-key=\"oath2\"\u003EOAuth\u003C\u002Fdfn\u003E authorization endpoint. The following code sample shows an \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E JSON object, which contains information like the payment type, amount, currency, and recipient:\u003C\u002Fp\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode\u003E\"authorization_details\": [\n {\n \"type\": \"one_time_payment\",\n \"amount\": {\n \"amount\": 2460.46,\n \"currency\": \"USD\"\n },\n \"sourceAccount\": \"xxxxxxxxxxx4567\",\n \"recipient\": \"Acme Travel, Inc.\",\n \"concept\": \"All Inclusive Resort Package for Two\"\n }\n]\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003E\u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E is assigned a unique transaction reference, which Auth0 uses to prompt the user to perform step-up authentication: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EUse push notifications to show transaction details and get approval on a separate device such as a mobile phone application.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EUse SMS, email, or WebAuthn to 
confirm the details on the device that originated the transaction after the user completes the second authentication factor.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"warning\"\u003E\u003Cp\u003EDo not pass fine-grained transaction authorization data or other sensitive or regulated data outside of \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E. \u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EIf the user confirms the details, the transaction progresses and Auth0 issues an \u003Cdfn data-key=\"access-token\"\u003Eaccess token\u003C\u002Fdfn\u003E associated with the now-approved authorization_details. Developers can also add the unique transaction reference to the access token. As a result, your API servers can later validate the approved transaction details when receiving and servicing API requests.\n\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about RAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-rar\"\u003EAuthorization Code Flow with Rich Authorization Requests\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EConfidentiality and integrity protection\u003C\u002Fh2\u003E\u003Cp\u003EAuthorization details may include account numbers, monetary amounts, merchant names, and other highly sensitive information that is passed in URLs or access tokens that are not secure. 
To protect sensitive data from unauthorized access and tampering, Highly Regulated Identity offers comprehensive confidentiality and integrity protection.\u003C\u002Fp\u003E\u003Ch3\u003EProtect sensitive data in the front channel\u003C\u002Fh3\u003E\u003Cp\u003ETo protect sensitive data in the front channel, such as a web browser, Highly Regulated Identity offers the following solutions as part of the FAPI 1 Advanced Security profile.\u003C\u002Fp\u003E\u003Ch4\u003EPushed Authorization Requests (PAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9126\u002F\"\u003EPAR\u003C\u002Fa\u003E introduces a new endpoint, which allows clients to directly push the payload of an OAuth 2.0 authorization request to the \u003Cdfn data-key=\"authorization-server\"\u003Eauthorization server\u003C\u002Fdfn\u003E (i.e. Auth0 in this case). This avoids passing the authorization parameters via the insecure front channel (i.e., the browser), thus reducing the risk of unauthorized access to authorization parameters by an intermediary.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about PAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-par\"\u003EAuthorization Code Flow with Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-par\"\u003EConfigure Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EJWT-Secured Authorization Request (JAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9101\u002F\"\u003EJAR\u003C\u002Fa\u003E is an OAuth2 protocol extension that enhances the security of authorization requests. 
It does so by using a \u003Cdfn data-key=\"json-web-token\"\u003EJSON Web Token\u003C\u002Fdfn\u003E (JWT) request parameter to protect the integrity and, optionally, the confidentiality of the authorization request parameters.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-jar\"\u003EAuthorization Code Flow with JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-jar\"\u003EConfigure JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EProtect sensitive data in access tokens\u003C\u002Fh4\u003E\u003Cp\u003ETo protect the authorization details included in access tokens, Highly Regulated Identity provides support for using \u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc7516\"\u003EJSON Web Encryption (JWE)\u003C\u002Fa\u003E to encrypt the payload of access tokens. 
This protects access tokens from application-side data breaches and unauthorized inspection into API calls by intermediaries.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JWE, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fjson-web-encryption\"\u003EJSON Web Encryption\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-json-web-encryption\"\u003EConfigure JSON Web Encryption\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EStronger application authentication\u003C\u002Fh2\u003E\u003Cp\u003ETo improve your application authentication security, Highly Regulated Identity offers two different alternatives as part of the FAPI 1 Advanced Security profile:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"http:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Fdraft-ietf-oauth-jwt-bearer\"\u003EPrivate Key JWT\u003C\u002Fa\u003E: involves generating a public-private key pair to use as credentials to authenticate an application. It is already available for customers on the Enterprise plan. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fapplication-credentials#private-key-jwt-authentication\"\u003EPrivate Key JWT Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc8705\"\u003EmTLS for OAuth\u003C\u002Fa\u003E: involves registering a standard X.509 certificate linked to an application on your tenant. The certificate can either be CA-issued or self-signed. Following standard mTLS procedures, the private key corresponding to the certificate is used on the client side to establish the mTLS tunnel when sending requests to your Auth0 tenant endpoints. As a result, Auth0 can authenticate the application without transmitting secrets over the network. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthenticate-with-mtls\"\u003EmTLS for OAuth\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EWith both Private Key JWT and OAuth 2.0 mTLS, you can rotate credentials with zero downtime by temporarily keeping two active keys and\u002For certificates at the same time for a given application.\u003C\u002Fp\u003E\u003Ch2\u003EProtect access tokens with Token Binding\u003C\u002Fh2\u003E\u003Cp\u003ESupporting mTLS also adds the ability to use Token Binding or Sender Constraining. Token Binding associates the thumbprint of the client certificate used for establishing the mTLS tunnel with an access token. When the client consumes an API using the certificate-bound access token, the API server is then able to verify whether the client is also using the associated client certificate. As a result, even if the access token is compromised, malicious actors who don’t hold the private key for the associated client certificate still cannot access protected resources.\u003C\u002Fp\u003E\u003Cp\u003E\u003Cb\u003ENote:\u003C\u002Fb\u003E Token Binding operates independently of the application's authentication method and does not require the pre-registration of the client certificate. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-sender-constraining\"\u003EConfigure Sender Constraining\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003ECustomizable approval flows for better user experience\u003C\u002Fh2\u003E\u003Cp\u003EWhen designing real-world solutions for financial-grade security, it’s important to consider user experience. Applying one-size-fits-all authentication flows for all transactions is not as effective as dynamically adjusting based on transaction details and use cases. 
\u003C\u002Fp\u003E\u003Cp\u003EYou can customize your authentication flow using \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E. For example, after the user logs in, you can inspect transaction details received via RAR, list the user’s enrolled and already validated authentication factors, and use external services, such as risk evaluation engines, to determine the next authentication factor to use. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E. \u003C\u002Fp\u003E\u003Cp\u003EThe New \u003Cdfn data-key=\"universal-login\"\u003EUniversal Login\u003C\u002Fdfn\u003E templates also enable you to customize the attributes displayed on the transaction approval screen depending on the type of transaction and other authorization details. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-rich-authorization-requests\"\u003EConfigure Rich Authorization Requests (RAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F7eBJA1IPsCIZubFKEtHh3m\u002F8ec245ebd3bab775e9ba12fbe7f4096c\u002Fimage2.png\" alt=\"\"\u003E\u003Ch2\u003E\u003Cb\u003ELearn more\u003C\u002Fb\u003E\u003C\u002Fh2\u003E\u003Cp\u003ETo learn how Highly Regulated Identity works from end-to-end to authorize a one-time transaction, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca\"\u003ETransactional Authorization with Contextual Strong Customer Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E","sitemap":true,"breadcrumbs":[{"title":"Secure","path":"\u002Fsecure","url":"\u002Fdocs\u002Fsecure"},{"title":"Highly Regulated 
Identity","path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity"}],"path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity","routeName":"article","section":"articles","titles":[{"content":"Advanced security with OpenID Connect (FAPI)","anchor":"advanced-security-with-openid-connect-fapi-","level":2},{"content":"Strong Customer Authentication (SCA)","anchor":"strong-customer-authentication-sca-","level":2},{"content":"Dynamic Linking","anchor":"dynamic-linking","level":2},{"content":"Confidentiality and integrity protection","anchor":"confidentiality-and-integrity-protection","level":2},{"content":"Protect sensitive data in the front channel","anchor":"protect-sensitive-data-in-the-front-channel","level":3},{"content":"Pushed Authorization Requests (PAR)","anchor":"pushed-authorization-requests-par-","level":4},{"content":"JWT-Secured Authorization Request (JAR)","anchor":"jwt-secured-authorization-request-jar-","level":4},{"content":"Protect sensitive data in access tokens","anchor":"protect-sensitive-data-in-access-tokens","level":4},{"content":"Stronger application authentication","anchor":"stronger-application-authentication","level":2},{"content":"Protect access tokens with Token Binding","anchor":"protect-access-tokens-with-token-binding","level":2},{"content":"Customizable approval flows for better user experience","anchor":"customizable-approval-flows-for-better-user-experience","level":2},{"content":"Learn more","anchor":"learn-more","level":2}]},"title":"Pushed Authorization Requests (PAR)"}},{"component":"Title","containerID":"portal-title-6","props":{"children":"\u003Ch4 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EJWT-Secured Authorization Request 
(JAR)\u003C\u002Fh4\u003E","anchor":"jwt-secured-authorization-request-jar-","tag":"h4","meta":{"title":"Highly Regulated Identity","updatedAt":"2024-08-27T20:23:14.565Z","contentfulId":"4MXfmXwd6WcsLjH3kFpOcv","type":"article","description":"Learn about Highly Regulated Identity, Auth0's Financial-Grade Identity solution. ","hash":"highly-regulated-identity","sections":["secure","highly-regulated-identity"],"toc":false,"public":true,"parent":null,"referenceLinks":null,"content":"\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"default\"\u003E\u003Cp\u003ETo use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fpricing\u002F\"\u003EAuth0 Pricing\u003C\u002Fa\u003E for details.\u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EHighly Regulated Identity (HRI) is Auth0’s Financial-Grade Identity™ solution to secure sensitive data operations and services important for your business. Initially targeting highly regulated industries like finance and healthcare, Highly Regulated Identity raises the security level to protect a wide range of customer use cases, including but not limited to money transfers, digital payments, and access to medical records. You can also use Highly Regulated Identity for other sensitive operations that require enhanced security, such as to approve changes in administrative credentials, secure privileged access to a web portal, and more. 
\u003C\u002Fp\u003E\u003Cp\u003ETo secure your sensitive business operations, Highly Regulated Identity provides:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#advanced-security-with-openid-connect-fapi-\"\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#strong-customer-authentication-sca-\"\u003EStrong Customer Authentication (SCA)\u003C\u002Fa\u003E and \u003Ca href=\"#dynamic-linking\"\u003EDynamic Linking\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#customizable-approval-flows-for-better-user-experience\"\u003ECustomizable approval flows for better user experience\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fh2\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EOpenID FAPI\u003C\u002Fa\u003E is a suite of security and privacy specifications developed by the \u003Cdfn data-key=\"openid\"\u003EOpenID\u003C\u002Fdfn\u003E Foundation. 
APIs that meet the FAPI standards are classified as “financial-grade,” which means that they provide robust authentication and authorization mechanisms that help secure access to financial and other sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003EAuth0 is a certified FAPI provider. To learn more about the security improvements we introduced to meet FAPI standards, see the following sections:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EFor more information on FAPI, see OpenID's \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwordpress-content\u002Fuploads\u002F2022\u002F03\u002FOIDF-Whitepaper_Open-Banking-Open-Data-and-Financial-Grade-APIs_2022-03-16.pdf\"\u003EOpen Banking, Open Data, and Financial-grade APIs\u003C\u002Fa\u003E whitepaper and the \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EFAPI Working Group specifications\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F20iajPMtmICMORUfaVQH7a\u002Fec900e1007b3faebd66eb2508f46acb0\u002Fimage17.png\" alt=\"\"\u003E\u003Ch2\u003EStrong Customer Authentication (SCA)\u003C\u002Fh2\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F3JDIerJcevImoIDRd7OfIy\u002F98597a9164b66cde9ec7ddc23f3e849b\u002Fimage14.png\" alt=\"\"\u003E\u003Cp\u003EIntroduced by Europe’s \u003Ca 
href=\"https:\u002F\u002Fwww.europeanpaymentscouncil.eu\u002Fsites\u002Fdefault\u002Ffiles\u002Finfographic\u002F2018-04\u002FEPC_Infographic_PSD2_April%202018.pdf\"\u003EPayment Services Directive (PSD2)\u003C\u002Fa\u003E, Strong Customer Authentication (SCA) mandates the use of at least two distinct authentication factors out of the following three:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003ESomething the user knows (e.g., a password)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething the user possesses (e.g., a device)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething intrinsic to the user (e.g., a fingerprint)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EThe authentication factors must be independent so that compromising one does not jeopardize the others. SCA is quickly becoming the worldwide standard for safeguarding sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003ETo help with SCA compliance, Auth0 offers various authentication factors that enroll and challenge users during a login transaction. Highly Regulated Identity leverages the following authentication factors to secure your transactions: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EMobile push notifications\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESMS\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EEmail\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EWebAuthn\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EUsing \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E, you can dynamically determine which authentication factors to use. This gives you the flexibility to customize your code logic. For example, you can add a second authentication factor for payments above 10 USD. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EDynamic Linking\u003C\u002Fh2\u003E\u003Cp\u003EPSD2 requires that payment service providers implement Dynamic Linking along with Strong Customer Authentication. Dynamic Linking presents the user with transaction details for their explicit validation and approval and uniquely links the authorization and the transaction details. This ensures a good user experience and helps with regulatory compliance.\u003C\u002Fp\u003E\u003Cp\u003ETo enable Dynamic Linking, you can use Rich Authorization Requests (RAR) to pass fine-grained transaction authorization data to the \u003Cdfn data-key=\"oath2\"\u003EOAuth\u003C\u002Fdfn\u003E authorization endpoint. The following code sample shows an \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E JSON object, which contains information like the payment type, amount, currency, and recipient:\u003C\u002Fp\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode\u003E\"authorization_details\": [\n {\n \"type\": \"one_time_payment\",\n \"amount\": {\n \"amount\": 2460.46,\n \"currency\": \"USD\"\n },\n \"sourceAccount\": \"xxxxxxxxxxx4567\",\n \"recipient\": \"Acme Travel, Inc.\",\n \"concept\": \"All Inclusive Resort Package for Two\"\n }\n]\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003E\u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E is assigned a unique transaction reference, which Auth0 uses to prompt the user to perform step-up authentication: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EUse push notifications to show transaction details and get approval on a separate device such as a mobile phone application.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EUse SMS, email, or WebAuthn to 
confirm the details on the device that originated the transaction after the user completes the second authentication factor.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"warning\"\u003E\u003Cp\u003EDo not pass fine-grained transaction authorization data or other sensitive or regulated data outside of \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E. \u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EIf the user confirms the details, the transaction progresses and Auth0 issues an \u003Cdfn data-key=\"access-token\"\u003Eaccess token\u003C\u002Fdfn\u003E associated with the now-approved authorization_details. Developers can also add the unique transaction reference to the access token. As a result, your API servers can later validate the approved transaction details when receiving and servicing API requests.\n\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about RAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-rar\"\u003EAuthorization Code Flow with Rich Authorization Requests\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EConfidentiality and integrity protection\u003C\u002Fh2\u003E\u003Cp\u003EAuthorization details may include account numbers, monetary amounts, merchant names, and other highly sensitive information that are passed in URLs or access tokens that are not secure. 
To protect sensitive data from unauthorized access and tampering, Highly Regulated Identity offers comprehensive confidentiality and integrity protection.\u003C\u002Fp\u003E\u003Ch3\u003EProtect sensitive data in the front channel\u003C\u002Fh3\u003E\u003Cp\u003ETo protect sensitive data in the front channel, such as a web browser, Highly Regulated Identity offers the following solutions as part of the FAPI 1 Advanced Security profile.\u003C\u002Fp\u003E\u003Ch4\u003EPushed Authorization Requests (PAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9126\u002F\"\u003EPAR\u003C\u002Fa\u003E introduces a new endpoint, which allows clients to directly push the payload of an OAuth 2.0 authorization request to the \u003Cdfn data-key=\"authorization-server\"\u003Eauthorization server\u003C\u002Fdfn\u003E (i.e. Auth0 in this case). This avoids passing the authorization parameters via the insecure front channel (i.e., the browser), thus reducing the risk of unauthorized access to authorization parameters by an intermediary.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about PAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-par\"\u003EAuthorization Code Flow with Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-par\"\u003EConfigure Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EJWT-Secured Authorization Request (JAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9101\u002F\"\u003EJAR\u003C\u002Fa\u003E is an OAuth2 protocol extension that enhances the security of authorization requests. 
It does so by using a \u003Cdfn data-key=\"json-web-token\"\u003EJSON Web Token\u003C\u002Fdfn\u003E (JWT) request parameter to protect the integrity and, optionally, the confidentiality of the authorization request parameters.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-jar\"\u003EAuthorization Code Flow with JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-jar\"\u003EConfigure JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EProtect sensitive data in access tokens\u003C\u002Fh4\u003E\u003Cp\u003ETo protect the authorization details included in access tokens, Highly Regulated Identity provides support for using \u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc7516\"\u003EJSON Web Encryption (JWE)\u003C\u002Fa\u003E to encrypt the payload of access tokens. 
This protects access tokens from application-side data breaches and unauthorized inspection into API calls by intermediaries.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JWE, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fjson-web-encryption\"\u003EJSON Web Encryption\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-json-web-encryption\"\u003EConfigure JSON Web Encryption\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EStronger application authentication\u003C\u002Fh2\u003E\u003Cp\u003ETo improve your application authentication security, Highly Regulated Identity offers two different alternatives as part of the FAPI 1 Advanced Security profile:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"http:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Fdraft-ietf-oauth-jwt-bearer\"\u003EPrivate Key JWT\u003C\u002Fa\u003E: involves generating a public-private key pair to use as credentials to authenticate an application. It is already available for customers on the Enterprise plan. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fapplication-credentials#private-key-jwt-authentication\"\u003EPrivate Key JWT Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc8705\"\u003EmTLS for OAuth\u003C\u002Fa\u003E: involves registering a standard X.509 certificate linked to an application on your tenant. The certificate can either be CA-issued or self-signed. Following standard mTLS procedures, the private key corresponding to the certificate is used on the client side to establish the mTLS tunnel when sending requests to your Auth0 tenant endpoints. As a result, Auth0 can authenticate the application without transmitting secrets over the network. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthenticate-with-mtls\"\u003EmTLS for OAuth\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EWith both Private Key JWT and OAuth 2.0 mTLS, you can rotate credentials with zero downtime by temporarily keeping two active keys and\u002For certificates at the same time for a given application.\u003C\u002Fp\u003E\u003Ch2\u003EProtect access tokens with Token Binding\u003C\u002Fh2\u003E\u003Cp\u003ESupporting mTLS also adds the ability to use Token Binding or Sender Constraining. Token Binding associates the thumbprint of the client certificate used for establishing the mTLS tunnel to an access token. When the client consumes an API using the certificate-bound access token, the API server is then able to verify whether the client is also using the associated client certificate. As a result, even if the access token is compromised, malicious actors who don’t hold the private key for the associated client certificate still cannot access protected resources.\u003C\u002Fp\u003E\u003Cp\u003E\u003Cb\u003ENote:\u003C\u002Fb\u003E Token Binding operates independently of the application's authentication method and does not require the pre-registration of the client certificate. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-sender-constraining\"\u003EConfigure Sender Constraining\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003ECustomizable approval flows for better user experience\u003C\u002Fh2\u003E\u003Cp\u003EWhen designing real-world solutions for financial-grade security, it’s important to consider user experience. Applying one-size-fits-all authentication flows for all transactions is not as effective as dynamically adjusting based on transaction details and use cases. 
\u003C\u002Fp\u003E\u003Cp\u003EYou can customize your authentication flow using \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E. For example, after the user logs in, you can inspect transaction details received via RAR, list the user’s enrolled and already validated authentication factors, and use external services, such as risk evaluation engines, to determine the next authentication factor to use. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E. \u003C\u002Fp\u003E\u003Cp\u003EThe New \u003Cdfn data-key=\"universal-login\"\u003EUniversal Login\u003C\u002Fdfn\u003E templates also enable you to customize the attributes displayed on the transaction approval screen depending on the type of transaction and other authorization details. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-rich-authorization-requests\"\u003EConfigure Rich Authorization Requests (RAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F7eBJA1IPsCIZubFKEtHh3m\u002F8ec245ebd3bab775e9ba12fbe7f4096c\u002Fimage2.png\" alt=\"\"\u003E\u003Ch2\u003E\u003Cb\u003ELearn more\u003C\u002Fb\u003E\u003C\u002Fh2\u003E\u003Cp\u003ETo learn how Highly Regulated Identity works from end-to-end to authorize a one-time transaction, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca\"\u003ETransactional Authorization with Contextual Strong Customer Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E","sitemap":true,"breadcrumbs":[{"title":"Secure","path":"\u002Fsecure","url":"\u002Fdocs\u002Fsecure"},{"title":"Highly Regulated 
Identity","path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity"}],"path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity","routeName":"article","section":"articles","titles":[{"content":"Advanced security with OpenID Connect (FAPI)","anchor":"advanced-security-with-openid-connect-fapi-","level":2},{"content":"Strong Customer Authentication (SCA)","anchor":"strong-customer-authentication-sca-","level":2},{"content":"Dynamic Linking","anchor":"dynamic-linking","level":2},{"content":"Confidentiality and integrity protection","anchor":"confidentiality-and-integrity-protection","level":2},{"content":"Protect sensitive data in the front channel","anchor":"protect-sensitive-data-in-the-front-channel","level":3},{"content":"Pushed Authorization Requests (PAR)","anchor":"pushed-authorization-requests-par-","level":4},{"content":"JWT-Secured Authorization Request (JAR)","anchor":"jwt-secured-authorization-request-jar-","level":4},{"content":"Protect sensitive data in access tokens","anchor":"protect-sensitive-data-in-access-tokens","level":4},{"content":"Stronger application authentication","anchor":"stronger-application-authentication","level":2},{"content":"Protect access tokens with Token Binding","anchor":"protect-access-tokens-with-token-binding","level":2},{"content":"Customizable approval flows for better user experience","anchor":"customizable-approval-flows-for-better-user-experience","level":2},{"content":"Learn more","anchor":"learn-more","level":2}]},"title":"JWT-Secured Authorization Request (JAR)"}},{"component":"Title","containerID":"portal-title-7","props":{"children":"\u003Ch4 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EProtect sensitive data in access 
tokens\u003C\u002Fh4\u003E","anchor":"protect-sensitive-data-in-access-tokens","tag":"h4","meta":{"title":"Highly Regulated Identity","updatedAt":"2024-08-27T20:23:14.565Z","contentfulId":"4MXfmXwd6WcsLjH3kFpOcv","type":"article","description":"Learn about Highly Regulated Identity, Auth0's Financial-Grade Identity solution. ","hash":"highly-regulated-identity","sections":["secure","highly-regulated-identity"],"toc":false,"public":true,"parent":null,"referenceLinks":null,"content":"\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"default\"\u003E\u003Cp\u003ETo use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fpricing\u002F\"\u003EAuth0 Pricing\u003C\u002Fa\u003E for details.\u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EHighly Regulated Identity (HRI) is Auth0’s Financial-Grade Identity™ solution to secure sensitive data operations and services important for your business. Initially targeting highly regulated industries like finance and healthcare, Highly Regulated Identity raises the security level to protect a wide range of customer use cases, including but not limited to money transfers, digital payments, and access to medical records. You can also use Highly Regulated Identity for other sensitive operations that require enhanced security, such as to approve changes in administrative credentials, secure privileged access to a web portal, and more. 
\u003C\u002Fp\u003E\u003Cp\u003ETo secure your sensitive business operations, Highly Regulated Identity provides:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#advanced-security-with-openid-connect-fapi-\"\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#strong-customer-authentication-sca-\"\u003EStrong Customer Authentication (SCA)\u003C\u002Fa\u003E and \u003Ca href=\"#dynamic-linking\"\u003EDynamic Linking\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#customizable-approval-flows-for-better-user-experience\"\u003ECustomizable approval flows for better user experience\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fh2\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EOpenID FAPI\u003C\u002Fa\u003E is a suite of security and privacy specifications developed by the \u003Cdfn data-key=\"openid\"\u003EOpenID\u003C\u002Fdfn\u003E Foundation. 
APIs that meet the FAPI standards are classified as “financial-grade,” which means that they provide robust authentication and authorization mechanisms that help secure access to financial and other sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003EAuth0 is a certified FAPI provider. To learn more about the security improvements we introduced to meet FAPI standards, see the following sections:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EFor more information on FAPI, see OpenID's \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwordpress-content\u002Fuploads\u002F2022\u002F03\u002FOIDF-Whitepaper_Open-Banking-Open-Data-and-Financial-Grade-APIs_2022-03-16.pdf\"\u003EOpen Banking, Open Data, and Financial-grade APIs\u003C\u002Fa\u003E whitepaper and the \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EFAPI Working Group specifications\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F20iajPMtmICMORUfaVQH7a\u002Fec900e1007b3faebd66eb2508f46acb0\u002Fimage17.png\" alt=\"\"\u003E\u003Ch2\u003EStrong Customer Authentication (SCA)\u003C\u002Fh2\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F3JDIerJcevImoIDRd7OfIy\u002F98597a9164b66cde9ec7ddc23f3e849b\u002Fimage14.png\" alt=\"\"\u003E\u003Cp\u003EIntroduced by Europe’s \u003Ca 
href=\"https:\u002F\u002Fwww.europeanpaymentscouncil.eu\u002Fsites\u002Fdefault\u002Ffiles\u002Finfographic\u002F2018-04\u002FEPC_Infographic_PSD2_April%202018.pdf\"\u003EPayment Services Directive (PSD2)\u003C\u002Fa\u003E, Strong Customer Authentication (SCA) mandates the use of at least two distinct authentication factors out of the following three:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003ESomething the user knows (e.g., a password)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething the user possesses (e.g., a device)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething intrinsic to the user (e.g., a fingerprint)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EThe authentication factors must be independent so that compromising one does not jeopardize the others. SCA is quickly becoming the worldwide standard for safeguarding sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003ETo help with SCA compliance, Auth0 offers various authentication factors that enroll and challenge users during a login transaction. Highly Regulated Identity leverages the following authentication factors to secure your transactions: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EMobile push notifications\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESMS\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EEmail\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EWebAuthn\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EUsing \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E, you can dynamically determine which authentication factors to use. This gives you the flexibility to customize your code logic. For example, you can add a second authentication factor for payments above 10 USD. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EDynamic Linking\u003C\u002Fh2\u003E\u003Cp\u003EPSD2 requires that payment service providers implement Dynamic Linking along with Strong Customer Authentication. Dynamic Linking presents the user with transaction details for their explicit validation and approval and uniquely links the authorization and the transaction details. This ensures a good user experience and helps with regulatory compliance.\u003C\u002Fp\u003E\u003Cp\u003ETo enable Dynamic Linking, you can use Rich Authorization Requests (RAR) to pass fine-grained transaction authorization data to the \u003Cdfn data-key=\"oath2\"\u003EOAuth\u003C\u002Fdfn\u003E authorization endpoint. The following code sample shows an \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E JSON object, which contains information like the payment type, amount, currency, and recipient:\u003C\u002Fp\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode\u003E\"authorization_details\": [\n {\n \"type\": \"one_time_payment\",\n \"amount\": {\n \"amount\": 2460.46,\n \"currency\": \"USD\"\n },\n \"sourceAccount\": \"xxxxxxxxxxx4567\",\n \"recipient\": \"Acme Travel, Inc.\",\n \"concept\": \"All Inclusive Resort Package for Two\"\n }\n]\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003E\u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E is assigned a unique transaction reference, which Auth0 uses to prompt the user to perform step-up authentication: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EUse push notifications to show transaction details and get approval on a separate device such as a mobile phone application.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EUse SMS, email, or WebAuthn to 
confirm the details on the device that originated the transaction after the user completes the second authentication factor.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"warning\"\u003E\u003Cp\u003EDo not pass fine-grained transaction authorization data or other sensitive or regulated data outside of \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E. \u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EIf the user confirms the details, the transaction progresses and Auth0 issues an \u003Cdfn data-key=\"access-token\"\u003Eaccess token\u003C\u002Fdfn\u003E associated with the now-approved authorization_details. Developers can also add the unique transaction reference to the access token. As a result, your API servers can later validate the approved transaction details when receiving and servicing API requests.\n\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about RAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-rar\"\u003EAuthorization Code Flow with Rich Authorization Requests\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EConfidentiality and integrity protection\u003C\u002Fh2\u003E\u003Cp\u003EAuthorization details may include account numbers, monetary amounts, merchant names, and other highly sensitive information that are passed in URLs or access tokens that are not secure. 
To protect sensitive data from unauthorized access and tampering, Highly Regulated Identity offers comprehensive confidentiality and integrity protection.\u003C\u002Fp\u003E\u003Ch3\u003EProtect sensitive data in the front channel\u003C\u002Fh3\u003E\u003Cp\u003ETo protect sensitive data in the front channel, such as a web browser, Highly Regulated Identity offers the following solutions as part of the FAPI 1 Advanced Security profile.\u003C\u002Fp\u003E\u003Ch4\u003EPushed Authorization Requests (PAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9126\u002F\"\u003EPAR\u003C\u002Fa\u003E introduces a new endpoint, which allows clients to directly push the payload of an OAuth 2.0 authorization request to the \u003Cdfn data-key=\"authorization-server\"\u003Eauthorization server\u003C\u002Fdfn\u003E (i.e. Auth0 in this case). This avoids passing the authorization parameters via the insecure front channel (i.e., the browser), thus reducing the risk of unauthorized access to authorization parameters by an intermediary.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about PAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-par\"\u003EAuthorization Code Flow with Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-par\"\u003EConfigure Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EJWT-Secured Authorization Request (JAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9101\u002F\"\u003EJAR\u003C\u002Fa\u003E is an OAuth2 protocol extension that enhances the security of authorization requests. 
It does so by using a \u003Cdfn data-key=\"json-web-token\"\u003EJSON Web Token\u003C\u002Fdfn\u003E (JWT) request parameter to protect the integrity and, optionally, the confidentiality of the authorization request parameters.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-jar\"\u003EAuthorization Code Flow with JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-jar\"\u003EConfigure JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EProtect sensitive data in access tokens\u003C\u002Fh4\u003E\u003Cp\u003ETo protect the authorization details included in access tokens, Highly Regulated Identity provides support for using \u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc7516\"\u003EJSON Web Encryption (JWE)\u003C\u002Fa\u003E to encrypt the payload of access tokens. 
This protects access tokens from application-side data breaches and unauthorized inspection into API calls by intermediaries.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JWE, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fjson-web-encryption\"\u003EJSON Web Encryption\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-json-web-encryption\"\u003EConfigure JSON Web Encryption\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EStronger application authentication\u003C\u002Fh2\u003E\u003Cp\u003ETo improve your application authentication security, Highly Regulated Identity offers two different alternatives as part of the FAPI 1 Advanced Security profile:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"http:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Fdraft-ietf-oauth-jwt-bearer\"\u003EPrivate Key JWT\u003C\u002Fa\u003E: involves generating a public-private key pair to use as credentials to authenticate an application. It is already available for customers on the Enterprise plan. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fapplication-credentials#private-key-jwt-authentication\"\u003EPrivate Key JWT Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc8705\"\u003EmTLS for OAuth\u003C\u002Fa\u003E: involves registering a standard X.509 certificate linked to an application on your tenant. The certificate can either be CA-issued or self-signed. Following standard mTLS procedures, the private key corresponding to the certificate is used on the client side to establish the mTLS tunnel when sending requests to your Auth0 tenant endpoints. As a result, Auth0 can authenticate the application without transmitting secrets over the network. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthenticate-with-mtls\"\u003EmTLS for OAuth\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EWith both Private Key JWT and OAuth 2.0 mTLS, you can rotate credentials with zero downtime by temporarily keeping two active keys and\u002For certificates at the same time for a given application.\u003C\u002Fp\u003E\u003Ch2\u003EProtect access tokens with Token Binding\u003C\u002Fh2\u003E\u003Cp\u003ESupporting mTLS also adds the ability to use Token Binding or Sender Constraining. Token Binding associates the thumbprint of the client certificate used for establishing the mTLS tunnel with an access token. When the client consumes an API using the certificate-bound access token, the API server is then able to verify whether the client is also using the associated client certificate. As a result, even if the access token is compromised, malicious actors who do not hold the private key for the bound client certificate still cannot access protected resources.\u003C\u002Fp\u003E\u003Cp\u003E\u003Cb\u003ENote:\u003C\u002Fb\u003E Token Binding operates independently of the application's authentication method and does not require the pre-registration of the client certificate. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-sender-constraining\"\u003EConfigure Sender Constraining\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003ECustomizable approval flows for better user experience\u003C\u002Fh2\u003E\u003Cp\u003EWhen designing real-world solutions for financial-grade security, it’s important to consider user experience. Applying one-size-fits-all authentication flows for all transactions is not as effective as dynamically adjusting based on transaction details and use cases. 
\u003C\u002Fp\u003E\u003Cp\u003EYou can customize your authentication flow using \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E. For example, after the user logs in, you can inspect transaction details received via RAR, list the user’s enrolled and already validated authentication factors, and use external services, such as risk evaluation engines, to determine the next authentication factor to use. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E. \u003C\u002Fp\u003E\u003Cp\u003EThe New \u003Cdfn data-key=\"universal-login\"\u003EUniversal Login\u003C\u002Fdfn\u003E templates also enable you to customize the attributes displayed on the transaction approval screen depending on the type of transaction and other authorization details. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-rich-authorization-requests\"\u003EConfigure Rich Authorization Requests (RAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F7eBJA1IPsCIZubFKEtHh3m\u002F8ec245ebd3bab775e9ba12fbe7f4096c\u002Fimage2.png\" alt=\"\"\u003E\u003Ch2\u003E\u003Cb\u003ELearn more\u003C\u002Fb\u003E\u003C\u002Fh2\u003E\u003Cp\u003ETo learn how Highly Regulated Identity works from end-to-end to authorize a one-time transaction, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca\"\u003ETransactional Authorization with Contextual Strong Customer Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E","sitemap":true,"breadcrumbs":[{"title":"Secure","path":"\u002Fsecure","url":"\u002Fdocs\u002Fsecure"},{"title":"Highly Regulated 
Identity","path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity"}],"path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity","routeName":"article","section":"articles","titles":[{"content":"Advanced security with OpenID Connect (FAPI)","anchor":"advanced-security-with-openid-connect-fapi-","level":2},{"content":"Strong Customer Authentication (SCA)","anchor":"strong-customer-authentication-sca-","level":2},{"content":"Dynamic Linking","anchor":"dynamic-linking","level":2},{"content":"Confidentiality and integrity protection","anchor":"confidentiality-and-integrity-protection","level":2},{"content":"Protect sensitive data in the front channel","anchor":"protect-sensitive-data-in-the-front-channel","level":3},{"content":"Pushed Authorization Requests (PAR)","anchor":"pushed-authorization-requests-par-","level":4},{"content":"JWT-Secured Authorization Request (JAR)","anchor":"jwt-secured-authorization-request-jar-","level":4},{"content":"Protect sensitive data in access tokens","anchor":"protect-sensitive-data-in-access-tokens","level":4},{"content":"Stronger application authentication","anchor":"stronger-application-authentication","level":2},{"content":"Protect access tokens with Token Binding","anchor":"protect-access-tokens-with-token-binding","level":2},{"content":"Customizable approval flows for better user experience","anchor":"customizable-approval-flows-for-better-user-experience","level":2},{"content":"Learn more","anchor":"learn-more","level":2}]},"title":"Protect sensitive data in access tokens"}},{"component":"Title","containerID":"portal-title-8","props":{"children":"\u003Ch2 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EStronger application 
authentication\u003C\u002Fh2\u003E","anchor":"stronger-application-authentication","tag":"h2","meta":{"title":"Highly Regulated Identity","updatedAt":"2024-08-27T20:23:14.565Z","contentfulId":"4MXfmXwd6WcsLjH3kFpOcv","type":"article","description":"Learn about Highly Regulated Identity, Auth0's Financial-Grade Identity solution. ","hash":"highly-regulated-identity","sections":["secure","highly-regulated-identity"],"toc":false,"public":true,"parent":null,"referenceLinks":null,"content":"\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"default\"\u003E\u003Cp\u003ETo use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fpricing\u002F\"\u003EAuth0 Pricing\u003C\u002Fa\u003E for details.\u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EHighly Regulated Identity (HRI) is Auth0’s Financial-Grade Identity™ solution to secure sensitive data operations and services important for your business. Initially targeting highly regulated industries like finance and healthcare, Highly Regulated Identity raises the security level to protect a wide range of customer use cases, including but not limited to money transfers, digital payments, and access to medical records. You can also use Highly Regulated Identity for other sensitive operations that require enhanced security, such as to approve changes in administrative credentials, secure privileged access to a web portal, and more. 
\u003C\u002Fp\u003E\u003Cp\u003ETo secure your sensitive business operations, Highly Regulated Identity provides:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#advanced-security-with-openid-connect-fapi-\"\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#strong-customer-authentication-sca-\"\u003EStrong Customer Authentication (SCA)\u003C\u002Fa\u003E and \u003Ca href=\"#dynamic-linking\"\u003EDynamic Linking\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#customizable-approval-flows-for-better-user-experience\"\u003ECustomizable approval flows for better user experience\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fh2\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EOpenID FAPI\u003C\u002Fa\u003E is a suite of security and privacy specifications developed by the \u003Cdfn data-key=\"openid\"\u003EOpenID\u003C\u002Fdfn\u003E Foundation. 
APIs that meet the FAPI standards are classified as “financial-grade,” which means that they provide robust authentication and authorization mechanisms that help secure access to financial and other sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003EAuth0 is a certified FAPI provider. To learn more about the security improvements we introduced to meet FAPI standards, see the following sections:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EFor more information on FAPI, see OpenID's \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwordpress-content\u002Fuploads\u002F2022\u002F03\u002FOIDF-Whitepaper_Open-Banking-Open-Data-and-Financial-Grade-APIs_2022-03-16.pdf\"\u003EOpen Banking, Open Data, and Financial-grade APIs\u003C\u002Fa\u003E whitepaper and the \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EFAPI Working Group specifications\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F20iajPMtmICMORUfaVQH7a\u002Fec900e1007b3faebd66eb2508f46acb0\u002Fimage17.png\" alt=\"\"\u003E\u003Ch2\u003EStrong Customer Authentication (SCA)\u003C\u002Fh2\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F3JDIerJcevImoIDRd7OfIy\u002F98597a9164b66cde9ec7ddc23f3e849b\u002Fimage14.png\" alt=\"\"\u003E\u003Cp\u003EIntroduced by Europe’s \u003Ca 
href=\"https:\u002F\u002Fwww.europeanpaymentscouncil.eu\u002Fsites\u002Fdefault\u002Ffiles\u002Finfographic\u002F2018-04\u002FEPC_Infographic_PSD2_April%202018.pdf\"\u003EPayment Services Directive (PSD2)\u003C\u002Fa\u003E, Strong Customer Authentication (SCA) mandates the use of at least two distinct authentication factors out of the following three:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003ESomething the user knows (e.g., a password)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething the user possesses (e.g., a device)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething intrinsic to the user (e.g., a fingerprint)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EThe authentication factors must be independent so that compromising one does not jeopardize the others. SCA is quickly becoming the worldwide standard for safeguarding sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003ETo help with SCA compliance, Auth0 offers various authentication factors that enroll and challenge users during a login transaction. Highly Regulated Identity leverages the following authentication factors to secure your transactions: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EMobile push notifications\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESMS\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EEmail\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EWebAuthn\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EUsing \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E, you can dynamically determine which authentication factors to use. This gives you the flexibility to customize your code logic. For example, you can add a second authentication factor for payments above 10 USD. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EDynamic Linking\u003C\u002Fh2\u003E\u003Cp\u003EPSD2 requires that payment service providers implement Dynamic Linking along with Strong Customer Authentication. Dynamic Linking presents the user with transaction details for their explicit validation and approval and uniquely links the authorization and the transaction details. This ensures a good user experience and helps with regulatory compliance.\u003C\u002Fp\u003E\u003Cp\u003ETo enable Dynamic Linking, you can use Rich Authorization Requests (RAR) to pass fine-grained transaction authorization data to the \u003Cdfn data-key=\"oath2\"\u003EOAuth\u003C\u002Fdfn\u003E authorization endpoint. The following code sample shows an \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E JSON object, which contains information like the payment type, amount, currency, and recipient:\u003C\u002Fp\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode\u003E\"authorization_details\": [\n {\n \"type\": \"one_time_payment\",\n \"amount\": {\n \"amount\": 2460.46,\n \"currency\": \"USD\"\n },\n \"sourceAccount\": \"xxxxxxxxxxx4567\",\n \"recipient\": \"Acme Travel, Inc.\",\n \"concept\": \"All Inclusive Resort Package for Two\"\n }\n]\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003E\u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E is assigned a unique transaction reference, which Auth0 uses to prompt the user to perform step-up authentication: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EUse push notifications to show transaction details and get approval on a separate device such as a mobile phone application.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EUse SMS, email, or WebAuthn to 
confirm the details on the device that originated the transaction after the user completes the second authentication factor.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"warning\"\u003E\u003Cp\u003EDo not pass fine-grained transaction authorization data or other sensitive or regulated data outside of \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E. \u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EIf the user confirms the details, the transaction progresses and Auth0 issues an \u003Cdfn data-key=\"access-token\"\u003Eaccess token\u003C\u002Fdfn\u003E associated with the now-approved authorization_details. Developers can also add the unique transaction reference to the access token. As a result, your API servers can later validate the approved transaction details when receiving and servicing API requests.\n\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about RAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-rar\"\u003EAuthorization Code Flow with Rich Authorization Requests\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EConfidentiality and integrity protection\u003C\u002Fh2\u003E\u003Cp\u003EAuthorization details may include account numbers, monetary amounts, merchant names, and other highly sensitive information that is passed in URLs or access tokens that are not secure. 
To protect sensitive data from unauthorized access and tampering, Highly Regulated Identity offers comprehensive confidentiality and integrity protection.\u003C\u002Fp\u003E\u003Ch3\u003EProtect sensitive data in the front channel\u003C\u002Fh3\u003E\u003Cp\u003ETo protect sensitive data in the front channel, such as a web browser, Highly Regulated Identity offers the following solutions as part of the FAPI 1 Advanced Security profile.\u003C\u002Fp\u003E\u003Ch4\u003EPushed Authorization Requests (PAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9126\u002F\"\u003EPAR\u003C\u002Fa\u003E introduces a new endpoint, which allows clients to directly push the payload of an OAuth 2.0 authorization request to the \u003Cdfn data-key=\"authorization-server\"\u003Eauthorization server\u003C\u002Fdfn\u003E (i.e. Auth0 in this case). This avoids passing the authorization parameters via the insecure front channel (i.e., the browser), thus reducing the risk of unauthorized access to authorization parameters by an intermediary.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about PAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-par\"\u003EAuthorization Code Flow with Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-par\"\u003EConfigure Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EJWT-Secured Authorization Request (JAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9101\u002F\"\u003EJAR\u003C\u002Fa\u003E is an OAuth2 protocol extension that enhances the security of authorization requests. 
It does so by using a \u003Cdfn data-key=\"json-web-token\"\u003EJSON Web Token\u003C\u002Fdfn\u003E (JWT) request parameter to protect the integrity and, optionally, the confidentiality of the authorization request parameters.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-jar\"\u003EAuthorization Code Flow with JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-jar\"\u003EConfigure JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EProtect sensitive data in access tokens\u003C\u002Fh4\u003E\u003Cp\u003ETo protect the authorization details included in access tokens, Highly Regulated Identity provides support for using \u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc7516\"\u003EJSON Web Encryption (JWE)\u003C\u002Fa\u003E to encrypt the payload of access tokens. 
This protects access tokens from application-side data breaches and unauthorized inspection into API calls by intermediaries.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JWE, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fjson-web-encryption\"\u003EJSON Web Encryption\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-json-web-encryption\"\u003EConfigure JSON Web Encryption\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EStronger application authentication\u003C\u002Fh2\u003E\u003Cp\u003ETo improve your application authentication security, Highly Regulated Identity offers two different alternatives as part of the FAPI 1 Advanced Security profile:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"http:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Fdraft-ietf-oauth-jwt-bearer\"\u003EPrivate Key JWT\u003C\u002Fa\u003E: involves generating a public-private key pair to use as credentials to authenticate an application. It is already available for customers on the Enterprise plan. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fapplication-credentials#private-key-jwt-authentication\"\u003EPrivate Key JWT Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc8705\"\u003EmTLS for OAuth\u003C\u002Fa\u003E: involves registering a standard X.509 certificate linked to an application on your tenant. The certificate can either be CA-issued or self-signed. Following standard mTLS procedures, the private key corresponding to the certificate is used on the client side to establish the mTLS tunnel when sending requests to your Auth0 tenant endpoints. As a result, Auth0 can authenticate the application without transmitting secrets over the network. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthenticate-with-mtls\"\u003EmTLS for OAuth\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EWith both Private Key JWT and OAuth 2.0 mTLS, you can rotate credentials with zero downtime by temporarily keeping two active keys and\u002For certificates at the same time for a given application.\u003C\u002Fp\u003E\u003Ch2\u003EProtect access tokens with Token Binding\u003C\u002Fh2\u003E\u003Cp\u003ESupporting mTLS also adds the ability to use Token Binding or Sender Constraining. Token Binding associates the thumbprint of the client certificate used for establishing the mTLS tunnel with an access token. When the client consumes an API using the certificate-bound access token, the API server is then able to verify whether the client is also using the associated client certificate. As a result, even if the access token is compromised, malicious actors who do not hold the private key for the bound client certificate still cannot access protected resources.\u003C\u002Fp\u003E\u003Cp\u003E\u003Cb\u003ENote:\u003C\u002Fb\u003E Token Binding operates independently of the application's authentication method and does not require the pre-registration of the client certificate. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-sender-constraining\"\u003EConfigure Sender Constraining\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003ECustomizable approval flows for better user experience\u003C\u002Fh2\u003E\u003Cp\u003EWhen designing real-world solutions for financial-grade security, it’s important to consider user experience. Applying one-size-fits-all authentication flows for all transactions is not as effective as dynamically adjusting based on transaction details and use cases. 
\u003C\u002Fp\u003E\u003Cp\u003EYou can customize your authentication flow using \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E. For example, after the user logs in, you can inspect transaction details received via RAR, list the user’s enrolled and already validated authentication factors, and use external services, such as risk evaluation engines, to determine the next authentication factor to use. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E. \u003C\u002Fp\u003E\u003Cp\u003EThe New \u003Cdfn data-key=\"universal-login\"\u003EUniversal Login\u003C\u002Fdfn\u003E templates also enable you to customize the attributes displayed on the transaction approval screen depending on the type of transaction and other authorization details. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-rich-authorization-requests\"\u003EConfigure Rich Authorization Requests (RAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F7eBJA1IPsCIZubFKEtHh3m\u002F8ec245ebd3bab775e9ba12fbe7f4096c\u002Fimage2.png\" alt=\"\"\u003E\u003Ch2\u003E\u003Cb\u003ELearn more\u003C\u002Fb\u003E\u003C\u002Fh2\u003E\u003Cp\u003ETo learn how Highly Regulated Identity works from end-to-end to authorize a one-time transaction, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca\"\u003ETransactional Authorization with Contextual Strong Customer Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E","sitemap":true,"breadcrumbs":[{"title":"Secure","path":"\u002Fsecure","url":"\u002Fdocs\u002Fsecure"},{"title":"Highly Regulated 
Identity","path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity"}],"path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity","routeName":"article","section":"articles","titles":[{"content":"Advanced security with OpenID Connect (FAPI)","anchor":"advanced-security-with-openid-connect-fapi-","level":2},{"content":"Strong Customer Authentication (SCA)","anchor":"strong-customer-authentication-sca-","level":2},{"content":"Dynamic Linking","anchor":"dynamic-linking","level":2},{"content":"Confidentiality and integrity protection","anchor":"confidentiality-and-integrity-protection","level":2},{"content":"Protect sensitive data in the front channel","anchor":"protect-sensitive-data-in-the-front-channel","level":3},{"content":"Pushed Authorization Requests (PAR)","anchor":"pushed-authorization-requests-par-","level":4},{"content":"JWT-Secured Authorization Request (JAR)","anchor":"jwt-secured-authorization-request-jar-","level":4},{"content":"Protect sensitive data in access tokens","anchor":"protect-sensitive-data-in-access-tokens","level":4},{"content":"Stronger application authentication","anchor":"stronger-application-authentication","level":2},{"content":"Protect access tokens with Token Binding","anchor":"protect-access-tokens-with-token-binding","level":2},{"content":"Customizable approval flows for better user experience","anchor":"customizable-approval-flows-for-better-user-experience","level":2},{"content":"Learn more","anchor":"learn-more","level":2}]},"title":"Stronger application authentication"}},{"component":"Title","containerID":"portal-title-9","props":{"children":"\u003Ch2 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EProtect access tokens with Token 
Binding\u003C\u002Fh2\u003E","anchor":"protect-access-tokens-with-token-binding","tag":"h2","meta":{"title":"Highly Regulated Identity","updatedAt":"2024-08-27T20:23:14.565Z","contentfulId":"4MXfmXwd6WcsLjH3kFpOcv","type":"article","description":"Learn about Highly Regulated Identity, Auth0's Financial-Grade Identity solution. ","hash":"highly-regulated-identity","sections":["secure","highly-regulated-identity"],"toc":false,"public":true,"parent":null,"referenceLinks":null,"content":"\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"default\"\u003E\u003Cp\u003ETo use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fpricing\u002F\"\u003EAuth0 Pricing\u003C\u002Fa\u003E for details.\u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EHighly Regulated Identity (HRI) is Auth0’s Financial-Grade Identity™ solution to secure sensitive data operations and services important for your business. Initially targeting highly regulated industries like finance and healthcare, Highly Regulated Identity raises the security level to protect a wide range of customer use cases, including but not limited to money transfers, digital payments, and access to medical records. You can also use Highly Regulated Identity for other sensitive operations that require enhanced security, such as to approve changes in administrative credentials, secure privileged access to a web portal, and more. 
\u003C\u002Fp\u003E\u003Cp\u003ETo secure your sensitive business operations, Highly Regulated Identity provides:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#advanced-security-with-openid-connect-fapi-\"\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#strong-customer-authentication-sca-\"\u003EStrong Customer Authentication (SCA)\u003C\u002Fa\u003E and \u003Ca href=\"#dynamic-linking\"\u003EDynamic Linking\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#customizable-approval-flows-for-better-user-experience\"\u003ECustomizable approval flows for better user experience\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fh2\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EOpenID FAPI\u003C\u002Fa\u003E is a suite of security and privacy specifications developed by the \u003Cdfn data-key=\"openid\"\u003EOpenID\u003C\u002Fdfn\u003E Foundation. 
APIs that meet the FAPI standards are classified as “financial-grade,” which means that they provide robust authentication and authorization mechanisms that help secure access to financial and other sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003EAuth0 is a certified FAPI provider. To learn more about the security improvements we introduced to meet FAPI standards, see the following sections:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EFor more information on FAPI, see OpenID's \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwordpress-content\u002Fuploads\u002F2022\u002F03\u002FOIDF-Whitepaper_Open-Banking-Open-Data-and-Financial-Grade-APIs_2022-03-16.pdf\"\u003EOpen Banking, Open Data, and Financial-grade APIs\u003C\u002Fa\u003E whitepaper and the \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EFAPI Working Group specifications\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F20iajPMtmICMORUfaVQH7a\u002Fec900e1007b3faebd66eb2508f46acb0\u002Fimage17.png\" alt=\"\"\u003E\u003Ch2\u003EStrong Customer Authentication (SCA)\u003C\u002Fh2\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F3JDIerJcevImoIDRd7OfIy\u002F98597a9164b66cde9ec7ddc23f3e849b\u002Fimage14.png\" alt=\"\"\u003E\u003Cp\u003EIntroduced by Europe’s \u003Ca 
href=\"https:\u002F\u002Fwww.europeanpaymentscouncil.eu\u002Fsites\u002Fdefault\u002Ffiles\u002Finfographic\u002F2018-04\u002FEPC_Infographic_PSD2_April%202018.pdf\"\u003EPayment Services Directive (PSD2)\u003C\u002Fa\u003E, Strong Customer Authentication (SCA), mandates the use of at least two distinct authentication factors out of the following three:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003ESomething the user knows (e.g., a password)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething the user possesses (e.g., a device)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething intrinsic to the user (e.g., a fingerprint)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EThe authentication factors must be independent so that compromising one does not jeopardize the others. SCA is quickly becoming the worldwide standard for safeguarding sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003ETo help with SCA compliance, Auth0 offers various authentication factors that enroll and challenge users during a login transaction. Highly Regulated Identity leverages the following authentication factors to secure your transactions: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EMobile push notifications\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESMS\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EEmail\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EWebAuthn\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EUsing \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E, you can dynamically determine which authentication factors to use. This gives you the flexibility to customize your code logic. For example, you can add a second authentication factor for payments above 10 USD. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EDynamic Linking\u003C\u002Fh2\u003E\u003Cp\u003EPSD2 requires that payment service providers implement Dynamic Linking along with Strong Customer Authentication. Dynamic Linking presents the user with transaction details for their explicit validation and approval and uniquely links the authorization and the transaction details. This ensures a good user experience and helps with regulatory compliance.\u003C\u002Fp\u003E\u003Cp\u003ETo enable Dynamic Linking, you can use Rich Authorization Requests (RAR) to pass fine-grained transaction authorization data to the \u003Cdfn data-key=\"oath2\"\u003EOAuth\u003C\u002Fdfn\u003E authorization endpoint. The following code sample shows an \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E JSON object, which contains information like the payment type, amount, currency, and recipient:\u003C\u002Fp\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode\u003E\"authorization_details\": [\n {\n \"type\": \"one_time_payment\",\n \"amount\": {\n \"amount\": 2460.46,\n \"currency\": \"USD\"\n },\n \"sourceAccount\": \"xxxxxxxxxxx4567\",\n \"recipient\": \"Acme Travel, Inc.\",\n \"concept\": \"All Inclusive Resort Package for Two\"\n }\n]\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003E\u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E is assigned a unique transaction reference, which Auth0 uses to prompt the user to perform step-up authentication: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EUse push notifications to show transaction details and get approval on a separate device such as a mobile phone application.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EUse SMS, email, or WebAuthn to 
confirm the details on the device that originated the transaction after the user completes the second authentication factor.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"warning\"\u003E\u003Cp\u003EDo not pass fine-grained transaction authorization data or other sensitive or regulated data outside of \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E. \u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EIf the user confirms the details, the transaction progresses and Auth0 issues an \u003Cdfn data-key=\"access-token\"\u003Eaccess token\u003C\u002Fdfn\u003E associated with the now-approved authorization_details. Developers can also add the unique transaction reference to the access token. As a result, your API servers can later validate the approved transaction details when receiving and servicing API requests.\n\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about RAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-rar\"\u003EAuthorization Code Flow with Rich Authorization Requests\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EConfidentiality and integrity protection\u003C\u002Fh2\u003E\u003Cp\u003EAuthorization details may include account numbers, monetary amounts, merchant names, and other highly sensitive information that are passed in URLs or access tokens that are not secure. 
To protect sensitive data from unauthorized access and tampering, Highly Regulated Identity offers comprehensive confidentiality and integrity protection.\u003C\u002Fp\u003E\u003Ch3\u003EProtect sensitive data in the front channel\u003C\u002Fh3\u003E\u003Cp\u003ETo protect sensitive data in the front channel, such as a web browser, Highly Regulated Identity offers the following solutions as part of the FAPI 1 Advanced Security profile.\u003C\u002Fp\u003E\u003Ch4\u003EPushed Authorization Requests (PAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9126\u002F\"\u003EPAR\u003C\u002Fa\u003E introduces a new endpoint, which allows clients to directly push the payload of an OAuth 2.0 authorization request to the \u003Cdfn data-key=\"authorization-server\"\u003Eauthorization server\u003C\u002Fdfn\u003E (i.e. Auth0 in this case). This avoids passing the authorization parameters via the insecure front channel (i.e., the browser), thus reducing the risk of unauthorized access to authorization parameters by an intermediary.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about PAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-par\"\u003EAuthorization Code Flow with Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-par\"\u003EConfigure Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EJWT-Secured Authorization Request (JAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9101\u002F\"\u003EJAR\u003C\u002Fa\u003E is an OAuth2 protocol extension that enhances the security of authorization requests. 
It does so by using a \u003Cdfn data-key=\"json-web-token\"\u003EJSON Web Token\u003C\u002Fdfn\u003E (JWT) request parameter to protect the integrity and, optionally, the confidentiality of the authorization request parameters.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-jar\"\u003EAuthorization Code Flow with JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-jar\"\u003EConfigure JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EProtect sensitive data in access tokens\u003C\u002Fh4\u003E\u003Cp\u003ETo protect the authorization details included in access tokens, Highly Regulated Identity provides support for using \u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc7516\"\u003EJSON Web Encryption (JWE)\u003C\u002Fa\u003E to encrypt the payload of access tokens. 
This protects access tokens from application-side data breaches and unauthorized inspection into API calls by intermediaries.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JWE, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fjson-web-encryption\"\u003EJSON Web Encryption\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-json-web-encryption\"\u003EConfigure JSON Web Encryption\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EStronger application authentication\u003C\u002Fh2\u003E\u003Cp\u003ETo improve your application authentication security, Highly Regulated Identity offers two different alternatives as part of the FAPI 1 Advanced Security profile:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"http:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Fdraft-ietf-oauth-jwt-bearer\"\u003EPrivate Key JWT\u003C\u002Fa\u003E: involves generating a public-private key pair to use as credentials to authenticate an application. It is already available for customers on the Enterprise plan. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fapplication-credentials#private-key-jwt-authentication\"\u003EPrivate Key JWT Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc8705\"\u003EmTLS for OAuth\u003C\u002Fa\u003E: involves registering a standard X.509 certificate linked to an application on your tenant. The certificate can either be CA-issued or self-signed. Following standard mTLS procedures, the private key corresponding to the certificate is used on the client side to establish the mTLS tunnel when sending requests to your Auth0 tenant endpoints. As a result, Auth0 can authenticate the application without transmitting secrets over the network. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthenticate-with-mtls\"\u003EmTLS for OAuth\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EWith both Private Key JWT and OAuth 2.0 mTLS, you can rotate credentials with zero downtime by temporarily keeping two active keys and\u002For certificates at the same time for a given application.\u003C\u002Fp\u003E\u003Ch2\u003EProtect access tokens with Token Binding\u003C\u002Fh2\u003E\u003Cp\u003ESupporting mTLS also adds the ability to use Token Binding or Sender Constraining. Token Binding associates the thumbprint of the client certificate used for establishing the mTLS tunnel with an access token. When the client consumes an API using the certificate-bound access token, the API server is then able to verify whether the client is also using the associated client certificate. As a result, even if the access token is compromised, malicious actors who don’t hold the private key for the associated client certificate still cannot access protected resources.\u003C\u002Fp\u003E\u003Cp\u003E\u003Cb\u003ENote:\u003C\u002Fb\u003E Token Binding operates independently of the application's authentication method and does not require the pre-registration of the client certificate. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-sender-constraining\"\u003EConfigure Sender Constraining\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003ECustomizable approval flows for better user experience\u003C\u002Fh2\u003E\u003Cp\u003EWhen designing real-world solutions for financial-grade security, it’s important to consider user experience. Applying one-size-fits-all authentication flows for all transactions is not as effective as dynamically adjusting based on transaction details and use cases. 
\u003C\u002Fp\u003E\u003Cp\u003EYou can customize your authentication flow using \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E. For example, after the user logs in, you can inspect transaction details received via RAR, list the user’s enrolled and already validated authentication factors, and use external services, such as risk evaluation engines, to determine the next authentication factor to use. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E. \u003C\u002Fp\u003E\u003Cp\u003EThe New \u003Cdfn data-key=\"universal-login\"\u003EUniversal Login\u003C\u002Fdfn\u003E templates also enable you to customize the attributes displayed on the transaction approval screen depending on the type of transaction and other authorization details. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-rich-authorization-requests\"\u003EConfigure Rich Authorization Requests (RAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F7eBJA1IPsCIZubFKEtHh3m\u002F8ec245ebd3bab775e9ba12fbe7f4096c\u002Fimage2.png\" alt=\"\"\u003E\u003Ch2\u003E\u003Cb\u003ELearn more\u003C\u002Fb\u003E\u003C\u002Fh2\u003E\u003Cp\u003ETo learn how Highly Regulated Identity works from end-to-end to authorize a one-time transaction, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca\"\u003ETransactional Authorization with Contextual Strong Customer Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E","sitemap":true,"breadcrumbs":[{"title":"Secure","path":"\u002Fsecure","url":"\u002Fdocs\u002Fsecure"},{"title":"Highly Regulated 
Identity","path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity"}],"path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity","routeName":"article","section":"articles","titles":[{"content":"Advanced security with OpenID Connect (FAPI)","anchor":"advanced-security-with-openid-connect-fapi-","level":2},{"content":"Strong Customer Authentication (SCA)","anchor":"strong-customer-authentication-sca-","level":2},{"content":"Dynamic Linking","anchor":"dynamic-linking","level":2},{"content":"Confidentiality and integrity protection","anchor":"confidentiality-and-integrity-protection","level":2},{"content":"Protect sensitive data in the front channel","anchor":"protect-sensitive-data-in-the-front-channel","level":3},{"content":"Pushed Authorization Requests (PAR)","anchor":"pushed-authorization-requests-par-","level":4},{"content":"JWT-Secured Authorization Request (JAR)","anchor":"jwt-secured-authorization-request-jar-","level":4},{"content":"Protect sensitive data in access tokens","anchor":"protect-sensitive-data-in-access-tokens","level":4},{"content":"Stronger application authentication","anchor":"stronger-application-authentication","level":2},{"content":"Protect access tokens with Token Binding","anchor":"protect-access-tokens-with-token-binding","level":2},{"content":"Customizable approval flows for better user experience","anchor":"customizable-approval-flows-for-better-user-experience","level":2},{"content":"Learn more","anchor":"learn-more","level":2}]},"title":"Protect access tokens with Token Binding"}},{"component":"Title","containerID":"portal-title-10","props":{"children":"\u003Ch2 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003ECustomizable approval flows for better user 
experience\u003C\u002Fh2\u003E","anchor":"customizable-approval-flows-for-better-user-experience","tag":"h2","meta":{"title":"Highly Regulated Identity","updatedAt":"2024-08-27T20:23:14.565Z","contentfulId":"4MXfmXwd6WcsLjH3kFpOcv","type":"article","description":"Learn about Highly Regulated Identity, Auth0's Financial-Grade Identity solution. ","hash":"highly-regulated-identity","sections":["secure","highly-regulated-identity"],"toc":false,"public":true,"parent":null,"referenceLinks":null,"content":"\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"default\"\u003E\u003Cp\u003ETo use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fpricing\u002F\"\u003EAuth0 Pricing\u003C\u002Fa\u003E for details.\u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EHighly Regulated Identity (HRI) is Auth0’s Financial-Grade Identity™ solution to secure sensitive data operations and services important for your business. Initially targeting highly regulated industries like finance and healthcare, Highly Regulated Identity raises the security level to protect a wide range of customer use cases, including but not limited to money transfers, digital payments, and access to medical records. You can also use Highly Regulated Identity for other sensitive operations that require enhanced security, such as to approve changes in administrative credentials, secure privileged access to a web portal, and more. 
\u003C\u002Fp\u003E\u003Cp\u003ETo secure your sensitive business operations, Highly Regulated Identity provides:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#advanced-security-with-openid-connect-fapi-\"\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#strong-customer-authentication-sca-\"\u003EStrong Customer Authentication (SCA)\u003C\u002Fa\u003E and \u003Ca href=\"#dynamic-linking\"\u003EDynamic Linking\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#customizable-approval-flows-for-better-user-experience\"\u003ECustomizable approval flows for better user experience\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fh2\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EOpenID FAPI\u003C\u002Fa\u003E is a suite of security and privacy specifications developed by the \u003Cdfn data-key=\"openid\"\u003EOpenID\u003C\u002Fdfn\u003E Foundation. 
APIs that meet the FAPI standards are classified as “financial-grade,” which means that they provide robust authentication and authorization mechanisms that help secure access to financial and other sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003EAuth0 is a certified FAPI provider. To learn more about the security improvements we introduced to meet FAPI standards, see the following sections:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EFor more information on FAPI, see OpenID's \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwordpress-content\u002Fuploads\u002F2022\u002F03\u002FOIDF-Whitepaper_Open-Banking-Open-Data-and-Financial-Grade-APIs_2022-03-16.pdf\"\u003EOpen Banking, Open Data, and Financial-grade APIs\u003C\u002Fa\u003E whitepaper and the \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EFAPI Working Group specifications\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F20iajPMtmICMORUfaVQH7a\u002Fec900e1007b3faebd66eb2508f46acb0\u002Fimage17.png\" alt=\"\"\u003E\u003Ch2\u003EStrong Customer Authentication (SCA)\u003C\u002Fh2\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F3JDIerJcevImoIDRd7OfIy\u002F98597a9164b66cde9ec7ddc23f3e849b\u002Fimage14.png\" alt=\"\"\u003E\u003Cp\u003EIntroduced by Europe’s \u003Ca 
href=\"https:\u002F\u002Fwww.europeanpaymentscouncil.eu\u002Fsites\u002Fdefault\u002Ffiles\u002Finfographic\u002F2018-04\u002FEPC_Infographic_PSD2_April%202018.pdf\"\u003EPayment Services Directive (PSD2)\u003C\u002Fa\u003E, Strong Customer Authentication (SCA), mandates the use of at least two distinct authentication factors out of the following three:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003ESomething the user knows (e.g., a password)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething the user possesses (e.g., a device)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething intrinsic to the user (e.g., a fingerprint)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EThe authentication factors must be independent so that compromising one does not jeopardize the others. SCA is quickly becoming the worldwide standard for safeguarding sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003ETo help with SCA compliance, Auth0 offers various authentication factors that enroll and challenge users during a login transaction. Highly Regulated Identity leverages the following authentication factors to secure your transactions: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EMobile push notifications\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESMS\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EEmail\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EWebAuthn\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EUsing \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E, you can dynamically determine which authentication factors to use. This gives you the flexibility to customize your code logic. For example, you can add a second authentication factor for payments above 10 USD. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EDynamic Linking\u003C\u002Fh2\u003E\u003Cp\u003EPSD2 requires that payment service providers implement Dynamic Linking along with Strong Customer Authentication. Dynamic Linking presents the user with transaction details for their explicit validation and approval and uniquely links the authorization and the transaction details. This ensures a good user experience and helps with regulatory compliance.\u003C\u002Fp\u003E\u003Cp\u003ETo enable Dynamic Linking, you can use Rich Authorization Requests (RAR) to pass fine-grained transaction authorization data to the \u003Cdfn data-key=\"oath2\"\u003EOAuth\u003C\u002Fdfn\u003E authorization endpoint. The following code sample shows an \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E JSON object, which contains information like the payment type, amount, currency, and recipient:\u003C\u002Fp\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode\u003E\"authorization_details\": [\n {\n \"type\": \"one_time_payment\",\n \"amount\": {\n \"amount\": 2460.46,\n \"currency\": \"USD\"\n },\n \"sourceAccount\": \"xxxxxxxxxxx4567\",\n \"recipient\": \"Acme Travel, Inc.\",\n \"concept\": \"All Inclusive Resort Package for Two\"\n }\n]\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003E\u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E is assigned a unique transaction reference, which Auth0 uses to prompt the user to perform step-up authentication: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EUse push notifications to show transaction details and get approval on a separate device such as a mobile phone application.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EUse SMS, email, or WebAuthn to 
confirm the details on the device that originated the transaction after the user completes the second authentication factor.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"warning\"\u003E\u003Cp\u003EDo not pass fine-grained transaction authorization data or other sensitive or regulated data outside of \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E. \u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EIf the user confirms the details, the transaction progresses and Auth0 issues an \u003Cdfn data-key=\"access-token\"\u003Eaccess token\u003C\u002Fdfn\u003E associated with the now-approved authorization_details. Developers can also add the unique transaction reference to the access token. As a result, your API servers can later validate the approved transaction details when receiving and servicing API requests.\n\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about RAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-rar\"\u003EAuthorization Code Flow with Rich Authorization Requests\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EConfidentiality and integrity protection\u003C\u002Fh2\u003E\u003Cp\u003EAuthorization details may include account numbers, monetary amounts, merchant names, and other highly sensitive information that are passed in URLs or access tokens that are not secure. 
To protect sensitive data from unauthorized access and tampering, Highly Regulated Identity offers comprehensive confidentiality and integrity protection.\u003C\u002Fp\u003E\u003Ch3\u003EProtect sensitive data in the front channel\u003C\u002Fh3\u003E\u003Cp\u003ETo protect sensitive data in the front channel, such as a web browser, Highly Regulated Identity offers the following solutions as part of the FAPI 1 Advanced Security profile.\u003C\u002Fp\u003E\u003Ch4\u003EPushed Authorization Requests (PAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9126\u002F\"\u003EPAR\u003C\u002Fa\u003E introduces a new endpoint, which allows clients to directly push the payload of an OAuth 2.0 authorization request to the \u003Cdfn data-key=\"authorization-server\"\u003Eauthorization server\u003C\u002Fdfn\u003E (i.e. Auth0 in this case). This avoids passing the authorization parameters via the insecure front channel (i.e., the browser), thus reducing the risk of unauthorized access to authorization parameters by an intermediary.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about PAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-par\"\u003EAuthorization Code Flow with Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-par\"\u003EConfigure Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EJWT-Secured Authorization Request (JAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9101\u002F\"\u003EJAR\u003C\u002Fa\u003E is an OAuth2 protocol extension that enhances the security of authorization requests. 
It does so by using a \u003Cdfn data-key=\"json-web-token\"\u003EJSON Web Token\u003C\u002Fdfn\u003E (JWT) request parameter to protect the integrity and, optionally, the confidentiality of the authorization request parameters.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-jar\"\u003EAuthorization Code Flow with JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-jar\"\u003EConfigure JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EProtect sensitive data in access tokens\u003C\u002Fh4\u003E\u003Cp\u003ETo protect the authorization details included in access tokens, Highly Regulated Identity provides support for using \u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc7516\"\u003EJSON Web Encryption (JWE)\u003C\u002Fa\u003E to encrypt the payload of access tokens. 
This protects access tokens from application-side data breaches and unauthorized inspection into API calls by intermediaries.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JWE, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fjson-web-encryption\"\u003EJSON Web Encryption\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-json-web-encryption\"\u003EConfigure JSON Web Encryption\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EStronger application authentication\u003C\u002Fh2\u003E\u003Cp\u003ETo improve your application authentication security, Highly Regulated Identity offers two different alternatives as part of the FAPI 1 Advanced Security profile:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"http:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Fdraft-ietf-oauth-jwt-bearer\"\u003EPrivate Key JWT\u003C\u002Fa\u003E: involves generating a public-private key pair to use as credentials to authenticate an application. It is already available for customers on the Enterprise plan. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fapplication-credentials#private-key-jwt-authentication\"\u003EPrivate Key JWT Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc8705\"\u003EmTLS for OAuth\u003C\u002Fa\u003E: involves registering a standard X.509 certificate linked to an application on your tenant. The certificate can either be CA-issued or self-signed. Following standard mTLS procedures, the private key corresponding to the certificate is used on the client side to establish the mTLS tunnel when sending requests to your Auth0 tenant endpoints. As a result, Auth0 can authenticate the application without transmitting secrets over the network. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthenticate-with-mtls\"\u003EmTLS for OAuth\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EWith both Private Key JWT and OAuth 2.0 mTLS, you can rotate credentials with zero downtime by temporarily keeping two active keys and\u002For certificates at the same time for a given application.\u003C\u002Fp\u003E\u003Ch2\u003EProtect access tokens with Token Binding\u003C\u002Fh2\u003E\u003Cp\u003ESupporting mTLS also adds the ability to use Token Binding or Sender Constraining. Token Binding associates the thumbprint of the client certificate used for establishing the mTLS tunnel with an access token. When the client consumes an API using the certificate-bound access token, the API server is then able to verify whether the client is also using the associated client certificate. As a result, even if the access token is compromised, malicious actors who don’t hold the private key for the associated client certificate still cannot access protected resources.\u003C\u002Fp\u003E\u003Cp\u003E\u003Cb\u003ENote:\u003C\u002Fb\u003E Token Binding operates independently of the application's authentication method and does not require the pre-registration of the client certificate. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-sender-constraining\"\u003EConfigure Sender Constraining\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003ECustomizable approval flows for better user experience\u003C\u002Fh2\u003E\u003Cp\u003EWhen designing real-world solutions for financial-grade security, it’s important to consider user experience. Applying one-size-fits-all authentication flows for all transactions is not as effective as dynamically adjusting based on transaction details and use cases. 
\u003C\u002Fp\u003E\u003Cp\u003EYou can customize your authentication flow using \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E. For example, after the user logs in, you can inspect transaction details received via RAR, list the user’s enrolled and already validated authentication factors, and use external services, such as risk evaluation engines, to determine the next authentication factor to use. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E. \u003C\u002Fp\u003E\u003Cp\u003EThe New \u003Cdfn data-key=\"universal-login\"\u003EUniversal Login\u003C\u002Fdfn\u003E templates also enable you to customize the attributes displayed on the transaction approval screen depending on the type of transaction and other authorization details. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-rich-authorization-requests\"\u003EConfigure Rich Authorization Requests (RAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F7eBJA1IPsCIZubFKEtHh3m\u002F8ec245ebd3bab775e9ba12fbe7f4096c\u002Fimage2.png\" alt=\"\"\u003E\u003Ch2\u003E\u003Cb\u003ELearn more\u003C\u002Fb\u003E\u003C\u002Fh2\u003E\u003Cp\u003ETo learn how Highly Regulated Identity works from end-to-end to authorize a one-time transaction, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca\"\u003ETransactional Authorization with Contextual Strong Customer Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E","sitemap":true,"breadcrumbs":[{"title":"Secure","path":"\u002Fsecure","url":"\u002Fdocs\u002Fsecure"},{"title":"Highly Regulated 
Identity","path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity"}],"path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity","routeName":"article","section":"articles","titles":[{"content":"Advanced security with OpenID Connect (FAPI)","anchor":"advanced-security-with-openid-connect-fapi-","level":2},{"content":"Strong Customer Authentication (SCA)","anchor":"strong-customer-authentication-sca-","level":2},{"content":"Dynamic Linking","anchor":"dynamic-linking","level":2},{"content":"Confidentiality and integrity protection","anchor":"confidentiality-and-integrity-protection","level":2},{"content":"Protect sensitive data in the front channel","anchor":"protect-sensitive-data-in-the-front-channel","level":3},{"content":"Pushed Authorization Requests (PAR)","anchor":"pushed-authorization-requests-par-","level":4},{"content":"JWT-Secured Authorization Request (JAR)","anchor":"jwt-secured-authorization-request-jar-","level":4},{"content":"Protect sensitive data in access tokens","anchor":"protect-sensitive-data-in-access-tokens","level":4},{"content":"Stronger application authentication","anchor":"stronger-application-authentication","level":2},{"content":"Protect access tokens with Token Binding","anchor":"protect-access-tokens-with-token-binding","level":2},{"content":"Customizable approval flows for better user experience","anchor":"customizable-approval-flows-for-better-user-experience","level":2},{"content":"Learn more","anchor":"learn-more","level":2}]},"title":"Customizable approval flows for better user experience"}},{"component":"Title","containerID":"portal-title-11","props":{"children":"\u003Ch2 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003E\u003Cb\u003ELearn 
more\u003C\u002Fb\u003E\u003C\u002Fh2\u003E","anchor":"learn-more","tag":"h2","meta":{"title":"Highly Regulated Identity","updatedAt":"2024-08-27T20:23:14.565Z","contentfulId":"4MXfmXwd6WcsLjH3kFpOcv","type":"article","description":"Learn about Highly Regulated Identity, Auth0's Financial-Grade Identity solution. ","hash":"highly-regulated-identity","sections":["secure","highly-regulated-identity"],"toc":false,"public":true,"parent":null,"referenceLinks":null,"content":"\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"default\"\u003E\u003Cp\u003ETo use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fpricing\u002F\"\u003EAuth0 Pricing\u003C\u002Fa\u003E for details.\u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EHighly Regulated Identity (HRI) is Auth0’s Financial-Grade Identity™ solution to secure sensitive data operations and services important for your business. Initially targeting highly regulated industries like finance and healthcare, Highly Regulated Identity raises the security level to protect a wide range of customer use cases, including but not limited to money transfers, digital payments, and access to medical records. You can also use Highly Regulated Identity for other sensitive operations that require enhanced security, such as to approve changes in administrative credentials, secure privileged access to a web portal, and more. 
\u003C\u002Fp\u003E\u003Cp\u003ETo secure your sensitive business operations, Highly Regulated Identity provides:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#advanced-security-with-openid-connect-fapi-\"\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#strong-customer-authentication-sca-\"\u003EStrong Customer Authentication (SCA)\u003C\u002Fa\u003E and \u003Ca href=\"#dynamic-linking\"\u003EDynamic Linking\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#customizable-approval-flows-for-better-user-experience\"\u003ECustomizable approval flows for better user experience\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fh2\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EOpenID FAPI\u003C\u002Fa\u003E is a suite of security and privacy specifications developed by the \u003Cdfn data-key=\"openid\"\u003EOpenID\u003C\u002Fdfn\u003E Foundation. 
APIs that meet the FAPI standards are classified as “financial-grade,” which means that they provide robust authentication and authorization mechanisms that help secure access to financial and other sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003EAuth0 is a certified FAPI provider. To learn more about the security improvements we introduced to meet FAPI standards, see the following sections:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EFor more information on FAPI, see OpenID's \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwordpress-content\u002Fuploads\u002F2022\u002F03\u002FOIDF-Whitepaper_Open-Banking-Open-Data-and-Financial-Grade-APIs_2022-03-16.pdf\"\u003EOpen Banking, Open Data, and Financial-grade APIs\u003C\u002Fa\u003E whitepaper and the \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EFAPI Working Group specifications\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F20iajPMtmICMORUfaVQH7a\u002Fec900e1007b3faebd66eb2508f46acb0\u002Fimage17.png\" alt=\"\"\u003E\u003Ch2\u003EStrong Customer Authentication (SCA)\u003C\u002Fh2\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F3JDIerJcevImoIDRd7OfIy\u002F98597a9164b66cde9ec7ddc23f3e849b\u002Fimage14.png\" alt=\"\"\u003E\u003Cp\u003EIntroduced by Europe’s \u003Ca 
href=\"https:\u002F\u002Fwww.europeanpaymentscouncil.eu\u002Fsites\u002Fdefault\u002Ffiles\u002Finfographic\u002F2018-04\u002FEPC_Infographic_PSD2_April%202018.pdf\"\u003EPayment Services Directive (PSD2)\u003C\u002Fa\u003E, Strong Customer Authentication (SCA) mandates the use of at least two distinct authentication factors out of the following three:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003ESomething the user knows (e.g., a password)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething the user possesses (e.g., a device)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething intrinsic to the user (e.g., a fingerprint)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EThe authentication factors must be independent so that compromising one does not jeopardize the others. SCA is quickly becoming the worldwide standard for safeguarding sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003ETo help with SCA compliance, Auth0 offers various authentication factors that enroll and challenge users during a login transaction. Highly Regulated Identity leverages the following authentication factors to secure your transactions: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EMobile push notifications\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESMS\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EEmail\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EWebAuthn\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EUsing \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E, you can dynamically determine which authentication factors to use. This gives you the flexibility to customize your code logic. For example, you can add a second authentication factor for payments above 10 USD. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EDynamic Linking\u003C\u002Fh2\u003E\u003Cp\u003EPSD2 requires that payment service providers implement Dynamic Linking along with Strong Customer Authentication. Dynamic Linking presents the user with transaction details for their explicit validation and approval and uniquely links the authorization and the transaction details. This ensures a good user experience and helps with regulatory compliance.\u003C\u002Fp\u003E\u003Cp\u003ETo enable Dynamic Linking, you can use Rich Authorization Requests (RAR) to pass fine-grained transaction authorization data to the \u003Cdfn data-key=\"oath2\"\u003EOAuth\u003C\u002Fdfn\u003E authorization endpoint. The following code sample shows an \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E JSON object, which contains information like the payment type, amount, currency, and recipient:\u003C\u002Fp\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode\u003E\"authorization_details\": [\n {\n \"type\": \"one_time_payment\",\n \"amount\": {\n \"amount\": 2460,46,\n \"currency\": \"USD\"\n },\n \"sourceAccount\": \"xxxxxxxxxxx4567\",\n \"recipient\": \"Acme Travel, Inc.\",\n \"concept\": \"All Inclusive Resort Package for Two\",\n }\n]\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003E\u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E is assigned a unique transaction reference, which Auth0 uses to prompt the user to perform step-up authentication: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EUse push notifications to show transaction details and get approval on a separate device such as a mobile phone application.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EUse SMS, email, or WebAuthn to 
confirm the details on the device that originated the transaction after the user completes the second authentication factor.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"warning\"\u003E\u003Cp\u003EDo not pass fine-grained transaction authorization data or other sensitive or regulated data outside of \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E. \u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EIf the user confirms the details, the transaction progresses and Auth0 issues an \u003Cdfn data-key=\"access-token\"\u003Eaccess token\u003C\u002Fdfn\u003E associated with the now-approved authorization_details. Developers can also add the unique transaction reference to the access token. As a result, your API servers can later validate the approved transaction details when receiving and servicing API requests.\n\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about RAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-rar\"\u003EAuthorization Code Flow with Rich Authorization Requests\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EConfidentiality and integrity protection\u003C\u002Fh2\u003E\u003Cp\u003EAuthorization details may include account numbers, monetary amounts, merchant names, and other highly sensitive information that are passed in URLs or access tokens that are not secure. 
To protect sensitive data from unauthorized access and tampering, Highly Regulated Identity offers comprehensive confidentiality and integrity protection.\u003C\u002Fp\u003E\u003Ch3\u003EProtect sensitive data in the front channel\u003C\u002Fh3\u003E\u003Cp\u003ETo protect sensitive data in the front channel, such as a web browser, Highly Regulated Identity offers the following solutions as part of the FAPI 1 Advanced Security profile.\u003C\u002Fp\u003E\u003Ch4\u003EPushed Authorization Requests (PAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9126\u002F\"\u003EPAR\u003C\u002Fa\u003E introduces a new endpoint, which allows clients to directly push the payload of an OAuth 2.0 authorization request to the \u003Cdfn data-key=\"authorization-server\"\u003Eauthorization server\u003C\u002Fdfn\u003E (i.e. Auth0 in this case). This avoids passing the authorization parameters via the insecure front channel (i.e., the browser), thus reducing the risk of unauthorized access to authorization parameters by an intermediary.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about PAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-par\"\u003EAuthorization Code Flow with Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-par\"\u003EConfigure Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EJWT-Secured Authorization Request (JAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9101\u002F\"\u003EJAR\u003C\u002Fa\u003E is an OAuth2 protocol extension that enhances the security of authorization requests. 
It does so by using a \u003Cdfn data-key=\"json-web-token\"\u003EJSON Web Token\u003C\u002Fdfn\u003E (JWT) request parameter to protect the integrity and, optionally, the confidentiality of the authorization request parameters.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-jar\"\u003EAuthorization Code Flow with JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-jar\"\u003EConfigure JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EProtect sensitive data in access tokens\u003C\u002Fh4\u003E\u003Cp\u003ETo protect the authorization details included in access tokens, Highly Regulated Identity provides support for using \u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc7516\"\u003EJSON Web Encryption (JWE)\u003C\u002Fa\u003E to encrypt the payload of access tokens. 
This protects access tokens from application-side data breaches and unauthorized inspection into API calls by intermediaries.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JWE, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fjson-web-encryption\"\u003EJSON Web Encryption\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-json-web-encryption\"\u003EConfigure JSON Web Encryption\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EStronger application authentication\u003C\u002Fh2\u003E\u003Cp\u003ETo improve your application authentication security, Highly Regulated Identity offers two different alternatives as part of the FAPI 1 Advanced Security profile:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"http:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Fdraft-ietf-oauth-jwt-bearer\"\u003EPrivate Key JWT\u003C\u002Fa\u003E: involves generating a public-private key pair to use as credentials to authenticate an application. It is already available for customers on the Enterprise plan. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fapplication-credentials#private-key-jwt-authentication\"\u003EPrivate Key JWT Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc8705\"\u003EmTLS for OAuth\u003C\u002Fa\u003E: involves registering a standard X.509 certificate linked to an application on your tenant. The certificate can either be CA-issued or self-signed. Following standard mTLS procedures, the private key corresponding to the certificate is used on the client side to establish the mTLS tunnel when sending requests to your Auth0 tenant endpoints. As a result, Auth0 can authenticate the application without transmitting secrets over the network. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthenticate-with-mtls\"\u003EmTLS for OAuth\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EWith both Private Key JWT and OAuth 2.0 mTLS, you can rotate credentials with zero downtime by temporarily keeping two active keys and\u002For certificates at the same time for a given application.\u003C\u002Fp\u003E\u003Ch2\u003EProtect access tokens with Token Binding\u003C\u002Fh2\u003E\u003Cp\u003ESupporting mTLS also adds the ability to use Token Binding or Sender Constraining. Token Binding associates the thumbprint of the client certificate used for establishing the mTLS tunnel with an access token. When the client consumes an API using the certificate-bound access token, the API server is then able to verify whether the client is also using the associated client certificate. As a result, even if the access token is compromised, malicious actors who don’t hold the private key for the bound client certificate still cannot access protected resources.\u003C\u002Fp\u003E\u003Cp\u003E\u003Cb\u003ENote:\u003C\u002Fb\u003E Token Binding operates independently of the application's authentication method and does not require the pre-registration of the client certificate. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-sender-constraining\"\u003EConfigure Sender Constraining\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003ECustomizable approval flows for better user experience\u003C\u002Fh2\u003E\u003Cp\u003EWhen designing real-world solutions for financial-grade security, it’s important to consider user experience. Applying one-size-fits-all authentication flows for all transactions is not as effective as dynamically adjusting based on transaction details and use cases. 
\u003C\u002Fp\u003E\u003Cp\u003EYou can customize your authentication flow using \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E. For example, after the user logs in, you can inspect transaction details received via RAR, list the user’s enrolled and already validated authentication factors, and use external services, such as risk evaluation engines, to determine the next authentication factor to use. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E. \u003C\u002Fp\u003E\u003Cp\u003EThe New \u003Cdfn data-key=\"universal-login\"\u003EUniversal Login\u003C\u002Fdfn\u003E templates also enable you to customize the attributes displayed on the transaction approval screen depending on the type of transaction and other authorization details. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-rich-authorization-requests\"\u003EConfigure Rich Authorization Requests (RAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F7eBJA1IPsCIZubFKEtHh3m\u002F8ec245ebd3bab775e9ba12fbe7f4096c\u002Fimage2.png\" alt=\"\"\u003E\u003Ch2\u003E\u003Cb\u003ELearn more\u003C\u002Fb\u003E\u003C\u002Fh2\u003E\u003Cp\u003ETo learn how Highly Regulated Identity works from end-to-end to authorize a one-time transaction, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca\"\u003ETransactional Authorization with Contextual Strong Customer Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E","sitemap":true,"breadcrumbs":[{"title":"Secure","path":"\u002Fsecure","url":"\u002Fdocs\u002Fsecure"},{"title":"Highly Regulated 
Identity","path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity"}],"path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity","routeName":"article","section":"articles","titles":[{"content":"Advanced security with OpenID Connect (FAPI)","anchor":"advanced-security-with-openid-connect-fapi-","level":2},{"content":"Strong Customer Authentication (SCA)","anchor":"strong-customer-authentication-sca-","level":2},{"content":"Dynamic Linking","anchor":"dynamic-linking","level":2},{"content":"Confidentiality and integrity protection","anchor":"confidentiality-and-integrity-protection","level":2},{"content":"Protect sensitive data in the front channel","anchor":"protect-sensitive-data-in-the-front-channel","level":3},{"content":"Pushed Authorization Requests (PAR)","anchor":"pushed-authorization-requests-par-","level":4},{"content":"JWT-Secured Authorization Request (JAR)","anchor":"jwt-secured-authorization-request-jar-","level":4},{"content":"Protect sensitive data in access tokens","anchor":"protect-sensitive-data-in-access-tokens","level":4},{"content":"Stronger application authentication","anchor":"stronger-application-authentication","level":2},{"content":"Protect access tokens with Token Binding","anchor":"protect-access-tokens-with-token-binding","level":2},{"content":"Customizable approval flows for better user experience","anchor":"customizable-approval-flows-for-better-user-experience","level":2},{"content":"Learn more","anchor":"learn-more","level":2}]},"title":"Learn 
more"}},{"component":"DefinitionTooltip","containerID":"react-containers-DefinitionTooltip-0","props":{"index":0,"children":"OpenID","key":"openid","dataKey":"openid"}},{"component":"DefinitionTooltip","containerID":"react-containers-DefinitionTooltip-1","props":{"index":1,"children":"OAuth","key":"oath2","dataKey":"oath2"}},{"component":"DefinitionTooltip","containerID":"react-containers-DefinitionTooltip-2","props":{"index":2,"children":"access token","key":"access-token","dataKey":"access-token"}},{"component":"DefinitionTooltip","containerID":"react-containers-DefinitionTooltip-3","props":{"index":3,"children":"authorization server","key":"authorization-server","dataKey":"authorization-server"}},{"component":"DefinitionTooltip","containerID":"react-containers-DefinitionTooltip-4","props":{"index":4,"children":"JSON Web Token","key":"json-web-token","dataKey":"json-web-token"}},{"component":"DefinitionTooltip","containerID":"react-containers-DefinitionTooltip-5","props":{"index":5,"children":"Universal Login","key":"universal-login","dataKey":"universal-login"}},{"component":"AlertContainer","containerID":"react-containers-AlertContainer-0","props":{"index":0,"children":"\u003Cp\u003ETo use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fpricing\u002F\"\u003EAuth0 Pricing\u003C\u002Fa\u003E for details.\u003C\u002Fp\u003E","class":"alert-container","severity":"default"}},{"component":"AlertContainer","containerID":"react-containers-AlertContainer-1","props":{"index":1,"children":"\u003Cp\u003EDo not pass fine-grained transaction authorization data or other sensitive or regulated data outside of \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E. 
\u003C\u002Fp\u003E","class":"alert-container","severity":"warning"}},{"component":"CodeBlock","containerID":"portal-code-block-0","props":{"children":"\u003Ccode\u003E\"authorization_details\": [\n {\n \"type\": \"one_time_payment\",\n \"amount\": {\n \"amount\": 2460,46,\n \"currency\": \"USD\"\n },\n \"sourceAccount\": \"xxxxxxxxxxx4567\",\n \"recipient\": \"Acme Travel, Inc.\",\n \"concept\": \"All Inclusive Resort Package for Two\",\n }\n]\n\u003C\u002Fcode\u003E","code":"\"authorization_details\": [\n {\n \"type\": \"one_time_payment\",\n \"amount\": {\n \"amount\": 2460,46,\n \"currency\": \"USD\"\n },\n \"sourceAccount\": \"xxxxxxxxxxx4567\",\n \"recipient\": \"Acme Travel, Inc.\",\n \"concept\": \"All Inclusive Resort Package for Two\",\n }\n]","tabPaneFooter":"","index":0,"meta":{"title":"Highly Regulated Identity","updatedAt":"2024-08-27T20:23:14.565Z","contentfulId":"4MXfmXwd6WcsLjH3kFpOcv","type":"article","description":"Learn about Highly Regulated Identity, Auth0's Financial-Grade Identity solution. ","hash":"highly-regulated-identity","sections":["secure","highly-regulated-identity"],"toc":false,"public":true,"parent":null,"referenceLinks":null,"content":"\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"default\"\u003E\u003Cp\u003ETo use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fpricing\u002F\"\u003EAuth0 Pricing\u003C\u002Fa\u003E for details.\u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EHighly Regulated Identity (HRI) is Auth0’s Financial-Grade Identity™ solution to secure sensitive data operations and services important for your business. 
Initially targeting highly regulated industries like finance and healthcare, Highly Regulated Identity raises the security level to protect a wide range of customer use cases, including but not limited to money transfers, digital payments, and access to medical records. You can also use Highly Regulated Identity for other sensitive operations that require enhanced security, such as to approve changes in administrative credentials, secure privileged access to a web portal, and more. \u003C\u002Fp\u003E\u003Cp\u003ETo secure your sensitive business operations, Highly Regulated Identity provides:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#advanced-security-with-openid-connect-fapi-\"\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#strong-customer-authentication-sca-\"\u003EStrong Customer Authentication (SCA)\u003C\u002Fa\u003E and \u003Ca href=\"#dynamic-linking\"\u003EDynamic Linking\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#customizable-approval-flows-for-better-user-experience\"\u003ECustomizable approval flows for better user experience\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fh2\u003E\u003Cp\u003E\u003Ca 
href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EOpenID FAPI\u003C\u002Fa\u003E is a suite of security and privacy specifications developed by the \u003Cdfn data-key=\"openid\"\u003EOpenID\u003C\u002Fdfn\u003E Foundation. APIs that meet the FAPI standards are classified as “financial-grade,” which means that they provide robust authentication and authorization mechanisms that help secure access to financial and other sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003EAuth0 is a certified FAPI provider. To learn more about the security improvements we introduced to meet FAPI standards, see the following sections:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EFor more information on FAPI, see OpenID's \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwordpress-content\u002Fuploads\u002F2022\u002F03\u002FOIDF-Whitepaper_Open-Banking-Open-Data-and-Financial-Grade-APIs_2022-03-16.pdf\"\u003EOpen Banking, Open Data, and Financial-grade APIs\u003C\u002Fa\u003E whitepaper and the \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EFAPI Working Group specifications\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F20iajPMtmICMORUfaVQH7a\u002Fec900e1007b3faebd66eb2508f46acb0\u002Fimage17.png\" alt=\"\"\u003E\u003Ch2\u003EStrong Customer Authentication 
(SCA)\u003C\u002Fh2\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F3JDIerJcevImoIDRd7OfIy\u002F98597a9164b66cde9ec7ddc23f3e849b\u002Fimage14.png\" alt=\"\"\u003E\u003Cp\u003EIntroduced by Europe’s \u003Ca href=\"https:\u002F\u002Fwww.europeanpaymentscouncil.eu\u002Fsites\u002Fdefault\u002Ffiles\u002Finfographic\u002F2018-04\u002FEPC_Infographic_PSD2_April%202018.pdf\"\u003EPayment Services Directive (PSD2)\u003C\u002Fa\u003E, Strong Customer Authentication (SCA) mandates the use of at least two distinct authentication factors out of the following three:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003ESomething the user knows (e.g., a password)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething the user possesses (e.g., a device)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething intrinsic to the user (e.g., a fingerprint)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EThe authentication factors must be independent so that compromising one does not jeopardize the others. SCA is quickly becoming the worldwide standard for safeguarding sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003ETo help with SCA compliance, Auth0 offers various authentication factors that enroll and challenge users during a login transaction. Highly Regulated Identity leverages the following authentication factors to secure your transactions: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EMobile push notifications\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESMS\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EEmail\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EWebAuthn\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EUsing \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E, you can dynamically determine which authentication factors to use. 
This gives you the flexibility to customize your code logic. For example, you can add a second authentication factor for payments above 10 USD. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EDynamic Linking\u003C\u002Fh2\u003E\u003Cp\u003EPSD2 requires that payment service providers implement Dynamic Linking along with Strong Customer Authentication. Dynamic Linking presents the user with transaction details for their explicit validation and approval and uniquely links the authorization and the transaction details. This ensures a good user experience and helps with regulatory compliance.\u003C\u002Fp\u003E\u003Cp\u003ETo enable Dynamic Linking, you can use Rich Authorization Requests (RAR) to pass fine-grained transaction authorization data to the \u003Cdfn data-key=\"oath2\"\u003EOAuth\u003C\u002Fdfn\u003E authorization endpoint. 
The following code sample shows an \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E JSON object, which contains information like the payment type, amount, currency, and recipient:\u003C\u002Fp\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode\u003E\"authorization_details\": [\n {\n \"type\": \"one_time_payment\",\n \"amount\": {\n \"amount\": 2460.46,\n \"currency\": \"USD\"\n },\n \"sourceAccount\": \"xxxxxxxxxxx4567\",\n \"recipient\": \"Acme Travel, Inc.\",\n \"concept\": \"All Inclusive Resort Package for Two\"\n }\n]\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003E\u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E is assigned a unique transaction reference, which Auth0 uses to prompt the user to perform step-up authentication: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EUse push notifications to show transaction details and get approval on a separate device such as a mobile phone application.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EUse SMS, email, or WebAuthn to confirm the details on the device that originated the transaction after the user completes the second authentication factor.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"warning\"\u003E\u003Cp\u003EDo not pass fine-grained transaction authorization data or other sensitive or regulated data outside of \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E. \u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EIf the user confirms the details, the transaction progresses and Auth0 issues an \u003Cdfn data-key=\"access-token\"\u003Eaccess token\u003C\u002Fdfn\u003E associated with the now-approved authorization_details. Developers can also add the unique transaction reference to the access token. 
As a result, your API servers can later validate the approved transaction details when receiving and servicing API requests.\n\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about RAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-rar\"\u003EAuthorization Code Flow with Rich Authorization Requests\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EConfidentiality and integrity protection\u003C\u002Fh2\u003E\u003Cp\u003EAuthorization details may include account numbers, monetary amounts, merchant names, and other highly sensitive information that is passed in URLs or access tokens that are not secure. To protect sensitive data from unauthorized access and tampering, Highly Regulated Identity offers comprehensive confidentiality and integrity protection.\u003C\u002Fp\u003E\u003Ch3\u003EProtect sensitive data in the front channel\u003C\u002Fh3\u003E\u003Cp\u003ETo protect sensitive data in the front channel, such as a web browser, Highly Regulated Identity offers the following solutions as part of the FAPI 1 Advanced Security profile.\u003C\u002Fp\u003E\u003Ch4\u003EPushed Authorization Requests (PAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9126\u002F\"\u003EPAR\u003C\u002Fa\u003E introduces a new endpoint, which allows clients to directly push the payload of an OAuth 2.0 authorization request to the \u003Cdfn data-key=\"authorization-server\"\u003Eauthorization server\u003C\u002Fdfn\u003E (i.e., Auth0 in this case). 
This avoids passing the authorization parameters via the insecure front channel (i.e., the browser), thus reducing the risk of unauthorized access to authorization parameters by an intermediary.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about PAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-par\"\u003EAuthorization Code Flow with Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-par\"\u003EConfigure Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EJWT-Secured Authorization Request (JAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9101\u002F\"\u003EJAR\u003C\u002Fa\u003E is an OAuth2 protocol extension that enhances the security of authorization requests. It does so by using a \u003Cdfn data-key=\"json-web-token\"\u003EJSON Web Token\u003C\u002Fdfn\u003E (JWT) request parameter to protect the integrity and, optionally, the confidentiality of the authorization request parameters.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-jar\"\u003EAuthorization Code Flow with JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-jar\"\u003EConfigure JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EProtect sensitive data in access tokens\u003C\u002Fh4\u003E\u003Cp\u003ETo protect the authorization details included in access tokens, Highly Regulated Identity provides support for using \u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc7516\"\u003EJSON Web Encryption 
(JWE)\u003C\u002Fa\u003E to encrypt the payload of access tokens. This protects access tokens from application-side data breaches and unauthorized inspection into API calls by intermediaries.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JWE, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fjson-web-encryption\"\u003EJSON Web Encryption\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-json-web-encryption\"\u003EConfigure JSON Web Encryption\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EStronger application authentication\u003C\u002Fh2\u003E\u003Cp\u003ETo improve your application authentication security, Highly Regulated Identity offers two different alternatives as part of the FAPI 1 Advanced Security profile:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"http:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Fdraft-ietf-oauth-jwt-bearer\"\u003EPrivate Key JWT\u003C\u002Fa\u003E: involves generating a public-private key pair to use as credentials to authenticate an application. It is already available for customers on the Enterprise plan. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fapplication-credentials#private-key-jwt-authentication\"\u003EPrivate Key JWT Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc8705\"\u003EmTLS for OAuth\u003C\u002Fa\u003E: involves registering a standard X.509 certificate linked to an application on your tenant. The certificate can either be CA-issued or self-signed. Following standard mTLS procedures, the private key corresponding to the certificate is used on the client side to establish the mTLS tunnel when sending requests to your Auth0 tenant endpoints. As a result, Auth0 can authenticate the application without transmitting secrets over the network. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthenticate-with-mtls\"\u003EmTLS for OAuth\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EWith both Private Key JWT and OAuth 2.0 mTLS, you can rotate credentials with zero downtime by temporarily keeping two active keys and\u002For certificates at the same time for a given application.\u003C\u002Fp\u003E\u003Ch2\u003EProtect access tokens with Token Binding\u003C\u002Fh2\u003E\u003Cp\u003ESupporting mTLS also adds the ability to use Token Binding or Sender Constraining. Token Binding associates the thumbprint of the client certificate used for establishing the mTLS tunnel with an access token. When the client consumes an API using the certificate-bound access token, the API server is then able to verify whether the client is also using the associated client certificate. As a result, even if the access token is compromised, malicious actors who don’t hold the private key for the associated client certificate still cannot access protected resources.\u003C\u002Fp\u003E\u003Cp\u003E\u003Cb\u003ENote:\u003C\u002Fb\u003E Token Binding operates independently of the application's authentication method and does not require the pre-registration of the client certificate. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-sender-constraining\"\u003EConfigure Sender Constraining\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003ECustomizable approval flows for better user experience\u003C\u002Fh2\u003E\u003Cp\u003EWhen designing real-world solutions for financial-grade security, it’s important to consider user experience. Applying one-size-fits-all authentication flows for all transactions is not as effective as dynamically adjusting based on transaction details and use cases. 
\u003C\u002Fp\u003E\u003Cp\u003EYou can customize your authentication flow using \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E. For example, after the user logs in, you can inspect transaction details received via RAR, list the user’s enrolled and already validated authentication factors, and use external services, such as risk evaluation engines, to determine the next authentication factor to use. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E. \u003C\u002Fp\u003E\u003Cp\u003EThe New \u003Cdfn data-key=\"universal-login\"\u003EUniversal Login\u003C\u002Fdfn\u003E templates also enable you to customize the attributes displayed on the transaction approval screen depending on the type of transaction and other authorization details. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-rich-authorization-requests\"\u003EConfigure Rich Authorization Requests (RAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F7eBJA1IPsCIZubFKEtHh3m\u002F8ec245ebd3bab775e9ba12fbe7f4096c\u002Fimage2.png\" alt=\"\"\u003E\u003Ch2\u003E\u003Cb\u003ELearn more\u003C\u002Fb\u003E\u003C\u002Fh2\u003E\u003Cp\u003ETo learn how Highly Regulated Identity works from end-to-end to authorize a one-time transaction, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca\"\u003ETransactional Authorization with Contextual Strong Customer Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E","sitemap":true,"breadcrumbs":[{"title":"Secure","path":"\u002Fsecure","url":"\u002Fdocs\u002Fsecure"},{"title":"Highly Regulated 
Identity","path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity"}],"path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity","routeName":"article","section":"articles","titles":[{"content":"Advanced security with OpenID Connect (FAPI)","anchor":"advanced-security-with-openid-connect-fapi-","level":2},{"content":"Strong Customer Authentication (SCA)","anchor":"strong-customer-authentication-sca-","level":2},{"content":"Dynamic Linking","anchor":"dynamic-linking","level":2},{"content":"Confidentiality and integrity protection","anchor":"confidentiality-and-integrity-protection","level":2},{"content":"Protect sensitive data in the front channel","anchor":"protect-sensitive-data-in-the-front-channel","level":3},{"content":"Pushed Authorization Requests (PAR)","anchor":"pushed-authorization-requests-par-","level":4},{"content":"JWT-Secured Authorization Request (JAR)","anchor":"jwt-secured-authorization-request-jar-","level":4},{"content":"Protect sensitive data in access tokens","anchor":"protect-sensitive-data-in-access-tokens","level":4},{"content":"Stronger application authentication","anchor":"stronger-application-authentication","level":2},{"content":"Protect access tokens with Token Binding","anchor":"protect-access-tokens-with-token-binding","level":2},{"content":"Customizable approval flows for better user experience","anchor":"customizable-approval-flows-for-better-user-experience","level":2},{"content":"Learn more","anchor":"learn-more","level":2}]}}}],"title":"Highly Regulated Identity","updatedAt":"2024-08-27T20:23:14.565Z","contentfulId":"4MXfmXwd6WcsLjH3kFpOcv","type":"article","description":"Learn about Highly Regulated Identity, Auth0's Financial-Grade Identity solution. 
","hash":"highly-regulated-identity","sections":["secure","highly-regulated-identity"],"toc":false,"public":true,"parent":null,"referenceLinks":null,"content":"\u003Cstyle data-emotion=\"css-light \"\u003E\u003C\u002Fstyle\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv id=\"react-containers-AlertContainer-0\"\u003E\u003Cstyle data-emotion=\"css a14jl7-QuantumAlert-root\" data-react-universal-portal=\"\"\u003E.css-a14jl7-QuantumAlert-root{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-align-items:flex-start;-webkit-box-align:flex-start;-ms-flex-align:flex-start;align-items:flex-start;border-radius:4px;padding:10px 16px;box-shadow:none;border-left:0.5rem solid #686868;background-color:#F1F1F1;color:#3E3E3E;}.css-a14jl7-QuantumAlert-root a,.css-a14jl7-QuantumAlert-root a:hover{color:currentColor;-webkit-text-decoration:underline;text-decoration:underline;}.css-a14jl7-QuantumAlert-root .QuantumAlert-icon{color:#3E3E3E;}\u003C\u002Fstyle\u003E\u003Cdiv role=\"alert\" class=\"QuantumAlert-root alert-portal-container alert-portal-severity-default css-a14jl7-QuantumAlert-root\" data-react-universal-portal=\"\"\u003E\u003Cstyle data-emotion=\"css coqgw6-QuantumAlert-icon\"\u003E.css-coqgw6-QuantumAlert-icon{font-size:1.25rem;margin-right:12px;line-height:1;padding-top:0.3125rem;}.css-coqgw6-QuantumAlert-icon svg{height:1em;width:1em;}\u003C\u002Fstyle\u003E\u003Cdiv class=\"QuantumAlert-icon css-coqgw6-QuantumAlert-icon\"\u003E\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" width=\"1em\" height=\"1em\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"css-0\"\u003E\u003Cpath d=\"M14 2H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2V8z\"\u003E\u003C\u002Fpath\u003E\u003Cpolyline points=\"14 2 14 8 20 8\"\u003E\u003C\u002Fpolyline\u003E\u003Cline x1=\"16\" y1=\"13\" x2=\"8\" y2=\"13\"\u003E\u003C\u002Fline\u003E\u003Cline x1=\"16\" 
y1=\"17\" x2=\"8\" y2=\"17\"\u003E\u003C\u002Fline\u003E\u003Cpolyline points=\"10 9 9 9 8 9\"\u003E\u003C\u002Fpolyline\u003E\u003C\u002Fsvg\u003E\u003C\u002Fdiv\u003E\u003Cstyle data-emotion=\"css 1qf9vnp-QuantumAlert-content\"\u003E.css-1qf9vnp-QuantumAlert-content{font-family:Inter Var,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:400;font-size:0.875rem;line-height:1.57143;letter-spacing:0em;-webkit-flex:1;-ms-flex:1;flex:1;padding-top:0.25rem;}\u003C\u002Fstyle\u003E\u003Cdiv class=\"QuantumAlert-content css-1qf9vnp-QuantumAlert-content\"\u003E\u003Cstyle data-emotion=\"css cut6d9-QuantumAlert-message\"\u003E.css-cut6d9-QuantumAlert-message{display:inline;}.css-cut6d9-QuantumAlert-message\u003Eul{list-style:disc;margin-top:4px;padding-left:16px;}\u003C\u002Fstyle\u003E\u003Cdiv class=\"QuantumAlert-message css-cut6d9-QuantumAlert-message\"\u003E\u003Cdiv class=\"alert-portal-content MuiBox-root css-0\"\u003E\u003Cp\u003ETo use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fpricing\u002F\"\u003EAuth0 Pricing\u003C\u002Fa\u003E for details.\u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EHighly Regulated Identity (HRI) is Auth0’s Financial-Grade Identity™ solution to secure sensitive data operations and services important for your business. Initially targeting highly regulated industries like finance and healthcare, Highly Regulated Identity raises the security level to protect a wide range of customer use cases, including but not limited to money transfers, digital payments, and access to medical records. 
You can also use Highly Regulated Identity for other sensitive operations that require enhanced security, such as to approve changes in administrative credentials, secure privileged access to a web portal, and more. \u003C\u002Fp\u003E\u003Cp\u003ETo secure your sensitive business operations, Highly Regulated Identity provides:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#advanced-security-with-openid-connect-fapi-\"\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#strong-customer-authentication-sca-\"\u003EStrong Customer Authentication (SCA)\u003C\u002Fa\u003E and \u003Ca href=\"#dynamic-linking\"\u003EDynamic Linking\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#customizable-approval-flows-for-better-user-experience\"\u003ECustomizable approval flows for better user experience\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cdiv id=\"portal-title-0\"\u003E\u003Cdiv class=\"title-portal-container MuiBox-root css-0\" data-react-universal-portal=\"\"\u003E\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" width=\"16\" height=\"16\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"title-portal-icon 
css-0\"\u003E\u003Cpath d=\"M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71\"\u003E\u003C\u002Fpath\u003E\u003Cpath d=\"M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71\"\u003E\u003C\u002Fpath\u003E\u003C\u002Fsvg\u003E\u003Cstyle data-emotion=\"css r3xy45-MuiTypography-root\"\u003E.css-r3xy45-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:2rem;line-height:2.5rem;letter-spacing:-0.5px;}@media (max-width:599.95px){.css-r3xy45-MuiTypography-root{font-size:1.75rem;line-height:2.25rem;letter-spacing:-0.3px;}}@media (max-width:-0.05px){.css-r3xy45-MuiTypography-root{font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}}\u003C\u002Fstyle\u003E\u003Ch2 class=\"MuiTypography-root MuiTypography-h2 title-portal-text css-r3xy45-MuiTypography-root\" id=\"advanced-security-with-openid-connect-fapi-\"\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fh2\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EOpenID FAPI\u003C\u002Fa\u003E is a suite of security and privacy specifications developed by the \u003Cdfn id=\"react-containers-DefinitionTooltip-0\"\u003E\u003Cspan class=\"tooltip-portal-underlined-word\" data-mui-internal-clone-element=\"true\" data-react-universal-portal=\"\"\u003EOpenID\u003C\u002Fspan\u003E\u003Cstyle data-emotion=\"css 1piulxx-MuiTooltip-popper\" data-react-universal-portal=\"\"\u003E.css-1piulxx-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"top\"] 
.MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow::before{transform-origin:100% 0;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow::before{transform-origin:0 0;}\u003C\u002Fstyle\u003E\u003Cstyle data-emotion=\"css 1yddtj5-MuiPopper-root-MuiTooltip-popper\" data-react-universal-portal=\"\"\u003E.css-1yddtj5-MuiPopper-root-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow::before{transform-origin:100% 0;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow::before{transform-origin:0 
0;}\u003C\u002Fstyle\u003E\u003C\u002Fdfn\u003E Foundation. APIs that meet the FAPI standards are classified as “financial-grade,” which means that they provide robust authentication and authorization mechanisms that help secure access to financial and other sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003EAuth0 is a certified FAPI provider. To learn more about the security improvements we introduced to meet FAPI standards, see the following sections:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EFor more information on FAPI, see OpenID's \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwordpress-content\u002Fuploads\u002F2022\u002F03\u002FOIDF-Whitepaper_Open-Banking-Open-Data-and-Financial-Grade-APIs_2022-03-16.pdf\"\u003EOpen Banking, Open Data, and Financial-grade APIs\u003C\u002Fa\u003E whitepaper and the \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EFAPI Working Group specifications\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F20iajPMtmICMORUfaVQH7a\u002Fec900e1007b3faebd66eb2508f46acb0\u002Fimage17.png\" alt=\"\"\u003E\u003Cdiv id=\"portal-title-1\"\u003E\u003Cdiv class=\"title-portal-container MuiBox-root css-0\" data-react-universal-portal=\"\"\u003E\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" width=\"16\" height=\"16\" viewBox=\"0 0 24 24\" 
fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"title-portal-icon css-0\"\u003E\u003Cpath d=\"M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71\"\u003E\u003C\u002Fpath\u003E\u003Cpath d=\"M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71\"\u003E\u003C\u002Fpath\u003E\u003C\u002Fsvg\u003E\u003Cstyle data-emotion=\"css r3xy45-MuiTypography-root\"\u003E.css-r3xy45-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:2rem;line-height:2.5rem;letter-spacing:-0.5px;}@media (max-width:599.95px){.css-r3xy45-MuiTypography-root{font-size:1.75rem;line-height:2.25rem;letter-spacing:-0.3px;}}@media (max-width:-0.05px){.css-r3xy45-MuiTypography-root{font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}}\u003C\u002Fstyle\u003E\u003Ch2 class=\"MuiTypography-root MuiTypography-h2 title-portal-text css-r3xy45-MuiTypography-root\" id=\"strong-customer-authentication-sca-\"\u003EStrong Customer Authentication (SCA)\u003C\u002Fh2\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F3JDIerJcevImoIDRd7OfIy\u002F98597a9164b66cde9ec7ddc23f3e849b\u002Fimage14.png\" alt=\"\"\u003E\u003Cp\u003EIntroduced by Europe’s \u003Ca href=\"https:\u002F\u002Fwww.europeanpaymentscouncil.eu\u002Fsites\u002Fdefault\u002Ffiles\u002Finfographic\u002F2018-04\u002FEPC_Infographic_PSD2_April%202018.pdf\"\u003EPayment Services Directive (PSD2)\u003C\u002Fa\u003E, Strong Customer Authentication (SCA), mandates the use of at least two distinct authentication factors out of the following three:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003ESomething the user knows (e.g., a password)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething the user possesses (e.g., a 
device)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething intrinsic to the user (e.g., a fingerprint)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EThe authentication factors must be independent so that compromising one does not jeopardize the others. SCA is quickly becoming the worldwide standard for safeguarding sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003ETo help with SCA compliance, Auth0 offers various authentication factors that enroll and challenge users during a login transaction. Highly Regulated Identity leverages the following authentication factors to secure your transactions: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EMobile push notifications\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESMS\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EEmail\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EWebAuthn\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EUsing \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E, you can dynamically determine which authentication factors to use. This gives you the flexibility to customize your code logic. For example, you can add a second authentication factor for payments above 10 USD. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cdiv id=\"portal-title-2\"\u003E\u003Cdiv class=\"title-portal-container MuiBox-root css-0\" data-react-universal-portal=\"\"\u003E\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" width=\"16\" height=\"16\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"title-portal-icon css-0\"\u003E\u003Cpath d=\"M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71\"\u003E\u003C\u002Fpath\u003E\u003Cpath d=\"M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71\"\u003E\u003C\u002Fpath\u003E\u003C\u002Fsvg\u003E\u003Cstyle data-emotion=\"css r3xy45-MuiTypography-root\"\u003E.css-r3xy45-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:2rem;line-height:2.5rem;letter-spacing:-0.5px;}@media (max-width:599.95px){.css-r3xy45-MuiTypography-root{font-size:1.75rem;line-height:2.25rem;letter-spacing:-0.3px;}}@media (max-width:-0.05px){.css-r3xy45-MuiTypography-root{font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}}\u003C\u002Fstyle\u003E\u003Ch2 class=\"MuiTypography-root MuiTypography-h2 title-portal-text css-r3xy45-MuiTypography-root\" id=\"dynamic-linking\"\u003EDynamic Linking\u003C\u002Fh2\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003EPSD2 requires that payment service providers implement Dynamic Linking along with Strong Customer Authentication. Dynamic Linking presents the user with transaction details for their explicit validation and approval and uniquely links the authorization and the transaction details. 
This ensures a good user experience and helps with regulatory compliance.\u003C\u002Fp\u003E\u003Cp\u003ETo enable Dynamic Linking, you can use Rich Authorization Requests (RAR) to pass fine-grained transaction authorization data to the \u003Cdfn id=\"react-containers-DefinitionTooltip-1\"\u003E\u003Cspan class=\"tooltip-portal-underlined-word\" data-mui-internal-clone-element=\"true\" data-react-universal-portal=\"\"\u003EOAuth\u003C\u002Fspan\u003E\u003Cstyle data-emotion=\"css 1piulxx-MuiTooltip-popper\" data-react-universal-portal=\"\"\u003E.css-1piulxx-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow::before{transform-origin:100% 0;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow::before{transform-origin:0 0;}\u003C\u002Fstyle\u003E\u003Cstyle data-emotion=\"css 1yddtj5-MuiPopper-root-MuiTooltip-popper\" data-react-universal-portal=\"\"\u003E.css-1yddtj5-MuiPopper-root-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"bottom\"] 
.MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow::before{transform-origin:100% 0;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow::before{transform-origin:0 0;}\u003C\u002Fstyle\u003E\u003C\u002Fdfn\u003E authorization endpoint. The following code sample shows an \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E JSON object, which contains information like the payment type, amount, currency, and recipient:\u003C\u002Fp\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv id=\"portal-code-block-0\"\u003E\u003Cstyle data-emotion=\"css i3pbo\" data-react-universal-portal=\"\"\u003E.css-i3pbo{margin-bottom:24px;}\u003C\u002Fstyle\u003E\u003Cstyle data-emotion=\"css 1ler0\" data-react-universal-portal=\"\"\u003E.css-1ler0{margin-bottom:24px;}\u003C\u002Fstyle\u003E\u003Cdiv class=\"MuiBox-root css-1ler0\" data-react-universal-portal=\"\"\u003E\u003Cstyle data-emotion=\"css 1pn7oyt\"\u003E.css-1pn7oyt{position:relative;}.css-1pn7oyt button.copy-button{position:absolute;right:0.5em;top:0.5em;}.css-1pn7oyt pre.code-highlight-prism{border:0;}.css-1pn7oyt code.code-highlight-prism{color:#FFFFFF;}.css-1pn7oyt .token.keyword{color:#B9E0CB;}.css-1pn7oyt .token.property,.css-1pn7oyt .token.constant,.css-1pn7oyt .token.symbol,.css-1pn7oyt 
.token.deleted{color:#B9E0CB;}.css-1pn7oyt .token.selector,.css-1pn7oyt .token.string,.css-1pn7oyt .token.char,.css-1pn7oyt .token.builtin,.css-1pn7oyt .token.inserted{color:#bcbcff;}.css-1pn7oyt .token.boolean,.css-1pn7oyt .token.number{color:#bcbcff;}.css-1pn7oyt .token.class-name,.css-1pn7oyt .token.attr-name,.css-1pn7oyt .token .punctuation{color:#DCD1FC;}.css-1pn7oyt .token.attr-value,.css-1pn7oyt .token.tag,.css-1pn7oyt .token.script .punctuation,.css-1pn7oyt .token.atrule{color:#bcbcff;}.css-1pn7oyt .token.function{color:#FFFFFF;}.css-1pn7oyt .token.regex,.css-1pn7oyt .token.important{color:#DCD1FC;}.css-1pn7oyt .token.namespace{opacity:1;}.css-1pn7oyt .line-highlight{background:rgba(85, 85, 85, 0.2);border-bottom:0.5px solid rgba(255, 255, 255, 0.25);border-top:0.5px solid rgba(255, 255, 255, 0.25);}.css-1pn7oyt .line-numbers{font-family:Roboto Mono,Menlo,Monaco,Consolas,Courier New,monospace;font-size:0.875rem;line-height:1.25rem;letter-spacing:0.15px;font-weight:400;-webkit-font-smoothing:subpixel-antialiased;}.css-1pn7oyt .line-numbers .line-numbers-rows{border-right:none;color:#5a5f66;}.css-1pn7oyt :not(pre)\u003Ecode[class*=\"language-\"],.css-1pn7oyt pre[class*=\"language-\"]{background:#1E1E1E;}.css-1pn7oyt pre[class*=\"language-\"]{margin:0;}.css-1pn7oyt .token.package:before,.css-1pn7oyt .token.package:after{display:none;}.css-1pn7oyt .token.package{background:none;border:none;}\u003C\u002Fstyle\u003E\u003Cdiv class=\"css-1pn7oyt\"\u003E\u003Cpre class=\"code-highlight-prism language-undefined line-numbers linkable-line-numbers\"\u003E\u003Ccode class=\"code-highlight-prism language-undefined\" style=\"font-family:unset\"\u003E\"authorization_details\": [\n {\n \"type\": \"one_time_payment\",\n \"amount\": {\n \"amount\": 2460.46,\n \"currency\": \"USD\"\n },\n \"sourceAccount\": \"xxxxxxxxxxx4567\",\n \"recipient\": \"Acme Travel, Inc.\",\n \"concept\": \"All Inclusive Resort Package for Two\"\n 
}\n]\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003E\u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E is assigned a unique transaction reference, which Auth0 uses to prompt the user to perform step-up authentication: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EUse push notifications to show transaction details and get approval on a separate device such as a mobile phone application.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EUse SMS, email, or WebAuthn to confirm the details on the device that originated the transaction after the user completes the second authentication factor.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv id=\"react-containers-AlertContainer-1\"\u003E\u003Cstyle 
data-emotion=\"css kpvd6o-QuantumAlert-root\" data-react-universal-portal=\"\"\u003E.css-kpvd6o-QuantumAlert-root{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-align-items:flex-start;-webkit-box-align:flex-start;-ms-flex-align:flex-start;align-items:flex-start;border-radius:4px;padding:10px 16px;box-shadow:none;border-left:0.5rem solid #F8D626;background-color:#FEF2B3;color:#473D0B;}.css-kpvd6o-QuantumAlert-root a,.css-kpvd6o-QuantumAlert-root a:hover{color:currentColor;-webkit-text-decoration:underline;text-decoration:underline;}.css-kpvd6o-QuantumAlert-root .QuantumAlert-icon{color:#473D0B;}\u003C\u002Fstyle\u003E\u003Cdiv role=\"alert\" class=\"QuantumAlert-root alert-portal-container alert-portal-severity-warning css-kpvd6o-QuantumAlert-root\" data-react-universal-portal=\"\"\u003E\u003Cstyle data-emotion=\"css coqgw6-QuantumAlert-icon\"\u003E.css-coqgw6-QuantumAlert-icon{font-size:1.25rem;margin-right:12px;line-height:1;padding-top:0.3125rem;}.css-coqgw6-QuantumAlert-icon svg{height:1em;width:1em;}\u003C\u002Fstyle\u003E\u003Cdiv class=\"QuantumAlert-icon css-coqgw6-QuantumAlert-icon\"\u003E\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" width=\"1em\" height=\"1em\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"css-0\"\u003E\u003Cpath d=\"M10.29 3.86L1.82 18a2 2 0 0 0 1.71 3h16.94a2 2 0 0 0 1.71-3L13.71 3.86a2 2 0 0 0-3.42 0z\"\u003E\u003C\u002Fpath\u003E\u003Cline x1=\"12\" y1=\"9\" x2=\"12\" y2=\"13\"\u003E\u003C\u002Fline\u003E\u003Cline x1=\"12\" y1=\"17\" x2=\"12.01\" y2=\"17\"\u003E\u003C\u002Fline\u003E\u003C\u002Fsvg\u003E\u003C\u002Fdiv\u003E\u003Cstyle data-emotion=\"css 1qf9vnp-QuantumAlert-content\"\u003E.css-1qf9vnp-QuantumAlert-content{font-family:Inter Var,-apple-system,BlinkMacSystemFont,Segoe 
UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:400;font-size:0.875rem;line-height:1.57143;letter-spacing:0em;-webkit-flex:1;-ms-flex:1;flex:1;padding-top:0.25rem;}\u003C\u002Fstyle\u003E\u003Cdiv class=\"QuantumAlert-content css-1qf9vnp-QuantumAlert-content\"\u003E\u003Cstyle data-emotion=\"css cut6d9-QuantumAlert-message\"\u003E.css-cut6d9-QuantumAlert-message{display:inline;}.css-cut6d9-QuantumAlert-message\u003Eul{list-style:disc;margin-top:4px;padding-left:16px;}\u003C\u002Fstyle\u003E\u003Cdiv class=\"QuantumAlert-message css-cut6d9-QuantumAlert-message\"\u003E\u003Cdiv class=\"alert-portal-content MuiBox-root css-0\"\u003E\u003Cp\u003EDo not pass fine-grained transaction authorization data or other sensitive or regulated data outside of \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E. \u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EIf the user confirms the details, the transaction progresses and Auth0 issues an \u003Cdfn id=\"react-containers-DefinitionTooltip-2\"\u003E\u003Cspan class=\"tooltip-portal-underlined-word\" data-mui-internal-clone-element=\"true\" data-react-universal-portal=\"\"\u003Eaccess token\u003C\u002Fspan\u003E\u003Cstyle data-emotion=\"css 1piulxx-MuiTooltip-popper\" data-react-universal-portal=\"\"\u003E.css-1piulxx-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow::before{transform-origin:100% 0;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"right\"] 
.MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow::before{transform-origin:0 0;}\u003C\u002Fstyle\u003E\u003Cstyle data-emotion=\"css 1yddtj5-MuiPopper-root-MuiTooltip-popper\" data-react-universal-portal=\"\"\u003E.css-1yddtj5-MuiPopper-root-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow::before{transform-origin:100% 0;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow::before{transform-origin:0 0;}\u003C\u002Fstyle\u003E\u003C\u002Fdfn\u003E associated with the now-approved authorization_details. Developers can also add the unique transaction reference to the access token. 
As a result, your API servers can later validate the approved transaction details when receiving and servicing API requests.\n\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about RAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-rar\"\u003EAuthorization Code Flow with Rich Authorization Requests\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cdiv id=\"portal-title-3\"\u003E\u003Cdiv class=\"title-portal-container MuiBox-root css-0\" data-react-universal-portal=\"\"\u003E\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" width=\"16\" height=\"16\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"title-portal-icon css-0\"\u003E\u003Cpath d=\"M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71\"\u003E\u003C\u002Fpath\u003E\u003Cpath d=\"M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71\"\u003E\u003C\u002Fpath\u003E\u003C\u002Fsvg\u003E\u003Cstyle data-emotion=\"css r3xy45-MuiTypography-root\"\u003E.css-r3xy45-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:2rem;line-height:2.5rem;letter-spacing:-0.5px;}@media (max-width:599.95px){.css-r3xy45-MuiTypography-root{font-size:1.75rem;line-height:2.25rem;letter-spacing:-0.3px;}}@media (max-width:-0.05px){.css-r3xy45-MuiTypography-root{font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}}\u003C\u002Fstyle\u003E\u003Ch2 class=\"MuiTypography-root MuiTypography-h2 title-portal-text css-r3xy45-MuiTypography-root\" id=\"confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fh2\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003EAuthorization details may include account numbers, monetary amounts, merchant names, and other highly 
sensitive information that is passed in URLs or in access tokens that are not secure. To protect sensitive data from unauthorized access and tampering, Highly Regulated Identity offers comprehensive confidentiality and integrity protection.\u003C\u002Fp\u003E\u003Cdiv id=\"portal-title-4\"\u003E\u003Cdiv class=\"title-portal-container MuiBox-root css-0\" data-react-universal-portal=\"\"\u003E\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" width=\"16\" height=\"16\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"title-portal-icon css-0\"\u003E\u003Cpath d=\"M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71\"\u003E\u003C\u002Fpath\u003E\u003Cpath d=\"M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71\"\u003E\u003C\u002Fpath\u003E\u003C\u002Fsvg\u003E\u003Cstyle data-emotion=\"css 13g81vv-MuiTypography-root\"\u003E.css-13g81vv-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:1.75rem;line-height:2.25rem;letter-spacing:-0.3px;}@media (max-width:599.95px){.css-13g81vv-MuiTypography-root{font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}}@media (max-width:-0.05px){.css-13g81vv-MuiTypography-root{font-size:1.25rem;line-height:1.75rem;letter-spacing:-0.1px;}}\u003C\u002Fstyle\u003E\u003Ch3 class=\"MuiTypography-root MuiTypography-h3 title-portal-text css-13g81vv-MuiTypography-root\" id=\"protect-sensitive-data-in-the-front-channel\"\u003EProtect sensitive data in the front channel\u003C\u002Fh3\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003ETo protect sensitive data in the front channel, such as a web browser, Highly Regulated Identity offers the following solutions as part of the FAPI 1 Advanced Security profile.\u003C\u002Fp\u003E\u003Cdiv id=\"portal-title-5\"\u003E\u003Cdiv class=\"title-portal-container 
MuiBox-root css-0\" data-react-universal-portal=\"\"\u003E\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" width=\"16\" height=\"16\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"title-portal-icon css-0\"\u003E\u003Cpath d=\"M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71\"\u003E\u003C\u002Fpath\u003E\u003Cpath d=\"M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71\"\u003E\u003C\u002Fpath\u003E\u003C\u002Fsvg\u003E\u003Cstyle data-emotion=\"css 1t6oil-MuiTypography-root\"\u003E.css-1t6oil-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}@media (max-width:599.95px){.css-1t6oil-MuiTypography-root{font-size:1.25rem;line-height:1.75rem;letter-spacing:-0.1px;}}\u003C\u002Fstyle\u003E\u003Ch4 class=\"MuiTypography-root MuiTypography-h4 title-portal-text css-1t6oil-MuiTypography-root\" id=\"pushed-authorization-requests-par-\"\u003EPushed Authorization Requests (PAR)\u003C\u002Fh4\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9126\u002F\"\u003EPAR\u003C\u002Fa\u003E introduces a new endpoint, which allows clients to directly push the payload of an OAuth 2.0 authorization request to the \u003Cdfn id=\"react-containers-DefinitionTooltip-3\"\u003E\u003Cspan class=\"tooltip-portal-underlined-word\" data-mui-internal-clone-element=\"true\" data-react-universal-portal=\"\"\u003Eauthorization server\u003C\u002Fspan\u003E\u003Cstyle data-emotion=\"css 1piulxx-MuiTooltip-popper\" data-react-universal-portal=\"\"\u003E.css-1piulxx-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"bottom\"] 
.MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow::before{transform-origin:100% 0;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow::before{transform-origin:0 0;}\u003C\u002Fstyle\u003E\u003Cstyle data-emotion=\"css 1yddtj5-MuiPopper-root-MuiTooltip-popper\" data-react-universal-portal=\"\"\u003E.css-1yddtj5-MuiPopper-root-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow::before{transform-origin:100% 0;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"left\"] 
.MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow::before{transform-origin:0 0;}\u003C\u002Fstyle\u003E\u003C\u002Fdfn\u003E (i.e. Auth0 in this case). This avoids passing the authorization parameters via the insecure front channel (i.e., the browser), thus reducing the risk of unauthorized access to authorization parameters by an intermediary.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about PAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-par\"\u003EAuthorization Code Flow with Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-par\"\u003EConfigure Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cdiv id=\"portal-title-6\"\u003E\u003Cdiv class=\"title-portal-container MuiBox-root css-0\" data-react-universal-portal=\"\"\u003E\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" width=\"16\" height=\"16\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"title-portal-icon css-0\"\u003E\u003Cpath d=\"M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71\"\u003E\u003C\u002Fpath\u003E\u003Cpath d=\"M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71\"\u003E\u003C\u002Fpath\u003E\u003C\u002Fsvg\u003E\u003Cstyle data-emotion=\"css 1t6oil-MuiTypography-root\"\u003E.css-1t6oil-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}@media 
(max-width:599.95px){.css-1t6oil-MuiTypography-root{font-size:1.25rem;line-height:1.75rem;letter-spacing:-0.1px;}}\u003C\u002Fstyle\u003E\u003Ch4 class=\"MuiTypography-root MuiTypography-h4 title-portal-text css-1t6oil-MuiTypography-root\" id=\"jwt-secured-authorization-request-jar-\"\u003EJWT-Secured Authorization Request (JAR)\u003C\u002Fh4\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9101\u002F\"\u003EJAR\u003C\u002Fa\u003E is an OAuth2 protocol extension that enhances the security of authorization requests. It does so by using a \u003Cdfn id=\"react-containers-DefinitionTooltip-4\"\u003E\u003Cspan class=\"tooltip-portal-underlined-word\" data-mui-internal-clone-element=\"true\" data-react-universal-portal=\"\"\u003EJSON Web Token\u003C\u002Fspan\u003E\u003Cstyle data-emotion=\"css 1piulxx-MuiTooltip-popper\" data-react-universal-portal=\"\"\u003E.css-1piulxx-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow::before{transform-origin:100% 0;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow::before{transform-origin:0 
0;}\u003C\u002Fstyle\u003E\u003Cstyle data-emotion=\"css 1yddtj5-MuiPopper-root-MuiTooltip-popper\" data-react-universal-portal=\"\"\u003E.css-1yddtj5-MuiPopper-root-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow::before{transform-origin:100% 0;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow::before{transform-origin:0 0;}\u003C\u002Fstyle\u003E\u003C\u002Fdfn\u003E (JWT) request parameter to protect the integrity and, optionally, the confidentiality of the authorization request parameters.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-jar\"\u003EAuthorization Code Flow with JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-jar\"\u003EConfigure JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cdiv 
id=\"portal-title-7\"\u003E\u003Cdiv class=\"title-portal-container MuiBox-root css-0\" data-react-universal-portal=\"\"\u003E\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" width=\"16\" height=\"16\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"title-portal-icon css-0\"\u003E\u003Cpath d=\"M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71\"\u003E\u003C\u002Fpath\u003E\u003Cpath d=\"M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71\"\u003E\u003C\u002Fpath\u003E\u003C\u002Fsvg\u003E\u003Cstyle data-emotion=\"css 1t6oil-MuiTypography-root\"\u003E.css-1t6oil-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}@media (max-width:599.95px){.css-1t6oil-MuiTypography-root{font-size:1.25rem;line-height:1.75rem;letter-spacing:-0.1px;}}\u003C\u002Fstyle\u003E\u003Ch4 class=\"MuiTypography-root MuiTypography-h4 title-portal-text css-1t6oil-MuiTypography-root\" id=\"protect-sensitive-data-in-access-tokens\"\u003EProtect sensitive data in access tokens\u003C\u002Fh4\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003ETo protect the authorization details included in access tokens, Highly Regulated Identity provides support for using \u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc7516\"\u003EJSON Web Encryption (JWE)\u003C\u002Fa\u003E to encrypt the payload of access tokens. 
This protects access tokens from application-side data breaches and unauthorized inspection into API calls by intermediaries.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JWE, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fjson-web-encryption\"\u003EJSON Web Encryption\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-json-web-encryption\"\u003EConfigure JSON Web Encryption\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cdiv id=\"portal-title-8\"\u003E\u003Cdiv class=\"title-portal-container MuiBox-root css-0\" data-react-universal-portal=\"\"\u003E\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" width=\"16\" height=\"16\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"title-portal-icon css-0\"\u003E\u003Cpath d=\"M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71\"\u003E\u003C\u002Fpath\u003E\u003Cpath d=\"M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71\"\u003E\u003C\u002Fpath\u003E\u003C\u002Fsvg\u003E\u003Cstyle data-emotion=\"css r3xy45-MuiTypography-root\"\u003E.css-r3xy45-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:2rem;line-height:2.5rem;letter-spacing:-0.5px;}@media (max-width:599.95px){.css-r3xy45-MuiTypography-root{font-size:1.75rem;line-height:2.25rem;letter-spacing:-0.3px;}}@media (max-width:-0.05px){.css-r3xy45-MuiTypography-root{font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}}\u003C\u002Fstyle\u003E\u003Ch2 class=\"MuiTypography-root MuiTypography-h2 title-portal-text css-r3xy45-MuiTypography-root\" id=\"stronger-application-authentication\"\u003EStronger application authentication\u003C\u002Fh2\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003ETo improve your application authentication security, Highly Regulated 
Identity offers two different alternatives as part of the FAPI 1 Advanced Security profile:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"http:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Fdraft-ietf-oauth-jwt-bearer\"\u003EPrivate Key JWT\u003C\u002Fa\u003E: involves generating a public-private key pair to use as credentials to authenticate an application. It is already available for customers on the Enterprise plan. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fapplication-credentials#private-key-jwt-authentication\"\u003EPrivate Key JWT Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc8705\"\u003EmTLS for OAuth\u003C\u002Fa\u003E: involves registering a standard X.509 certificate linked to an application on your tenant. The certificate can either be CA-issued or self-signed. Following standard mTLS procedures, the private key corresponding to the certificate is used on the client side to establish the mTLS tunnel when sending requests to your Auth0 tenant endpoints. As a result, Auth0 can authenticate the application without transmitting secrets over the network. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthenticate-with-mtls\"\u003EmTLS for OAuth\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EWith both Private Key JWT and OAuth 2.0 mTLS, you can rotate credentials with zero downtime by temporarily keeping two active keys and\u002For certificates at the same time for a given application.\u003C\u002Fp\u003E\u003Cdiv id=\"portal-title-9\"\u003E\u003Cdiv class=\"title-portal-container MuiBox-root css-0\" data-react-universal-portal=\"\"\u003E\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" width=\"16\" height=\"16\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"title-portal-icon css-0\"\u003E\u003Cpath d=\"M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71\"\u003E\u003C\u002Fpath\u003E\u003Cpath d=\"M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71\"\u003E\u003C\u002Fpath\u003E\u003C\u002Fsvg\u003E\u003Cstyle data-emotion=\"css r3xy45-MuiTypography-root\"\u003E.css-r3xy45-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:2rem;line-height:2.5rem;letter-spacing:-0.5px;}@media (max-width:599.95px){.css-r3xy45-MuiTypography-root{font-size:1.75rem;line-height:2.25rem;letter-spacing:-0.3px;}}@media (max-width:-0.05px){.css-r3xy45-MuiTypography-root{font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}}\u003C\u002Fstyle\u003E\u003Ch2 class=\"MuiTypography-root MuiTypography-h2 title-portal-text css-r3xy45-MuiTypography-root\" id=\"protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fh2\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003ESupporting mTLS also adds the ability to use Token Binding or Sender Constraining. 
Token Binding associates the thumbprint of the client certificate used for establishing the mTLS tunnel with an access token. When the client consumes an API using the certificate-bound access token, the API server is then able to verify whether the client is also using the associated client certificate; the protection holds only if the API server performs this check. As a result, even if the access token is compromised, malicious actors who do not hold the private key for the bound client certificate still cannot use the token to access protected resources.\u003C\u002Fp\u003E\u003Cp\u003E\u003Cb\u003ENote:\u003C\u002Fb\u003E Token Binding operates independently of the application's authentication method and does not require the pre-registration of the client certificate. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-sender-constraining\"\u003EConfigure Sender Constraining\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cdiv id=\"portal-title-10\"\u003E\u003Cdiv class=\"title-portal-container MuiBox-root css-0\" data-react-universal-portal=\"\"\u003E\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" width=\"16\" height=\"16\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"title-portal-icon css-0\"\u003E\u003Cpath d=\"M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71\"\u003E\u003C\u002Fpath\u003E\u003Cpath d=\"M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71\"\u003E\u003C\u002Fpath\u003E\u003C\u002Fsvg\u003E\u003Cstyle data-emotion=\"css r3xy45-MuiTypography-root\"\u003E.css-r3xy45-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:2rem;line-height:2.5rem;letter-spacing:-0.5px;}@media (max-width:599.95px){.css-r3xy45-MuiTypography-root{font-size:1.75rem;line-height:2.25rem;letter-spacing:-0.3px;}}@media 
(max-width:-0.05px){.css-r3xy45-MuiTypography-root{font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}}\u003C\u002Fstyle\u003E\u003Ch2 class=\"MuiTypography-root MuiTypography-h2 title-portal-text css-r3xy45-MuiTypography-root\" id=\"customizable-approval-flows-for-better-user-experience\"\u003ECustomizable approval flows for better user experience\u003C\u002Fh2\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003EWhen designing real-world solutions for financial-grade security, it’s important to consider user experience. Applying one-size-fits-all authentication flows for all transactions is not as effective as dynamically adjusting based on transaction details and use cases. \u003C\u002Fp\u003E\u003Cp\u003EYou can customize your authentication flow using \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E. For example, after the user logs in, you can inspect transaction details received via RAR, list the user’s enrolled and already validated authentication factors, and use external services, such as risk evaluation engines, to determine the next authentication factor to use. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E. 
\u003C\u002Fp\u003E\u003Cp\u003EThe New \u003Cdfn id=\"react-containers-DefinitionTooltip-5\"\u003E\u003Cspan class=\"tooltip-portal-underlined-word\" data-mui-internal-clone-element=\"true\" data-react-universal-portal=\"\"\u003EUniversal Login\u003C\u002Fspan\u003E\u003Cstyle data-emotion=\"css 1piulxx-MuiTooltip-popper\" data-react-universal-portal=\"\"\u003E.css-1piulxx-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow::before{transform-origin:100% 0;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow::before{transform-origin:0 0;}\u003C\u002Fstyle\u003E\u003Cstyle data-emotion=\"css 1yddtj5-MuiPopper-root-MuiTooltip-popper\" data-react-universal-portal=\"\"\u003E.css-1yddtj5-MuiPopper-root-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"top\"] 
.MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow::before{transform-origin:100% 0;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow::before{transform-origin:0 0;}\u003C\u002Fstyle\u003E\u003C\u002Fdfn\u003E templates also enable you to customize the attributes displayed on the transaction approval screen depending on the type of transaction and other authorization details. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-rich-authorization-requests\"\u003EConfigure Rich Authorization Requests (RAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F7eBJA1IPsCIZubFKEtHh3m\u002F8ec245ebd3bab775e9ba12fbe7f4096c\u002Fimage2.png\" alt=\"\"\u003E\u003Cdiv id=\"portal-title-11\"\u003E\u003Cdiv class=\"title-portal-container MuiBox-root css-0\" data-react-universal-portal=\"\"\u003E\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" width=\"16\" height=\"16\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"title-portal-icon css-0\"\u003E\u003Cpath d=\"M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71\"\u003E\u003C\u002Fpath\u003E\u003Cpath d=\"M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71\"\u003E\u003C\u002Fpath\u003E\u003C\u002Fsvg\u003E\u003Cstyle data-emotion=\"css 
r3xy45-MuiTypography-root\"\u003E.css-r3xy45-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:2rem;line-height:2.5rem;letter-spacing:-0.5px;}@media (max-width:599.95px){.css-r3xy45-MuiTypography-root{font-size:1.75rem;line-height:2.25rem;letter-spacing:-0.3px;}}@media (max-width:-0.05px){.css-r3xy45-MuiTypography-root{font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}}\u003C\u002Fstyle\u003E\u003Ch2 class=\"MuiTypography-root MuiTypography-h2 title-portal-text css-r3xy45-MuiTypography-root\" id=\"learn-more\"\u003ELearn more\u003C\u002Fh2\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003ETo learn how Highly Regulated Identity works from end-to-end to authorize a one-time transaction, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca\"\u003ETransactional Authorization with Contextual Strong Customer Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E","sitemap":true,"breadcrumbs":[{"title":"Secure","path":"\u002Fsecure","url":"\u002Fdocs\u002Fsecure"},{"title":"Highly Regulated Identity","path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity"}],"path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity","routeName":"article","section":"articles","titles":[{"content":"Advanced security with OpenID Connect (FAPI)","anchor":"advanced-security-with-openid-connect-fapi-","level":2},{"content":"Strong Customer Authentication (SCA)","anchor":"strong-customer-authentication-sca-","level":2},{"content":"Dynamic Linking","anchor":"dynamic-linking","level":2},{"content":"Confidentiality and integrity protection","anchor":"confidentiality-and-integrity-protection","level":2},{"content":"Protect sensitive data in the front 
channel","anchor":"protect-sensitive-data-in-the-front-channel","level":3},{"content":"Pushed Authorization Requests (PAR)","anchor":"pushed-authorization-requests-par-","level":4},{"content":"JWT-Secured Authorization Request (JAR)","anchor":"jwt-secured-authorization-request-jar-","level":4},{"content":"Protect sensitive data in access tokens","anchor":"protect-sensitive-data-in-access-tokens","level":4},{"content":"Stronger application authentication","anchor":"stronger-application-authentication","level":2},{"content":"Protect access tokens with Token Binding","anchor":"protect-access-tokens-with-token-binding","level":2},{"content":"Customizable approval flows for better user experience","anchor":"customizable-approval-flows-for-better-user-experience","level":2},{"content":"Learn more","anchor":"learn-more","level":2}],"originalPortals":[{"component":"Title","containerID":"portal-title-0","props":{"children":"\u003Ch2 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fh2\u003E","anchor":"advanced-security-with-openid-connect-fapi-","tag":"h2","meta":{"title":"Highly Regulated Identity","updatedAt":"2024-08-27T20:23:14.565Z","contentfulId":"4MXfmXwd6WcsLjH3kFpOcv","type":"article","description":"Learn about Highly Regulated Identity, Auth0's Financial-Grade Identity solution. ","hash":"highly-regulated-identity","sections":["secure","highly-regulated-identity"],"toc":false,"public":true,"parent":null,"referenceLinks":null,"content":"\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"default\"\u003E\u003Cp\u003ETo use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. 
Refer to \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fpricing\u002F\"\u003EAuth0 Pricing\u003C\u002Fa\u003E for details.\u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EHighly Regulated Identity (HRI) is Auth0’s Financial-Grade Identity™ solution to secure sensitive data operations and services important for your business. Initially targeting highly regulated industries like finance and healthcare, Highly Regulated Identity raises the security level to protect a wide range of customer use cases, including but not limited to money transfers, digital payments, and access to medical records. You can also use Highly Regulated Identity for other sensitive operations that require enhanced security, such as to approve changes in administrative credentials, secure privileged access to a web portal, and more. \u003C\u002Fp\u003E\u003Cp\u003ETo secure your sensitive business operations, Highly Regulated Identity provides:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#advanced-security-with-openid-connect-fapi-\"\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#strong-customer-authentication-sca-\"\u003EStrong Customer Authentication (SCA)\u003C\u002Fa\u003E and \u003Ca href=\"#dynamic-linking\"\u003EDynamic Linking\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token 
Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#customizable-approval-flows-for-better-user-experience\"\u003ECustomizable approval flows for better user experience\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fh2\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EOpenID FAPI\u003C\u002Fa\u003E is a suite of security and privacy specifications developed by the \u003Cdfn data-key=\"openid\"\u003EOpenID\u003C\u002Fdfn\u003E Foundation. APIs that meet the FAPI standards are classified as “financial-grade,” which means that they provide robust authentication and authorization mechanisms that help secure access to financial and other sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003EAuth0 is a certified FAPI provider. To learn more about the security improvements we introduced to meet FAPI standards, see the following sections:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EFor more information on FAPI, see OpenID's \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwordpress-content\u002Fuploads\u002F2022\u002F03\u002FOIDF-Whitepaper_Open-Banking-Open-Data-and-Financial-Grade-APIs_2022-03-16.pdf\"\u003EOpen Banking, Open Data, and Financial-grade APIs\u003C\u002Fa\u003E whitepaper 
and the \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EFAPI Working Group specifications\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F20iajPMtmICMORUfaVQH7a\u002Fec900e1007b3faebd66eb2508f46acb0\u002Fimage17.png\" alt=\"\"\u003E\u003Ch2\u003EStrong Customer Authentication (SCA)\u003C\u002Fh2\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F3JDIerJcevImoIDRd7OfIy\u002F98597a9164b66cde9ec7ddc23f3e849b\u002Fimage14.png\" alt=\"\"\u003E\u003Cp\u003EIntroduced by Europe’s \u003Ca href=\"https:\u002F\u002Fwww.europeanpaymentscouncil.eu\u002Fsites\u002Fdefault\u002Ffiles\u002Finfographic\u002F2018-04\u002FEPC_Infographic_PSD2_April%202018.pdf\"\u003EPayment Services Directive (PSD2)\u003C\u002Fa\u003E, Strong Customer Authentication (SCA), mandates the use of at least two distinct authentication factors out of the following three:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003ESomething the user knows (e.g., a password)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething the user possesses (e.g., a device)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething intrinsic to the user (e.g., a fingerprint)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EThe authentication factors must be independent so that compromising one does not jeopardize the others. SCA is quickly becoming the worldwide standard for safeguarding sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003ETo help with SCA compliance, Auth0 offers various authentication factors that enroll and challenge users during a login transaction. 
Highly Regulated Identity leverages the following authentication factors to secure your transactions: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EMobile push notifications\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESMS\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EEmail\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EWebAuthn\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EUsing \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E, you can dynamically determine which authentication factors to use. This gives you the flexibility to customize your code logic. For example, you can add a second authentication factor for payments above 10 USD. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EDynamic Linking\u003C\u002Fh2\u003E\u003Cp\u003EPSD2 requires that payment service providers implement Dynamic Linking along with Strong Customer Authentication. Dynamic Linking presents the user with transaction details for their explicit validation and approval and uniquely links the authorization and the transaction details. This ensures a good user experience and helps with regulatory compliance.\u003C\u002Fp\u003E\u003Cp\u003ETo enable Dynamic Linking, you can use Rich Authorization Requests (RAR) to pass fine-grained transaction authorization data to the \u003Cdfn data-key=\"oath2\"\u003EOAuth\u003C\u002Fdfn\u003E authorization endpoint. 
The following code sample shows an \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E JSON object, which contains information like the payment type, amount, currency, and recipient:\u003C\u002Fp\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode\u003E\"authorization_details\": [\n {\n \"type\": \"one_time_payment\",\n \"amount\": {\n \"amount\": 2460,46,\n \"currency\": \"USD\"\n },\n \"sourceAccount\": \"xxxxxxxxxxx4567\",\n \"recipient\": \"Acme Travel, Inc.\",\n \"concept\": \"All Inclusive Resort Package for Two\",\n }\n]\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003E\u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E is assigned a unique transaction reference, which Auth0 uses to prompt the user to perform step-up authentication: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EUse push notifications to show transaction details and get approval on a separate device such as a mobile phone application.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EUse SMS, email, or WebAuthn to confirm the details on the device that originated the transaction after the user completes the second authentication factor.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"warning\"\u003E\u003Cp\u003EDo not pass fine-grained transaction authorization data or other sensitive or regulated data outside of \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E. \u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EIf the user confirms the details, the transaction progresses and Auth0 issues an \u003Cdfn data-key=\"access-token\"\u003Eaccess token\u003C\u002Fdfn\u003E associated with the now-approved authorization_details. Developers can also add the unique transaction reference to the access token. 
As a result, your API servers can later validate the approved transaction details when receiving and servicing API requests.\n\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about RAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-rar\"\u003EAuthorization Code Flow with Rich Authorization Requests\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EConfidentiality and integrity protection\u003C\u002Fh2\u003E\u003Cp\u003EAuthorization details may include account numbers, monetary amounts, merchant names, and other highly sensitive information that is passed in URLs or access tokens that are not secure. To protect sensitive data from unauthorized access and tampering, Highly Regulated Identity offers comprehensive confidentiality and integrity protection.\u003C\u002Fp\u003E\u003Ch3\u003EProtect sensitive data in the front channel\u003C\u002Fh3\u003E\u003Cp\u003ETo protect sensitive data in the front channel, such as a web browser, Highly Regulated Identity offers the following solutions as part of the FAPI 1 Advanced Security profile.\u003C\u002Fp\u003E\u003Ch4\u003EPushed Authorization Requests (PAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9126\u002F\"\u003EPAR\u003C\u002Fa\u003E introduces a new endpoint, which allows clients to directly push the payload of an OAuth 2.0 authorization request to the \u003Cdfn data-key=\"authorization-server\"\u003Eauthorization server\u003C\u002Fdfn\u003E (i.e., Auth0 in this case). 
This avoids passing the authorization parameters via the insecure front channel (i.e., the browser), thus reducing the risk of unauthorized access to authorization parameters by an intermediary.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about PAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-par\"\u003EAuthorization Code Flow with Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-par\"\u003EConfigure Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EJWT-Secured Authorization Request (JAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9101\u002F\"\u003EJAR\u003C\u002Fa\u003E is an OAuth2 protocol extension that enhances the security of authorization requests. It does so by using a \u003Cdfn data-key=\"json-web-token\"\u003EJSON Web Token\u003C\u002Fdfn\u003E (JWT) request parameter to protect the integrity and, optionally, the confidentiality of the authorization request parameters.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-jar\"\u003EAuthorization Code Flow with JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-jar\"\u003EConfigure JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EProtect sensitive data in access tokens\u003C\u002Fh4\u003E\u003Cp\u003ETo protect the authorization details included in access tokens, Highly Regulated Identity provides support for using \u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc7516\"\u003EJSON Web Encryption 
(JWE)\u003C\u002Fa\u003E to encrypt the payload of access tokens. This protects access tokens from application-side data breaches and unauthorized inspection into API calls by intermediaries.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JWE, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fjson-web-encryption\"\u003EJSON Web Encryption\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-json-web-encryption\"\u003EConfigure JSON Web Encryption\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EStronger application authentication\u003C\u002Fh2\u003E\u003Cp\u003ETo improve your application authentication security, Highly Regulated Identity offers two different alternatives as part of the FAPI 1 Advanced Security profile:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"http:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Fdraft-ietf-oauth-jwt-bearer\"\u003EPrivate Key JWT\u003C\u002Fa\u003E: involves generating a public-private key pair to use as credentials to authenticate an application. It is already available for customers on the Enterprise plan. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fapplication-credentials#private-key-jwt-authentication\"\u003EPrivate Key JWT Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc8705\"\u003EmTLS for OAuth\u003C\u002Fa\u003E: involves registering a standard X.509 certificate linked to an application on your tenant. The certificate can either be CA-issued or self-signed. Following standard mTLS procedures, the private key corresponding to the certificate is used on the client side to establish the mTLS tunnel when sending requests to your Auth0 tenant endpoints. As a result, Auth0 can authenticate the application without transmitting secrets over the network. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthenticate-with-mtls\"\u003EmTLS for OAuth\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EWith both Private Key JWT and OAuth 2.0 mTLS, you can rotate credentials with zero downtime by temporarily keeping two active keys and\u002For certificates at the same time for a given application.\u003C\u002Fp\u003E\u003Ch2\u003EProtect access tokens with Token Binding\u003C\u002Fh2\u003E\u003Cp\u003ESupporting mTLS also adds the ability to use Token Binding or Sender Constraining. Token Binding associates the thumbprint of the client certificate used for establishing the mTLS tunnel with an access token. When the client consumes an API using the certificate-bound access token, the API server is then able to verify whether the client is also using the associated client certificate. As a result, even if the access token is compromised, malicious actors who do not hold the private key corresponding to the bound client certificate still cannot access protected resources.\u003C\u002Fp\u003E\u003Cp\u003E\u003Cb\u003ENote:\u003C\u002Fb\u003E Token Binding operates independently of the application's authentication method and does not require the pre-registration of the client certificate. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-sender-constraining\"\u003EConfigure Sender Constraining\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003ECustomizable approval flows for better user experience\u003C\u002Fh2\u003E\u003Cp\u003EWhen designing real-world solutions for financial-grade security, it’s important to consider user experience. Applying one-size-fits-all authentication flows for all transactions is not as effective as dynamically adjusting based on transaction details and use cases. 
\u003C\u002Fp\u003E\u003Cp\u003EYou can customize your authentication flow using \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E. For example, after the user logs in, you can inspect transaction details received via RAR, list the user’s enrolled and already validated authentication factors, and use external services, such as risk evaluation engines, to determine the next authentication factor to use. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E. \u003C\u002Fp\u003E\u003Cp\u003EThe New \u003Cdfn data-key=\"universal-login\"\u003EUniversal Login\u003C\u002Fdfn\u003E templates also enable you to customize the attributes displayed on the transaction approval screen depending on the type of transaction and other authorization details. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-rich-authorization-requests\"\u003EConfigure Rich Authorization Requests (RAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F7eBJA1IPsCIZubFKEtHh3m\u002F8ec245ebd3bab775e9ba12fbe7f4096c\u002Fimage2.png\" alt=\"\"\u003E\u003Ch2\u003E\u003Cb\u003ELearn more\u003C\u002Fb\u003E\u003C\u002Fh2\u003E\u003Cp\u003ETo learn how Highly Regulated Identity works from end-to-end to authorize a one-time transaction, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca\"\u003ETransactional Authorization with Contextual Strong Customer Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E","sitemap":true,"breadcrumbs":[{"title":"Secure","path":"\u002Fsecure","url":"\u002Fdocs\u002Fsecure"},{"title":"Highly Regulated 
Identity","path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity"}],"path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity","routeName":"article","section":"articles","titles":[{"content":"Advanced security with OpenID Connect (FAPI)","anchor":"advanced-security-with-openid-connect-fapi-","level":2},{"content":"Strong Customer Authentication (SCA)","anchor":"strong-customer-authentication-sca-","level":2},{"content":"Dynamic Linking","anchor":"dynamic-linking","level":2},{"content":"Confidentiality and integrity protection","anchor":"confidentiality-and-integrity-protection","level":2},{"content":"Protect sensitive data in the front channel","anchor":"protect-sensitive-data-in-the-front-channel","level":3},{"content":"Pushed Authorization Requests (PAR)","anchor":"pushed-authorization-requests-par-","level":4},{"content":"JWT-Secured Authorization Request (JAR)","anchor":"jwt-secured-authorization-request-jar-","level":4},{"content":"Protect sensitive data in access tokens","anchor":"protect-sensitive-data-in-access-tokens","level":4},{"content":"Stronger application authentication","anchor":"stronger-application-authentication","level":2},{"content":"Protect access tokens with Token Binding","anchor":"protect-access-tokens-with-token-binding","level":2},{"content":"Customizable approval flows for better user experience","anchor":"customizable-approval-flows-for-better-user-experience","level":2},{"content":"Learn more","anchor":"learn-more","level":2}]},"title":"Advanced security with OpenID Connect (FAPI)"}},{"component":"Title","containerID":"portal-title-1","props":{"children":"\u003Ch2 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EStrong Customer Authentication 
(SCA)\u003C\u002Fh2\u003E","anchor":"strong-customer-authentication-sca-","tag":"h2","meta":{"title":"Highly Regulated Identity","updatedAt":"2024-08-27T20:23:14.565Z","contentfulId":"4MXfmXwd6WcsLjH3kFpOcv","type":"article","description":"Learn about Highly Regulated Identity, Auth0's Financial-Grade Identity solution. ","hash":"highly-regulated-identity","sections":["secure","highly-regulated-identity"],"toc":false,"public":true,"parent":null,"referenceLinks":null,"content":"\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"default\"\u003E\u003Cp\u003ETo use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fpricing\u002F\"\u003EAuth0 Pricing\u003C\u002Fa\u003E for details.\u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EHighly Regulated Identity (HRI) is Auth0’s Financial-Grade Identity™ solution to secure sensitive data operations and services important for your business. Initially targeting highly regulated industries like finance and healthcare, Highly Regulated Identity raises the security level to protect a wide range of customer use cases, including but not limited to money transfers, digital payments, and access to medical records. You can also use Highly Regulated Identity for other sensitive operations that require enhanced security, such as to approve changes in administrative credentials, secure privileged access to a web portal, and more. 
\u003C\u002Fp\u003E\u003Cp\u003ETo secure your sensitive business operations, Highly Regulated Identity provides:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#advanced-security-with-openid-connect-fapi-\"\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#strong-customer-authentication-sca-\"\u003EStrong Customer Authentication (SCA)\u003C\u002Fa\u003E and \u003Ca href=\"#dynamic-linking\"\u003EDynamic Linking\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#customizable-approval-flows-for-better-user-experience\"\u003ECustomizable approval flows for better user experience\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fh2\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EOpenID FAPI\u003C\u002Fa\u003E is a suite of security and privacy specifications developed by the \u003Cdfn data-key=\"openid\"\u003EOpenID\u003C\u002Fdfn\u003E Foundation. 
APIs that meet the FAPI standards are classified as “financial-grade,” which means that they provide robust authentication and authorization mechanisms that help secure access to financial and other sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003EAuth0 is a certified FAPI provider. To learn more about the security improvements we introduced to meet FAPI standards, see the following sections:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EFor more information on FAPI, see OpenID's \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwordpress-content\u002Fuploads\u002F2022\u002F03\u002FOIDF-Whitepaper_Open-Banking-Open-Data-and-Financial-Grade-APIs_2022-03-16.pdf\"\u003EOpen Banking, Open Data, and Financial-grade APIs\u003C\u002Fa\u003E whitepaper and the \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EFAPI Working Group specifications\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F20iajPMtmICMORUfaVQH7a\u002Fec900e1007b3faebd66eb2508f46acb0\u002Fimage17.png\" alt=\"\"\u003E\u003Ch2\u003EStrong Customer Authentication (SCA)\u003C\u002Fh2\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F3JDIerJcevImoIDRd7OfIy\u002F98597a9164b66cde9ec7ddc23f3e849b\u002Fimage14.png\" alt=\"\"\u003E\u003Cp\u003EIntroduced by Europe’s \u003Ca 
href=\"https:\u002F\u002Fwww.europeanpaymentscouncil.eu\u002Fsites\u002Fdefault\u002Ffiles\u002Finfographic\u002F2018-04\u002FEPC_Infographic_PSD2_April%202018.pdf\"\u003EPayment Services Directive (PSD2)\u003C\u002Fa\u003E, Strong Customer Authentication (SCA), mandates the use of at least two distinct authentication factors out of the following three:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003ESomething the user knows (e.g., a password)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething the user possesses (e.g., a device)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething intrinsic to the user (e.g., a fingerprint)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EThe authentication factors must be independent so that compromising one does not jeopardize the others. SCA is quickly becoming the worldwide standard for safeguarding sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003ETo help with SCA compliance, Auth0 offers various authentication factors that enroll and challenge users during a login transaction. Highly Regulated Identity leverages the following authentication factors to secure your transactions: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EMobile push notifications\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESMS\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EEmail\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EWebAuthn\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EUsing \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E, you can dynamically determine which authentication factors to use. This gives you the flexibility to customize your code logic. For example, you can add a second authentication factor for payments above 10 USD. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EDynamic Linking\u003C\u002Fh2\u003E\u003Cp\u003EPSD2 requires that payment service providers implement Dynamic Linking along with Strong Customer Authentication. Dynamic Linking presents the user with transaction details for their explicit validation and approval and uniquely links the authorization and the transaction details. This ensures a good user experience and helps with regulatory compliance.\u003C\u002Fp\u003E\u003Cp\u003ETo enable Dynamic Linking, you can use Rich Authorization Requests (RAR) to pass fine-grained transaction authorization data to the \u003Cdfn data-key=\"oath2\"\u003EOAuth\u003C\u002Fdfn\u003E authorization endpoint. The following code sample shows an \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E JSON object, which contains information like the payment type, amount, currency, and recipient:\u003C\u002Fp\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode\u003E\"authorization_details\": [\n {\n \"type\": \"one_time_payment\",\n \"amount\": {\n \"amount\": 2460,46,\n \"currency\": \"USD\"\n },\n \"sourceAccount\": \"xxxxxxxxxxx4567\",\n \"recipient\": \"Acme Travel, Inc.\",\n \"concept\": \"All Inclusive Resort Package for Two\",\n }\n]\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003E\u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E is assigned a unique transaction reference, which Auth0 uses to prompt the user to perform step-up authentication: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EUse push notifications to show transaction details and get approval on a separate device such as a mobile phone application.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EUse SMS, email, or WebAuthn to 
confirm the details on the device that originated the transaction after the user completes the second authentication factor.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"warning\"\u003E\u003Cp\u003EDo not pass fine-grained transaction authorization data or other sensitive or regulated data outside of \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E. \u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EIf the user confirms the details, the transaction progresses and Auth0 issues an \u003Cdfn data-key=\"access-token\"\u003Eaccess token\u003C\u002Fdfn\u003E associated with the now-approved authorization_details. Developers can also add the unique transaction reference to the access token. As a result, your API servers can later validate the approved transaction details when receiving and servicing API requests.\n\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about RAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-rar\"\u003EAuthorization Code Flow with Rich Authorization Requests\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EConfidentiality and integrity protection\u003C\u002Fh2\u003E\u003Cp\u003EAuthorization details may include account numbers, monetary amounts, merchant names, and other highly sensitive information that is passed in URLs or access tokens that are not secure. 
To protect sensitive data from unauthorized access and tampering, Highly Regulated Identity offers comprehensive confidentiality and integrity protection.\u003C\u002Fp\u003E\u003Ch3\u003EProtect sensitive data in the front channel\u003C\u002Fh3\u003E\u003Cp\u003ETo protect sensitive data in the front channel, such as a web browser, Highly Regulated Identity offers the following solutions as part of the FAPI 1 Advanced Security profile.\u003C\u002Fp\u003E\u003Ch4\u003EPushed Authorization Requests (PAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9126\u002F\"\u003EPAR\u003C\u002Fa\u003E introduces a new endpoint, which allows clients to directly push the payload of an OAuth 2.0 authorization request to the \u003Cdfn data-key=\"authorization-server\"\u003Eauthorization server\u003C\u002Fdfn\u003E (i.e. Auth0 in this case). This avoids passing the authorization parameters via the insecure front channel (i.e., the browser), thus reducing the risk of unauthorized access to authorization parameters by an intermediary.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about PAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-par\"\u003EAuthorization Code Flow with Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-par\"\u003EConfigure Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EJWT-Secured Authorization Request (JAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9101\u002F\"\u003EJAR\u003C\u002Fa\u003E is an OAuth2 protocol extension that enhances the security of authorization requests. 
It does so by using a \u003Cdfn data-key=\"json-web-token\"\u003EJSON Web Token\u003C\u002Fdfn\u003E (JWT) request parameter to protect the integrity and, optionally, the confidentiality of the authorization request parameters.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-jar\"\u003EAuthorization Code Flow with JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-jar\"\u003EConfigure JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EProtect sensitive data in access tokens\u003C\u002Fh4\u003E\u003Cp\u003ETo protect the authorization details included in access tokens, Highly Regulated Identity provides support for using \u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc7516\"\u003EJSON Web Encryption (JWE)\u003C\u002Fa\u003E to encrypt the payload of access tokens. 
This protects access tokens from application-side data breaches and unauthorized inspection into API calls by intermediaries.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JWE, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fjson-web-encryption\"\u003EJSON Web Encryption\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-json-web-encryption\"\u003EConfigure JSON Web Encryption\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EStronger application authentication\u003C\u002Fh2\u003E\u003Cp\u003ETo improve your application authentication security, Highly Regulated Identity offers two different alternatives as part of the FAPI 1 Advanced Security profile:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"http:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Fdraft-ietf-oauth-jwt-bearer\"\u003EPrivate Key JWT\u003C\u002Fa\u003E: involves generating a public-private key pair to use as credentials to authenticate an application. It is already available for customers on the Enterprise plan. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fapplication-credentials#private-key-jwt-authentication\"\u003EPrivate Key JWT Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc8705\"\u003EmTLS for OAuth\u003C\u002Fa\u003E: involves registering a standard X.509 certificate linked to an application on your tenant. The certificate can either be CA-issued or self-signed. Following standard mTLS procedures, the private key corresponding to the certificate is used on the client side to establish the mTLS tunnel when sending requests to your Auth0 tenant endpoints. As a result, Auth0 can authenticate the application without transmitting secrets over the network. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthenticate-with-mtls\"\u003EmTLS for OAuth\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EWith both Private Key JWT and OAuth 2.0 mTLS, you can rotate credentials with zero downtime by temporarily keeping two active keys and\u002For certificates at the same time for a given application.\u003C\u002Fp\u003E\u003Ch2\u003EProtect access tokens with Token Binding\u003C\u002Fh2\u003E\u003Cp\u003ESupporting mTLS also adds the ability to use Token Binding or Sender Constraining. Token Binding associates the thumbprint of the client certificate used for establishing the mTLS tunnel to an access token. When the client consumes an API using the certificate-bound access token, the API server is then able to verify whether the client is also using the associated client certificate. As a result, even if the access token is compromised, malicious actors who don’t hold the private key for the bound client certificate still cannot use the token to access protected resources.\u003C\u002Fp\u003E\u003Cp\u003E\u003Cb\u003ENote:\u003C\u002Fb\u003E Token Binding operates independently of the application's authentication method and does not require the pre-registration of the client certificate. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-sender-constraining\"\u003EConfigure Sender Constraining\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003ECustomizable approval flows for better user experience\u003C\u002Fh2\u003E\u003Cp\u003EWhen designing real-world solutions for financial-grade security, it’s important to consider user experience. Applying one-size-fits-all authentication flows for all transactions is not as effective as dynamically adjusting based on transaction details and use cases. 
\u003C\u002Fp\u003E\u003Cp\u003EYou can customize your authentication flow using \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E. For example, after the user logs in, you can inspect transaction details received via RAR, list the user’s enrolled and already validated authentication factors, and use external services, such as risk evaluation engines, to determine the next authentication factor to use. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E. \u003C\u002Fp\u003E\u003Cp\u003EThe New \u003Cdfn data-key=\"universal-login\"\u003EUniversal Login\u003C\u002Fdfn\u003E templates also enable you to customize the attributes displayed on the transaction approval screen depending on the type of transaction and other authorization details. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-rich-authorization-requests\"\u003EConfigure Rich Authorization Requests (RAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F7eBJA1IPsCIZubFKEtHh3m\u002F8ec245ebd3bab775e9ba12fbe7f4096c\u002Fimage2.png\" alt=\"\"\u003E\u003Ch2\u003E\u003Cb\u003ELearn more\u003C\u002Fb\u003E\u003C\u002Fh2\u003E\u003Cp\u003ETo learn how Highly Regulated Identity works from end-to-end to authorize a one-time transaction, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca\"\u003ETransactional Authorization with Contextual Strong Customer Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E","sitemap":true,"breadcrumbs":[{"title":"Secure","path":"\u002Fsecure","url":"\u002Fdocs\u002Fsecure"},{"title":"Highly Regulated 
Identity","path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity"}],"path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity","routeName":"article","section":"articles","titles":[{"content":"Advanced security with OpenID Connect (FAPI)","anchor":"advanced-security-with-openid-connect-fapi-","level":2},{"content":"Strong Customer Authentication (SCA)","anchor":"strong-customer-authentication-sca-","level":2},{"content":"Dynamic Linking","anchor":"dynamic-linking","level":2},{"content":"Confidentiality and integrity protection","anchor":"confidentiality-and-integrity-protection","level":2},{"content":"Protect sensitive data in the front channel","anchor":"protect-sensitive-data-in-the-front-channel","level":3},{"content":"Pushed Authorization Requests (PAR)","anchor":"pushed-authorization-requests-par-","level":4},{"content":"JWT-Secured Authorization Request (JAR)","anchor":"jwt-secured-authorization-request-jar-","level":4},{"content":"Protect sensitive data in access tokens","anchor":"protect-sensitive-data-in-access-tokens","level":4},{"content":"Stronger application authentication","anchor":"stronger-application-authentication","level":2},{"content":"Protect access tokens with Token Binding","anchor":"protect-access-tokens-with-token-binding","level":2},{"content":"Customizable approval flows for better user experience","anchor":"customizable-approval-flows-for-better-user-experience","level":2},{"content":"Learn more","anchor":"learn-more","level":2}]},"title":"Strong Customer Authentication (SCA)"}},{"component":"Title","containerID":"portal-title-2","props":{"children":"\u003Ch2 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EDynamic Linking\u003C\u002Fh2\u003E","anchor":"dynamic-linking","tag":"h2","meta":{"title":"Highly Regulated 
Identity","updatedAt":"2024-08-27T20:23:14.565Z","contentfulId":"4MXfmXwd6WcsLjH3kFpOcv","type":"article","description":"Learn about Highly Regulated Identity, Auth0's Financial-Grade Identity solution. ","hash":"highly-regulated-identity","sections":["secure","highly-regulated-identity"],"toc":false,"public":true,"parent":null,"referenceLinks":null,"content":"\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"default\"\u003E\u003Cp\u003ETo use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fpricing\u002F\"\u003EAuth0 Pricing\u003C\u002Fa\u003E for details.\u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EHighly Regulated Identity (HRI) is Auth0’s Financial-Grade Identity™ solution to secure sensitive data operations and services important for your business. Initially targeting highly regulated industries like finance and healthcare, Highly Regulated Identity raises the security level to protect a wide range of customer use cases, including but not limited to money transfers, digital payments, and access to medical records. You can also use Highly Regulated Identity for other sensitive operations that require enhanced security, such as to approve changes in administrative credentials, secure privileged access to a web portal, and more. 
\u003C\u002Fp\u003E\u003Cp\u003ETo secure your sensitive business operations, Highly Regulated Identity provides:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#advanced-security-with-openid-connect-fapi-\"\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#strong-customer-authentication-sca-\"\u003EStrong Customer Authentication (SCA)\u003C\u002Fa\u003E and \u003Ca href=\"#dynamic-linking\"\u003EDynamic Linking\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#customizable-approval-flows-for-better-user-experience\"\u003ECustomizable approval flows for better user experience\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fh2\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EOpenID FAPI\u003C\u002Fa\u003E is a suite of security and privacy specifications developed by the \u003Cdfn data-key=\"openid\"\u003EOpenID\u003C\u002Fdfn\u003E Foundation. 
APIs that meet the FAPI standards are classified as “financial-grade,” which means that they provide robust authentication and authorization mechanisms that help secure access to financial and other sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003EAuth0 is a certified FAPI provider. To learn more about the security improvements we introduced to meet FAPI standards, see the following sections:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EFor more information on FAPI, see OpenID's \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwordpress-content\u002Fuploads\u002F2022\u002F03\u002FOIDF-Whitepaper_Open-Banking-Open-Data-and-Financial-Grade-APIs_2022-03-16.pdf\"\u003EOpen Banking, Open Data, and Financial-grade APIs\u003C\u002Fa\u003E whitepaper and the \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EFAPI Working Group specifications\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F20iajPMtmICMORUfaVQH7a\u002Fec900e1007b3faebd66eb2508f46acb0\u002Fimage17.png\" alt=\"\"\u003E\u003Ch2\u003EStrong Customer Authentication (SCA)\u003C\u002Fh2\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F3JDIerJcevImoIDRd7OfIy\u002F98597a9164b66cde9ec7ddc23f3e849b\u002Fimage14.png\" alt=\"\"\u003E\u003Cp\u003EIntroduced by Europe’s \u003Ca 
href=\"https:\u002F\u002Fwww.europeanpaymentscouncil.eu\u002Fsites\u002Fdefault\u002Ffiles\u002Finfographic\u002F2018-04\u002FEPC_Infographic_PSD2_April%202018.pdf\"\u003EPayment Services Directive (PSD2)\u003C\u002Fa\u003E, Strong Customer Authentication (SCA) mandates the use of at least two distinct authentication factors out of the following three:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003ESomething the user knows (e.g., a password)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething the user possesses (e.g., a device)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething intrinsic to the user (e.g., a fingerprint)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EThe authentication factors must be independent so that compromising one does not jeopardize the others. SCA is quickly becoming the worldwide standard for safeguarding sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003ETo help with SCA compliance, Auth0 offers various authentication factors that enroll and challenge users during a login transaction. Highly Regulated Identity leverages the following authentication factors to secure your transactions: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EMobile push notifications\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESMS\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EEmail\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EWebAuthn\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EUsing \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E, you can dynamically determine which authentication factors to use. This gives you the flexibility to customize your code logic. For example, you can add a second authentication factor for payments above 10 USD. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EDynamic Linking\u003C\u002Fh2\u003E\u003Cp\u003EPSD2 requires that payment service providers implement Dynamic Linking along with Strong Customer Authentication. Dynamic Linking presents the user with transaction details for their explicit validation and approval and uniquely links the authorization and the transaction details. This ensures a good user experience and helps with regulatory compliance.\u003C\u002Fp\u003E\u003Cp\u003ETo enable Dynamic Linking, you can use Rich Authorization Requests (RAR) to pass fine-grained transaction authorization data to the \u003Cdfn data-key=\"oath2\"\u003EOAuth\u003C\u002Fdfn\u003E authorization endpoint. The following code sample shows an \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E JSON object, which contains information like the payment type, amount, currency, and recipient:\u003C\u002Fp\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode\u003E\"authorization_details\": [\n {\n \"type\": \"one_time_payment\",\n \"amount\": {\n \"amount\": 2460.46,\n \"currency\": \"USD\"\n },\n \"sourceAccount\": \"xxxxxxxxxxx4567\",\n \"recipient\": \"Acme Travel, Inc.\",\n \"concept\": \"All Inclusive Resort Package for Two\"\n }\n]\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003E\u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E is assigned a unique transaction reference, which Auth0 uses to prompt the user to perform step-up authentication: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EUse push notifications to show transaction details and get approval on a separate device such as a mobile phone application.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EUse SMS, email, or WebAuthn to 
confirm the details on the device that originated the transaction after the user completes the second authentication factor.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"warning\"\u003E\u003Cp\u003EDo not pass fine-grained transaction authorization data or other sensitive or regulated data outside of \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E. \u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EIf the user confirms the details, the transaction progresses and Auth0 issues an \u003Cdfn data-key=\"access-token\"\u003Eaccess token\u003C\u002Fdfn\u003E associated with the now-approved authorization_details. Developers can also add the unique transaction reference to the access token. As a result, your API servers can later validate the approved transaction details when receiving and servicing API requests.\n\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about RAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-rar\"\u003EAuthorization Code Flow with Rich Authorization Requests\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EConfidentiality and integrity protection\u003C\u002Fh2\u003E\u003Cp\u003EAuthorization details may include account numbers, monetary amounts, merchant names, and other highly sensitive information that are passed in URLs or access tokens that are not secure. 
To protect sensitive data from unauthorized access and tampering, Highly Regulated Identity offers comprehensive confidentiality and integrity protection.\u003C\u002Fp\u003E\u003Ch3\u003EProtect sensitive data in the front channel\u003C\u002Fh3\u003E\u003Cp\u003ETo protect sensitive data in the front channel, such as a web browser, Highly Regulated Identity offers the following solutions as part of the FAPI 1 Advanced Security profile.\u003C\u002Fp\u003E\u003Ch4\u003EPushed Authorization Requests (PAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9126\u002F\"\u003EPAR\u003C\u002Fa\u003E introduces a new endpoint, which allows clients to directly push the payload of an OAuth 2.0 authorization request to the \u003Cdfn data-key=\"authorization-server\"\u003Eauthorization server\u003C\u002Fdfn\u003E (i.e. Auth0 in this case). This avoids passing the authorization parameters via the insecure front channel (i.e., the browser), thus reducing the risk of unauthorized access to authorization parameters by an intermediary.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about PAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-par\"\u003EAuthorization Code Flow with Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-par\"\u003EConfigure Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EJWT-Secured Authorization Request (JAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9101\u002F\"\u003EJAR\u003C\u002Fa\u003E is an OAuth2 protocol extension that enhances the security of authorization requests. 
It does so by using a \u003Cdfn data-key=\"json-web-token\"\u003EJSON Web Token\u003C\u002Fdfn\u003E (JWT) request parameter to protect the integrity and, optionally, the confidentiality of the authorization request parameters.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-jar\"\u003EAuthorization Code Flow with JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-jar\"\u003EConfigure JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EProtect sensitive data in access tokens\u003C\u002Fh4\u003E\u003Cp\u003ETo protect the authorization details included in access tokens, Highly Regulated Identity provides support for using \u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc7516\"\u003EJSON Web Encryption (JWE)\u003C\u002Fa\u003E to encrypt the payload of access tokens. 
This protects access tokens from application-side data breaches and unauthorized inspection into API calls by intermediaries.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JWE, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fjson-web-encryption\"\u003EJSON Web Encryption\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-json-web-encryption\"\u003EConfigure JSON Web Encryption\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EStronger application authentication\u003C\u002Fh2\u003E\u003Cp\u003ETo improve your application authentication security, Highly Regulated Identity offers two different alternatives as part of the FAPI 1 Advanced Security profile:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"http:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Fdraft-ietf-oauth-jwt-bearer\"\u003EPrivate Key JWT\u003C\u002Fa\u003E: involves generating a public-private key pair to use as credentials to authenticate an application. It is already available for customers on the Enterprise plan. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fapplication-credentials#private-key-jwt-authentication\"\u003EPrivate Key JWT Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc8705\"\u003EmTLS for OAuth\u003C\u002Fa\u003E: involves registering a standard X.509 certificate linked to an application on your tenant. The certificate can either be CA-issued or self-signed. Following standard mTLS procedures, the private key corresponding to the certificate is used on the client side to establish the mTLS tunnel when sending requests to your Auth0 tenant endpoints. As a result, Auth0 can authenticate the application without transmitting secrets over the network. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthenticate-with-mtls\"\u003EmTLS for OAuth\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EWith both Private Key JWT and OAuth 2.0 mTLS, you can rotate credentials with zero downtime by temporarily keeping two active keys and\u002For certificates at the same time for a given application.\u003C\u002Fp\u003E\u003Ch2\u003EProtect access tokens with Token Binding\u003C\u002Fh2\u003E\u003Cp\u003ESupporting mTLS also adds the ability to use Token Binding or Sender Constraining. Token Binding associates the thumbprint of the client certificate used for establishing the mTLS tunnel to an access token. When the client consumes an API using the certificate-bound access token, the API server is then able to verify whether the client is also using the associated client certificate. As a result, even if the access token is compromised, malicious actors who don’t hold the private key for the bound client certificate still cannot use the token to access protected resources.\u003C\u002Fp\u003E\u003Cp\u003E\u003Cb\u003ENote:\u003C\u002Fb\u003E Token Binding operates independently of the application's authentication method and does not require the pre-registration of the client certificate. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-sender-constraining\"\u003EConfigure Sender Constraining\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003ECustomizable approval flows for better user experience\u003C\u002Fh2\u003E\u003Cp\u003EWhen designing real-world solutions for financial-grade security, it’s important to consider user experience. Applying one-size-fits-all authentication flows for all transactions is not as effective as dynamically adjusting based on transaction details and use cases. 
\u003C\u002Fp\u003E\u003Cp\u003EYou can customize your authentication flow using \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E. For example, after the user logs in, you can inspect transaction details received via RAR, list the user’s enrolled and already validated authentication factors, and use external services, such as risk evaluation engines, to determine the next authentication factor to use. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E. \u003C\u002Fp\u003E\u003Cp\u003EThe New \u003Cdfn data-key=\"universal-login\"\u003EUniversal Login\u003C\u002Fdfn\u003E templates also enable you to customize the attributes displayed on the transaction approval screen depending on the type of transaction and other authorization details. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-rich-authorization-requests\"\u003EConfigure Rich Authorization Requests (RAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F7eBJA1IPsCIZubFKEtHh3m\u002F8ec245ebd3bab775e9ba12fbe7f4096c\u002Fimage2.png\" alt=\"\"\u003E\u003Ch2\u003E\u003Cb\u003ELearn more\u003C\u002Fb\u003E\u003C\u002Fh2\u003E\u003Cp\u003ETo learn how Highly Regulated Identity works from end-to-end to authorize a one-time transaction, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca\"\u003ETransactional Authorization with Contextual Strong Customer Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E","sitemap":true,"breadcrumbs":[{"title":"Secure","path":"\u002Fsecure","url":"\u002Fdocs\u002Fsecure"},{"title":"Highly Regulated 
Identity","path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity"}],"path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity","routeName":"article","section":"articles","titles":[{"content":"Advanced security with OpenID Connect (FAPI)","anchor":"advanced-security-with-openid-connect-fapi-","level":2},{"content":"Strong Customer Authentication (SCA)","anchor":"strong-customer-authentication-sca-","level":2},{"content":"Dynamic Linking","anchor":"dynamic-linking","level":2},{"content":"Confidentiality and integrity protection","anchor":"confidentiality-and-integrity-protection","level":2},{"content":"Protect sensitive data in the front channel","anchor":"protect-sensitive-data-in-the-front-channel","level":3},{"content":"Pushed Authorization Requests (PAR)","anchor":"pushed-authorization-requests-par-","level":4},{"content":"JWT-Secured Authorization Request (JAR)","anchor":"jwt-secured-authorization-request-jar-","level":4},{"content":"Protect sensitive data in access tokens","anchor":"protect-sensitive-data-in-access-tokens","level":4},{"content":"Stronger application authentication","anchor":"stronger-application-authentication","level":2},{"content":"Protect access tokens with Token Binding","anchor":"protect-access-tokens-with-token-binding","level":2},{"content":"Customizable approval flows for better user experience","anchor":"customizable-approval-flows-for-better-user-experience","level":2},{"content":"Learn more","anchor":"learn-more","level":2}]},"title":"Dynamic Linking"}},{"component":"Title","containerID":"portal-title-3","props":{"children":"\u003Ch2 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EConfidentiality and integrity 
protection\u003C\u002Fh2\u003E","anchor":"confidentiality-and-integrity-protection","tag":"h2","meta":{"title":"Highly Regulated Identity","updatedAt":"2024-08-27T20:23:14.565Z","contentfulId":"4MXfmXwd6WcsLjH3kFpOcv","type":"article","description":"Learn about Highly Regulated Identity, Auth0's Financial-Grade Identity solution. ","hash":"highly-regulated-identity","sections":["secure","highly-regulated-identity"],"toc":false,"public":true,"parent":null,"referenceLinks":null,"content":"\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"default\"\u003E\u003Cp\u003ETo use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fpricing\u002F\"\u003EAuth0 Pricing\u003C\u002Fa\u003E for details.\u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EHighly Regulated Identity (HRI) is Auth0’s Financial-Grade Identity™ solution to secure sensitive data operations and services important for your business. Initially targeting highly regulated industries like finance and healthcare, Highly Regulated Identity raises the security level to protect a wide range of customer use cases, including but not limited to money transfers, digital payments, and access to medical records. You can also use Highly Regulated Identity for other sensitive operations that require enhanced security, such as to approve changes in administrative credentials, secure privileged access to a web portal, and more. 
\u003C\u002Fp\u003E\u003Cp\u003ETo secure your sensitive business operations, Highly Regulated Identity provides:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#advanced-security-with-openid-connect-fapi-\"\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#strong-customer-authentication-sca-\"\u003EStrong Customer Authentication (SCA)\u003C\u002Fa\u003E and \u003Ca href=\"#dynamic-linking\"\u003EDynamic Linking\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#customizable-approval-flows-for-better-user-experience\"\u003ECustomizable approval flows for better user experience\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fh2\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EOpenID FAPI\u003C\u002Fa\u003E is a suite of security and privacy specifications developed by the \u003Cdfn data-key=\"openid\"\u003EOpenID\u003C\u002Fdfn\u003E Foundation. 
APIs that meet the FAPI standards are classified as “financial-grade,” which means that they provide robust authentication and authorization mechanisms that help secure access to financial and other sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003EAuth0 is a certified FAPI provider. To learn more about the security improvements we introduced to meet FAPI standards, see the following sections:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EFor more information on FAPI, see OpenID's \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwordpress-content\u002Fuploads\u002F2022\u002F03\u002FOIDF-Whitepaper_Open-Banking-Open-Data-and-Financial-Grade-APIs_2022-03-16.pdf\"\u003EOpen Banking, Open Data, and Financial-grade APIs\u003C\u002Fa\u003E whitepaper and the \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EFAPI Working Group specifications\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F20iajPMtmICMORUfaVQH7a\u002Fec900e1007b3faebd66eb2508f46acb0\u002Fimage17.png\" alt=\"\"\u003E\u003Ch2\u003EStrong Customer Authentication (SCA)\u003C\u002Fh2\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F3JDIerJcevImoIDRd7OfIy\u002F98597a9164b66cde9ec7ddc23f3e849b\u002Fimage14.png\" alt=\"\"\u003E\u003Cp\u003EIntroduced by Europe’s \u003Ca 
href=\"https:\u002F\u002Fwww.europeanpaymentscouncil.eu\u002Fsites\u002Fdefault\u002Ffiles\u002Finfographic\u002F2018-04\u002FEPC_Infographic_PSD2_April%202018.pdf\"\u003EPayment Services Directive (PSD2)\u003C\u002Fa\u003E, Strong Customer Authentication (SCA), mandates the use of at least two distinct authentication factors out of the following three:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003ESomething the user knows (e.g., a password)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething the user possesses (e.g., a device)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething intrinsic to the user (e.g., a fingerprint)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EThe authentication factors must be independent so that compromising one does not jeopardize the others. SCA is quickly becoming the worldwide standard for safeguarding sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003ETo help with SCA compliance, Auth0 offers various authentication factors that enroll and challenge users during a login transaction. Highly Regulated Identity leverages the following authentication factors to secure your transactions: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EMobile push notifications\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESMS\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EEmail\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EWebAuthn\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EUsing \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E, you can dynamically determine which authentication factors to use. This gives you the flexibility to customize your code logic. For example, you can add a second authentication factor for payments above 10 USD. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EDynamic Linking\u003C\u002Fh2\u003E\u003Cp\u003EPSD2 requires that payment service providers implement Dynamic Linking along with Strong Customer Authentication. Dynamic Linking presents the user with transaction details for their explicit validation and approval and uniquely links the authorization and the transaction details. This ensures a good user experience and helps with regulatory compliance.\u003C\u002Fp\u003E\u003Cp\u003ETo enable Dynamic Linking, you can use Rich Authorization Requests (RAR) to pass fine-grained transaction authorization data to the \u003Cdfn data-key=\"oath2\"\u003EOAuth\u003C\u002Fdfn\u003E authorization endpoint. The following code sample shows an \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E JSON object, which contains information like the payment type, amount, currency, and recipient:\u003C\u002Fp\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode\u003E\"authorization_details\": [\n {\n \"type\": \"one_time_payment\",\n \"amount\": {\n \"amount\": 2460.46,\n \"currency\": \"USD\"\n },\n \"sourceAccount\": \"xxxxxxxxxxx4567\",\n \"recipient\": \"Acme Travel, Inc.\",\n \"concept\": \"All Inclusive Resort Package for Two\"\n }\n]\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003E\u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E is assigned a unique transaction reference, which Auth0 uses to prompt the user to perform step-up authentication: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EUse push notifications to show transaction details and get approval on a separate device such as a mobile phone application.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EUse SMS, email, or WebAuthn to 
confirm the details on the device that originated the transaction after the user completes the second authentication factor.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"warning\"\u003E\u003Cp\u003EDo not pass fine-grained transaction authorization data or other sensitive or regulated data outside of \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E. \u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EIf the user confirms the details, the transaction progresses and Auth0 issues an \u003Cdfn data-key=\"access-token\"\u003Eaccess token\u003C\u002Fdfn\u003E associated with the now-approved authorization_details. Developers can also add the unique transaction reference to the access token. As a result, your API servers can later validate the approved transaction details when receiving and servicing API requests.\n\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about RAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-rar\"\u003EAuthorization Code Flow with Rich Authorization Requests\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EConfidentiality and integrity protection\u003C\u002Fh2\u003E\u003Cp\u003EAuthorization details may include account numbers, monetary amounts, merchant names, and other highly sensitive information that is passed in URLs or access tokens, neither of which is secure on its own. 
To protect sensitive data from unauthorized access and tampering, Highly Regulated Identity offers comprehensive confidentiality and integrity protection.\u003C\u002Fp\u003E\u003Ch3\u003EProtect sensitive data in the front channel\u003C\u002Fh3\u003E\u003Cp\u003ETo protect sensitive data in the front channel, such as a web browser, Highly Regulated Identity offers the following solutions as part of the FAPI 1 Advanced Security profile.\u003C\u002Fp\u003E\u003Ch4\u003EPushed Authorization Requests (PAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9126\u002F\"\u003EPAR\u003C\u002Fa\u003E introduces a new endpoint, which allows clients to directly push the payload of an OAuth 2.0 authorization request to the \u003Cdfn data-key=\"authorization-server\"\u003Eauthorization server\u003C\u002Fdfn\u003E (i.e. Auth0 in this case). This avoids passing the authorization parameters via the insecure front channel (i.e., the browser), thus reducing the risk of unauthorized access to authorization parameters by an intermediary.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about PAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-par\"\u003EAuthorization Code Flow with Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-par\"\u003EConfigure Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EJWT-Secured Authorization Request (JAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9101\u002F\"\u003EJAR\u003C\u002Fa\u003E is an OAuth2 protocol extension that enhances the security of authorization requests. 
It does so by using a \u003Cdfn data-key=\"json-web-token\"\u003EJSON Web Token\u003C\u002Fdfn\u003E (JWT) request parameter to protect the integrity and, optionally, the confidentiality of the authorization request parameters.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-jar\"\u003EAuthorization Code Flow with JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-jar\"\u003EConfigure JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EProtect sensitive data in access tokens\u003C\u002Fh4\u003E\u003Cp\u003ETo protect the authorization details included in access tokens, Highly Regulated Identity provides support for using \u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc7516\"\u003EJSON Web Encryption (JWE)\u003C\u002Fa\u003E to encrypt the payload of access tokens. 
This protects access tokens from application-side data breaches and unauthorized inspection into API calls by intermediaries.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JWE, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fjson-web-encryption\"\u003EJSON Web Encryption\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-json-web-encryption\"\u003EConfigure JSON Web Encryption\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EStronger application authentication\u003C\u002Fh2\u003E\u003Cp\u003ETo improve your application authentication security, Highly Regulated Identity offers two different alternatives as part of the FAPI 1 Advanced Security profile:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"http:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Fdraft-ietf-oauth-jwt-bearer\"\u003EPrivate Key JWT\u003C\u002Fa\u003E: involves generating a public-private key pair to use as credentials to authenticate an application. It is already available for customers on the Enterprise plan. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fapplication-credentials#private-key-jwt-authentication\"\u003EPrivate Key JWT Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc8705\"\u003EmTLS for OAuth\u003C\u002Fa\u003E: involves registering a standard X.509 certificate linked to an application on your tenant. The certificate can either be CA-issued or self-signed. Following standard mTLS procedures, the private key corresponding to the certificate is used on the client side to establish the mTLS tunnel when sending requests to your Auth0 tenant endpoints. As a result, Auth0 can authenticate the application without transmitting secrets over the network. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthenticate-with-mtls\"\u003EmTLS for OAuth\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EWith both Private Key JWT and OAuth 2.0 mTLS, you can rotate credentials with zero downtime by temporarily keeping two active keys and\u002For certificates at the same time for a given application.\u003C\u002Fp\u003E\u003Ch2\u003EProtect access tokens with Token Binding\u003C\u002Fh2\u003E\u003Cp\u003ESupporting mTLS also adds the ability to use Token Binding or Sender Constraining. Token Binding associates the thumbprint of the client certificate used for establishing the mTLS tunnel with an access token. When the client consumes an API using the certificate-bound access token, the API server is then able to verify whether the client is also using the associated client certificate. As a result, even if the access token is compromised, malicious actors who do not hold the private key for the associated client certificate still cannot use the token to access protected resources.\u003C\u002Fp\u003E\u003Cp\u003E\u003Cb\u003ENote:\u003C\u002Fb\u003E Token Binding operates independently of the application's authentication method and does not require the pre-registration of the client certificate. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-sender-constraining\"\u003EConfigure Sender Constraining\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003ECustomizable approval flows for better user experience\u003C\u002Fh2\u003E\u003Cp\u003EWhen designing real-world solutions for financial-grade security, it’s important to consider user experience. Applying one-size-fits-all authentication flows for all transactions is not as effective as dynamically adjusting based on transaction details and use cases. 
\u003C\u002Fp\u003E\u003Cp\u003EYou can customize your authentication flow using \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E. For example, after the user logs in, you can inspect transaction details received via RAR, list the user’s enrolled and already validated authentication factors, and use external services, such as risk evaluation engines, to determine the next authentication factor to use. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E. \u003C\u002Fp\u003E\u003Cp\u003EThe New \u003Cdfn data-key=\"universal-login\"\u003EUniversal Login\u003C\u002Fdfn\u003E templates also enable you to customize the attributes displayed on the transaction approval screen depending on the type of transaction and other authorization details. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-rich-authorization-requests\"\u003EConfigure Rich Authorization Requests (RAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F7eBJA1IPsCIZubFKEtHh3m\u002F8ec245ebd3bab775e9ba12fbe7f4096c\u002Fimage2.png\" alt=\"\"\u003E\u003Ch2\u003E\u003Cb\u003ELearn more\u003C\u002Fb\u003E\u003C\u002Fh2\u003E\u003Cp\u003ETo learn how Highly Regulated Identity works from end-to-end to authorize a one-time transaction, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca\"\u003ETransactional Authorization with Contextual Strong Customer Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E","sitemap":true,"breadcrumbs":[{"title":"Secure","path":"\u002Fsecure","url":"\u002Fdocs\u002Fsecure"},{"title":"Highly Regulated 
Identity","path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity"}],"path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity","routeName":"article","section":"articles","titles":[{"content":"Advanced security with OpenID Connect (FAPI)","anchor":"advanced-security-with-openid-connect-fapi-","level":2},{"content":"Strong Customer Authentication (SCA)","anchor":"strong-customer-authentication-sca-","level":2},{"content":"Dynamic Linking","anchor":"dynamic-linking","level":2},{"content":"Confidentiality and integrity protection","anchor":"confidentiality-and-integrity-protection","level":2},{"content":"Protect sensitive data in the front channel","anchor":"protect-sensitive-data-in-the-front-channel","level":3},{"content":"Pushed Authorization Requests (PAR)","anchor":"pushed-authorization-requests-par-","level":4},{"content":"JWT-Secured Authorization Request (JAR)","anchor":"jwt-secured-authorization-request-jar-","level":4},{"content":"Protect sensitive data in access tokens","anchor":"protect-sensitive-data-in-access-tokens","level":4},{"content":"Stronger application authentication","anchor":"stronger-application-authentication","level":2},{"content":"Protect access tokens with Token Binding","anchor":"protect-access-tokens-with-token-binding","level":2},{"content":"Customizable approval flows for better user experience","anchor":"customizable-approval-flows-for-better-user-experience","level":2},{"content":"Learn more","anchor":"learn-more","level":2}]},"title":"Confidentiality and integrity protection"}},{"component":"Title","containerID":"portal-title-4","props":{"children":"\u003Ch3 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EProtect sensitive data in the front 
channel\u003C\u002Fh3\u003E","anchor":"protect-sensitive-data-in-the-front-channel","tag":"h3","meta":{"title":"Highly Regulated Identity","updatedAt":"2024-08-27T20:23:14.565Z","contentfulId":"4MXfmXwd6WcsLjH3kFpOcv","type":"article","description":"Learn about Highly Regulated Identity, Auth0's Financial-Grade Identity solution. ","hash":"highly-regulated-identity","sections":["secure","highly-regulated-identity"],"toc":false,"public":true,"parent":null,"referenceLinks":null,"content":"\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"default\"\u003E\u003Cp\u003ETo use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fpricing\u002F\"\u003EAuth0 Pricing\u003C\u002Fa\u003E for details.\u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EHighly Regulated Identity (HRI) is Auth0’s Financial-Grade Identity™ solution to secure sensitive data operations and services important for your business. Initially targeting highly regulated industries like finance and healthcare, Highly Regulated Identity raises the security level to protect a wide range of customer use cases, including but not limited to money transfers, digital payments, and access to medical records. You can also use Highly Regulated Identity for other sensitive operations that require enhanced security, such as to approve changes in administrative credentials, secure privileged access to a web portal, and more. 
\u003C\u002Fp\u003E\u003Cp\u003ETo secure your sensitive business operations, Highly Regulated Identity provides:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#advanced-security-with-openid-connect-fapi-\"\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#strong-customer-authentication-sca-\"\u003EStrong Customer Authentication (SCA)\u003C\u002Fa\u003E and \u003Ca href=\"#dynamic-linking\"\u003EDynamic Linking\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#customizable-approval-flows-for-better-user-experience\"\u003ECustomizable approval flows for better user experience\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fh2\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EOpenID FAPI\u003C\u002Fa\u003E is a suite of security and privacy specifications developed by the \u003Cdfn data-key=\"openid\"\u003EOpenID\u003C\u002Fdfn\u003E Foundation. 
APIs that meet the FAPI standards are classified as “financial-grade,” which means that they provide robust authentication and authorization mechanisms that help secure access to financial and other sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003EAuth0 is a certified FAPI provider. To learn more about the security improvements we introduced to meet FAPI standards, see the following sections:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EFor more information on FAPI, see OpenID's \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwordpress-content\u002Fuploads\u002F2022\u002F03\u002FOIDF-Whitepaper_Open-Banking-Open-Data-and-Financial-Grade-APIs_2022-03-16.pdf\"\u003EOpen Banking, Open Data, and Financial-grade APIs\u003C\u002Fa\u003E whitepaper and the \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EFAPI Working Group specifications\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F20iajPMtmICMORUfaVQH7a\u002Fec900e1007b3faebd66eb2508f46acb0\u002Fimage17.png\" alt=\"\"\u003E\u003Ch2\u003EStrong Customer Authentication (SCA)\u003C\u002Fh2\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F3JDIerJcevImoIDRd7OfIy\u002F98597a9164b66cde9ec7ddc23f3e849b\u002Fimage14.png\" alt=\"\"\u003E\u003Cp\u003EIntroduced by Europe’s \u003Ca 
href=\"https:\u002F\u002Fwww.europeanpaymentscouncil.eu\u002Fsites\u002Fdefault\u002Ffiles\u002Finfographic\u002F2018-04\u002FEPC_Infographic_PSD2_April%202018.pdf\"\u003EPayment Services Directive (PSD2)\u003C\u002Fa\u003E, Strong Customer Authentication (SCA), mandates the use of at least two distinct authentication factors out of the following three:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003ESomething the user knows (e.g., a password)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething the user possesses (e.g., a device)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething intrinsic to the user (e.g., a fingerprint)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EThe authentication factors must be independent so that compromising one does not jeopardize the others. SCA is quickly becoming the worldwide standard for safeguarding sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003ETo help with SCA compliance, Auth0 offers various authentication factors that enroll and challenge users during a login transaction. Highly Regulated Identity leverages the following authentication factors to secure your transactions: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EMobile push notifications\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESMS\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EEmail\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EWebAuthn\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EUsing \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E, you can dynamically determine which authentication factors to use. This gives you the flexibility to customize your code logic. For example, you can add a second authentication factor for payments above 10 USD. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EDynamic Linking\u003C\u002Fh2\u003E\u003Cp\u003EPSD2 requires that payment service providers implement Dynamic Linking along with Strong Customer Authentication. Dynamic Linking presents the user with transaction details for their explicit validation and approval and uniquely links the authorization and the transaction details. This ensures a good user experience and helps with regulatory compliance.\u003C\u002Fp\u003E\u003Cp\u003ETo enable Dynamic Linking, you can use Rich Authorization Requests (RAR) to pass fine-grained transaction authorization data to the \u003Cdfn data-key=\"oath2\"\u003EOAuth\u003C\u002Fdfn\u003E authorization endpoint. The following code sample shows an \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E JSON object, which contains information like the payment type, amount, currency, and recipient:\u003C\u002Fp\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode\u003E\"authorization_details\": [\n {\n \"type\": \"one_time_payment\",\n \"amount\": {\n \"amount\": 2460.46,\n \"currency\": \"USD\"\n },\n \"sourceAccount\": \"xxxxxxxxxxx4567\",\n \"recipient\": \"Acme Travel, Inc.\",\n \"concept\": \"All Inclusive Resort Package for Two\"\n }\n]\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003E\u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E is assigned a unique transaction reference, which Auth0 uses to prompt the user to perform step-up authentication: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EUse push notifications to show transaction details and get approval on a separate device such as a mobile phone application.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EUse SMS, email, or WebAuthn to 
confirm the details on the device that originated the transaction after the user completes the second authentication factor.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"warning\"\u003E\u003Cp\u003EDo not pass fine-grained transaction authorization data or other sensitive or regulated data outside of \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E. \u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EIf the user confirms the details, the transaction progresses and Auth0 issues an \u003Cdfn data-key=\"access-token\"\u003Eaccess token\u003C\u002Fdfn\u003E associated with the now-approved authorization_details. Developers can also add the unique transaction reference to the access token. As a result, your API servers can later validate the approved transaction details when receiving and servicing API requests.\n\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about RAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-rar\"\u003EAuthorization Code Flow with Rich Authorization Requests\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EConfidentiality and integrity protection\u003C\u002Fh2\u003E\u003Cp\u003EAuthorization details may include account numbers, monetary amounts, merchant names, and other highly sensitive information that is passed in URLs or access tokens, neither of which is secure on its own. 
To protect sensitive data from unauthorized access and tampering, Highly Regulated Identity offers comprehensive confidentiality and integrity protection.\u003C\u002Fp\u003E\u003Ch3\u003EProtect sensitive data in the front channel\u003C\u002Fh3\u003E\u003Cp\u003ETo protect sensitive data in the front channel, such as a web browser, Highly Regulated Identity offers the following solutions as part of the FAPI 1 Advanced Security profile.\u003C\u002Fp\u003E\u003Ch4\u003EPushed Authorization Requests (PAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9126\u002F\"\u003EPAR\u003C\u002Fa\u003E introduces a new endpoint, which allows clients to directly push the payload of an OAuth 2.0 authorization request to the \u003Cdfn data-key=\"authorization-server\"\u003Eauthorization server\u003C\u002Fdfn\u003E (i.e. Auth0 in this case). This avoids passing the authorization parameters via the insecure front channel (i.e., the browser), thus reducing the risk of unauthorized access to authorization parameters by an intermediary.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about PAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-par\"\u003EAuthorization Code Flow with Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-par\"\u003EConfigure Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EJWT-Secured Authorization Request (JAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9101\u002F\"\u003EJAR\u003C\u002Fa\u003E is an OAuth2 protocol extension that enhances the security of authorization requests. 
It does so by using a \u003Cdfn data-key=\"json-web-token\"\u003EJSON Web Token\u003C\u002Fdfn\u003E (JWT) request parameter to protect the integrity and, optionally, the confidentiality of the authorization request parameters.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-jar\"\u003EAuthorization Code Flow with JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-jar\"\u003EConfigure JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EProtect sensitive data in access tokens\u003C\u002Fh4\u003E\u003Cp\u003ETo protect the authorization details included in access tokens, Highly Regulated Identity provides support for using \u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc7516\"\u003EJSON Web Encryption (JWE)\u003C\u002Fa\u003E to encrypt the payload of access tokens. 
This protects access tokens from application-side data breaches and unauthorized inspection into API calls by intermediaries.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JWE, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fjson-web-encryption\"\u003EJSON Web Encryption\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-json-web-encryption\"\u003EConfigure JSON Web Encryption\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EStronger application authentication\u003C\u002Fh2\u003E\u003Cp\u003ETo improve your application authentication security, Highly Regulated Identity offers two different alternatives as part of the FAPI 1 Advanced Security profile:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"http:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Fdraft-ietf-oauth-jwt-bearer\"\u003EPrivate Key JWT\u003C\u002Fa\u003E: involves generating a public-private key pair to use as credentials to authenticate an application. It is already available for customers on the Enterprise plan. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fapplication-credentials#private-key-jwt-authentication\"\u003EPrivate Key JWT Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc8705\"\u003EmTLS for OAuth\u003C\u002Fa\u003E: involves registering a standard X.509 certificate linked to an application on your tenant. The certificate can either be CA-issued or self-signed. Following standard mTLS procedures, the private key corresponding to the certificate is used on the client side to establish the mTLS tunnel when sending requests to your Auth0 tenant endpoints. As a result, Auth0 can authenticate the application without transmitting secrets over the network. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthenticate-with-mtls\"\u003EmTLS for OAuth\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EWith both Private Key JWT and OAuth 2.0 mTLS, you can rotate credentials with zero downtime by temporarily keeping two active keys and\u002For certificates at the same time for a given application.\u003C\u002Fp\u003E\u003Ch2\u003EProtect access tokens with Token Binding\u003C\u002Fh2\u003E\u003Cp\u003ESupporting mTLS also adds the ability to use Token Binding or Sender Constraining. Token Binding associates the thumbprint of the client certificate used for establishing the mTLS tunnel with an access token. When the client consumes an API using the certificate-bound access token, the API server is then able to verify whether the client is also using the associated client certificate. As a result, even if the access token is compromised, malicious actors who do not hold the private key for the associated client certificate still cannot use the token to access protected resources.\u003C\u002Fp\u003E\u003Cp\u003E\u003Cb\u003ENote:\u003C\u002Fb\u003E Token Binding operates independently of the application's authentication method and does not require the pre-registration of the client certificate. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-sender-constraining\"\u003EConfigure Sender Constraining\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003ECustomizable approval flows for better user experience\u003C\u002Fh2\u003E\u003Cp\u003EWhen designing real-world solutions for financial-grade security, it’s important to consider user experience. Applying one-size-fits-all authentication flows for all transactions is not as effective as dynamically adjusting based on transaction details and use cases. 
\u003C\u002Fp\u003E\u003Cp\u003EYou can customize your authentication flow using \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E. For example, after the user logs in, you can inspect transaction details received via RAR, list the user’s enrolled and already validated authentication factors, and use external services, such as risk evaluation engines, to determine the next authentication factor to use. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E. \u003C\u002Fp\u003E\u003Cp\u003EThe New \u003Cdfn data-key=\"universal-login\"\u003EUniversal Login\u003C\u002Fdfn\u003E templates also enable you to customize the attributes displayed on the transaction approval screen depending on the type of transaction and other authorization details. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-rich-authorization-requests\"\u003EConfigure Rich Authorization Requests (RAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F7eBJA1IPsCIZubFKEtHh3m\u002F8ec245ebd3bab775e9ba12fbe7f4096c\u002Fimage2.png\" alt=\"\"\u003E\u003Ch2\u003E\u003Cb\u003ELearn more\u003C\u002Fb\u003E\u003C\u002Fh2\u003E\u003Cp\u003ETo learn how Highly Regulated Identity works from end-to-end to authorize a one-time transaction, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca\"\u003ETransactional Authorization with Contextual Strong Customer Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E","sitemap":true,"breadcrumbs":[{"title":"Secure","path":"\u002Fsecure","url":"\u002Fdocs\u002Fsecure"},{"title":"Highly Regulated 
Identity","path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity"}],"path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity","routeName":"article","section":"articles","titles":[{"content":"Advanced security with OpenID Connect (FAPI)","anchor":"advanced-security-with-openid-connect-fapi-","level":2},{"content":"Strong Customer Authentication (SCA)","anchor":"strong-customer-authentication-sca-","level":2},{"content":"Dynamic Linking","anchor":"dynamic-linking","level":2},{"content":"Confidentiality and integrity protection","anchor":"confidentiality-and-integrity-protection","level":2},{"content":"Protect sensitive data in the front channel","anchor":"protect-sensitive-data-in-the-front-channel","level":3},{"content":"Pushed Authorization Requests (PAR)","anchor":"pushed-authorization-requests-par-","level":4},{"content":"JWT-Secured Authorization Request (JAR)","anchor":"jwt-secured-authorization-request-jar-","level":4},{"content":"Protect sensitive data in access tokens","anchor":"protect-sensitive-data-in-access-tokens","level":4},{"content":"Stronger application authentication","anchor":"stronger-application-authentication","level":2},{"content":"Protect access tokens with Token Binding","anchor":"protect-access-tokens-with-token-binding","level":2},{"content":"Customizable approval flows for better user experience","anchor":"customizable-approval-flows-for-better-user-experience","level":2},{"content":"Learn more","anchor":"learn-more","level":2}]},"title":"Protect sensitive data in the front channel"}},{"component":"Title","containerID":"portal-title-5","props":{"children":"\u003Ch4 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EPushed Authorization Requests 
(PAR)\u003C\u002Fh4\u003E","anchor":"pushed-authorization-requests-par-","tag":"h4","meta":{"title":"Highly Regulated Identity","updatedAt":"2024-08-27T20:23:14.565Z","contentfulId":"4MXfmXwd6WcsLjH3kFpOcv","type":"article","description":"Learn about Highly Regulated Identity, Auth0's Financial-Grade Identity solution. ","hash":"highly-regulated-identity","sections":["secure","highly-regulated-identity"],"toc":false,"public":true,"parent":null,"referenceLinks":null,"content":"\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"default\"\u003E\u003Cp\u003ETo use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fpricing\u002F\"\u003EAuth0 Pricing\u003C\u002Fa\u003E for details.\u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EHighly Regulated Identity (HRI) is Auth0’s Financial-Grade Identity™ solution to secure sensitive data operations and services important for your business. Initially targeting highly regulated industries like finance and healthcare, Highly Regulated Identity raises the security level to protect a wide range of customer use cases, including but not limited to money transfers, digital payments, and access to medical records. You can also use Highly Regulated Identity for other sensitive operations that require enhanced security, such as to approve changes in administrative credentials, secure privileged access to a web portal, and more. 
\u003C\u002Fp\u003E\u003Cp\u003ETo secure your sensitive business operations, Highly Regulated Identity provides:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#advanced-security-with-openid-connect-fapi-\"\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#strong-customer-authentication-sca-\"\u003EStrong Customer Authentication (SCA)\u003C\u002Fa\u003E and \u003Ca href=\"#dynamic-linking\"\u003EDynamic Linking\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#customizable-approval-flows-for-better-user-experience\"\u003ECustomizable approval flows for better user experience\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fh2\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EOpenID FAPI\u003C\u002Fa\u003E is a suite of security and privacy specifications developed by the \u003Cdfn data-key=\"openid\"\u003EOpenID\u003C\u002Fdfn\u003E Foundation. 
APIs that meet the FAPI standards are classified as “financial-grade,” which means that they provide robust authentication and authorization mechanisms that help secure access to financial and other sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003EAuth0 is a certified FAPI provider. To learn more about the security improvements we introduced to meet FAPI standards, see the following sections:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EFor more information on FAPI, see OpenID's \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwordpress-content\u002Fuploads\u002F2022\u002F03\u002FOIDF-Whitepaper_Open-Banking-Open-Data-and-Financial-Grade-APIs_2022-03-16.pdf\"\u003EOpen Banking, Open Data, and Financial-grade APIs\u003C\u002Fa\u003E whitepaper and the \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EFAPI Working Group specifications\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F20iajPMtmICMORUfaVQH7a\u002Fec900e1007b3faebd66eb2508f46acb0\u002Fimage17.png\" alt=\"\"\u003E\u003Ch2\u003EStrong Customer Authentication (SCA)\u003C\u002Fh2\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F3JDIerJcevImoIDRd7OfIy\u002F98597a9164b66cde9ec7ddc23f3e849b\u002Fimage14.png\" alt=\"\"\u003E\u003Cp\u003EIntroduced by Europe’s \u003Ca 
href=\"https:\u002F\u002Fwww.europeanpaymentscouncil.eu\u002Fsites\u002Fdefault\u002Ffiles\u002Finfographic\u002F2018-04\u002FEPC_Infographic_PSD2_April%202018.pdf\"\u003EPayment Services Directive (PSD2)\u003C\u002Fa\u003E, Strong Customer Authentication (SCA), mandates the use of at least two distinct authentication factors out of the following three:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003ESomething the user knows (e.g., a password)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething the user possesses (e.g., a device)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething intrinsic to the user (e.g., a fingerprint)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EThe authentication factors must be independent so that compromising one does not jeopardize the others. SCA is quickly becoming the worldwide standard for safeguarding sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003ETo help with SCA compliance, Auth0 offers various authentication factors that enroll and challenge users during a login transaction. Highly Regulated Identity leverages the following authentication factors to secure your transactions: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EMobile push notifications\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESMS\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EEmail\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EWebAuthn\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EUsing \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E, you can dynamically determine which authentication factors to use. This gives you the flexibility to customize your code logic. For example, you can add a second authentication factor for payments above 10 USD. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EDynamic Linking\u003C\u002Fh2\u003E\u003Cp\u003EPSD2 requires that payment service providers implement Dynamic Linking along with Strong Customer Authentication. Dynamic Linking presents the user with transaction details for their explicit validation and approval and uniquely links the authorization and the transaction details. This ensures a good user experience and helps with regulatory compliance.\u003C\u002Fp\u003E\u003Cp\u003ETo enable Dynamic Linking, you can use Rich Authorization Requests (RAR) to pass fine-grained transaction authorization data to the \u003Cdfn data-key=\"oath2\"\u003EOAuth\u003C\u002Fdfn\u003E authorization endpoint. The following code sample shows an \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E JSON object, which contains information like the payment type, amount, currency, and recipient:\u003C\u002Fp\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode\u003E\"authorization_details\": [\n {\n \"type\": \"one_time_payment\",\n \"amount\": {\n \"amount\": 2460,46,\n \"currency\": \"USD\"\n },\n \"sourceAccount\": \"xxxxxxxxxxx4567\",\n \"recipient\": \"Acme Travel, Inc.\",\n \"concept\": \"All Inclusive Resort Package for Two\",\n }\n]\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003E\u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E is assigned a unique transaction reference, which Auth0 uses to prompt the user to perform step-up authentication: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EUse push notifications to show transaction details and get approval on a separate device such as a mobile phone application.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EUse SMS, email, or WebAuthn to 
confirm the details on the device that originated the transaction after the user completes the second authentication factor.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"warning\"\u003E\u003Cp\u003EDo not pass fine-grained transaction authorization data or other sensitive or regulated data outside of \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E. \u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EIf the user confirms the details, the transaction progresses and Auth0 issues an \u003Cdfn data-key=\"access-token\"\u003Eaccess token\u003C\u002Fdfn\u003E associated with the now-approved authorization_details. Developers can also add the unique transaction reference to the access token. As a result, your API servers can later validate the approved transaction details when receiving and servicing API requests.\n\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about RAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-rar\"\u003EAuthorization Code Flow with Rich Authorization Requests\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EConfidentiality and integrity protection\u003C\u002Fh2\u003E\u003Cp\u003EAuthorization details may include account numbers, monetary amounts, merchant names, and other highly sensitive information that are passed in URLs or access tokens that are not secure. 
To protect sensitive data from unauthorized access and tampering, Highly Regulated Identity offers comprehensive confidentiality and integrity protection.\u003C\u002Fp\u003E\u003Ch3\u003EProtect sensitive data in the front channel\u003C\u002Fh3\u003E\u003Cp\u003ETo protect sensitive data in the front channel, such as a web browser, Highly Regulated Identity offers the following solutions as part of the FAPI 1 Advanced Security profile.\u003C\u002Fp\u003E\u003Ch4\u003EPushed Authorization Requests (PAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9126\u002F\"\u003EPAR\u003C\u002Fa\u003E introduces a new endpoint, which allows clients to directly push the payload of an OAuth 2.0 authorization request to the \u003Cdfn data-key=\"authorization-server\"\u003Eauthorization server\u003C\u002Fdfn\u003E (i.e. Auth0 in this case). This avoids passing the authorization parameters via the insecure front channel (i.e., the browser), thus reducing the risk of unauthorized access to authorization parameters by an intermediary.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about PAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-par\"\u003EAuthorization Code Flow with Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-par\"\u003EConfigure Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EJWT-Secured Authorization Request (JAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9101\u002F\"\u003EJAR\u003C\u002Fa\u003E is an OAuth2 protocol extension that enhances the security of authorization requests. 
It does so by using a \u003Cdfn data-key=\"json-web-token\"\u003EJSON Web Token\u003C\u002Fdfn\u003E (JWT) request parameter to protect the integrity and, optionally, the confidentiality of the authorization request parameters.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-jar\"\u003EAuthorization Code Flow with JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-jar\"\u003EConfigure JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EProtect sensitive data in access tokens\u003C\u002Fh4\u003E\u003Cp\u003ETo protect the authorization details included in access tokens, Highly Regulated Identity provides support for using \u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc7516\"\u003EJSON Web Encryption (JWE)\u003C\u002Fa\u003E to encrypt the payload of access tokens. 
This protects access tokens from application-side data breaches and unauthorized inspection into API calls by intermediaries.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JWE, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fjson-web-encryption\"\u003EJSON Web Encryption\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-json-web-encryption\"\u003EConfigure JSON Web Encryption\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EStronger application authentication\u003C\u002Fh2\u003E\u003Cp\u003ETo improve your application authentication security, Highly Regulated Identity offers two different alternatives as part of the FAPI 1 Advanced Security profile:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"http:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Fdraft-ietf-oauth-jwt-bearer\"\u003EPrivate Key JWT\u003C\u002Fa\u003E: involves generating a public-private key pair to use as credentials to authenticate an application. It is already available for customers on the Enterprise plan. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fapplication-credentials#private-key-jwt-authentication\"\u003EPrivate Key JWT Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc8705\"\u003EmTLS for OAuth\u003C\u002Fa\u003E: involves registering a standard X.509 certificate linked to an application on your tenant. The certificate can either be CA-issued or self-signed. Following standard mTLS procedures, the private key corresponding to the certificate is used on the client side to establish the mTLS tunnel when sending requests to your Auth0 tenant endpoints. As a result, Auth0 can authenticate the application without transmitting secrets over the network. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthenticate-with-mtls\"\u003EmTLS for OAuth\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EWith both Private Key JWT and OAuth 2.0 mTLS, you can rotate credentials with zero downtime by temporarily keeping two active keys and\u002For certificates at the same time for a given application.\u003C\u002Fp\u003E\u003Ch2\u003EProtect access tokens with Token Binding\u003C\u002Fh2\u003E\u003Cp\u003ESupporting mTLS also adds the ability to use Token Binding (also referred to as Sender Constraining). Token Binding associates the thumbprint of the client certificate used for establishing the mTLS tunnel with an access token. When the client consumes an API using the certificate-bound access token, the API server is then able to verify whether the client is also using the associated client certificate. As a result, even if the access token is compromised, malicious actors who cannot establish the mTLS tunnel with the bound client certificate, which requires its private key, still cannot access protected resources.\u003C\u002Fp\u003E\u003Cp\u003E\u003Cb\u003ENote:\u003C\u002Fb\u003E Token Binding operates independently of the application's authentication method and does not require the pre-registration of the client certificate. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-sender-constraining\"\u003EConfigure Sender Constraining\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003ECustomizable approval flows for better user experience\u003C\u002Fh2\u003E\u003Cp\u003EWhen designing real-world solutions for financial-grade security, it’s important to consider user experience. Applying one-size-fits-all authentication flows for all transactions is not as effective as dynamically adjusting based on transaction details and use cases. 
\u003C\u002Fp\u003E\u003Cp\u003EYou can customize your authentication flow using \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E. For example, after the user logs in, you can inspect transaction details received via RAR, list the user’s enrolled and already validated authentication factors, and use external services, such as risk evaluation engines, to determine the next authentication factor to use. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E. \u003C\u002Fp\u003E\u003Cp\u003EThe New \u003Cdfn data-key=\"universal-login\"\u003EUniversal Login\u003C\u002Fdfn\u003E templates also enable you to customize the attributes displayed on the transaction approval screen depending on the type of transaction and other authorization details. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-rich-authorization-requests\"\u003EConfigure Rich Authorization Requests (RAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F7eBJA1IPsCIZubFKEtHh3m\u002F8ec245ebd3bab775e9ba12fbe7f4096c\u002Fimage2.png\" alt=\"\"\u003E\u003Ch2\u003E\u003Cb\u003ELearn more\u003C\u002Fb\u003E\u003C\u002Fh2\u003E\u003Cp\u003ETo learn how Highly Regulated Identity works from end-to-end to authorize a one-time transaction, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca\"\u003ETransactional Authorization with Contextual Strong Customer Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E","sitemap":true,"breadcrumbs":[{"title":"Secure","path":"\u002Fsecure","url":"\u002Fdocs\u002Fsecure"},{"title":"Highly Regulated 
Identity","path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity"}],"path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity","routeName":"article","section":"articles","titles":[{"content":"Advanced security with OpenID Connect (FAPI)","anchor":"advanced-security-with-openid-connect-fapi-","level":2},{"content":"Strong Customer Authentication (SCA)","anchor":"strong-customer-authentication-sca-","level":2},{"content":"Dynamic Linking","anchor":"dynamic-linking","level":2},{"content":"Confidentiality and integrity protection","anchor":"confidentiality-and-integrity-protection","level":2},{"content":"Protect sensitive data in the front channel","anchor":"protect-sensitive-data-in-the-front-channel","level":3},{"content":"Pushed Authorization Requests (PAR)","anchor":"pushed-authorization-requests-par-","level":4},{"content":"JWT-Secured Authorization Request (JAR)","anchor":"jwt-secured-authorization-request-jar-","level":4},{"content":"Protect sensitive data in access tokens","anchor":"protect-sensitive-data-in-access-tokens","level":4},{"content":"Stronger application authentication","anchor":"stronger-application-authentication","level":2},{"content":"Protect access tokens with Token Binding","anchor":"protect-access-tokens-with-token-binding","level":2},{"content":"Customizable approval flows for better user experience","anchor":"customizable-approval-flows-for-better-user-experience","level":2},{"content":"Learn more","anchor":"learn-more","level":2}]},"title":"Pushed Authorization Requests (PAR)"}},{"component":"Title","containerID":"portal-title-6","props":{"children":"\u003Ch4 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EJWT-Secured Authorization Request 
(JAR)\u003C\u002Fh4\u003E","anchor":"jwt-secured-authorization-request-jar-","tag":"h4","meta":{"title":"Highly Regulated Identity","updatedAt":"2024-08-27T20:23:14.565Z","contentfulId":"4MXfmXwd6WcsLjH3kFpOcv","type":"article","description":"Learn about Highly Regulated Identity, Auth0's Financial-Grade Identity solution. ","hash":"highly-regulated-identity","sections":["secure","highly-regulated-identity"],"toc":false,"public":true,"parent":null,"referenceLinks":null,"content":"\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"default\"\u003E\u003Cp\u003ETo use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fpricing\u002F\"\u003EAuth0 Pricing\u003C\u002Fa\u003E for details.\u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EHighly Regulated Identity (HRI) is Auth0’s Financial-Grade Identity™ solution to secure sensitive data operations and services important for your business. Initially targeting highly regulated industries like finance and healthcare, Highly Regulated Identity raises the security level to protect a wide range of customer use cases, including but not limited to money transfers, digital payments, and access to medical records. You can also use Highly Regulated Identity for other sensitive operations that require enhanced security, such as to approve changes in administrative credentials, secure privileged access to a web portal, and more. 
\u003C\u002Fp\u003E\u003Cp\u003ETo secure your sensitive business operations, Highly Regulated Identity provides:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#advanced-security-with-openid-connect-fapi-\"\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#strong-customer-authentication-sca-\"\u003EStrong Customer Authentication (SCA)\u003C\u002Fa\u003E and \u003Ca href=\"#dynamic-linking\"\u003EDynamic Linking\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#customizable-approval-flows-for-better-user-experience\"\u003ECustomizable approval flows for better user experience\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fh2\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EOpenID FAPI\u003C\u002Fa\u003E is a suite of security and privacy specifications developed by the \u003Cdfn data-key=\"openid\"\u003EOpenID\u003C\u002Fdfn\u003E Foundation. 
APIs that meet the FAPI standards are classified as “financial-grade,” which means that they provide robust authentication and authorization mechanisms that help secure access to financial and other sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003EAuth0 is a certified FAPI provider. To learn more about the security improvements we introduced to meet FAPI standards, see the following sections:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EFor more information on FAPI, see OpenID's \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwordpress-content\u002Fuploads\u002F2022\u002F03\u002FOIDF-Whitepaper_Open-Banking-Open-Data-and-Financial-Grade-APIs_2022-03-16.pdf\"\u003EOpen Banking, Open Data, and Financial-grade APIs\u003C\u002Fa\u003E whitepaper and the \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EFAPI Working Group specifications\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F20iajPMtmICMORUfaVQH7a\u002Fec900e1007b3faebd66eb2508f46acb0\u002Fimage17.png\" alt=\"\"\u003E\u003Ch2\u003EStrong Customer Authentication (SCA)\u003C\u002Fh2\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F3JDIerJcevImoIDRd7OfIy\u002F98597a9164b66cde9ec7ddc23f3e849b\u002Fimage14.png\" alt=\"\"\u003E\u003Cp\u003EIntroduced by Europe’s \u003Ca 
href=\"https:\u002F\u002Fwww.europeanpaymentscouncil.eu\u002Fsites\u002Fdefault\u002Ffiles\u002Finfographic\u002F2018-04\u002FEPC_Infographic_PSD2_April%202018.pdf\"\u003EPayment Services Directive (PSD2)\u003C\u002Fa\u003E, Strong Customer Authentication (SCA), mandates the use of at least two distinct authentication factors out of the following three:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003ESomething the user knows (e.g., a password)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething the user possesses (e.g., a device)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething intrinsic to the user (e.g., a fingerprint)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EThe authentication factors must be independent so that compromising one does not jeopardize the others. SCA is quickly becoming the worldwide standard for safeguarding sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003ETo help with SCA compliance, Auth0 offers various authentication factors that enroll and challenge users during a login transaction. Highly Regulated Identity leverages the following authentication factors to secure your transactions: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EMobile push notifications\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESMS\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EEmail\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EWebAuthn\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EUsing \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E, you can dynamically determine which authentication factors to use. This gives you the flexibility to customize your code logic. For example, you can add a second authentication factor for payments above 10 USD. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EDynamic Linking\u003C\u002Fh2\u003E\u003Cp\u003EPSD2 requires that payment service providers implement Dynamic Linking along with Strong Customer Authentication. Dynamic Linking presents the user with transaction details for their explicit validation and approval and uniquely links the authorization and the transaction details. This ensures a good user experience and helps with regulatory compliance.\u003C\u002Fp\u003E\u003Cp\u003ETo enable Dynamic Linking, you can use Rich Authorization Requests (RAR) to pass fine-grained transaction authorization data to the \u003Cdfn data-key=\"oath2\"\u003EOAuth\u003C\u002Fdfn\u003E authorization endpoint. The following code sample shows an \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E JSON object, which contains information like the payment type, amount, currency, and recipient:\u003C\u002Fp\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode\u003E\"authorization_details\": [\n {\n \"type\": \"one_time_payment\",\n \"amount\": {\n \"amount\": 2460.46,\n \"currency\": \"USD\"\n },\n \"sourceAccount\": \"xxxxxxxxxxx4567\",\n \"recipient\": \"Acme Travel, Inc.\",\n \"concept\": \"All Inclusive Resort Package for Two\"\n }\n]\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003E\u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E is assigned a unique transaction reference, which Auth0 uses to prompt the user to perform step-up authentication: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EUse push notifications to show transaction details and get approval on a separate device such as a mobile phone application.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EUse SMS, email, or WebAuthn to 
confirm the details on the device that originated the transaction after the user completes the second authentication factor.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"warning\"\u003E\u003Cp\u003EDo not pass fine-grained transaction authorization data or other sensitive or regulated data outside of \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E. \u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EIf the user confirms the details, the transaction progresses and Auth0 issues an \u003Cdfn data-key=\"access-token\"\u003Eaccess token\u003C\u002Fdfn\u003E associated with the now-approved authorization_details. Developers can also add the unique transaction reference to the access token. As a result, your API servers can later validate the approved transaction details when receiving and servicing API requests.\n\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about RAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-rar\"\u003EAuthorization Code Flow with Rich Authorization Requests\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EConfidentiality and integrity protection\u003C\u002Fh2\u003E\u003Cp\u003EAuthorization details may include account numbers, monetary amounts, merchant names, and other highly sensitive information that is passed in URLs or in access tokens that are not secure. 
To protect sensitive data from unauthorized access and tampering, Highly Regulated Identity offers comprehensive confidentiality and integrity protection.\u003C\u002Fp\u003E\u003Ch3\u003EProtect sensitive data in the front channel\u003C\u002Fh3\u003E\u003Cp\u003ETo protect sensitive data in the front channel, such as a web browser, Highly Regulated Identity offers the following solutions as part of the FAPI 1 Advanced Security profile.\u003C\u002Fp\u003E\u003Ch4\u003EPushed Authorization Requests (PAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9126\u002F\"\u003EPAR\u003C\u002Fa\u003E introduces a new endpoint, which allows clients to directly push the payload of an OAuth 2.0 authorization request to the \u003Cdfn data-key=\"authorization-server\"\u003Eauthorization server\u003C\u002Fdfn\u003E (i.e. Auth0 in this case). This avoids passing the authorization parameters via the insecure front channel (i.e., the browser), thus reducing the risk of unauthorized access to authorization parameters by an intermediary.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about PAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-par\"\u003EAuthorization Code Flow with Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-par\"\u003EConfigure Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EJWT-Secured Authorization Request (JAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9101\u002F\"\u003EJAR\u003C\u002Fa\u003E is an OAuth2 protocol extension that enhances the security of authorization requests. 
It does so by using a \u003Cdfn data-key=\"json-web-token\"\u003EJSON Web Token\u003C\u002Fdfn\u003E (JWT) request parameter to protect the integrity and, optionally, the confidentiality of the authorization request parameters.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-jar\"\u003EAuthorization Code Flow with JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-jar\"\u003EConfigure JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EProtect sensitive data in access tokens\u003C\u002Fh4\u003E\u003Cp\u003ETo protect the authorization details included in access tokens, Highly Regulated Identity provides support for using \u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc7516\"\u003EJSON Web Encryption (JWE)\u003C\u002Fa\u003E to encrypt the payload of access tokens. 
This protects access tokens from application-side data breaches and unauthorized inspection into API calls by intermediaries.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JWE, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fjson-web-encryption\"\u003EJSON Web Encryption\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-json-web-encryption\"\u003EConfigure JSON Web Encryption\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EStronger application authentication\u003C\u002Fh2\u003E\u003Cp\u003ETo improve your application authentication security, Highly Regulated Identity offers two different alternatives as part of the FAPI 1 Advanced Security profile:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"http:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Fdraft-ietf-oauth-jwt-bearer\"\u003EPrivate Key JWT\u003C\u002Fa\u003E: involves generating a public-private key pair to use as credentials to authenticate an application. It is already available for customers on the Enterprise plan. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fapplication-credentials#private-key-jwt-authentication\"\u003EPrivate Key JWT Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc8705\"\u003EmTLS for OAuth\u003C\u002Fa\u003E: involves registering a standard X.509 certificate linked to an application on your tenant. The certificate can either be CA-issued or self-signed. Following standard mTLS procedures, the private key corresponding to the certificate is used on the client side to establish the mTLS tunnel when sending requests to your Auth0 tenant endpoints. As a result, Auth0 can authenticate the application without transmitting secrets over the network. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthenticate-with-mtls\"\u003EmTLS for OAuth\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EWith both Private Key JWT and OAuth 2.0 mTLS, you can rotate credentials with zero downtime by temporarily keeping two active keys and\u002For certificates at the same time for a given application.\u003C\u002Fp\u003E\u003Ch2\u003EProtect access tokens with Token Binding\u003C\u002Fh2\u003E\u003Cp\u003ESupporting mTLS also adds the ability to use Token Binding or Sender Constraining. Token Binding associates the thumbprint of the client certificate used for establishing the mTLS tunnel with an access token. When the client consumes an API using the certificate-bound access token, the API server is then able to verify whether the client is also using the associated client certificate. As a result, even if the access token is compromised, malicious actors who do not hold the private key for that client certificate still cannot access protected resources.\u003C\u002Fp\u003E\u003Cp\u003E\u003Cb\u003ENote:\u003C\u002Fb\u003E Token Binding operates independently of the application's authentication method and does not require the pre-registration of the client certificate. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-sender-constraining\"\u003EConfigure Sender Constraining\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003ECustomizable approval flows for better user experience\u003C\u002Fh2\u003E\u003Cp\u003EWhen designing real-world solutions for financial-grade security, it’s important to consider user experience. Applying one-size-fits-all authentication flows for all transactions is not as effective as dynamically adjusting based on transaction details and use cases. 
\u003C\u002Fp\u003E\u003Cp\u003EYou can customize your authentication flow using \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E. For example, after the user logs in, you can inspect transaction details received via RAR, list the user’s enrolled and already validated authentication factors, and use external services, such as risk evaluation engines, to determine the next authentication factor to use. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E. \u003C\u002Fp\u003E\u003Cp\u003EThe New \u003Cdfn data-key=\"universal-login\"\u003EUniversal Login\u003C\u002Fdfn\u003E templates also enable you to customize the attributes displayed on the transaction approval screen depending on the type of transaction and other authorization details. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-rich-authorization-requests\"\u003EConfigure Rich Authorization Requests (RAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F7eBJA1IPsCIZubFKEtHh3m\u002F8ec245ebd3bab775e9ba12fbe7f4096c\u002Fimage2.png\" alt=\"\"\u003E\u003Ch2\u003E\u003Cb\u003ELearn more\u003C\u002Fb\u003E\u003C\u002Fh2\u003E\u003Cp\u003ETo learn how Highly Regulated Identity works from end-to-end to authorize a one-time transaction, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca\"\u003ETransactional Authorization with Contextual Strong Customer Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E","sitemap":true,"breadcrumbs":[{"title":"Secure","path":"\u002Fsecure","url":"\u002Fdocs\u002Fsecure"},{"title":"Highly Regulated 
Identity","path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity"}],"path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity","routeName":"article","section":"articles","titles":[{"content":"Advanced security with OpenID Connect (FAPI)","anchor":"advanced-security-with-openid-connect-fapi-","level":2},{"content":"Strong Customer Authentication (SCA)","anchor":"strong-customer-authentication-sca-","level":2},{"content":"Dynamic Linking","anchor":"dynamic-linking","level":2},{"content":"Confidentiality and integrity protection","anchor":"confidentiality-and-integrity-protection","level":2},{"content":"Protect sensitive data in the front channel","anchor":"protect-sensitive-data-in-the-front-channel","level":3},{"content":"Pushed Authorization Requests (PAR)","anchor":"pushed-authorization-requests-par-","level":4},{"content":"JWT-Secured Authorization Request (JAR)","anchor":"jwt-secured-authorization-request-jar-","level":4},{"content":"Protect sensitive data in access tokens","anchor":"protect-sensitive-data-in-access-tokens","level":4},{"content":"Stronger application authentication","anchor":"stronger-application-authentication","level":2},{"content":"Protect access tokens with Token Binding","anchor":"protect-access-tokens-with-token-binding","level":2},{"content":"Customizable approval flows for better user experience","anchor":"customizable-approval-flows-for-better-user-experience","level":2},{"content":"Learn more","anchor":"learn-more","level":2}]},"title":"JWT-Secured Authorization Request (JAR)"}},{"component":"Title","containerID":"portal-title-7","props":{"children":"\u003Ch4 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EProtect sensitive data in access 
tokens\u003C\u002Fh4\u003E","anchor":"protect-sensitive-data-in-access-tokens","tag":"h4","meta":{"title":"Highly Regulated Identity","updatedAt":"2024-08-27T20:23:14.565Z","contentfulId":"4MXfmXwd6WcsLjH3kFpOcv","type":"article","description":"Learn about Highly Regulated Identity, Auth0's Financial-Grade Identity solution. ","hash":"highly-regulated-identity","sections":["secure","highly-regulated-identity"],"toc":false,"public":true,"parent":null,"referenceLinks":null,"content":"\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"default\"\u003E\u003Cp\u003ETo use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fpricing\u002F\"\u003EAuth0 Pricing\u003C\u002Fa\u003E for details.\u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EHighly Regulated Identity (HRI) is Auth0’s Financial-Grade Identity™ solution to secure sensitive data operations and services important for your business. Initially targeting highly regulated industries like finance and healthcare, Highly Regulated Identity raises the security level to protect a wide range of customer use cases, including but not limited to money transfers, digital payments, and access to medical records. You can also use Highly Regulated Identity for other sensitive operations that require enhanced security, such as to approve changes in administrative credentials, secure privileged access to a web portal, and more. 
\u003C\u002Fp\u003E\u003Cp\u003ETo secure your sensitive business operations, Highly Regulated Identity provides:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#advanced-security-with-openid-connect-fapi-\"\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#strong-customer-authentication-sca-\"\u003EStrong Customer Authentication (SCA)\u003C\u002Fa\u003E and \u003Ca href=\"#dynamic-linking\"\u003EDynamic Linking\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#customizable-approval-flows-for-better-user-experience\"\u003ECustomizable approval flows for better user experience\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fh2\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EOpenID FAPI\u003C\u002Fa\u003E is a suite of security and privacy specifications developed by the \u003Cdfn data-key=\"openid\"\u003EOpenID\u003C\u002Fdfn\u003E Foundation. 
APIs that meet the FAPI standards are classified as “financial-grade,” which means that they provide robust authentication and authorization mechanisms that help secure access to financial and other sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003EAuth0 is a certified FAPI provider. To learn more about the security improvements we introduced to meet FAPI standards, see the following sections:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EFor more information on FAPI, see OpenID's \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwordpress-content\u002Fuploads\u002F2022\u002F03\u002FOIDF-Whitepaper_Open-Banking-Open-Data-and-Financial-Grade-APIs_2022-03-16.pdf\"\u003EOpen Banking, Open Data, and Financial-grade APIs\u003C\u002Fa\u003E whitepaper and the \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EFAPI Working Group specifications\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F20iajPMtmICMORUfaVQH7a\u002Fec900e1007b3faebd66eb2508f46acb0\u002Fimage17.png\" alt=\"\"\u003E\u003Ch2\u003EStrong Customer Authentication (SCA)\u003C\u002Fh2\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F3JDIerJcevImoIDRd7OfIy\u002F98597a9164b66cde9ec7ddc23f3e849b\u002Fimage14.png\" alt=\"\"\u003E\u003Cp\u003EIntroduced by Europe’s \u003Ca 
href=\"https:\u002F\u002Fwww.europeanpaymentscouncil.eu\u002Fsites\u002Fdefault\u002Ffiles\u002Finfographic\u002F2018-04\u002FEPC_Infographic_PSD2_April%202018.pdf\"\u003EPayment Services Directive (PSD2)\u003C\u002Fa\u003E, Strong Customer Authentication (SCA), mandates the use of at least two distinct authentication factors out of the following three:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003ESomething the user knows (e.g., a password)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething the user possesses (e.g., a device)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething intrinsic to the user (e.g., a fingerprint)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EThe authentication factors must be independent so that compromising one does not jeopardize the others. SCA is quickly becoming the worldwide standard for safeguarding sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003ETo help with SCA compliance, Auth0 offers various authentication factors that enroll and challenge users during a login transaction. Highly Regulated Identity leverages the following authentication factors to secure your transactions: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EMobile push notifications\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESMS\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EEmail\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EWebAuthn\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EUsing \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E, you can dynamically determine which authentication factors to use. This gives you the flexibility to customize your code logic. For example, you can add a second authentication factor for payments above 10 USD. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EDynamic Linking\u003C\u002Fh2\u003E\u003Cp\u003EPSD2 requires that payment service providers implement Dynamic Linking along with Strong Customer Authentication. Dynamic Linking presents the user with transaction details for their explicit validation and approval and uniquely links the authorization and the transaction details. This ensures a good user experience and helps with regulatory compliance.\u003C\u002Fp\u003E\u003Cp\u003ETo enable Dynamic Linking, you can use Rich Authorization Requests (RAR) to pass fine-grained transaction authorization data to the \u003Cdfn data-key=\"oath2\"\u003EOAuth\u003C\u002Fdfn\u003E authorization endpoint. The following code sample shows an \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E JSON object, which contains information like the payment type, amount, currency, and recipient:\u003C\u002Fp\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode\u003E\"authorization_details\": [\n {\n \"type\": \"one_time_payment\",\n \"amount\": {\n \"amount\": 2460.46,\n \"currency\": \"USD\"\n },\n \"sourceAccount\": \"xxxxxxxxxxx4567\",\n \"recipient\": \"Acme Travel, Inc.\",\n \"concept\": \"All Inclusive Resort Package for Two\"\n }\n]\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003E\u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E is assigned a unique transaction reference, which Auth0 uses to prompt the user to perform step-up authentication: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EUse push notifications to show transaction details and get approval on a separate device such as a mobile phone application.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EUse SMS, email, or WebAuthn to 
confirm the details on the device that originated the transaction after the user completes the second authentication factor.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"warning\"\u003E\u003Cp\u003EDo not pass fine-grained transaction authorization data or other sensitive or regulated data outside of \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E. \u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EIf the user confirms the details, the transaction progresses and Auth0 issues an \u003Cdfn data-key=\"access-token\"\u003Eaccess token\u003C\u002Fdfn\u003E associated with the now-approved authorization_details. Developers can also add the unique transaction reference to the access token. As a result, your API servers can later validate the approved transaction details when receiving and servicing API requests.\n\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about RAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-rar\"\u003EAuthorization Code Flow with Rich Authorization Requests\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EConfidentiality and integrity protection\u003C\u002Fh2\u003E\u003Cp\u003EAuthorization details may include account numbers, monetary amounts, merchant names, and other highly sensitive information that is passed in URLs or in access tokens that are not secure. 
To protect sensitive data from unauthorized access and tampering, Highly Regulated Identity offers comprehensive confidentiality and integrity protection.\u003C\u002Fp\u003E\u003Ch3\u003EProtect sensitive data in the front channel\u003C\u002Fh3\u003E\u003Cp\u003ETo protect sensitive data in the front channel, such as a web browser, Highly Regulated Identity offers the following solutions as part of the FAPI 1 Advanced Security profile.\u003C\u002Fp\u003E\u003Ch4\u003EPushed Authorization Requests (PAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9126\u002F\"\u003EPAR\u003C\u002Fa\u003E introduces a new endpoint, which allows clients to directly push the payload of an OAuth 2.0 authorization request to the \u003Cdfn data-key=\"authorization-server\"\u003Eauthorization server\u003C\u002Fdfn\u003E (i.e. Auth0 in this case). This avoids passing the authorization parameters via the insecure front channel (i.e., the browser), thus reducing the risk of unauthorized access to authorization parameters by an intermediary.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about PAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-par\"\u003EAuthorization Code Flow with Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-par\"\u003EConfigure Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EJWT-Secured Authorization Request (JAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9101\u002F\"\u003EJAR\u003C\u002Fa\u003E is an OAuth2 protocol extension that enhances the security of authorization requests. 
It does so by using a \u003Cdfn data-key=\"json-web-token\"\u003EJSON Web Token\u003C\u002Fdfn\u003E (JWT) request parameter to protect the integrity and, optionally, the confidentiality of the authorization request parameters.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-jar\"\u003EAuthorization Code Flow with JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-jar\"\u003EConfigure JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EProtect sensitive data in access tokens\u003C\u002Fh4\u003E\u003Cp\u003ETo protect the authorization details included in access tokens, Highly Regulated Identity provides support for using \u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc7516\"\u003EJSON Web Encryption (JWE)\u003C\u002Fa\u003E to encrypt the payload of access tokens. 
This protects access tokens from application-side data breaches and unauthorized inspection into API calls by intermediaries.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JWE, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fjson-web-encryption\"\u003EJSON Web Encryption\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-json-web-encryption\"\u003EConfigure JSON Web Encryption\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EStronger application authentication\u003C\u002Fh2\u003E\u003Cp\u003ETo improve your application authentication security, Highly Regulated Identity offers two different alternatives as part of the FAPI 1 Advanced Security profile:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"http:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Fdraft-ietf-oauth-jwt-bearer\"\u003EPrivate Key JWT\u003C\u002Fa\u003E: involves generating a public-private key pair to use as credentials to authenticate an application. It is already available for customers on the Enterprise plan. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fapplication-credentials#private-key-jwt-authentication\"\u003EPrivate Key JWT Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc8705\"\u003EmTLS for OAuth\u003C\u002Fa\u003E: involves registering a standard X.509 certificate linked to an application on your tenant. The certificate can either be CA-issued or self-signed. Following standard mTLS procedures, the private key corresponding to the certificate is used on the client side to establish the mTLS tunnel when sending requests to your Auth0 tenant endpoints. As a result, Auth0 can authenticate the application without transmitting secrets over the network. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthenticate-with-mtls\"\u003EmTLS for OAuth\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EWith both Private Key JWT and OAuth 2.0 mTLS, you can rotate credentials with zero downtime by temporarily keeping two active keys and\u002For certificates at the same time for a given application.\u003C\u002Fp\u003E\u003Ch2\u003EProtect access tokens with Token Binding\u003C\u002Fh2\u003E\u003Cp\u003ESupporting mTLS also adds the ability to use Token Binding or Sender Constraining. Token Binding associates the thumbprint of the client certificate used for establishing the mTLS tunnel with an access token. When the client consumes an API using the certificate-bound access token, the API server is then able to verify whether the client is also using the associated client certificate. As a result, even if the access token is compromised, malicious actors who do not hold the private key for that client certificate still cannot access protected resources.\u003C\u002Fp\u003E\u003Cp\u003E\u003Cb\u003ENote:\u003C\u002Fb\u003E Token Binding operates independently of the application's authentication method and does not require the pre-registration of the client certificate. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-sender-constraining\"\u003EConfigure Sender Constraining\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003ECustomizable approval flows for better user experience\u003C\u002Fh2\u003E\u003Cp\u003EWhen designing real-world solutions for financial-grade security, it’s important to consider user experience. Applying one-size-fits-all authentication flows for all transactions is not as effective as dynamically adjusting based on transaction details and use cases. 
\u003C\u002Fp\u003E\u003Cp\u003EYou can customize your authentication flow using \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E. For example, after the user logs in, you can inspect transaction details received via RAR, list the user’s enrolled and already validated authentication factors, and use external services, such as risk evaluation engines, to determine the next authentication factor to use. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E. \u003C\u002Fp\u003E\u003Cp\u003EThe New \u003Cdfn data-key=\"universal-login\"\u003EUniversal Login\u003C\u002Fdfn\u003E templates also enable you to customize the attributes displayed on the transaction approval screen depending on the type of transaction and other authorization details. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-rich-authorization-requests\"\u003EConfigure Rich Authorization Requests (RAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F7eBJA1IPsCIZubFKEtHh3m\u002F8ec245ebd3bab775e9ba12fbe7f4096c\u002Fimage2.png\" alt=\"\"\u003E\u003Ch2\u003E\u003Cb\u003ELearn more\u003C\u002Fb\u003E\u003C\u002Fh2\u003E\u003Cp\u003ETo learn how Highly Regulated Identity works from end-to-end to authorize a one-time transaction, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca\"\u003ETransactional Authorization with Contextual Strong Customer Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E","sitemap":true,"breadcrumbs":[{"title":"Secure","path":"\u002Fsecure","url":"\u002Fdocs\u002Fsecure"},{"title":"Highly Regulated 
Identity","path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity"}],"path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity","routeName":"article","section":"articles","titles":[{"content":"Advanced security with OpenID Connect (FAPI)","anchor":"advanced-security-with-openid-connect-fapi-","level":2},{"content":"Strong Customer Authentication (SCA)","anchor":"strong-customer-authentication-sca-","level":2},{"content":"Dynamic Linking","anchor":"dynamic-linking","level":2},{"content":"Confidentiality and integrity protection","anchor":"confidentiality-and-integrity-protection","level":2},{"content":"Protect sensitive data in the front channel","anchor":"protect-sensitive-data-in-the-front-channel","level":3},{"content":"Pushed Authorization Requests (PAR)","anchor":"pushed-authorization-requests-par-","level":4},{"content":"JWT-Secured Authorization Request (JAR)","anchor":"jwt-secured-authorization-request-jar-","level":4},{"content":"Protect sensitive data in access tokens","anchor":"protect-sensitive-data-in-access-tokens","level":4},{"content":"Stronger application authentication","anchor":"stronger-application-authentication","level":2},{"content":"Protect access tokens with Token Binding","anchor":"protect-access-tokens-with-token-binding","level":2},{"content":"Customizable approval flows for better user experience","anchor":"customizable-approval-flows-for-better-user-experience","level":2},{"content":"Learn more","anchor":"learn-more","level":2}]},"title":"Protect sensitive data in access tokens"}},{"component":"Title","containerID":"portal-title-8","props":{"children":"\u003Ch2 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EStronger application 
authentication\u003C\u002Fh2\u003E","anchor":"stronger-application-authentication","tag":"h2","meta":{"title":"Highly Regulated Identity","updatedAt":"2024-08-27T20:23:14.565Z","contentfulId":"4MXfmXwd6WcsLjH3kFpOcv","type":"article","description":"Learn about Highly Regulated Identity, Auth0's Financial-Grade Identity solution. ","hash":"highly-regulated-identity","sections":["secure","highly-regulated-identity"],"toc":false,"public":true,"parent":null,"referenceLinks":null,"content":"\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"default\"\u003E\u003Cp\u003ETo use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fpricing\u002F\"\u003EAuth0 Pricing\u003C\u002Fa\u003E for details.\u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EHighly Regulated Identity (HRI) is Auth0’s Financial-Grade Identity™ solution to secure sensitive data operations and services important for your business. Initially targeting highly regulated industries like finance and healthcare, Highly Regulated Identity raises the security level to protect a wide range of customer use cases, including but not limited to money transfers, digital payments, and access to medical records. You can also use Highly Regulated Identity for other sensitive operations that require enhanced security, such as to approve changes in administrative credentials, secure privileged access to a web portal, and more. 
\u003C\u002Fp\u003E\u003Cp\u003ETo secure your sensitive business operations, Highly Regulated Identity provides:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#advanced-security-with-openid-connect-fapi-\"\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#strong-customer-authentication-sca-\"\u003EStrong Customer Authentication (SCA)\u003C\u002Fa\u003E and \u003Ca href=\"#dynamic-linking\"\u003EDynamic Linking\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#customizable-approval-flows-for-better-user-experience\"\u003ECustomizable approval flows for better user experience\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fh2\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EOpenID FAPI\u003C\u002Fa\u003E is a suite of security and privacy specifications developed by the \u003Cdfn data-key=\"openid\"\u003EOpenID\u003C\u002Fdfn\u003E Foundation. 
APIs that meet the FAPI standards are classified as “financial-grade,” which means that they provide robust authentication and authorization mechanisms that help secure access to financial and other sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003EAuth0 is a certified FAPI provider. To learn more about the security improvements we introduced to meet FAPI standards, see the following sections:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EFor more information on FAPI, see OpenID's \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwordpress-content\u002Fuploads\u002F2022\u002F03\u002FOIDF-Whitepaper_Open-Banking-Open-Data-and-Financial-Grade-APIs_2022-03-16.pdf\"\u003EOpen Banking, Open Data, and Financial-grade APIs\u003C\u002Fa\u003E whitepaper and the \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EFAPI Working Group specifications\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F20iajPMtmICMORUfaVQH7a\u002Fec900e1007b3faebd66eb2508f46acb0\u002Fimage17.png\" alt=\"\"\u003E\u003Ch2\u003EStrong Customer Authentication (SCA)\u003C\u002Fh2\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F3JDIerJcevImoIDRd7OfIy\u002F98597a9164b66cde9ec7ddc23f3e849b\u002Fimage14.png\" alt=\"\"\u003E\u003Cp\u003EIntroduced by Europe’s \u003Ca 
href=\"https:\u002F\u002Fwww.europeanpaymentscouncil.eu\u002Fsites\u002Fdefault\u002Ffiles\u002Finfographic\u002F2018-04\u002FEPC_Infographic_PSD2_April%202018.pdf\"\u003EPayment Services Directive (PSD2)\u003C\u002Fa\u003E, Strong Customer Authentication (SCA), mandates the use of at least two distinct authentication factors out of the following three:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003ESomething the user knows (e.g., a password)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething the user possesses (e.g., a device)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething intrinsic to the user (e.g., a fingerprint)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EThe authentication factors must be independent so that compromising one does not jeopardize the others. SCA is quickly becoming the worldwide standard for safeguarding sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003ETo help with SCA compliance, Auth0 offers various authentication factors that enroll and challenge users during a login transaction. Highly Regulated Identity leverages the following authentication factors to secure your transactions: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EMobile push notifications\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESMS\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EEmail\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EWebAuthn\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EUsing \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E, you can dynamically determine which authentication factors to use. This gives you the flexibility to customize your code logic. For example, you can add a second authentication factor for payments above 10 USD. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EDynamic Linking\u003C\u002Fh2\u003E\u003Cp\u003EPSD2 requires that payment service providers implement Dynamic Linking along with Strong Customer Authentication. Dynamic Linking presents the user with transaction details for their explicit validation and approval and uniquely links the authorization and the transaction details. This ensures a good user experience and helps with regulatory compliance.\u003C\u002Fp\u003E\u003Cp\u003ETo enable Dynamic Linking, you can use Rich Authorization Requests (RAR) to pass fine-grained transaction authorization data to the \u003Cdfn data-key=\"oath2\"\u003EOAuth\u003C\u002Fdfn\u003E authorization endpoint. The following code sample shows an \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E JSON object, which contains information like the payment type, amount, currency, and recipient:\u003C\u002Fp\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode\u003E\"authorization_details\": [\n {\n \"type\": \"one_time_payment\",\n \"amount\": {\n \"amount\": 2460.46,\n \"currency\": \"USD\"\n },\n \"sourceAccount\": \"xxxxxxxxxxx4567\",\n \"recipient\": \"Acme Travel, Inc.\",\n \"concept\": \"All Inclusive Resort Package for Two\"\n }\n]\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003E\u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E is assigned a unique transaction reference, which Auth0 uses to prompt the user to perform step-up authentication: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EUse push notifications to show transaction details and get approval on a separate device such as a mobile phone application.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EUse SMS, email, or WebAuthn to 
confirm the details on the device that originated the transaction after the user completes the second authentication factor.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"warning\"\u003E\u003Cp\u003EDo not pass fine-grained transaction authorization data or other sensitive or regulated data outside of \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E. \u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EIf the user confirms the details, the transaction progresses and Auth0 issues an \u003Cdfn data-key=\"access-token\"\u003Eaccess token\u003C\u002Fdfn\u003E associated with the now-approved authorization_details. Developers can also add the unique transaction reference to the access token. As a result, your API servers can later validate the approved transaction details when receiving and servicing API requests.\n\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about RAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-rar\"\u003EAuthorization Code Flow with Rich Authorization Requests\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EConfidentiality and integrity protection\u003C\u002Fh2\u003E\u003Cp\u003EAuthorization details may include account numbers, monetary amounts, merchant names, and other highly sensitive information that is passed in URLs or access tokens that are not secure. 
To protect sensitive data from unauthorized access and tampering, Highly Regulated Identity offers comprehensive confidentiality and integrity protection.\u003C\u002Fp\u003E\u003Ch3\u003EProtect sensitive data in the front channel\u003C\u002Fh3\u003E\u003Cp\u003ETo protect sensitive data in the front channel, such as a web browser, Highly Regulated Identity offers the following solutions as part of the FAPI 1 Advanced Security profile.\u003C\u002Fp\u003E\u003Ch4\u003EPushed Authorization Requests (PAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9126\u002F\"\u003EPAR\u003C\u002Fa\u003E introduces a new endpoint, which allows clients to directly push the payload of an OAuth 2.0 authorization request to the \u003Cdfn data-key=\"authorization-server\"\u003Eauthorization server\u003C\u002Fdfn\u003E (i.e. Auth0 in this case). This avoids passing the authorization parameters via the insecure front channel (i.e., the browser), thus reducing the risk of unauthorized access to authorization parameters by an intermediary.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about PAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-par\"\u003EAuthorization Code Flow with Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-par\"\u003EConfigure Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EJWT-Secured Authorization Request (JAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9101\u002F\"\u003EJAR\u003C\u002Fa\u003E is an OAuth2 protocol extension that enhances the security of authorization requests. 
It does so by using a \u003Cdfn data-key=\"json-web-token\"\u003EJSON Web Token\u003C\u002Fdfn\u003E (JWT) request parameter to protect the integrity and, optionally, the confidentiality of the authorization request parameters.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-jar\"\u003EAuthorization Code Flow with JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-jar\"\u003EConfigure JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EProtect sensitive data in access tokens\u003C\u002Fh4\u003E\u003Cp\u003ETo protect the authorization details included in access tokens, Highly Regulated Identity provides support for using \u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc7516\"\u003EJSON Web Encryption (JWE)\u003C\u002Fa\u003E to encrypt the payload of access tokens. 
This protects access tokens from application-side data breaches and unauthorized inspection into API calls by intermediaries.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JWE, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fjson-web-encryption\"\u003EJSON Web Encryption\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-json-web-encryption\"\u003EConfigure JSON Web Encryption\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EStronger application authentication\u003C\u002Fh2\u003E\u003Cp\u003ETo improve your application authentication security, Highly Regulated Identity offers two different alternatives as part of the FAPI 1 Advanced Security profile:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"http:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Fdraft-ietf-oauth-jwt-bearer\"\u003EPrivate Key JWT\u003C\u002Fa\u003E: involves generating a public-private key pair to use as credentials to authenticate an application. It is already available for customers on the Enterprise plan. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fapplication-credentials#private-key-jwt-authentication\"\u003EPrivate Key JWT Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc8705\"\u003EmTLS for OAuth\u003C\u002Fa\u003E: involves registering a standard X.509 certificate linked to an application on your tenant. The certificate can either be CA-issued or self-signed. Following standard mTLS procedures, the private key corresponding to the certificate is used on the client side to establish the mTLS tunnel when sending requests to your Auth0 tenant endpoints. As a result, Auth0 can authenticate the application without transmitting secrets over the network. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthenticate-with-mtls\"\u003EmTLS for OAuth\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EWith both Private Key JWT and OAuth 2.0 mTLS, you can rotate credentials with zero downtime by temporarily keeping two active keys and\u002For certificates at the same time for a given application.\u003C\u002Fp\u003E\u003Ch2\u003EProtect access tokens with Token Binding\u003C\u002Fh2\u003E\u003Cp\u003ESupporting mTLS also adds the ability to use Token Binding or Sender Constraining. Token Binding associates the thumbprint of the client certificate used for establishing the mTLS tunnel with an access token. When the client consumes an API using the certificate-bound access token, the API server is then able to verify whether the client is also using the associated client certificate. As a result, even if the access token is compromised, malicious actors who do not hold the private key for the associated client certificate still cannot use the token to access protected resources.\u003C\u002Fp\u003E\u003Cp\u003E\u003Cb\u003ENote:\u003C\u002Fb\u003E Token Binding operates independently of the application's authentication method and does not require the pre-registration of the client certificate. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-sender-constraining\"\u003EConfigure Sender Constraining\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003ECustomizable approval flows for better user experience\u003C\u002Fh2\u003E\u003Cp\u003EWhen designing real-world solutions for financial-grade security, it’s important to consider user experience. Applying one-size-fits-all authentication flows for all transactions is not as effective as dynamically adjusting based on transaction details and use cases. 
\u003C\u002Fp\u003E\u003Cp\u003EYou can customize your authentication flow using \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E. For example, after the user logs in, you can inspect transaction details received via RAR, list the user’s enrolled and already validated authentication factors, and use external services, such as risk evaluation engines, to determine the next authentication factor to use. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E. \u003C\u002Fp\u003E\u003Cp\u003EThe New \u003Cdfn data-key=\"universal-login\"\u003EUniversal Login\u003C\u002Fdfn\u003E templates also enable you to customize the attributes displayed on the transaction approval screen depending on the type of transaction and other authorization details. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-rich-authorization-requests\"\u003EConfigure Rich Authorization Requests (RAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F7eBJA1IPsCIZubFKEtHh3m\u002F8ec245ebd3bab775e9ba12fbe7f4096c\u002Fimage2.png\" alt=\"\"\u003E\u003Ch2\u003E\u003Cb\u003ELearn more\u003C\u002Fb\u003E\u003C\u002Fh2\u003E\u003Cp\u003ETo learn how Highly Regulated Identity works from end-to-end to authorize a one-time transaction, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca\"\u003ETransactional Authorization with Contextual Strong Customer Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E","sitemap":true,"breadcrumbs":[{"title":"Secure","path":"\u002Fsecure","url":"\u002Fdocs\u002Fsecure"},{"title":"Highly Regulated 
Identity","path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity"}],"path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity","routeName":"article","section":"articles","titles":[{"content":"Advanced security with OpenID Connect (FAPI)","anchor":"advanced-security-with-openid-connect-fapi-","level":2},{"content":"Strong Customer Authentication (SCA)","anchor":"strong-customer-authentication-sca-","level":2},{"content":"Dynamic Linking","anchor":"dynamic-linking","level":2},{"content":"Confidentiality and integrity protection","anchor":"confidentiality-and-integrity-protection","level":2},{"content":"Protect sensitive data in the front channel","anchor":"protect-sensitive-data-in-the-front-channel","level":3},{"content":"Pushed Authorization Requests (PAR)","anchor":"pushed-authorization-requests-par-","level":4},{"content":"JWT-Secured Authorization Request (JAR)","anchor":"jwt-secured-authorization-request-jar-","level":4},{"content":"Protect sensitive data in access tokens","anchor":"protect-sensitive-data-in-access-tokens","level":4},{"content":"Stronger application authentication","anchor":"stronger-application-authentication","level":2},{"content":"Protect access tokens with Token Binding","anchor":"protect-access-tokens-with-token-binding","level":2},{"content":"Customizable approval flows for better user experience","anchor":"customizable-approval-flows-for-better-user-experience","level":2},{"content":"Learn more","anchor":"learn-more","level":2}]},"title":"Stronger application authentication"}},{"component":"Title","containerID":"portal-title-9","props":{"children":"\u003Ch2 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EProtect access tokens with Token 
Binding\u003C\u002Fh2\u003E","anchor":"protect-access-tokens-with-token-binding","tag":"h2","meta":{"title":"Highly Regulated Identity","updatedAt":"2024-08-27T20:23:14.565Z","contentfulId":"4MXfmXwd6WcsLjH3kFpOcv","type":"article","description":"Learn about Highly Regulated Identity, Auth0's Financial-Grade Identity solution. ","hash":"highly-regulated-identity","sections":["secure","highly-regulated-identity"],"toc":false,"public":true,"parent":null,"referenceLinks":null,"content":"\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"default\"\u003E\u003Cp\u003ETo use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fpricing\u002F\"\u003EAuth0 Pricing\u003C\u002Fa\u003E for details.\u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EHighly Regulated Identity (HRI) is Auth0’s Financial-Grade Identity™ solution to secure sensitive data operations and services important for your business. Initially targeting highly regulated industries like finance and healthcare, Highly Regulated Identity raises the security level to protect a wide range of customer use cases, including but not limited to money transfers, digital payments, and access to medical records. You can also use Highly Regulated Identity for other sensitive operations that require enhanced security, such as to approve changes in administrative credentials, secure privileged access to a web portal, and more. 
\u003C\u002Fp\u003E\u003Cp\u003ETo secure your sensitive business operations, Highly Regulated Identity provides:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#advanced-security-with-openid-connect-fapi-\"\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#strong-customer-authentication-sca-\"\u003EStrong Customer Authentication (SCA)\u003C\u002Fa\u003E and \u003Ca href=\"#dynamic-linking\"\u003EDynamic Linking\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#customizable-approval-flows-for-better-user-experience\"\u003ECustomizable approval flows for better user experience\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fh2\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EOpenID FAPI\u003C\u002Fa\u003E is a suite of security and privacy specifications developed by the \u003Cdfn data-key=\"openid\"\u003EOpenID\u003C\u002Fdfn\u003E Foundation. 
APIs that meet the FAPI standards are classified as “financial-grade,” which means that they provide robust authentication and authorization mechanisms that help secure access to financial and other sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003EAuth0 is a certified FAPI provider. To learn more about the security improvements we introduced to meet FAPI standards, see the following sections:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EFor more information on FAPI, see OpenID's \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwordpress-content\u002Fuploads\u002F2022\u002F03\u002FOIDF-Whitepaper_Open-Banking-Open-Data-and-Financial-Grade-APIs_2022-03-16.pdf\"\u003EOpen Banking, Open Data, and Financial-grade APIs\u003C\u002Fa\u003E whitepaper and the \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EFAPI Working Group specifications\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F20iajPMtmICMORUfaVQH7a\u002Fec900e1007b3faebd66eb2508f46acb0\u002Fimage17.png\" alt=\"\"\u003E\u003Ch2\u003EStrong Customer Authentication (SCA)\u003C\u002Fh2\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F3JDIerJcevImoIDRd7OfIy\u002F98597a9164b66cde9ec7ddc23f3e849b\u002Fimage14.png\" alt=\"\"\u003E\u003Cp\u003EIntroduced by Europe’s \u003Ca 
href=\"https:\u002F\u002Fwww.europeanpaymentscouncil.eu\u002Fsites\u002Fdefault\u002Ffiles\u002Finfographic\u002F2018-04\u002FEPC_Infographic_PSD2_April%202018.pdf\"\u003EPayment Services Directive (PSD2)\u003C\u002Fa\u003E, Strong Customer Authentication (SCA), mandates the use of at least two distinct authentication factors out of the following three:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003ESomething the user knows (e.g., a password)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething the user possesses (e.g., a device)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething intrinsic to the user (e.g., a fingerprint)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EThe authentication factors must be independent so that compromising one does not jeopardize the others. SCA is quickly becoming the worldwide standard for safeguarding sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003ETo help with SCA compliance, Auth0 offers various authentication factors that enroll and challenge users during a login transaction. Highly Regulated Identity leverages the following authentication factors to secure your transactions: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EMobile push notifications\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESMS\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EEmail\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EWebAuthn\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EUsing \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E, you can dynamically determine which authentication factors to use. This gives you the flexibility to customize your code logic. For example, you can add a second authentication factor for payments above 10 USD. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EDynamic Linking\u003C\u002Fh2\u003E\u003Cp\u003EPSD2 requires that payment service providers implement Dynamic Linking along with Strong Customer Authentication. Dynamic Linking presents the user with transaction details for their explicit validation and approval and uniquely links the authorization and the transaction details. This ensures a good user experience and helps with regulatory compliance.\u003C\u002Fp\u003E\u003Cp\u003ETo enable Dynamic Linking, you can use Rich Authorization Requests (RAR) to pass fine-grained transaction authorization data to the \u003Cdfn data-key=\"oath2\"\u003EOAuth\u003C\u002Fdfn\u003E authorization endpoint. The following code sample shows an \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E JSON object, which contains information like the payment type, amount, currency, and recipient:\u003C\u002Fp\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode\u003E\"authorization_details\": [\n {\n \"type\": \"one_time_payment\",\n \"amount\": {\n \"amount\": 2460.46,\n \"currency\": \"USD\"\n },\n \"sourceAccount\": \"xxxxxxxxxxx4567\",\n \"recipient\": \"Acme Travel, Inc.\",\n \"concept\": \"All Inclusive Resort Package for Two\"\n }\n]\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003E\u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E is assigned a unique transaction reference, which Auth0 uses to prompt the user to perform step-up authentication: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EUse push notifications to show transaction details and get approval on a separate device such as a mobile phone application.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EUse SMS, email, or WebAuthn to 
confirm the details on the device that originated the transaction after the user completes the second authentication factor.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"warning\"\u003E\u003Cp\u003EDo not pass fine-grained transaction authorization data or other sensitive or regulated data outside of \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E. \u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EIf the user confirms the details, the transaction progresses and Auth0 issues an \u003Cdfn data-key=\"access-token\"\u003Eaccess token\u003C\u002Fdfn\u003E associated with the now-approved authorization_details. Developers can also add the unique transaction reference to the access token. As a result, your API servers can later check each API request against the approved transaction details before servicing it.\n\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about RAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-rar\"\u003EAuthorization Code Flow with Rich Authorization Requests\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EConfidentiality and integrity protection\u003C\u002Fh2\u003E\u003Cp\u003EAuthorization details may include account numbers, monetary amounts, merchant names, and other highly sensitive information that is passed in URLs or access tokens that are not secure. 
To protect sensitive data from unauthorized access and tampering, Highly Regulated Identity offers comprehensive confidentiality and integrity protection.\u003C\u002Fp\u003E\u003Ch3\u003EProtect sensitive data in the front channel\u003C\u002Fh3\u003E\u003Cp\u003ETo protect sensitive data in the front channel, such as a web browser, Highly Regulated Identity offers the following solutions as part of the FAPI 1 Advanced Security profile.\u003C\u002Fp\u003E\u003Ch4\u003EPushed Authorization Requests (PAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9126\u002F\"\u003EPAR\u003C\u002Fa\u003E introduces a new endpoint, which allows clients to directly push the payload of an OAuth 2.0 authorization request to the \u003Cdfn data-key=\"authorization-server\"\u003Eauthorization server\u003C\u002Fdfn\u003E (i.e. Auth0 in this case). This avoids passing the authorization parameters via the insecure front channel (i.e., the browser), thus reducing the risk of unauthorized access to authorization parameters by an intermediary.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about PAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-par\"\u003EAuthorization Code Flow with Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-par\"\u003EConfigure Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EJWT-Secured Authorization Request (JAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9101\u002F\"\u003EJAR\u003C\u002Fa\u003E is an OAuth2 protocol extension that enhances the security of authorization requests. 
It does so by using a \u003Cdfn data-key=\"json-web-token\"\u003EJSON Web Token\u003C\u002Fdfn\u003E (JWT) request parameter to protect the integrity and, optionally, the confidentiality of the authorization request parameters.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-jar\"\u003EAuthorization Code Flow with JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-jar\"\u003EConfigure JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EProtect sensitive data in access tokens\u003C\u002Fh4\u003E\u003Cp\u003ETo protect the authorization details included in access tokens, Highly Regulated Identity provides support for using \u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc7516\"\u003EJSON Web Encryption (JWE)\u003C\u002Fa\u003E to encrypt the payload of access tokens. 
This protects access tokens from application-side data breaches and unauthorized inspection into API calls by intermediaries.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JWE, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fjson-web-encryption\"\u003EJSON Web Encryption\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-json-web-encryption\"\u003EConfigure JSON Web Encryption\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EStronger application authentication\u003C\u002Fh2\u003E\u003Cp\u003ETo improve your application authentication security, Highly Regulated Identity offers two different alternatives as part of the FAPI 1 Advanced Security profile:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"http:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Fdraft-ietf-oauth-jwt-bearer\"\u003EPrivate Key JWT\u003C\u002Fa\u003E: involves generating a public-private key pair to use as credentials to authenticate an application. It is already available for customers on the Enterprise plan. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fapplication-credentials#private-key-jwt-authentication\"\u003EPrivate Key JWT Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc8705\"\u003EmTLS for OAuth\u003C\u002Fa\u003E: involves registering a standard X.509 certificate linked to an application on your tenant. The certificate can either be CA-issued or self-signed. Following standard mTLS procedures, the private key corresponding to the certificate is used on the client side to establish the mTLS tunnel when sending requests to your Auth0 tenant endpoints. As a result, Auth0 can authenticate the application without transmitting secrets over the network. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthenticate-with-mtls\"\u003EmTLS for OAuth\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EWith both Private Key JWT and OAuth 2.0 mTLS, you can rotate credentials with zero downtime by temporarily keeping two active keys and\u002For certificates at the same time for a given application.\u003C\u002Fp\u003E\u003Ch2\u003EProtect access tokens with Token Binding\u003C\u002Fh2\u003E\u003Cp\u003ESupporting mTLS also adds the ability to use Token Binding or Sender Constraining. Token Binding associates the thumbprint of the client certificate used for establishing the mTLS tunnel with an access token. When the client consumes an API using the certificate-bound access token, the API server can verify that the client is also using the associated client certificate. As a result, even if the access token is compromised, malicious actors who do not hold the private key for the associated client certificate still cannot use the token to access protected resources. This protection holds only if the API server performs the check and the client's private key stays secret.\u003C\u002Fp\u003E\u003Cp\u003E\u003Cb\u003ENote:\u003C\u002Fb\u003E Token Binding operates independently of the application's authentication method and does not require the pre-registration of the client certificate. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-sender-constraining\"\u003EConfigure Sender Constraining\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003ECustomizable approval flows for better user experience\u003C\u002Fh2\u003E\u003Cp\u003EWhen designing real-world solutions for financial-grade security, it’s important to consider user experience. Applying one-size-fits-all authentication flows for all transactions is not as effective as dynamically adjusting based on transaction details and use cases. 
\u003C\u002Fp\u003E\u003Cp\u003EYou can customize your authentication flow using \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E. For example, after the user logs in, you can inspect transaction details received via RAR, list the user’s enrolled and already validated authentication factors, and use external services, such as risk evaluation engines, to determine the next authentication factor to use. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E. \u003C\u002Fp\u003E\u003Cp\u003EThe New \u003Cdfn data-key=\"universal-login\"\u003EUniversal Login\u003C\u002Fdfn\u003E templates also enable you to customize the attributes displayed on the transaction approval screen depending on the type of transaction and other authorization details. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-rich-authorization-requests\"\u003EConfigure Rich Authorization Requests (RAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F7eBJA1IPsCIZubFKEtHh3m\u002F8ec245ebd3bab775e9ba12fbe7f4096c\u002Fimage2.png\" alt=\"\"\u003E\u003Ch2\u003E\u003Cb\u003ELearn more\u003C\u002Fb\u003E\u003C\u002Fh2\u003E\u003Cp\u003ETo learn how Highly Regulated Identity works from end-to-end to authorize a one-time transaction, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca\"\u003ETransactional Authorization with Contextual Strong Customer Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E","sitemap":true,"breadcrumbs":[{"title":"Secure","path":"\u002Fsecure","url":"\u002Fdocs\u002Fsecure"},{"title":"Highly Regulated 
Identity","path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity"}],"path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity","routeName":"article","section":"articles","titles":[{"content":"Advanced security with OpenID Connect (FAPI)","anchor":"advanced-security-with-openid-connect-fapi-","level":2},{"content":"Strong Customer Authentication (SCA)","anchor":"strong-customer-authentication-sca-","level":2},{"content":"Dynamic Linking","anchor":"dynamic-linking","level":2},{"content":"Confidentiality and integrity protection","anchor":"confidentiality-and-integrity-protection","level":2},{"content":"Protect sensitive data in the front channel","anchor":"protect-sensitive-data-in-the-front-channel","level":3},{"content":"Pushed Authorization Requests (PAR)","anchor":"pushed-authorization-requests-par-","level":4},{"content":"JWT-Secured Authorization Request (JAR)","anchor":"jwt-secured-authorization-request-jar-","level":4},{"content":"Protect sensitive data in access tokens","anchor":"protect-sensitive-data-in-access-tokens","level":4},{"content":"Stronger application authentication","anchor":"stronger-application-authentication","level":2},{"content":"Protect access tokens with Token Binding","anchor":"protect-access-tokens-with-token-binding","level":2},{"content":"Customizable approval flows for better user experience","anchor":"customizable-approval-flows-for-better-user-experience","level":2},{"content":"Learn more","anchor":"learn-more","level":2}]},"title":"Protect access tokens with Token Binding"}},{"component":"Title","containerID":"portal-title-10","props":{"children":"\u003Ch2 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003ECustomizable approval flows for better user 
experience\u003C\u002Fh2\u003E","anchor":"customizable-approval-flows-for-better-user-experience","tag":"h2","meta":{"title":"Highly Regulated Identity","updatedAt":"2024-08-27T20:23:14.565Z","contentfulId":"4MXfmXwd6WcsLjH3kFpOcv","type":"article","description":"Learn about Highly Regulated Identity, Auth0's Financial-Grade Identity solution. ","hash":"highly-regulated-identity","sections":["secure","highly-regulated-identity"],"toc":false,"public":true,"parent":null,"referenceLinks":null,"content":"\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"default\"\u003E\u003Cp\u003ETo use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fpricing\u002F\"\u003EAuth0 Pricing\u003C\u002Fa\u003E for details.\u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EHighly Regulated Identity (HRI) is Auth0’s Financial-Grade Identity™ solution to secure sensitive data operations and services important for your business. Initially targeting highly regulated industries like finance and healthcare, Highly Regulated Identity raises the security level to protect a wide range of customer use cases, including but not limited to money transfers, digital payments, and access to medical records. You can also use Highly Regulated Identity for other sensitive operations that require enhanced security, such as to approve changes in administrative credentials, secure privileged access to a web portal, and more. 
\u003C\u002Fp\u003E\u003Cp\u003ETo secure your sensitive business operations, Highly Regulated Identity provides:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#advanced-security-with-openid-connect-fapi-\"\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#strong-customer-authentication-sca-\"\u003EStrong Customer Authentication (SCA)\u003C\u002Fa\u003E and \u003Ca href=\"#dynamic-linking\"\u003EDynamic Linking\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#customizable-approval-flows-for-better-user-experience\"\u003ECustomizable approval flows for better user experience\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fh2\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EOpenID FAPI\u003C\u002Fa\u003E is a suite of security and privacy specifications developed by the \u003Cdfn data-key=\"openid\"\u003EOpenID\u003C\u002Fdfn\u003E Foundation. 
APIs that meet the FAPI standards are classified as “financial-grade,” which means that they provide robust authentication and authorization mechanisms that help secure access to financial and other sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003EAuth0 is a certified FAPI provider. To learn more about the security improvements we introduced to meet FAPI standards, see the following sections:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EFor more information on FAPI, see OpenID's \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwordpress-content\u002Fuploads\u002F2022\u002F03\u002FOIDF-Whitepaper_Open-Banking-Open-Data-and-Financial-Grade-APIs_2022-03-16.pdf\"\u003EOpen Banking, Open Data, and Financial-grade APIs\u003C\u002Fa\u003E whitepaper and the \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EFAPI Working Group specifications\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F20iajPMtmICMORUfaVQH7a\u002Fec900e1007b3faebd66eb2508f46acb0\u002Fimage17.png\" alt=\"\"\u003E\u003Ch2\u003EStrong Customer Authentication (SCA)\u003C\u002Fh2\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F3JDIerJcevImoIDRd7OfIy\u002F98597a9164b66cde9ec7ddc23f3e849b\u002Fimage14.png\" alt=\"\"\u003E\u003Cp\u003EIntroduced by Europe’s \u003Ca 
href=\"https:\u002F\u002Fwww.europeanpaymentscouncil.eu\u002Fsites\u002Fdefault\u002Ffiles\u002Finfographic\u002F2018-04\u002FEPC_Infographic_PSD2_April%202018.pdf\"\u003EPayment Services Directive (PSD2)\u003C\u002Fa\u003E, Strong Customer Authentication (SCA), mandates the use of at least two distinct authentication factors out of the following three:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003ESomething the user knows (e.g., a password)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething the user possesses (e.g., a device)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething intrinsic to the user (e.g., a fingerprint)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EThe authentication factors must be independent so that compromising one does not jeopardize the others. SCA is quickly becoming the worldwide standard for safeguarding sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003ETo help with SCA compliance, Auth0 offers various authentication factors that enroll and challenge users during a login transaction. Highly Regulated Identity leverages the following authentication factors to secure your transactions: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EMobile push notifications\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESMS\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EEmail\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EWebAuthn\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EUsing \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E, you can dynamically determine which authentication factors to use. This gives you the flexibility to customize your code logic. For example, you can add a second authentication factor for payments above 10 USD. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EDynamic Linking\u003C\u002Fh2\u003E\u003Cp\u003EPSD2 requires that payment service providers implement Dynamic Linking along with Strong Customer Authentication. Dynamic Linking presents the user with transaction details for their explicit validation and approval and uniquely links the authorization and the transaction details. This ensures a good user experience and helps with regulatory compliance.\u003C\u002Fp\u003E\u003Cp\u003ETo enable Dynamic Linking, you can use Rich Authorization Requests (RAR) to pass fine-grained transaction authorization data to the \u003Cdfn data-key=\"oath2\"\u003EOAuth\u003C\u002Fdfn\u003E authorization endpoint. The following code sample shows an \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E JSON object, which contains information like the payment type, amount, currency, and recipient:\u003C\u002Fp\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode\u003E\"authorization_details\": [\n {\n \"type\": \"one_time_payment\",\n \"amount\": {\n \"amount\": 2460,46,\n \"currency\": \"USD\"\n },\n \"sourceAccount\": \"xxxxxxxxxxx4567\",\n \"recipient\": \"Acme Travel, Inc.\",\n \"concept\": \"All Inclusive Resort Package for Two\",\n }\n]\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003E\u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E is assigned a unique transaction reference, which Auth0 uses to prompt the user to perform step-up authentication: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EUse push notifications to show transaction details and get approval on a separate device such as a mobile phone application.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EUse SMS, email, or WebAuthn to 
confirm the details on the device that originated the transaction after the user completes the second authentication factor.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"warning\"\u003E\u003Cp\u003EDo not pass fine-grained transaction authorization data or other sensitive or regulated data outside of \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E. \u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EIf the user confirms the details, the transaction progresses and Auth0 issues an \u003Cdfn data-key=\"access-token\"\u003Eaccess token\u003C\u002Fdfn\u003E associated with the now-approved authorization_details. Developers can also add the unique transaction reference to the access token. As a result, your API servers can later check each API request against the approved transaction details before servicing it.\n\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about RAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-rar\"\u003EAuthorization Code Flow with Rich Authorization Requests\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EConfidentiality and integrity protection\u003C\u002Fh2\u003E\u003Cp\u003EAuthorization details may include account numbers, monetary amounts, merchant names, and other highly sensitive information that is passed in URLs or access tokens that are not secure. 
To protect sensitive data from unauthorized access and tampering, Highly Regulated Identity offers comprehensive confidentiality and integrity protection.\u003C\u002Fp\u003E\u003Ch3\u003EProtect sensitive data in the front channel\u003C\u002Fh3\u003E\u003Cp\u003ETo protect sensitive data in the front channel, such as a web browser, Highly Regulated Identity offers the following solutions as part of the FAPI 1 Advanced Security profile.\u003C\u002Fp\u003E\u003Ch4\u003EPushed Authorization Requests (PAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9126\u002F\"\u003EPAR\u003C\u002Fa\u003E introduces a new endpoint, which allows clients to directly push the payload of an OAuth 2.0 authorization request to the \u003Cdfn data-key=\"authorization-server\"\u003Eauthorization server\u003C\u002Fdfn\u003E (i.e. Auth0 in this case). This avoids passing the authorization parameters via the insecure front channel (i.e., the browser), thus reducing the risk of unauthorized access to authorization parameters by an intermediary.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about PAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-par\"\u003EAuthorization Code Flow with Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-par\"\u003EConfigure Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EJWT-Secured Authorization Request (JAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9101\u002F\"\u003EJAR\u003C\u002Fa\u003E is an OAuth2 protocol extension that enhances the security of authorization requests. 
It does so by using a \u003Cdfn data-key=\"json-web-token\"\u003EJSON Web Token\u003C\u002Fdfn\u003E (JWT) request parameter to protect the integrity and, optionally, the confidentiality of the authorization request parameters.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-jar\"\u003EAuthorization Code Flow with JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-jar\"\u003EConfigure JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EProtect sensitive data in access tokens\u003C\u002Fh4\u003E\u003Cp\u003ETo protect the authorization details included in access tokens, Highly Regulated Identity provides support for using \u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc7516\"\u003EJSON Web Encryption (JWE)\u003C\u002Fa\u003E to encrypt the payload of access tokens. 
This protects access tokens from application-side data breaches and unauthorized inspection into API calls by intermediaries.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JWE, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fjson-web-encryption\"\u003EJSON Web Encryption\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-json-web-encryption\"\u003EConfigure JSON Web Encryption\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EStronger application authentication\u003C\u002Fh2\u003E\u003Cp\u003ETo improve your application authentication security, Highly Regulated Identity offers two different alternatives as part of the FAPI 1 Advanced Security profile:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"http:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Fdraft-ietf-oauth-jwt-bearer\"\u003EPrivate Key JWT\u003C\u002Fa\u003E: involves generating a public-private key pair to use as credentials to authenticate an application. It is already available for customers on the Enterprise plan. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fapplication-credentials#private-key-jwt-authentication\"\u003EPrivate Key JWT Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc8705\"\u003EmTLS for OAuth\u003C\u002Fa\u003E: involves registering a standard X.509 certificate linked to an application on your tenant. The certificate can either be CA-issued or self-signed. Following standard mTLS procedures, the private key corresponding to the certificate is used on the client side to establish the mTLS tunnel when sending requests to your Auth0 tenant endpoints. As a result, Auth0 can authenticate the application without transmitting secrets over the network. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthenticate-with-mtls\"\u003EmTLS for OAuth\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EWith both Private Key JWT and OAuth 2.0 mTLS, you can rotate credentials with zero downtime by temporarily keeping two active keys and\u002For certificates at the same time for a given application.\u003C\u002Fp\u003E\u003Ch2\u003EProtect access tokens with Token Binding\u003C\u002Fh2\u003E\u003Cp\u003ESupporting mTLS also adds the ability to use Token Binding or Sender Constraining. Token Binding associates the thumbprint of the client certificate used for establishing the mTLS tunnel with an access token. When the client consumes an API using the certificate-bound access token, the API server can verify that the client is also using the associated client certificate. As a result, even if the access token is compromised, malicious actors who do not hold the private key for the associated client certificate still cannot use the token to access protected resources. This protection holds only if the API server performs the check and the client's private key stays secret.\u003C\u002Fp\u003E\u003Cp\u003E\u003Cb\u003ENote:\u003C\u002Fb\u003E Token Binding operates independently of the application's authentication method and does not require the pre-registration of the client certificate. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-sender-constraining\"\u003EConfigure Sender Constraining\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003ECustomizable approval flows for better user experience\u003C\u002Fh2\u003E\u003Cp\u003EWhen designing real-world solutions for financial-grade security, it’s important to consider user experience. Applying one-size-fits-all authentication flows for all transactions is not as effective as dynamically adjusting based on transaction details and use cases. 
\u003C\u002Fp\u003E\u003Cp\u003EYou can customize your authentication flow using \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E. For example, after the user logs in, you can inspect transaction details received via RAR, list the user’s enrolled and already validated authentication factors, and use external services, such as risk evaluation engines, to determine the next authentication factor to use. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E. \u003C\u002Fp\u003E\u003Cp\u003EThe New \u003Cdfn data-key=\"universal-login\"\u003EUniversal Login\u003C\u002Fdfn\u003E templates also enable you to customize the attributes displayed on the transaction approval screen depending on the type of transaction and other authorization details. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-rich-authorization-requests\"\u003EConfigure Rich Authorization Requests (RAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F7eBJA1IPsCIZubFKEtHh3m\u002F8ec245ebd3bab775e9ba12fbe7f4096c\u002Fimage2.png\" alt=\"\"\u003E\u003Ch2\u003E\u003Cb\u003ELearn more\u003C\u002Fb\u003E\u003C\u002Fh2\u003E\u003Cp\u003ETo learn how Highly Regulated Identity works from end-to-end to authorize a one-time transaction, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca\"\u003ETransactional Authorization with Contextual Strong Customer Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E","sitemap":true,"breadcrumbs":[{"title":"Secure","path":"\u002Fsecure","url":"\u002Fdocs\u002Fsecure"},{"title":"Highly Regulated 
Identity","path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity"}],"path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity","routeName":"article","section":"articles","titles":[{"content":"Advanced security with OpenID Connect (FAPI)","anchor":"advanced-security-with-openid-connect-fapi-","level":2},{"content":"Strong Customer Authentication (SCA)","anchor":"strong-customer-authentication-sca-","level":2},{"content":"Dynamic Linking","anchor":"dynamic-linking","level":2},{"content":"Confidentiality and integrity protection","anchor":"confidentiality-and-integrity-protection","level":2},{"content":"Protect sensitive data in the front channel","anchor":"protect-sensitive-data-in-the-front-channel","level":3},{"content":"Pushed Authorization Requests (PAR)","anchor":"pushed-authorization-requests-par-","level":4},{"content":"JWT-Secured Authorization Request (JAR)","anchor":"jwt-secured-authorization-request-jar-","level":4},{"content":"Protect sensitive data in access tokens","anchor":"protect-sensitive-data-in-access-tokens","level":4},{"content":"Stronger application authentication","anchor":"stronger-application-authentication","level":2},{"content":"Protect access tokens with Token Binding","anchor":"protect-access-tokens-with-token-binding","level":2},{"content":"Customizable approval flows for better user experience","anchor":"customizable-approval-flows-for-better-user-experience","level":2},{"content":"Learn more","anchor":"learn-more","level":2}]},"title":"Customizable approval flows for better user experience"}},{"component":"Title","containerID":"portal-title-11","props":{"children":"\u003Ch2 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003E\u003Cb\u003ELearn 
more\u003C\u002Fb\u003E\u003C\u002Fh2\u003E","anchor":"learn-more","tag":"h2","meta":{"title":"Highly Regulated Identity","updatedAt":"2024-08-27T20:23:14.565Z","contentfulId":"4MXfmXwd6WcsLjH3kFpOcv","type":"article","description":"Learn about Highly Regulated Identity, Auth0's Financial-Grade Identity solution. ","hash":"highly-regulated-identity","sections":["secure","highly-regulated-identity"],"toc":false,"public":true,"parent":null,"referenceLinks":null,"content":"\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"default\"\u003E\u003Cp\u003ETo use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fpricing\u002F\"\u003EAuth0 Pricing\u003C\u002Fa\u003E for details.\u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EHighly Regulated Identity (HRI) is Auth0’s Financial-Grade Identity™ solution to secure sensitive data operations and services important for your business. Initially targeting highly regulated industries like finance and healthcare, Highly Regulated Identity raises the security level to protect a wide range of customer use cases, including but not limited to money transfers, digital payments, and access to medical records. You can also use Highly Regulated Identity for other sensitive operations that require enhanced security, such as to approve changes in administrative credentials, secure privileged access to a web portal, and more. 
\u003C\u002Fp\u003E\u003Cp\u003ETo secure your sensitive business operations, Highly Regulated Identity provides:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#advanced-security-with-openid-connect-fapi-\"\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#strong-customer-authentication-sca-\"\u003EStrong Customer Authentication (SCA)\u003C\u002Fa\u003E and \u003Ca href=\"#dynamic-linking\"\u003EDynamic Linking\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#customizable-approval-flows-for-better-user-experience\"\u003ECustomizable approval flows for better user experience\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fh2\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EOpenID FAPI\u003C\u002Fa\u003E is a suite of security and privacy specifications developed by the \u003Cdfn data-key=\"openid\"\u003EOpenID\u003C\u002Fdfn\u003E Foundation. 
APIs that meet the FAPI standards are classified as “financial-grade,” which means that they provide robust authentication and authorization mechanisms that help secure access to financial and other sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003EAuth0 is a certified FAPI provider. To learn more about the security improvements we introduced to meet FAPI standards, see the following sections:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EFor more information on FAPI, see OpenID's \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwordpress-content\u002Fuploads\u002F2022\u002F03\u002FOIDF-Whitepaper_Open-Banking-Open-Data-and-Financial-Grade-APIs_2022-03-16.pdf\"\u003EOpen Banking, Open Data, and Financial-grade APIs\u003C\u002Fa\u003E whitepaper and the \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EFAPI Working Group specifications\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F20iajPMtmICMORUfaVQH7a\u002Fec900e1007b3faebd66eb2508f46acb0\u002Fimage17.png\" alt=\"\"\u003E\u003Ch2\u003EStrong Customer Authentication (SCA)\u003C\u002Fh2\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F3JDIerJcevImoIDRd7OfIy\u002F98597a9164b66cde9ec7ddc23f3e849b\u002Fimage14.png\" alt=\"\"\u003E\u003Cp\u003EIntroduced by Europe’s \u003Ca 
href=\"https:\u002F\u002Fwww.europeanpaymentscouncil.eu\u002Fsites\u002Fdefault\u002Ffiles\u002Finfographic\u002F2018-04\u002FEPC_Infographic_PSD2_April%202018.pdf\"\u003EPayment Services Directive (PSD2)\u003C\u002Fa\u003E, Strong Customer Authentication (SCA) mandates the use of at least two distinct authentication factors out of the following three:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003ESomething the user knows (e.g., a password)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething the user possesses (e.g., a device)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething intrinsic to the user (e.g., a fingerprint)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EThe authentication factors must be independent so that compromising one does not jeopardize the others. SCA is quickly becoming the worldwide standard for safeguarding sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003ETo help with SCA compliance, Auth0 offers various authentication factors that enroll and challenge users during a login transaction. Highly Regulated Identity leverages the following authentication factors to secure your transactions: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EMobile push notifications\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESMS\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EEmail\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EWebAuthn\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EUsing \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E, you can dynamically determine which authentication factors to use. This gives you the flexibility to customize your code logic. For example, you can add a second authentication factor for payments above 10 USD. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EDynamic Linking\u003C\u002Fh2\u003E\u003Cp\u003EPSD2 requires that payment service providers implement Dynamic Linking along with Strong Customer Authentication. Dynamic Linking presents the user with transaction details for their explicit validation and approval and uniquely links the authorization and the transaction details. This ensures a good user experience and helps with regulatory compliance.\u003C\u002Fp\u003E\u003Cp\u003ETo enable Dynamic Linking, you can use Rich Authorization Requests (RAR) to pass fine-grained transaction authorization data to the \u003Cdfn data-key=\"oath2\"\u003EOAuth\u003C\u002Fdfn\u003E authorization endpoint. The following code sample shows an \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E JSON object, which contains information like the payment type, amount, currency, and recipient:\u003C\u002Fp\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode\u003E\"authorization_details\": [\n {\n \"type\": \"one_time_payment\",\n \"amount\": {\n \"amount\": 2460,46,\n \"currency\": \"USD\"\n },\n \"sourceAccount\": \"xxxxxxxxxxx4567\",\n \"recipient\": \"Acme Travel, Inc.\",\n \"concept\": \"All Inclusive Resort Package for Two\",\n }\n]\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003E\u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E is assigned a unique transaction reference, which Auth0 uses to prompt the user to perform step-up authentication: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EUse push notifications to show transaction details and get approval on a separate device such as a mobile phone application.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EUse SMS, email, or WebAuthn to 
confirm the details on the device that originated the transaction after the user completes the second authentication factor.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"warning\"\u003E\u003Cp\u003EDo not pass fine-grained transaction authorization data or other sensitive or regulated data outside of \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E. \u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EIf the user confirms the details, the transaction progresses and Auth0 issues an \u003Cdfn data-key=\"access-token\"\u003Eaccess token\u003C\u002Fdfn\u003E associated with the now-approved authorization_details. Developers can also add the unique transaction reference to the access token. As a result, your API servers can later validate the approved transaction details when receiving and servicing API requests.\n\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about RAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-rar\"\u003EAuthorization Code Flow with Rich Authorization Requests\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EConfidentiality and integrity protection\u003C\u002Fh2\u003E\u003Cp\u003EAuthorization details may include account numbers, monetary amounts, merchant names, and other highly sensitive information that is passed in URLs or in access tokens that are not otherwise protected. 
To protect sensitive data from unauthorized access and tampering, Highly Regulated Identity offers comprehensive confidentiality and integrity protection.\u003C\u002Fp\u003E\u003Ch3\u003EProtect sensitive data in the front channel\u003C\u002Fh3\u003E\u003Cp\u003ETo protect sensitive data in the front channel, such as a web browser, Highly Regulated Identity offers the following solutions as part of the FAPI 1 Advanced Security profile.\u003C\u002Fp\u003E\u003Ch4\u003EPushed Authorization Requests (PAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9126\u002F\"\u003EPAR\u003C\u002Fa\u003E introduces a new endpoint, which allows clients to directly push the payload of an OAuth 2.0 authorization request to the \u003Cdfn data-key=\"authorization-server\"\u003Eauthorization server\u003C\u002Fdfn\u003E (i.e. Auth0 in this case). This avoids passing the authorization parameters via the insecure front channel (i.e., the browser), thus reducing the risk of unauthorized access to authorization parameters by an intermediary.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about PAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-par\"\u003EAuthorization Code Flow with Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-par\"\u003EConfigure Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EJWT-Secured Authorization Request (JAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9101\u002F\"\u003EJAR\u003C\u002Fa\u003E is an OAuth2 protocol extension that enhances the security of authorization requests. 
It does so by using a \u003Cdfn data-key=\"json-web-token\"\u003EJSON Web Token\u003C\u002Fdfn\u003E (JWT) request parameter to protect the integrity and, optionally, the confidentiality of the authorization request parameters.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-jar\"\u003EAuthorization Code Flow with JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-jar\"\u003EConfigure JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EProtect sensitive data in access tokens\u003C\u002Fh4\u003E\u003Cp\u003ETo protect the authorization details included in access tokens, Highly Regulated Identity provides support for using \u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc7516\"\u003EJSON Web Encryption (JWE)\u003C\u002Fa\u003E to encrypt the payload of access tokens. 
This protects access tokens from application-side data breaches and unauthorized inspection into API calls by intermediaries.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JWE, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fjson-web-encryption\"\u003EJSON Web Encryption\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-json-web-encryption\"\u003EConfigure JSON Web Encryption\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EStronger application authentication\u003C\u002Fh2\u003E\u003Cp\u003ETo improve your application authentication security, Highly Regulated Identity offers two different alternatives as part of the FAPI 1 Advanced Security profile:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"http:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Fdraft-ietf-oauth-jwt-bearer\"\u003EPrivate Key JWT\u003C\u002Fa\u003E: involves generating a public-private key pair to use as credentials to authenticate an application. It is already available for customers on the Enterprise plan. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fapplication-credentials#private-key-jwt-authentication\"\u003EPrivate Key JWT Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc8705\"\u003EmTLS for OAuth\u003C\u002Fa\u003E: involves registering a standard X.509 certificate linked to an application on your tenant. The certificate can either be CA-issued or self-signed. Following standard mTLS procedures, the private key corresponding to the certificate is used on the client side to establish the mTLS tunnel when sending requests to your Auth0 tenant endpoints. As a result, Auth0 can authenticate the application without transmitting secrets over the network. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthenticate-with-mtls\"\u003EmTLS for OAuth\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EWith both Private Key JWT and OAuth 2.0 mTLS, you can rotate credentials with zero downtime by temporarily keeping two active keys and\u002For certificates at the same time for a given application.\u003C\u002Fp\u003E\u003Ch2\u003EProtect access tokens with Token Binding\u003C\u002Fh2\u003E\u003Cp\u003ESupporting mTLS also adds the ability to use Token Binding or Sender Constraining. Token Binding associates the thumbprint of the client certificate used for establishing the mTLS tunnel with an access token. When the client consumes an API using the certificate-bound access token, the API server is then able to verify whether the client is also using the associated client certificate. As a result, even if the access token is compromised, malicious actors who don’t hold the private key for the associated client certificate still cannot use the token to access protected resources, as long as the API server enforces this check.\u003C\u002Fp\u003E\u003Cp\u003E\u003Cb\u003ENote:\u003C\u002Fb\u003E Token Binding operates independently of the application's authentication method and does not require the pre-registration of the client certificate. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-sender-constraining\"\u003EConfigure Sender Constraining\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003ECustomizable approval flows for better user experience\u003C\u002Fh2\u003E\u003Cp\u003EWhen designing real-world solutions for financial-grade security, it’s important to consider user experience. Applying one-size-fits-all authentication flows for all transactions is not as effective as dynamically adjusting based on transaction details and use cases. 
\u003C\u002Fp\u003E\u003Cp\u003EYou can customize your authentication flow using \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E. For example, after the user logs in, you can inspect transaction details received via RAR, list the user’s enrolled and already validated authentication factors, and use external services, such as risk evaluation engines, to determine the next authentication factor to use. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E. \u003C\u002Fp\u003E\u003Cp\u003EThe New \u003Cdfn data-key=\"universal-login\"\u003EUniversal Login\u003C\u002Fdfn\u003E templates also enable you to customize the attributes displayed on the transaction approval screen depending on the type of transaction and other authorization details. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-rich-authorization-requests\"\u003EConfigure Rich Authorization Requests (RAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F7eBJA1IPsCIZubFKEtHh3m\u002F8ec245ebd3bab775e9ba12fbe7f4096c\u002Fimage2.png\" alt=\"\"\u003E\u003Ch2\u003E\u003Cb\u003ELearn more\u003C\u002Fb\u003E\u003C\u002Fh2\u003E\u003Cp\u003ETo learn how Highly Regulated Identity works from end-to-end to authorize a one-time transaction, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca\"\u003ETransactional Authorization with Contextual Strong Customer Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E","sitemap":true,"breadcrumbs":[{"title":"Secure","path":"\u002Fsecure","url":"\u002Fdocs\u002Fsecure"},{"title":"Highly Regulated 
Identity","path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity"}],"path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity","routeName":"article","section":"articles","titles":[{"content":"Advanced security with OpenID Connect (FAPI)","anchor":"advanced-security-with-openid-connect-fapi-","level":2},{"content":"Strong Customer Authentication (SCA)","anchor":"strong-customer-authentication-sca-","level":2},{"content":"Dynamic Linking","anchor":"dynamic-linking","level":2},{"content":"Confidentiality and integrity protection","anchor":"confidentiality-and-integrity-protection","level":2},{"content":"Protect sensitive data in the front channel","anchor":"protect-sensitive-data-in-the-front-channel","level":3},{"content":"Pushed Authorization Requests (PAR)","anchor":"pushed-authorization-requests-par-","level":4},{"content":"JWT-Secured Authorization Request (JAR)","anchor":"jwt-secured-authorization-request-jar-","level":4},{"content":"Protect sensitive data in access tokens","anchor":"protect-sensitive-data-in-access-tokens","level":4},{"content":"Stronger application authentication","anchor":"stronger-application-authentication","level":2},{"content":"Protect access tokens with Token Binding","anchor":"protect-access-tokens-with-token-binding","level":2},{"content":"Customizable approval flows for better user experience","anchor":"customizable-approval-flows-for-better-user-experience","level":2},{"content":"Learn more","anchor":"learn-more","level":2}]},"title":"Learn 
more"}},{"component":"DefinitionTooltip","containerID":"react-containers-DefinitionTooltip-0","props":{"index":0,"children":"OpenID","key":"openid","dataKey":"openid"}},{"component":"DefinitionTooltip","containerID":"react-containers-DefinitionTooltip-1","props":{"index":1,"children":"OAuth","key":"oath2","dataKey":"oath2"}},{"component":"DefinitionTooltip","containerID":"react-containers-DefinitionTooltip-2","props":{"index":2,"children":"access token","key":"access-token","dataKey":"access-token"}},{"component":"DefinitionTooltip","containerID":"react-containers-DefinitionTooltip-3","props":{"index":3,"children":"authorization server","key":"authorization-server","dataKey":"authorization-server"}},{"component":"DefinitionTooltip","containerID":"react-containers-DefinitionTooltip-4","props":{"index":4,"children":"JSON Web Token","key":"json-web-token","dataKey":"json-web-token"}},{"component":"DefinitionTooltip","containerID":"react-containers-DefinitionTooltip-5","props":{"index":5,"children":"Universal Login","key":"universal-login","dataKey":"universal-login"}},{"component":"AlertContainer","containerID":"react-containers-AlertContainer-0","props":{"index":0,"children":"\u003Cp\u003ETo use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fpricing\u002F\"\u003EAuth0 Pricing\u003C\u002Fa\u003E for details.\u003C\u002Fp\u003E","class":"alert-container","severity":"default"}},{"component":"AlertContainer","containerID":"react-containers-AlertContainer-1","props":{"index":1,"children":"\u003Cp\u003EDo not pass fine-grained transaction authorization data or other sensitive or regulated data outside of \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E. 
\u003C\u002Fp\u003E","class":"alert-container","severity":"warning"}},{"component":"CodeBlock","containerID":"portal-code-block-0","props":{"children":"\u003Ccode\u003E\"authorization_details\": [\n {\n \"type\": \"one_time_payment\",\n \"amount\": {\n \"amount\": 2460,46,\n \"currency\": \"USD\"\n },\n \"sourceAccount\": \"xxxxxxxxxxx4567\",\n \"recipient\": \"Acme Travel, Inc.\",\n \"concept\": \"All Inclusive Resort Package for Two\",\n }\n]\n\u003C\u002Fcode\u003E","code":"\"authorization_details\": [\n {\n \"type\": \"one_time_payment\",\n \"amount\": {\n \"amount\": 2460,46,\n \"currency\": \"USD\"\n },\n \"sourceAccount\": \"xxxxxxxxxxx4567\",\n \"recipient\": \"Acme Travel, Inc.\",\n \"concept\": \"All Inclusive Resort Package for Two\",\n }\n]","tabPaneFooter":"","index":0,"meta":{"title":"Highly Regulated Identity","updatedAt":"2024-08-27T20:23:14.565Z","contentfulId":"4MXfmXwd6WcsLjH3kFpOcv","type":"article","description":"Learn about Highly Regulated Identity, Auth0's Financial-Grade Identity solution. ","hash":"highly-regulated-identity","sections":["secure","highly-regulated-identity"],"toc":false,"public":true,"parent":null,"referenceLinks":null,"content":"\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"default\"\u003E\u003Cp\u003ETo use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fpricing\u002F\"\u003EAuth0 Pricing\u003C\u002Fa\u003E for details.\u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EHighly Regulated Identity (HRI) is Auth0’s Financial-Grade Identity™ solution to secure sensitive data operations and services important for your business. 
Initially targeting highly regulated industries like finance and healthcare, Highly Regulated Identity raises the security level to protect a wide range of customer use cases, including but not limited to money transfers, digital payments, and access to medical records. You can also use Highly Regulated Identity for other sensitive operations that require enhanced security, such as to approve changes in administrative credentials, secure privileged access to a web portal, and more. \u003C\u002Fp\u003E\u003Cp\u003ETo secure your sensitive business operations, Highly Regulated Identity provides:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#advanced-security-with-openid-connect-fapi-\"\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#strong-customer-authentication-sca-\"\u003EStrong Customer Authentication (SCA)\u003C\u002Fa\u003E and \u003Ca href=\"#dynamic-linking\"\u003EDynamic Linking\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#customizable-approval-flows-for-better-user-experience\"\u003ECustomizable approval flows for better user experience\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fh2\u003E\u003Cp\u003E\u003Ca 
href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EOpenID FAPI\u003C\u002Fa\u003E is a suite of security and privacy specifications developed by the \u003Cdfn data-key=\"openid\"\u003EOpenID\u003C\u002Fdfn\u003E Foundation. APIs that meet the FAPI standards are classified as “financial-grade,” which means that they provide robust authentication and authorization mechanisms that help secure access to financial and other sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003EAuth0 is a certified FAPI provider. To learn more about the security improvements we introduced to meet FAPI standards, see the following sections:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EFor more information on FAPI, see OpenID's \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwordpress-content\u002Fuploads\u002F2022\u002F03\u002FOIDF-Whitepaper_Open-Banking-Open-Data-and-Financial-Grade-APIs_2022-03-16.pdf\"\u003EOpen Banking, Open Data, and Financial-grade APIs\u003C\u002Fa\u003E whitepaper and the \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EFAPI Working Group specifications\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F20iajPMtmICMORUfaVQH7a\u002Fec900e1007b3faebd66eb2508f46acb0\u002Fimage17.png\" alt=\"\"\u003E\u003Ch2\u003EStrong Customer Authentication 
(SCA)\u003C\u002Fh2\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F3JDIerJcevImoIDRd7OfIy\u002F98597a9164b66cde9ec7ddc23f3e849b\u002Fimage14.png\" alt=\"\"\u003E\u003Cp\u003EIntroduced by Europe’s \u003Ca href=\"https:\u002F\u002Fwww.europeanpaymentscouncil.eu\u002Fsites\u002Fdefault\u002Ffiles\u002Finfographic\u002F2018-04\u002FEPC_Infographic_PSD2_April%202018.pdf\"\u003EPayment Services Directive (PSD2)\u003C\u002Fa\u003E, Strong Customer Authentication (SCA), mandates the use of at least two distinct authentication factors out of the following three:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003ESomething the user knows (e.g., a password)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething the user possesses (e.g., a device)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething intrinsic to the user (e.g., a fingerprint)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EThe authentication factors must be independent so that compromising one does not jeopardize the others. SCA is quickly becoming the worldwide standard for safeguarding sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003ETo help with SCA compliance, Auth0 offers various authentication factors that enroll and challenge users during a login transaction. Highly Regulated Identity leverages the following authentication factors to secure your transactions: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EMobile push notifications\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESMS\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EEmail\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EWebAuthn\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EUsing \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E, you can dynamically determine which authentication factors to use. 
This gives you the flexibility to customize your code logic. For example, you can add a second authentication factor for payments above 10 USD. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EDynamic Linking\u003C\u002Fh2\u003E\u003Cp\u003EPSD2 requires that payment service providers implement Dynamic Linking along with Strong Customer Authentication. Dynamic Linking presents the user with transaction details for their explicit validation and approval and uniquely links the authorization and the transaction details. This ensures a good user experience and helps with regulatory compliance.\u003C\u002Fp\u003E\u003Cp\u003ETo enable Dynamic Linking, you can use Rich Authorization Requests (RAR) to pass fine-grained transaction authorization data to the \u003Cdfn data-key=\"oath2\"\u003EOAuth\u003C\u002Fdfn\u003E authorization endpoint. 
The following code sample shows an \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E JSON object, which contains information like the payment type, amount, currency, and recipient:\u003C\u002Fp\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode\u003E\"authorization_details\": [\n {\n \"type\": \"one_time_payment\",\n \"amount\": {\n \"amount\": 2460,46,\n \"currency\": \"USD\"\n },\n \"sourceAccount\": \"xxxxxxxxxxx4567\",\n \"recipient\": \"Acme Travel, Inc.\",\n \"concept\": \"All Inclusive Resort Package for Two\",\n }\n]\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003E\u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E is assigned a unique transaction reference, which Auth0 uses to prompt the user to perform step-up authentication: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EUse push notifications to show transaction details and get approval on a separate device such as a mobile phone application.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EUse SMS, email, or WebAuthn to confirm the details on the device that originated the transaction after the user completes the second authentication factor.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv class=\"alert-container\" severity=\"warning\"\u003E\u003Cp\u003EDo not pass fine-grained transaction authorization data or other sensitive or regulated data outside of \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E. \u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EIf the user confirms the details, the transaction progresses and Auth0 issues an \u003Cdfn data-key=\"access-token\"\u003Eaccess token\u003C\u002Fdfn\u003E associated with the now-approved authorization_details. Developers can also add the unique transaction reference to the access token. 
As a result, your API servers can later validate the approved transaction details when receiving and servicing API requests.\n\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about RAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-rar\"\u003EAuthorization Code Flow with Rich Authorization Requests\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EConfidentiality and integrity protection\u003C\u002Fh2\u003E\u003Cp\u003EAuthorization details may include account numbers, monetary amounts, merchant names, and other highly sensitive information. Unless further protected, this information is passed in URLs or access tokens that are not secure. To protect sensitive data from unauthorized access and tampering, Highly Regulated Identity offers comprehensive confidentiality and integrity protection.\u003C\u002Fp\u003E\u003Ch3\u003EProtect sensitive data in the front channel\u003C\u002Fh3\u003E\u003Cp\u003ETo protect sensitive data in the front channel, such as a web browser, Highly Regulated Identity offers the following solutions as part of the FAPI 1 Advanced Security profile.\u003C\u002Fp\u003E\u003Ch4\u003EPushed Authorization Requests (PAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9126\u002F\"\u003EPAR\u003C\u002Fa\u003E introduces a new endpoint, which allows clients to directly push the payload of an OAuth 2.0 authorization request to the \u003Cdfn data-key=\"authorization-server\"\u003Eauthorization server\u003C\u002Fdfn\u003E (i.e., Auth0 in this case). 
This avoids passing the authorization parameters via the insecure front channel (i.e., the browser), thus reducing the risk of unauthorized access to authorization parameters by an intermediary.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about PAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-par\"\u003EAuthorization Code Flow with Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-par\"\u003EConfigure Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EJWT-Secured Authorization Request (JAR)\u003C\u002Fh4\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9101\u002F\"\u003EJAR\u003C\u002Fa\u003E is an OAuth2 protocol extension that enhances the security of authorization requests. It does so by using a \u003Cdfn data-key=\"json-web-token\"\u003EJSON Web Token\u003C\u002Fdfn\u003E (JWT) request parameter to protect the integrity and, optionally, the confidentiality of the authorization request parameters.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-jar\"\u003EAuthorization Code Flow with JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-jar\"\u003EConfigure JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch4\u003EProtect sensitive data in access tokens\u003C\u002Fh4\u003E\u003Cp\u003ETo protect the authorization details included in access tokens, Highly Regulated Identity provides support for using \u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc7516\"\u003EJSON Web Encryption 
(JWE)\u003C\u002Fa\u003E to encrypt the payload of access tokens. This protects access tokens from application-side data breaches and unauthorized inspection into API calls by intermediaries.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JWE, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fjson-web-encryption\"\u003EJSON Web Encryption\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-json-web-encryption\"\u003EConfigure JSON Web Encryption\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003EStronger application authentication\u003C\u002Fh2\u003E\u003Cp\u003ETo improve your application authentication security, Highly Regulated Identity offers two different alternatives as part of the FAPI 1 Advanced Security profile:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"http:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Fdraft-ietf-oauth-jwt-bearer\"\u003EPrivate Key JWT\u003C\u002Fa\u003E: involves generating a public-private key pair to use as credentials to authenticate an application. It is already available for customers on the Enterprise plan. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fapplication-credentials#private-key-jwt-authentication\"\u003EPrivate Key JWT Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc8705\"\u003EmTLS for OAuth\u003C\u002Fa\u003E: involves registering a standard X.509 certificate linked to an application on your tenant. The certificate can either be CA-issued or self-signed. Following standard mTLS procedures, the private key corresponding to the certificate is used on the client side to establish the mTLS tunnel when sending requests to your Auth0 tenant endpoints. As a result, Auth0 can authenticate the application without transmitting secrets over the network. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthenticate-with-mtls\"\u003EmTLS for OAuth\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EWith both Private Key JWT and OAuth 2.0 mTLS, you can rotate credentials with zero downtime by temporarily keeping two active keys and\u002For certificates at the same time for a given application.\u003C\u002Fp\u003E\u003Ch2\u003EProtect access tokens with Token Binding\u003C\u002Fh2\u003E\u003Cp\u003ESupporting mTLS also adds the ability to use Token Binding, also referred to as Sender Constraining. Token Binding associates the thumbprint of the client certificate used for establishing the mTLS tunnel with an access token. When the client consumes an API using the certificate-bound access token, the API server is then able to verify whether the client is also using the associated client certificate. As a result, provided the API server enforces this check, even if the access token is compromised, malicious actors who cannot establish the mTLS tunnel with the associated client certificate (which requires its private key, not just the certificate itself) still cannot access protected resources.\u003C\u002Fp\u003E\u003Cp\u003E\u003Cb\u003ENote:\u003C\u002Fb\u003E Token Binding operates independently of the application's authentication method and does not require the pre-registration of the client certificate. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-sender-constraining\"\u003EConfigure Sender Constraining\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Ch2\u003ECustomizable approval flows for better user experience\u003C\u002Fh2\u003E\u003Cp\u003EWhen designing real-world solutions for financial-grade security, it’s important to consider user experience. Applying one-size-fits-all authentication flows for all transactions is not as effective as dynamically adjusting based on transaction details and use cases. 
\u003C\u002Fp\u003E\u003Cp\u003EYou can customize your authentication flow using \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E. For example, after the user logs in, you can inspect transaction details received via RAR, list the user’s enrolled and already validated authentication factors, and use external services, such as risk evaluation engines, to determine the next authentication factor to use. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E. \u003C\u002Fp\u003E\u003Cp\u003EThe New \u003Cdfn data-key=\"universal-login\"\u003EUniversal Login\u003C\u002Fdfn\u003E templates also enable you to customize the attributes displayed on the transaction approval screen depending on the type of transaction and other authorization details. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-rich-authorization-requests\"\u003EConfigure Rich Authorization Requests (RAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F7eBJA1IPsCIZubFKEtHh3m\u002F8ec245ebd3bab775e9ba12fbe7f4096c\u002Fimage2.png\" alt=\"\"\u003E\u003Ch2\u003E\u003Cb\u003ELearn more\u003C\u002Fb\u003E\u003C\u002Fh2\u003E\u003Cp\u003ETo learn how Highly Regulated Identity works from end-to-end to authorize a one-time transaction, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca\"\u003ETransactional Authorization with Contextual Strong Customer Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E","sitemap":true,"breadcrumbs":[{"title":"Secure","path":"\u002Fsecure","url":"\u002Fdocs\u002Fsecure"},{"title":"Highly Regulated 
Identity","path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity"}],"path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity","routeName":"article","section":"articles","titles":[{"content":"Advanced security with OpenID Connect (FAPI)","anchor":"advanced-security-with-openid-connect-fapi-","level":2},{"content":"Strong Customer Authentication (SCA)","anchor":"strong-customer-authentication-sca-","level":2},{"content":"Dynamic Linking","anchor":"dynamic-linking","level":2},{"content":"Confidentiality and integrity protection","anchor":"confidentiality-and-integrity-protection","level":2},{"content":"Protect sensitive data in the front channel","anchor":"protect-sensitive-data-in-the-front-channel","level":3},{"content":"Pushed Authorization Requests (PAR)","anchor":"pushed-authorization-requests-par-","level":4},{"content":"JWT-Secured Authorization Request (JAR)","anchor":"jwt-secured-authorization-request-jar-","level":4},{"content":"Protect sensitive data in access tokens","anchor":"protect-sensitive-data-in-access-tokens","level":4},{"content":"Stronger application authentication","anchor":"stronger-application-authentication","level":2},{"content":"Protect access tokens with Token Binding","anchor":"protect-access-tokens-with-token-binding","level":2},{"content":"Customizable approval flows for better user experience","anchor":"customizable-approval-flows-for-better-user-experience","level":2},{"content":"Learn more","anchor":"learn-more","level":2}]}}}]},"html":"\u003Cstyle data-emotion=\"css-light \"\u003E\u003C\u002Fstyle\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv id=\"react-containers-AlertContainer-0\"\u003E\u003Cstyle data-emotion=\"css a14jl7-QuantumAlert-root\" 
data-react-universal-portal=\"\"\u003E.css-a14jl7-QuantumAlert-root{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-align-items:flex-start;-webkit-box-align:flex-start;-ms-flex-align:flex-start;align-items:flex-start;border-radius:4px;padding:10px 16px;box-shadow:none;border-left:0.5rem solid #686868;background-color:#F1F1F1;color:#3E3E3E;}.css-a14jl7-QuantumAlert-root a,.css-a14jl7-QuantumAlert-root a:hover{color:currentColor;-webkit-text-decoration:underline;text-decoration:underline;}.css-a14jl7-QuantumAlert-root .QuantumAlert-icon{color:#3E3E3E;}\u003C\u002Fstyle\u003E\u003Cdiv role=\"alert\" class=\"QuantumAlert-root alert-portal-container alert-portal-severity-default css-a14jl7-QuantumAlert-root\" data-react-universal-portal=\"\"\u003E\u003Cstyle data-emotion=\"css coqgw6-QuantumAlert-icon\"\u003E.css-coqgw6-QuantumAlert-icon{font-size:1.25rem;margin-right:12px;line-height:1;padding-top:0.3125rem;}.css-coqgw6-QuantumAlert-icon svg{height:1em;width:1em;}\u003C\u002Fstyle\u003E\u003Cdiv class=\"QuantumAlert-icon css-coqgw6-QuantumAlert-icon\"\u003E\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" width=\"1em\" height=\"1em\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"css-0\"\u003E\u003Cpath d=\"M14 2H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2V8z\"\u003E\u003C\u002Fpath\u003E\u003Cpolyline points=\"14 2 14 8 20 8\"\u003E\u003C\u002Fpolyline\u003E\u003Cline x1=\"16\" y1=\"13\" x2=\"8\" y2=\"13\"\u003E\u003C\u002Fline\u003E\u003Cline x1=\"16\" y1=\"17\" x2=\"8\" y2=\"17\"\u003E\u003C\u002Fline\u003E\u003Cpolyline points=\"10 9 9 9 8 9\"\u003E\u003C\u002Fpolyline\u003E\u003C\u002Fsvg\u003E\u003C\u002Fdiv\u003E\u003Cstyle data-emotion=\"css 1qf9vnp-QuantumAlert-content\"\u003E.css-1qf9vnp-QuantumAlert-content{font-family:Inter Var,-apple-system,BlinkMacSystemFont,Segoe 
UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:400;font-size:0.875rem;line-height:1.57143;letter-spacing:0em;-webkit-flex:1;-ms-flex:1;flex:1;padding-top:0.25rem;}\u003C\u002Fstyle\u003E\u003Cdiv class=\"QuantumAlert-content css-1qf9vnp-QuantumAlert-content\"\u003E\u003Cstyle data-emotion=\"css cut6d9-QuantumAlert-message\"\u003E.css-cut6d9-QuantumAlert-message{display:inline;}.css-cut6d9-QuantumAlert-message\u003Eul{list-style:disc;margin-top:4px;padding-left:16px;}\u003C\u002Fstyle\u003E\u003Cdiv class=\"QuantumAlert-message css-cut6d9-QuantumAlert-message\"\u003E\u003Cdiv class=\"alert-portal-content MuiBox-root css-0\"\u003E\u003Cp\u003ETo use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fpricing\u002F\"\u003EAuth0 Pricing\u003C\u002Fa\u003E for details.\u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EHighly Regulated Identity (HRI) is Auth0’s Financial-Grade Identity™ solution to secure sensitive data operations and services important for your business. Initially targeting highly regulated industries like finance and healthcare, Highly Regulated Identity raises the security level to protect a wide range of customer use cases, including but not limited to money transfers, digital payments, and access to medical records. You can also use Highly Regulated Identity for other sensitive operations that require enhanced security, such as to approve changes in administrative credentials, secure privileged access to a web portal, and more. 
\u003C\u002Fp\u003E\u003Cp\u003ETo secure your sensitive business operations, Highly Regulated Identity provides:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#advanced-security-with-openid-connect-fapi-\"\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#strong-customer-authentication-sca-\"\u003EStrong Customer Authentication (SCA)\u003C\u002Fa\u003E and \u003Ca href=\"#dynamic-linking\"\u003EDynamic Linking\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#customizable-approval-flows-for-better-user-experience\"\u003ECustomizable approval flows for better user experience\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cdiv id=\"portal-title-0\"\u003E\u003Cdiv class=\"title-portal-container MuiBox-root css-0\" data-react-universal-portal=\"\"\u003E\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" width=\"16\" height=\"16\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"title-portal-icon css-0\"\u003E\u003Cpath d=\"M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71\"\u003E\u003C\u002Fpath\u003E\u003Cpath d=\"M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 
7.07l1.71-1.71\"\u003E\u003C\u002Fpath\u003E\u003C\u002Fsvg\u003E\u003Cstyle data-emotion=\"css r3xy45-MuiTypography-root\"\u003E.css-r3xy45-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:2rem;line-height:2.5rem;letter-spacing:-0.5px;}@media (max-width:599.95px){.css-r3xy45-MuiTypography-root{font-size:1.75rem;line-height:2.25rem;letter-spacing:-0.3px;}}@media (max-width:-0.05px){.css-r3xy45-MuiTypography-root{font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}}\u003C\u002Fstyle\u003E\u003Ch2 class=\"MuiTypography-root MuiTypography-h2 title-portal-text css-r3xy45-MuiTypography-root\" id=\"advanced-security-with-openid-connect-fapi-\"\u003EAdvanced security with OpenID Connect (FAPI)\u003C\u002Fh2\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EOpenID FAPI\u003C\u002Fa\u003E is a suite of security and privacy specifications developed by the \u003Cdfn id=\"react-containers-DefinitionTooltip-0\"\u003E\u003Cspan class=\"tooltip-portal-underlined-word\" data-mui-internal-clone-element=\"true\" data-react-universal-portal=\"\"\u003EOpenID\u003C\u002Fspan\u003E\u003Cstyle data-emotion=\"css 1piulxx-MuiTooltip-popper\" data-react-universal-portal=\"\"\u003E.css-1piulxx-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow::before{transform-origin:100% 0;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"right\"] 
.MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow::before{transform-origin:0 0;}\u003C\u002Fstyle\u003E\u003Cstyle data-emotion=\"css 1yddtj5-MuiPopper-root-MuiTooltip-popper\" data-react-universal-portal=\"\"\u003E.css-1yddtj5-MuiPopper-root-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow::before{transform-origin:100% 0;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow::before{transform-origin:0 0;}\u003C\u002Fstyle\u003E\u003C\u002Fdfn\u003E Foundation. 
APIs that meet the FAPI standards are classified as “financial-grade,” which means that they provide robust authentication and authorization mechanisms that help secure access to financial and other sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003EAuth0 is a certified FAPI provider. To learn more about the security improvements we introduced to meet FAPI standards, see the following sections:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#stronger-application-authentication\"\u003EStrong application authentication\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"#protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fa\u003E\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EFor more information on FAPI, see OpenID's \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwordpress-content\u002Fuploads\u002F2022\u002F03\u002FOIDF-Whitepaper_Open-Banking-Open-Data-and-Financial-Grade-APIs_2022-03-16.pdf\"\u003EOpen Banking, Open Data, and Financial-grade APIs\u003C\u002Fa\u003E whitepaper and the \u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fwg\u002Ffapi\u002Fspecifications\u002F\"\u003EFAPI Working Group specifications\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F20iajPMtmICMORUfaVQH7a\u002Fec900e1007b3faebd66eb2508f46acb0\u002Fimage17.png\" alt=\"\"\u003E\u003Cdiv id=\"portal-title-1\"\u003E\u003Cdiv class=\"title-portal-container MuiBox-root css-0\" data-react-universal-portal=\"\"\u003E\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" width=\"16\" height=\"16\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" 
stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"title-portal-icon css-0\"\u003E\u003Cpath d=\"M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71\"\u003E\u003C\u002Fpath\u003E\u003Cpath d=\"M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71\"\u003E\u003C\u002Fpath\u003E\u003C\u002Fsvg\u003E\u003Cstyle data-emotion=\"css r3xy45-MuiTypography-root\"\u003E.css-r3xy45-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:2rem;line-height:2.5rem;letter-spacing:-0.5px;}@media (max-width:599.95px){.css-r3xy45-MuiTypography-root{font-size:1.75rem;line-height:2.25rem;letter-spacing:-0.3px;}}@media (max-width:-0.05px){.css-r3xy45-MuiTypography-root{font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}}\u003C\u002Fstyle\u003E\u003Ch2 class=\"MuiTypography-root MuiTypography-h2 title-portal-text css-r3xy45-MuiTypography-root\" id=\"strong-customer-authentication-sca-\"\u003EStrong Customer Authentication (SCA)\u003C\u002Fh2\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F3JDIerJcevImoIDRd7OfIy\u002F98597a9164b66cde9ec7ddc23f3e849b\u002Fimage14.png\" alt=\"\"\u003E\u003Cp\u003EIntroduced by Europe’s \u003Ca href=\"https:\u002F\u002Fwww.europeanpaymentscouncil.eu\u002Fsites\u002Fdefault\u002Ffiles\u002Finfographic\u002F2018-04\u002FEPC_Infographic_PSD2_April%202018.pdf\"\u003EPayment Services Directive (PSD2)\u003C\u002Fa\u003E, Strong Customer Authentication (SCA), mandates the use of at least two distinct authentication factors out of the following three:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003ESomething the user knows (e.g., a password)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething the user possesses (e.g., a device)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESomething intrinsic to the user (e.g., 
a fingerprint)\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EThe authentication factors must be independent so that compromising one does not jeopardize the others. SCA is quickly becoming the worldwide standard for safeguarding sensitive data and services.\u003C\u002Fp\u003E\u003Cp\u003ETo help with SCA compliance, Auth0 offers various authentication factors that enroll and challenge users during a login transaction. Highly Regulated Identity leverages the following authentication factors to secure your transactions: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EMobile push notifications\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ESMS\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EEmail\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EWebAuthn\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EUsing \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E, you can dynamically determine which authentication factors to use. This gives you the flexibility to customize your code logic. For example, you can add a second authentication factor for payments above 10 USD. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cdiv id=\"portal-title-2\"\u003E\u003Cdiv class=\"title-portal-container MuiBox-root css-0\" data-react-universal-portal=\"\"\u003E\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" width=\"16\" height=\"16\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"title-portal-icon css-0\"\u003E\u003Cpath d=\"M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71\"\u003E\u003C\u002Fpath\u003E\u003Cpath d=\"M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71\"\u003E\u003C\u002Fpath\u003E\u003C\u002Fsvg\u003E\u003Cstyle data-emotion=\"css r3xy45-MuiTypography-root\"\u003E.css-r3xy45-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:2rem;line-height:2.5rem;letter-spacing:-0.5px;}@media (max-width:599.95px){.css-r3xy45-MuiTypography-root{font-size:1.75rem;line-height:2.25rem;letter-spacing:-0.3px;}}@media (max-width:-0.05px){.css-r3xy45-MuiTypography-root{font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}}\u003C\u002Fstyle\u003E\u003Ch2 class=\"MuiTypography-root MuiTypography-h2 title-portal-text css-r3xy45-MuiTypography-root\" id=\"dynamic-linking\"\u003EDynamic Linking\u003C\u002Fh2\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003EPSD2 requires that payment service providers implement Dynamic Linking along with Strong Customer Authentication. Dynamic Linking presents the user with transaction details for their explicit validation and approval and uniquely links the authorization and the transaction details. 
This ensures a good user experience and helps with regulatory compliance.\u003C\u002Fp\u003E\u003Cp\u003ETo enable Dynamic Linking, you can use Rich Authorization Requests (RAR) to pass fine-grained transaction authorization data to the \u003Cdfn id=\"react-containers-DefinitionTooltip-1\"\u003E\u003Cspan class=\"tooltip-portal-underlined-word\" data-mui-internal-clone-element=\"true\" data-react-universal-portal=\"\"\u003EOAuth\u003C\u002Fspan\u003E\u003Cstyle data-emotion=\"css 1piulxx-MuiTooltip-popper\" data-react-universal-portal=\"\"\u003E.css-1piulxx-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow::before{transform-origin:100% 0;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow::before{transform-origin:0 0;}\u003C\u002Fstyle\u003E\u003Cstyle data-emotion=\"css 1yddtj5-MuiPopper-root-MuiTooltip-popper\" data-react-universal-portal=\"\"\u003E.css-1yddtj5-MuiPopper-root-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"bottom\"] 
.MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow::before{transform-origin:100% 0;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow::before{transform-origin:0 0;}\u003C\u002Fstyle\u003E\u003C\u002Fdfn\u003E authorization endpoint. The following code sample shows an \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E JSON object, which contains information like the payment type, amount, currency, and recipient:\u003C\u002Fp\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv id=\"portal-code-block-0\"\u003E\u003Cstyle data-emotion=\"css i3pbo\" data-react-universal-portal=\"\"\u003E.css-i3pbo{margin-bottom:24px;}\u003C\u002Fstyle\u003E\u003Cstyle data-emotion=\"css 1ler0\" data-react-universal-portal=\"\"\u003E.css-1ler0{margin-bottom:24px;}\u003C\u002Fstyle\u003E\u003Cdiv class=\"MuiBox-root css-1ler0\" data-react-universal-portal=\"\"\u003E\u003Cstyle data-emotion=\"css 1pn7oyt\"\u003E.css-1pn7oyt{position:relative;}.css-1pn7oyt button.copy-button{position:absolute;right:0.5em;top:0.5em;}.css-1pn7oyt pre.code-highlight-prism{border:0;}.css-1pn7oyt code.code-highlight-prism{color:#FFFFFF;}.css-1pn7oyt .token.keyword{color:#B9E0CB;}.css-1pn7oyt .token.property,.css-1pn7oyt .token.constant,.css-1pn7oyt .token.symbol,.css-1pn7oyt 
.token.deleted{color:#B9E0CB;}.css-1pn7oyt .token.selector,.css-1pn7oyt .token.string,.css-1pn7oyt .token.char,.css-1pn7oyt .token.builtin,.css-1pn7oyt .token.inserted{color:#bcbcff;}.css-1pn7oyt .token.boolean,.css-1pn7oyt .token.number{color:#bcbcff;}.css-1pn7oyt .token.class-name,.css-1pn7oyt .token.attr-name,.css-1pn7oyt .token .punctuation{color:#DCD1FC;}.css-1pn7oyt .token.attr-value,.css-1pn7oyt .token.tag,.css-1pn7oyt .token.script .punctuation,.css-1pn7oyt .token.atrule{color:#bcbcff;}.css-1pn7oyt .token.function{color:#FFFFFF;}.css-1pn7oyt .token.regex,.css-1pn7oyt .token.important{color:#DCD1FC;}.css-1pn7oyt .token.namespace{opacity:1;}.css-1pn7oyt .line-highlight{background:rgba(85, 85, 85, 0.2);border-bottom:0.5px solid rgba(255, 255, 255, 0.25);border-top:0.5px solid rgba(255, 255, 255, 0.25);}.css-1pn7oyt .line-numbers{font-family:Roboto Mono,Menlo,Monaco,Consolas,Courier New,monospace;font-size:0.875rem;line-height:1.25rem;letter-spacing:0.15px;font-weight:400;-webkit-font-smoothing:subpixel-antialiased;}.css-1pn7oyt .line-numbers .line-numbers-rows{border-right:none;color:#5a5f66;}.css-1pn7oyt :not(pre)\u003Ecode[class*=\"language-\"],.css-1pn7oyt pre[class*=\"language-\"]{background:#1E1E1E;}.css-1pn7oyt pre[class*=\"language-\"]{margin:0;}.css-1pn7oyt .token.package:before,.css-1pn7oyt .token.package:after{display:none;}.css-1pn7oyt .token.package{background:none;border:none;}\u003C\u002Fstyle\u003E\u003Cdiv class=\"css-1pn7oyt\"\u003E\u003Cpre class=\"code-highlight-prism language-undefined line-numbers linkable-line-numbers\"\u003E\u003Ccode class=\"code-highlight-prism language-undefined\" style=\"font-family:unset\"\u003E\"authorization_details\": [\n {\n \"type\": \"one_time_payment\",\n \"amount\": {\n \"amount\": 2460.46,\n \"currency\": \"USD\"\n },\n \"sourceAccount\": \"xxxxxxxxxxx4567\",\n \"recipient\": \"Acme Travel, Inc.\",\n \"concept\": \"All Inclusive Resort Package for Two\"\n 
}\n]\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003E\u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E is assigned a unique transaction reference, which Auth0 uses to prompt the user to perform step-up authentication: \u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EUse push notifications to show transaction details and get approval on a separate device such as a mobile phone application.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EUse SMS, email, or WebAuthn to confirm the details on the device that originated the transaction after the user completes the second authentication factor.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv id=\"react-containers-AlertContainer-1\"\u003E\u003Cstyle 
data-emotion=\"css kpvd6o-QuantumAlert-root\" data-react-universal-portal=\"\"\u003E.css-kpvd6o-QuantumAlert-root{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-align-items:flex-start;-webkit-box-align:flex-start;-ms-flex-align:flex-start;align-items:flex-start;border-radius:4px;padding:10px 16px;box-shadow:none;border-left:0.5rem solid #F8D626;background-color:#FEF2B3;color:#473D0B;}.css-kpvd6o-QuantumAlert-root a,.css-kpvd6o-QuantumAlert-root a:hover{color:currentColor;-webkit-text-decoration:underline;text-decoration:underline;}.css-kpvd6o-QuantumAlert-root .QuantumAlert-icon{color:#473D0B;}\u003C\u002Fstyle\u003E\u003Cdiv role=\"alert\" class=\"QuantumAlert-root alert-portal-container alert-portal-severity-warning css-kpvd6o-QuantumAlert-root\" data-react-universal-portal=\"\"\u003E\u003Cstyle data-emotion=\"css coqgw6-QuantumAlert-icon\"\u003E.css-coqgw6-QuantumAlert-icon{font-size:1.25rem;margin-right:12px;line-height:1;padding-top:0.3125rem;}.css-coqgw6-QuantumAlert-icon svg{height:1em;width:1em;}\u003C\u002Fstyle\u003E\u003Cdiv class=\"QuantumAlert-icon css-coqgw6-QuantumAlert-icon\"\u003E\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" width=\"1em\" height=\"1em\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"css-0\"\u003E\u003Cpath d=\"M10.29 3.86L1.82 18a2 2 0 0 0 1.71 3h16.94a2 2 0 0 0 1.71-3L13.71 3.86a2 2 0 0 0-3.42 0z\"\u003E\u003C\u002Fpath\u003E\u003Cline x1=\"12\" y1=\"9\" x2=\"12\" y2=\"13\"\u003E\u003C\u002Fline\u003E\u003Cline x1=\"12\" y1=\"17\" x2=\"12.01\" y2=\"17\"\u003E\u003C\u002Fline\u003E\u003C\u002Fsvg\u003E\u003C\u002Fdiv\u003E\u003Cstyle data-emotion=\"css 1qf9vnp-QuantumAlert-content\"\u003E.css-1qf9vnp-QuantumAlert-content{font-family:Inter Var,-apple-system,BlinkMacSystemFont,Segoe 
UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:400;font-size:0.875rem;line-height:1.57143;letter-spacing:0em;-webkit-flex:1;-ms-flex:1;flex:1;padding-top:0.25rem;}\u003C\u002Fstyle\u003E\u003Cdiv class=\"QuantumAlert-content css-1qf9vnp-QuantumAlert-content\"\u003E\u003Cstyle data-emotion=\"css cut6d9-QuantumAlert-message\"\u003E.css-cut6d9-QuantumAlert-message{display:inline;}.css-cut6d9-QuantumAlert-message\u003Eul{list-style:disc;margin-top:4px;padding-left:16px;}\u003C\u002Fstyle\u003E\u003Cdiv class=\"QuantumAlert-message css-cut6d9-QuantumAlert-message\"\u003E\u003Cdiv class=\"alert-portal-content MuiBox-root css-0\"\u003E\u003Cp\u003EDo not pass fine-grained transaction authorization data or other sensitive or regulated data outside of \u003Ccode\u003Eauthorization_details\u003C\u002Fcode\u003E. \u003C\u002Fp\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cp\u003EIf the user confirms the details, the transaction progresses and Auth0 issues an \u003Cdfn id=\"react-containers-DefinitionTooltip-2\"\u003E\u003Cspan class=\"tooltip-portal-underlined-word\" data-mui-internal-clone-element=\"true\" data-react-universal-portal=\"\"\u003Eaccess token\u003C\u002Fspan\u003E\u003Cstyle data-emotion=\"css 1piulxx-MuiTooltip-popper\" data-react-universal-portal=\"\"\u003E.css-1piulxx-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow::before{transform-origin:100% 0;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"right\"] 
.MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow::before{transform-origin:0 0;}\u003C\u002Fstyle\u003E\u003Cstyle data-emotion=\"css 1yddtj5-MuiPopper-root-MuiTooltip-popper\" data-react-universal-portal=\"\"\u003E.css-1yddtj5-MuiPopper-root-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow::before{transform-origin:100% 0;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow::before{transform-origin:0 0;}\u003C\u002Fstyle\u003E\u003C\u002Fdfn\u003E associated with the now-approved authorization_details. Developers can also add the unique transaction reference to the access token. 
As a result, your API servers can later validate the approved transaction details when receiving and servicing API requests.\n\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about RAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-rar\"\u003EAuthorization Code Flow with Rich Authorization Requests\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cdiv id=\"portal-title-3\"\u003E\u003Cdiv class=\"title-portal-container MuiBox-root css-0\" data-react-universal-portal=\"\"\u003E\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" width=\"16\" height=\"16\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"title-portal-icon css-0\"\u003E\u003Cpath d=\"M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71\"\u003E\u003C\u002Fpath\u003E\u003Cpath d=\"M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71\"\u003E\u003C\u002Fpath\u003E\u003C\u002Fsvg\u003E\u003Cstyle data-emotion=\"css r3xy45-MuiTypography-root\"\u003E.css-r3xy45-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:2rem;line-height:2.5rem;letter-spacing:-0.5px;}@media (max-width:599.95px){.css-r3xy45-MuiTypography-root{font-size:1.75rem;line-height:2.25rem;letter-spacing:-0.3px;}}@media (max-width:-0.05px){.css-r3xy45-MuiTypography-root{font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}}\u003C\u002Fstyle\u003E\u003Ch2 class=\"MuiTypography-root MuiTypography-h2 title-portal-text css-r3xy45-MuiTypography-root\" id=\"confidentiality-and-integrity-protection\"\u003EConfidentiality and integrity protection\u003C\u002Fh2\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003EAuthorization details may include account numbers, monetary amounts, merchant names, and other highly 
sensitive information, which is exposed when it is passed in URLs or in access tokens that are not secure. To protect sensitive data from unauthorized access and tampering, Highly Regulated Identity offers comprehensive confidentiality and integrity protection.\u003C\u002Fp\u003E\u003Cdiv id=\"portal-title-4\"\u003E\u003Cdiv class=\"title-portal-container MuiBox-root css-0\" data-react-universal-portal=\"\"\u003E\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" width=\"16\" height=\"16\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"title-portal-icon css-0\"\u003E\u003Cpath d=\"M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71\"\u003E\u003C\u002Fpath\u003E\u003Cpath d=\"M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71\"\u003E\u003C\u002Fpath\u003E\u003C\u002Fsvg\u003E\u003Cstyle data-emotion=\"css 13g81vv-MuiTypography-root\"\u003E.css-13g81vv-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:1.75rem;line-height:2.25rem;letter-spacing:-0.3px;}@media (max-width:599.95px){.css-13g81vv-MuiTypography-root{font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}}@media (max-width:-0.05px){.css-13g81vv-MuiTypography-root{font-size:1.25rem;line-height:1.75rem;letter-spacing:-0.1px;}}\u003C\u002Fstyle\u003E\u003Ch3 class=\"MuiTypography-root MuiTypography-h3 title-portal-text css-13g81vv-MuiTypography-root\" id=\"protect-sensitive-data-in-the-front-channel\"\u003EProtect sensitive data in the front channel\u003C\u002Fh3\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003ETo protect sensitive data in the front channel, such as a web browser, Highly Regulated Identity offers the following solutions as part of the FAPI 1 Advanced Security profile.\u003C\u002Fp\u003E\u003Cdiv id=\"portal-title-5\"\u003E\u003Cdiv class=\"title-portal-container 
MuiBox-root css-0\" data-react-universal-portal=\"\"\u003E\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" width=\"16\" height=\"16\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"title-portal-icon css-0\"\u003E\u003Cpath d=\"M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71\"\u003E\u003C\u002Fpath\u003E\u003Cpath d=\"M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71\"\u003E\u003C\u002Fpath\u003E\u003C\u002Fsvg\u003E\u003Cstyle data-emotion=\"css 1t6oil-MuiTypography-root\"\u003E.css-1t6oil-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}@media (max-width:599.95px){.css-1t6oil-MuiTypography-root{font-size:1.25rem;line-height:1.75rem;letter-spacing:-0.1px;}}\u003C\u002Fstyle\u003E\u003Ch4 class=\"MuiTypography-root MuiTypography-h4 title-portal-text css-1t6oil-MuiTypography-root\" id=\"pushed-authorization-requests-par-\"\u003EPushed Authorization Requests (PAR)\u003C\u002Fh4\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9126\u002F\"\u003EPAR\u003C\u002Fa\u003E introduces a new endpoint, which allows clients to directly push the payload of an OAuth 2.0 authorization request to the \u003Cdfn id=\"react-containers-DefinitionTooltip-3\"\u003E\u003Cspan class=\"tooltip-portal-underlined-word\" data-mui-internal-clone-element=\"true\" data-react-universal-portal=\"\"\u003Eauthorization server\u003C\u002Fspan\u003E\u003Cstyle data-emotion=\"css 1piulxx-MuiTooltip-popper\" data-react-universal-portal=\"\"\u003E.css-1piulxx-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"bottom\"] 
.MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow::before{transform-origin:100% 0;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow::before{transform-origin:0 0;}\u003C\u002Fstyle\u003E\u003Cstyle data-emotion=\"css 1yddtj5-MuiPopper-root-MuiTooltip-popper\" data-react-universal-portal=\"\"\u003E.css-1yddtj5-MuiPopper-root-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow::before{transform-origin:100% 0;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"left\"] 
.MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow::before{transform-origin:0 0;}\u003C\u002Fstyle\u003E\u003C\u002Fdfn\u003E (i.e. Auth0 in this case). This avoids passing the authorization parameters via the insecure front channel (i.e., the browser), thus reducing the risk of unauthorized access to authorization parameters by an intermediary.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about PAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-par\"\u003EAuthorization Code Flow with Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-par\"\u003EConfigure Pushed Authorization Requests (PAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cdiv id=\"portal-title-6\"\u003E\u003Cdiv class=\"title-portal-container MuiBox-root css-0\" data-react-universal-portal=\"\"\u003E\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" width=\"16\" height=\"16\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"title-portal-icon css-0\"\u003E\u003Cpath d=\"M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71\"\u003E\u003C\u002Fpath\u003E\u003Cpath d=\"M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71\"\u003E\u003C\u002Fpath\u003E\u003C\u002Fsvg\u003E\u003Cstyle data-emotion=\"css 1t6oil-MuiTypography-root\"\u003E.css-1t6oil-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}@media 
(max-width:599.95px){.css-1t6oil-MuiTypography-root{font-size:1.25rem;line-height:1.75rem;letter-spacing:-0.1px;}}\u003C\u002Fstyle\u003E\u003Ch4 class=\"MuiTypography-root MuiTypography-h4 title-portal-text css-1t6oil-MuiTypography-root\" id=\"jwt-secured-authorization-request-jar-\"\u003EJWT-Secured Authorization Request (JAR)\u003C\u002Fh4\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9101\u002F\"\u003EJAR\u003C\u002Fa\u003E is an OAuth2 protocol extension that enhances the security of authorization requests. It does so by using a \u003Cdfn id=\"react-containers-DefinitionTooltip-4\"\u003E\u003Cspan class=\"tooltip-portal-underlined-word\" data-mui-internal-clone-element=\"true\" data-react-universal-portal=\"\"\u003EJSON Web Token\u003C\u002Fspan\u003E\u003Cstyle data-emotion=\"css 1piulxx-MuiTooltip-popper\" data-react-universal-portal=\"\"\u003E.css-1piulxx-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow::before{transform-origin:100% 0;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow::before{transform-origin:0 
0;}\u003C\u002Fstyle\u003E\u003Cstyle data-emotion=\"css 1yddtj5-MuiPopper-root-MuiTooltip-popper\" data-react-universal-portal=\"\"\u003E.css-1yddtj5-MuiPopper-root-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow::before{transform-origin:100% 0;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow::before{transform-origin:0 0;}\u003C\u002Fstyle\u003E\u003C\u002Fdfn\u003E (JWT) request parameter to protect the integrity and, optionally, the confidentiality of the authorization request parameters.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JAR, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-jar\"\u003EAuthorization Code Flow with JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-jar\"\u003EConfigure JWT-Secured Authorization Requests (JAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cdiv 
id=\"portal-title-7\"\u003E\u003Cdiv class=\"title-portal-container MuiBox-root css-0\" data-react-universal-portal=\"\"\u003E\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" width=\"16\" height=\"16\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"title-portal-icon css-0\"\u003E\u003Cpath d=\"M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71\"\u003E\u003C\u002Fpath\u003E\u003Cpath d=\"M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71\"\u003E\u003C\u002Fpath\u003E\u003C\u002Fsvg\u003E\u003Cstyle data-emotion=\"css 1t6oil-MuiTypography-root\"\u003E.css-1t6oil-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}@media (max-width:599.95px){.css-1t6oil-MuiTypography-root{font-size:1.25rem;line-height:1.75rem;letter-spacing:-0.1px;}}\u003C\u002Fstyle\u003E\u003Ch4 class=\"MuiTypography-root MuiTypography-h4 title-portal-text css-1t6oil-MuiTypography-root\" id=\"protect-sensitive-data-in-access-tokens\"\u003EProtect sensitive data in access tokens\u003C\u002Fh4\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003ETo protect the authorization details included in access tokens, Highly Regulated Identity provides support for using \u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc7516\"\u003EJSON Web Encryption (JWE)\u003C\u002Fa\u003E to encrypt the payload of access tokens. 
This protects the contents of access tokens against exposure in application-side data breaches and against unauthorized inspection of API calls by intermediaries.\u003C\u002Fp\u003E\u003Cp\u003ETo learn more about JWE, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fjson-web-encryption\"\u003EJSON Web Encryption\u003C\u002Fa\u003E and \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-json-web-encryption\"\u003EConfigure JSON Web Encryption\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cdiv id=\"portal-title-8\"\u003E\u003Cdiv class=\"title-portal-container MuiBox-root css-0\" data-react-universal-portal=\"\"\u003E\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" width=\"16\" height=\"16\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"title-portal-icon css-0\"\u003E\u003Cpath d=\"M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71\"\u003E\u003C\u002Fpath\u003E\u003Cpath d=\"M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71\"\u003E\u003C\u002Fpath\u003E\u003C\u002Fsvg\u003E\u003Cstyle data-emotion=\"css r3xy45-MuiTypography-root\"\u003E.css-r3xy45-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:2rem;line-height:2.5rem;letter-spacing:-0.5px;}@media (max-width:599.95px){.css-r3xy45-MuiTypography-root{font-size:1.75rem;line-height:2.25rem;letter-spacing:-0.3px;}}@media (max-width:-0.05px){.css-r3xy45-MuiTypography-root{font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}}\u003C\u002Fstyle\u003E\u003Ch2 class=\"MuiTypography-root MuiTypography-h2 title-portal-text css-r3xy45-MuiTypography-root\" id=\"stronger-application-authentication\"\u003EStronger application authentication\u003C\u002Fh2\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003ETo improve your application authentication security, Highly Regulated 
Identity offers two different alternatives as part of the FAPI 1 Advanced Security profile:\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"http:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Fdraft-ietf-oauth-jwt-bearer\"\u003EPrivate Key JWT\u003C\u002Fa\u003E: involves generating a public-private key pair to use as credentials to authenticate an application. It is already available for customers on the Enterprise plan. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fapplication-credentials#private-key-jwt-authentication\"\u003EPrivate Key JWT Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc8705\"\u003EmTLS for OAuth\u003C\u002Fa\u003E: involves registering a standard X.509 certificate linked to an application on your tenant. The certificate can either be CA-issued or self-signed. Following standard mTLS procedures, the private key corresponding to the certificate is used on the client side to establish the mTLS tunnel when sending requests to your Auth0 tenant endpoints. As a result, Auth0 can authenticate the application without transmitting secrets over the network. 
To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthenticate-with-mtls\"\u003EmTLS for OAuth\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cp\u003EWith both Private Key JWT and OAuth 2.0 mTLS, you can rotate credentials with zero downtime by temporarily keeping two active keys and\u002For certificates at the same time for a given application.\u003C\u002Fp\u003E\u003Cdiv id=\"portal-title-9\"\u003E\u003Cdiv class=\"title-portal-container MuiBox-root css-0\" data-react-universal-portal=\"\"\u003E\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" width=\"16\" height=\"16\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"title-portal-icon css-0\"\u003E\u003Cpath d=\"M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71\"\u003E\u003C\u002Fpath\u003E\u003Cpath d=\"M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71\"\u003E\u003C\u002Fpath\u003E\u003C\u002Fsvg\u003E\u003Cstyle data-emotion=\"css r3xy45-MuiTypography-root\"\u003E.css-r3xy45-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:2rem;line-height:2.5rem;letter-spacing:-0.5px;}@media (max-width:599.95px){.css-r3xy45-MuiTypography-root{font-size:1.75rem;line-height:2.25rem;letter-spacing:-0.3px;}}@media (max-width:-0.05px){.css-r3xy45-MuiTypography-root{font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}}\u003C\u002Fstyle\u003E\u003Ch2 class=\"MuiTypography-root MuiTypography-h2 title-portal-text css-r3xy45-MuiTypography-root\" id=\"protect-access-tokens-with-token-binding\"\u003EProtect access tokens with Token Binding\u003C\u002Fh2\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003ESupporting mTLS also adds the ability to use Token Binding or Sender Constraining. 
Token Binding associates the thumbprint of the client certificate used for establishing the mTLS tunnel with an access token. When the client consumes an API using the certificate-bound access token, the API server is then able to verify whether the client is also using the associated client certificate. As a result, even if the access token is compromised, malicious actors who don’t hold the private key for the bound client certificate still cannot access protected resources.\u003C\u002Fp\u003E\u003Cp\u003E\u003Cb\u003ENote:\u003C\u002Fb\u003E Token Binding operates independently of the application's authentication method and does not require the pre-registration of the client certificate. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-sender-constraining\"\u003EConfigure Sender Constraining\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cdiv id=\"portal-title-10\"\u003E\u003Cdiv class=\"title-portal-container MuiBox-root css-0\" data-react-universal-portal=\"\"\u003E\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" width=\"16\" height=\"16\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"title-portal-icon css-0\"\u003E\u003Cpath d=\"M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71\"\u003E\u003C\u002Fpath\u003E\u003Cpath d=\"M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71\"\u003E\u003C\u002Fpath\u003E\u003C\u002Fsvg\u003E\u003Cstyle data-emotion=\"css r3xy45-MuiTypography-root\"\u003E.css-r3xy45-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:2rem;line-height:2.5rem;letter-spacing:-0.5px;}@media (max-width:599.95px){.css-r3xy45-MuiTypography-root{font-size:1.75rem;line-height:2.25rem;letter-spacing:-0.3px;}}@media 
(max-width:-0.05px){.css-r3xy45-MuiTypography-root{font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}}\u003C\u002Fstyle\u003E\u003Ch2 class=\"MuiTypography-root MuiTypography-h2 title-portal-text css-r3xy45-MuiTypography-root\" id=\"customizable-approval-flows-for-better-user-experience\"\u003ECustomizable approval flows for better user experience\u003C\u002Fh2\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003EWhen designing real-world solutions for financial-grade security, it’s important to consider user experience. Applying one-size-fits-all authentication flows for all transactions is not as effective as dynamically adjusting based on transaction details and use cases. \u003C\u002Fp\u003E\u003Cp\u003EYou can customize your authentication flow using \u003Ca href=\"\u002Fdocs\u002Fcustomize\u002Factions\"\u003EActions\u003C\u002Fa\u003E. For example, after the user logs in, you can inspect transaction details received via RAR, list the user’s enrolled and already validated authentication factors, and use external services, such as risk evaluation engines, to determine the next authentication factor to use. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca#apply-dynamic-policy\"\u003EApply dynamic policy\u003C\u002Fa\u003E. 
\u003C\u002Fp\u003E\u003Cp\u003EThe New \u003Cdfn id=\"react-containers-DefinitionTooltip-5\"\u003E\u003Cspan class=\"tooltip-portal-underlined-word\" data-mui-internal-clone-element=\"true\" data-react-universal-portal=\"\"\u003EUniversal Login\u003C\u002Fspan\u003E\u003Cstyle data-emotion=\"css 1piulxx-MuiTooltip-popper\" data-react-universal-portal=\"\"\u003E.css-1piulxx-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow::before{transform-origin:100% 0;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1piulxx-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow::before{transform-origin:0 0;}\u003C\u002Fstyle\u003E\u003Cstyle data-emotion=\"css 1yddtj5-MuiPopper-root-MuiTooltip-popper\" data-react-universal-portal=\"\"\u003E.css-1yddtj5-MuiPopper-root-MuiTooltip-popper{z-index:1500;pointer-events:none;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow{top:0;margin-top:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"bottom\"] .MuiTooltip-arrow::before{transform-origin:0 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"top\"] 
.MuiTooltip-arrow{bottom:0;margin-bottom:-0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"top\"] .MuiTooltip-arrow::before{transform-origin:100% 0;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow{left:0;margin-left:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"right\"] .MuiTooltip-arrow::before{transform-origin:100% 100%;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow{right:0;margin-right:-0.71em;height:1em;width:0.71em;}.css-1yddtj5-MuiPopper-root-MuiTooltip-popper[data-popper-placement*=\"left\"] .MuiTooltip-arrow::before{transform-origin:0 0;}\u003C\u002Fstyle\u003E\u003C\u002Fdfn\u003E templates also enable you to customize the attributes displayed on the transaction approval screen depending on the type of transaction and other authorization details. To learn more, read \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-rich-authorization-requests\"\u003EConfigure Rich Authorization Requests (RAR)\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003Cimg src=\"\u002F\u002Fimages.ctfassets.net\u002Fcdy7uua7fh8z\u002F7eBJA1IPsCIZubFKEtHh3m\u002F8ec245ebd3bab775e9ba12fbe7f4096c\u002Fimage2.png\" alt=\"\"\u003E\u003Cdiv id=\"portal-title-11\"\u003E\u003Cdiv class=\"title-portal-container MuiBox-root css-0\" data-react-universal-portal=\"\"\u003E\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" width=\"16\" height=\"16\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"title-portal-icon css-0\"\u003E\u003Cpath d=\"M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71\"\u003E\u003C\u002Fpath\u003E\u003Cpath d=\"M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71\"\u003E\u003C\u002Fpath\u003E\u003C\u002Fsvg\u003E\u003Cstyle data-emotion=\"css 
r3xy45-MuiTypography-root\"\u003E.css-r3xy45-MuiTypography-root{margin:0;font-family:Aeonik,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica,Arial,sans-serif;font-weight:500;font-size:2rem;line-height:2.5rem;letter-spacing:-0.5px;}@media (max-width:599.95px){.css-r3xy45-MuiTypography-root{font-size:1.75rem;line-height:2.25rem;letter-spacing:-0.3px;}}@media (max-width:-0.05px){.css-r3xy45-MuiTypography-root{font-size:1.5rem;line-height:2rem;letter-spacing:-0.2px;}}\u003C\u002Fstyle\u003E\u003Ch2 class=\"MuiTypography-root MuiTypography-h2 title-portal-text css-r3xy45-MuiTypography-root\" id=\"learn-more\"\u003ELearn more\u003C\u002Fh2\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003ETo learn how Highly Regulated Identity works from end-to-end to authorize a one-time transaction, read \u003Ca href=\"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca\"\u003ETransactional Authorization with Contextual Strong Customer 
Authentication\u003C\u002Fa\u003E.\u003C\u002Fp\u003E"}},"user":{"isAuthenticated":false,"account":{"userName":"","email":undefined,"appName":"{yourAppName}","tenant":"{yourTenant}","namespace":"{yourDomain}","clientId":"{yourClientId}","clientSecret":"{yourClientSecret}","callback":"{https:\u002F\u002FyourApp\u002Fcallback}"},"connectionName":"{yourConnectionName}","apiIdentifier":"{yourApiIdentifier}","manage_url":"https:\u002F\u002Fmanage.auth0.com\u002F#","userResources":{"nonGlobalClients":[],"nonGlobalApis":[],"selectedClientId":"{yourClientId}","selectedApiId":"{yourApiIdentifier}","clientsSortedByType":{}},"profile":{}},"userResources":{"nonGlobalClients":[],"nonGlobalApis":[],"selectedClientId":"{yourClientId}","selectedApiId":"{yourApiIdentifier}","clientsSortedByType":{}},"framedAccount":undefined},"UserStore":{"user":{"isAuthenticated":false,"account":{"userName":"","email":undefined,"appName":"{yourAppName}","tenant":"{yourTenant}","namespace":"{yourDomain}","clientId":"{yourClientId}","clientSecret":"{yourClientSecret}","callback":"{https:\u002F\u002FyourApp\u002Fcallback}"},"connectionName":"{yourConnectionName}","apiIdentifier":"{yourApiIdentifier}","manage_url":"https:\u002F\u002Fmanage.auth0.com\u002F#","userResources":{"nonGlobalClients":[],"nonGlobalApis":[],"selectedClientId":"{yourClientId}","selectedApiId":"{yourApiIdentifier}","clientsSortedByType":{}},"profile":{}},"profile":{},"userResources":{"nonGlobalClients":[],"nonGlobalApis":[],"selectedClientId":"{yourClientId}","selectedApiId":"{yourApiIdentifier}","clientsSortedByType":{}},"framedAccount":undefined},"NavigationStore":{"navigation":{"sections":[{"id":"articles","title":"Articles","url":"\u002Fdocs\u002Farticles","folder":"","default":true},{"id":"quickstarts","title":"Quickstarts","url":"\u002Fdocs\u002Fquickstarts","folder":"quickstart"},{"id":"apis","title":"Auth0 
APIs","url":"\u002Fdocs\u002Fapi","folder":"api"},{"id":"libraries","title":"SDKs","url":"\u002Fdocs\u002Flibraries","folder":"libraries"}],"sidebar":{"articles":[{"title":"Get Started","description":"Learn the basics and begin building your authentication solution.","type":"navigationSection","url":"\u002Fdocs\u002Fget-started","icon":"IdenticonGettingStarted","children":[{"title":"Auth0 Onboarding","type":"navigationSubsection","showCards":false,"quickstarts":false,"children":[{"title":"Auth0 Onboarding","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Fonboarding","showCards":true,"children":[{"title":"Self-Service Machine-to-Machine","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fonboarding\u002Fself-service-m2m"}]}]},{"title":"Start Building","description":"To get up and running swiftly, choose your application type for a step-by-step quickstart tutorial.","type":"navigationSubsection","showCards":true,"quickstarts":true,"children":[{"title":"Quickstarts","type":"externalLink","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fquickstarts","external":true,"forceFullReload":true}]},{"title":"Learn the Basics","description":"Build your knowledge of IAM technology and Auth0.","type":"navigationSubsection","showCards":true,"quickstarts":false,"children":[{"title":"Identity Fundamentals","description":"Explore topics related to the fundamentals of identity and access management.","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Fidentity-fundamentals","showCards":true,"children":[{"title":"Introduction to Identity and Access Management (IAM)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fidentity-fundamentals\u002Fidentity-and-access-management"},{"title":"Introduction to Auth0","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fidentity-fundamentals\u002Fintroduction-to-auth0"},{"title":"Authentication vs. 
Authorization","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fidentity-fundamentals\u002Fauthentication-and-authorization"},{"title":"Glossary","type":"externalLink","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fglossary","external":false,"forceFullReload":true}]},{"title":"Auth0 Overview","description":"Discover different use cases. Create and connect the building blocks of your IAM solution.","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Fauth0-overview","showCards":true,"children":[{"title":"Auth0 Dashboard","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Fauth0-overview\u002Fdashboard","showCards":true,"children":[{"title":"About the Activity Page ","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauth0-overview\u002Fdashboard\u002Factivity"}]},{"title":"Auth0 Guide","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauth0-overview\u002Fauth0-guide"},{"title":"Create Tenants","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Fauth0-overview\u002Fcreate-tenants","showCards":true,"children":[{"title":"Create Multiple Tenants","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauth0-overview\u002Fcreate-tenants\u002Fcreate-multiple-tenants"},{"title":"Link Multiple Tenants to a Single Subscription","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauth0-overview\u002Fcreate-tenants\u002Fchild-tenants"},{"title":"Set Up Multiple Environments","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauth0-overview\u002Fcreate-tenants\u002Fset-up-multiple-environments"},{"title":"Multi-Tenant Applications Best Practices","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauth0-overview\u002Fcreate-tenants\u002Fmulti-tenant-apps-best-practices"}]},{"title":"Create Applications","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Fauth0-overview\u002Fcreate-applications","showCards":true,"children":[{"title":"Register Native 
Applications","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauth0-overview\u002Fcreate-applications\u002Fnative-apps"},{"title":"Register Single-Page Web Applications","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauth0-overview\u002Fcreate-applications\u002Fsingle-page-web-apps"},{"title":"Register Regular Web Applications","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauth0-overview\u002Fcreate-applications\u002Fregular-web-apps"},{"title":"Register Machine-to-Machine Applications","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauth0-overview\u002Fcreate-applications\u002Fmachine-to-machine-apps"},{"title":"Configure an Identity Provider in Access Gateway","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauth0-overview\u002Fcreate-applications\u002Fconfigure-an-identity-provider-in-access-gateway"}]},{"title":"Register APIs","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauth0-overview\u002Fset-up-apis"}]}]},{"title":"Configure Auth0","description":"Define how Auth0 works with your applications and APIs. 
Control who can access your Auth0 Dashboard.","type":"navigationSubsection","showCards":true,"quickstarts":false,"children":[{"title":"Auth0 Teams","description":"Learn about Auth0 Teams, including how to enable Teams, view and manage tenants, and manage tenant members.","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Fauth0-teams","showCards":true,"children":[{"title":"Tenant Management","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauth0-teams\u002Ftenant-management"},{"title":"Team Member Management","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauth0-teams\u002Fteam-member-management"},{"title":"Tenant Member Management","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauth0-teams\u002Ftenant-member-management"},{"title":"Configure Security Policies","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauth0-teams\u002Fconfigure-security-policies"},{"title":"Troubleshoot Teams","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauth0-teams\u002Ftroubleshoot-teams"},{"title":"Team Activity","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauth0-teams\u002Fteam-activity"},{"title":"About the Quarterly Snapshot","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauth0-teams\u002Fquarterly-snapshot"}]},{"title":"Dashboard Profile","description":"Describes how to configure options in Auth0 Dashboard's profile section.","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Fdashboard-profile","showCards":true,"children":[{"title":"Auth0 Dashboard Login Session Management","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fdashboard-profile\u002Fauth0-dashboard-login-session-management"},{"title":"Light and Dark themes","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fdashboard-profile\u002Flight-and-dark-themes"}]},{"title":"Tenant Settings","description":"Configure the behavior of your Auth0 
Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on\u002Foutbound-single-sign-on\u002Fconfigure-auth0-saml-identity-provider\u002Fconfigure-auth0-as-identity-provider-for-datadog"},{"title":"Configure Egencia as SAML Service Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on\u002Foutbound-single-sign-on\u002Fconfigure-auth0-saml-identity-provider\u002Fconfigure-auth0-as-identity-provider-for-egencia"},{"title":"Configure Freshdesk as SAML Service Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on\u002Foutbound-single-sign-on\u002Fconfigure-auth0-saml-identity-provider\u002Fconfigure-auth0-as-identity-provider-for-freshdesk"},{"title":"Configure GitHub Enterprise Cloud as SAML Service Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on\u002Foutbound-single-sign-on\u002Fconfigure-auth0-saml-identity-provider\u002Fconfigure-saml2-web-app-addon-for-github-enterprise-cloud"},{"title":"Configure GitHub Enterprise Server as SAML Service Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on\u002Foutbound-single-sign-on\u002Fconfigure-auth0-saml-identity-provider\u002Fconfigure-saml2-web-app-addon-for-github-enterprise-server"},{"title":"Configure Google Workspace as SAML Service Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on\u002Foutbound-single-sign-on\u002Fconfigure-auth0-saml-identity-provider\u002Fconfigure-auth0-as-idp-for-google-g-suite"},{"title":"Configure Heroku as SAML Service Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on\u002Foutbound-single-sign-on\u002Fconfigure-auth0-saml-identity-provider\u002Fconfigure-saml2-web-app-addon-for-heroku"},{"title":"Configure Hosted Graphite as SAML Service 
Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on\u002Foutbound-single-sign-on\u002Fconfigure-auth0-saml-identity-provider\u002Fconfigure-auth0-as-identity-provider-for-hosted-graphite"},{"title":"Configure Litmos as SAML Service Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on\u002Foutbound-single-sign-on\u002Fconfigure-auth0-saml-identity-provider\u002Fconfigure-auth0-as-identity-provider-for-litmos"},{"title":"Configure Oracle Eloqua Marketing Cloud as SAML Service Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on\u002Foutbound-single-sign-on\u002Fconfigure-auth0-saml-identity-provider\u002Fconfigure-saml2-addon-eloqua"},{"title":"Configure Pluralsight as SAML Service Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on\u002Foutbound-single-sign-on\u002Fconfigure-auth0-saml-identity-provider\u002Fconfigure-auth0-as-identity-provider-for-pluralsight"},{"title":"Configure Sprout Video as SAML Service Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on\u002Foutbound-single-sign-on\u002Fconfigure-auth0-saml-identity-provider\u002Fconfigure-auth0-as-identity-provider-for-sprout-video"},{"title":"Configure Tableau Online as SAML Service Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on\u002Foutbound-single-sign-on\u002Fconfigure-auth0-saml-identity-provider\u002Fconfigure-auth0-as-identity-provider-for-tableau-online"},{"title":"Configure Tableau Server as SAML Service Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on\u002Foutbound-single-sign-on\u002Fconfigure-auth0-saml-identity-provider\u002Fconfigure-auth0-as-identity-provider-for-tableau-server"},{"title":"Configure Workday as SAML Service 
Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on\u002Foutbound-single-sign-on\u002Fconfigure-auth0-saml-identity-provider\u002Fconfigure-auth0-as-identity-provider-for-workday"},{"title":"Configure Workpath as SAML Service Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on\u002Foutbound-single-sign-on\u002Fconfigure-auth0-saml-identity-provider\u002Fconfigure-auth0-as-identity-provider-for-workpath"}]}]},{"title":"API Endpoints for Single Sign-On","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on\u002Fapi-endpoints-for-single-sign-on"},{"title":"Okta Access Gateway","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on\u002Fokta-access-gateway"}]},{"title":"Passwordless","description":"Let users enter mobile phone numbers or email addresses and receive a one-time code or link to log in without a password.","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fpasswordless","showCards":true,"children":[{"title":"Authentication Methods","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fpasswordless\u002Fauthentication-methods","showCards":true,"children":[{"title":"Passwordless Authentication with Email","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fpasswordless\u002Fauthentication-methods\u002Femail-otp"},{"title":"Passwordless Authentication with Magic Links","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fpasswordless\u002Fauthentication-methods\u002Femail-magic-link"},{"title":"Passwordless Authentication with SMS","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fpasswordless\u002Fauthentication-methods\u002Fsms-otp"},{"title":"Set Up Custom SMS Gateway for Passwordless Connections","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fpasswordless\u002Fauthentication-methods\u002Fuse-sms-gateway-passwordless"}]},{"title":"Implement 
Login","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fpasswordless\u002Fimplement-login","showCards":true,"children":[{"title":"Passwordless Authentication with Universal Login","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fpasswordless\u002Fimplement-login\u002Funiversal-login"},{"title":"Embedded Login","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fpasswordless\u002Fimplement-login\u002Fembedded-login","showCards":true,"children":[{"title":"Using Passwordless APIs","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fpasswordless\u002Fimplement-login\u002Fembedded-login\u002Frelevant-api-endpoints"},{"title":"Embedded Passwordless Authentication for SPAs","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fpasswordless\u002Fimplement-login\u002Fembedded-login\u002Fspa"},{"title":"Embedded Passwordless Login in Native Applications","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fpasswordless\u002Fimplement-login\u002Fembedded-login\u002Fnative"},{"title":"Embedded Passwordless Login in Regular Web Applications","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fpasswordless\u002Fimplement-login\u002Fembedded-login\u002Fwebapps"}]}]},{"title":"Passwordless with Universal Login","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fpasswordless\u002Fpasswordless-with-universal-login"},{"title":"Passwordless Connection Limitations","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fpasswordless\u002Fpasswordless-connection-limitations"},{"title":"Passwordless Connections Best Practices","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fpasswordless\u002Fbest-practices"},{"title":"Sample Use Cases - Rules with Passwordless Authentication","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fpasswordless\u002Fsample-use-cases-rules"}]}]},{"title":"Provision Users","description":"Source users from social identity providers (such as Facebook or SalesForce), enterprise 
user stores (such as Active Directory or Google Workspace), a custom database, and more.","type":"navigationSubsection","showCards":true,"quickstarts":false,"children":[{"title":"Identity Providers","description":"Set up sources of user accounts to authenticate your applications and APIs.","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers","showCards":true,"children":[{"title":"Social Identity Providers","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fsocial-identity-providers","showCards":true,"children":[{"title":"Connect Apps to Generic OAuth2 Authorization Servers","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fsocial-identity-providers\u002Foauth2"},{"title":"Add Sign In with Apple to Native iOS Apps","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fsocial-identity-providers\u002Fapple-native"},{"title":"Add Facebook Login to Native Apps","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fsocial-identity-providers\u002Ffacebook-native"},{"title":"Handle Declined Authorization Permissions","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fsocial-identity-providers\u002Freprompt-permissions"},{"title":"Test Social Connections with Auth0 Developer Keys","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fsocial-identity-providers\u002Fdevkeys"},{"title":"Create a Custom Social Connection with TikTok","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fsocial-identity-providers\u002Ftiktok"}]},{"title":"Enterprise Identity Providers","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers","showCards":true,"children":[{"title":"Connect Your App to Active Directory using 
LDAP","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Factive-directory-ldap","showCards":true,"children":[{"title":"AD\u002FLDAP Connector","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Factive-directory-ldap\u002Fad-ldap-connector","showCards":true,"children":[{"title":"AD\u002FLDAP Connector System Requirements","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Factive-directory-ldap\u002Fad-ldap-connector\u002Fad-ldap-connector-requirements"},{"title":"Install and Configure AD\u002FLDAP Connector","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Factive-directory-ldap\u002Fad-ldap-connector\u002Finstall-configure-ad-ldap-connector"},{"title":"Configure AD\u002FLDAP Connector Authentication with Client Certificates","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Factive-directory-ldap\u002Fad-ldap-connector\u002Fconfigure-ad-ldap-connector-client-certificates"},{"title":"Configure AD\u002FLDAP Connector Authentication with Kerberos","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Factive-directory-ldap\u002Fad-ldap-connector\u002Fconfigure-ad-ldap-connector-with-kerberos"},{"title":"AD\u002FLDAP Connector Configuration File Schema","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Factive-directory-ldap\u002Fad-ldap-connector\u002Fad-ldap-connector-config-file-schema"},{"title":"Import and Export AD\u002FLDAP Connector 
Configurations","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Factive-directory-ldap\u002Fad-ldap-connector\u002Fimport-export-ad-ldap-connector-configs"},{"title":"Map AD\u002FLDAP Profile Attributes to Auth0 User Profile","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Factive-directory-ldap\u002Fad-ldap-connector\u002Fmap-ad-ldap-profile-attributes-to-auth0"},{"title":"Point AD\u002FLDAP Connector to Auth0 Connections","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Factive-directory-ldap\u002Fad-ldap-connector\u002Fad-ldap-connector-to-auth0"},{"title":"Update AD\u002FLDAP Connectors","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Factive-directory-ldap\u002Fad-ldap-connector\u002Fupdate-ad-ldap-connectors"},{"title":"Disable AD\u002FLDAP Connection Credential Caching","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Factive-directory-ldap\u002Fad-ldap-connector\u002Fdisable-credential-caching"},{"title":"Deploy AD\u002FLDAP Connectors for High Availability Environments","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Factive-directory-ldap\u002Fad-ldap-connector\u002Fad-ldap-high-availability"},{"title":"Set Up AD\u002FLDAP Connector Test Environment","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Factive-directory-ldap\u002Fad-ldap-connector\u002Fad-ldap-connector-test-environment"},{"title":"Monitor AD\u002FLDAP Connector with System Center Operations 
Manager","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Factive-directory-ldap\u002Fad-ldap-connector\u002Fad-ldap-connector-scom"}]}]},{"title":"Connect Your App to ADFS","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Fadfs"},{"title":"Connect Your Native App to Microsoft Azure Active Directory Using Resource Owner Flow","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Fazure-active-directory-native"},{"title":"Connect Your App to Google Workspace","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Fgoogle-apps"},{"title":"Connect to OpenID Connect Identity Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Foidc"},{"title":"Connect Your Auth0 Application with Okta Workforce Enterprise Connection","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Fokta"},{"title":"Configure PKCE and Claim Mapping for OIDC Connections","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Fconfigure-pkce-claim-mapping-for-oidc"},{"title":"Connect Your PingFederate Server to Auth0","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Fping-federate"},{"title":"Connect Your App to SAML Identity Providers","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Fsaml"},{"title":"Connect Your App to Microsoft Azure Active Directory","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Fazure-active-directory\u002Fv2"},{"title":"Choose a 
Connection Type for Azure AD","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Fchoose-a-connection-type-for-azure-ad"},{"title":"Email Verification for Azure AD and ADFS","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Fazuread-adfs-email-verification"},{"title":"Enable Enterprise Connections","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Fenable-enterprise-connections"},{"title":"Test Enterprise Connections","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Ftest-enterprise-connections"}]},{"title":"Legal Identity Providers","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Flegal"},{"title":"View Connections","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fview-connections"},{"title":"Test Connections","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Ftest-connections"},{"title":"Locate the Connection ID or Name","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Flocate-the-connection-id"},{"title":"Retrieve Connection Options","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fretrieve-connection-options"},{"title":"Pass Parameters to Identity Providers","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fpass-parameters-to-idps"},{"title":"Promote Connections to Domain Level","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fpromote-connections-to-domain-level"},{"title":"Call an Identity Provider API","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fcalling-an-external-idp-api"},{"title":"Add Scopes\u002FPermissions to Call Identity Provider 
APIs","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fadding-scopes-for-an-external-idp"}]},{"title":"Database Connections","description":"Authenticate users with an email\u002Fusername and password and save their credentials in an Auth0-provided user store or in your own database.","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections","showCards":true,"children":[{"title":"Auth0 User Store","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fauth0-user-store"},{"title":"Your User Store","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fcustom-db","showCards":true,"children":[{"title":"Authenticate with Your Own User Store","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fcustom-db\u002Foverview-custom-db-connections"},{"title":"Create Custom Database Connections","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fcustom-db\u002Fcreate-db-connection"},{"title":"Test Custom Database Connections","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fcustom-db\u002Ftest-custom-database-connections"},{"title":"Troubleshoot Custom Databases","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fcustom-db\u002Ferror-handling"},{"title":"Action Script Templates","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fcustom-db\u002Ftemplates","showCards":true,"children":[{"title":"Change Password Script Templates","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fcustom-db\u002Ftemplates\u002Fchange-password"},{"title":"Create Script Templates","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fcustom-db\u002Ftemplates\u002Fcreate"},{"title":"Delete Script 
Templates","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fcustom-db\u002Ftemplates\u002Fdelete"},{"title":"Get User Script Templates","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fcustom-db\u002Ftemplates\u002Fget-user"},{"title":"Login Script Templates","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fcustom-db\u002Ftemplates\u002Flogin"},{"title":"Verify Script Templates","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fcustom-db\u002Ftemplates\u002Fverify"},{"title":"Change Email Script Template","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fcustom-db\u002Ftemplates\u002Fchange-email"}]},{"title":"Custom Database and Action Script Best Practices","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fcustom-db\u002Fcustom-database-connections-scripts","showCards":true,"children":[{"title":"Custom Database Connection Anatomy Best Practices","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fcustom-db\u002Fcustom-database-connections-scripts\u002Fanatomy"},{"title":"Custom Database Action Script Environment Best Practices","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fcustom-db\u002Fcustom-database-connections-scripts\u002Fenvironment"},{"title":"Custom Database Action Script Execution Best Practices","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fcustom-db\u002Fcustom-database-connections-scripts\u002Fexecution"},{"title":"Custom Database Connection Security Best 
Practices","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fcustom-db\u002Fcustom-database-connections-scripts\u002Fconnection-security"}]}]},{"title":"Passkeys","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fpasskeys","showCards":true,"children":[{"title":"Configure Passkey Policy","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fpasskeys\u002Fconfigure-passkey-policy"},{"title":"Monitor Passkey Events in Tenant Logs","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fpasskeys\u002Fmonitor-passkey-events-in-tenant-logs"}]},{"title":"Password Options in Auth0 Database Connections","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fpassword-options"},{"title":"Password Strength in Auth0 Database Connections","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fpassword-strength"},{"title":"Change Users' Passwords","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fpassword-change"},{"title":"Adding Username for Database Connections","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Frequire-username"},{"title":"Login Script for IBM DB2","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fdb2-script"},{"title":"Activate and Configure Attributes for Flexible Identifiers","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Factivate-and-configure-attributes-for-flexible-identifiers"},{"title":"Flexible Identifiers and Attributes","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fflexible-identifiers-and-attributes"}]},{"title":"Enterprise Connections","description":"Authenticate users with external, federated identity providers such as Azure AD, Google Workspace, and 
PingFederate.","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fenterprise-connections","showCards":true,"children":[{"title":"Self-Service Single Sign-On","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fenterprise-connections\u002Fself-service-SSO"}]},{"title":"Protocols","description":"Easily implement open industry-standard protocols like OAuth 2.0, SAML, and LDAP for authentication and authorization.","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols","showCards":true,"children":[{"title":"SAML","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml","showCards":true,"children":[{"title":"SAML Identity Provider Configuration Settings","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml\u002Fsaml-identity-provider-configuration-settings"},{"title":"SAML Configuration","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml\u002Fsaml-configuration","showCards":true,"children":[{"title":"Customize SAML Assertions","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml\u002Fsaml-configuration\u002Fcustomize-saml-assertions"},{"title":"Deprovision Users in SAML Integrations","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml\u002Fsaml-configuration\u002Fdeprovision-users-in-saml-integrations"},{"title":"Test SAML SSO with Auth0 as Service Provider and Identity Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml\u002Fsaml-configuration\u002Fconfigure-auth0-as-service-and-identity-provider"},{"title":"Map SAML Attributes with Auth0 as IdP\u002FSAML Add-on","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml\u002Fsaml-configuration\u002Fsaml-attribute-mapping-examples"}]},{"title":"SAML Single Sign-On 
Integrations","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml\u002Fsaml-sso-integrations","showCards":true,"children":[{"title":"Configure SAML Identity Provider-Initiated Single Sign-On","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml\u002Fsaml-sso-integrations\u002Fidentity-provider-initiated-single-sign-on"},{"title":"Configure IdP-Initiated SAML Sign-on to OIDC Apps","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml\u002Fsaml-sso-integrations\u002Fconfigure-idp-initiated-saml-sign-on-to-oidc-apps"},{"title":"Configure Auth0 as SAML Service Provider","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml\u002Fsaml-sso-integrations\u002Fconfigure-auth0-saml-service-provider","showCards":true,"children":[{"title":"Configure ADFS as SAML Identity Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml\u002Fsaml-sso-integrations\u002Fconfigure-auth0-saml-service-provider\u002Fconfigure-adfs-saml-connections"},{"title":"Configure Okta as SAML Identity Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml\u002Fsaml-sso-integrations\u002Fconfigure-auth0-saml-service-provider\u002Fconfigure-okta-as-saml-identity-provider"},{"title":"Configure OneLogin as SAML Identity Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml\u002Fsaml-sso-integrations\u002Fconfigure-auth0-saml-service-provider\u002Fconfigure-onelogin-as-saml-identity-provider"},{"title":"Configure PingFederate as SAML Identity Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml\u002Fsaml-sso-integrations\u002Fconfigure-auth0-saml-service-provider\u002Fconfigure-pingfederate-as-saml-identity-provider"},{"title":"Configure Salesforce as SAML Identity 
Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml\u002Fsaml-sso-integrations\u002Fconfigure-auth0-saml-service-provider\u002Fconfigure-salesforce-as-saml-identity-provider"},{"title":"Configure SiteMinder as SAML Identity Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml\u002Fsaml-sso-integrations\u002Fconfigure-auth0-saml-service-provider\u002Fconfigure-siteminder-as-saml-identity-provider"},{"title":"Configure SSOCircle as SAML Identity Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml\u002Fsaml-sso-integrations\u002Fconfigure-auth0-saml-service-provider\u002Fconfigure-ssocircle-as-saml-identity-provider"}]},{"title":"Enable SAML2 Web App Addon","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml\u002Fsaml-sso-integrations\u002Fenable-saml2-web-app-addon"},{"title":"Sign and Encrypt SAML Requests","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml\u002Fsaml-sso-integrations\u002Fsign-and-encrypt-saml-requests"},{"title":"Work with Certificates and Keys as Strings","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml\u002Fsaml-sso-integrations\u002Fwork-with-certificates-and-keys-as-strings"}]}]},{"title":"OpenID Connect Protocol","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fopenid-connect-protocol"},{"title":"OAuth 2.0 Authorization Framework","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Foauth"},{"title":"Web Services Federation Protocol","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fws-fed-protocol"},{"title":"Lightweight Directory Access Protocol","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fldap-protocol"},{"title":"System for Cross-domain Identity Management (SCIM)","description":"Articles associated with System for Cross-domain Identity Management 
(SCIM)","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fscim","showCards":true,"children":[{"title":"Configure Inbound SCIM","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fscim\u002Fconfigure-inbound-scim"},{"title":"Inbound SCIM for Azure AD SAML Connections","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fscim\u002Finbound-scim-for-azure-ad-saml-connections"},{"title":"Inbound SCIM for Older Azure AD Connections","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fscim\u002Finbound-scim-for-older-azure-ad-connections"},{"title":"Inbound SCIM for New Azure AD Connections","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fscim\u002Finbound-scim-for-new-azure-ad-connections"},{"title":"Inbound SCIM for Okta Workforce Connections","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fscim\u002Finbound-scim-for-okta-workforce-connections"},{"title":"Configure Inbound SCIM for Identity Providers using SAML or OpenID","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fscim\u002Fconfigure-inbound-scim-for-identity-providers-using-saml-or-openid"},{"title":"Inbound SCIM for Okta Workforce SAML Connections","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fscim\u002Finbound-scim-for-okta-workforce-saml-connections"},{"title":"Manage an Inbound SCIM Deployment with the Management API","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fscim\u002Fmanage-an-inbound-scim-deployment-with-the-management-api"}]}]},{"title":"Connection Settings Best Practices","description":"Review best practices when configuring social and database connections.","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fconnection-settings-best-practices","showCards":true}]}],"isActiveUrl":false,"isCurrentUrl":false},{"title":"Manage Users","description":"Store and manage custom 
details about your users.","type":"navigationSection","url":"\u002Fdocs\u002Fmanage-users","icon":"IdenticonUserManagement","children":[{"title":"Manage Users","description":"Import, group, and administer users and control their access.","type":"navigationSubsection","showCards":true,"quickstarts":false,"children":[{"title":"User Accounts","description":"Migrate, find, organize, and administer user accounts and user data.","type":"navigationItem","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts","showCards":true,"children":[{"title":"Manage Users Using the Dashboard","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fmanage-users-using-the-dashboard"},{"title":"Manage Users Using the Management API","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fmanage-users-using-the-management-api"},{"title":"User Profiles","type":"navigationItem","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fuser-profiles","showCards":true,"children":[{"title":"User Profile Structure","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fuser-profiles\u002Fuser-profile-structure"},{"title":"Sample User Profiles","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fuser-profiles\u002Fsample-user-profiles"},{"title":"Normalized User Profiles","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fuser-profiles\u002Fnormalized-user-profiles"},{"title":"Normalized User Profile Schema","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fuser-profiles\u002Fnormalized-user-profile-schema"},{"title":"Understand How Progressive Profiling Works","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fuser-profiles\u002Fprogressive-profiling"},{"title":"Root 
Attributes","type":"navigationItem","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fuser-profiles\u002Froot-attributes","showCards":true,"children":[{"title":"Set Root Attributes During User Import","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fuser-profiles\u002Froot-attributes\u002Fset-root-attributes-during-user-import"},{"title":"Set Root Attributes During User Signup","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fuser-profiles\u002Froot-attributes\u002Fset-root-attributes-during-user-sign-up"},{"title":"Update Root Attributes for Users","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fuser-profiles\u002Froot-attributes\u002Fupdate-root-attributes-for-users"}]},{"title":"Use Verified Email in User Profiles","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fuser-profiles\u002Fverified-email-usage"},{"title":"Configure Identity Provider Connection for User Profile Updates","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fuser-profiles\u002Fconfigure-connection-sync-with-auth0"},{"title":"Update User Profiles Using Your Database","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fuser-profiles\u002Fupdate-user-profiles-using-your-database"}]},{"title":"Metadata","type":"navigationItem","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fmetadata","showCards":true,"children":[{"title":"Metadata Field Names and Data Types","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fmetadata\u002Fmetadata-fields-data"},{"title":"Manage Metadata Using the Management API","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fmetadata\u002Fmanage-metadata-api"},{"title":"Manage Metadata with Rules","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fmetadata\u002Fmanage-metadata-rules"},{"title":"Manage Metadata with 
Lock","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fmetadata\u002Fmanage-metadata-lock"},{"title":"Configure Application Metadata","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fmetadata\u002Fconfigure-application-metadata"},{"title":"Manage User Metadata with the post-login Action Trigger","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fmetadata\u002Fmanage-user-metadata"}]},{"title":"Verify Emails using Auth0","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fverify-emails"},{"title":"User Account Linking","type":"navigationItem","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fuser-account-linking","showCards":true,"children":[{"title":"Link User Accounts","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fuser-account-linking\u002Flink-user-accounts"},{"title":"Unlink User Accounts","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fuser-account-linking\u002Funlink-user-accounts"},{"title":"User-Initiated Account Linking: Client-Side Implementation","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fuser-account-linking\u002Fuser-initiated-account-linking-client-side-implementation"},{"title":"User Account Linking: Server-Side Implementation","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fuser-account-linking\u002Fsuggested-account-linking-server-side-implementation"}]},{"title":"Create Users","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fcreate-users"},{"title":"Identify Users","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fidentify-users"},{"title":"View User Details","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fview-user-details"},{"title":"Change User 
Pictures","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fchange-user-picture"},{"title":"Manage User Access to Applications","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fmanage-user-access-to-applications"},{"title":"Deny User Access to an API with Rules","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fdeny-api-access"},{"title":"Block and Unblock Users","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fblock-and-unblock-users"},{"title":"Unlink Devices from Users","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Funlink-devices-from-users"},{"title":"Delete Users","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fdelete-users"},{"title":"Get User Information on Unbounce Landing Pages","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fget-user-information-on-unbounce-landing-pages"},{"title":"Resend Verification Emails","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fresend-verification-emails"}]},{"title":"User Migration","description":"Import users from external applications using custom database connections, the Auth0 Management API, or the User Import\u002FExport extension.","type":"navigationItem","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-migration","showCards":true,"children":[{"title":"Configure Automatic Migration from Your Database","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-migration\u002Fconfigure-automatic-migration-from-your-database"},{"title":"Bulk User Imports","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-migration\u002Fbulk-user-imports"},{"title":"Bulk User Import Database Schema and Examples","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-migration\u002Fbulk-user-import-database-schema-and-examples"},{"title":"Bulk User 
Exports","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-migration\u002Fbulk-user-exports"},{"title":"User Import \u002F Export Extension","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-migration\u002Fuser-import-export-extension"},{"title":"User Migration Scenarios","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-migration\u002Fuser-migration-scenarios"}]},{"title":"User Search","description":"Retrieve user profile details using the Auth0 Management API.","type":"navigationItem","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-search","showCards":true,"children":[{"title":"Retrieve Users with the Get Users Endpoint","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-search\u002Fretrieve-users-with-get-users-endpoint"},{"title":"Retrieve Users with Get Users by Email Endpoint","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-search\u002Fretrieve-users-with-get-users-by-email-endpoint"},{"title":"Retrieve Users with the Get Users by ID Endpoint","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-search\u002Fretrieve-users-with-get-users-by-id-endpoint"},{"title":"Sort Search Results","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-search\u002Fsort-search-results"},{"title":"View Search Results by Page","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-search\u002Fview-search-results-by-page"},{"title":"User Search Query Syntax","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-search\u002Fuser-search-query-syntax"},{"title":"User Search Best Practices","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-search\u002Fuser-search-best-practices"}]},{"title":"Organizations","description":"Manage your partners and customers and control the ways that end-users access your applications.","type":"navigationItem","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations","showCards":true,"children":[{"title":"Understand How Auth0 Organizations 
Work","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Forganizations-overview"},{"title":"Create Your First Organization","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fcreate-first-organization"},{"title":"Login Flows for Organizations","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Flogin-flows-for-organizations"},{"title":"Custom Development with Organizations","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fcustom-development"},{"title":"Work with Tokens and Organizations","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fusing-tokens"},{"title":"Configure Organizations","type":"navigationItem","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fconfigure-organizations","showCards":true,"children":[{"title":"Create Organizations","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fconfigure-organizations\u002Fcreate-organizations"},{"title":"Delete Organizations","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fconfigure-organizations\u002Fdelete-organizations"},{"title":"Use Organization Names in Authentication API","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fconfigure-organizations\u002Fuse-org-name-authentication-api"},{"title":"Define Organization Behavior","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fconfigure-organizations\u002Fdefine-organization-behavior"},{"title":"Enable Organization Connections","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fconfigure-organizations\u002Fenable-connections"},{"title":"Disable Organization Connections","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fconfigure-organizations\u002Fdisable-connections"},{"title":"Invite Organization 
Members","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fconfigure-organizations\u002Finvite-members"},{"title":"Send Organization Membership Invitations","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fconfigure-organizations\u002Fsend-membership-invitations"},{"title":"Grant Just-In-Time Membership to an Organization Connection","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fconfigure-organizations\u002Fgrant-just-in-time-membership"},{"title":"Assign Members to an Organization","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fconfigure-organizations\u002Fassign-members"},{"title":"Remove Members From Organizations","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fconfigure-organizations\u002Fremove-members"},{"title":"Add Roles to Organization Members","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fconfigure-organizations\u002Fadd-member-roles"},{"title":"Remove Roles from Organization Members","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fconfigure-organizations\u002Fremove-member-roles"},{"title":"Retrieve Organizations","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fconfigure-organizations\u002Fretrieve-organizations"},{"title":"Search for Organizations","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fconfigure-organizations\u002Fsearch-for-organizations"},{"title":"Retrieve Organization Connections","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fconfigure-organizations\u002Fretrieve-connections"},{"title":"Retrieve Organization Members","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fconfigure-organizations\u002Fretrieve-members"},{"title":"Search Organization 
Members","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fconfigure-organizations\u002Fsearch-organization-members"},{"title":"Retrieve User's Organization Memberships","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fconfigure-organizations\u002Fretrieve-user-membership"},{"title":"Retrieve Member Roles for an Organization","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fconfigure-organizations\u002Fretrieve-member-roles"}]},{"title":"Machine-to-Machine (M2M) Access for Organizations","description":"Learn how to set up machine-to-machine access for Organizations. ","type":"navigationItem","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Forganizations-for-m2m-applications","showCards":false,"children":[{"title":"Configure Your Application For M2M Access","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Forganizations-for-m2m-applications\u002Fconfigure-your-application-for-m2m-access"},{"title":"Authorize M2M Access","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Forganizations-for-m2m-applications\u002Fauthorize-m2m-access"},{"title":"Revoke M2M Access","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Forganizations-for-m2m-applications\u002Frevoke-m2m-access"},{"title":"Audit M2M Access","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Forganizations-for-m2m-applications\u002Faudit-m2m-access"}]}]}]},{"title":"Manage Access","description":"Control who can interact within your applications.","type":"navigationSubsection","showCards":true,"quickstarts":false,"children":[{"title":"Access Control","description":"Control users’ access to applications and information based on roles.","type":"navigationItem","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control","showCards":true,"children":[{"title":"Role-Based Access 
Control","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Frbac"},{"title":"Authorization Policies","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fauthorization-policies"},{"title":"Rules for Authorization Policies","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Frules-for-authorization-policies"},{"title":"Sample Use Cases: Role-Based Access Control","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fsample-use-cases-role-based-access-control"},{"title":"Sample Use Cases: Actions with Authorization","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fsample-use-cases-actions-with-authorization"},{"title":"Sample Use Cases: Rules with Authorization","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fsample-use-cases-rules-with-authorization"},{"title":"Authorization Core vs. Authorization Extension","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fauthorization-core-vs-authorization-extension"},{"title":"Configure Core RBAC","type":"navigationItem","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fconfigure-core-rbac","showCards":true,"children":[{"title":"Manage Role-Based Access Control Roles","type":"navigationItem","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fconfigure-core-rbac\u002Froles","showCards":true,"children":[{"title":"View Users Assigned to Roles","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fconfigure-core-rbac\u002Froles\u002Fview-users-assigned-to-roles"},{"title":"View Role Permissions","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fconfigure-core-rbac\u002Froles\u002Fview-role-permissions"},{"title":"Remove Permissions from 
Roles","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fconfigure-core-rbac\u002Froles\u002Fremove-permissions-from-roles"},{"title":"Edit Role Definitions","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fconfigure-core-rbac\u002Froles\u002Fedit-role-definitions"},{"title":"Delete Roles","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fconfigure-core-rbac\u002Froles\u002Fdelete-roles"},{"title":"Create Roles","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fconfigure-core-rbac\u002Froles\u002Fcreate-roles"},{"title":"Add Permissions to Roles","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fconfigure-core-rbac\u002Froles\u002Fadd-permissions-to-roles"}]},{"title":"Manage Role-Based Access Control Users","type":"navigationItem","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fconfigure-core-rbac\u002Frbac-users","showCards":true,"children":[{"title":"View Roles Assigned to Users","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fconfigure-core-rbac\u002Frbac-users\u002Fview-user-roles"},{"title":"View User Permissions","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fconfigure-core-rbac\u002Frbac-users\u002Fview-user-permissions"},{"title":"Remove Roles from Users","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fconfigure-core-rbac\u002Frbac-users\u002Fremove-roles-from-users"},{"title":"Remove Permissions from Users","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fconfigure-core-rbac\u002Frbac-users\u002Fremove-permissions-from-users"},{"title":"Assign Roles to Users","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fconfigure-core-rbac\u002Frbac-users\u002Fassign-roles-to-users"},{"title":"Assign Permissions to 
Users","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fconfigure-core-rbac\u002Frbac-users\u002Fassign-permissions-to-users"}]},{"title":"Manage Role-Based Access Control Permissions","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fconfigure-core-rbac\u002Fmanage-permissions"},{"title":"Enable Role-Based Access Control for APIs","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fconfigure-core-rbac\u002Fenable-role-based-access-control-for-apis"}]}]},{"title":"Sessions","description":"Define groups of interactions (such as page views, events, social interactions, and e-commerce transactions) between a user and an application that take place within a given timeframe.","type":"navigationItem","url":"\u002Fdocs\u002Fmanage-users\u002Fsessions","showCards":true,"children":[{"title":"Session Layers","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fsessions\u002Fsession-layers"},{"title":"Session Lifetime Limits","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fsessions\u002Fsession-lifetime-limits"},{"title":"Configure Session Lifetime Settings","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fsessions\u002Fconfigure-session-lifetime-settings"},{"title":"Non-Persistent Sessions","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fsessions\u002Fnon-persistent-sessions"},{"title":"Sessions with Actions","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fsessions\u002Fmanage-sessions-actions"},{"title":"Manage Multi-Site Sessions with Auth0 SDK","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fsessions\u002Fmanage-multi-site-sessions"},{"title":"Manage User Sessions with Auth0 Management API","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fsessions\u002Fmanage-user-sessions-with-auth0-management-api"}]},{"title":"Cookies","description":"Control how cookies work with your 
applications.","type":"navigationItem","url":"\u002Fdocs\u002Fmanage-users\u002Fcookies","showCards":true,"children":[{"title":"Authentication API Cookies","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fcookies\u002Fauthentication-api-cookies"},{"title":"Authenticate Single-Page Apps With Cookies","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fcookies\u002Fspa-authenticate-with-cookies"},{"title":"SameSite Cookie Attribute Changes","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fcookies\u002Fsamesite-cookie-attribute-changes"}]}]}],"isActiveUrl":false,"isCurrentUrl":false},{"title":"Customize","description":"Customize Auth0 using your own branding and extend our functionality to solve your unique identity needs.","type":"navigationSection","url":"\u002Fdocs\u002Fcustomize","icon":"IdenticonCustomize","children":[{"title":"Brand Customization","description":"Seamlessly integrate Auth0 with your own brand and localize the experience for international users.","type":"navigationSubsection","showCards":true,"quickstarts":false,"children":[{"title":"Customize Login Pages","description":"Customize the Universal Login and Classic Login experiences","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Flogin-pages","showCards":true,"children":[{"title":"Customize Universal Login ","description":"Learn how to customize Universal Login pages","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Flogin-pages\u002Funiversal-login","showCards":true,"children":[{"title":"Customize Universal Login Page Themes","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Flogin-pages\u002Funiversal-login\u002Fcustomize-themes"},{"title":"Customize Universal Login Page Templates","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Flogin-pages\u002Funiversal-login\u002Fcustomize-templates"},{"title":"Customize Universal Login Text 
Elements","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Flogin-pages\u002Funiversal-login\u002Fcustomize-text-elements"},{"title":"Customize Signup and Login Prompts","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Flogin-pages\u002Funiversal-login\u002Fcustomize-signup-and-login-prompts"}]},{"title":"Customize Classic Login","description":"Learn how to customize the Classic Login experience","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Flogin-pages\u002Fclassic-login","showCards":true,"children":[{"title":"Customize Classic Login Pages","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Flogin-pages\u002Fclassic-login\u002Fcustomization-classic"},{"title":"Customize Classic Login Pages with Lock or SDK","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Flogin-pages\u002Fclassic-login\u002Fcustomize-with-lock-sdk"},{"title":"Customize Lock Error Messages","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Flogin-pages\u002Fclassic-login\u002Fcustomize-lock-error-messages"},{"title":"Customize Classic Password Reset Page","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Flogin-pages\u002Fclassic-login\u002Fcustomize-password-reset-page"},{"title":"Classic Login Page Version Control","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Flogin-pages\u002Fclassic-login\u002Fversion-control"}]},{"title":"Customize Consent Prompts","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Flogin-pages\u002Fcustomize-consent-prompts"},{"title":"Customize Error Pages","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Flogin-pages\u002Fcustom-error-pages"}]},{"title":"Custom Domains","description":"Unify the login experience with your own brand and products.","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fcustom-domains","showCards":true,"children":[{"title":"Configure Custom Domains with Auth0-Managed 
Certificates","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fcustom-domains\u002Fauth0-managed-certificates"},{"title":"Self-Managed Certificates","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fcustom-domains\u002Fself-managed-certificates","showCards":true,"children":[{"title":"Configure Google Cloud Platform with Load Balancing as Reverse Proxy","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fcustom-domains\u002Fself-managed-certificates\u002Fconfigure-gcp-as-reverse-proxy"},{"title":"Configure Cloudflare as Reverse Proxy","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fcustom-domains\u002Fself-managed-certificates\u002Fconfigure-cloudflare-for-use-as-reverse-proxy"},{"title":"Configure AWS CloudFront as Reverse Proxy","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fcustom-domains\u002Fself-managed-certificates\u002Fconfigure-aws-cloudfront-for-use-as-reverse-proxy"},{"title":"Configure Azure CDN as Reverse Proxy","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fcustom-domains\u002Fself-managed-certificates\u002Fconfigure-azure-cdn-for-use-as-reverse-proxy"},{"title":"Configure Akamai as Reverse Proxy","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fcustom-domains\u002Fself-managed-certificates\u002Fconfigure-akamai-for-use-as-reverse-proxy"},{"title":"TLS (SSL) Versions and Ciphers","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fcustom-domains\u002Fself-managed-certificates\u002Ftls-ssl"}]},{"title":"Configure Features to Use Custom Domains","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fcustom-domains\u002Fconfigure-features-to-use-custom-domains"}]},{"title":"Customize Emails","description":"Brand and modify the content and flow of email to end users.","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Femail","showCards":true,"children":[{"title":"Customize Email Handling","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Femail\u002Fmanage-email-flow"},{"title":"Email 
Templates","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Femail\u002Femail-templates","showCards":true,"children":[{"title":"Use Liquid Syntax in Email Templates","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Femail\u002Femail-templates\u002Fuse-liquid-syntax-in-email-templates"},{"title":"Email Template Descriptions","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Femail\u002Femail-templates\u002Femail-template-descriptions"}]},{"title":"Configure a Custom Email Provider","description":"Learn how to configure a custom email provider. ","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Femail\u002Fconfigure-a-custom-email-provider","showCards":false,"children":[{"title":"Action Triggers: custom-email-provider Event Object","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Femail\u002Fconfigure-a-custom-email-provider\u002Faction-triggers-custom-email-provider-event-object"},{"title":"Action Triggers: custom-email-provider API Object","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Femail\u002Fconfigure-a-custom-email-provider\u002Faction-triggers-custom-email-provider-api-object"}]},{"title":"Customize Blocked Account Emails","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Femail\u002Fcustomize-blocked-account-emails"},{"title":"Send Email Invitations for Application Signup","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Femail\u002Fsend-email-invitations-for-application-signup"},{"title":"SMTP Email Providers","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Femail\u002Fsmtp-email-providers","showCards":true,"children":[{"title":"Configure Amazon SES as External SMTP Email Provider","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Femail\u002Fsmtp-email-providers\u002Fconfigure-amazon-ses-as-external-smtp-email-provider"},{"title":"Configure Azure Communication Services as External SMTP Email 
Provider","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Femail\u002Fsmtp-email-providers\u002Fconfigure-azure-comm-service-as-smtp-email-provider"},{"title":"Configure Mandrill as External SMTP Email Provider","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Femail\u002Fsmtp-email-providers\u002Fconfigure-mandrill-as-external-smtp-email-provider"},{"title":"Configure Microsoft 365 Exchange Online as External SMTP Email Provider","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Femail\u002Fsmtp-email-providers\u002Fconfigure-365-exchange-as-smtp-email-provider"},{"title":"Configure SendGrid as External SMTP Email Provider","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Femail\u002Fsmtp-email-providers\u002Fconfigure-sendgrid-as-external-smtp-email-provider"},{"title":"Configure SparkPost as External SMTP Email Provider","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Femail\u002Fsmtp-email-providers\u002Fconfigure-sparkpost-as-external-smtp-email-provider"},{"title":"Configure Mailgun as External SMTP Email Provider","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Femail\u002Fsmtp-email-providers\u002Fconfigure-mailgun-as-external-smtp-email-provider"},{"title":"Configure Custom External SMTP Email Provider","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Femail\u002Fsmtp-email-providers\u002Fconfigure-custom-external-smtp-email-provider"}]},{"title":"Configure Test SMTP Email Server","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Femail\u002Fconfigure-test-smtp-email-servers"},{"title":"Troubleshoot Custom Email Provider Delivery Issues","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Femail\u002Ftroubleshoot-custom-email-provider-delivery-issues"}]},{"title":"Customize Phone Messages","description":"Learn how to customize your phone message flows in the Auth0 Dashboard. 
","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fphone-messages","showCards":false,"children":[{"title":"Configure Phone Messaging Providers","description":"Learn how to configure a phone messaging provider. ","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fphone-messages\u002Fconfigure-phone-messaging-providers","showCards":true,"children":[{"title":"Configure Twilio as a Phone Messaging Provider","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fphone-messages\u002Fconfigure-phone-messaging-providers\u002Fconfigure-twilio-as-a-phone-messaging-provider"},{"title":"Configure a Custom Phone Provider ","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fphone-messages\u002Fconfigure-phone-messaging-providers\u002Fconfigure-a-custom-phone-provider"},{"title":"Actions Triggers: custom-phone-provider Event Object ","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fphone-messages\u002Fconfigure-phone-messaging-providers\u002Factions-triggers-custom-phone-provider-event-object"},{"title":"Action Triggers: custom-phone-provider API Object ","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fphone-messages\u002Fconfigure-phone-messaging-providers\u002Faction-triggers-custom-phone-provider-api-object"}]},{"title":"Customize Phone Templates","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fphone-messages\u002Fcustomize-phone-templates"}]},{"title":"Customize Multi-factor Authentication SMS and Voice Messages","description":"Learn how to customize SMS and voice messages sent by Auth0 during enrollment and verification.","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fcustomize-sms-or-voice-messages","showCards":true},{"title":"Internationalization and Localization","description":"Learn how to handle different languages within your Auth0 applications.","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Finternationalization-and-localization","showCards":true,"children":[{"title":"Universal Login 
Internationalization","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Finternationalization-and-localization\u002Funiversal-login-internationalization"},{"title":"Lock Internationalization","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Finternationalization-and-localization\u002Flock-internationalization"},{"title":"Lock.swift Internationalization","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Finternationalization-and-localization\u002Flock-swift-internationalization"},{"title":"Lock.Android Internationalization","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Finternationalization-and-localization\u002Flock-android-internationalization"},{"title":"Customize Translation of Lock Password Options","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Finternationalization-and-localization\u002Fpassword-options-translation"}]}]},{"title":"Code Customization","description":"Create Actions to customize and extend Auth0’s capabilities with custom logic. Or maintain legacy Rules and Hooks. 
","type":"navigationSubsection","showCards":true,"quickstarts":false,"children":[{"title":"Actions","description":"Customize Auth0 capabilities with secure, tenant-specific, versioned functions that execute at certain points during the Auth0 runtime.","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Factions","showCards":true,"children":[{"title":"Understand How Auth0 Actions Work","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Factions-overview"},{"title":"Write Your First Action","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fwrite-your-first-action"},{"title":"Explore Triggers","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers","showCards":true,"children":[{"title":"Signup and Login Triggers","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fsignup-and-login-triggers","showCards":true,"children":[{"title":"Login Trigger","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fsignup-and-login-triggers\u002Flogin-trigger","showCards":true,"children":[{"title":"Actions Triggers: post-login - Event Object","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fsignup-and-login-triggers\u002Flogin-trigger\u002Fpost-login-event-object"},{"title":"Actions Triggers: post-login - API Object","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fsignup-and-login-triggers\u002Flogin-trigger\u002Fpost-login-api-object"},{"title":"Redirect with Actions","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fsignup-and-login-triggers\u002Flogin-trigger\u002Fredirect-with-actions"},{"title":"Releases","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fsignup-and-login-triggers\u002Flogin-trigger\u002Freleases"}]},{"title":"Pre-user Registration 
Trigger","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fsignup-and-login-triggers\u002Fpre-user-registration-trigger","showCards":true,"children":[{"title":"Actions Triggers: pre-user-registration - Event Object","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fsignup-and-login-triggers\u002Fpre-user-registration-trigger\u002Fpre-user-registration-event-object"},{"title":"Actions Triggers: pre-user-registration - API Object","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fsignup-and-login-triggers\u002Fpre-user-registration-trigger\u002Fpre-user-registration-api-object"}]},{"title":"Post-user Registration Trigger","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fsignup-and-login-triggers\u002Fpost-user-registration-trigger","showCards":true,"children":[{"title":"Actions Triggers: post-user-registration - Event Object","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fsignup-and-login-triggers\u002Fpost-user-registration-trigger\u002Fpost-user-registration-event-object"},{"title":"Actions - Triggers - post-user-registration - API object","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fsignup-and-login-triggers\u002Fpost-user-registration-trigger\u002Fpost-user-registration-api-object"}]}]},{"title":"MFA Notifications Trigger","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fmfa-notifications-trigger","showCards":true,"children":[{"title":"Actions Triggers: send-phone-message - Event Object","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fmfa-notifications-trigger\u002Fsend-phone-message-event-object"},{"title":"Actions Triggers: send-phone-message - API 
Object","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fmfa-notifications-trigger\u002Fsend-phone-message-api-object"}]},{"title":"Password Reset Triggers","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fpassword-reset-triggers","showCards":true,"children":[{"title":"Post-challenge Trigger","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fpassword-reset-triggers\u002Fpost-challenge-trigger","showCards":true,"children":[{"title":"Actions Triggers: post-challenge - Event Object","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fpassword-reset-triggers\u002Fpost-challenge-trigger\u002Fpost-challenge-event-object"},{"title":"Actions Triggers: post-challenge - API Object","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fpassword-reset-triggers\u002Fpost-challenge-trigger\u002Fpost-challenge-api-object"}]},{"title":"Post Change Password Trigger","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fpassword-reset-triggers\u002Fpost-change-password-trigger","showCards":true,"children":[{"title":"Actions Triggers: post-change-password - Event Object","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fpassword-reset-triggers\u002Fpost-change-password-trigger\u002Fpost-change-password-event-object"},{"title":"Actions Triggers: post-change-password - API Object","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fpassword-reset-triggers\u002Fpost-change-password-trigger\u002Fpost-change-password-api-object"}]}]},{"title":"Machine to Machine Trigger","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fmachine-to-machine-trigger","showCards":true,"children":[{"title":"Actions Triggers: 
credentials-exchange - Event Object","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fmachine-to-machine-trigger\u002Fcredentials-exchange-event-object"},{"title":"Actions Triggers: credentials-exchange - API Object","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fmachine-to-machine-trigger\u002Fcredentials-exchange-api-object"}]}]},{"title":"Action Use Cases","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fuse-cases"},{"title":"Action Coding Guidelines","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Faction-coding-guidelines"},{"title":"Actions Limitations","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Flimitations"},{"title":"Manage Dependencies","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fmanage-dependencies"},{"title":"Manage Versions","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fmanage-versions"},{"title":"Test Actions","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Ftest-actions"},{"title":"Releases","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Freleases"},{"title":"Migrate to Actions","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fmigrate","showCards":true,"children":[{"title":"Migrate from Rules to Actions","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fmigrate\u002Fmigrate-from-rules-to-actions"},{"title":"Migration tooling","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fmigrate\u002Fmigrate-a-rule-to-an-action"},{"title":"Migrate from Hooks to Actions","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fmigrate\u002Fmigrate-from-hooks-to-actions"},{"title":"Migrate from Actions Beta to Final","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fmigrate\u002Fmigrate-from-actions-beta-to-final"},{"title":"Actions Migration 
Limitations","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fmigrate\u002Factions-migration-limitations"}]},{"title":"Templates for Actions","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Factions-templates"}]},{"title":"Forms","description":"Extend your identity flows with additional steps and custom logic with Forms.","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fforms","showCards":true,"children":[{"title":"Nodes and components","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fnodes-and-components"},{"title":"Flows","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fflows","showCards":true,"children":[{"title":"Integrations","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fflows\u002Fintegrations","showCards":true,"children":[{"title":"Auth0","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fflows\u002Fintegrations\u002Fauth0"},{"title":"Data verification","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fflows\u002Fintegrations\u002Fdata-verification"},{"title":"HTTP Request","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fflows\u002Fintegrations\u002Fhttp-request"},{"title":"JSON","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fflows\u002Fintegrations\u002Fjson"},{"title":"JSON Web 
Token","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fflows\u002Fintegrations\u002Fjson-web-token"},{"title":"Logic","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fflows\u002Fintegrations\u002Flogic"},{"title":"Mailjet","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fflows\u002Fintegrations\u002Fmailjet"},{"title":"SendGrid","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fflows\u002Fintegrations\u002Fsendgrid"},{"title":"Telegram","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fflows\u002Fintegrations\u002Ftelegram"},{"title":"Twilio","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fflows\u002Fintegrations\u002Ftwilio"},{"title":"WhatsApp","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fflows\u002Fintegrations\u002Fwhatsapp"},{"title":"XML","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fflows\u002Fintegrations\u002Fxml"}]},{"title":"Execution and Debugger","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fflows\u002Fflow-execution-and-debugger"}]},{"title":"Variables and helper functions","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fvariables"},{"title":"Routers","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Frouters"},{"title":"Custom Field Components","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fcustom-field-components"},{"title":"Render Forms using Actions","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Frender"},{"title":"Vault","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fvault"},{"title":"Custom Messages and Translation","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fcustom-messages-and-translation"},{"title":"Resources: 
Templates","type":"externalLink","url":"https:\u002F\u002Fdeveloper.auth0.com\u002Fresources\u002Ftemplates\u002Fforms","external":true,"forceFullReload":true},{"title":"Use Cases: Configure a progressive profile form using Forms","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fconfigure-progressive-profile-form"},{"title":"Use Cases: Configure an update policy form using Forms","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fconfigure-update-policy-form"},{"title":"Use Cases: Configure additional signup steps using Forms","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fconfigure-additional-signup-steps"}]},{"title":"Rules","description":"Maintain legacy rules that your applications use in the authentication pipeline.","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Frules","showCards":true,"children":[{"title":"Create Rules","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Frules\u002Fcreate-rules"},{"title":"Configure Global Variables for Rules","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Frules\u002Fconfigure-global-variables-for-rules"},{"title":"Store Rule Configurations","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Frules\u002Fconfiguration"},{"title":"Cache Expensive Resources in Rules","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Frules\u002Fcache-resources"},{"title":"Debug Rules","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Frules\u002Fdebug-rules"},{"title":"Use the Management API from within Rules","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Frules\u002Fuse-management-api"},{"title":"Redirect Users from Within Rules","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Frules\u002Fredirect-users"},{"title":"User Object Properties in Rules","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Frules\u002Fuser-object-in-rules"},{"title":"Context Object Properties in 
Rules","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Frules\u002Fcontext-object"},{"title":"Raise Errors from Rules","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Frules\u002Fraise-errors-from-rules"}]},{"title":"Hooks","description":"Maintain legacy hooks for selected extensibility points of the Auth0 platform.","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fhooks","showCards":true,"children":[{"title":"Create Hooks","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fhooks\u002Fcreate-hooks"},{"title":"Update Hooks","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fhooks\u002Fupdate-hooks"},{"title":"Delete Hooks","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fhooks\u002Fdelete-hooks"},{"title":"Enable\u002FDisable Hooks","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fhooks\u002Fenable-disable-hooks"},{"title":"View Hooks","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fhooks\u002Fview-hooks"},{"title":"View Logs for Hooks","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fhooks\u002Fview-logs-for-hooks"},{"title":"Hook Secrets","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fhooks\u002Fhook-secrets","showCards":true,"children":[{"title":"Create Hook Secrets","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fhooks\u002Fhook-secrets\u002Fcreate-hook-secrets"},{"title":"Update Hook Secrets","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fhooks\u002Fhook-secrets\u002Fupdate-hook-secrets"},{"title":"Delete Hook Secrets","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fhooks\u002Fhook-secrets\u002Fdelete-hook-secrets"},{"title":"View Hook Secrets","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fhooks\u002Fhook-secrets\u002Fview-hook-secrets"}]}]}]},{"title":"Third-Party Customization","description":"Take advantage of third-party integrations and Auth0 extensions to expand what Auth0 can do for your 
systems.","type":"navigationSubsection","showCards":true,"quickstarts":false,"children":[{"title":"Extensions","description":"Use Auth0 Extensions to install applications or run commands\u002Fscripts that extend the capabilities of the Auth0 base product.","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fextensions","showCards":true,"children":[{"title":"Authorization Extension","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fauthorization-extension","showCards":true,"children":[{"title":"Install Authorization Extension","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fauthorization-extension\u002Finstall-authorization-extension"},{"title":"Configure Authorization Extension","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fauthorization-extension\u002Fconfigure-authorization-extension"},{"title":"Set Up Users in Authorization Extension Dashboard","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fauthorization-extension\u002Fset-up-authorization-extension-users"},{"title":"Enable API Access to Authorization Extension","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fauthorization-extension\u002Fenable-api-access-to-authorization-extension"},{"title":"Import and Export Authorization Extension Data","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fauthorization-extension\u002Fimport-and-export-authorization-extension-data"},{"title":"Use Rules with the Authorization Extension","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fauthorization-extension\u002Fuse-rules-with-the-authorization-extension"},{"title":"Migrate to Authorization Extension v2","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fauthorization-extension\u002Fmigrate-to-authorization-extension-v2"}]},{"title":"Delegated Administration 
Extension","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fdelegated-administration-extension","showCards":true,"children":[{"title":"Install Delegated Admin Extension","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fdelegated-administration-extension\u002Finstall-delegated-admin-extension"},{"title":"Create Delegated Admin Applications","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fdelegated-administration-extension\u002Fcreate-delegated-admin-applications"},{"title":"Delegated Administration Extension Hooks","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fdelegated-administration-extension\u002Fdelegated-administration-hooks","showCards":true,"children":[{"title":"Delegated Administration: Access Hook","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fdelegated-administration-extension\u002Fdelegated-administration-hooks\u002Fdelegated-administration-access-hook"},{"title":"Delegated Administration: Filter Hook","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fdelegated-administration-extension\u002Fdelegated-administration-hooks\u002Fdelegated-administration-filter-hook"},{"title":"Delegated Administration: Memberships Query Hook","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fdelegated-administration-extension\u002Fdelegated-administration-hooks\u002Fdelegated-administration-memberships-query-hook"},{"title":"Delegated Administration: Settings Query Hook","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fdelegated-administration-extension\u002Fdelegated-administration-hooks\u002Fdelegated-administration-settings-query-hook"},{"title":"Delegated Administration: Write 
Hook","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fdelegated-administration-extension\u002Fdelegated-administration-hooks\u002Fdelegated-administration-write-hook"}]},{"title":"Delegated Administration: Manage Users","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fdelegated-administration-extension\u002Fdelegated-administration-manage-users"}]},{"title":"Single Sign-On Dashboard Extension","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fsingle-sign-on-dashboard-extension","showCards":true,"children":[{"title":"Install Single Sign-On Dashboard Extension","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fsingle-sign-on-dashboard-extension\u002Finstall-sso-dashboard-extension"},{"title":"Create Single Sign-on (SSO) Dashboard Application","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fsingle-sign-on-dashboard-extension\u002Fcreate-sso-dashboard-application"},{"title":"Add Applications to Single Sign-On Dashboard","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fsingle-sign-on-dashboard-extension\u002Fadd-applications-to-the-sso-dashboard"},{"title":"Update Applications in the SSO Dashboard","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fsingle-sign-on-dashboard-extension\u002Fupdate-applications-on-the-sso-dashboard"}]},{"title":"Authentication API Debugger Extension","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fauthentication-api-debugger-extension"},{"title":"Auth0 AD\u002FLDAP Connector Health Monitor Extension","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fad-ldap-connector-health-monitor"},{"title":"Real-time Webtask Logs Extension","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Freal-time-webtask-logs"},{"title":"Account Link 
Extension","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Faccount-link-extension"},{"title":"User Import \u002F Export Extension","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fuser-import-export-extension"}]},{"title":"Integrations ","description":"Reduce implementation time with Auth0-reviewed integrations you can trust.","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations","showCards":true,"children":[{"title":"Integrate with Amazon Web Services and Products","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Faws","showCards":true,"children":[{"title":"Configure Amazon Web Services for Delegated Authentication","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Faws\u002Fhow-to-set-up-aws-for-delegated-authentication"},{"title":"Configure Amazon Web Services for Single Sign-On","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Faws\u002Fconfigure-amazon-web-services-for-sso"},{"title":"Secure AWS API Gateway Endpoints Using Custom Authorizers","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Faws\u002Faws-api-gateway-custom-authorizers"},{"title":"Use Amazon Web Services Session Tags for Role-Based Access Control","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Faws\u002Fsession-tags"},{"title":"Serverless Apps with API Gateway and Lambda","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Faws\u002Faws-api-gateway-delegation","showCards":true,"children":[{"title":"AWS API Gateway Tutorial Step 1","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Faws\u002Faws-api-gateway-delegation\u002Faws-api-gateway-delegation-1"},{"title":"AWS API Gateway Tutorial Step 2","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Faws\u002Faws-api-gateway-delegation\u002Faws-api-gateway-delegation-2"},{"title":"AWS API 
Gateway Tutorial Step 3","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Faws\u002Faws-api-gateway-delegation\u002Faws-api-gateway-delegation-3"},{"title":"AWS API Gateway Tutorial Step 4","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Faws\u002Faws-api-gateway-delegation\u002Faws-api-gateway-delegation-4"},{"title":"AWS API Gateway Tutorial Step 5","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Faws\u002Faws-api-gateway-delegation\u002Faws-api-gateway-delegation-5"}]},{"title":"Integrate with Amazon Cognito","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Faws\u002Famazon-cognito"},{"title":"Secure AWS API Gateway Using Cognito","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Faws\u002Faws-api-gateway-cognito"}]},{"title":"Integrate with Azure API Management","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fazure-api-management"},{"title":"Secure Google Cloud Endpoints with Auth0","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fgoogle-cloud-endpoints"},{"title":"Secure a CLI with Auth0","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fsecure-a-cli-with-auth0"},{"title":"Secure Apigee with Auth0","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fapigee"},{"title":"Single Sign-On Integrations","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fsso-integrations"},{"title":"Marketing Tool Integrations","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fmarketing-tool-integrations","showCards":true,"children":[{"title":"Export User Data to Adobe Campaign","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fmarketing-tool-integrations\u002Fadobe-campaign"},{"title":"Export User Data to 
Alterian","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fmarketing-tool-integrations\u002Falterian"},{"title":"Export User Data to Constant Contact","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fmarketing-tool-integrations\u002Fconstant-contact"},{"title":"Export User Data to Oracle Eloqua","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fmarketing-tool-integrations\u002Feloqua"},{"title":"Export User Data to MailChimp","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fmarketing-tool-integrations\u002Fmailchimp"},{"title":"Export User Data to Marketo","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fmarketing-tool-integrations\u002Fmarketo"},{"title":"Export User Data to Sailthru","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fmarketing-tool-integrations\u002Fsailthru"},{"title":"Export User Data to Salesforce","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fmarketing-tool-integrations\u002Fexport-user-data-salesforce"},{"title":"Export User Data to Salesforce Marketing Cloud","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fmarketing-tool-integrations\u002Fsalesforce-marketing-cloud"},{"title":"Export User Data to Watson Campaign Automation","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fmarketing-tool-integrations\u002Fwatson-campaign-automation"}]},{"title":"Marketplace Partners","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fmarketplace-partners","showCards":true,"children":[{"title":"Introduction to Integrating with Auth0","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fmarketplace-partners\u002Fintroduction-to-integrating-with-auth0"},{"title":"Defining an Integration Use 
Case","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fmarketplace-partners\u002Fdefining-an-integration-use-case"},{"title":"Actions Integrations for Partners","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fmarketplace-partners\u002Factions-integrations-for-partners"},{"title":"Redirect Actions for Partners","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fmarketplace-partners\u002Fredirect-actions-for-partners"},{"title":"Social Connections for Partners","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fmarketplace-partners\u002Fsocial-connections-for-partners"},{"title":"SSO Integrations for Partners","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fmarketplace-partners\u002Fsso-integrations-for-partners"},{"title":"Writing Tips for Installation Guides","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fmarketplace-partners\u002Fwriting-tips-for-installation-guides"}]},{"title":"Integrate with SharePoint 2010\u002F2013","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fsharepoint-2010-2013"},{"title":"Integrate with Vercel","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fintegrate-with-vercel"},{"title":"Connect Provider Hosted Apps to SharePoint Online","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fconnecting-provider-hosted-apps-to-sharepoint-online"},{"title":"CMS Identity Plugins","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fcms","showCards":true,"children":[{"title":"Login by Auth0 Wordpress Plugin","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fcms\u002Fwordpress-plugin","showCards":true,"children":[{"title":"Integrate with 
WordPress","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fcms\u002Fwordpress-plugin\u002Fintegrate-with-wordpress"},{"title":"Install Login by Auth0","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fcms\u002Fwordpress-plugin\u002Finstall-login-by-auth0"},{"title":"Configure Login by Auth0","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fcms\u002Fwordpress-plugin\u002Fconfigure-login-by-auth0"},{"title":"User Migration in Login by Auth0 WordPress Plugin","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fcms\u002Fwordpress-plugin\u002Fuser-migration-in-login-by-auth0"},{"title":"Extend Login by Auth0 WordPress Plugin","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fcms\u002Fwordpress-plugin\u002Fextend-login-by-auth0"},{"title":"Troubleshoot Login by Auth0 WordPress Plugin","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fcms\u002Fwordpress-plugin\u002Ftroubleshoot-login-by-auth0"},{"title":"Troubleshoot WordPress Plugin Invalid State Errors","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fcms\u002Fwordpress-plugin\u002Ftroubleshoot-wordpress-plugin-invalid-state-errors"}]}]},{"title":"Authenticating & Authorizing a Tessel device with Auth0","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fauthenticating-and-authorizing-a-tessel-device-with-auth0"},{"title":"Authenticating & Authorizing Devices using MQTT with Auth0","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fauthenticate-devices-using-mqtt"},{"title":"Migrate Office365 Connections to Windows Azure AD","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fmigrate-office365-connections-to-windows-azure-ad"},{"title":"Office 365 Custom Provisioning","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Foffice-365-custom-provisioning"}]},{"title":"Log 
Streams","description":"Monitor and respond to events such as changed passwords or new registrations with your own business logic.","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Flog-streams","showCards":true,"children":[{"title":"Integrated Log Streaming Services","type":"externalLink","url":"https:\u002F\u002Fmarketplace.auth0.com\u002Ffeatures\u002Flog-streaming","external":true,"forceFullReload":true},{"title":"Create Custom Log Streams Using Webhooks","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Flog-streams\u002Fcustom-log-streams"},{"title":"Check Log Stream Health","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Flog-streams\u002Fcheck-log-stream-health"},{"title":"Log Stream Filters","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Flog-streams\u002Fevent-filters"},{"title":"Use Auth0 App for Splunk","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Flog-streams\u002Fsplunk-dashboard"},{"title":"Use Auth0 App for Sumo Logic","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Flog-streams\u002Fsumo-logic-dashboard"},{"title":"Use Auth0 Dashboard Templates with Datadog","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Flog-streams\u002Fdatadog-dashboard-templates"}]},{"title":"Auth0 Marketplace","type":"externalLink","url":"https:\u002F\u002Fmarketplace.auth0.com\u002F","external":true,"forceFullReload":true}]}],"isActiveUrl":false,"isCurrentUrl":false},{"title":"Secure","description":"Add multi-factor authentication and defend your application from bots, suspicious IPs, and password breaches.","type":"navigationSection","url":"\u002Fdocs\u002Fsecure","icon":"IdenticonSecurity","children":[{"title":"Protect Your Application","description":"Make sure only the right people can access your applications. 
","type":"navigationSubsection","showCards":true,"quickstarts":false,"children":[{"title":"Application Credentials","description":"This section contains information about credentials for your application to authenticate.","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fapplication-credentials","showCards":true,"children":[{"title":"Generate RSA Key Pair","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fapplication-credentials\u002Fgenerate-rsa-key-pair"}],"isActiveUrl":false,"isCurrentUrl":false},{"title":"Attack Protection","description":"Detect attacks and stop malicious attempts to access your applications.","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fattack-protection","showCards":true,"children":[{"title":"Bot Detection","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fattack-protection\u002Fbot-detection","showCards":true,"children":[{"title":"Add Bot Detection to Native Applications","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fattack-protection\u002Fbot-detection\u002Fbot-detection-native-apps"},{"title":"Add Bot Detection to Passwordless Flows","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fattack-protection\u002Fbot-detection\u002Fbot-detection-passwordless-flows"},{"title":"Add Bot Detection to Custom Login Pages","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fattack-protection\u002Fbot-detection\u002Fbot-detection-custom-login-pages"},{"title":"Configure Third-Party CAPTCHA Provider Integrations","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fattack-protection\u002Fbot-detection\u002Fconfigure-captcha"}]},{"title":"Breached Password Detection","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fattack-protection\u002Fbreached-password-detection"},{"title":"Brute-Force Protection","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fattack-protection\u002Fbrute-force-protection"},{"title":"Suspicious IP 
Throttling","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fattack-protection\u002Fsuspicious-ip-throttling"},{"title":"View Attack Protection Log Events","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fattack-protection\u002Fview-attack-protection-events"},{"title":"Prevent Attacks and Redirect Users with OAuth 2.0 State Parameters","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fattack-protection\u002Fstate-parameters"}],"isActiveUrl":false,"isCurrentUrl":false},{"title":"Continuous Session Protection","description":"Enhance security and tailor the user experience through customizable session and refresh token management. ","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fcontinuous-session-protection","showCards":true,"isActiveUrl":false,"isCurrentUrl":false},{"title":"Highly Regulated Identity","description":"Highly Regulated Identity is Auth0's Financial-Grade Identity ","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity","showCards":false,"children":[{"title":"Transactional Authorization with Contextual Strong Customer Authentication","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca"},{"title":"Customer Managed Keys","description":"Learn about how to manage your Auth0 keys","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Fcustomer-managed-keys","showCards":true,"children":[{"title":"Configure Customer Managed Keys with the Dashboard","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Fcustomer-managed-keys\u002Fcustomer-managed-keys-dashboard"},{"title":"Configure Customer Managed Keys with the Management API","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Fcustomer-managed-keys\u002Fcustomer-managed-keys-management-api"}]}],"isActiveUrl":true,"isCurrentUrl":true},{"title":"Multi-Factor 
Authentication","description":"Add additional checks to ensure passwords match up with the identity of the user or device accessing your applications.","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication","showCards":true,"children":[{"title":"Enable Multi-Factor Authentication","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fenable-mfa"},{"title":"Multi-Factor Authentication Factors","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fmulti-factor-authentication-factors","showCards":true,"children":[{"title":"Configure Push Notifications for MFA","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fmulti-factor-authentication-factors\u002Fconfigure-push-notifications-for-mfa"},{"title":"Configure OTP Notifications for MFA","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fmulti-factor-authentication-factors\u002Fconfigure-otp-notifications-for-mfa"},{"title":"Configure Email Notifications for MFA","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fmulti-factor-authentication-factors\u002Fconfigure-email-notifications-for-mfa"},{"title":"Configure SMS and Voice Notifications for MFA","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fmulti-factor-authentication-factors\u002Fconfigure-sms-voice-notifications-mfa"}]},{"title":"WebAuthn as Multi-Factor Authentication","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fwebauthn-as-mfa"},{"title":"Configure Cisco Duo Security for MFA","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fconfigure-cisco-duo-for-mfa"},{"title":"FIDO Authentication with 
WebAuthn","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Ffido-authentication-with-webauthn","showCards":true,"children":[{"title":"Configure WebAuthn with Security Keys for MFA","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Ffido-authentication-with-webauthn\u002Fconfigure-webauthn-security-keys-for-mfa"},{"title":"Configure WebAuthn with Device Biometrics for MFA","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Ffido-authentication-with-webauthn\u002Fconfigure-webauthn-device-biometrics-for-mfa"}]},{"title":"Adaptive MFA","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fadaptive-mfa","showCards":true,"children":[{"title":"Enable Adaptive MFA","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fadaptive-mfa\u002Fenable-adaptive-mfa"},{"title":"Customize Adaptive MFA","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fadaptive-mfa\u002Fcustomize-adaptive-mfa"},{"title":"Adaptive MFA Log Events","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fadaptive-mfa\u002Fadaptive-mfa-log-events"}]},{"title":"Auth0 Guardian","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fauth0-guardian","showCards":true,"children":[{"title":"Guardian.swift iOS SDK","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fauth0-guardian\u002Fguardian-for-ios-sdk"},{"title":"Guardian for Android SDK","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fauth0-guardian\u002Fguardian-for-android-sdk"}]},{"title":"Customize MFA","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fcustomize-mfa","showCards":true,"children":[{"title":"Customize MFA Selection for Universal 
Login","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fcustomize-mfa\u002Fcustomize-mfa-selection-universal-login"},{"title":"Customize MFA Enrollments for Universal Login","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fcustomize-mfa\u002Fcustomize-mfa-enrollments-universal-login"},{"title":"Customize MFA for Classic Login","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fcustomize-mfa\u002Fcustomize-mfa-classic-login"},{"title":"MFA Theme Language Dictionary","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fcustomize-mfa\u002Fmfa-theme-language-dictionary"},{"title":"MFA Widget Theme Options","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fcustomize-mfa\u002Fmfa-widget-theme-options"}]},{"title":"Authenticate Using ROPG Flow with MFA","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fauthenticate-using-ropg-flow-with-mfa","showCards":true,"children":[{"title":"Enroll and Challenge SMS and Voice Authenticators","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fauthenticate-using-ropg-flow-with-mfa\u002Fenroll-challenge-sms-voice-authenticators"},{"title":"Enroll and Challenge OTP Authenticators","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fauthenticate-using-ropg-flow-with-mfa\u002Fenroll-and-challenge-otp-authenticators"},{"title":"Enroll and Challenge Push Authenticators","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fauthenticate-using-ropg-flow-with-mfa\u002Fenroll-and-challenge-push-authenticators"},{"title":"Enroll and Challenge Email 
Authenticators","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fauthenticate-using-ropg-flow-with-mfa\u002Fenroll-and-challenge-email-authenticators"},{"title":"Import User MFA Authenticator Enrollments","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fauthenticate-using-ropg-flow-with-mfa\u002Fimport-user-mfa-authenticator-enrollments"},{"title":"Challenge with Recovery Codes","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fauthenticate-using-ropg-flow-with-mfa\u002Fchallenge-with-recovery-codes"}]},{"title":"Step-Up Authentication","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fstep-up-authentication","showCards":true,"children":[{"title":"Configure Step-up Authentication for APIs","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fstep-up-authentication\u002Fconfigure-step-up-authentication-for-apis"},{"title":"Configure Step-up Authentication for Web Apps","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fstep-up-authentication\u002Fconfigure-step-up-authentication-for-web-apps"}]},{"title":"Configure Recovery Codes for MFA","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fconfigure-recovery-codes-for-mfa"},{"title":"Manage Authentication Factors with APIs","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fmanage-mfa-auth0-apis","showCards":true,"children":[{"title":"Manage Authentication Methods with Management API","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fmanage-mfa-auth0-apis\u002Fmanage-authentication-methods-with-management-api"},{"title":"Manage Authentication Factors with Authentication 
API","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fmanage-mfa-auth0-apis\u002Fmanage-authenticator-factors-mfa-api"}]},{"title":"Reset User Multi-Factor Authentication and Recovery Codes","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Freset-user-mfa"},{"title":"Multi-factor Authentication Developer Resources","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fmulti-factor-authentication-developer-resources","showCards":true,"children":[{"title":"Auth0 MFA API","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fmulti-factor-authentication-developer-resources\u002Fmfa-api"},{"title":"Create Custom Enrollment Tickets","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fmulti-factor-authentication-developer-resources\u002Fcreate-custom-enrollment-tickets"},{"title":"Install Guardian SDK","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fmulti-factor-authentication-developer-resources\u002Finstall-guardian-sdk"},{"title":"Guardian Error Code Reference","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fmulti-factor-authentication-developer-resources\u002Fguardian-error-code-reference"},{"title":"Auth0 MFA Client Library","type":"externalLink","url":"https:\u002F\u002Fgithub.com\u002Fauth0\u002Fauth0-guardian.js","external":true,"forceFullReload":true},{"title":"Create Custom MFA Widget","type":"externalLink","url":"https:\u002F\u002Fgithub.com\u002Fauth0\u002Fauth0-guardian.js\u002Ftree\u002Fmaster\u002Fexample","external":true,"forceFullReload":true}]}],"isActiveUrl":false,"isCurrentUrl":false},{"title":"Security Center","description":"Observe potential attack trends and quickly respond to them in 
real-time.","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-center","showCards":true,"children":[{"title":"Metrics","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-center\u002Fmetrics"},{"title":"Prioritized Log Streams","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-center\u002Fprioritized-log-streams"},{"title":"Configure Security Monitoring Alerts","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-center\u002Fsecurity-alerts"}],"isActiveUrl":false,"isCurrentUrl":false},{"title":"Security Guidance","description":"View security bulletins and learn basic tips to secure data and accounts.","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance","showCards":true,"children":[{"title":"General Security Tips","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Ftips"},{"title":"Security Bulletins","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins","showCards":true,"children":[{"title":"CVE-2022-23539, CVE-2022-23541, CVE-2022-23540: Security Update for jsonwebtoken","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002F2022-12-21-jsonwebtoken"},{"title":"CVE-2022-23505: Security Update for passport-wsfed-saml2 Library","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2022-23505"},{"title":"CVE-2022-24794: Security Update for Express OpenID Connect Library","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2022-24794"},{"title":"CVE-2021-43812: Security Update for Next.js Auth0 Library","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2021-43812"},{"title":"CVE-2021-41246: Security Update for Express OpenID Connect 
Library","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2021-41246"},{"title":"CVE-2021-32702: Security Update for Auth0 Next.js Library","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2021-32702"},{"title":"CVE-2021-32641: Security Update for Auth0 Lock Library","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2021-32641"},{"title":"CVE-2020-15259: Security Update for ad-ldap-connector","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2020-15259"},{"title":"CVE-2020-15240: Security Update for omniauth-auth0 JWT Validation","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2020-15240"},{"title":"CVE-2020-15125: Security Update for node-auth0 Library","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2020-15125"},{"title":"CVE-2020-15119: Security Update for Auth0 Lock Library","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2020-15119"},{"title":"CVE-2020-15084: Security Update for express-jwt Library","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2020-15084"},{"title":"CVE-2020-5391, CVE-2020-5392, CVE-2020-6753, CVE-2020-7948, CVE-2020-7947: Security Update for WordPress Plugin for Auth0","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002F2020-03-31-wpauth0"},{"title":"CVE-2020-5263: Security Update for auth0.js Library","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2020-5263"},{"title":"CVE-2019-20174: Security Update for Auth0 Lock 
Library","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2019-20174"},{"title":"CVE-2019-16929: Security Vulnerability in auth0.net","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2019-16929"},{"title":"CVE-2019-13483: Security Vulnerability in Passport-SharePoint","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2019-13483"},{"title":"CVE-2019-7644: Security Vulnerability in Auth0-WCF-Service-JWT","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2019-7644"},{"title":"CVE-2019-20173: Security Update for WordPress Plugin for Auth0 wp-auth0","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2019-20173"},{"title":"CVE-2018-15121: Security Vulnerability in auth0-aspnet and auth0-aspnet-owin","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2018-15121"},{"title":"CVE-2018-11537: Security Update for angular-jwt Allow List Bypass","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2018-11537"},{"title":"CVE-2018-7307: Security Vulnerability for auth0.js \u003C 9.3","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2018-7307"},{"title":"CVE-2018-6874: Security Vulnerability in the Auth0 Authentication Service","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2018-6874"},{"title":"CVE-2018-6873: Security Vulnerability in the Auth0 Authentication Service","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2018-6873"},{"title":"CVE-2017-17068: Security Update for auth0.js Popup Callback 
Vulnerability","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2017-17068"},{"title":"CVE-2017-16897: Security Update for passport-wsfed-saml2 Passport Strategy Library","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2017-16897"},{"title":"Auth0 Security Bulletin for Rules","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002F2019-01-10-rules"},{"title":"Auth0 Security Bulletin for Assigning Scopes Based on Email Address","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002F2019-09-05-scopes"}]},{"title":"Data Security","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fdata-security","showCards":true,"children":[{"title":"Auth0 IP Addresses for Allow Lists ","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fdata-security\u002Fallowlist"},{"title":"Add User Attributes to Deny List","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fdata-security\u002Fdenylist"},{"title":"User Data Storage","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fdata-security\u002Fuser-data-storage"},{"title":"Token Storage","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fdata-security\u002Ftoken-storage"}]},{"title":"Prevent Common Cybersecurity Threats","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fprevent-threats"},{"title":"Incident Response: Using Logs","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fincident-response-using-logs"}],"isActiveUrl":false,"isCurrentUrl":false},{"title":"Tokens","description":"Explore the types of tokens related to identity and authentication and how they are used by 
Auth0.","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Ftokens","showCards":true,"children":[{"title":"JSON Web Tokens","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Fjson-web-tokens","showCards":true,"children":[{"title":"JSON Web Token Structure","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Fjson-web-tokens\u002Fjson-web-token-structure"},{"title":"JSON Web Token Claims","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Fjson-web-tokens\u002Fjson-web-token-claims"},{"title":"Create Custom Claims","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Fjson-web-tokens\u002Fcreate-custom-claims"},{"title":"Validate JSON Web Tokens","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Fjson-web-tokens\u002Fvalidate-json-web-tokens"},{"title":"JSON Web Key Sets","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Fjson-web-tokens\u002Fjson-web-key-sets"},{"title":"JSON Web Key Set Properties","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Fjson-web-tokens\u002Fjson-web-key-set-properties"},{"title":"Locate JSON Web Key Sets","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Fjson-web-tokens\u002Flocate-json-web-key-sets"}]},{"title":"ID Tokens","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Fid-tokens","showCards":true,"children":[{"title":"Validate ID Tokens","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Fid-tokens\u002Fvalidate-id-tokens"},{"title":"Get ID Tokens","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Fid-tokens\u002Fget-id-tokens"},{"title":"ID Token Structure","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Fid-tokens\u002Fid-token-structure"},{"title":"Update ID Token Lifetime","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Fid-tokens\u002Fupdate-id-token-lifetime"}]},{"title":"Access 
Tokens","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens","showCards":true,"children":[{"title":"Access Token Profiles","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Faccess-token-profiles"},{"title":"Get Access Tokens","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fget-access-tokens"},{"title":"Use Access Tokens","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fuse-access-tokens"},{"title":"Validate Access Tokens","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fvalidate-access-tokens"},{"title":"Update Access Token Lifetime","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fupdate-access-token-lifetime"},{"title":"Identity Provider Access Tokens","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fidentity-provider-access-tokens"},{"title":"Management API Access Tokens","description":"Learn about Auth0 Management APIv2 Access Tokens and how to use them.","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fmanagement-api-access-tokens","showCards":false,"children":[{"title":"Get Management API Access Tokens for Testing","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fmanagement-api-access-tokens\u002Fget-management-api-access-tokens-for-testing"},{"title":"Get Management API Access Tokens for Production","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fmanagement-api-access-tokens\u002Fget-management-api-access-tokens-for-production"},{"title":"Get Management API Access Tokens for Single-Page Applications","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fmanagement-api-access-tokens\u002Fget-management-api-tokens-for-single-page-applications"},{"title":"Changes in Auth0 Management APIv2 
Tokens","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fmanagement-api-access-tokens\u002Fchanges-in-auth0-management-apiv2-tokens"}]},{"title":"JSON Web Encryption","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fjson-web-encryption"}]},{"title":"Delegation Tokens","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Fdelegation-tokens"},{"title":"Refresh Tokens","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Frefresh-tokens","showCards":true,"children":[{"title":"Get Refresh Tokens","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Frefresh-tokens\u002Fget-refresh-tokens"},{"title":"Use Refresh Tokens","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Frefresh-tokens\u002Fuse-refresh-tokens"},{"title":"Configure Refresh Token Expiration","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Frefresh-tokens\u002Fconfigure-refresh-token-expiration"},{"title":"Refresh Token Rotation","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Frefresh-tokens\u002Frefresh-token-rotation"},{"title":"Configure Refresh Token Rotation","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Frefresh-tokens\u002Fconfigure-refresh-token-rotation"},{"title":"Use Refresh Token Rotation","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Frefresh-tokens\u002Fuse-refresh-token-rotation"},{"title":"Disable Refresh Token Rotation","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Frefresh-tokens\u002Fdisable-refresh-token-rotation"},{"title":"Revoke Refresh Tokens","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Frefresh-tokens\u002Frevoke-refresh-tokens"},{"title":"Refresh Tokens with Actions","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Frefresh-tokens\u002Fmanage-refresh-tokens-actions"}]},{"title":"Revoke 
Tokens","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Frevoke-tokens"},{"title":"Manage Refresh Tokens with Auth0 Management API","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Fmanage-refresh-tokens-with-auth0-management-api"},{"title":"Token Best Practices","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Ftoken-best-practices"}],"isActiveUrl":false,"isCurrentUrl":false}],"isActiveUrl":true,"isCurrentUrl":false},{"title":"Compliance","description":"Learn how Auth0 meets requirements for multiple compliance frameworks and certifications, including GDPR and HIPAA.","type":"navigationSubsection","showCards":true,"quickstarts":false,"children":[{"title":"Data Privacy and Compliance","description":"Read about Auth0’s compliance qualifications and data processing.","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fdata-privacy-and-compliance","showCards":true,"children":[{"title":"GDPR","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fdata-privacy-and-compliance\u002Fgdpr","showCards":true,"children":[{"title":"GDPR: Conditions for Consent","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fdata-privacy-and-compliance\u002Fgdpr\u002Fgdpr-conditions-for-consent"},{"title":"GDPR: Track Consent with Custom UI","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fdata-privacy-and-compliance\u002Fgdpr\u002Fgdpr-track-consent-with-custom-ui"},{"title":"GDPR: Track Consent with Lock","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fdata-privacy-and-compliance\u002Fgdpr\u002Fgdpr-track-consent-with-lock"},{"title":"GDPR: Right to Access, Correct, and Erase Data","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fdata-privacy-and-compliance\u002Fgdpr\u002Fgdpr-right-to-access-correct-and-erase-data"},{"title":"GDPR: Data Minimization","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fdata-privacy-and-compliance\u002Fgdpr\u002Fgdpr-data-minimization"},{"title":"GDPR: Data 
Portability","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fdata-privacy-and-compliance\u002Fgdpr\u002Fgdpr-data-portability"},{"title":"GDPR: Protect and Secure User Data","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fdata-privacy-and-compliance\u002Fgdpr\u002Fgdpr-protect-and-secure-user-data"}]},{"title":"Auth0 Data Processing","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fdata-privacy-and-compliance\u002Fdata-processing"}]}],"isActiveUrl":false,"isCurrentUrl":false}],"isActiveUrl":true,"isCurrentUrl":false},{"title":"Deploy and Monitor","description":"Deploy Auth0 for your applications and monitor system health and events.","type":"navigationSection","url":"\u002Fdocs\u002Fdeploy-monitor","icon":"IdenticonMonitoring","children":[{"title":"Deployment","description":"Plan, check, and execute your Auth0 deployment.","type":"navigationSubsection","showCards":true,"quickstarts":false,"children":[{"title":"Deployment Options","description":"Evaluate whether to deploy to the public cloud or to a private cloud.","type":"navigationItem","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fdeployment-options","showCards":true},{"title":"Private Cloud Deployments","description":"Explore the capabilities and limitations of different AWS and Azure private cloud options.","type":"navigationItem","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fdeploy-private-cloud","showCards":true,"children":[{"title":"Private Cloud on AWS","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fdeploy-private-cloud\u002Fprivate-cloud-on-aws"},{"title":"Private Cloud on Azure","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fdeploy-private-cloud\u002Fprivate-cloud-on-azure"},{"title":"Private Cloud Add-on Features","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fdeploy-private-cloud\u002Fprivate-cloud-add-on-features"}]},{"title":"Pre-Deployment Checks","description":"Run checks to ensure that your applications are ready for 
production.","type":"navigationItem","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fpre-deployment-checks","showCards":true,"children":[{"title":"Run Production Readiness Checks","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fpre-deployment-checks\u002Fhow-to-run-production-checks"},{"title":"Production Readiness Checks: Critical Fixes","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fpre-deployment-checks\u002Fproduction-check-required-fixes"},{"title":"Production Readiness Checks: Non-Critical Fixes","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fpre-deployment-checks\u002Fproduction-check-recommended-fixes"},{"title":"Production Readiness Checks: Best Practices","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fpre-deployment-checks\u002Fproduction-checks-best-practices"},{"title":"Run Pre-Deployment Tests","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fpre-deployment-checks\u002Fpredeployment-tests"},{"title":"Pre-Launch Tips","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fpre-deployment-checks\u002Fpre-launch-tips"}]},{"title":"Deployment Checklist","description":"Explore the Auth0-provided general deployment checklist for Auth0 implementations.","type":"navigationItem","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fdeploy-checklist","showCards":true},{"title":"Deploy CLI Tool","description":"Learn how Auth0 supports continuous integration and deployment using the Deploy CLI tool.","type":"navigationItem","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fdeploy-cli-tool","showCards":true,"children":[{"title":"Use as a CLI","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fdeploy-cli-tool\u002Fuse-as-a-cli"},{"title":"Use as a Node Module","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fdeploy-cli-tool\u002Fuse-as-a-node-module"},{"title":"Configure the Deploy 
CLI","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fdeploy-cli-tool\u002Fconfigure-the-deploy-cli"},{"title":"Authenticate with your Tenant","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fdeploy-cli-tool\u002Fauthenticate-with-your-tenant"},{"title":"Keyword Replacement","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fdeploy-cli-tool\u002Fkeyword-replacement"},{"title":"Incorporate into Multi-environment Workflows","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fdeploy-cli-tool\u002Fincorporate-into-multi-environment-workflows"},{"title":"Exclude Resources From Management","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fdeploy-cli-tool\u002Fexclude-resources-from-management"},{"title":"Resource-specific Documentation","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fdeploy-cli-tool\u002Fresource-specific-documentation"},{"title":"Available Resource Configuration Formats","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fdeploy-cli-tool\u002Favailable-resource-configuration-formats"}]},{"title":"Auth0 Terraform Provider","description":"Learn about the Auth0 Terraform Provider and how to use it to manage deployment of your Auth0 instances.","type":"navigationItem","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fauth0-terraform-provider","showCards":false},{"title":"Deployment Best Practices","description":"Explore best practices for deploying Auth0 implementations.","type":"navigationItem","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fdeployment-best-practices","showCards":true}]},{"title":"Monitoring","description":"Monitor events and service status and work with tenant log event data.","type":"navigationSubsection","showCards":true,"quickstarts":false,"children":[{"title":"Monitor","description":"Monitor your Auth0 implementation and Auth0 status and services.","type":"navigationItem","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fmonitor","showCards":true,"children":[{"title":"Check Auth0 
Status","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fmonitor\u002Fcheck-auth0-status"},{"title":"Check External Services Status","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fmonitor\u002Fcheck-external-services-status"},{"title":"Monitor Applications","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fmonitor\u002Fmonitor-applications"},{"title":"Monitor Auth0 Using System Center Operations Manager","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fmonitor\u002Fmonitor-using-scom"}]},{"title":"Logs","description":"Manage event logs for business analysis and insights. ","type":"navigationItem","url":"\u002Fdocs\u002Fdeploy-monitor\u002Flogs","showCards":true,"children":[{"title":"Personally Identifiable Information in Auth0 Logs","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Flogs\u002Fpii-in-logs"},{"title":"Log Data Retention","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Flogs\u002Flog-data-retention"},{"title":"View Log Events","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Flogs\u002Fview-log-events"},{"title":"Filter Log Events","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Flogs\u002Flog-event-filters"},{"title":"Prompt Details in Tenant Logs","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Flogs\u002Fprompt-details-in-tenant-logs"},{"title":"Retrieve Log Events Using the Management API","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Flogs\u002Fretrieve-log-events-using-mgmt-api"},{"title":"Log Event Type Codes","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Flogs\u002Flog-event-type-codes"},{"title":"Log Search Query Syntax","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Flogs\u002Flog-search-query-syntax"},{"title":"Export Log Events with 
Rules","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Flogs\u002Fexport-log-events-with-rules"}]}]}],"isActiveUrl":false,"isCurrentUrl":false},{"title":"Troubleshoot","description":"Troubleshoot challenges, learn about Auth0’s different levels of support, and get help.","type":"navigationSection","url":"\u002Fdocs\u002Ftroubleshoot","icon":"IdenticonTroubleshoot","children":[{"title":"Get Support","description":"Learn about Auth0’s support plans and procedures, service agreements, and community.","type":"navigationSubsection","showCards":true,"quickstarts":false,"children":[{"title":"Customer Support","description":"Learn about the different levels of support at Auth0.","type":"navigationItem","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support","showCards":true,"children":[{"title":"Premier Success Plans","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Fsupport-plans"},{"title":" Support Channels","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Fsupport-channels"},{"title":"Self Service Support","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Fself-service-support"},{"title":"Product Support Matrix","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Fproduct-support-matrix"},{"title":"Service Levels","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Fservices-level-descriptions"},{"title":"Open and Manage Support Tickets","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Fopen-and-manage-support-tickets"},{"title":"Manage Subscriptions","type":"navigationItem","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Fmanage-subscriptions","showCards":true,"children":[{"title":"Downgrade or Cancel Auth0 
Subscriptions","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Fmanage-subscriptions\u002Fdowngrade-or-cancel-subscriptions"},{"title":"Delete or Reset Tenants","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Fmanage-subscriptions\u002Fdelete-or-reset-tenant"},{"title":"Export Data","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Fmanage-subscriptions\u002Fexport-data"},{"title":"Monitor Subscription Usage","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Fmanage-subscriptions\u002Fmonitor-subscription-usage"}]},{"title":"Reset Account Passwords","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Freset-account-passwords"},{"title":"Software Updates","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Fsoftware-updates"},{"title":"Auth0 Versioning Strategy","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Fversioning-strategy"},{"title":"Operational Policies","type":"navigationItem","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Foperational-policies","showCards":true,"children":[{"title":"Billing Policy","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Foperational-policies\u002Fbilling-policy"},{"title":"Auth0 Public Cloud Service Endpoints","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Foperational-policies\u002Fpublic-cloud-service-endpoints"},{"title":"Data Export and Transfer Policy","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Foperational-policies\u002Fdata-export-and-transfer-policy"},{"title":"Change Freeze Policy","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Foperational-policies\u002Fchange-freeze-policy"},{"title":"Load Testing 
Policy","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Foperational-policies\u002Fload-testing-policy"},{"title":"Penetration Testing Policy","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Foperational-policies\u002Fpenetration-testing-policy"},{"title":"Rate Limit Policy","type":"navigationItem","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Foperational-policies\u002Frate-limit-policy","showCards":true,"children":[{"title":"Rate Limit Use Cases","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Foperational-policies\u002Frate-limit-policy\u002Frate-limit-use-cases"},{"title":"Rate Limit Configurations","description":"Rate limit configurations for each subscription type","type":"navigationItem","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Foperational-policies\u002Frate-limit-policy\u002Frate-limit-configurations","showCards":true,"children":[{"title":"Free","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Foperational-policies\u002Frate-limit-policy\u002Frate-limit-configurations\u002Ffree-public"},{"title":"Self Service","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Foperational-policies\u002Frate-limit-policy\u002Frate-limit-configurations\u002Fself-service-public"},{"title":"Enterprise","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Foperational-policies\u002Frate-limit-policy\u002Frate-limit-configurations\u002Fenterprise-public"},{"title":"Tier Dev Private Cloud","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Foperational-policies\u002Frate-limit-policy\u002Frate-limit-configurations\u002Ftier-20-development-private-cloud"},{"title":"Private Cloud Basic 100 RPS 
(1x)","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Foperational-policies\u002Frate-limit-policy\u002Frate-limit-configurations\u002Ftier-100-rps-private-cloud"},{"title":"Private Cloud Performance 500 RPS (5x)","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Foperational-policies\u002Frate-limit-policy\u002Frate-limit-configurations\u002Ftier-500-rps-private-cloud"},{"title":"Private Cloud Performance 1500 RPS (15x)","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Foperational-policies\u002Frate-limit-policy\u002Frate-limit-configurations\u002Ftier-1500-rps-private-cloud"},{"title":"Private Cloud Performance 3000 RPS (30x) and 3000 RPS (30x) Burst","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Foperational-policies\u002Frate-limit-policy\u002Frate-limit-configurations\u002Ftier-3000-rps-private-cloud"},{"title":"Private Cloud Performance 6000 RPS (60x) and 6000 RPS (60x) Burst","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Foperational-policies\u002Frate-limit-policy\u002Frate-limit-configurations\u002Ftier-6000-rps-private-cloud"}]}]},{"title":"Entity Limit Policy","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Foperational-policies\u002Fentity-limit-policy"}]},{"title":"Auth0 Changelog","type":"externalLink","url":"https:\u002F\u002Fauth0.com\u002Fchangelog","external":true,"forceFullReload":true},{"title":"Responsible Disclosure Program Security Support Tickets","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Fresponsible-disclosure-program-security-support-tickets"},{"title":"Auth0 Enterprise and Premier Support","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Fauth0-enterprise-and-premier-support"},{"title":"Update Billing 
Information","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Fupdate-billing-information"}]}]},{"title":"Troubleshoot","description":"Explore solutions to common challenges.","type":"navigationSubsection","showCards":true,"quickstarts":false,"children":[{"title":"Commonplace Issues","description":"Learn fundamental troubleshooting tactics.","type":"navigationItem","url":"\u002Fdocs\u002Ftroubleshoot\u002Fbasic-issues","showCards":true,"children":[{"title":"Verify Platform","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fbasic-issues\u002Fverify-platform"},{"title":"Verify Connections","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fbasic-issues\u002Fverify-connections"},{"title":"Verify Domain","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fbasic-issues\u002Fverify-domain"},{"title":"Verify Rules","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fbasic-issues\u002Fverify-rules"},{"title":"Check Error Messages","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fbasic-issues\u002Fcheck-error-messages"},{"title":"Troubleshoot Invalid Token Errors","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fbasic-issues\u002Finvalid-token-errors"},{"title":"Check for Deprecation Errors","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fbasic-issues\u002Fsearch-logs-for-deprecation-errors"},{"title":"Deprecation Errors","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fbasic-issues\u002Fcheck-deprecation-errors"},{"title":"Recover Administrative Access to a Tenant","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fbasic-issues\u002Frecover-administrative-access-to-a-tenant"}]},{"title":"Authentication Issues","description":"Troubleshoot login and other authentication issues.","type":"navigationItem","url":"\u002Fdocs\u002Ftroubleshoot\u002Fauthentication-issues","showCards":true,"children":[{"title":"Check API 
Calls","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fauthentication-issues\u002Fcheck-api-calls"},{"title":"Check Login and Logout Issues","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fauthentication-issues\u002Fcheck-login-and-logout-issues"},{"title":"Check User Profiles","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fauthentication-issues\u002Fcheck-user-profiles"},{"title":"Troubleshoot Role-Based Access Control and Authorization","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fauthentication-issues\u002Ftroubleshoot-rbac-authorization"},{"title":"Troubleshoot Multi-Factor Authentication Issues","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fauthentication-issues\u002Ftroubleshoot-mfa-issues"},{"title":"Troubleshoot SAML Configurations","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fauthentication-issues\u002Ftroubleshoot-saml-configurations"},{"title":"Troubleshoot SAML Errors","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fauthentication-issues\u002Fsaml-errors"},{"title":"Self Change Password Errors","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fauthentication-issues\u002Fself-change-password-errors"},{"title":"Troubleshoot Authorization Extension","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fauthentication-issues\u002Ftroubleshoot-authorization-extension"},{"title":"Troubleshoot Renew Tokens When Using Safari","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fauthentication-issues\u002Frenew-tokens-when-using-safari"}]},{"title":"Integration and Extensibility Issues","description":"Troubleshoot issues integrating with third-party solutions.","type":"navigationItem","url":"\u002Fdocs\u002Ftroubleshoot\u002Fintegration-extensibility-issues","showCards":true,"children":[{"title":"Troubleshoot Custom 
Domains","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fintegration-extensibility-issues\u002Ftroubleshoot-custom-domains"},{"title":"Troubleshoot AD\u002FLDAP Connector","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fintegration-extensibility-issues\u002Ftroubleshoot-ad-ldap-connector"},{"title":"Troubleshoot Extensions","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fintegration-extensibility-issues\u002Ftroubleshoot-extensions"},{"title":"Troubleshoot Deploy CLI Tool","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fintegration-extensibility-issues\u002Ftroubleshoot-the-deploy-cli-tool"}]},{"title":"Troubleshooting Tools","description":"Learn how to generate and analyze HAR files, debug, and inspect tokens.","type":"navigationItem","url":"\u002Fdocs\u002Ftroubleshoot\u002Ftroubleshooting-tools","showCards":true,"children":[{"title":"Generate and Analyze HAR Files","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Ftroubleshooting-tools\u002Fgenerate-and-analyze-har-files"},{"title":"Sanitize HTTP Traces","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Ftroubleshooting-tools\u002Fsanitize-http-traces"},{"title":"JSON Web Token Inspector","type":"externalLink","url":"https:\u002F\u002Fjwt.io","external":true,"forceFullReload":true}]},{"title":"Debugging Best Practices","description":"Explore best practices for debugging your Auth0 implementation.","type":"navigationItem","url":"\u002Fdocs\u002Ftroubleshoot\u002Fdebugging-best-practices","showCards":true},{"title":"Error Handling Best Practices","description":"Explore best practices for handling error conditions.","type":"navigationItem","url":"\u002Fdocs\u002Ftroubleshoot\u002Ferror-handling-best-practices","showCards":true},{"title":"Performance Best Practices","description":"Learn about best practices for performance.","type":"navigationItem","url":"\u002Fdocs\u002Ftroubleshoot\u002Fperformance-best-practices","showCards":true},{"title":"General Usage and 
Operations Best Practices","description":"Explore best practices for general Auth0 usage and operation.","type":"navigationItem","url":"\u002Fdocs\u002Ftroubleshoot\u002Fgeneral-usage-and-operations-best-practices","showCards":true}]},{"title":"Auth0 Product Lifecycle","description":"Discover our iterative approach to product delivery.","type":"navigationSubsection","showCards":true,"quickstarts":false,"children":[{"title":"Product Lifecycle","description":"Learn how we’re constantly improving.","type":"navigationItem","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle","showCards":true,"children":[{"title":"Product Release Stages","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fproduct-release-stages"},{"title":"Migration Process","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fmigration-process"},{"title":"Deprecations and Migrations","type":"navigationItem","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fdeprecations-and-migrations","showCards":true,"children":[{"title":"Migrate from Node 12 and 16 to Node 18","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fdeprecations-and-migrations\u002Fmigrate-nodejs-16-to-nodejs-18"}]},{"title":"Past Migrations","type":"navigationItem","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations","showCards":true,"children":[{"title":"Migrate from edge.js extensibility features","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Fmigrate-from-edge-js-extensibility-features"},{"title":"Migrate from oracledb extensibility features","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Fmigrate-from-oracledb-extensibility-features"},{"title":"Migrate Custom 
Claims","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Fcustom-claims-migration"},{"title":"Migrate from Log Extensions","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Fmigrate-from-log-extensions"},{"title":"Migrate Tenant Hostname Validation","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Ftenant-hostname-migration"},{"title":"Migrate to Node.js 16","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Fmigrate-to-nodejs-16"},{"title":"Migrate from Node.js 8 to Node.js 12","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Fmigrate-to-nodejs-12"},{"title":"Migrate to Management API v2 Endpoint Paginated Queries","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Fmigrate-to-paginated-queries"},{"title":"Migrate to New Tenant Member Roles","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Fmigrate-tenant-member-roles"},{"title":"Migrate from Search v2 to v3","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Fmigrate-v2-v3"},{"title":"Migrate to Passwordless Endpoint from Confidential Applications","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Fmigrate-to-passwordless"},{"title":"Clickjacking Protection for Universal Login Change","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Fclickjacking-protection-for-universal-login"},{"title":"Migrate to Management API Endpoints with Access Tokens","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Fmigrate-to-calling-api-with-access-tokens"},{"title":"Migrate to 
Access Tokens for Account Linking","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Flink-user-accounts-with-access-tokens-migration"},{"title":"Migrate Your Resource Owner Passwordless Credentials Exchange","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Fresource-owner-passwordless-credentials-exchange"},{"title":"Migrate Your Resource Owner Password Flow","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Fmigration-oauthro-oauthtoken"},{"title":"Instagram Connection Deprecation","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Finstagram-connection-deprecation"},{"title":"Yahoo API Changes","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Fyahoo-api-changes"},{"title":"Migrate from Google to Firebase Cloud Messaging","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Fgoogle-firebase-migration"},{"title":"Facebook Social Context Field Deprecation","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Ffacebook-social-context-field-deprecation"},{"title":"Facebook Graph API Changes","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Ffacebook-graph-api-changes"},{"title":"Migrate from Embedded Login to Universal Login","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Fmigrate-from-embedded-login-to-universal-login"},{"title":"Migrate from Legacy Authentication Flows","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Fmigrate-from-legacy-auth-flows"},{"title":"Migrate to Tenant Log Search 
v3","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Fmigrate-to-tenant-log-search-v3"},{"title":"Migrate to 1-Hour Login Flows Expiration","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Fmigrate-to-1-hour-expiration"}]}]}]},{"title":"Auth0 Community","type":"externalLink","url":"https:\u002F\u002Fcommunity.auth0.com\u002F","external":true,"forceFullReload":true},{"title":"Auth0 Blog","type":"externalLink","url":"https:\u002F\u002Fauth0.com\u002Fblog\u002F","external":true,"forceFullReload":true}],"isActiveUrl":false,"isCurrentUrl":false}],"apis":[{"title":"Overview","url":"\u002Fdocs\u002Fapi"},{"title":"Testing with Postman","url":"\u002Fdocs\u002Fapi\u002Fuse-auth0-apis-with-postman-collections","hidden":true},{"title":"Authentication API","url":"\u002Fdocs\u002Fapi\u002Fauthentication","external":true,"forceFullReload":true},{"title":"Changes in Management API v2","url":"\u002Fdocs\u002Fapi\u002Fmanagement-api-changes-v1-to-v2","forceFullReload":true,"hidden":true},{"title":"Management API Explorer","url":"\u002Fdocs\u002Fapi\u002Fmanagement\u002Fv2\u002F","forceFullReload":true,"external":true}],"libraries":[{"title":"Overview","url":"\u002Fdocs\u002Flibraries"},{"title":"Auth0 Single Page App SDK","url":"\u002Fdocs\u002Flibraries\u002Fauth0-single-page-app-sdk","children":[{"title":"Migrate from auth0.js","url":"\u002Fdocs\u002Flibraries\u002Fauth0-single-page-app-sdk\u002Fmigrate-from-auth0-js-to-the-auth0-single-page-app-sdk","hidden":true}]},{"title":"Auth0 React SDK","url":"\u002Fdocs\u002Flibraries\u002Fauth0-react"},{"title":"Auth0 Angular SPA SDK","url":"\u002Fdocs\u002Flibraries\u002Fauth0-angular-spa"},{"title":"Lock for Web","url":"\u002Fdocs\u002Flibraries\u002Flock","children":[{"title":"Overview","url":"\u002Fdocs\u002Flibraries\u002Flock"},{"title":"Configuration 
Options","url":"\u002Fdocs\u002Flibraries\u002Flock\u002Flock-configuration"},{"title":"API Reference","url":"\u002Fdocs\u002Flibraries\u002Flock\u002Flock-api-reference"},{"title":"UI Customization","url":"\u002Fdocs\u002Flibraries\u002Flock\u002Flock-ui-customization"},{"title":"Internationalization","url":"\u002Fdocs\u002Flibraries\u002Flock\u002Flock-internationalization"},{"title":"Customizing Errors","url":"\u002Fdocs\u002Flibraries\u002Flock\u002Fcustomize-lock-error-messages"},{"title":"Authentication Modes","url":"\u002Fdocs\u002Flibraries\u002Flock\u002Flock-authentication-modes"}]},{"title":"Lock for iOS","url":"\u002Fdocs\u002Flibraries\u002Flock-swift","children":[{"title":"Overview","url":"\u002Fdocs\u002Flibraries\u002Flock-swift"},{"title":"Styles Customization","url":"\u002Fdocs\u002Flibraries\u002Flock-swift\u002Flock-swift-customization"},{"title":"Behavior Configuration","url":"\u002Fdocs\u002Flibraries\u002Flock-swift\u002Flock-swift-configuration-options"},{"title":"Custom Fields","url":"\u002Fdocs\u002Flibraries\u002Flock-swift\u002Flock-swift-custom-fields-at-signup"},{"title":"Internationalization","url":"\u002Fdocs\u002Flibraries\u002Flock-swift\u002Flock-swift-internationalization"}]},{"title":"Lock for Android","url":"\u002Fdocs\u002Flibraries\u002Flock-android","children":[{"title":"Overview","url":"\u002Fdocs\u002Flibraries\u002Flock-android"},{"title":"Configuration Options","url":"\u002Fdocs\u002Flibraries\u002Flock-android\u002Flock-android-configuration"},{"title":"Custom Auth Providers","url":"\u002Fdocs\u002Flibraries\u002Flock-android\u002Flock-android-custom-authentication-providers"},{"title":"Android Dev Keystores","url":"\u002Fdocs\u002Flibraries\u002Fauth0-android\u002Fandroid-development-keystores-hashes"},{"title":"Custom Signup Fields","url":"\u002Fdocs\u002Flibraries\u002Flock-android\u002Flock-android-custom-fields-at-signup"},{"title":"Custom 
Theming","url":"\u002Fdocs\u002Flibraries\u002Flock-android\u002Flock-android-custom-theming"},{"title":"Internationalization","url":"\u002Fdocs\u002Flibraries\u002Flock-android\u002Flock-android-internationalization"},{"title":"Passwordless","url":"\u002Fdocs\u002Flibraries\u002Flock-android\u002Flock-android-passwordless"},{"title":"Passwordless with Magic Link","url":"\u002Fdocs\u002Flibraries\u002Flock-android\u002Flock-android-passwordless-with-magic-link"}]},{"title":"Lock vs. Custom UI","url":"\u002Fdocs\u002Funiversal-login\u002Funiversal-login-page-customization"},{"title":"Auth0 SDK for Web","url":"\u002Fdocs\u002Flibraries\u002Fauth0js-v9-reference"},{"title":"Auth0 SDK for iOS","url":"\u002Fdocs\u002Flibraries\u002Fauth0-swift","children":[{"title":"Overview","url":"\u002Fdocs\u002Flibraries\u002Fauth0-swift"},{"title":"Database Authentication","url":"\u002Fdocs\u002Flibraries\u002Fauth0-swift\u002Fauth0-swift-database-connections"},{"title":"User Management","url":"\u002Fdocs\u002Flibraries\u002Fauth0-swift\u002Fauth0-swift-user-management"},{"title":"Refresh Tokens","url":"\u002Fdocs\u002Flibraries\u002Fauth0-swift\u002Fauth0-swift-save-and-renew-tokens"},{"title":"Touch ID \u002F Face ID","url":"\u002Fdocs\u002Flibraries\u002Fauth0-swift\u002Fauth0-swift-touchid-faceid"}]},{"title":"Auth0 SDK for Android","url":"\u002Fdocs\u002Flibraries\u002Fauth0-android","children":[{"title":"Overview","url":"\u002Fdocs\u002Flibraries\u002Fauth0-android"},{"title":"Login, Logout, and User Profiles","url":"\u002Fdocs\u002Flibraries\u002Fauth0-android\u002Fauth0-android-login-logout-and-user-profiles"},{"title":"Configuration","url":"\u002Fdocs\u002Flibraries\u002Fauth0-android\u002Fauth0-android-configuration"},{"title":"Database Authentication","url":"\u002Fdocs\u002Flibraries\u002Fauth0-android\u002Fauth0-android-database-authentication"},{"title":"Passwordless 
Authentication","url":"\u002Fdocs\u002Flibraries\u002Fauth0-android\u002Fauth0-android-passwordless"},{"title":"User Management","url":"\u002Fdocs\u002Flibraries\u002Fauth0-android\u002Fauth0-android-user-management"},{"title":"Refresh Tokens","url":"\u002Fdocs\u002Flibraries\u002Fauth0-android\u002Fauth0-android-save-and-renew-tokens"},{"title":"Custom Networking Client","url":"\u002Fdocs\u002Flibraries\u002Fauth0-android\u002Fauth0-android-custom-networking-client"},{"title":"V2 Migration Guide","url":"\u002Fdocs\u002Flibraries\u002Fauth0-android\u002Fauth0-android-v2-migration-guide"}]}],"videos":[{"title":"Learn Identity","url":"\u002Fdocs\u002Fvideos\u002Flearn-identity-series","children":[{"title":"Introduction to Identity","url":"\u002Fdocs\u002Fvideos\u002Flearn-identity-series\u002Fintroduction-to-identity"},{"title":"OpenID Connect and OAuth2","url":"\u002Fdocs\u002Fvideos\u002Flearn-identity-series\u002Fopenid-connect-and-oauth2"},{"title":"Web Sign-In","url":"\u002Fdocs\u002Fvideos\u002Flearn-identity-series\u002Fweb-sign-in"},{"title":"Calling an API","url":"\u002Fdocs\u002Fvideos\u002Flearn-identity-series\u002Fcalling-an-api"},{"title":"Desktop and Mobile Apps","url":"\u002Fdocs\u002Fvideos\u002Flearn-identity-series\u002Fdesktop-and-mobile-apps"},{"title":"Single Page Apps","url":"\u002Fdocs\u002Fvideos\u002Flearn-identity-series\u002Fsingle-page-apps"}]},{"title":"Get Started","url":"\u002Fdocs\u002Fvideos\u002Fget-started-series","children":[{"title":"Architect: Your Tenant","url":"\u002Fdocs\u002Fvideos\u002Fget-started-series\u002Farchitect-your-tenant"},{"title":"Provision: User Stores","url":"\u002Fdocs\u002Fvideos\u002Fget-started-series\u002Fprovision-user-stores"},{"title":"Provision: Import Users","url":"\u002Fdocs\u002Fvideos\u002Fget-started-series\u002Fprovision-import-users"},{"title":"Authenticate: How It Works","url":"\u002Fdocs\u002Fvideos\u002Fget-started-series\u002Fauthenticate-how-it-works"},{"title":"Authenticate: SPA 
Example","url":"\u002Fdocs\u002Fvideos\u002Fget-started-series\u002Fauthenticate-spa-example"},{"title":"Authorize: ID Tokens and Access Control","url":"\u002Fdocs\u002Fvideos\u002Fget-started-series\u002Fauthorize-id-tokens-and-access-control"},{"title":"Authorize: Get and Validate ID Tokens","url":"\u002Fdocs\u002Fvideos\u002Fget-started-series\u002Fauthorize-get-and-validate-id-tokens"},{"title":"User Profiles","url":"\u002Fdocs\u002Fvideos\u002Fget-started-series\u002Flearn-user-profiles"},{"title":"Brand: How It Works","url":"\u002Fdocs\u002Fvideos\u002Fget-started-series\u002Fbrand-how-it-works"},{"title":"Brand: Sign Up and Login Pages","url":"\u002Fdocs\u002Fvideos\u002Fget-started-series\u002Fbrand-signup-and-login-pages"},{"title":"Brand: Emails and Error Pages","url":"\u002Fdocs\u002Fvideos\u002Fget-started-series\u002Fbrand-emails-and-error-pages"},{"title":"Logout","url":"\u002Fdocs\u002Fvideos\u002Fget-started-series\u002Flearn-logout"}]}],"identity-labs":[{"title":"Digital Identity Labs","url":"\u002Fdocs\u002Fidentity-labs","children":[{"title":"Lab 1: Web Sign-In","url":"\u002Fdocs\u002Fidentity-labs\u002Flab-1-web-sign-in","children":[{"title":"Exercise 1","url":"\u002Fdocs\u002Fidentity-labs\u002Flab-1-web-sign-in\u002Fidentity-lab-1-exercise-1"},{"title":"Exercise 2","url":"\u002Fdocs\u002Fidentity-labs\u002Flab-1-web-sign-in\u002Fidentity-lab-1-exercise-2"}]},{"title":"Lab 2: Calling an API","url":"\u002Fdocs\u002Fidentity-labs\u002Fidentity-lab-2-calling-api","children":[{"title":"Exercise 1","url":"\u002Fdocs\u002Fidentity-labs\u002Fidentity-lab-2-calling-api\u002Fidentity-lab-2-exercise-1"},{"title":"Exercise 2","url":"\u002Fdocs\u002Fidentity-labs\u002Fidentity-lab-2-calling-api\u002Fidentity-lab-2-exercise-2"},{"title":"Exercise 3","url":"\u002Fdocs\u002Fidentity-labs\u002Fidentity-lab-2-calling-api\u002Fidentity-lab-2-exercise-3"}]},{"title":"Lab 3: Mobile Native 
App","url":"\u002Fdocs\u002Fidentity-labs\u002Flab-3-mobile-native-app","children":[{"title":"Exercise 1","url":"\u002Fdocs\u002Fidentity-labs\u002Flab-3-mobile-native-app\u002Fidentity-lab-3-exercise-1"},{"title":"Exercise 2","url":"\u002Fdocs\u002Fidentity-labs\u002Flab-3-mobile-native-app\u002Fidentity-lab-3-exercise-2"},{"title":"Exercise 3","url":"\u002Fdocs\u002Fidentity-labs\u002Flab-3-mobile-native-app\u002Fidentity-lab-3-exercise-3"}]},{"title":"Lab 4: Single Page App","url":"\u002Fdocs\u002Fidentity-labs\u002Flab-4-single-page-app","children":[{"title":"Exercise 1","url":"\u002Fdocs\u002Fidentity-labs\u002Flab-4-single-page-app\u002Fidentity-lab-4-exercise-1"},{"title":"Exercise 2","url":"\u002Fdocs\u002Fidentity-labs\u002Flab-4-single-page-app\u002Fidentity-lab-4-exercise-2"}]}]}]},"unmarkedSidebar":{"articles":[{"title":"Get Started","description":"Learn the basics and begin building your authentication solution.","type":"navigationSection","url":"\u002Fdocs\u002Fget-started","icon":"IdenticonGettingStarted","children":[{"title":"Auth0 Onboarding","type":"navigationSubsection","showCards":false,"quickstarts":false,"children":[{"title":"Auth0 Onboarding","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Fonboarding","showCards":true,"children":[{"title":"Self-Service Machine-to-Machine","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fonboarding\u002Fself-service-m2m"}]}]},{"title":"Start Building","description":"To get up and running swiftly, choose your application type for a step-by-step quickstart tutorial.","type":"navigationSubsection","showCards":true,"quickstarts":true,"children":[{"title":"Quickstarts","type":"externalLink","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fquickstarts","external":true,"forceFullReload":true}]},{"title":"Learn the Basics","description":"Build your knowledge of IAM technology and Auth0.","type":"navigationSubsection","showCards":true,"quickstarts":false,"children":[{"title":"Identity 
Fundamentals","description":"Explore topics related to the fundamentals of identity and access management.","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Fidentity-fundamentals","showCards":true,"children":[{"title":"Introduction to Identity and Access Management (IAM)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fidentity-fundamentals\u002Fidentity-and-access-management"},{"title":"Introduction to Auth0","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fidentity-fundamentals\u002Fintroduction-to-auth0"},{"title":"Authentication vs. Authorization","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fidentity-fundamentals\u002Fauthentication-and-authorization"},{"title":"Glossary","type":"externalLink","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fglossary","external":false,"forceFullReload":true}]},{"title":"Auth0 Overview","description":"Discover different use cases. Create and connect the building blocks of your IAM solution.","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Fauth0-overview","showCards":true,"children":[{"title":"Auth0 Dashboard","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Fauth0-overview\u002Fdashboard","showCards":true,"children":[{"title":"About the Activity Page ","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauth0-overview\u002Fdashboard\u002Factivity"}]},{"title":"Auth0 Guide","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauth0-overview\u002Fauth0-guide"},{"title":"Create Tenants","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Fauth0-overview\u002Fcreate-tenants","showCards":true,"children":[{"title":"Create Multiple Tenants","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauth0-overview\u002Fcreate-tenants\u002Fcreate-multiple-tenants"},{"title":"Link Multiple Tenants to a Single Subscription","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauth0-overview\u002Fcreate-tenants\u002Fchild-tenants"},{"title":"Set 
Up Multiple Environments","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauth0-overview\u002Fcreate-tenants\u002Fset-up-multiple-environments"},{"title":"Multi-Tenant Applications Best Practices","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauth0-overview\u002Fcreate-tenants\u002Fmulti-tenant-apps-best-practices"}]},{"title":"Create Applications","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Fauth0-overview\u002Fcreate-applications","showCards":true,"children":[{"title":"Register Native Applications","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauth0-overview\u002Fcreate-applications\u002Fnative-apps"},{"title":"Register Single-Page Web Applications","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauth0-overview\u002Fcreate-applications\u002Fsingle-page-web-apps"},{"title":"Register Regular Web Applications","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauth0-overview\u002Fcreate-applications\u002Fregular-web-apps"},{"title":"Register Machine-to-Machine Applications","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauth0-overview\u002Fcreate-applications\u002Fmachine-to-machine-apps"},{"title":"Configure an Identity Provider in Access Gateway","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauth0-overview\u002Fcreate-applications\u002Fconfigure-an-identity-provider-in-access-gateway"}]},{"title":"Register APIs","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauth0-overview\u002Fset-up-apis"}]}]},{"title":"Configure Auth0","description":"Define how Auth0 works with your applications and APIs. 
Control who can access your Auth0 Dashboard.","type":"navigationSubsection","showCards":true,"quickstarts":false,"children":[{"title":"Auth0 Teams","description":"Learn about Auth0 Teams, including how to enable Teams, view and manage tenants, and manage tenant members.","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Fauth0-teams","showCards":true,"children":[{"title":"Tenant Management","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauth0-teams\u002Ftenant-management"},{"title":"Team Member Management","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauth0-teams\u002Fteam-member-management"},{"title":"Tenant Member Management","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauth0-teams\u002Ftenant-member-management"},{"title":"Configure Security Policies","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauth0-teams\u002Fconfigure-security-policies"},{"title":"Troubleshoot Teams","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauth0-teams\u002Ftroubleshoot-teams"},{"title":"Team Activity","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauth0-teams\u002Fteam-activity"},{"title":"About the Quarterly Snapshot","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauth0-teams\u002Fquarterly-snapshot"}]},{"title":"Dashboard Profile","description":"Describes how to configure options in Auth0 Dashboard's profile section.","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Fdashboard-profile","showCards":true,"children":[{"title":"Auth0 Dashboard Login Session Management","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fdashboard-profile\u002Fauth0-dashboard-login-session-management"},{"title":"Light and Dark themes","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fdashboard-profile\u002Flight-and-dark-themes"}]},{"title":"Tenant Settings","description":"Configure the behavior of your Auth0 
tenant.","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Ftenant-settings","showCards":true,"children":[{"title":"Signing Keys","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Ftenant-settings\u002Fsigning-keys","showCards":true,"children":[{"title":"Rotate Signing Keys","type":"article","url":"\u002Fdocs\u002Fget-started\u002Ftenant-settings\u002Fsigning-keys\u002Frotate-signing-keys"},{"title":"Revoke Signing Keys","type":"article","url":"\u002Fdocs\u002Fget-started\u002Ftenant-settings\u002Fsigning-keys\u002Frevoke-signing-keys"},{"title":"View Signing Certificates","type":"article","url":"\u002Fdocs\u002Fget-started\u002Ftenant-settings\u002Fsigning-keys\u002Fview-signing-certificates"}]},{"title":"Configure Device User Code Settings","type":"article","url":"\u002Fdocs\u002Fget-started\u002Ftenant-settings\u002Fconfigure-device-user-code-settings"},{"title":"Enable Single Sign-On for Tenants","type":"article","url":"\u002Fdocs\u002Fget-started\u002Ftenant-settings\u002Fenable-sso-for-legacy-tenants"},{"title":"Find Your Tenant Name or Tenant ID","type":"article","url":"\u002Fdocs\u002Fget-started\u002Ftenant-settings\u002Ffind-your-tenant-name-or-tenant-id"}]},{"title":"Applications in Auth0","description":"Control the details of how Auth0 works with your applications.","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Fapplications","showCards":true,"children":[{"title":"Application Settings","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fapplication-settings"},{"title":"Credential Settings","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fcredentials"},{"title":"Subdomain URL Placeholders","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fwildcards-for-subdomains"},{"title":"Confidential and Public 
Applications","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfidential-and-public-applications","showCards":true,"children":[{"title":"Check if Application is Confidential or Public","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfidential-and-public-applications\u002Fview-application-type"},{"title":"First-Party and Third-Party Applications","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfidential-and-public-applications\u002Ffirst-party-and-third-party-applications"},{"title":"View Application Ownership","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfidential-and-public-applications\u002Fview-application-ownership"},{"title":"Update Application Ownership","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfidential-and-public-applications\u002Fupdate-application-ownership"},{"title":"Enable Third-Party Applications","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfidential-and-public-applications\u002Fenable-third-party-applications"},{"title":"User Consent and Third-Party Applications","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfidential-and-public-applications\u002Fuser-consent-and-third-party-applications"}]},{"title":"Dynamic Application Registration","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fdynamic-client-registration"},{"title":"Set Up Database Connections","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fset-up-database-connections"},{"title":"Test Database Connections","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Ftest-database-connections"},{"title":"Application Grant Types","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fapplication-grant-types"},{"title":"Update Grant 
Types","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fupdate-grant-types"},{"title":"Revoke Access to APIs Using Application Grants","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Frevoke-api-access"},{"title":"Signing Algorithms","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fsigning-algorithms"},{"title":"Change Application Signing Algorithms","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fchange-application-signing-algorithms"},{"title":"Configure Application Metadata","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-application-metadata"},{"title":"Update Application Connections","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fupdate-application-connections"},{"title":"Rotate Credentials","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Frotate-credentials"},{"title":"Rotate Client Secrets","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Frotate-client-secret"},{"title":"Enable Android App Links Support","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fenable-android-app-links-support"},{"title":"Enable Universal Links Support in Apple Xcode","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fenable-universal-links-support-in-apple-xcode"},{"title":"Configure Cross-Origin Resource Sharing","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fset-up-cors"},{"title":"Configure Applications with OIDC Discovery","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-applications-with-oidc-discovery"},{"title":"Configure WS-Fed Applications","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-ws-fed-applications"},{"title":"Configure FAPI Compliance","description":"Learn how to configure FAPI compliance for an 
Auth0 tenant.","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-fapi-compliance","showCards":true,"children":[{"title":"Configure Auth0 to pass OpenID FAPI Certification Tests","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-fapi-compliance\u002Fconfigure-auth0-to-pass-openid-fapi-certification-tests"}]},{"title":"Configure Pushed Authorization Requests (PAR)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-par"},{"title":"Configure JWT-secured Authorization Requests (JAR)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-jar"},{"title":"Configure mTLS Authentication","description":"Learn how to configure mTLS authentication for Auth0.","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-mtls","showCards":true,"children":[{"title":"Set up the Customer Edge","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-mtls\u002Fset-up-the-customer-edge"},{"title":"Configure mTLS Authentication for a Tenant","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-mtls\u002Fconfigure-mtls-for-a-tenant"},{"title":"Configure mTLS Authentication for a Client","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-mtls\u002Fconfigure-mtls-for-a-client"}]},{"title":"Configure Private Key JWT Authentication","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-private-key-jwt"},{"title":"Configure Sender Constraining ","description":"Learn how to configure sender constraining for your Auth0 tenant. 
","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-sender-constraining","showCards":true,"children":[{"title":"Configure Client for Sender Constraining ","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-sender-constraining\u002Fconfigure-client-for-sender-constraining"},{"title":"Configure Resource Server for Sender Constraining","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfigure-sender-constraining\u002Fconfigure-resource-server-for-sender-constraining"}]},{"title":"Remove Applications","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fremove-applications"},{"title":"Test Applications Locally","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fwork-with-auth0-locally"},{"title":"Enable Single Sign-On Integrations for Applications","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fenable-sso-for-applications"}]},{"title":"APIs","description":"Manage access for resource requests made to your APIs.","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Fapis","showCards":true,"children":[{"title":"API Settings","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapis\u002Fapi-settings"},{"title":"Add API Permissions","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapis\u002Fadd-api-permissions"},{"title":"Delete API Permissions","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapis\u002Fdelete-api-permissions"},{"title":"Scopes","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Fapis\u002Fscopes","showCards":true,"children":[{"title":"API Scopes","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapis\u002Fscopes\u002Fapi-scopes"},{"title":"OpenID Connect Scopes","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapis\u002Fscopes\u002Fopenid-connect-scopes"},{"title":"Sample Use Cases: Scopes and 
Claims","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapis\u002Fscopes\u002Fsample-use-cases-scopes-and-claims"}]},{"title":"Configure Access Token Profile","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-access-token-profile"},{"title":"Configure JSON Web Encryption (JWE)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-json-web-encryption"},{"title":"Configure Logical API for Multiple APIs","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapis\u002Fset-logical-api"},{"title":"Configure Rich Authorization Requests (RAR)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapis\u002Fconfigure-rich-authorization-requests"},{"title":"Create Machine-to-Machine Applications for Testing","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapis\u002Fcreate-m2m-app-test"},{"title":"Enable Role-Based Access Control for APIs","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fapis\u002Fenable-role-based-access-control-for-apis"}]},{"title":"Manage Dashboard Access","description":"Administer your team members’ access to your Auth0 Dashboard.","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Fmanage-dashboard-access","showCards":true,"children":[{"title":"Dashboard Access by Role","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fmanage-dashboard-access\u002Ffeature-access-by-role"},{"title":"Add Tenant Members","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fmanage-dashboard-access\u002Fadd-dashboard-users"},{"title":"Edit Tenant Members","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fmanage-dashboard-access\u002Fedit-dashboard-users"},{"title":"Remove Tenant Members","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fmanage-dashboard-access\u002Fremove-dashboard-users"},{"title":"Update Dashboard User Email 
Addresses","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fmanage-dashboard-access\u002Fupdate-dashboard-user-email"},{"title":"Multi-factor Authentication for Dashboard Users","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Fmanage-dashboard-access\u002Fadd-change-remove-mfa","showCards":true,"children":[{"title":"Add Multi-Factor Authentication for Auth0 Dashboard Access","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fmanage-dashboard-access\u002Fadd-change-remove-mfa\u002Fadd-mfa"},{"title":"Remove or Change Dashboard Multi-Factor Authentication","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fmanage-dashboard-access\u002Fadd-change-remove-mfa\u002Fremove-or-change-dashboard-multi-factor-authentication"}]},{"title":"Configure Single Sign-on for Auth0 Dashboard","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fmanage-dashboard-access\u002Fconfigure-single-sign-on-for-auth0-dashboard"}]}]},{"title":"Plan and Design","description":"Learn about Auth0 flows and architecture so you can make informed decisions about your Auth0 implementation.","type":"navigationSubsection","showCards":true,"quickstarts":false,"children":[{"title":"Authentication and Authorization Flows","description":"Explore the different flows of information that drive authentication and authorization.","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow","showCards":true,"children":[{"title":"Which OAuth 2.0 Flow Should I Use?","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fwhich-oauth-2-0-flow-should-i-use"},{"title":"Authorization Code Flow","description":"Describes the Authorization Code Grant from OAuth 2.0","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow","showCards":true,"children":[{"title":"Add Login Using the Authorization Code 
Flow","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fadd-login-auth-code-flow"},{"title":"Call Your API Using the Authorization Code Flow","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fcall-your-api-using-the-authorization-code-flow"},{"title":"Authorization Code Flow with Rich Authorization Requests (RAR)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-rar"},{"title":"Authorization Code Flow with Pushed Authorization Requests (PAR)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-par"},{"title":"Authorization Code Flow with JWT-Secured Authorization Requests (JAR)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-jar"},{"title":"Authorization Code Flow with PAR and JAR","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow\u002Fauthorization-code-flow-with-par-and-jar"}]},{"title":"Authorization Code Flow with Proof Key for Code Exchange","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow-with-pkce","showCards":true,"children":[{"title":"Add Login Using the Authorization Code Flow with PKCE","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow-with-pkce\u002Fadd-login-using-the-authorization-code-flow-with-pkce"},{"title":"Call Your API Using the Authorization Code Flow with 
PKCE","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthorization-code-flow-with-pkce\u002Fcall-your-api-using-the-authorization-code-flow-with-pkce"}]},{"title":"Client Credentials Flow","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fclient-credentials-flow","showCards":true,"children":[{"title":"Call Your API Using the Client Credentials Flow","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fclient-credentials-flow\u002Fcall-your-api-using-the-client-credentials-flow"},{"title":"Customize Tokens Using Hooks with Client Credentials Flow","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fclient-credentials-flow\u002Fcustomize-tokens-using-hooks-with-client-credentials-flow"}]},{"title":"Device Authorization Flow","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fdevice-authorization-flow","showCards":true,"children":[{"title":"Call Your API Using the Device Authorization Flow","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fdevice-authorization-flow\u002Fcall-your-api-using-the-device-authorization-flow"},{"title":"Mobile Device Login Flow Best Practices","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fdevice-authorization-flow\u002Fmobile-device-login-flow-best-practices"}]},{"title":"Implicit Flow with Form Post","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fimplicit-flow-with-form-post","showCards":true,"children":[{"title":"Mitigate Replay Attacks When Using the Implicit 
Flow","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fimplicit-flow-with-form-post\u002Fmitigate-replay-attacks-when-using-the-implicit-flow"},{"title":"Add Login Using the Implicit Flow with Form Post","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fimplicit-flow-with-form-post\u002Fadd-login-using-the-implicit-flow-with-form-post"}]},{"title":"Hybrid Flow","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fhybrid-flow","showCards":true,"children":[{"title":"Call Your API Using the Hybrid Flow","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fhybrid-flow\u002Fcall-api-hybrid-flow"}]},{"title":"Resource Owner Password Flow","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fresource-owner-password-flow","showCards":true,"children":[{"title":"Call Your API Using Resource Owner Password Flow","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fresource-owner-password-flow\u002Fcall-your-api-using-resource-owner-password-flow"},{"title":"Avoid Common Issues with Resource Owner Password Flow and Attack Protection","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fresource-owner-password-flow\u002Favoid-common-issues-with-resource-owner-password-flow-and-attack-protection"}]},{"title":"Authenticate with Private Key JWT","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthenticate-with-private-key-jwt"},{"title":"Authenticate with mTLS","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fauthenticate-with-mtls"},{"title":"Client Credentials 
Exchange","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fclient-credentials-exchange"}]},{"title":"Architecture Scenarios","description":"Read about real-world customer implementations of Auth0.","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios","showCards":true,"children":[{"title":"Business to Consumer","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fbusiness-to-consumer","showCards":true,"children":[{"title":"Architecture (B2C)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fbusiness-to-consumer\u002Farchitecture"},{"title":"Provisioning (B2C)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fbusiness-to-consumer\u002Fprovisioning"},{"title":"Authentication (B2C)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fbusiness-to-consumer\u002Fauthentication"},{"title":"Branding (B2C)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fbusiness-to-consumer\u002Fbranding"},{"title":"Deployment Automation (B2C)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fbusiness-to-consumer\u002Fdeployment"},{"title":"Quality Assurance (B2C)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fbusiness-to-consumer\u002Fquality-assurance"},{"title":"Profile Management (B2C)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fbusiness-to-consumer\u002Fprofile-management"},{"title":"Authorization (B2C)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fbusiness-to-consumer\u002Fauthorization"},{"title":"Logout (B2C)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fbusiness-to-consumer\u002Flogout"},{"title":"Operations 
(B2C)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fbusiness-to-consumer\u002Foperations"},{"title":"Launch Preparation","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fbusiness-to-consumer\u002Flaunch","showCards":true,"children":[{"title":"Tenant Check (B2C)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fbusiness-to-consumer\u002Flaunch\u002Ftenant-check"},{"title":"Testing Complete (B2C)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fbusiness-to-consumer\u002Flaunch\u002Ftesting"},{"title":"Operations Readiness (B2C)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fbusiness-to-consumer\u002Flaunch\u002Foperations-readiness"},{"title":"Compliance Readiness (B2C)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fbusiness-to-consumer\u002Flaunch\u002Fcompliance-readiness"},{"title":"Support Readiness (B2C)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fbusiness-to-consumer\u002Flaunch\u002Fsupport-readiness"},{"title":"Launch Day Preparation (B2C)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fbusiness-to-consumer\u002Flaunch\u002Flaunch-day"}]}]},{"title":"Business to Business","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fbusiness-to-business","showCards":true,"children":[{"title":"Architecture (B2B)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fbusiness-to-business\u002Farchitecture"},{"title":"Provisioning (B2B)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fbusiness-to-business\u002Fprovisioning"},{"title":"Authentication 
(B2B)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fbusiness-to-business\u002Fauthentication"},{"title":"Branding (B2B)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fbusiness-to-business\u002Fbranding"},{"title":"Deployment Automation (B2B)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fbusiness-to-business\u002Fdeployment"},{"title":"Quality Assurance (B2B)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fbusiness-to-business\u002Fquality-assurance"},{"title":"Profile Management (B2B)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fbusiness-to-business\u002Fprofile-management"},{"title":"Authorization (B2B)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fbusiness-to-business\u002Fauthorization"},{"title":"Logout (B2B)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fbusiness-to-business\u002Flogout"},{"title":"Operations (B2B)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fbusiness-to-business\u002Foperations"},{"title":"Launch Preparation (B2B)","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fbusiness-to-business\u002Flaunch","showCards":true,"children":[{"title":"Tenant Check (B2B)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fbusiness-to-business\u002Flaunch\u002Ftenant-check"},{"title":"Testing Complete (B2B)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fbusiness-to-business\u002Flaunch\u002Ftesting"},{"title":"Operations Readiness (B2B)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fbusiness-to-business\u002Flaunch\u002Foperations-readiness"},{"title":"Compliance Readiness 
(B2B)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fbusiness-to-business\u002Flaunch\u002Fcompliance-readiness"},{"title":"Support Readiness (B2B)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fbusiness-to-business\u002Flaunch\u002Fsupport-readiness"},{"title":"Launch Day Preparation (B2B)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fbusiness-to-business\u002Flaunch\u002Flaunch-day"}]}]},{"title":"Business to Employees","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fb2e"},{"title":"Multiple Organization Architecture","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fmultiple-organization-architecture","showCards":true,"children":[{"title":"Single Identity Provider Organizations","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fmultiple-organization-architecture\u002Fsingle-identity-provider-organizations","showCards":true,"children":[{"title":"Single Identity Provider: Provisioning","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fmultiple-organization-architecture\u002Fsingle-identity-provider-organizations\u002Fprovisioning"},{"title":"Single Identity Provider: Authentication","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fmultiple-organization-architecture\u002Fsingle-identity-provider-organizations\u002Fauthentication"},{"title":"Single Identity Provider: Branding","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fmultiple-organization-architecture\u002Fsingle-identity-provider-organizations\u002Fbranding"},{"title":"Single Identity Provider: 
Authorization","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fmultiple-organization-architecture\u002Fsingle-identity-provider-organizations\u002Fauthorization"},{"title":"Single Identity Provider: Profile Management","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fmultiple-organization-architecture\u002Fsingle-identity-provider-organizations\u002Fprofile-management"},{"title":"Single Identity Provider: Logout","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fmultiple-organization-architecture\u002Fsingle-identity-provider-organizations\u002Flogout"}]},{"title":"Multiple Identity Provider Organizations","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fmultiple-organization-architecture\u002Fmultiple-idp-orgs"}]},{"title":"SSO for Regular Web Apps","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fsso-for-regular-web-apps","showCards":true,"children":[{"title":"Solution Overview (Web Apps + SSO)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fsso-for-regular-web-apps\u002Fpart-1"},{"title":"Auth0 Configuration (Web Apps + SSO)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fsso-for-regular-web-apps\u002Fpart-2"},{"title":"Application Implementation (Web Apps + SSO)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fsso-for-regular-web-apps\u002Fpart-3"},{"title":"ASP.NET Core Implementation (Web Apps + SSO)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fsso-for-regular-web-apps\u002Fimplementation-aspnetcore"},{"title":"Conclusion (Web Apps + SSO)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fsso-for-regular-web-apps\u002Fpart-4"}]},{"title":"Server Application + 
API","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fserver-application-api","showCards":true,"children":[{"title":"Solution Overview (Server Apps + API)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fserver-application-api\u002Fpart-1"},{"title":"Auth0 Configuration (Server Apps + API)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fserver-application-api\u002Fpart-2"},{"title":"Application Implementation (Server Apps + API)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fserver-application-api\u002Fpart-3"},{"title":"Server Apps + API: Node.js Implementation for the API","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fserver-application-api\u002Fapi-implementation-nodejs"},{"title":"Server Apps + API: Python Implementation for the Cron Job","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fserver-application-api\u002Fcron-implementation-python"},{"title":"Conclusion (Server Apps + API)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fserver-application-api\u002Fpart-4"}]},{"title":"SPA + API","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fspa-api","showCards":true,"children":[{"title":"Solution Overview (SPAs + API)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fspa-api\u002Fpart-1"},{"title":"Auth0 Configuration (SPAs + API)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fspa-api\u002Fpart-2"},{"title":"API and SPA Configuration (SPAs + API)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fspa-api\u002Fpart-3"},{"title":"SPA Angular 2 Implementation (SPAs + 
API)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fspa-api\u002Fspa-implementation-angular2"},{"title":"Node.js API Implementation (SPAs + API)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fspa-api\u002Fapi-implementation-nodejs"},{"title":"Conclusion (SPAs + API)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fspa-api\u002Fpart-4"}]},{"title":"Mobile + API","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fmobile-api","showCards":true,"children":[{"title":"Solution Overview (Mobile Apps + API)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fmobile-api\u002Fpart-1"},{"title":"Auth0 Configuration (Mobile Apps + API)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fmobile-api\u002Fpart-2"},{"title":"API and Mobile Configuration (Mobile Apps + API)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fmobile-api\u002Fpart-3"},{"title":"Android Mobile Application Implementation (Mobile Apps + API)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fmobile-api\u002Fmobile-implementation-android"},{"title":"Node.js API Implementation (Mobile Apps + API)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fmobile-api\u002Fapi-implementation-nodejs"},{"title":"Conclusion (Mobile Apps + API)","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fmobile-api\u002Fpart-4"}]},{"title":"Implementation Planning Checklists","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fchecklists"},{"title":"Implementation Resources","type":"article","url":"\u002Fdocs\u002Fget-started\u002Farchitecture-scenarios\u002Fimplementation-resources"}]},{"title":"Professional Services","description":"Get 
personalized help deploying and maintaining solutions from Auth0 specialists.","type":"navigationItem","url":"\u002Fdocs\u002Fget-started\u002Fprofessional-services","showCards":true,"children":[{"title":"Professional Services: Discover and Design","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fprofessional-services\u002Fdiscover-design"},{"title":"Professional Services: Implement","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fprofessional-services\u002Fimplement"},{"title":"Professional Services: Maintain and Improve","type":"article","url":"\u002Fdocs\u002Fget-started\u002Fprofessional-services\u002Fmaintain-improve"}]}]}]},{"title":"Authenticate","description":"Define how your applications and APIs verify the identity of a user or device.","type":"navigationSection","url":"\u002Fdocs\u002Fauthenticate","icon":"IdenticonAuthenticationA","children":[{"title":"Add Login","description":"Implement Auth0 Universal Login (or an alternative) to control access to your applications.","type":"navigationSubsection","showCards":true,"quickstarts":false,"children":[{"title":"Login","description":"Choose from a variety of user login options.","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Flogin","showCards":true,"children":[{"title":"Auth0 Universal Login","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Flogin\u002Fauth0-universal-login","showCards":true,"children":[{"title":"Universal Login vs. 
Classic Login","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Flogin\u002Fauth0-universal-login\u002Funiversal-login-vs-classic-login","showCards":true,"children":[{"title":"Universal Login Experience","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Flogin\u002Fauth0-universal-login\u002Funiversal-login-vs-classic-login\u002Funiversal-experience"},{"title":"Classic Login Experience","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Flogin\u002Fauth0-universal-login\u002Funiversal-login-vs-classic-login\u002Fclassic-experience"}]},{"title":"Passwordless Login","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Flogin\u002Fauth0-universal-login\u002Fpasswordless-login","showCards":true,"children":[{"title":"Configure WebAuthn with Device Biometrics for Passwordless Authentication","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Flogin\u002Fauth0-universal-login\u002Fpasswordless-login\u002Fwebauthn-device-biometrics"},{"title":"Configure Email or SMS for Passwordless Authentication","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Flogin\u002Fauth0-universal-login\u002Fpasswordless-login\u002Femail-or-sms"}]},{"title":"Configure Identifier First Authentication","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Flogin\u002Fauth0-universal-login\u002Fidentifier-first"},{"title":"Configure Default Login Routes","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Flogin\u002Fauth0-universal-login\u002Fconfigure-default-login-routes"},{"title":"Default Auth0 Error Page","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Flogin\u002Fauth0-universal-login\u002Ferror-pages"}]},{"title":"Centralized Universal Login vs. 
Embedded Login","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Flogin\u002Funiversal-vs-embedded-login"},{"title":"Embedded Login","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Flogin\u002Fembedded-login"},{"title":"Native Login","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Flogin\u002Fnative-login"},{"title":"Cross-Origin Authentication","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Flogin\u002Fcross-origin-authentication"},{"title":"Configure Silent Authentication","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Flogin\u002Fconfigure-silent-authentication"},{"title":"Redirect Users","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Flogin\u002Fredirect-users-after-login"},{"title":"Force Reauthentication in OIDC","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Flogin\u002Fmax-age-reauthentication"},{"title":"Logout","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Flogin\u002Flogout","showCards":true,"children":[{"title":"Back-Channel Logout","description":"Describes OIDC back-channel logout workflow and how to configure for your Auth0 services.","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Flogin\u002Flogout\u002Fback-channel-logout","showCards":true,"children":[{"title":"Configure OIDC Back-Channel Logout","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Flogin\u002Flogout\u002Fback-channel-logout\u002Fconfigure-back-channel-logout"},{"title":"OIDC Back-Channel Logout Initiators","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Flogin\u002Flogout\u002Fback-channel-logout\u002Foidc-back-channel-logout-initiators"}]},{"title":"Log Users Out of Applications","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Flogin\u002Flogout\u002Flog-users-out-of-applications"},{"title":"Log Users Out of Auth0 with OIDC Endpoint","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Flogin\u002Flogout\u002Flog-users-out-of-auth0"},{"title":"Log Users 
Out of Identity Providers","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Flogin\u002Flogout\u002Flog-users-out-of-idps"},{"title":"Log Users Out of SAML Identity Providers","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Flogin\u002Flogout\u002Flog-users-out-of-saml-idps"},{"title":"Redirect Users with Alternative Logout","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Flogin\u002Flogout\u002Fredirect-users-after-logout"}]},{"title":"OIDC-Conformant Authentication","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Flogin\u002Foidc-conformant-authentication","showCards":true,"children":[{"title":"Access Tokens with OIDC","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Flogin\u002Foidc-conformant-authentication\u002Foidc-adoption-access-tokens"},{"title":"Authorization Code Flow with OIDC","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Flogin\u002Foidc-conformant-authentication\u002Foidc-adoption-auth-code-flow"},{"title":"Client Credentials Flow with OIDC","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Flogin\u002Foidc-conformant-authentication\u002Foidc-adoption-client-credentials-flow"},{"title":"Delegation with OIDC","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Flogin\u002Foidc-conformant-authentication\u002Foidc-adoption-delegation"},{"title":"External APIs with OIDC","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Flogin\u002Foidc-conformant-authentication\u002Foidc-adoption-apis"},{"title":"Implicit Flow with OIDC","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Flogin\u002Foidc-conformant-authentication\u002Foidc-adoption-implicit-flow"},{"title":"Refresh Tokens with OIDC","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Flogin\u002Foidc-conformant-authentication\u002Foidc-adoption-refresh-tokens"},{"title":"Resource Owner Password Flow with 
OIDC","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Flogin\u002Foidc-conformant-authentication\u002Foidc-adoption-rop-flow"},{"title":"Single Sign-On with OIDC","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Flogin\u002Foidc-conformant-authentication\u002Foidc-adoption-sso"}]}]},{"title":"Single Sign-On","description":"Enable users to log in to one application and automatically authenticate in other applications.","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on","showCards":true,"children":[{"title":"Service-Provider-Initiated Single Sign-On","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on\u002Finbound-single-sign-on"},{"title":"Identity-Provider-Initiated Single Sign-On","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on\u002Foutbound-single-sign-on","showCards":false,"children":[{"title":"Configure Auth0 as SAML Identity Provider","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on\u002Foutbound-single-sign-on\u002Fconfigure-auth0-saml-identity-provider","showCards":false,"children":[{"title":"Configure Amazon Web Services as SAML Service Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on\u002Foutbound-single-sign-on\u002Fconfigure-auth0-saml-identity-provider\u002Fconfigure-saml2-web-app-addon-for-aws"},{"title":"Configure Atlassian as SAML Service Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on\u002Foutbound-single-sign-on\u002Fconfigure-auth0-saml-identity-provider\u002Fconfigure-auth0-as-identity-provider-for-atlassian"},{"title":"Configure Cisco WebEx as SAML Service Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on\u002Foutbound-single-sign-on\u002Fconfigure-auth0-saml-identity-provider\u002Fconfigure-auth0-as-identity-provider-for-cisco-webex"},{"title":"Configure Datadog as SAML Service 
Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on\u002Foutbound-single-sign-on\u002Fconfigure-auth0-saml-identity-provider\u002Fconfigure-auth0-as-identity-provider-for-datadog"},{"title":"Configure Egencia as SAML Service Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on\u002Foutbound-single-sign-on\u002Fconfigure-auth0-saml-identity-provider\u002Fconfigure-auth0-as-identity-provider-for-egencia"},{"title":"Configure Freshdesk as SAML Service Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on\u002Foutbound-single-sign-on\u002Fconfigure-auth0-saml-identity-provider\u002Fconfigure-auth0-as-identity-provider-for-freshdesk"},{"title":"Configure GitHub Enterprise Cloud as SAML Service Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on\u002Foutbound-single-sign-on\u002Fconfigure-auth0-saml-identity-provider\u002Fconfigure-saml2-web-app-addon-for-github-enterprise-cloud"},{"title":"Configure GitHub Enterprise Server as SAML Service Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on\u002Foutbound-single-sign-on\u002Fconfigure-auth0-saml-identity-provider\u002Fconfigure-saml2-web-app-addon-for-github-enterprise-server"},{"title":"Configure Google Workspace as SAML Service Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on\u002Foutbound-single-sign-on\u002Fconfigure-auth0-saml-identity-provider\u002Fconfigure-auth0-as-idp-for-google-g-suite"},{"title":"Configure Heroku as SAML Service Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on\u002Foutbound-single-sign-on\u002Fconfigure-auth0-saml-identity-provider\u002Fconfigure-saml2-web-app-addon-for-heroku"},{"title":"Configure Hosted Graphite as SAML Service 
Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on\u002Foutbound-single-sign-on\u002Fconfigure-auth0-saml-identity-provider\u002Fconfigure-auth0-as-identity-provider-for-hosted-graphite"},{"title":"Configure Litmos as SAML Service Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on\u002Foutbound-single-sign-on\u002Fconfigure-auth0-saml-identity-provider\u002Fconfigure-auth0-as-identity-provider-for-litmos"},{"title":"Configure Oracle Eloqua Marketing Cloud as SAML Service Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on\u002Foutbound-single-sign-on\u002Fconfigure-auth0-saml-identity-provider\u002Fconfigure-saml2-addon-eloqua"},{"title":"Configure Pluralsight as SAML Service Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on\u002Foutbound-single-sign-on\u002Fconfigure-auth0-saml-identity-provider\u002Fconfigure-auth0-as-identity-provider-for-pluralsight"},{"title":"Configure Sprout Video as SAML Service Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on\u002Foutbound-single-sign-on\u002Fconfigure-auth0-saml-identity-provider\u002Fconfigure-auth0-as-identity-provider-for-sprout-video"},{"title":"Configure Tableau Online as SAML Service Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on\u002Foutbound-single-sign-on\u002Fconfigure-auth0-saml-identity-provider\u002Fconfigure-auth0-as-identity-provider-for-tableau-online"},{"title":"Configure Tableau Server as SAML Service Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on\u002Foutbound-single-sign-on\u002Fconfigure-auth0-saml-identity-provider\u002Fconfigure-auth0-as-identity-provider-for-tableau-server"},{"title":"Configure Workday as SAML Service 
Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on\u002Foutbound-single-sign-on\u002Fconfigure-auth0-saml-identity-provider\u002Fconfigure-auth0-as-identity-provider-for-workday"},{"title":"Configure Workpath as SAML Service Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on\u002Foutbound-single-sign-on\u002Fconfigure-auth0-saml-identity-provider\u002Fconfigure-auth0-as-identity-provider-for-workpath"}]}]},{"title":"API Endpoints for Single Sign-On","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on\u002Fapi-endpoints-for-single-sign-on"},{"title":"Okta Access Gateway","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on\u002Fokta-access-gateway"}]},{"title":"Passwordless","description":"Let users enter mobile phone numbers or email addresses and receive a one-time code or link to log in without a password.","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fpasswordless","showCards":true,"children":[{"title":"Authentication Methods","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fpasswordless\u002Fauthentication-methods","showCards":true,"children":[{"title":"Passwordless Authentication with Email","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fpasswordless\u002Fauthentication-methods\u002Femail-otp"},{"title":"Passwordless Authentication with Magic Links","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fpasswordless\u002Fauthentication-methods\u002Femail-magic-link"},{"title":"Passwordless Authentication with SMS","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fpasswordless\u002Fauthentication-methods\u002Fsms-otp"},{"title":"Set Up Custom SMS Gateway for Passwordless Connections","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fpasswordless\u002Fauthentication-methods\u002Fuse-sms-gateway-passwordless"}]},{"title":"Implement 
Login","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fpasswordless\u002Fimplement-login","showCards":true,"children":[{"title":"Passwordless Authentication with Universal Login","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fpasswordless\u002Fimplement-login\u002Funiversal-login"},{"title":"Embedded Login","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fpasswordless\u002Fimplement-login\u002Fembedded-login","showCards":true,"children":[{"title":"Using Passwordless APIs","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fpasswordless\u002Fimplement-login\u002Fembedded-login\u002Frelevant-api-endpoints"},{"title":"Embedded Passwordless Authentication for SPAs","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fpasswordless\u002Fimplement-login\u002Fembedded-login\u002Fspa"},{"title":"Embedded Passwordless Login in Native Applications","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fpasswordless\u002Fimplement-login\u002Fembedded-login\u002Fnative"},{"title":"Embedded Passwordless Login in Regular Web Applications","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fpasswordless\u002Fimplement-login\u002Fembedded-login\u002Fwebapps"}]}]},{"title":"Passwordless with Universal Login","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fpasswordless\u002Fpasswordless-with-universal-login"},{"title":"Passwordless Connection Limitations","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fpasswordless\u002Fpasswordless-connection-limitations"},{"title":"Passwordless Connections Best Practices","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fpasswordless\u002Fbest-practices"},{"title":"Sample Use Cases - Rules with Passwordless Authentication","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fpasswordless\u002Fsample-use-cases-rules"}]}]},{"title":"Provision Users","description":"Source users from social identity providers (such as Facebook or SalesForce), enterprise 
user stores (such as Active Directory or Google Workspace), a custom database, and more.","type":"navigationSubsection","showCards":true,"quickstarts":false,"children":[{"title":"Identity Providers","description":"Set up sources of user accounts to authenticate your applications and APIs.","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers","showCards":true,"children":[{"title":"Social Identity Providers","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fsocial-identity-providers","showCards":true,"children":[{"title":"Connect Apps to Generic OAuth2 Authorization Servers","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fsocial-identity-providers\u002Foauth2"},{"title":"Add Sign In with Apple to Native iOS Apps","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fsocial-identity-providers\u002Fapple-native"},{"title":"Add Facebook Login to Native Apps","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fsocial-identity-providers\u002Ffacebook-native"},{"title":"Handle Declined Authorization Permissions","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fsocial-identity-providers\u002Freprompt-permissions"},{"title":"Test Social Connections with Auth0 Developer Keys","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fsocial-identity-providers\u002Fdevkeys"},{"title":"Create a Custom Social Connection with TikTok","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fsocial-identity-providers\u002Ftiktok"}]},{"title":"Enterprise Identity Providers","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers","showCards":true,"children":[{"title":"Connect Your App to Active Directory using 
LDAP","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Factive-directory-ldap","showCards":true,"children":[{"title":"AD\u002FLDAP Connector","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Factive-directory-ldap\u002Fad-ldap-connector","showCards":true,"children":[{"title":"AD\u002FLDAP Connector System Requirements","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Factive-directory-ldap\u002Fad-ldap-connector\u002Fad-ldap-connector-requirements"},{"title":"Install and Configure AD\u002FLDAP Connector","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Factive-directory-ldap\u002Fad-ldap-connector\u002Finstall-configure-ad-ldap-connector"},{"title":"Configure AD\u002FLDAP Connector Authentication with Client Certificates","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Factive-directory-ldap\u002Fad-ldap-connector\u002Fconfigure-ad-ldap-connector-client-certificates"},{"title":"Configure AD\u002FLDAP Connector Authentication with Kerberos","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Factive-directory-ldap\u002Fad-ldap-connector\u002Fconfigure-ad-ldap-connector-with-kerberos"},{"title":"AD\u002FLDAP Connector Configuration File Schema","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Factive-directory-ldap\u002Fad-ldap-connector\u002Fad-ldap-connector-config-file-schema"},{"title":"Import and Export AD\u002FLDAP Connector 
Configurations","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Factive-directory-ldap\u002Fad-ldap-connector\u002Fimport-export-ad-ldap-connector-configs"},{"title":"Map AD\u002FLDAP Profile Attributes to Auth0 User Profile","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Factive-directory-ldap\u002Fad-ldap-connector\u002Fmap-ad-ldap-profile-attributes-to-auth0"},{"title":"Point AD\u002FLDAP Connector to Auth0 Connections","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Factive-directory-ldap\u002Fad-ldap-connector\u002Fad-ldap-connector-to-auth0"},{"title":"Update AD\u002FLDAP Connectors","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Factive-directory-ldap\u002Fad-ldap-connector\u002Fupdate-ad-ldap-connectors"},{"title":"Disable AD\u002FLDAP Connection Credential Caching","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Factive-directory-ldap\u002Fad-ldap-connector\u002Fdisable-credential-caching"},{"title":"Deploy AD\u002FLDAP Connectors for High Availability Environments","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Factive-directory-ldap\u002Fad-ldap-connector\u002Fad-ldap-high-availability"},{"title":"Set Up AD\u002FLDAP Connector Test Environment","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Factive-directory-ldap\u002Fad-ldap-connector\u002Fad-ldap-connector-test-environment"},{"title":"Monitor AD\u002FLDAP Connector with System Center Operations 
Manager","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Factive-directory-ldap\u002Fad-ldap-connector\u002Fad-ldap-connector-scom"}]}]},{"title":"Connect Your App to ADFS","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Fadfs"},{"title":"Connect Your Native App to Microsoft Azure Active Directory Using Resource Owner Flow","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Fazure-active-directory-native"},{"title":"Connect Your App to Google Workspace","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Fgoogle-apps"},{"title":"Connect to OpenID Connect Identity Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Foidc"},{"title":"Connect Your Auth0 Application with Okta Workforce Enterprise Connection","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Fokta"},{"title":"Configure PKCE and Claim Mapping for OIDC Connections","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Fconfigure-pkce-claim-mapping-for-oidc"},{"title":"Connect Your PingFederate Server to Auth0","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Fping-federate"},{"title":"Connect Your App to SAML Identity Providers","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Fsaml"},{"title":"Connect Your App to Microsoft Azure Active Directory","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Fazure-active-directory\u002Fv2"},{"title":"Choose a 
Connection Type for Azure AD","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Fchoose-a-connection-type-for-azure-ad"},{"title":"Email Verification for Azure AD and ADFS","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Fazuread-adfs-email-verification"},{"title":"Enable Enterprise Connections","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Fenable-enterprise-connections"},{"title":"Test Enterprise Connections","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fenterprise-identity-providers\u002Ftest-enterprise-connections"}]},{"title":"Legal Identity Providers","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Flegal"},{"title":"View Connections","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fview-connections"},{"title":"Test Connections","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Ftest-connections"},{"title":"Locate the Connection ID or Name","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Flocate-the-connection-id"},{"title":"Retrieve Connection Options","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fretrieve-connection-options"},{"title":"Pass Parameters to Identity Providers","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fpass-parameters-to-idps"},{"title":"Promote Connections to Domain Level","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fpromote-connections-to-domain-level"},{"title":"Call an Identity Provider API","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fcalling-an-external-idp-api"},{"title":"Add Scopes\u002FPermissions to Call Identity Provider 
APIs","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fidentity-providers\u002Fadding-scopes-for-an-external-idp"}]},{"title":"Database Connections","description":"Authenticate users with an email\u002Fusername and password and save their credentials in an Auth0-provided user store or in your own database.","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections","showCards":true,"children":[{"title":"Auth0 User Store","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fauth0-user-store"},{"title":"Your User Store","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fcustom-db","showCards":true,"children":[{"title":"Authenticate with Your Own User Store","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fcustom-db\u002Foverview-custom-db-connections"},{"title":"Create Custom Database Connections","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fcustom-db\u002Fcreate-db-connection"},{"title":"Test Custom Database Connections","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fcustom-db\u002Ftest-custom-database-connections"},{"title":"Troubleshoot Custom Databases","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fcustom-db\u002Ferror-handling"},{"title":"Action Script Templates","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fcustom-db\u002Ftemplates","showCards":true,"children":[{"title":"Change Password Script Templates","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fcustom-db\u002Ftemplates\u002Fchange-password"},{"title":"Create Script Templates","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fcustom-db\u002Ftemplates\u002Fcreate"},{"title":"Delete Script 
Templates","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fcustom-db\u002Ftemplates\u002Fdelete"},{"title":"Get User Script Templates","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fcustom-db\u002Ftemplates\u002Fget-user"},{"title":"Login Script Templates","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fcustom-db\u002Ftemplates\u002Flogin"},{"title":"Verify Script Templates","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fcustom-db\u002Ftemplates\u002Fverify"},{"title":"Change Email Script Template","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fcustom-db\u002Ftemplates\u002Fchange-email"}]},{"title":"Custom Database and Action Script Best Practices","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fcustom-db\u002Fcustom-database-connections-scripts","showCards":true,"children":[{"title":"Custom Database Connection Anatomy Best Practices","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fcustom-db\u002Fcustom-database-connections-scripts\u002Fanatomy"},{"title":"Custom Database Action Script Environment Best Practices","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fcustom-db\u002Fcustom-database-connections-scripts\u002Fenvironment"},{"title":"Custom Database Action Script Execution Best Practices","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fcustom-db\u002Fcustom-database-connections-scripts\u002Fexecution"},{"title":"Custom Database Connection Security Best 
Practices","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fcustom-db\u002Fcustom-database-connections-scripts\u002Fconnection-security"}]}]},{"title":"Passkeys","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fpasskeys","showCards":true,"children":[{"title":"Configure Passkey Policy","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fpasskeys\u002Fconfigure-passkey-policy"},{"title":"Monitor Passkey Events in Tenant Logs","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fpasskeys\u002Fmonitor-passkey-events-in-tenant-logs"}]},{"title":"Password Options in Auth0 Database Connections","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fpassword-options"},{"title":"Password Strength in Auth0 Database Connections","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fpassword-strength"},{"title":"Change Users' Passwords","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fpassword-change"},{"title":"Adding Username for Database Connections","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Frequire-username"},{"title":"Login Script for IBM DB2","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fdb2-script"},{"title":"Activate and Configure Attributes for Flexible Identifiers","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Factivate-and-configure-attributes-for-flexible-identifiers"},{"title":"Flexible Identifiers and Attributes","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fdatabase-connections\u002Fflexible-identifiers-and-attributes"}]},{"title":"Enterprise Connections","description":"Authenticate users with external, federated identity providers such as Azure AD, Google Workspace, and 
PingFederate.","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fenterprise-connections","showCards":true,"children":[{"title":"Self-Service Single Sign-On","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fenterprise-connections\u002Fself-service-SSO"}]},{"title":"Protocols","description":"Easily implement open industry-standard protocols like OAuth 2.0, SAML, and LDAP for authentication and authorization.","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols","showCards":true,"children":[{"title":"SAML","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml","showCards":true,"children":[{"title":"SAML Identity Provider Configuration Settings","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml\u002Fsaml-identity-provider-configuration-settings"},{"title":"SAML Configuration","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml\u002Fsaml-configuration","showCards":true,"children":[{"title":"Customize SAML Assertions","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml\u002Fsaml-configuration\u002Fcustomize-saml-assertions"},{"title":"Deprovision Users in SAML Integrations","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml\u002Fsaml-configuration\u002Fdeprovision-users-in-saml-integrations"},{"title":"Test SAML SSO with Auth0 as Service Provider and Identity Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml\u002Fsaml-configuration\u002Fconfigure-auth0-as-service-and-identity-provider"},{"title":"Map SAML Attributes with Auth0 as IdP\u002FSAML Add-on","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml\u002Fsaml-configuration\u002Fsaml-attribute-mapping-examples"}]},{"title":"SAML Single Sign-On 
Integrations","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml\u002Fsaml-sso-integrations","showCards":true,"children":[{"title":"Configure SAML Identity Provider-Initiated Single Sign-On","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml\u002Fsaml-sso-integrations\u002Fidentity-provider-initiated-single-sign-on"},{"title":"Configure IdP-Initiated SAML Sign-on to OIDC Apps","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml\u002Fsaml-sso-integrations\u002Fconfigure-idp-initiated-saml-sign-on-to-oidc-apps"},{"title":"Configure Auth0 as SAML Service Provider","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml\u002Fsaml-sso-integrations\u002Fconfigure-auth0-saml-service-provider","showCards":true,"children":[{"title":"Configure ADFS as SAML Identity Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml\u002Fsaml-sso-integrations\u002Fconfigure-auth0-saml-service-provider\u002Fconfigure-adfs-saml-connections"},{"title":"Configure Okta as SAML Identity Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml\u002Fsaml-sso-integrations\u002Fconfigure-auth0-saml-service-provider\u002Fconfigure-okta-as-saml-identity-provider"},{"title":"Configure OneLogin as SAML Identity Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml\u002Fsaml-sso-integrations\u002Fconfigure-auth0-saml-service-provider\u002Fconfigure-onelogin-as-saml-identity-provider"},{"title":"Configure PingFederate as SAML Identity Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml\u002Fsaml-sso-integrations\u002Fconfigure-auth0-saml-service-provider\u002Fconfigure-pingfederate-as-saml-identity-provider"},{"title":"Configure Salesforce as SAML Identity 
Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml\u002Fsaml-sso-integrations\u002Fconfigure-auth0-saml-service-provider\u002Fconfigure-salesforce-as-saml-identity-provider"},{"title":"Configure SiteMinder as SAML Identity Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml\u002Fsaml-sso-integrations\u002Fconfigure-auth0-saml-service-provider\u002Fconfigure-siteminder-as-saml-identity-provider"},{"title":"Configure SSOCircle as SAML Identity Provider","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml\u002Fsaml-sso-integrations\u002Fconfigure-auth0-saml-service-provider\u002Fconfigure-ssocircle-as-saml-identity-provider"}]},{"title":"Enable SAML2 Web App Addon","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml\u002Fsaml-sso-integrations\u002Fenable-saml2-web-app-addon"},{"title":"Sign and Encrypt SAML Requests","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml\u002Fsaml-sso-integrations\u002Fsign-and-encrypt-saml-requests"},{"title":"Work with Certificates and Keys as Strings","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml\u002Fsaml-sso-integrations\u002Fwork-with-certificates-and-keys-as-strings"}]}]},{"title":"OpenID Connect Protocol","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fopenid-connect-protocol"},{"title":"OAuth 2.0 Authorization Framework","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Foauth"},{"title":"Web Services Federation Protocol","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fws-fed-protocol"},{"title":"Lightweight Directory Access Protocol","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fldap-protocol"},{"title":"System for Cross-domain Identity Management (SCIM)","description":"Articles associated with System for Cross-domain Identity Management 
(SCIM)","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fscim","showCards":true,"children":[{"title":"Configure Inbound SCIM","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fscim\u002Fconfigure-inbound-scim"},{"title":"Inbound SCIM for Azure AD SAML Connections","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fscim\u002Finbound-scim-for-azure-ad-saml-connections"},{"title":"Inbound SCIM for Older Azure AD Connections","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fscim\u002Finbound-scim-for-older-azure-ad-connections"},{"title":"Inbound SCIM for New Azure AD Connections","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fscim\u002Finbound-scim-for-new-azure-ad-connections"},{"title":"Inbound SCIM for Okta Workforce Connections","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fscim\u002Finbound-scim-for-okta-workforce-connections"},{"title":"Configure Inbound SCIM for Identity Providers using SAML or OpenID","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fscim\u002Fconfigure-inbound-scim-for-identity-providers-using-saml-or-openid"},{"title":"Inbound SCIM for Okta Workforce SAML Connections","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fscim\u002Finbound-scim-for-okta-workforce-saml-connections"},{"title":"Manage an Inbound SCIM Deployment with the Management API","type":"article","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fscim\u002Fmanage-an-inbound-scim-deployment-with-the-management-api"}]}]},{"title":"Connection Settings Best Practices","description":"Review best practices when configuring social and database connections.","type":"navigationItem","url":"\u002Fdocs\u002Fauthenticate\u002Fconnection-settings-best-practices","showCards":true}]}]},{"title":"Manage Users","description":"Store and manage custom details about your 
users.","type":"navigationSection","url":"\u002Fdocs\u002Fmanage-users","icon":"IdenticonUserManagement","children":[{"title":"Manage Users","description":"Import, group, and administer users and control their access.","type":"navigationSubsection","showCards":true,"quickstarts":false,"children":[{"title":"User Accounts","description":"Migrate, find, organize, and administer user accounts and user data.","type":"navigationItem","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts","showCards":true,"children":[{"title":"Manage Users Using the Dashboard","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fmanage-users-using-the-dashboard"},{"title":"Manage Users Using the Management API","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fmanage-users-using-the-management-api"},{"title":"User Profiles","type":"navigationItem","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fuser-profiles","showCards":true,"children":[{"title":"User Profile Structure","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fuser-profiles\u002Fuser-profile-structure"},{"title":"Sample User Profiles","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fuser-profiles\u002Fsample-user-profiles"},{"title":"Normalized User Profiles","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fuser-profiles\u002Fnormalized-user-profiles"},{"title":"Normalized User Profile Schema","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fuser-profiles\u002Fnormalized-user-profile-schema"},{"title":"Understand How Progressive Profiling Works","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fuser-profiles\u002Fprogressive-profiling"},{"title":"Root Attributes","type":"navigationItem","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fuser-profiles\u002Froot-attributes","showCards":true,"children":[{"title":"Set Root 
Attributes During User Import","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fuser-profiles\u002Froot-attributes\u002Fset-root-attributes-during-user-import"},{"title":"Set Root Attributes During User Signup","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fuser-profiles\u002Froot-attributes\u002Fset-root-attributes-during-user-sign-up"},{"title":"Update Root Attributes for Users","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fuser-profiles\u002Froot-attributes\u002Fupdate-root-attributes-for-users"}]},{"title":"Use Verified Email in User Profiles","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fuser-profiles\u002Fverified-email-usage"},{"title":"Configure Identity Provider Connection for User Profile Updates","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fuser-profiles\u002Fconfigure-connection-sync-with-auth0"},{"title":"Update User Profiles Using Your Database","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fuser-profiles\u002Fupdate-user-profiles-using-your-database"}]},{"title":"Metadata","type":"navigationItem","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fmetadata","showCards":true,"children":[{"title":"Metadata Field Names and Data Types","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fmetadata\u002Fmetadata-fields-data"},{"title":"Manage Metadata Using the Management API","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fmetadata\u002Fmanage-metadata-api"},{"title":"Manage Metadata with Rules","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fmetadata\u002Fmanage-metadata-rules"},{"title":"Manage Metadata with Lock","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fmetadata\u002Fmanage-metadata-lock"},{"title":"Configure Application 
Metadata","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fmetadata\u002Fconfigure-application-metadata"},{"title":"Manage User Metadata with the post-login Action Trigger","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fmetadata\u002Fmanage-user-metadata"}]},{"title":"Verify Emails using Auth0","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fverify-emails"},{"title":"User Account Linking","type":"navigationItem","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fuser-account-linking","showCards":true,"children":[{"title":"Link User Accounts","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fuser-account-linking\u002Flink-user-accounts"},{"title":"Unlink User Accounts","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fuser-account-linking\u002Funlink-user-accounts"},{"title":"User-Initiated Account Linking: Client-Side Implementation","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fuser-account-linking\u002Fuser-initiated-account-linking-client-side-implementation"},{"title":"User Account Linking: Server-Side Implementation","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fuser-account-linking\u002Fsuggested-account-linking-server-side-implementation"}]},{"title":"Create Users","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fcreate-users"},{"title":"Identify Users","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fidentify-users"},{"title":"View User Details","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fview-user-details"},{"title":"Change User Pictures","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fchange-user-picture"},{"title":"Manage User Access to 
Applications","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fmanage-user-access-to-applications"},{"title":"Deny User Access to an API with Rules","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fdeny-api-access"},{"title":"Block and Unblock Users","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fblock-and-unblock-users"},{"title":"Unlink Devices from Users","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Funlink-devices-from-users"},{"title":"Delete Users","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fdelete-users"},{"title":"Get User Information on Unbounce Landing Pages","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fget-user-information-on-unbounce-landing-pages"},{"title":"Resend Verification Emails","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-accounts\u002Fresend-verification-emails"}]},{"title":"User Migration","description":"Import users from external applications using custom database connections, the Auth0 Management API, or the User Import\u002FExport extension.","type":"navigationItem","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-migration","showCards":true,"children":[{"title":"Configure Automatic Migration from Your Database","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-migration\u002Fconfigure-automatic-migration-from-your-database"},{"title":"Bulk User Imports","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-migration\u002Fbulk-user-imports"},{"title":"Bulk User Import Database Schema and Examples","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-migration\u002Fbulk-user-import-database-schema-and-examples"},{"title":"Bulk User Exports","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-migration\u002Fbulk-user-exports"},{"title":"User Import \u002F Export 
Extension","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-migration\u002Fuser-import-export-extension"},{"title":"User Migration Scenarios","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-migration\u002Fuser-migration-scenarios"}]},{"title":"User Search","description":"Retrieve user profile details using the Auth0 Management API.","type":"navigationItem","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-search","showCards":true,"children":[{"title":"Retrieve Users with the Get Users Endpoint","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-search\u002Fretrieve-users-with-get-users-endpoint"},{"title":"Retrieve Users with Get Users by Email Endpoint","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-search\u002Fretrieve-users-with-get-users-by-email-endpoint"},{"title":"Retrieve Users with the Get Users by ID Endpoint","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-search\u002Fretrieve-users-with-get-users-by-id-endpoint"},{"title":"Sort Search Results","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-search\u002Fsort-search-results"},{"title":"View Search Results by Page","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-search\u002Fview-search-results-by-page"},{"title":"User Search Query Syntax","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-search\u002Fuser-search-query-syntax"},{"title":"User Search Best Practices","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fuser-search\u002Fuser-search-best-practices"}]},{"title":"Organizations","description":"Manage your partners and customers and control the ways that end-users access your applications.","type":"navigationItem","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations","showCards":true,"children":[{"title":"Understand How Auth0 Organizations Work","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Forganizations-overview"},{"title":"Create Your First 
Organization","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fcreate-first-organization"},{"title":"Login Flows for Organizations","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Flogin-flows-for-organizations"},{"title":"Custom Development with Organizations","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fcustom-development"},{"title":"Work with Tokens and Organizations","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fusing-tokens"},{"title":"Configure Organizations","type":"navigationItem","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fconfigure-organizations","showCards":true,"children":[{"title":"Create Organizations","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fconfigure-organizations\u002Fcreate-organizations"},{"title":"Delete Organizations","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fconfigure-organizations\u002Fdelete-organizations"},{"title":"Use Organization Names in Authentication API","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fconfigure-organizations\u002Fuse-org-name-authentication-api"},{"title":"Define Organization Behavior","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fconfigure-organizations\u002Fdefine-organization-behavior"},{"title":"Enable Organization Connections","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fconfigure-organizations\u002Fenable-connections"},{"title":"Disable Organization Connections","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fconfigure-organizations\u002Fdisable-connections"},{"title":"Invite Organization Members","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fconfigure-organizations\u002Finvite-members"},{"title":"Send Organization Membership 
Invitations","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fconfigure-organizations\u002Fsend-membership-invitations"},{"title":"Grant Just-In-Time Membership to an Organization Connection","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fconfigure-organizations\u002Fgrant-just-in-time-membership"},{"title":"Assign Members to an Organization","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fconfigure-organizations\u002Fassign-members"},{"title":"Remove Members From Organizations","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fconfigure-organizations\u002Fremove-members"},{"title":"Add Roles to Organization Members","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fconfigure-organizations\u002Fadd-member-roles"},{"title":"Remove Roles from Organization Members","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fconfigure-organizations\u002Fremove-member-roles"},{"title":"Retrieve Organizations","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fconfigure-organizations\u002Fretrieve-organizations"},{"title":"Search for Organizations","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fconfigure-organizations\u002Fsearch-for-organizations"},{"title":"Retrieve Organization Connections","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fconfigure-organizations\u002Fretrieve-connections"},{"title":"Retrieve Organization Members","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fconfigure-organizations\u002Fretrieve-members"},{"title":"Search Organization Members","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fconfigure-organizations\u002Fsearch-organization-members"},{"title":"Retrieve User's Organization 
Memberships","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fconfigure-organizations\u002Fretrieve-user-membership"},{"title":"Retrieve Member Roles for an Organization","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Fconfigure-organizations\u002Fretrieve-member-roles"}]},{"title":"Machine-to-Machine (M2M) Access for Organizations","description":"Learn how to set up machine-to-machine access for Organizations. ","type":"navigationItem","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Forganizations-for-m2m-applications","showCards":false,"children":[{"title":"Configure Your Application For M2M Access","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Forganizations-for-m2m-applications\u002Fconfigure-your-application-for-m2m-access"},{"title":"Authorize M2M Access","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Forganizations-for-m2m-applications\u002Fauthorize-m2m-access"},{"title":"Revoke M2M Access","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Forganizations-for-m2m-applications\u002Frevoke-m2m-access"},{"title":"Audit M2M Access","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations\u002Forganizations-for-m2m-applications\u002Faudit-m2m-access"}]}]}]},{"title":"Manage Access","description":"Control who can interact within your applications.","type":"navigationSubsection","showCards":true,"quickstarts":false,"children":[{"title":"Access Control","description":"Control users’ access to applications and information based on roles.","type":"navigationItem","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control","showCards":true,"children":[{"title":"Role-Based Access Control","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Frbac"},{"title":"Authorization 
Policies","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fauthorization-policies"},{"title":"Rules for Authorization Policies","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Frules-for-authorization-policies"},{"title":"Sample Use Cases: Role-Based Access Control","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fsample-use-cases-role-based-access-control"},{"title":"Sample Use Cases: Actions with Authorization","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fsample-use-cases-actions-with-authorization"},{"title":"Sample Use Cases: Rules with Authorization","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fsample-use-cases-rules-with-authorization"},{"title":"Authorization Core vs. Authorization Extension","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fauthorization-core-vs-authorization-extension"},{"title":"Configure Core RBAC","type":"navigationItem","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fconfigure-core-rbac","showCards":true,"children":[{"title":"Manage Role-Based Access Control Roles","type":"navigationItem","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fconfigure-core-rbac\u002Froles","showCards":true,"children":[{"title":"View Users Assigned to Roles","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fconfigure-core-rbac\u002Froles\u002Fview-users-assigned-to-roles"},{"title":"View Role Permissions","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fconfigure-core-rbac\u002Froles\u002Fview-role-permissions"},{"title":"Remove Permissions from Roles","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fconfigure-core-rbac\u002Froles\u002Fremove-permissions-from-roles"},{"title":"Edit Role 
Definitions","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fconfigure-core-rbac\u002Froles\u002Fedit-role-definitions"},{"title":"Delete Roles","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fconfigure-core-rbac\u002Froles\u002Fdelete-roles"},{"title":"Create Roles","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fconfigure-core-rbac\u002Froles\u002Fcreate-roles"},{"title":"Add Permissions to Roles","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fconfigure-core-rbac\u002Froles\u002Fadd-permissions-to-roles"}]},{"title":"Manage Role-Based Access Control Users","type":"navigationItem","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fconfigure-core-rbac\u002Frbac-users","showCards":true,"children":[{"title":"View Roles Assigned to Users","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fconfigure-core-rbac\u002Frbac-users\u002Fview-user-roles"},{"title":"View User Permissions","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fconfigure-core-rbac\u002Frbac-users\u002Fview-user-permissions"},{"title":"Remove Roles from Users","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fconfigure-core-rbac\u002Frbac-users\u002Fremove-roles-from-users"},{"title":"Remove Permissions from Users","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fconfigure-core-rbac\u002Frbac-users\u002Fremove-permissions-from-users"},{"title":"Assign Roles to Users","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fconfigure-core-rbac\u002Frbac-users\u002Fassign-roles-to-users"},{"title":"Assign Permissions to Users","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fconfigure-core-rbac\u002Frbac-users\u002Fassign-permissions-to-users"}]},{"title":"Manage Role-Based Access Control 
Permissions","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fconfigure-core-rbac\u002Fmanage-permissions"},{"title":"Enable Role-Based Access Control for APIs","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Fconfigure-core-rbac\u002Fenable-role-based-access-control-for-apis"}]}]},{"title":"Sessions","description":"Define groups of interactions (such as page views, events, social interactions, and e-commerce transactions) between a user and an application that take place within a given timeframe.","type":"navigationItem","url":"\u002Fdocs\u002Fmanage-users\u002Fsessions","showCards":true,"children":[{"title":"Session Layers","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fsessions\u002Fsession-layers"},{"title":"Session Lifetime Limits","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fsessions\u002Fsession-lifetime-limits"},{"title":"Configure Session Lifetime Settings","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fsessions\u002Fconfigure-session-lifetime-settings"},{"title":"Non-Persistent Sessions","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fsessions\u002Fnon-persistent-sessions"},{"title":"Sessions with Actions","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fsessions\u002Fmanage-sessions-actions"},{"title":"Manage Multi-Site Sessions with Auth0 SDK","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fsessions\u002Fmanage-multi-site-sessions"},{"title":"Manage User Sessions with Auth0 Management API","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fsessions\u002Fmanage-user-sessions-with-auth0-management-api"}]},{"title":"Cookies","description":"Control how cookies work with your applications.","type":"navigationItem","url":"\u002Fdocs\u002Fmanage-users\u002Fcookies","showCards":true,"children":[{"title":"Authentication API 
Cookies","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fcookies\u002Fauthentication-api-cookies"},{"title":"Authenticate Single-Page Apps With Cookies","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fcookies\u002Fspa-authenticate-with-cookies"},{"title":"SameSite Cookie Attribute Changes","type":"article","url":"\u002Fdocs\u002Fmanage-users\u002Fcookies\u002Fsamesite-cookie-attribute-changes"}]}]}]},{"title":"Customize","description":"Customize Auth0 using your own branding and extend our functionality to solve your unique identity needs.","type":"navigationSection","url":"\u002Fdocs\u002Fcustomize","icon":"IdenticonCustomize","children":[{"title":"Brand Customization","description":"Seamlessly integrate Auth0 with your own brand and localize the experience for international users.","type":"navigationSubsection","showCards":true,"quickstarts":false,"children":[{"title":"Customize Login Pages","description":"Customize the Universal Login and Classic Login experiences","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Flogin-pages","showCards":true,"children":[{"title":"Customize Universal Login ","description":"Learn how to customize Universal Login pages","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Flogin-pages\u002Funiversal-login","showCards":true,"children":[{"title":"Customize Universal Login Page Themes","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Flogin-pages\u002Funiversal-login\u002Fcustomize-themes"},{"title":"Customize Universal Login Page Templates","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Flogin-pages\u002Funiversal-login\u002Fcustomize-templates"},{"title":"Customize Universal Login Text Elements","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Flogin-pages\u002Funiversal-login\u002Fcustomize-text-elements"},{"title":"Customize Signup and Login 
Prompts","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Flogin-pages\u002Funiversal-login\u002Fcustomize-signup-and-login-prompts"}]},{"title":"Customize Classic Login","description":"Learn how to customize the Classic Login experience","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Flogin-pages\u002Fclassic-login","showCards":true,"children":[{"title":"Customize Classic Login Pages","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Flogin-pages\u002Fclassic-login\u002Fcustomization-classic"},{"title":"Customize Classic Login Pages with Lock or SDK","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Flogin-pages\u002Fclassic-login\u002Fcustomize-with-lock-sdk"},{"title":"Customize Lock Error Messages","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Flogin-pages\u002Fclassic-login\u002Fcustomize-lock-error-messages"},{"title":"Customize Classic Password Reset Page","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Flogin-pages\u002Fclassic-login\u002Fcustomize-password-reset-page"},{"title":"Classic Login Page Version Control","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Flogin-pages\u002Fclassic-login\u002Fversion-control"}]},{"title":"Customize Consent Prompts","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Flogin-pages\u002Fcustomize-consent-prompts"},{"title":"Customize Error Pages","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Flogin-pages\u002Fcustom-error-pages"}]},{"title":"Custom Domains","description":"Unify the login experience with your own brand and products.","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fcustom-domains","showCards":true,"children":[{"title":"Configure Custom Domains with Auth0-Managed Certificates","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fcustom-domains\u002Fauth0-managed-certificates"},{"title":"Self-Managed 
Certificates","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fcustom-domains\u002Fself-managed-certificates","showCards":true,"children":[{"title":"Configure Google Cloud Platform with Load Balancing as Reverse Proxy","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fcustom-domains\u002Fself-managed-certificates\u002Fconfigure-gcp-as-reverse-proxy"},{"title":"Configure Cloudflare as Reverse Proxy","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fcustom-domains\u002Fself-managed-certificates\u002Fconfigure-cloudflare-for-use-as-reverse-proxy"},{"title":"Configure AWS CloudFront as Reverse Proxy","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fcustom-domains\u002Fself-managed-certificates\u002Fconfigure-aws-cloudfront-for-use-as-reverse-proxy"},{"title":"Configure Azure CDN as Reverse Proxy","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fcustom-domains\u002Fself-managed-certificates\u002Fconfigure-azure-cdn-for-use-as-reverse-proxy"},{"title":"Configure Akamai as Reverse Proxy","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fcustom-domains\u002Fself-managed-certificates\u002Fconfigure-akamai-for-use-as-reverse-proxy"},{"title":"TLS (SSL) Versions and Ciphers","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fcustom-domains\u002Fself-managed-certificates\u002Ftls-ssl"}]},{"title":"Configure Features to Use Custom Domains","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fcustom-domains\u002Fconfigure-features-to-use-custom-domains"}]},{"title":"Customize Emails","description":"Brand and modify the content and flow of email to end users.","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Femail","showCards":true,"children":[{"title":"Customize Email Handling","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Femail\u002Fmanage-email-flow"},{"title":"Email Templates","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Femail\u002Femail-templates","showCards":true,"children":[{"title":"Use 
Liquid Syntax in Email Templates","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Femail\u002Femail-templates\u002Fuse-liquid-syntax-in-email-templates"},{"title":"Email Template Descriptions","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Femail\u002Femail-templates\u002Femail-template-descriptions"}]},{"title":"Configure a Custom Email Provider","description":"Learn how to configure a custom email provider. ","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Femail\u002Fconfigure-a-custom-email-provider","showCards":false,"children":[{"title":"Action Triggers: custom-email-provider Event Object","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Femail\u002Fconfigure-a-custom-email-provider\u002Faction-triggers-custom-email-provider-event-object"},{"title":"Action Triggers: custom-email-provider API Object","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Femail\u002Fconfigure-a-custom-email-provider\u002Faction-triggers-custom-email-provider-api-object"}]},{"title":"Customize Blocked Account Emails","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Femail\u002Fcustomize-blocked-account-emails"},{"title":"Send Email Invitations for Application Signup","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Femail\u002Fsend-email-invitations-for-application-signup"},{"title":"SMTP Email Providers","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Femail\u002Fsmtp-email-providers","showCards":true,"children":[{"title":"Configure Amazon SES as External SMTP Email Provider","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Femail\u002Fsmtp-email-providers\u002Fconfigure-amazon-ses-as-external-smtp-email-provider"},{"title":"Configure Azure Communication Services as External SMTP Email Provider","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Femail\u002Fsmtp-email-providers\u002Fconfigure-azure-comm-service-as-smtp-email-provider"},{"title":"Configure Mandrill as External SMTP Email 
Provider","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Femail\u002Fsmtp-email-providers\u002Fconfigure-mandrill-as-external-smtp-email-provider"},{"title":"Configure Microsoft 365 Exchange Online as External SMTP Email Provider","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Femail\u002Fsmtp-email-providers\u002Fconfigure-365-exchange-as-smtp-email-provider"},{"title":"Configure SendGrid as External SMTP Email Provider","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Femail\u002Fsmtp-email-providers\u002Fconfigure-sendgrid-as-external-smtp-email-provider"},{"title":"Configure SparkPost as External SMTP Email Provider","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Femail\u002Fsmtp-email-providers\u002Fconfigure-sparkpost-as-external-smtp-email-provider"},{"title":"Configure Mailgun as External SMTP Email Provider","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Femail\u002Fsmtp-email-providers\u002Fconfigure-mailgun-as-external-smtp-email-provider"},{"title":"Configure Custom External SMTP Email Provider","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Femail\u002Fsmtp-email-providers\u002Fconfigure-custom-external-smtp-email-provider"}]},{"title":"Configure Test SMTP Email Server","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Femail\u002Fconfigure-test-smtp-email-servers"},{"title":"Troubleshoot Custom Email Provider Delivery Issues","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Femail\u002Ftroubleshoot-custom-email-provider-delivery-issues"}]},{"title":"Customize Phone Messages","description":"Learn how to customize your phone message flows in the Auth0 Dashboard. ","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fphone-messages","showCards":false,"children":[{"title":"Configure Phone Messaging Providers","description":"Learn how to configure a phone messaging provider. 
","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fphone-messages\u002Fconfigure-phone-messaging-providers","showCards":true,"children":[{"title":"Configure Twilio as a Phone Messaging Provider","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fphone-messages\u002Fconfigure-phone-messaging-providers\u002Fconfigure-twilio-as-a-phone-messaging-provider"},{"title":"Configure a Custom Phone Provider ","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fphone-messages\u002Fconfigure-phone-messaging-providers\u002Fconfigure-a-custom-phone-provider"},{"title":"Actions Triggers: custom-phone-provider Event Object ","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fphone-messages\u002Fconfigure-phone-messaging-providers\u002Factions-triggers-custom-phone-provider-event-object"},{"title":"Action Triggers: custom-phone-provider API Object ","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fphone-messages\u002Fconfigure-phone-messaging-providers\u002Faction-triggers-custom-phone-provider-api-object"}]},{"title":"Customize Phone Templates","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fphone-messages\u002Fcustomize-phone-templates"}]},{"title":"Customize Multi-factor Authentication SMS and Voice Messages","description":"Learn how to customize SMS and voice messages sent by Auth0 during enrollment and verification.","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fcustomize-sms-or-voice-messages","showCards":true},{"title":"Internationalization and Localization","description":"Learn how to handle different languages within your Auth0 applications.","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Finternationalization-and-localization","showCards":true,"children":[{"title":"Universal Login Internationalization","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Finternationalization-and-localization\u002Funiversal-login-internationalization"},{"title":"Lock 
Internationalization","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Finternationalization-and-localization\u002Flock-internationalization"},{"title":"Lock.swift Internationalization","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Finternationalization-and-localization\u002Flock-swift-internationalization"},{"title":"Lock.Android Internationalization","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Finternationalization-and-localization\u002Flock-android-internationalization"},{"title":"Customize Translation of Lock Password Options","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Finternationalization-and-localization\u002Fpassword-options-translation"}]}]},{"title":"Code Customization","description":"Create Actions to customize and extend Auth0’s capabilities with custom logic. Or maintain legacy Rules and Hooks. ","type":"navigationSubsection","showCards":true,"quickstarts":false,"children":[{"title":"Actions","description":"Customize Auth0 capabilities with secure, tenant-specific, versioned functions that execute at certain points during the Auth0 runtime.","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Factions","showCards":true,"children":[{"title":"Understand How Auth0 Actions Work","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Factions-overview"},{"title":"Write Your First Action","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fwrite-your-first-action"},{"title":"Explore Triggers","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers","showCards":true,"children":[{"title":"Signup and Login Triggers","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fsignup-and-login-triggers","showCards":true,"children":[{"title":"Login 
Trigger","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fsignup-and-login-triggers\u002Flogin-trigger","showCards":true,"children":[{"title":"Actions Triggers: post-login - Event Object","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fsignup-and-login-triggers\u002Flogin-trigger\u002Fpost-login-event-object"},{"title":"Actions Triggers: post-login - API Object","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fsignup-and-login-triggers\u002Flogin-trigger\u002Fpost-login-api-object"},{"title":"Redirect with Actions","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fsignup-and-login-triggers\u002Flogin-trigger\u002Fredirect-with-actions"},{"title":"Releases","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fsignup-and-login-triggers\u002Flogin-trigger\u002Freleases"}]},{"title":"Pre-user Registration Trigger","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fsignup-and-login-triggers\u002Fpre-user-registration-trigger","showCards":true,"children":[{"title":"Actions Triggers: pre-user-registration - Event Object","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fsignup-and-login-triggers\u002Fpre-user-registration-trigger\u002Fpre-user-registration-event-object"},{"title":"Actions Triggers: pre-user-registration - API Object","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fsignup-and-login-triggers\u002Fpre-user-registration-trigger\u002Fpre-user-registration-api-object"}]},{"title":"Post-user Registration Trigger","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fsignup-and-login-triggers\u002Fpost-user-registration-trigger","showCards":true,"children":[{"title":"Actions Triggers: 
post-user-registration - Event Object","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fsignup-and-login-triggers\u002Fpost-user-registration-trigger\u002Fpost-user-registration-event-object"},{"title":"Actions - Triggers - post-user-registration - API object","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fsignup-and-login-triggers\u002Fpost-user-registration-trigger\u002Fpost-user-registration-api-object"}]}]},{"title":"MFA Notifications Trigger","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fmfa-notifications-trigger","showCards":true,"children":[{"title":"Actions Triggers: send-phone-message - Event Object","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fmfa-notifications-trigger\u002Fsend-phone-message-event-object"},{"title":"Actions Triggers: send-phone-message - API Object","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fmfa-notifications-trigger\u002Fsend-phone-message-api-object"}]},{"title":"Password Reset Triggers","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fpassword-reset-triggers","showCards":true,"children":[{"title":"Post-challenge Trigger","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fpassword-reset-triggers\u002Fpost-challenge-trigger","showCards":true,"children":[{"title":"Actions Triggers: post-challenge - Event Object","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fpassword-reset-triggers\u002Fpost-challenge-trigger\u002Fpost-challenge-event-object"},{"title":"Actions Triggers: post-challenge - API 
Object","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fpassword-reset-triggers\u002Fpost-challenge-trigger\u002Fpost-challenge-api-object"}]},{"title":"Post Change Password Trigger","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fpassword-reset-triggers\u002Fpost-change-password-trigger","showCards":true,"children":[{"title":"Actions Triggers: post-change-password - Event Object","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fpassword-reset-triggers\u002Fpost-change-password-trigger\u002Fpost-change-password-event-object"},{"title":"Actions Triggers: post-change-password - API Object","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fpassword-reset-triggers\u002Fpost-change-password-trigger\u002Fpost-change-password-api-object"}]}]},{"title":"Machine to Machine Trigger","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fmachine-to-machine-trigger","showCards":true,"children":[{"title":"Actions Triggers: credentials-exchange - Event Object","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fmachine-to-machine-trigger\u002Fcredentials-exchange-event-object"},{"title":"Actions Triggers: credentials-exchange - API Object","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fexplore-triggers\u002Fmachine-to-machine-trigger\u002Fcredentials-exchange-api-object"}]}]},{"title":"Action Use Cases","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fuse-cases"},{"title":"Action Coding Guidelines","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Faction-coding-guidelines"},{"title":"Actions Limitations","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Flimitations"},{"title":"Manage 
Dependencies","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fmanage-dependencies"},{"title":"Manage Versions","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fmanage-versions"},{"title":"Test Actions","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Ftest-actions"},{"title":"Releases","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Freleases"},{"title":"Migrate to Actions","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fmigrate","showCards":true,"children":[{"title":"Migrate from Rules to Actions","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fmigrate\u002Fmigrate-from-rules-to-actions"},{"title":"Migration tooling","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fmigrate\u002Fmigrate-a-rule-to-an-action"},{"title":"Migrate from Hooks to Actions","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fmigrate\u002Fmigrate-from-hooks-to-actions"},{"title":"Migrate from Actions Beta to Final","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fmigrate\u002Fmigrate-from-actions-beta-to-final"},{"title":"Actions Migration Limitations","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Fmigrate\u002Factions-migration-limitations"}]},{"title":"Templates for Actions","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Factions\u002Factions-templates"}]},{"title":"Forms","description":"Extend your identity flows with additional steps and custom logic with Forms.","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fforms","showCards":true,"children":[{"title":"Nodes and 
components","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fnodes-and-components"},{"title":"Flows","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fflows","showCards":true,"children":[{"title":"Integrations","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fflows\u002Fintegrations","showCards":true,"children":[{"title":"Auth0","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fflows\u002Fintegrations\u002Fauth0"},{"title":"Data verification","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fflows\u002Fintegrations\u002Fdata-verification"},{"title":"HTTP Request","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fflows\u002Fintegrations\u002Fhttp-request"},{"title":"JSON","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fflows\u002Fintegrations\u002Fjson"},{"title":"JSON Web Token","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fflows\u002Fintegrations\u002Fjson-web-token"},{"title":"Logic","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fflows\u002Fintegrations\u002Flogic"},{"title":"Mailjet","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fflows\u002Fintegrations\u002Fmailjet"},{"title":"SendGrid","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fflows\u002Fintegrations\u002Fsendgrid"},{"title":"Telegram","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fflows\u002Fintegrations\u002Ftelegram"},{"title":"Twilio","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fflows\u002Fintegrations\u002Ftwilio"},{"title":"WhatsApp","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fflows\u002Fintegrations\u002Fwhatsapp"},{"title":"XML","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fflows\u002Fintegrations\u002Fxml"}]},{"title":"Execution and 
Debugger","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fflows\u002Fflow-execution-and-debugger"}]},{"title":"Variables and helper functions","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fvariables"},{"title":"Routers","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Frouters"},{"title":"Custom Field Components","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fcustom-field-components"},{"title":"Render Forms using Actions","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Frender"},{"title":"Vault","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fvault"},{"title":"Custom Messages and Translation","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fcustom-messages-and-translation"},{"title":"Resources: Templates","type":"externalLink","url":"https:\u002F\u002Fdeveloper.auth0.com\u002Fresources\u002Ftemplates\u002Fforms","external":true,"forceFullReload":true},{"title":"Use Cases: Configure a progressive profile form using Forms","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fconfigure-progressive-profile-form"},{"title":"Use Cases: Configure an update policy form using Forms","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fconfigure-update-policy-form"},{"title":"Use Cases: Configure additional signup steps using Forms","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fforms\u002Fconfigure-additional-signup-steps"}]},{"title":"Rules","description":"Maintain legacy rules that your applications use in the authentication pipeline.","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Frules","showCards":true,"children":[{"title":"Create Rules","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Frules\u002Fcreate-rules"},{"title":"Configure Global Variables for Rules","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Frules\u002Fconfigure-global-variables-for-rules"},{"title":"Store Rule 
Configurations","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Frules\u002Fconfiguration"},{"title":"Cache Expensive Resources in Rules","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Frules\u002Fcache-resources"},{"title":"Debug Rules","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Frules\u002Fdebug-rules"},{"title":"Use the Management API from within Rules","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Frules\u002Fuse-management-api"},{"title":"Redirect Users from Within Rules","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Frules\u002Fredirect-users"},{"title":"User Object Properties in Rules","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Frules\u002Fuser-object-in-rules"},{"title":"Context Object Properties in Rules","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Frules\u002Fcontext-object"},{"title":"Raise Errors from Rules","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Frules\u002Fraise-errors-from-rules"}]},{"title":"Hooks","description":"Maintain legacy hooks for selected extensibility points of the Auth0 platform.","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fhooks","showCards":true,"children":[{"title":"Create Hooks","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fhooks\u002Fcreate-hooks"},{"title":"Update Hooks","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fhooks\u002Fupdate-hooks"},{"title":"Delete Hooks","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fhooks\u002Fdelete-hooks"},{"title":"Enable\u002FDisable Hooks","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fhooks\u002Fenable-disable-hooks"},{"title":"View Hooks","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fhooks\u002Fview-hooks"},{"title":"View Logs for Hooks","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fhooks\u002Fview-logs-for-hooks"},{"title":"Hook 
Secrets","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fhooks\u002Fhook-secrets","showCards":true,"children":[{"title":"Create Hook Secrets","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fhooks\u002Fhook-secrets\u002Fcreate-hook-secrets"},{"title":"Update Hook Secrets","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fhooks\u002Fhook-secrets\u002Fupdate-hook-secrets"},{"title":"Delete Hook Secrets","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fhooks\u002Fhook-secrets\u002Fdelete-hook-secrets"},{"title":"View Hook Secrets","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fhooks\u002Fhook-secrets\u002Fview-hook-secrets"}]}]}]},{"title":"Third-Party Customization","description":"Take advantage of third-party integrations and Auth0 extensions to expand what Auth0 can do for your systems.","type":"navigationSubsection","showCards":true,"quickstarts":false,"children":[{"title":"Extensions","description":"Use Auth0 Extensions to install applications or run commands\u002Fscripts that extend the capabilities of the Auth0 base product.","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fextensions","showCards":true,"children":[{"title":"Authorization Extension","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fauthorization-extension","showCards":true,"children":[{"title":"Install Authorization Extension","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fauthorization-extension\u002Finstall-authorization-extension"},{"title":"Configure Authorization Extension","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fauthorization-extension\u002Fconfigure-authorization-extension"},{"title":"Set Up Users in Authorization Extension Dashboard","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fauthorization-extension\u002Fset-up-authorization-extension-users"},{"title":"Enable API Access to Authorization 
Extension","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fauthorization-extension\u002Fenable-api-access-to-authorization-extension"},{"title":"Import and Export Authorization Extension Data","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fauthorization-extension\u002Fimport-and-export-authorization-extension-data"},{"title":"Use Rules with the Authorization Extension","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fauthorization-extension\u002Fuse-rules-with-the-authorization-extension"},{"title":"Migrate to Authorization Extension v2","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fauthorization-extension\u002Fmigrate-to-authorization-extension-v2"}]},{"title":"Delegated Administration Extension","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fdelegated-administration-extension","showCards":true,"children":[{"title":"Install Delegated Admin Extension","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fdelegated-administration-extension\u002Finstall-delegated-admin-extension"},{"title":"Create Delegated Admin Applications","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fdelegated-administration-extension\u002Fcreate-delegated-admin-applications"},{"title":"Delegated Administration Extension Hooks","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fdelegated-administration-extension\u002Fdelegated-administration-hooks","showCards":true,"children":[{"title":"Delegated Administration: Access Hook","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fdelegated-administration-extension\u002Fdelegated-administration-hooks\u002Fdelegated-administration-access-hook"},{"title":"Delegated Administration: Filter 
Hook","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fdelegated-administration-extension\u002Fdelegated-administration-hooks\u002Fdelegated-administration-filter-hook"},{"title":"Delegated Administration: Memberships Query Hook","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fdelegated-administration-extension\u002Fdelegated-administration-hooks\u002Fdelegated-administration-memberships-query-hook"},{"title":"Delegated Administration: Settings Query Hook","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fdelegated-administration-extension\u002Fdelegated-administration-hooks\u002Fdelegated-administration-settings-query-hook"},{"title":"Delegated Administration: Write Hook","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fdelegated-administration-extension\u002Fdelegated-administration-hooks\u002Fdelegated-administration-write-hook"}]},{"title":"Delegated Administration: Manage Users","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fdelegated-administration-extension\u002Fdelegated-administration-manage-users"}]},{"title":"Single Sign-On Dashboard Extension","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fsingle-sign-on-dashboard-extension","showCards":true,"children":[{"title":"Install Single Sign-On Dashboard Extension","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fsingle-sign-on-dashboard-extension\u002Finstall-sso-dashboard-extension"},{"title":"Create Single Sign-on (SSO) Dashboard Application","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fsingle-sign-on-dashboard-extension\u002Fcreate-sso-dashboard-application"},{"title":"Add Applications to Single Sign-On Dashboard","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fsingle-sign-on-dashboard-extension\u002Fadd-applications-to-the-sso-dashboard"},{"title":"Update Applications in the SSO 
Dashboard","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fsingle-sign-on-dashboard-extension\u002Fupdate-applications-on-the-sso-dashboard"}]},{"title":"Authentication API Debugger Extension","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fauthentication-api-debugger-extension"},{"title":"Auth0 AD\u002FLDAP Connector Health Monitor Extension","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fad-ldap-connector-health-monitor"},{"title":"Real-time Webtask Logs Extension","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Freal-time-webtask-logs"},{"title":"Account Link Extension","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Faccount-link-extension"},{"title":"User Import \u002F Export Extension","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fextensions\u002Fuser-import-export-extension"}]},{"title":"Integrations ","description":"Reduce implementation time with Auth0-reviewed integrations you can trust.","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations","showCards":true,"children":[{"title":"Integrate with Amazon Web Services and Products","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Faws","showCards":true,"children":[{"title":"Configure Amazon Web Services for Delegated Authentication","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Faws\u002Fhow-to-set-up-aws-for-delegated-authentication"},{"title":"Configure Amazon Web Services for Single Sign-On","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Faws\u002Fconfigure-amazon-web-services-for-sso"},{"title":"Secure AWS API Gateway Endpoints Using Custom Authorizers","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Faws\u002Faws-api-gateway-custom-authorizers"},{"title":"Use Amazon Web Services Session Tags for Role-Based Access 
Control","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Faws\u002Fsession-tags"},{"title":"Serverless Apps with API Gateway and Lambda","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Faws\u002Faws-api-gateway-delegation","showCards":true,"children":[{"title":"AWS API Gateway Tutorial Step 1","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Faws\u002Faws-api-gateway-delegation\u002Faws-api-gateway-delegation-1"},{"title":"AWS API Gateway Tutorial Step 2","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Faws\u002Faws-api-gateway-delegation\u002Faws-api-gateway-delegation-2"},{"title":"AWS API Gateway Tutorial Step 3","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Faws\u002Faws-api-gateway-delegation\u002Faws-api-gateway-delegation-3"},{"title":"AWS API Gateway Tutorial Step 4","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Faws\u002Faws-api-gateway-delegation\u002Faws-api-gateway-delegation-4"},{"title":"AWS API Gateway Tutorial Step 5","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Faws\u002Faws-api-gateway-delegation\u002Faws-api-gateway-delegation-5"}]},{"title":"Integrate with Amazon Cognito","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Faws\u002Famazon-cognito"},{"title":"Secure AWS API Gateway Using Cognito","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Faws\u002Faws-api-gateway-cognito"}]},{"title":"Integrate with Azure API Management","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fazure-api-management"},{"title":"Secure Google Cloud Endpoints with Auth0","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fgoogle-cloud-endpoints"},{"title":"Secure a CLI with Auth0","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fsecure-a-cli-with-auth0"},{"title":"Secure Apigee 
with Auth0","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fapigee"},{"title":"Single Sign-On Integrations","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fsso-integrations"},{"title":"Marketing Tool Integrations","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fmarketing-tool-integrations","showCards":true,"children":[{"title":"Export User Data to Adobe Campaign","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fmarketing-tool-integrations\u002Fadobe-campaign"},{"title":"Export User Data to Alterian","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fmarketing-tool-integrations\u002Falterian"},{"title":"Export User Data to Constant Contact","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fmarketing-tool-integrations\u002Fconstant-contact"},{"title":"Export User Data to Oracle Eloqua","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fmarketing-tool-integrations\u002Feloqua"},{"title":"Export User Data to MailChimp","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fmarketing-tool-integrations\u002Fmailchimp"},{"title":"Export User Data to Marketo","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fmarketing-tool-integrations\u002Fmarketo"},{"title":"Export User Data to Sailthru","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fmarketing-tool-integrations\u002Fsailthru"},{"title":"Export User Data to Salesforce","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fmarketing-tool-integrations\u002Fexport-user-data-salesforce"},{"title":"Export User Data to Salesforce Marketing Cloud","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fmarketing-tool-integrations\u002Fsalesforce-marketing-cloud"},{"title":"Export User Data to Watson Campaign 
Automation","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fmarketing-tool-integrations\u002Fwatson-campaign-automation"}]},{"title":"Marketplace Partners","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fmarketplace-partners","showCards":true,"children":[{"title":"Introduction to Integrating with Auth0","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fmarketplace-partners\u002Fintroduction-to-integrating-with-auth0"},{"title":"Defining an Integration Use Case","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fmarketplace-partners\u002Fdefining-an-integration-use-case"},{"title":"Actions Integrations for Partners","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fmarketplace-partners\u002Factions-integrations-for-partners"},{"title":"Redirect Actions for Partners","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fmarketplace-partners\u002Fredirect-actions-for-partners"},{"title":"Social Connections for Partners","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fmarketplace-partners\u002Fsocial-connections-for-partners"},{"title":"SSO Integrations for Partners","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fmarketplace-partners\u002Fsso-integrations-for-partners"},{"title":"Writing Tips for Installation Guides","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fmarketplace-partners\u002Fwriting-tips-for-installation-guides"}]},{"title":"Integrate with SharePoint 2010\u002F2013","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fsharepoint-2010-2013"},{"title":"Integrate with Vercel","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fintegrate-with-vercel"},{"title":"Connect Provider Hosted Apps to SharePoint 
Online","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fconnecting-provider-hosted-apps-to-sharepoint-online"},{"title":"CMS Identity Plugins","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fcms","showCards":true,"children":[{"title":"Login by Auth0 WordPress Plugin","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fcms\u002Fwordpress-plugin","showCards":true,"children":[{"title":"Integrate with WordPress","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fcms\u002Fwordpress-plugin\u002Fintegrate-with-wordpress"},{"title":"Install Login by Auth0","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fcms\u002Fwordpress-plugin\u002Finstall-login-by-auth0"},{"title":"Configure Login by Auth0","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fcms\u002Fwordpress-plugin\u002Fconfigure-login-by-auth0"},{"title":"User Migration in Login by Auth0 WordPress Plugin","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fcms\u002Fwordpress-plugin\u002Fuser-migration-in-login-by-auth0"},{"title":"Extend Login by Auth0 WordPress Plugin","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fcms\u002Fwordpress-plugin\u002Fextend-login-by-auth0"},{"title":"Troubleshoot Login by Auth0 WordPress Plugin","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fcms\u002Fwordpress-plugin\u002Ftroubleshoot-login-by-auth0"},{"title":"Troubleshoot WordPress Plugin Invalid State Errors","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fcms\u002Fwordpress-plugin\u002Ftroubleshoot-wordpress-plugin-invalid-state-errors"}]}]},{"title":"Authenticating & Authorizing a Tessel device with Auth0","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fauthenticating-and-authorizing-a-tessel-device-with-auth0"},{"title":"Authenticating & Authorizing Devices 
using MQTT with Auth0","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fauthenticate-devices-using-mqtt"},{"title":"Migrate Office365 Connections to Windows Azure AD","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Fmigrate-office365-connections-to-windows-azure-ad"},{"title":"Office 365 Custom Provisioning","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Fintegrations\u002Foffice-365-custom-provisioning"}]},{"title":"Log Streams","description":"Monitor and respond to events such as changed passwords or new registrations with your own business logic.","type":"navigationItem","url":"\u002Fdocs\u002Fcustomize\u002Flog-streams","showCards":true,"children":[{"title":"Integrated Log Streaming Services","type":"externalLink","url":"https:\u002F\u002Fmarketplace.auth0.com\u002Ffeatures\u002Flog-streaming","external":true,"forceFullReload":true},{"title":"Create Custom Log Streams Using Webhooks","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Flog-streams\u002Fcustom-log-streams"},{"title":"Check Log Stream Health","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Flog-streams\u002Fcheck-log-stream-health"},{"title":"Log Stream Filters","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Flog-streams\u002Fevent-filters"},{"title":"Use Auth0 App for Splunk","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Flog-streams\u002Fsplunk-dashboard"},{"title":"Use Auth0 App for Sumo Logic","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Flog-streams\u002Fsumo-logic-dashboard"},{"title":"Use Auth0 Dashboard Templates with Datadog","type":"article","url":"\u002Fdocs\u002Fcustomize\u002Flog-streams\u002Fdatadog-dashboard-templates"}]},{"title":"Auth0 Marketplace","type":"externalLink","url":"https:\u002F\u002Fmarketplace.auth0.com\u002F","external":true,"forceFullReload":true}]}]},{"title":"Secure","description":"Add multi-factor authentication and defend your application from bots, suspicious IPs, and 
password breaches.","type":"navigationSection","url":"\u002Fdocs\u002Fsecure","icon":"IdenticonSecurity","children":[{"title":"Protect Your Application","description":"Make sure only the right people can access your applications. ","type":"navigationSubsection","showCards":true,"quickstarts":false,"children":[{"title":"Application Credentials","description":"This section contains information about credentials for your application to authenticate.","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fapplication-credentials","showCards":true,"children":[{"title":"Generate RSA Key Pair","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fapplication-credentials\u002Fgenerate-rsa-key-pair"}]},{"title":"Attack Protection","description":"Detect attacks and stop malicious attempts to access your applications.","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fattack-protection","showCards":true,"children":[{"title":"Bot Detection","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fattack-protection\u002Fbot-detection","showCards":true,"children":[{"title":"Add Bot Detection to Native Applications","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fattack-protection\u002Fbot-detection\u002Fbot-detection-native-apps"},{"title":"Add Bot Detection to Passwordless Flows","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fattack-protection\u002Fbot-detection\u002Fbot-detection-passwordless-flows"},{"title":"Add Bot Detection to Custom Login Pages","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fattack-protection\u002Fbot-detection\u002Fbot-detection-custom-login-pages"},{"title":"Configure Third-Party CAPTCHA Provider Integrations","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fattack-protection\u002Fbot-detection\u002Fconfigure-captcha"}]},{"title":"Breached Password Detection","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fattack-protection\u002Fbreached-password-detection"},{"title":"Brute-Force 
Protection","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fattack-protection\u002Fbrute-force-protection"},{"title":"Suspicious IP Throttling","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fattack-protection\u002Fsuspicious-ip-throttling"},{"title":"View Attack Protection Log Events","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fattack-protection\u002Fview-attack-protection-events"},{"title":"Prevent Attacks and Redirect Users with OAuth 2.0 State Parameters","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fattack-protection\u002Fstate-parameters"}]},{"title":"Continuous Session Protection","description":"Enhance security and tailor the user experience through customizable session and refresh token management. ","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fcontinuous-session-protection","showCards":true},{"title":"Highly Regulated Identity","description":"Highly Regulated Identity is Auth0's Financial-Grade Identity ","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity","showCards":false,"children":[{"title":"Transactional Authorization with Contextual Strong Customer Authentication","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Ftransactional-authorization-with-contextual-sca"},{"title":"Customer Managed Keys","description":"Learn about how to manage your Auth0 keys","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Fcustomer-managed-keys","showCards":true,"children":[{"title":"Configure Customer Managed Keys with the Dashboard","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Fcustomer-managed-keys\u002Fcustomer-managed-keys-dashboard"},{"title":"Configure Customer Managed Keys with the Management API","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity\u002Fcustomer-managed-keys\u002Fcustomer-managed-keys-management-api"}]}]},{"title":"Multi-Factor 
Authentication","description":"Add additional checks to ensure passwords match up with the identity of the user or device accessing your applications.","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication","showCards":true,"children":[{"title":"Enable Multi-Factor Authentication","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fenable-mfa"},{"title":"Multi-Factor Authentication Factors","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fmulti-factor-authentication-factors","showCards":true,"children":[{"title":"Configure Push Notifications for MFA","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fmulti-factor-authentication-factors\u002Fconfigure-push-notifications-for-mfa"},{"title":"Configure OTP Notifications for MFA","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fmulti-factor-authentication-factors\u002Fconfigure-otp-notifications-for-mfa"},{"title":"Configure Email Notifications for MFA","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fmulti-factor-authentication-factors\u002Fconfigure-email-notifications-for-mfa"},{"title":"Configure SMS and Voice Notifications for MFA","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fmulti-factor-authentication-factors\u002Fconfigure-sms-voice-notifications-mfa"}]},{"title":"WebAuthn as Multi-Factor Authentication","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fwebauthn-as-mfa"},{"title":"Configure Cisco Duo Security for MFA","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fconfigure-cisco-duo-for-mfa"},{"title":"FIDO Authentication with 
WebAuthn","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Ffido-authentication-with-webauthn","showCards":true,"children":[{"title":"Configure WebAuthn with Security Keys for MFA","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Ffido-authentication-with-webauthn\u002Fconfigure-webauthn-security-keys-for-mfa"},{"title":"Configure WebAuthn with Device Biometrics for MFA","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Ffido-authentication-with-webauthn\u002Fconfigure-webauthn-device-biometrics-for-mfa"}]},{"title":"Adaptive MFA","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fadaptive-mfa","showCards":true,"children":[{"title":"Enable Adaptive MFA","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fadaptive-mfa\u002Fenable-adaptive-mfa"},{"title":"Customize Adaptive MFA","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fadaptive-mfa\u002Fcustomize-adaptive-mfa"},{"title":"Adaptive MFA Log Events","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fadaptive-mfa\u002Fadaptive-mfa-log-events"}]},{"title":"Auth0 Guardian","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fauth0-guardian","showCards":true,"children":[{"title":"Guardian.swift iOS SDK","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fauth0-guardian\u002Fguardian-for-ios-sdk"},{"title":"Guardian for Android SDK","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fauth0-guardian\u002Fguardian-for-android-sdk"}]},{"title":"Customize MFA","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fcustomize-mfa","showCards":true,"children":[{"title":"Customize MFA Selection for Universal 
Login","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fcustomize-mfa\u002Fcustomize-mfa-selection-universal-login"},{"title":"Customize MFA Enrollments for Universal Login","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fcustomize-mfa\u002Fcustomize-mfa-enrollments-universal-login"},{"title":"Customize MFA for Classic Login","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fcustomize-mfa\u002Fcustomize-mfa-classic-login"},{"title":"MFA Theme Language Dictionary","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fcustomize-mfa\u002Fmfa-theme-language-dictionary"},{"title":"MFA Widget Theme Options","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fcustomize-mfa\u002Fmfa-widget-theme-options"}]},{"title":"Authenticate Using ROPG Flow with MFA","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fauthenticate-using-ropg-flow-with-mfa","showCards":true,"children":[{"title":"Enroll and Challenge SMS and Voice Authenticators","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fauthenticate-using-ropg-flow-with-mfa\u002Fenroll-challenge-sms-voice-authenticators"},{"title":"Enroll and Challenge OTP Authenticators","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fauthenticate-using-ropg-flow-with-mfa\u002Fenroll-and-challenge-otp-authenticators"},{"title":"Enroll and Challenge Push Authenticators","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fauthenticate-using-ropg-flow-with-mfa\u002Fenroll-and-challenge-push-authenticators"},{"title":"Enroll and Challenge Email 
Authenticators","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fauthenticate-using-ropg-flow-with-mfa\u002Fenroll-and-challenge-email-authenticators"},{"title":"Import User MFA Authenticator Enrollments","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fauthenticate-using-ropg-flow-with-mfa\u002Fimport-user-mfa-authenticator-enrollments"},{"title":"Challenge with Recovery Codes","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fauthenticate-using-ropg-flow-with-mfa\u002Fchallenge-with-recovery-codes"}]},{"title":"Step-Up Authentication","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fstep-up-authentication","showCards":true,"children":[{"title":"Configure Step-up Authentication for APIs","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fstep-up-authentication\u002Fconfigure-step-up-authentication-for-apis"},{"title":"Configure Step-up Authentication for Web Apps","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fstep-up-authentication\u002Fconfigure-step-up-authentication-for-web-apps"}]},{"title":"Configure Recovery Codes for MFA","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fconfigure-recovery-codes-for-mfa"},{"title":"Manage Authentication Factors with APIs","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fmanage-mfa-auth0-apis","showCards":true,"children":[{"title":"Manage Authentication Methods with Management API","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fmanage-mfa-auth0-apis\u002Fmanage-authentication-methods-with-management-api"},{"title":"Manage Authentication Factors with Authentication 
API","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fmanage-mfa-auth0-apis\u002Fmanage-authenticator-factors-mfa-api"}]},{"title":"Reset User Multi-Factor Authentication and Recovery Codes","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Freset-user-mfa"},{"title":"Multi-factor Authentication Developer Resources","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fmulti-factor-authentication-developer-resources","showCards":true,"children":[{"title":"Auth0 MFA API","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fmulti-factor-authentication-developer-resources\u002Fmfa-api"},{"title":"Create Custom Enrollment Tickets","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fmulti-factor-authentication-developer-resources\u002Fcreate-custom-enrollment-tickets"},{"title":"Install Guardian SDK","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fmulti-factor-authentication-developer-resources\u002Finstall-guardian-sdk"},{"title":"Guardian Error Code Reference","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication\u002Fmulti-factor-authentication-developer-resources\u002Fguardian-error-code-reference"},{"title":"Auth0 MFA Client Library","type":"externalLink","url":"https:\u002F\u002Fgithub.com\u002Fauth0\u002Fauth0-guardian.js","external":true,"forceFullReload":true},{"title":"Create Custom MFA Widget","type":"externalLink","url":"https:\u002F\u002Fgithub.com\u002Fauth0\u002Fauth0-guardian.js\u002Ftree\u002Fmaster\u002Fexample","external":true,"forceFullReload":true}]}]},{"title":"Security Center","description":"Observe potential attack trends and quickly respond to them in 
real-time.","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-center","showCards":true,"children":[{"title":"Metrics","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-center\u002Fmetrics"},{"title":"Prioritized Log Streams","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-center\u002Fprioritized-log-streams"},{"title":"Configure Security Monitoring Alerts","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-center\u002Fsecurity-alerts"}]},{"title":"Security Guidance","description":"View security bulletins and learn basic tips to secure data and accounts.","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance","showCards":true,"children":[{"title":"General Security Tips","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Ftips"},{"title":"Security Bulletins","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins","showCards":true,"children":[{"title":"CVE-2022-23539, CVE-2022-23541, CVE-2022-23540: Security Update for jsonwebtoken","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002F2022-12-21-jsonwebtoken"},{"title":"CVE-2022-23505: Security Update for passport-wsfed-saml2 Library","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2022-23505"},{"title":"CVE-2022-24794: Security Update for Express OpenID Connect Library","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2022-24794"},{"title":"CVE-2021-43812: Security Update for Next.js Auth0 Library","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2021-43812"},{"title":"CVE-2021-41246: Security Update for Express OpenID Connect 
Library","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2021-41246"},{"title":"CVE-2021-32702: Security Update for Auth0 Next.js Library","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2021-32702"},{"title":"CVE-2021-32641: Security Update for Auth0 Lock Library","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2021-32641"},{"title":"CVE-2020-15259: Security Update for ad-ldap-connector","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2020-15259"},{"title":"CVE-2020-15240: Security Update for omniauth-auth0 JWT Validation","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2020-15240"},{"title":"CVE-2020-15125: Security Update for node-auth0 Library","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2020-15125"},{"title":"CVE-2020-15119: Security Update for Auth0 Lock Library","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2020-15119"},{"title":"CVE-2020-15084: Security Update for express-jwt Library","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2020-15084"},{"title":"CVE-2020-5391, CVE-2020-5392, CVE-2020-6753, CVE-2020-7948, CVE-2020-7947: Security Update for WordPress Plugin for Auth0","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002F2020-03-31-wpauth0"},{"title":"CVE-2020-5263: Security Update for auth0.js Library","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2020-5263"},{"title":"CVE-2019-20174: Security Update for Auth0 Lock 
Library","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2019-20174"},{"title":"CVE-2019-16929: Security Vulnerability in auth0.net","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2019-16929"},{"title":"CVE-2019-13483: Security Vulnerability in Passport-SharePoint","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2019-13483"},{"title":"CVE-2019-7644: Security Vulnerability in Auth0-WCF-Service-JWT","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2019-7644"},{"title":"CVE-2019-20173: Security Update for WordPress Plugin for Auth0 wp-auth0","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2019-20173"},{"title":"CVE-2018-15121: Security Vulnerability in auth0-aspnet and auth0-aspnet-owin","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2018-15121"},{"title":"CVE-2018-11537: Security Update for angular-jwt Allow List Bypass","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2018-11537"},{"title":"CVE-2018-7307: Security Vulnerability for auth0.js \u003C 9.3","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2018-7307"},{"title":"CVE-2018-6874: Security Vulnerability in the Auth0 Authentication Service","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2018-6874"},{"title":"CVE-2018-6873: Security Vulnerability in the Auth0 Authentication Service","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2018-6873"},{"title":"CVE-2017-17068: Security Update for auth0.js Popup Callback 
Vulnerability","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2017-17068"},{"title":"CVE-2017-16897: Security Update for passport-wsfed-saml2 Passport Strategy Library","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002Fcve-2017-16897"},{"title":"Auth0 Security Bulletin for Rules","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002F2019-01-10-rules"},{"title":"Auth0 Security Bulletin for Assigning Scopes Based on Email Address","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fsecurity-bulletins\u002F2019-09-05-scopes"}]},{"title":"Data Security","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fdata-security","showCards":true,"children":[{"title":"Auth0 IP Addresses for Allow Lists ","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fdata-security\u002Fallowlist"},{"title":"Add User Attributes to Deny List","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fdata-security\u002Fdenylist"},{"title":"User Data Storage","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fdata-security\u002Fuser-data-storage"},{"title":"Token Storage","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fdata-security\u002Ftoken-storage"}]},{"title":"Prevent Common Cybersecurity Threats","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fprevent-threats"},{"title":"Incident Response: Using Logs","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fsecurity-guidance\u002Fincident-response-using-logs"}]},{"title":"Tokens","description":"Explore the types of tokens related to identity and authentication and how they are used by Auth0.","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Ftokens","showCards":true,"children":[{"title":"JSON Web 
Tokens","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Fjson-web-tokens","showCards":true,"children":[{"title":"JSON Web Token Structure","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Fjson-web-tokens\u002Fjson-web-token-structure"},{"title":"JSON Web Token Claims","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Fjson-web-tokens\u002Fjson-web-token-claims"},{"title":"Create Custom Claims","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Fjson-web-tokens\u002Fcreate-custom-claims"},{"title":"Validate JSON Web Tokens","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Fjson-web-tokens\u002Fvalidate-json-web-tokens"},{"title":"JSON Web Key Sets","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Fjson-web-tokens\u002Fjson-web-key-sets"},{"title":"JSON Web Key Set Properties","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Fjson-web-tokens\u002Fjson-web-key-set-properties"},{"title":"Locate JSON Web Key Sets","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Fjson-web-tokens\u002Flocate-json-web-key-sets"}]},{"title":"ID Tokens","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Fid-tokens","showCards":true,"children":[{"title":"Validate ID Tokens","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Fid-tokens\u002Fvalidate-id-tokens"},{"title":"Get ID Tokens","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Fid-tokens\u002Fget-id-tokens"},{"title":"ID Token Structure","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Fid-tokens\u002Fid-token-structure"},{"title":"Update ID Token Lifetime","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Fid-tokens\u002Fupdate-id-token-lifetime"}]},{"title":"Access Tokens","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens","showCards":true,"children":[{"title":"Access Token 
Profiles","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Faccess-token-profiles"},{"title":"Get Access Tokens","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fget-access-tokens"},{"title":"Use Access Tokens","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fuse-access-tokens"},{"title":"Validate Access Tokens","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fvalidate-access-tokens"},{"title":"Update Access Token Lifetime","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fupdate-access-token-lifetime"},{"title":"Identity Provider Access Tokens","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fidentity-provider-access-tokens"},{"title":"Management API Access Tokens","description":"Learn about Auth0 Management APIv2 Access Tokens and how to use them.","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fmanagement-api-access-tokens","showCards":false,"children":[{"title":"Get Management API Access Tokens for Testing","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fmanagement-api-access-tokens\u002Fget-management-api-access-tokens-for-testing"},{"title":"Get Management API Access Tokens for Production","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fmanagement-api-access-tokens\u002Fget-management-api-access-tokens-for-production"},{"title":"Get Management API Access Tokens for Single-Page Applications","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fmanagement-api-access-tokens\u002Fget-management-api-tokens-for-single-page-applications"},{"title":"Changes in Auth0 Management APIv2 
Tokens","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fmanagement-api-access-tokens\u002Fchanges-in-auth0-management-apiv2-tokens"}]},{"title":"JSON Web Encryption","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens\u002Fjson-web-encryption"}]},{"title":"Delegation Tokens","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Fdelegation-tokens"},{"title":"Refresh Tokens","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Frefresh-tokens","showCards":true,"children":[{"title":"Get Refresh Tokens","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Frefresh-tokens\u002Fget-refresh-tokens"},{"title":"Use Refresh Tokens","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Frefresh-tokens\u002Fuse-refresh-tokens"},{"title":"Configure Refresh Token Expiration","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Frefresh-tokens\u002Fconfigure-refresh-token-expiration"},{"title":"Refresh Token Rotation","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Frefresh-tokens\u002Frefresh-token-rotation"},{"title":"Configure Refresh Token Rotation","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Frefresh-tokens\u002Fconfigure-refresh-token-rotation"},{"title":"Use Refresh Token Rotation","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Frefresh-tokens\u002Fuse-refresh-token-rotation"},{"title":"Disable Refresh Token Rotation","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Frefresh-tokens\u002Fdisable-refresh-token-rotation"},{"title":"Revoke Refresh Tokens","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Frefresh-tokens\u002Frevoke-refresh-tokens"},{"title":"Refresh Tokens with Actions","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Frefresh-tokens\u002Fmanage-refresh-tokens-actions"}]},{"title":"Revoke 
Tokens","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Frevoke-tokens"},{"title":"Manage Refresh Tokens with Auth0 Management API","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Fmanage-refresh-tokens-with-auth0-management-api"},{"title":"Token Best Practices","type":"article","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Ftoken-best-practices"}]}]},{"title":"Compliance","description":"Learn how Auth0 meets requirements for multiple compliance frameworks and certifications, including GDPR and HIPAA.","type":"navigationSubsection","showCards":true,"quickstarts":false,"children":[{"title":"Data Privacy and Compliance","description":"Read about Auth0’s compliance qualifications and data processing.","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fdata-privacy-and-compliance","showCards":true,"children":[{"title":"GDPR","type":"navigationItem","url":"\u002Fdocs\u002Fsecure\u002Fdata-privacy-and-compliance\u002Fgdpr","showCards":true,"children":[{"title":"GDPR: Conditions for Consent","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fdata-privacy-and-compliance\u002Fgdpr\u002Fgdpr-conditions-for-consent"},{"title":"GDPR: Track Consent with Custom UI","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fdata-privacy-and-compliance\u002Fgdpr\u002Fgdpr-track-consent-with-custom-ui"},{"title":"GDPR: Track Consent with Lock","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fdata-privacy-and-compliance\u002Fgdpr\u002Fgdpr-track-consent-with-lock"},{"title":"GDPR: Right to Access, Correct, and Erase Data","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fdata-privacy-and-compliance\u002Fgdpr\u002Fgdpr-right-to-access-correct-and-erase-data"},{"title":"GDPR: Data Minimization","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fdata-privacy-and-compliance\u002Fgdpr\u002Fgdpr-data-minimization"},{"title":"GDPR: Data 
Portability","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fdata-privacy-and-compliance\u002Fgdpr\u002Fgdpr-data-portability"},{"title":"GDPR: Protect and Secure User Data","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fdata-privacy-and-compliance\u002Fgdpr\u002Fgdpr-protect-and-secure-user-data"}]},{"title":"Auth0 Data Processing","type":"article","url":"\u002Fdocs\u002Fsecure\u002Fdata-privacy-and-compliance\u002Fdata-processing"}]}]}]},{"title":"Deploy and Monitor","description":"Deploy Auth0 for your applications and monitor system health and events.","type":"navigationSection","url":"\u002Fdocs\u002Fdeploy-monitor","icon":"IdenticonMonitoring","children":[{"title":"Deployment","description":"Plan, check, and execute your Auth0 deployment.","type":"navigationSubsection","showCards":true,"quickstarts":false,"children":[{"title":"Deployment Options","description":"Evaluate whether to deploy to the public cloud or to a private cloud.","type":"navigationItem","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fdeployment-options","showCards":true},{"title":"Private Cloud Deployments","description":"Explore the capabilities and limitations of different AWS and Azure private cloud options.","type":"navigationItem","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fdeploy-private-cloud","showCards":true,"children":[{"title":"Private Cloud on AWS","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fdeploy-private-cloud\u002Fprivate-cloud-on-aws"},{"title":"Private Cloud on Azure","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fdeploy-private-cloud\u002Fprivate-cloud-on-azure"},{"title":"Private Cloud Add-on Features","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fdeploy-private-cloud\u002Fprivate-cloud-add-on-features"}]},{"title":"Pre-Deployment Checks","description":"Run checks to ensure that your applications are ready for 
production.","type":"navigationItem","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fpre-deployment-checks","showCards":true,"children":[{"title":"Run Production Readiness Checks","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fpre-deployment-checks\u002Fhow-to-run-production-checks"},{"title":"Production Readiness Checks: Critical Fixes","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fpre-deployment-checks\u002Fproduction-check-required-fixes"},{"title":"Production Readiness Checks: Non-Critical Fixes","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fpre-deployment-checks\u002Fproduction-check-recommended-fixes"},{"title":"Production Readiness Checks: Best Practices","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fpre-deployment-checks\u002Fproduction-checks-best-practices"},{"title":"Run Pre-Deployment Tests","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fpre-deployment-checks\u002Fpredeployment-tests"},{"title":"Pre-Launch Tips","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fpre-deployment-checks\u002Fpre-launch-tips"}]},{"title":"Deployment Checklist","description":"Explore the Auth0-provided general deployment checklist for Auth0 implementations.","type":"navigationItem","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fdeploy-checklist","showCards":true},{"title":"Deploy CLI Tool","description":"Learn how Auth0 supports continuous integration and deployment using the Deploy CLI tool.","type":"navigationItem","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fdeploy-cli-tool","showCards":true,"children":[{"title":"Use as a CLI","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fdeploy-cli-tool\u002Fuse-as-a-cli"},{"title":"Use as a Node Module","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fdeploy-cli-tool\u002Fuse-as-a-node-module"},{"title":"Configure the Deploy 
CLI","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fdeploy-cli-tool\u002Fconfigure-the-deploy-cli"},{"title":"Authenticate with your Tenant","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fdeploy-cli-tool\u002Fauthenticate-with-your-tenant"},{"title":"Keyword Replacement","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fdeploy-cli-tool\u002Fkeyword-replacement"},{"title":"Incorporate into Multi-environment Workflows","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fdeploy-cli-tool\u002Fincorporate-into-multi-environment-workflows"},{"title":"Exclude Resources From Management","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fdeploy-cli-tool\u002Fexclude-resources-from-management"},{"title":"Resource-specific Documentation","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fdeploy-cli-tool\u002Fresource-specific-documentation"},{"title":"Available Resource Configuration Formats","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fdeploy-cli-tool\u002Favailable-resource-configuration-formats"}]},{"title":"Auth0 Terraform Provider","description":"Learn about the Auth0 Terraform Provider and how to use it to manage deployment of your Auth0 instances.","type":"navigationItem","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fauth0-terraform-provider","showCards":false},{"title":"Deployment Best Practices","description":"Explore best practices for deploying Auth0 implementations.","type":"navigationItem","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fdeployment-best-practices","showCards":true}]},{"title":"Monitoring","description":"Monitor events and service status and work with tenant log event data.","type":"navigationSubsection","showCards":true,"quickstarts":false,"children":[{"title":"Monitor","description":"Monitor your Auth0 implementation and Auth0 status and services.","type":"navigationItem","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fmonitor","showCards":true,"children":[{"title":"Check Auth0 
Status","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fmonitor\u002Fcheck-auth0-status"},{"title":"Check External Services Status","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fmonitor\u002Fcheck-external-services-status"},{"title":"Monitor Applications","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fmonitor\u002Fmonitor-applications"},{"title":"Monitor Auth0 Using System Center Operations Manager","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Fmonitor\u002Fmonitor-using-scom"}]},{"title":"Logs","description":"Manage event logs for business analysis and insights. ","type":"navigationItem","url":"\u002Fdocs\u002Fdeploy-monitor\u002Flogs","showCards":true,"children":[{"title":"Personally Identifiable Information in Auth0 Logs","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Flogs\u002Fpii-in-logs"},{"title":"Log Data Retention","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Flogs\u002Flog-data-retention"},{"title":"View Log Events","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Flogs\u002Fview-log-events"},{"title":"Filter Log Events","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Flogs\u002Flog-event-filters"},{"title":"Prompt Details in Tenant Logs","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Flogs\u002Fprompt-details-in-tenant-logs"},{"title":"Retrieve Log Events Using the Management API","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Flogs\u002Fretrieve-log-events-using-mgmt-api"},{"title":"Log Event Type Codes","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Flogs\u002Flog-event-type-codes"},{"title":"Log Search Query Syntax","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Flogs\u002Flog-search-query-syntax"},{"title":"Export Log Events with Rules","type":"article","url":"\u002Fdocs\u002Fdeploy-monitor\u002Flogs\u002Fexport-log-events-with-rules"}]}]}]},{"title":"Troubleshoot","description":"Troubleshoot challenges, 
learn about Auth0’s different levels of support, and get help.","type":"navigationSection","url":"\u002Fdocs\u002Ftroubleshoot","icon":"IdenticonTroubleshoot","children":[{"title":"Get Support","description":"Learn about Auth0’s support plans and procedures, service agreements, and community.","type":"navigationSubsection","showCards":true,"quickstarts":false,"children":[{"title":"Customer Support","description":"Learn about the different levels of support at Auth0.","type":"navigationItem","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support","showCards":true,"children":[{"title":"Premier Success Plans","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Fsupport-plans"},{"title":" Support Channels","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Fsupport-channels"},{"title":"Self Service Support","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Fself-service-support"},{"title":"Product Support Matrix","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Fproduct-support-matrix"},{"title":"Service Levels","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Fservices-level-descriptions"},{"title":"Open and Manage Support Tickets","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Fopen-and-manage-support-tickets"},{"title":"Manage Subscriptions","type":"navigationItem","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Fmanage-subscriptions","showCards":true,"children":[{"title":"Downgrade or Cancel Auth0 Subscriptions","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Fmanage-subscriptions\u002Fdowngrade-or-cancel-subscriptions"},{"title":"Delete or Reset Tenants","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Fmanage-subscriptions\u002Fdelete-or-reset-tenant"},{"title":"Export 
Data","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Fmanage-subscriptions\u002Fexport-data"},{"title":"Monitor Subscription Usage","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Fmanage-subscriptions\u002Fmonitor-subscription-usage"}]},{"title":"Reset Account Passwords","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Freset-account-passwords"},{"title":"Software Updates","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Fsoftware-updates"},{"title":"Auth0 Versioning Strategy","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Fversioning-strategy"},{"title":"Operational Policies","type":"navigationItem","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Foperational-policies","showCards":true,"children":[{"title":"Billing Policy","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Foperational-policies\u002Fbilling-policy"},{"title":"Auth0 Public Cloud Service Endpoints","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Foperational-policies\u002Fpublic-cloud-service-endpoints"},{"title":"Data Export and Transfer Policy","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Foperational-policies\u002Fdata-export-and-transfer-policy"},{"title":"Change Freeze Policy","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Foperational-policies\u002Fchange-freeze-policy"},{"title":"Load Testing Policy","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Foperational-policies\u002Fload-testing-policy"},{"title":"Penetration Testing Policy","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Foperational-policies\u002Fpenetration-testing-policy"},{"title":"Rate Limit 
Policy","type":"navigationItem","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Foperational-policies\u002Frate-limit-policy","showCards":true,"children":[{"title":"Rate Limit Use Cases","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Foperational-policies\u002Frate-limit-policy\u002Frate-limit-use-cases"},{"title":"Rate Limit Configurations","description":"Rate limit configurations for each subscription type","type":"navigationItem","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Foperational-policies\u002Frate-limit-policy\u002Frate-limit-configurations","showCards":true,"children":[{"title":"Free","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Foperational-policies\u002Frate-limit-policy\u002Frate-limit-configurations\u002Ffree-public"},{"title":"Self Service","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Foperational-policies\u002Frate-limit-policy\u002Frate-limit-configurations\u002Fself-service-public"},{"title":"Enterprise","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Foperational-policies\u002Frate-limit-policy\u002Frate-limit-configurations\u002Fenterprise-public"},{"title":"Tier Dev Private Cloud","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Foperational-policies\u002Frate-limit-policy\u002Frate-limit-configurations\u002Ftier-20-development-private-cloud"},{"title":"Private Cloud Basic 100 RPS (1x)","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Foperational-policies\u002Frate-limit-policy\u002Frate-limit-configurations\u002Ftier-100-rps-private-cloud"},{"title":"Private Cloud Performance 500 RPS (5x)","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Foperational-policies\u002Frate-limit-policy\u002Frate-limit-configurations\u002Ftier-500-rps-private-cloud"},{"title":"Private Cloud Performance 1500 RPS 
(15x)","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Foperational-policies\u002Frate-limit-policy\u002Frate-limit-configurations\u002Ftier-1500-rps-private-cloud"},{"title":"Private Cloud Performance 3000 RPS (30x) and 3000 RPS (30x) Burst","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Foperational-policies\u002Frate-limit-policy\u002Frate-limit-configurations\u002Ftier-3000-rps-private-cloud"},{"title":"Private Cloud Performance 6000 RPS (60x) and 6000 RPS (60x) Burst","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Foperational-policies\u002Frate-limit-policy\u002Frate-limit-configurations\u002Ftier-6000-rps-private-cloud"}]}]},{"title":"Entity Limit Policy","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Foperational-policies\u002Fentity-limit-policy"}]},{"title":"Auth0 Changelog","type":"externalLink","url":"https:\u002F\u002Fauth0.com\u002Fchangelog","external":true,"forceFullReload":true},{"title":"Responsible Disclosure Program Security Support Tickets","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Fresponsible-disclosure-program-security-support-tickets"},{"title":"Auth0 Enterprise and Premier Support","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Fauth0-enterprise-and-premier-support"},{"title":"Update Billing Information","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fcustomer-support\u002Fupdate-billing-information"}]}]},{"title":"Troubleshoot","description":"Explore solutions to common challenges.","type":"navigationSubsection","showCards":true,"quickstarts":false,"children":[{"title":"Commonplace Issues","description":"Learn fundamental troubleshooting tactics.","type":"navigationItem","url":"\u002Fdocs\u002Ftroubleshoot\u002Fbasic-issues","showCards":true,"children":[{"title":"Verify 
Platform","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fbasic-issues\u002Fverify-platform"},{"title":"Verify Connections","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fbasic-issues\u002Fverify-connections"},{"title":"Verify Domain","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fbasic-issues\u002Fverify-domain"},{"title":"Verify Rules","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fbasic-issues\u002Fverify-rules"},{"title":"Check Error Messages","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fbasic-issues\u002Fcheck-error-messages"},{"title":"Troubleshoot Invalid Token Errors","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fbasic-issues\u002Finvalid-token-errors"},{"title":"Check for Deprecation Errors","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fbasic-issues\u002Fsearch-logs-for-deprecation-errors"},{"title":"Deprecation Errors","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fbasic-issues\u002Fcheck-deprecation-errors"},{"title":"Recover Administrative Access to a Tenant","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fbasic-issues\u002Frecover-administrative-access-to-a-tenant"}]},{"title":"Authentication Issues","description":"Troubleshoot login and other authentication issues.","type":"navigationItem","url":"\u002Fdocs\u002Ftroubleshoot\u002Fauthentication-issues","showCards":true,"children":[{"title":"Check API Calls","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fauthentication-issues\u002Fcheck-api-calls"},{"title":"Check Login and Logout Issues","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fauthentication-issues\u002Fcheck-login-and-logout-issues"},{"title":"Check User Profiles","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fauthentication-issues\u002Fcheck-user-profiles"},{"title":"Troubleshoot Role-Based Access Control and 
Authorization","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fauthentication-issues\u002Ftroubleshoot-rbac-authorization"},{"title":"Troubleshoot Multi-Factor Authentication Issues","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fauthentication-issues\u002Ftroubleshoot-mfa-issues"},{"title":"Troubleshoot SAML Configurations","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fauthentication-issues\u002Ftroubleshoot-saml-configurations"},{"title":"Troubleshoot SAML Errors","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fauthentication-issues\u002Fsaml-errors"},{"title":"Self Change Password Errors","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fauthentication-issues\u002Fself-change-password-errors"},{"title":"Troubleshoot Authorization Extension","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fauthentication-issues\u002Ftroubleshoot-authorization-extension"},{"title":"Troubleshoot Renew Tokens When Using Safari","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fauthentication-issues\u002Frenew-tokens-when-using-safari"}]},{"title":"Integration and Extensibility Issues","description":"Troubleshoot issues integrating with third-party solutions.","type":"navigationItem","url":"\u002Fdocs\u002Ftroubleshoot\u002Fintegration-extensibility-issues","showCards":true,"children":[{"title":"Troubleshoot Custom Domains","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fintegration-extensibility-issues\u002Ftroubleshoot-custom-domains"},{"title":"Troubleshoot AD\u002FLDAP Connector","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fintegration-extensibility-issues\u002Ftroubleshoot-ad-ldap-connector"},{"title":"Troubleshoot Extensions","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fintegration-extensibility-issues\u002Ftroubleshoot-extensions"},{"title":"Troubleshoot Deploy CLI 
Tool","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fintegration-extensibility-issues\u002Ftroubleshoot-the-deploy-cli-tool"}]},{"title":"Troubleshooting Tools","description":"Learn how to generate and analyze HAR files, debug, and inspect tokens.","type":"navigationItem","url":"\u002Fdocs\u002Ftroubleshoot\u002Ftroubleshooting-tools","showCards":true,"children":[{"title":"Generate and Analyze HAR Files","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Ftroubleshooting-tools\u002Fgenerate-and-analyze-har-files"},{"title":"Sanitize HTTP Traces","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Ftroubleshooting-tools\u002Fsanitize-http-traces"},{"title":"JSON Web Token Inspector","type":"externalLink","url":"https:\u002F\u002Fjwt.io","external":true,"forceFullReload":true}]},{"title":"Debugging Best Practices","description":"Explore best practices for debugging your Auth0 implementation.","type":"navigationItem","url":"\u002Fdocs\u002Ftroubleshoot\u002Fdebugging-best-practices","showCards":true},{"title":"Error Handling Best Practices","description":"Explore best practices for handling error conditions.","type":"navigationItem","url":"\u002Fdocs\u002Ftroubleshoot\u002Ferror-handling-best-practices","showCards":true},{"title":"Performance Best Practices","description":"Learn about best practices for performance.","type":"navigationItem","url":"\u002Fdocs\u002Ftroubleshoot\u002Fperformance-best-practices","showCards":true},{"title":"General Usage and Operations Best Practices","description":"Explore best practices for general Auth0 usage and operation.","type":"navigationItem","url":"\u002Fdocs\u002Ftroubleshoot\u002Fgeneral-usage-and-operations-best-practices","showCards":true}]},{"title":"Auth0 Product Lifecycle","description":"Discover our iterative approach to product delivery.","type":"navigationSubsection","showCards":true,"quickstarts":false,"children":[{"title":"Product Lifecycle","description":"Learn how we’re constantly 
improving.","type":"navigationItem","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle","showCards":true,"children":[{"title":"Product Release Stages","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fproduct-release-stages"},{"title":"Migration Process","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fmigration-process"},{"title":"Deprecations and Migrations","type":"navigationItem","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fdeprecations-and-migrations","showCards":true,"children":[{"title":"Migrate from Node 12 and 16 to Node 18","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fdeprecations-and-migrations\u002Fmigrate-nodejs-16-to-nodejs-18"}]},{"title":"Past Migrations","type":"navigationItem","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations","showCards":true,"children":[{"title":"Migrate from edge.js extensibility features","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Fmigrate-from-edge-js-extensibility-features"},{"title":"Migrate from oracledb extensibility features","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Fmigrate-from-oracledb-extensibility-features"},{"title":"Migrate Custom Claims","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Fcustom-claims-migration"},{"title":"Migrate from Log Extensions","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Fmigrate-from-log-extensions"},{"title":"Migrate Tenant Hostname Validation","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Ftenant-hostname-migration"},{"title":"Migrate to Node.js 
16","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Fmigrate-to-nodejs-16"},{"title":"Migrate from Node.js 8 to Node.js 12","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Fmigrate-to-nodejs-12"},{"title":"Migrate to Management API v2 Endpoint Paginated Queries","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Fmigrate-to-paginated-queries"},{"title":"Migrate to New Tenant Member Roles","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Fmigrate-tenant-member-roles"},{"title":"Migrate from Search v2 to v3","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Fmigrate-v2-v3"},{"title":"Migrate to Passwordless Endpoint from Confidential Applications","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Fmigrate-to-passwordless"},{"title":"Clickjacking Protection for Universal Login Change","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Fclickjacking-protection-for-universal-login"},{"title":"Migrate to Management API Endpoints with Access Tokens","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Fmigrate-to-calling-api-with-access-tokens"},{"title":"Migrate to Access Tokens for Account Linking","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Flink-user-accounts-with-access-tokens-migration"},{"title":"Migrate Your Resource Owner Passwordless Credentials Exchange","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Fresource-owner-passwordless-credentials-exchange"},{"title":"Migrate Your Resource Owner Password 
Flow","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Fmigration-oauthro-oauthtoken"},{"title":"Instagram Connection Deprecation","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Finstagram-connection-deprecation"},{"title":"Yahoo API Changes","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Fyahoo-api-changes"},{"title":"Migrate from Google to Firebase Cloud Messaging","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Fgoogle-firebase-migration"},{"title":"Facebook Social Context Field Deprecation","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Ffacebook-social-context-field-deprecation"},{"title":"Facebook Graph API Changes","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Ffacebook-graph-api-changes"},{"title":"Migrate from Embedded Login to Universal Login","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Fmigrate-from-embedded-login-to-universal-login"},{"title":"Migrate from Legacy Authentication Flows","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Fmigrate-from-legacy-auth-flows"},{"title":"Migrate to Tenant Log Search v3","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Fmigrate-to-tenant-log-search-v3"},{"title":"Migrate to 1-Hour Login Flows Expiration","type":"article","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fpast-migrations\u002Fmigrate-to-1-hour-expiration"}]}]}]},{"title":"Auth0 Community","type":"externalLink","url":"https:\u002F\u002Fcommunity.auth0.com\u002F","external":true,"forceFullReload":true},{"title":"Auth0 
Blog","type":"externalLink","url":"https:\u002F\u002Fauth0.com\u002Fblog\u002F","external":true,"forceFullReload":true}]}],"apis":[{"title":"Overview","url":"\u002Fdocs\u002Fapi"},{"title":"Testing with Postman","url":"\u002Fdocs\u002Fapi\u002Fuse-auth0-apis-with-postman-collections","hidden":true},{"title":"Authentication API","url":"\u002Fdocs\u002Fapi\u002Fauthentication","external":true,"forceFullReload":true},{"title":"Changes in Management API v2","url":"\u002Fdocs\u002Fapi\u002Fmanagement-api-changes-v1-to-v2","forceFullReload":true,"hidden":true},{"title":"Management API Explorer","url":"\u002Fdocs\u002Fapi\u002Fmanagement\u002Fv2\u002F","forceFullReload":true,"external":true}],"libraries":[{"title":"Overview","url":"\u002Fdocs\u002Flibraries"},{"title":"Auth0 Single Page App SDK","url":"\u002Fdocs\u002Flibraries\u002Fauth0-single-page-app-sdk","children":[{"title":"Migrate from auth0.js","url":"\u002Fdocs\u002Flibraries\u002Fauth0-single-page-app-sdk\u002Fmigrate-from-auth0-js-to-the-auth0-single-page-app-sdk","hidden":true}]},{"title":"Auth0 React SDK","url":"\u002Fdocs\u002Flibraries\u002Fauth0-react"},{"title":"Auth0 Angular SPA SDK","url":"\u002Fdocs\u002Flibraries\u002Fauth0-angular-spa"},{"title":"Lock for Web","url":"\u002Fdocs\u002Flibraries\u002Flock","children":[{"title":"Overview","url":"\u002Fdocs\u002Flibraries\u002Flock"},{"title":"Configuration Options","url":"\u002Fdocs\u002Flibraries\u002Flock\u002Flock-configuration"},{"title":"API Reference","url":"\u002Fdocs\u002Flibraries\u002Flock\u002Flock-api-reference"},{"title":"UI Customization","url":"\u002Fdocs\u002Flibraries\u002Flock\u002Flock-ui-customization"},{"title":"Internationalization","url":"\u002Fdocs\u002Flibraries\u002Flock\u002Flock-internationalization"},{"title":"Customizing Errors","url":"\u002Fdocs\u002Flibraries\u002Flock\u002Fcustomize-lock-error-messages"},{"title":"Authentication 
Modes","url":"\u002Fdocs\u002Flibraries\u002Flock\u002Flock-authentication-modes"}]},{"title":"Lock for iOS","url":"\u002Fdocs\u002Flibraries\u002Flock-swift","children":[{"title":"Overview","url":"\u002Fdocs\u002Flibraries\u002Flock-swift"},{"title":"Styles Customization","url":"\u002Fdocs\u002Flibraries\u002Flock-swift\u002Flock-swift-customization"},{"title":"Behavior Configuration","url":"\u002Fdocs\u002Flibraries\u002Flock-swift\u002Flock-swift-configuration-options"},{"title":"Custom Fields","url":"\u002Fdocs\u002Flibraries\u002Flock-swift\u002Flock-swift-custom-fields-at-signup"},{"title":"Internationalization","url":"\u002Fdocs\u002Flibraries\u002Flock-swift\u002Flock-swift-internationalization"}]},{"title":"Lock for Android","url":"\u002Fdocs\u002Flibraries\u002Flock-android","children":[{"title":"Overview","url":"\u002Fdocs\u002Flibraries\u002Flock-android"},{"title":"Configuration Options","url":"\u002Fdocs\u002Flibraries\u002Flock-android\u002Flock-android-configuration"},{"title":"Custom Auth Providers","url":"\u002Fdocs\u002Flibraries\u002Flock-android\u002Flock-android-custom-authentication-providers"},{"title":"Android Dev Keystores","url":"\u002Fdocs\u002Flibraries\u002Fauth0-android\u002Fandroid-development-keystores-hashes"},{"title":"Custom Signup Fields","url":"\u002Fdocs\u002Flibraries\u002Flock-android\u002Flock-android-custom-fields-at-signup"},{"title":"Custom Theming","url":"\u002Fdocs\u002Flibraries\u002Flock-android\u002Flock-android-custom-theming"},{"title":"Internationalization","url":"\u002Fdocs\u002Flibraries\u002Flock-android\u002Flock-android-internationalization"},{"title":"Passwordless","url":"\u002Fdocs\u002Flibraries\u002Flock-android\u002Flock-android-passwordless"},{"title":"Passwordless with Magic Link","url":"\u002Fdocs\u002Flibraries\u002Flock-android\u002Flock-android-passwordless-with-magic-link"}]},{"title":"Lock vs. 
Custom UI","url":"\u002Fdocs\u002Funiversal-login\u002Funiversal-login-page-customization"},{"title":"Auth0 SDK for Web","url":"\u002Fdocs\u002Flibraries\u002Fauth0js-v9-reference"},{"title":"Auth0 SDK for iOS","url":"\u002Fdocs\u002Flibraries\u002Fauth0-swift","children":[{"title":"Overview","url":"\u002Fdocs\u002Flibraries\u002Fauth0-swift"},{"title":"Database Authentication","url":"\u002Fdocs\u002Flibraries\u002Fauth0-swift\u002Fauth0-swift-database-connections"},{"title":"User Management","url":"\u002Fdocs\u002Flibraries\u002Fauth0-swift\u002Fauth0-swift-user-management"},{"title":"Refresh Tokens","url":"\u002Fdocs\u002Flibraries\u002Fauth0-swift\u002Fauth0-swift-save-and-renew-tokens"},{"title":"Touch ID \u002F Face ID","url":"\u002Fdocs\u002Flibraries\u002Fauth0-swift\u002Fauth0-swift-touchid-faceid"}]},{"title":"Auth0 SDK for Android","url":"\u002Fdocs\u002Flibraries\u002Fauth0-android","children":[{"title":"Overview","url":"\u002Fdocs\u002Flibraries\u002Fauth0-android"},{"title":"Login, Logout, and User Profiles","url":"\u002Fdocs\u002Flibraries\u002Fauth0-android\u002Fauth0-android-login-logout-and-user-profiles"},{"title":"Configuration","url":"\u002Fdocs\u002Flibraries\u002Fauth0-android\u002Fauth0-android-configuration"},{"title":"Database Authentication","url":"\u002Fdocs\u002Flibraries\u002Fauth0-android\u002Fauth0-android-database-authentication"},{"title":"Passwordless Authentication","url":"\u002Fdocs\u002Flibraries\u002Fauth0-android\u002Fauth0-android-passwordless"},{"title":"User Management","url":"\u002Fdocs\u002Flibraries\u002Fauth0-android\u002Fauth0-android-user-management"},{"title":"Refresh Tokens","url":"\u002Fdocs\u002Flibraries\u002Fauth0-android\u002Fauth0-android-save-and-renew-tokens"},{"title":"Custom Networking Client","url":"\u002Fdocs\u002Flibraries\u002Fauth0-android\u002Fauth0-android-custom-networking-client"},{"title":"V2 Migration 
Guide","url":"\u002Fdocs\u002Flibraries\u002Fauth0-android\u002Fauth0-android-v2-migration-guide"}]}],"videos":[{"title":"Learn Identity","url":"\u002Fdocs\u002Fvideos\u002Flearn-identity-series","children":[{"title":"Introduction to Identity","url":"\u002Fdocs\u002Fvideos\u002Flearn-identity-series\u002Fintroduction-to-identity"},{"title":"OpenID Connect and OAuth2","url":"\u002Fdocs\u002Fvideos\u002Flearn-identity-series\u002Fopenid-connect-and-oauth2"},{"title":"Web Sign-In","url":"\u002Fdocs\u002Fvideos\u002Flearn-identity-series\u002Fweb-sign-in"},{"title":"Calling an API","url":"\u002Fdocs\u002Fvideos\u002Flearn-identity-series\u002Fcalling-an-api"},{"title":"Desktop and Mobile Apps","url":"\u002Fdocs\u002Fvideos\u002Flearn-identity-series\u002Fdesktop-and-mobile-apps"},{"title":"Single Page Apps","url":"\u002Fdocs\u002Fvideos\u002Flearn-identity-series\u002Fsingle-page-apps"}]},{"title":"Get Started","url":"\u002Fdocs\u002Fvideos\u002Fget-started-series","children":[{"title":"Architect: Your Tenant","url":"\u002Fdocs\u002Fvideos\u002Fget-started-series\u002Farchitect-your-tenant"},{"title":"Provision: User Stores","url":"\u002Fdocs\u002Fvideos\u002Fget-started-series\u002Fprovision-user-stores"},{"title":"Provision: Import Users","url":"\u002Fdocs\u002Fvideos\u002Fget-started-series\u002Fprovision-import-users"},{"title":"Authenticate: How It Works","url":"\u002Fdocs\u002Fvideos\u002Fget-started-series\u002Fauthenticate-how-it-works"},{"title":"Authenticate: SPA Example","url":"\u002Fdocs\u002Fvideos\u002Fget-started-series\u002Fauthenticate-spa-example"},{"title":"Authorize: ID Tokens and Access Control","url":"\u002Fdocs\u002Fvideos\u002Fget-started-series\u002Fauthorize-id-tokens-and-access-control"},{"title":"Authorize: Get and Validate ID Tokens","url":"\u002Fdocs\u002Fvideos\u002Fget-started-series\u002Fauthorize-get-and-validate-id-tokens"},{"title":"User 
Profiles","url":"\u002Fdocs\u002Fvideos\u002Fget-started-series\u002Flearn-user-profiles"},{"title":"Brand: How It Works","url":"\u002Fdocs\u002Fvideos\u002Fget-started-series\u002Fbrand-how-it-works"},{"title":"Brand: Sign Up and Login Pages","url":"\u002Fdocs\u002Fvideos\u002Fget-started-series\u002Fbrand-signup-and-login-pages"},{"title":"Brand: Emails and Error Pages","url":"\u002Fdocs\u002Fvideos\u002Fget-started-series\u002Fbrand-emails-and-error-pages"},{"title":"Logout","url":"\u002Fdocs\u002Fvideos\u002Fget-started-series\u002Flearn-logout"}]}],"identity-labs":[{"title":"Digital Identity Labs","url":"\u002Fdocs\u002Fidentity-labs","children":[{"title":"Lab 1: Web Sign-In","url":"\u002Fdocs\u002Fidentity-labs\u002Flab-1-web-sign-in","children":[{"title":"Exercise 1","url":"\u002Fdocs\u002Fidentity-labs\u002Flab-1-web-sign-in\u002Fidentity-lab-1-exercise-1"},{"title":"Exercise 2","url":"\u002Fdocs\u002Fidentity-labs\u002Flab-1-web-sign-in\u002Fidentity-lab-1-exercise-2"}]},{"title":"Lab 2: Calling an API","url":"\u002Fdocs\u002Fidentity-labs\u002Fidentity-lab-2-calling-api","children":[{"title":"Exercise 1","url":"\u002Fdocs\u002Fidentity-labs\u002Fidentity-lab-2-calling-api\u002Fidentity-lab-2-exercise-1"},{"title":"Exercise 2","url":"\u002Fdocs\u002Fidentity-labs\u002Fidentity-lab-2-calling-api\u002Fidentity-lab-2-exercise-2"},{"title":"Exercise 3","url":"\u002Fdocs\u002Fidentity-labs\u002Fidentity-lab-2-calling-api\u002Fidentity-lab-2-exercise-3"}]},{"title":"Lab 3: Mobile Native App","url":"\u002Fdocs\u002Fidentity-labs\u002Flab-3-mobile-native-app","children":[{"title":"Exercise 1","url":"\u002Fdocs\u002Fidentity-labs\u002Flab-3-mobile-native-app\u002Fidentity-lab-3-exercise-1"},{"title":"Exercise 2","url":"\u002Fdocs\u002Fidentity-labs\u002Flab-3-mobile-native-app\u002Fidentity-lab-3-exercise-2"},{"title":"Exercise 3","url":"\u002Fdocs\u002Fidentity-labs\u002Flab-3-mobile-native-app\u002Fidentity-lab-3-exercise-3"}]},{"title":"Lab 4: Single Page 
App","url":"\u002Fdocs\u002Fidentity-labs\u002Flab-4-single-page-app","children":[{"title":"Exercise 1","url":"\u002Fdocs\u002Fidentity-labs\u002Flab-4-single-page-app\u002Fidentity-lab-4-exercise-1"},{"title":"Exercise 2","url":"\u002Fdocs\u002Fidentity-labs\u002Flab-4-single-page-app\u002Fidentity-lab-4-exercise-2"}]}]}]}},"cards":null,"glossary":{"terms":[{"id":"access-token","title":"Access Token","associatedPage":{"title":"Access Tokens","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens"},"definition":"\u003Cp\u003ECredential that can be used by an application to access an API. It informs the API that the bearer of the token has been authorized to access the API and perform specific actions specified by the scope that has been granted. An Access Token can be in any format, but two popular options include opaque strings and JSON Web Tokens (JWT). They should be transmitted to the API as a Bearer credential in an HTTP Authorization header.\u003C\u002Fp\u003E","short":"\u003Cp\u003EAuthorization credential, in the form of an opaque string or JWT, used to access an API.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["access token","access tokens"]},{"id":"account linking","title":"Account Linking","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EConnecting user accounts across multiple platforms to allow users access to more than one resource or application by providing credentials one time.\u003C\u002Fp\u003E","short":"\u003Cp\u003EConnecting user accounts across multiple platforms.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["account linking"]},{"id":"actions","title":"Actions","associatedPage":{"title":"Actions","url":"\u002Fdocs\u002Fcustomize\u002Factions"},"definition":"\u003Cp\u003ESecure, tenant-specific, versioned functions written in Node.js that execute at certain points during the Auth0 runtime. 
Actions are used to customize and extend Auth0's capabilities with custom logic.\u003C\u002Fp\u003E","short":"\u003Cp\u003ESecure, tenant-specific, versioned functions written in Node.js that execute at certain points during the Auth0 runtime.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["actions","action"]},{"id":"adaptive-multi-factor-authentication","title":"Adaptive Multi-factor Authentication","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EMulti-factor authentication (MFA) that is only triggered for users when an attempted login is determined to be a low confidence login. With Adaptive MFA, Auth0 triggers MFA only when needed to add friction for bad actors while keeping the login experience unchanged for good actors.\u003C\u002Fp\u003E","short":"\u003Cp\u003EMulti-factor authentication (MFA) that is only triggered for users when an attempted login is determined to be a low confidence login. \u003C\u002Fp\u003E","automate":true,"automaticTerms":["adaptive multi-factor authentication","adaptive MFA","adaptive multifactor authentication"]},{"id":"application","title":"Application","associatedPage":{"title":"Applications in Auth0","url":"\u002Fdocs\u002Fget-started\u002Fapplications"},"definition":"\u003Cp\u003EYour software that relies on Auth0 for authentication and identity management. Auth0 supports single-page, regular web, native, and machine-to-machine applications.\u003C\u002Fp\u003E","short":"\u003Cp\u003EYour software that relies on Auth0 for authentication and identity management. 
Auth0 supports single-page, regular web, native, and machine-to-machine applications.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["application","applications"]},{"id":"attack-protection","title":"Attack Protection","associatedPage":{"title":"Attack Protection","url":"\u002Fdocs\u002Fsecure\u002Fattack-protection"},"definition":"\u003Cp\u003EFeatures that Auth0 provides to detect and mitigate attacks, including brute-force protection, suspicious IP throttling, breached password detection, bot detection, and adaptive multi-factor authentication.\u003C\u002Fp\u003E","short":"\u003Cp\u003EFeatures that Auth0 provides to detect and mitigate attacks, including brute-force protection, suspicious IP throttling, breached password detection, bot detection, and adaptive multi-factor authentication.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["attack protection"]},{"id":"audience","title":"Audience","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EUnique identifier of the audience for an issued token, identified within a JSON Web Token as the \u003Cb\u003Eaud\u003C\u002Fb\u003E claim. The audience value is either the application (\u003Ccode\u003EClient ID\u003C\u002Fcode\u003E) for an ID Token or the API that is being called (\u003Ccode\u003EAPI Identifier\u003C\u002Fcode\u003E) for an Access Token. At Auth0, the Audience value sent in a request for an Access Token dictates whether that token is returned in an opaque or JWT format.\u003C\u002Fp\u003E","short":"\u003Cp\u003EUnique identifier of the audience for an issued token. 
Named \u003Cb\u003Eaud\u003C\u002Fb\u003E in a token, its value contains the ID of either an application (\u003Ccode\u003EClient ID\u003C\u002Fcode\u003E) for an ID Token or an API (\u003Ccode\u003EAPI Identifier\u003C\u002Fcode\u003E) for an Access Token.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["audience"]},{"id":"auth0-dashboard","title":"Auth0 Dashboard","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EAuth0’s primary administrator interface in which you can register your application or API, connect to a user store or another identity provider, and configure your Auth0 services.\u003C\u002Fp\u003E","short":"\u003Cp\u003EAuth0's main product to configure your services.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["auth0 dashboard"]},{"id":"authentication-server","title":"Authentication Server","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EServer that confirms or denies a user’s identity. An authentication server does not limit the actions or resources available to the user (although it can provide context for this purpose).\u003C\u002Fp\u003E","short":"\u003Cp\u003EServer that confirms or denies a user’s identity.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["authentication server","authentication servers"]},{"id":"authorization-code","title":"Authorization Code","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003ERandom string generated by the authorization server and returned to the application as part of the authorization response. 
The authorization code is relatively short-lived and is exchanged for an Access Token at the token endpoint when using the Authorization Code Flow (either with or without Proof Key for Code Exchange (PKCE)).\u003C\u002Fp\u003E","short":"\u003Cp\u003ERandom string generated by the authorization server and returned to the application as part of the authorization response when using the Authorization Code Flow (either with or without PKCE).\u003C\u002Fp\u003E","automate":false,"automaticTerms":["authorization code","auth code","authorization codes","auth codes"]},{"id":"authorization-flow","title":"Authorization Flow","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EAnother name for Authorization Grants outlined in OAuth 2.0. Authorization flows are the workflows a resource (an application or an API) uses to grant requestors access. Based on the type of technology (for example, if an application can store a Client Secret) and the type of requestor, resource owners can use Authorization Code Flow, Proof Key for Code Exchange (PKCE), Resource Owner Password Credentials (ROPG), Implicit, or Client Credentials.\u003C\u002Fp\u003E","short":"\u003Cp\u003EAuthorization grant (or workflow) specified in the OAuth 2.0 framework.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["authorization flow","authorization flows"]},{"id":"authorization-server","title":"Authorization Server","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003ECentralized server that contributes to defining the boundaries of a user’s access. For example, your authorization server can control the data, tasks, and features available to a user. An authorization server does not authenticate users. It’s the role of the authentication server to verify a user’s identity.\u003C\u002Fp\u003E","short":"\u003Cp\u003ECentralized server that contributes to defining the boundaries of a user’s access. 
For example, your authorization server can control the data, tasks, and features available to a user.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["authorization server","authorization servers"]},{"id":"bad-actors","title":"Bad Actors","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EAlso known as threat actors. Entity (a person or group) that poses a threat to the business or environment with the intention to cause harm. Harm can constitute physical or cyber damages, from breaking into a data center to hacking into systems with stolen credentials.\u003C\u002Fp\u003E","short":"\u003Cp\u003EEntity (a person or group) that poses a threat to the business or environment with the intention to cause harm.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["bad actors","bad actor"]},{"id":"beta","title":"Beta","associatedPage":{"title":"Product Release Stages","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fproduct-release-stages"},"definition":"\u003Cp\u003EProduct release stage during which the referenced feature or behavior is provided to subscribers to give them time to explore and adopt new product capabilities while providing final feedback prior to a General Availability (GA) release. Functionality is code-complete, stable, useful in a variety of scenarios, and believed to meet or almost meet quality expectations for a GA release. Beta releases may be restricted to a select number of subscribers (private) or open to all subscribers (public).\u003C\u002Fp\u003E","short":"\u003Cp\u003EProduct release stage during which subscribers can explore and adopt new product capabilities while providing final feedback prior to a General Availability (GA) release. 
Beta releases may be public or private.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["beta","betas"]},{"id":"block-unblock","title":"Block\u002FUnblock Users","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003ERemoving or restoring a requestor's access to a resource. Refers to the features from Auth0's Attack Protection suite: Breached Password Detection, Brute-Force Protection, and Suspicious IP Throttling. Each service assesses login\u002Fsign-up trends and blocks IP addresses associated with suspicious activity.\u003C\u002Fp\u003E","short":"\u003Cp\u003ERemoving or restoring a requestor's access to a resource.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["block\u002Funblock users","block\u002Funblock user"]},{"id":"bot-detection","title":"Bot Detection","associatedPage":{"title":"Bot Detection","url":"\u002Fdocs\u002Fsecure\u002Fattack-protection\u002Fbot-detection"},"definition":"\u003Cp\u003EForm of attack protection in which Auth0 blocks suspected bot traffic by enabling a CAPTCHA during the login process.\u003C\u002Fp\u003E","short":"\u003Cp\u003EForm of attack protection in which Auth0 blocks suspected bot traffic by enabling a CAPTCHA during the login process.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["bot detection"]},{"id":"breached-password-detection","title":"Breached Password Detection","associatedPage":{"title":"Breached Password Detection","url":"\u002Fdocs\u002Fsecure\u002Fattack-protection\u002Fbreached-password-detection"},"definition":"\u003Cp\u003EForm of attack protection in which Auth0 notifies your users if they use a username\u002Fpassword combination that has been compromised in a data leak on a third-party website or app.\u003C\u002Fp\u003E","short":"\u003Cp\u003EForm of attack protection in which Auth0 notifies your users if they use a username\u002Fpassword combination that has been compromised in a data leak on a third-party website or 
app.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["breached password detection"]},{"id":"breaking-change","title":"Breaking Change","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EChange to the Auth0 platform that, to Auth0's knowledge, will cause failures in the interoperation of the Auth0 platform and customer applications.\u003C\u002Fp\u003E","short":"\u003Cp\u003EChange to the Auth0 platform that, to Auth0's knowledge, will cause failures in the interoperation of the Auth0 platform and customer applications.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["breaking change","breaking changes"]},{"id":"brute-force-protection","title":"Brute-force Protection","associatedPage":{"title":"Brute-Force Protection","url":"\u002Fdocs\u002Fsecure\u002Fattack-protection\u002Fbrute-force-protection"},"definition":"\u003Cp\u003EForm of attack protection that safeguards against brute-force attacks that occur from a single IP address and target a single user account.\u003C\u002Fp\u003E","short":"\u003Cp\u003EForm of attack protection that safeguards against brute-force attacks that occur from a single IP address and target a single user account.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["brute-force protection","brute force protection"]},{"id":"callback","title":"Callback","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EURL to which Auth0 sends its response after authentication. 
It is often the same URL to which a user is redirected after authentication.\u003C\u002Fp\u003E","short":"\u003Cp\u003EURL to which Auth0 sends its response after an API call and sometimes where a user is redirected after authentication.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["callback","callbacks"]},{"id":"claim","title":"Claim","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EAttribute packaged in a security token which represents a claim that the provider of the token is making about an entity.\u003C\u002Fp\u003E","short":"\u003Cp\u003EAttribute packaged in a security token which represents a claim that the provider of the token is making about an entity.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["claim","claims"]},{"id":"client-id","title":"Client ID","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EIdentification value assigned to your application after registration. This value is used in conjunction with other third-party services and can be found in \u003Cb\u003EAuth0 Dashboard\u003C\u002Fb\u003E > \u003Cb\u003EApplication Settings\u003C\u002Fb\u003E.\u003C\u002Fp\u003E","short":"\u003Cp\u003EIdentification value given to your registered resource from Auth0.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["client id","client ids"]},{"id":"client-secret","title":"Client Secret","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003ESecret used by a client (application) to authenticate with the Authorization Server; it should be known to only the client and the Authorization Server and must be sufficiently random to not be guessable.\u003C\u002Fp\u003E","short":"\u003Cp\u003ESecret used by a client (application) to authenticate with the Authorization Server; it should be known to only the client and the Authorization Server and must be sufficiently random to not be guessable.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["client secret","client 
secrets"]},{"id":"confidential-client","title":"Confidential Client","associatedPage":{"title":"Confidential and Public Applications","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfidential-and-public-applications"},"definition":"\u003Cp\u003EAccording to the OAuth 2.0 protocol, clients (applications) can be classified as either confidential or public depending on whether or not they are able to hold credentials (such as a client ID and secret) securely. Confidential clients can hold credentials in a secure way without exposing them to unauthorized parties and require a trusted backend server to do so. They can use grant types that require them to authenticate by specifying their client ID and secret when calling the token endpoint and can have tokens issued to them that have been signed either symmetrically or asymmetrically.\u003C\u002Fp\u003E","short":"\u003Cp\u003EA client (application) that can hold credentials securely by using a trusted backend server. Examples include a web application with a secure backend and a machine-to-machine (M2M) application.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["confidential client","confidential clients"]},{"id":"confused-deputy","title":"Confused Deputy","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003ESituation in which an attacker tricks a client or service into performing an action on their behalf.\u003C\u002Fp\u003E","short":"\u003Cp\u003ESituation in which an attacker tricks a client or service into performing an action on their behalf.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["confused deputy","confused deputies"]},{"id":"connection","title":"Connection","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003ERelationship between Auth0 and the sources of users for your applications. 
Examples include identity providers (such as Google or Active Directory), passwordless authentication methods, or user databases.\u003C\u002Fp\u003E","short":"\u003Cp\u003ERelationship between Auth0 and the sources of users for your applications.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["connection","connections"]},{"id":"custom-domain","title":"Custom Domain","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EThird-party domain with a specialized, or vanity, name. Also known as a CNAME.\u003C\u002Fp\u003E","short":"\u003Cp\u003EThird-party domain with a specialized, or vanity, name.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["custom domain","custom domains"]},{"id":"deprecation","title":"Deprecation","associatedPage":{"title":"Product Release Stages","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fproduct-release-stages"},"definition":"\u003Cp\u003EProduct release stage indicating that the referenced feature or behavior is not supported for use by new subscribers, is not actively being enhanced, and is being only minimally maintained. 
Tenants using the feature or behavior at the time of deprecation will continue to have access.\u003C\u002Fp\u003E","short":"\u003Cp\u003EProduct release stage indicating that the referenced feature or behavior is not supported for use by new subscribers, is not actively being enhanced, and is being only minimally maintained.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["deprecation","deprecations"]},{"id":"digital-identity","title":"Digital Identity","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003ESet of attributes that define a particular user in the context of a function which is delivered by a particular application.\u003C\u002Fp\u003E","short":"\u003Cp\u003ESet of attributes that define a particular user in the context of a function which is delivered by a particular application.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["digital identity","digital identities"]},{"id":"digital-signature","title":"Digital Signature","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EEncrypted string that protects bits in a token from tampering. If the bits are changed or tampered with, the signature will no longer be able to be verified and it will be rejected.\u003C\u002Fp\u003E","short":"\u003Cp\u003EEncrypted string that protects bits in a token from tampering.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["digital signature","digital signatures"]},{"id":"directory","title":"Directory","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003ECentralized repository of users (the most well-known of which is Active Directory) which centralizes credentials and attributes and makes it unnecessary for each application to have their own local identity setup and pool of users. 
Allows single sign on to all applications that use the same directory of users.\u003C\u002Fp\u003E","short":"\u003Cp\u003ECentralized repository of users that allows single sign on to all applications that use the same directory.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["directory","directories"]},{"id":"early-access","title":"Early Access","associatedPage":{"title":"Product Release Stages","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fproduct-release-stages"},"definition":"\u003Cp\u003EProduct release stage during which the referenced feature or behavior is provided to a limited number of subscribers or customer development partners (CDPs) to give them the opportunity to test and provide feedback on future functionality. At this stage, functionality may not be complete, but is ready for validation.\u003C\u002Fp\u003E","short":"\u003Cp\u003EProduct release stage during which the referenced feature or behavior is provided to a limited number of subscribers or customer development partners (CDPs) to give them the opportunity to test and provide feedback on future functionality.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["early access","ea"]},{"id":"end-of-life","title":"End of Life","associatedPage":{"title":"Product Release Stages","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fproduct-release-stages"},"definition":"\u003Cp\u003EProduct release stage indicating that the referenced feature or behavior is removed from the platform. Continued use of the feature or behavior will likely result in errors. The new behavior will automatically be enabled for Tenants that did not opt in during the migration window.\u003C\u002Fp\u003E","short":"\u003Cp\u003EProduct release stage indicating that the referenced feature or behavior is removed from the platform. 
Continued use of the feature or behavior will likely result in errors.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["end of life","eol"]},{"id":"end-of-life-date","title":"End of Life Date","associatedPage":{"title":"Product Release Stages","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fproduct-release-stages"},"definition":"\u003Cp\u003EDate when access to a feature or behavior is removed from the platform. End Of Life Dates can vary between different plan types.\u003C\u002Fp\u003E","short":"\u003Cp\u003EDate when access to a feature or behavior is removed from the platform. End Of Life Dates can vary between different plan types.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["end of life date","end of life dates","eol date"]},{"id":"fine-grained-auth","title":"Fine-grained Authorization (FGA)","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EAuth0’s SaaS product that gives individual users access to specific objects or resources within your application.\u003C\u002Fp\u003E","short":"\u003Cp\u003EAuth0 product allowing individual users access to specific objects or resources.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["fine-grained authorization (fga)","fine-grained authorization","FGA"]},{"id":"flow","title":"Flow","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EProcesses that can be extended using Actions. Each Flow is made up of one or more Triggers and represents the logical pipeline through which information moves during a single point in the Auth0 journey.\u003C\u002Fp\u003E","short":"\u003Cp\u003EProcesses that can be extended using Actions. 
Each Flow is made up of one or more Triggers and represents the logical pipeline through which information moves during a single point in the Auth0 journey.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["flow","flows"]},{"id":"general-availability","title":"General Availability","associatedPage":{"title":"Product Release Stages","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fproduct-release-stages"},"definition":"\u003Cp\u003EProduct release stage during which the referenced feature or behavior is fully functional and available to all subscribers (limited by pricing tier) for production use. If a new release replaces an existing feature, Auth0 provides a period of backward compatibility in accordance with our deprecation policy and informs customers so they have time to adopt the new release.\u003C\u002Fp\u003E","short":"\u003Cp\u003EProduct release stage during which the referenced feature or behavior is fully functional and available to all subscribers (limited by pricing tier) for production use.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["general availability","GA"]},{"id":"group","title":"Group","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003ESet of one or more users. In the Auth0 Authorization Extension, use groups to grant access to many users at a time.\u003C\u002Fp\u003E","short":"\u003Cp\u003ESet of one or more users. In the Auth0 Authorization Extension, use groups to grant access to many users at a time.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["group","groups"]},{"id":"id-token","title":"ID Token","associatedPage":{"title":"ID Tokens","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Fid-tokens"},"definition":"\u003Cp\u003ECredential meant for the client itself, rather than for accessing a resource. 
It has a fixed format that clients can parse and validate.\u003C\u002Fp\u003E","short":"\u003Cp\u003ECredential meant for the client itself, rather than for accessing a resource.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["id token","id tokens","identity token","identity tokens"]},{"id":"idp","title":"Identity Provider (IdP)","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EService that stores and manages digital identities. Auth0 supports trusted social, enterprise, and legal identity providers. Auth0 also can function as an identity provider for your applications.\u003C\u002Fp\u003E","short":"\u003Cp\u003EService that stores and manages digital identities.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["identity provider (idp)","identity providers","identity provider","idp","idps","identity providers (idps)"]},{"id":"json-web-token","title":"JSON Web Token (JWT)","associatedPage":{"title":"JSON Web Tokens","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Fjson-web-tokens"},"definition":"\u003Cp\u003EOpen, industry standard \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519\"\u003ERFC 7519\u003C\u002Fa\u003E method for representing claims securely between two parties. At Auth0, ID Tokens are always returned in JWT format, and Access Tokens are often in JWT format. 
You may decode well-formed JWTs at \u003Ca href=\"https:\u002F\u002Fjwt.io\"\u003EJWT.io\u003C\u002Fa\u003E to view their claims.\u003C\u002Fp\u003E","short":"\u003Cp\u003EStandard ID Token format (and often Access Token format) used to represent claims securely between two parties.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["json web token (jwt)","json web token","json web tokens","jwt","jwts","json web tokens (jwts)"]},{"id":"localization","title":"Localization","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EAbility to render the New Universal Login experience into a supported language.\u003C\u002Fp\u003E","short":"\u003Cp\u003EAbility to render the New Universal Login experience into a supported language.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["localization"]},{"id":"lock","title":"Lock","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EAuth0's UI widget for authenticating users. It is ready to go as-is and is the default face of the Classic Universal Login experience. Lock allows you to customize minor behavioral and appearance options, but its primary goal is ease of use.\u003C\u002Fp\u003E","short":"\u003Cp\u003EAuth0's UI widget for authenticating users.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["lock"]},{"id":"management-api","title":"Management API","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EAuth0's API to manage Auth0 services and perform administrative tasks programmatically.\u003C\u002Fp\u003E","short":"\u003Cp\u003EA product to allow customers to perform administrative tasks. \u003C\u002Fp\u003E","automate":true,"automaticTerms":["management api"]},{"id":"metadata","title":"Metadata","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EInformation users can update, such as preferences or profile settings. 
Metadata is added to ID tokens and can be stored in user profiles.\u003C\u002Fp\u003E","short":"\u003Cp\u003EUser information stored in user profiles.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["metadata"]},{"id":"migration","title":"Migration","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EProcess by which a customer moves away from a particular feature or behavior. Migrations should occur during the Deprecation product release stage.\u003C\u002Fp\u003E","short":"\u003Cp\u003EProcess by which a customer moves away from a particular feature or behavior. Migrations should occur during the Deprecation product release stage.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["migration","migrations"]},{"id":"multifactor-authentication","title":"Multi-factor authentication (MFA)","associatedPage":{"title":"Multi-Factor Authentication","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication"},"definition":"\u003Cp\u003EAuthentication process that considers multiple factors. Typically at Auth0, the first factor is the standard username\u002Fpassword exchange, and the second is a code or link via email or SMS, a one-time-password via an app such as Authy or Google Authenticator, or a push notification via a phone app such as Guardian or Duo. 
Using multiple factors allows your account to remain secure if someone captures one or the other factor--acquires your password or steals your phone, for example.\u003C\u002Fp\u003E","short":"\u003Cp\u003EUser authentication process that uses a factor in addition to username and password such as a code via SMS.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["multi-factor authentication (mfa)","multi-factor authentication","multifactor authentication","mfa"]},{"id":"nonce","title":"Nonce","associatedPage":{"title":"Mitigate Replay Attacks When Using the Implicit Flow","url":"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fimplicit-flow-with-form-post\u002Fmitigate-replay-attacks-when-using-the-implicit-flow"},"definition":"\u003Cp\u003EArbitrary (often random or pseudo-random) number issued in an authentication protocol that can be used to help detect and mitigate replay attacks using old communications. In other words, the nonce is only issued once, so if an attacker attempts to replay a transaction with a different nonce, its false transaction can be detected more easily.\u003C\u002Fp\u003E","short":"\u003Cp\u003EArbitrary number issued once in an authentication protocol to detect and prevent replay attacks.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["nonce","nonces"]},{"id":"oath2","title":"OAuth 2.0","associatedPage":{"title":"OAuth 2.0 Authorization Framework","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Foauth"},"definition":"\u003Cp\u003EAuthorization framework that defines authorization protocols and workflows. OAuth 2.0 defines roles, authorization grants (or workflows), authorization requests and responses, and token handling. 
The OpenID Connect (OIDC) protocol, which verifies user identity, extends OAuth 2.0.\u003C\u002Fp\u003E","short":"\u003Cp\u003EAuthorization framework that defines authorization protocols and workflows.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["oauth 2.0","oauth"]},{"id":"openid","title":"OpenID","associatedPage":{"title":"OpenID Connect Protocol","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fopenid-connect-protocol"},"definition":"\u003Cp\u003EOpen standard for authentication that allows applications to verify users are who they say they are without needing to collect, store, and therefore become liable for a user’s login information.\u003C\u002Fp\u003E","short":"\u003Cp\u003EOpen standard for authentication that allows applications to verify users' identities without collecting and storing login information.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["openid"]},{"id":"organizations","title":"Organizations","associatedPage":{"title":"Organizations","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations"},"definition":"\u003Cp\u003EAuth0 product that allows B2B customers to categorize end-users and define specific roles, login experience, and access to resources.\u003C\u002Fp\u003E","short":"\u003Cp\u003EAuth0 product that allows B2B customers to categorize end-users and define specific roles.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["organizations","organization"]},{"id":"passwordless","title":"Passwordless","associatedPage":{"title":"Passwordless","url":"\u002Fdocs\u002Fauthenticate\u002Fpasswordless"},"definition":"\u003Cp\u003EForm of authentication where the first factor is not a password. Instead, it could be a one-time password received by email or SMS, a push notification, or a biometric sensor. 
Passwordless uses one-time passwords, so users are less susceptible to the typical password-based attacks (e.g., dictionary or credential stuffing) than with traditional username\u002Fpassword logins.\u003C\u002Fp\u003E","short":"\u003Cp\u003EForm of authentication that does not rely on a password as the first factor.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["passwordless"]},{"id":"perimeter","title":"Perimeter","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003ESet of boundaries that encompass a directory, all of its users, and all of the applications which use the directory. In some implementations, this perimeter is a physical location; in others, it is a set of networks or devices connected via VPN.\u003C\u002Fp\u003E","short":"\u003Cp\u003ESet of boundaries that encompass a directory, all of its users, and all of the applications which use the directory.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["perimeter","perimeters"]},{"id":"product-release-stages","title":"Product Release Stages","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EPhases that describe how Auth0 stages, releases, and retires product functionality. 
Product features may not progress through all release stages, and the time in each stage will vary depending on the scope and impact of the feature.\u003C\u002Fp\u003E","short":"\u003Cp\u003EPhases that describe how Auth0 stages, releases, and retires product functionality.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["product release stages","product release stage"]},{"id":"public-client","title":"Public Client","associatedPage":{"title":"Confidential and Public Applications","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfidential-and-public-applications"},"definition":"\u003Cp\u003EAccording to the OAuth 2.0 protocol, clients (applications) can be classified as either confidential or public depending on whether or not they are able to hold credentials (such as a client ID and secret) securely. Public clients cannot hold credentials securely, so should only use grant types that do not require the use of their client secret. ID Tokens issued to them must be signed asymmetrically using a private key (RS256) and verified using the public key corresponding to the private key used to sign the token.\u003C\u002Fp\u003E","short":"\u003Cp\u003EClient (application) that cannot hold credentials securely. 
Examples include a native desktop or mobile application and a JavaScript-based client-side web application (such as a single-page app (SPA)).\u003C\u002Fp\u003E","automate":true,"automaticTerms":["public client","public clients"]},{"id":"raw-credential","title":"Raw Credential","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EShared secret or set of information that is agreed upon between the user and the resource that allows the resource to verify the identity of a user.\u003C\u002Fp\u003E","short":"\u003Cp\u003EShared secret or set of information that is agreed upon between the user and the resource that allows the resource to verify the identity of a user.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["raw credential","raw credentials"]},{"id":"refresh-token","title":"Refresh Token","associatedPage":{"title":"Refresh Tokens","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Frefresh-tokens"},"definition":"\u003Cp\u003ESpecial kind of token that can be used to obtain a renewed Access Token. It is useful for renewing expiring Access Tokens without forcing the user to log in again. Using the Refresh Token, you can request a new Access Token at any time until the Refresh Token is blocklisted.\u003C\u002Fp\u003E","short":"\u003Cp\u003EToken used to obtain a renewed Access Token without forcing users to log in again.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["refresh token","refresh tokens"]},{"id":"refresh-token-rotation","title":"Refresh Token Rotation","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EStrategy of frequently replacing refresh tokens to minimize vulnerability. With refresh token rotation, every time your application exchanges a refresh token to get a new access token, Auth0 also returns a new refresh token.\u003C\u002Fp\u003E","short":"\u003Cp\u003EStrategy of frequently replacing refresh tokens to minimize vulnerability. 
With refresh token rotation, every time your application exchanges a refresh token to get a new access token, Auth0 also returns a new refresh token.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["refresh token rotation"]},{"id":"relying-party","title":"Relying Party","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EEntity (such as a service or application) that depends on a third-party identity provider to authenticate a user.\u003C\u002Fp\u003E","short":"\u003Cp\u003EEntity (such as a service or application) that depends on a third-party identity provider to authenticate a user.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["relying party","relying parties"]},{"id":"resource-owner","title":"Resource Owner","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EEntity (such as a user or application) capable of granting access to a protected resource.\u003C\u002Fp\u003E","short":"\u003Cp\u003EEntity (such as a user or application) capable of granting access to a protected resource.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["resource owner","resource owners"]},{"id":"resource-server","title":"Resource Server","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EServer hosting protected resources. Resource servers accept and respond to protected resource requests.\u003C\u002Fp\u003E","short":"\u003Cp\u003EServer hosting protected resources. Resource servers accept and respond to protected resource requests.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["resource server","resource servers"]},{"id":"role","title":"Role","associatedPage":{"title":"Role-Based Access Control","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Frbac"},"definition":"\u003Cp\u003EAspect of a user’s identity assigned to the user to indicate the level of access they should have to the system. 
Roles are essentially collections of permissions.\u003C\u002Fp\u003E","short":"\u003Cp\u003EAspect of a user’s identity assigned to the user to give them a certain set of permissions.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["role","roles"]},{"id":"scope","title":"Scope","associatedPage":{"title":"Scopes","url":"\u002Fdocs\u002Fget-started\u002Fapis\u002Fscopes"},"definition":"\u003Cp\u003EMechanism that defines the specific actions applications can be allowed to do or information that they can request on a user’s behalf. Often, applications will want to make use of the information that has already been created in an online resource. To do so, the application must ask for authorization to access this information on a user’s behalf. When an app requests permission to access a resource through an authorization server, it uses the Scope parameter to specify what access it needs, and the authorization server uses the Scope parameter to respond with the access that was actually granted.\u003C\u002Fp\u003E","short":"\u003Cp\u003EMechanism that determines actions applications can perform on a user's behalf with information previously created in an online resource.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["scope","scopes"]},{"id":"security-assertion-markup-language","title":"Security Assertion Markup Language (SAML)","associatedPage":{"title":"SAML","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml"},"definition":"\u003Cp\u003EXML-based standardized protocol by which two parties can exchange authentication information without the use of a password.\u003C\u002Fp\u003E","short":"\u003Cp\u003EStandardized protocol allowing two parties to exchange authentication information without a password.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["security assertion markup language (saml)","security assertion markup language","saml"]},{"id":"security-token","title":"Security 
Token","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EDigitally-signed artifact used to prove that the user was successfully authenticated.\u003C\u002Fp\u003E","short":"\u003Cp\u003EDigitally-signed artifact used to prove that the user was successfully authenticated.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["security token","security tokens"]},{"id":"session-cookie","title":"Session Cookie","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EEntity emitted by middleware after it establishes that the token it is receiving is signed, valid, and comes from a trusted source (the identity provider). This entity represents the fact that successful authentication occurred with the identity provider. This cookie prevents this process with tokens from needing to be continually repeated, by allowing the user to be considered authenticated as long as the cookie is present.\u003C\u002Fp\u003E","short":"\u003Cp\u003EEntity that, when present, allows the user to be considered authenticated.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["session cookie","session cookies"]},{"id":"shadow-account","title":"Shadow Account","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EDifficult-to-sustain practice of manually provisioning a user from a local directory separately in a remote directory (essentially creating a copy, or shadow, of the original account) when they need access to remote applications.\u003C\u002Fp\u003E","short":"\u003Cp\u003EDifficult-to-sustain practice of manually provisioning a user from a local directory separately in a remote directory.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["shadow account","shadow accounts"]},{"id":"signing-algorithm","title":"Signing Algorithm","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003ECryptographic algorithm used to digitally sign tokens to ensure the token has not been tampered with by bad 
actors.\u003C\u002Fp\u003E","short":"\u003Cp\u003EAlgorithm used to digitally sign tokens to ensure the token has not been tampered with.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["signing algorithm","signing algorithms"]},{"id":"single-sign-on","title":"Single Sign-On (SSO)","associatedPage":{"title":"Single Sign-On","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on"},"definition":"\u003Cp\u003EService that, after a user logs into one application, automatically logs that user in to other applications, regardless of the platform, technology, or domain the user is using. The user signs in only one time (hence the name of the feature). Similarly, Single Logout (SLO) occurs when, after a user logs out from one application, they are logged out of each application or service where they were logged in. SSO and SLO are possible through the use of sessions.\u003C\u002Fp\u003E","short":"\u003Cp\u003EService that, after a user logs into one application, automatically logs that user in to other applications.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["single sign-on (sso)","single sign-on","single sign on","sso","single signon"]},{"id":"subscription","title":"Subscription","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EAgreement that defines the features and quotas available for each of your tenants. Auth0 has multiple subscription levels to meet the needs of different developers and organizations.\u003C\u002Fp\u003E","short":"\u003Cp\u003EAgreement that defines the features and quotas available for each of your tenants. 
Auth0 has multiple subscription levels to meet the needs of different developers and organizations.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["subscription","subscriptions"]},{"id":"suspicious-ip-throttling","title":"Suspicious IP Throttling","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EForm of attack protection that protects your tenant against suspicious logins targeting too many accounts from a single IP address.\u003C\u002Fp\u003E","short":"\u003Cp\u003EForm of attack protection that protects your tenant against suspicious logins targeting too many accounts from a single IP address.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["suspicious ip throttling"]},{"id":"tenant","title":"Tenant","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EAt Auth0, a logically-isolated group of users who share common access with specific privileges to a single software instance. No tenant can access the data of another tenant, even though multiple tenants might be running on the same machine. Tenant, in general, is a term borrowed from software multitenant architecture.\u003C\u002Fp\u003E","short":"\u003Cp\u003EAt Auth0, a logically-isolated group of users who share common access with specific privileges to a single software instance. 
No tenant can access the data of another tenant, even though multiple tenants might be running on the same machine.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["tenant","tenants"]},{"id":"token-endpoint","title":"Token Endpoint","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EEndpoint on the Authorization Server that is used to programmatically request tokens.\u003C\u002Fp\u003E","short":"\u003Cp\u003EEndpoint on the Authorization Server that is used to programmatically request tokens.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["token endpoint","token endpoints"]},{"id":"trigger","title":"Trigger","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EEvent that automatically invokes an Action when a specific operation, such as a user logging in, occurs at runtime. Some Triggers are executed synchronously, blocking the Flow in which they are involved, and some are executed asynchronously.\u003C\u002Fp\u003E","short":"\u003Cp\u003EEvent that automatically invokes an Action when a specific operation, such as a user logging in, occurs at runtime.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["trigger","triggers"]},{"id":"trust","title":"Trust","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EResource trusts an identity provider or authority when that resource is willing to believe what the authority says about its users.\u003C\u002Fp\u003E","short":"\u003Cp\u003EResource trusts an identity provider or authority when that resource is willing to believe what the authority says about its users.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["trust","trusts"]},{"id":"universal-login","title":"Universal Login","associatedPage":{"title":"Auth0 Universal Login","url":"\u002Fdocs\u002Fauthenticate\u002Flogin\u002Fauth0-universal-login"},"definition":"\u003Cp\u003EAuth0’s implementation of the authentication flow, which is the key feature of an Authorization Server. 
Each time a user needs to prove their identity, your \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\"\u003Eapplications\u003C\u002Fa\u003E redirect to Universal Login, and Auth0 will do what’s needed to guarantee the user’s identity.\u003C\u002Fp\u003E","short":"\u003Cp\u003EYour application redirects to Universal Login, hosted on Auth0's Authorization Server, to verify a user's identity.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["universal login"]},{"id":"ws-fed","title":"Web Service Federation (WS-Fed)","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EProtocol for managing user identities between systems, domains, and identity providers with established trust using WS-Trust. This protocol is mainly used for Microsoft products and defines policies on how to share federation metadata. \u003C\u002Fp\u003E","short":"\u003Cp\u003EProtocol for managing user identities across domains.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["web service federation (ws-fed)","web service federation","ws-fed"]}],"termsByLetter":{"A":[{"id":"access-token","title":"Access Token","associatedPage":{"title":"Access Tokens","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens"},"definition":"\u003Cp\u003ECredential that can be used by an application to access an API. It informs the API that the bearer of the token has been authorized to access the API and perform specific actions specified by the scope that has been granted. An Access Token can be in any format, but two popular options include opaque strings and JSON Web Tokens (JWT). 
They should be transmitted to the API as a Bearer credential in an HTTP Authorization header.\u003C\u002Fp\u003E","short":"\u003Cp\u003EAuthorization credential, in the form of an opaque string or JWT, used to access an API.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["access token","access tokens"]},{"id":"account linking","title":"Account Linking","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EConnecting user accounts across multiple platforms to allow users access to more than one resource or application by providing credentials one time.\u003C\u002Fp\u003E","short":"\u003Cp\u003EConnecting user accounts across multiple platforms.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["account linking"]},{"id":"actions","title":"Actions","associatedPage":{"title":"Actions","url":"\u002Fdocs\u002Fcustomize\u002Factions"},"definition":"\u003Cp\u003ESecure, tenant-specific, versioned functions written in Node.js that execute at certain points during the Auth0 runtime. Actions are used to customize and extend Auth0's capabilities with custom logic.\u003C\u002Fp\u003E","short":"\u003Cp\u003ESecure, tenant-specific, versioned functions written in Node.js that execute at certain points during the Auth0 runtime.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["actions","action"]},{"id":"adaptive-multi-factor-authentication","title":"Adaptive Multi-factor Authentication","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EMulti-factor authentication (MFA) that is only triggered for users when an attempted login is determined to be a low confidence login. With Adaptive MFA, Auth0 triggers MFA only when needed to add friction for bad actors while keeping the login experience unchanged for good actors.\u003C\u002Fp\u003E","short":"\u003Cp\u003EMulti-factor authentication (MFA) that is only triggered for users when an attempted login is determined to be a low confidence login. 
\u003C\u002Fp\u003E","automate":true,"automaticTerms":["adaptive multi-factor authentication","adaptive MFA","adaptive multifactor authentication"]},{"id":"application","title":"Application","associatedPage":{"title":"Applications in Auth0","url":"\u002Fdocs\u002Fget-started\u002Fapplications"},"definition":"\u003Cp\u003EYour software that relies on Auth0 for authentication and identity management. Auth0 supports single-page, regular web, native, and machine-to-machine applications.\u003C\u002Fp\u003E","short":"\u003Cp\u003EYour software that relies on Auth0 for authentication and identity management. Auth0 supports single-page, regular web, native, and machine-to-machine applications.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["application","applications"]},{"id":"attack-protection","title":"Attack Protection","associatedPage":{"title":"Attack Protection","url":"\u002Fdocs\u002Fsecure\u002Fattack-protection"},"definition":"\u003Cp\u003EFeatures that Auth0 provides to detect and mitigate attacks, including brute-force protection, suspicious IP throttling, breached password detection, bot detection, and adaptive multi-factor authentication.\u003C\u002Fp\u003E","short":"\u003Cp\u003EFeatures that Auth0 provides to detect and mitigate attacks, including brute-force protection, suspicious IP throttling, breached password detection, bot detection, and adaptive multi-factor authentication.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["attack protection"]},{"id":"audience","title":"Audience","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EUnique identifier of the audience for an issued token, identified within a JSON Web Token as the \u003Cb\u003Eaud\u003C\u002Fb\u003E claim. The audience value is either the application (\u003Ccode\u003EClient ID\u003C\u002Fcode\u003E) for an ID Token or the API that is being called (\u003Ccode\u003EAPI Identifier\u003C\u002Fcode\u003E) for an Access Token. 
At Auth0, the Audience value sent in a request for an Access Token dictates whether that token is returned in an opaque or JWT format.\u003C\u002Fp\u003E","short":"\u003Cp\u003EUnique identifier of the audience for an issued token. Named \u003Cb\u003Eaud\u003C\u002Fb\u003E in a token, its value contains the ID of either an application (\u003Ccode\u003EClient ID\u003C\u002Fcode\u003E) for an ID Token or an API (\u003Ccode\u003EAPI Identifier\u003C\u002Fcode\u003E) for an Access Token.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["audience"]},{"id":"auth0-dashboard","title":"Auth0 Dashboard","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EAuth0’s primary administrator interface in which you can register your application or API, connect to a user store or another identity provider, and configure your Auth0 services.\u003C\u002Fp\u003E","short":"\u003Cp\u003EAuth0's main product to configure your services.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["auth0 dashboard"]},{"id":"authentication-server","title":"Authentication Server","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EServer that confirms or denies a user’s identity. An authentication server does not limit the actions or resources available to the user (although it can provide context for this purpose).\u003C\u002Fp\u003E","short":"\u003Cp\u003EServer that confirms or denies a user’s identity.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["authentication server","authentication servers"]},{"id":"authorization-code","title":"Authorization Code","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003ERandom string generated by the authorization server and returned to the application as part of the authorization response. 
The authorization code is relatively short-lived and is exchanged for an Access Token at the token endpoint when using the Authorization Code Flow (either with or without Proof Key for Code Exchange (PKCE)).\u003C\u002Fp\u003E","short":"\u003Cp\u003ERandom string generated by the authorization server and returned to the application as part of the authorization response when using the Authorization Code Flow (either with or without PKCE).\u003C\u002Fp\u003E","automate":false,"automaticTerms":["authorization code","auth code","authorization codes","auth codes"]},{"id":"authorization-flow","title":"Authorization Flow","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EAnother name for Authorization Grants outlined in OAuth 2.0. Authorization flows are the workflows a resource (an application or an API) uses to grant requestors access. Based on the type of technology (for example, if an application can store a Client Secret) and the type of requestor, resource owners can use Authorization Code Flow, Proof Key for Code Exchange (PKCE), Resource Owner Password Credential (ROPG), Implicit, or Client Credential.\u003C\u002Fp\u003E","short":"\u003Cp\u003EAuthorization grant (or workflow) specified in the OAuth 2.0 framework.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["authorization flow","authorization flows"]},{"id":"authorization-server","title":"Authorization Server","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003ECentralized server that contributes to defining the boundaries of a user’s access. For example, your authorization server can control the data, tasks, and features available to a user. An authorization server does not authenticate users. It’s the role of the authentication server to verify a user’s identity.\u003C\u002Fp\u003E","short":"\u003Cp\u003ECentralized server that contributes to defining the boundaries of a user’s access. 
For example, your authorization server can control the data, tasks, and features available to a user.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["authorization server","authorization servers"]}],"B":[{"id":"bad-actors","title":"Bad Actors","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EAlso known as threat actors. Entity (a person or group) that poses a threat to the business or environment with the intention to cause harm. Harm can constitute physical or cyber damages, from breaking into a data center to hacking into systems with stolen credentials.\u003C\u002Fp\u003E","short":"\u003Cp\u003EEntity (a person or group) that poses a threat to the business or environment with the intention to cause harm.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["bad actors","bad actor"]},{"id":"beta","title":"Beta","associatedPage":{"title":"Product Release Stages","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fproduct-release-stages"},"definition":"\u003Cp\u003EProduct release stage during which the referenced feature or behavior is provided to subscribers to give them time to explore and adopt new product capabilities while providing final feedback prior to a General Availability (GA) release. Functionality is code-complete, stable, useful in a variety of scenarios, and believed to meet or almost meet quality expectations for a GA release. Beta releases may be restricted to a select number of subscribers (private) or open to all subscribers (public).\u003C\u002Fp\u003E","short":"\u003Cp\u003EProduct release stage during which subscribers can explore and adopt new product capabilities while providing final feedback prior to a General Availability (GA) release. 
Beta releases may be public or private.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["beta","betas"]},{"id":"block-unblock","title":"Block\u002FUnblock Users","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003ERemoving or restoring a requestor's access to a resource. Refers to the features from Auth0's Attack Protection suite: Breached Password Detection, Brute-Force Protection, and Suspicious IP Throttling. Each service assesses login\u002Fsign-up trends and blocks IP addresses associated with suspicious activity.\u003C\u002Fp\u003E","short":"\u003Cp\u003ERemoving or restoring a requestor's access to a resource.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["block\u002Funblock users","block\u002Funblock user"]},{"id":"bot-detection","title":"Bot Detection","associatedPage":{"title":"Bot Detection","url":"\u002Fdocs\u002Fsecure\u002Fattack-protection\u002Fbot-detection"},"definition":"\u003Cp\u003EForm of attack protection in which Auth0 blocks suspected bot traffic by enabling a CAPTCHA during the login process.\u003C\u002Fp\u003E","short":"\u003Cp\u003EForm of attack protection in which Auth0 blocks suspected bot traffic by enabling a CAPTCHA during the login process.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["bot detection"]},{"id":"breached-password-detection","title":"Breached Password Detection","associatedPage":{"title":"Breached Password Detection","url":"\u002Fdocs\u002Fsecure\u002Fattack-protection\u002Fbreached-password-detection"},"definition":"\u003Cp\u003EForm of attack protection in which Auth0 notifies your users if they use a username\u002Fpassword combination that has been compromised in a data leak on a third-party website or app.\u003C\u002Fp\u003E","short":"\u003Cp\u003EForm of attack protection in which Auth0 notifies your users if they use a username\u002Fpassword combination that has been compromised in a data leak on a third-party website or 
app.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["breached password detection"]},{"id":"breaking-change","title":"Breaking Change","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EChange to the Auth0 platform that, to Auth0's knowledge, will cause failures in the interoperation of the Auth0 platform and customer applications.\u003C\u002Fp\u003E","short":"\u003Cp\u003EChange to the Auth0 platform that, to Auth0's knowledge, will cause failures in the interoperation of the Auth0 platform and customer applications.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["breaking change","breaking changes"]},{"id":"brute-force-protection","title":"Brute-force Protection","associatedPage":{"title":"Brute-Force Protection","url":"\u002Fdocs\u002Fsecure\u002Fattack-protection\u002Fbrute-force-protection"},"definition":"\u003Cp\u003EForm of attack protection that safeguards against brute-force attacks that occur from a single IP address and target a single user account.\u003C\u002Fp\u003E","short":"\u003Cp\u003EForm of attack protection that safeguards against brute-force attacks that occur from a single IP address and target a single user account.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["brute-force protection","brute force protection"]}],"C":[{"id":"callback","title":"Callback","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EURL to which Auth0 sends its response after authentication. 
It is often the same URL to which a user is redirected after authentication.\u003C\u002Fp\u003E","short":"\u003Cp\u003EURL to which Auth0 sends its response after an API call and sometimes where a user is redirected after authentication.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["callback","callbacks"]},{"id":"claim","title":"Claim","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EAttribute packaged in a security token which represents a claim that the provider of the token is making about an entity.\u003C\u002Fp\u003E","short":"\u003Cp\u003EAttribute packaged in a security token which represents a claim that the provider of the token is making about an entity.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["claim","claims"]},{"id":"client-id","title":"Client ID","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EIdentification value assigned to your application after registration. This value is used in conjunction with other third-party services and can be found in \u003Cb\u003EAuth0 Dashboard\u003C\u002Fb\u003E > \u003Cb\u003EApplication Settings\u003C\u002Fb\u003E.\u003C\u002Fp\u003E","short":"\u003Cp\u003EIdentification value given to your registered resource from Auth0.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["client id","client ids"]},{"id":"client-secret","title":"Client Secret","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003ESecret used by a client (application) to authenticate with the Authorization Server; it should be known to only the client and the Authorization Server and must be sufficiently random to not be guessable.\u003C\u002Fp\u003E","short":"\u003Cp\u003ESecret used by a client (application) to authenticate with the Authorization Server; it should be known to only the client and the Authorization Server and must be sufficiently random to not be guessable.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["client secret","client 
secrets"]},{"id":"confidential-client","title":"Confidential Client","associatedPage":{"title":"Confidential and Public Applications","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfidential-and-public-applications"},"definition":"\u003Cp\u003EAccording to the OAuth 2.0 protocol, clients (applications) can be classified as either confidential or public depending on whether or not they are able to hold credentials (such as a client ID and secret) securely. Confidential clients can hold credentials in a secure way without exposing them to unauthorized parties and require a trusted backend server to do so. They can use grant types that require them to authenticate by specifying their client ID and secret when calling the token endpoint and can have tokens issued to them that have been signed either symmetrically or asymmetrically.\u003C\u002Fp\u003E","short":"\u003Cp\u003EA client (application) that can hold credentials securely by using a trusted backend server. Examples include a web application with a secure backend and a machine-to-machine (M2M) application.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["confidential client","confidential clients"]},{"id":"confused-deputy","title":"Confused Deputy","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003ESituation in which an attacker tricks a client or service into performing an action on their behalf.\u003C\u002Fp\u003E","short":"\u003Cp\u003ESituation in which an attacker tricks a client or service into performing an action on their behalf.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["confused deputy","confused deputies"]},{"id":"connection","title":"Connection","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003ERelationship between Auth0 and the sources of users for your applications. 
Examples include identity providers (such as Google or Active Directory), passwordless authentication methods, or user databases.\u003C\u002Fp\u003E","short":"\u003Cp\u003ERelationship between Auth0 and the sources of users for your applications.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["connection","connections"]},{"id":"custom-domain","title":"Custom Domain","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EThird-party domain with a specialized, or vanity, name. Also known as a CNAME.\u003C\u002Fp\u003E","short":"\u003Cp\u003EThird-party domain with a specialized, or vanity, name.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["custom domain","custom domains"]}],"D":[{"id":"deprecation","title":"Deprecation","associatedPage":{"title":"Product Release Stages","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fproduct-release-stages"},"definition":"\u003Cp\u003EProduct release stage indicating that the referenced feature or behavior is not supported for use by new subscribers, is not actively being enhanced, and is being only minimally maintained. 
Tenants using the feature or behavior at the time of deprecation will continue to have access.\u003C\u002Fp\u003E","short":"\u003Cp\u003EProduct release stage indicating that the referenced feature or behavior is not supported for use by new subscribers, is not actively being enhanced, and is being only minimally maintained.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["deprecation","deprecations"]},{"id":"digital-identity","title":"Digital Identity","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003ESet of attributes that define a particular user in the context of a function which is delivered by a particular application.\u003C\u002Fp\u003E","short":"\u003Cp\u003ESet of attributes that define a particular user in the context of a function which is delivered by a particular application.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["digital identity","digital identities"]},{"id":"digital-signature","title":"Digital Signature","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EEncrypted string that protects bits in a token from tampering. If the bits are changed or tampered with, the signature will no longer be able to be verified and it will be rejected.\u003C\u002Fp\u003E","short":"\u003Cp\u003EEncrypted string that protects bits in a token from tampering.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["digital signature","digital signatures"]},{"id":"directory","title":"Directory","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003ECentralized repository of users (the most well-known of which is Active Directory) which centralizes credentials and attributes and makes it unnecessary for each application to have their own local identity setup and pool of users. 
Allows single sign on to all applications that use the same directory of users.\u003C\u002Fp\u003E","short":"\u003Cp\u003ECentralized repository of users that allows single sign on to all applications that use the same directory.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["directory","directories"]}],"E":[{"id":"early-access","title":"Early Access","associatedPage":{"title":"Product Release Stages","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fproduct-release-stages"},"definition":"\u003Cp\u003EProduct release stage during which the referenced feature or behavior is provided to a limited number of subscribers or customer development partners (CDPs) to give them the opportunity to test and provide feedback on future functionality. At this stage, functionality may not be complete, but is ready for validation.\u003C\u002Fp\u003E","short":"\u003Cp\u003EProduct release stage during which the referenced feature or behavior is provided to a limited number of subscribers or customer development partners (CDPs) to give them the opportunity to test and provide feedback on future functionality.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["early access","ea"]},{"id":"end-of-life","title":"End of Life","associatedPage":{"title":"Product Release Stages","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fproduct-release-stages"},"definition":"\u003Cp\u003EProduct release stage indicating that the referenced feature or behavior is removed from the platform. Continued use of the feature or behavior will likely result in errors. The new behavior will automatically be enabled for Tenants that did not opt in during the migration window.\u003C\u002Fp\u003E","short":"\u003Cp\u003EProduct release stage indicating that the referenced feature or behavior is removed from the platform. 
Continued use of the feature or behavior will likely result in errors.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["end of life","eol"]},{"id":"end-of-life-date","title":"End of Life Date","associatedPage":{"title":"Product Release Stages","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fproduct-release-stages"},"definition":"\u003Cp\u003EDate when access to a feature or behavior is removed from the platform. End Of Life Dates can vary between different plan types.\u003C\u002Fp\u003E","short":"\u003Cp\u003EDate when access to a feature or behavior is removed from the platform. End Of Life Dates can vary between different plan types.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["end of life date","end of life dates","eol date"]}],"F":[{"id":"fine-grained-auth","title":"Fine-grained Authorization (FGA)","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EAuth0’s SaaS product that gives individual users access to specific objects or resources within your application.\u003C\u002Fp\u003E","short":"\u003Cp\u003EAuth0 product allowing individual users access to specific objects or resources.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["fine-grained authorization (fga)","fine-grained authorization","FGA"]},{"id":"flow","title":"Flow","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EProcesses that can be extended using Actions. Each Flow is made up of one or more Triggers and represents the logical pipeline through which information moves during a single point in the Auth0 journey.\u003C\u002Fp\u003E","short":"\u003Cp\u003EProcesses that can be extended using Actions. 
Each Flow is made up of one or more Triggers and represents the logical pipeline through which information moves during a single point in the Auth0 journey.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["flow","flows"]}],"G":[{"id":"general-availability","title":"General Availability","associatedPage":{"title":"Product Release Stages","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fproduct-release-stages"},"definition":"\u003Cp\u003EProduct release stage during which the referenced feature or behavior is fully functional and available to all subscribers (limited by pricing tier) for production use. If a new release replaces an existing feature, Auth0 provides a period of backward compatibility in accordance with our deprecation policy and informs customers so they have time to adopt the new release.\u003C\u002Fp\u003E","short":"\u003Cp\u003EProduct release stage during which the referenced feature or behavior is fully functional and available to all subscribers (limited by pricing tier) for production use.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["general availability","GA"]},{"id":"group","title":"Group","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003ESet of one or more users. In the Auth0 Authorization Extension, use groups to grant access to many users at a time.\u003C\u002Fp\u003E","short":"\u003Cp\u003ESet of one or more users. In the Auth0 Authorization Extension, use groups to grant access to many users at a time.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["group","groups"]}],"I":[{"id":"id-token","title":"ID Token","associatedPage":{"title":"ID Tokens","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Fid-tokens"},"definition":"\u003Cp\u003ECredential meant for the client itself, rather than for accessing a resource. 
It has a fixed format that clients can parse and validate.\u003C\u002Fp\u003E","short":"\u003Cp\u003ECredential meant for the client itself, rather than for accessing a resource.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["id token","id tokens","identity token","identity tokens"]},{"id":"idp","title":"Identity Provider (IdP)","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EService that stores and manages digital identities. Auth0 supports trusted social, enterprise, and legal identity providers. Auth0 also can function as an identity provider for your applications.\u003C\u002Fp\u003E","short":"\u003Cp\u003EService that stores and manages digital identities.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["identity provider (idp)","identity providers","identity provider","idp","idps","identity providers (idps)"]}],"J":[{"id":"json-web-token","title":"JSON Web Token (JWT)","associatedPage":{"title":"JSON Web Tokens","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Fjson-web-tokens"},"definition":"\u003Cp\u003EOpen, industry standard \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519\"\u003ERFC 7519\u003C\u002Fa\u003E method for representing claims securely between two parties. At Auth0, ID Tokens are always returned in JWT format, and Access Tokens are often in JWT format. 
You may decode well-formed JWTs at \u003Ca href=\"https:\u002F\u002Fjwt.io\"\u003EJWT.io\u003C\u002Fa\u003E to view their claims.\u003C\u002Fp\u003E","short":"\u003Cp\u003EStandard ID Token format (and often Access Token format) used to represent claims securely between two parties.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["json web token (jwt)","json web token","json web tokens","jwt","jwts","json web tokens (jwts)"]}],"L":[{"id":"localization","title":"Localization","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EAbility to render the New Universal Login experience into a supported language.\u003C\u002Fp\u003E","short":"\u003Cp\u003EAbility to render the New Universal Login experience into a supported language.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["localization"]},{"id":"lock","title":"Lock","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EAuth0's UI widget for authenticating users. It is ready to go as-is and is the default face of the Classic Universal Login experience. Lock allows you to customize minor behavioral and appearance options, but its primary goal is ease of use.\u003C\u002Fp\u003E","short":"\u003Cp\u003EAuth0's UI widget for authenticating users.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["lock"]}],"M":[{"id":"management-api","title":"Management API","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EAuth0's API to manage Auth0 services and perform administrative tasks programmatically.\u003C\u002Fp\u003E","short":"\u003Cp\u003EA product to allow customers to perform administrative tasks. \u003C\u002Fp\u003E","automate":true,"automaticTerms":["management api"]},{"id":"metadata","title":"Metadata","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EInformation users can update, such as preferences or profile settings. 
Metadata is added to ID tokens and can be stored in user profiles.\u003C\u002Fp\u003E","short":"\u003Cp\u003EUser information stored in user profiles.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["metadata"]},{"id":"migration","title":"Migration","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EProcess by which a customer moves away from a particular feature or behavior. Migrations should occur during the Deprecation product release stage.\u003C\u002Fp\u003E","short":"\u003Cp\u003EProcess by which a customer moves away from a particular feature or behavior. Migrations should occur during the Deprecation product release stage.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["migration","migrations"]},{"id":"multifactor-authentication","title":"Multi-factor authentication (MFA)","associatedPage":{"title":"Multi-Factor Authentication","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication"},"definition":"\u003Cp\u003EAuthentication process that considers multiple factors. Typically at Auth0, the first factor is the standard username\u002Fpassword exchange, and the second is a code or link via email or SMS, a one-time-password via an app such as Authy or Google Authenticator, or a push notification via a phone app such as Guardian or Duo. 
Using multiple factors allows your account to remain secure if someone captures one or the other factor--acquires your password or steals your phone, for example.\u003C\u002Fp\u003E","short":"\u003Cp\u003EUser authentication process that uses a factor in addition to username and password such as a code via SMS.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["multi-factor authentication (mfa)","multi-factor authentication","multifactor authentication","mfa"]}],"N":[{"id":"nonce","title":"Nonce","associatedPage":{"title":"Mitigate Replay Attacks When Using the Implicit Flow","url":"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fimplicit-flow-with-form-post\u002Fmitigate-replay-attacks-when-using-the-implicit-flow"},"definition":"\u003Cp\u003EArbitrary (often random or pseudo-random) number issued in an authentication protocol that can be used to help detect and mitigate replay attacks using old communications. In other words, the nonce is only issued once, so if an attacker attempts to replay a transaction with a different nonce, its false transaction can be detected more easily.\u003C\u002Fp\u003E","short":"\u003Cp\u003EArbitrary number issued once in an authentication protocol to detect and prevent replay attacks.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["nonce","nonces"]}],"O":[{"id":"oath2","title":"OAuth 2.0","associatedPage":{"title":"OAuth 2.0 Authorization Framework","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Foauth"},"definition":"\u003Cp\u003EAuthorization framework that defines authorization protocols and workflows. OAuth 2.0 defines roles, authorization grants (or workflows), authorization requests and responses, and token handling. 
The OpenID Connect (OIDC) protocol, which verifies user identity, extends OAuth 2.0.\u003C\u002Fp\u003E","short":"\u003Cp\u003EAuthorization framework that defines authorization protocols and workflows.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["oauth 2.0","oauth"]},{"id":"openid","title":"OpenID","associatedPage":{"title":"OpenID Connect Protocol","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fopenid-connect-protocol"},"definition":"\u003Cp\u003EOpen standard for authentication that allows applications to verify users are who they say they are without needing to collect, store, and therefore become liable for a user’s login information.\u003C\u002Fp\u003E","short":"\u003Cp\u003EOpen standard for authentication that allows applications to verify users' identities without collecting and storing login information.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["openid"]},{"id":"organizations","title":"Organizations","associatedPage":{"title":"Organizations","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations"},"definition":"\u003Cp\u003EAuth0 product that allows B2B customers to categorize end-users and define specific roles, login experience, and access to resources.\u003C\u002Fp\u003E","short":"\u003Cp\u003EAuth0 product that allows B2B customers to categorize end-users and define specific roles.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["organizations","organization"]}],"P":[{"id":"passwordless","title":"Passwordless","associatedPage":{"title":"Passwordless","url":"\u002Fdocs\u002Fauthenticate\u002Fpasswordless"},"definition":"\u003Cp\u003EForm of authentication where the first factor is not a password. Instead, it could be a one-time password received by email or SMS, a push notification, or a biometric sensor. 
Passwordless uses one-time passwords, so users are less susceptible to the typical password-based attacks (e.g., dictionary or credential stuffing) than with traditional username\u002Fpassword logins.\u003C\u002Fp\u003E","short":"\u003Cp\u003EForm of authentication that does not rely on a password as the first factor.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["passwordless"]},{"id":"perimeter","title":"Perimeter","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003ESet of boundaries that encompass a directory, all of its users, and all of the applications which use the directory. In some implementations, this perimeter is a physical location; in others, it is a set of networks or devices connected via VPN.\u003C\u002Fp\u003E","short":"\u003Cp\u003ESet of boundaries that encompass a directory, all of its users, and all of the applications which use the directory.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["perimeter","perimeters"]},{"id":"product-release-stages","title":"Product Release Stages","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EPhases that describe how Auth0 stages, releases, and retires product functionality. 
Product features may not progress through all release stages, and the time in each stage will vary depending on the scope and impact of the feature.\u003C\u002Fp\u003E","short":"\u003Cp\u003EPhases that describe how Auth0 stages, releases, and retires product functionality.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["product release stages","product release stage"]},{"id":"public-client","title":"Public Client","associatedPage":{"title":"Confidential and Public Applications","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfidential-and-public-applications"},"definition":"\u003Cp\u003EAccording to the OAuth 2.0 protocol, clients (applications) can be classified as either confidential or public depending on whether or not they are able to hold credentials (such as a client ID and secret) securely. Public clients cannot hold credentials securely, so should only use grant types that do not require the use of their client secret. ID Tokens issued to them must be signed asymmetrically using a private key (RS256) and verified using the public key corresponding to the private key used to sign the token.\u003C\u002Fp\u003E","short":"\u003Cp\u003EClient (application) that cannot hold credentials securely. 
Examples include a native desktop or mobile application and a JavaScript-based client-side web application (such as a single-page app (SPA)).\u003C\u002Fp\u003E","automate":true,"automaticTerms":["public client","public clients"]}],"R":[{"id":"raw-credential","title":"Raw Credential","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EShared secret or set of information that is agreed upon between the user and the resource that allow the resource to verify the identity of a user.\u003C\u002Fp\u003E","short":"\u003Cp\u003EShared secret or set of information that is agreed upon between the user and the resource that allow the resource to verify the identity of a user.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["raw credential","raw credentials"]},{"id":"refresh-token","title":"Refresh Token","associatedPage":{"title":"Refresh Tokens","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Frefresh-tokens"},"definition":"\u003Cp\u003ESpecial kind of token that can be used to obtain a renewed Access Token. It is useful for renewing expiring Access Tokens without forcing the user to log in again. Using the Refresh Token, you can request a new Access Token at any time until the Refresh Token is blocklisted.\u003C\u002Fp\u003E","short":"\u003Cp\u003EToken used to obtain a renewed Access Token without forcing users to log in again.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["refresh token","refresh tokens"]},{"id":"refresh-token-rotation","title":"Refresh Token Rotation","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EStrategy of frequently replacing refresh tokens to minimize vulnerability. With refresh token rotation, every time your application exchanges a refresh token to get a new access token, Auth0 also returns a new refresh token.\u003C\u002Fp\u003E","short":"\u003Cp\u003EStrategy of frequently replacing refresh tokens to minimize vulnerability. 
With refresh token rotation, every time your application exchanges a refresh token to get a new access token, Auth0 also returns a new refresh token.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["refresh token rotation"]},{"id":"relying-party","title":"Relying Party","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EEntity (such as a service or application) that depends on a third-party identity provider to authenticate a user.\u003C\u002Fp\u003E","short":"\u003Cp\u003EEntity (such as a service or application) that depends on a third-party identity provider to authenticate a user.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["relying party","relying parties"]},{"id":"resource-owner","title":"Resource Owner","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EEntity (such as a user or application) capable of granting access to a protected resource.\u003C\u002Fp\u003E","short":"\u003Cp\u003EEntity (such as a user or application) capable of granting access to a protected resource.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["resource owner","resource owners"]},{"id":"resource-server","title":"Resource Server","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EServer hosting protected resources. Resource servers accept and respond to protected resource requests.\u003C\u002Fp\u003E","short":"\u003Cp\u003EServer hosting protected resources. Resource servers accept and respond to protected resource requests.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["resource server","resource servers"]},{"id":"role","title":"Role","associatedPage":{"title":"Role-Based Access Control","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Frbac"},"definition":"\u003Cp\u003EAspect of a user’s identity assigned to the user to indicate the level of access they should have to the system. 
Roles are essentially collections of permissions.\u003C\u002Fp\u003E","short":"\u003Cp\u003EAspect of a user’s identity assigned to the user to give them a certain set of permissions.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["role","roles"]}],"S":[{"id":"scope","title":"Scope","associatedPage":{"title":"Scopes","url":"\u002Fdocs\u002Fget-started\u002Fapis\u002Fscopes"},"definition":"\u003Cp\u003EMechanism that defines the specific actions applications can be allowed to do or information that they can request on a user’s behalf. Often, applications will want to make use of the information that has already been created in an online resource. To do so, the application must ask for authorization to access this information on a user’s behalf. When an app requests permission to access a resource through an authorization server, it uses the Scope parameter to specify what access it needs, and the authorization server uses the Scope parameter to respond with the access that was actually granted.\u003C\u002Fp\u003E","short":"\u003Cp\u003EMechanism that determines actions applications can perform on a user's behalf with information previously created in an online resource.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["scope","scopes"]},{"id":"security-assertion-markup-language","title":"Security Assertion Markup Language (SAML)","associatedPage":{"title":"SAML","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml"},"definition":"\u003Cp\u003EXML-based standardized protocol by which two parties can exchange authentication information without the use of a password.\u003C\u002Fp\u003E","short":"\u003Cp\u003EStandardized protocol allowing two parties to exchange authentication information without a password.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["security assertion markup language (saml)","security assertion markup language","saml"]},{"id":"security-token","title":"Security 
Token","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EDigitally-signed artifact used to prove that the user was successfully authenticated.\u003C\u002Fp\u003E","short":"\u003Cp\u003EDigitally-signed artifact used to prove that the user was successfully authenticated.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["security token","security tokens"]},{"id":"session-cookie","title":"Session Cookie","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EEntity emitted by middleware after it establishes that the token it is receiving is signed, valid, and comes from a trusted source (the identity provider). This entity represents the fact that successful authentication occurred with the identity provider. This cookie prevents this process with tokens from needing to be continually repeated, by allowing the user to be considered authenticated as long as the cookie is present.\u003C\u002Fp\u003E","short":"\u003Cp\u003EEntity that, when present, allows the user to be considered authenticated.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["session cookie","session cookies"]},{"id":"shadow-account","title":"Shadow Account","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EDifficult-to-sustain practice of manually provisioning a user from a local directory separately in a remote directory (essentially creating a copy, or shadow, of the original account) when they need access to remote applications.\u003C\u002Fp\u003E","short":"\u003Cp\u003EDifficult-to-sustain practice of manually provisioning a user from a local directory separately in a remote directory.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["shadow account","shadow accounts"]},{"id":"signing-algorithm","title":"Signing Algorithm","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EAlgorithm used to digitally sign tokens to ensure the token has not been tampered with by bad 
actors.\u003C\u002Fp\u003E","short":"\u003Cp\u003EAlgorithm used to digitally sign tokens to ensure the token has not been tampered with.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["signing algorithm","signing algorithms"]},{"id":"single-sign-on","title":"Single Sign-On (SSO)","associatedPage":{"title":"Single Sign-On","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on"},"definition":"\u003Cp\u003EService that, after a user logs into one application, automatically logs that user in to other applications, regardless of the platform, technology, or domain the user is using. The user signs in only one time (hence the name of the feature). Similarly, Single Logout (SLO) occurs when, after a user logs out from one application, they are logged out of each application or service where they were logged in. SSO and SLO are possible through the use of sessions.\u003C\u002Fp\u003E","short":"\u003Cp\u003EService that, after a user logs into one application, automatically logs that user in to other applications.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["single sign-on (sso)","single sign-on","single sign on","sso","single signon"]},{"id":"subscription","title":"Subscription","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EAgreement that defines the features and quotas available for each of your tenants. Auth0 has multiple subscription levels to meet the needs of different developers and organizations.\u003C\u002Fp\u003E","short":"\u003Cp\u003EAgreement that defines the features and quotas available for each of your tenants. 
Auth0 has multiple subscription levels to meet the needs of different developers and organizations.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["subscription","subscriptions"]},{"id":"suspicious-ip-throttling","title":"Suspicious IP Throttling","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EForm of attack protection that protects your tenant against suspicious logins targeting too many accounts from a single IP address.\u003C\u002Fp\u003E","short":"\u003Cp\u003EForm of attack protection that protects your tenant against suspicious logins targeting too many accounts from a single IP address.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["suspicious ip throttling"]}],"T":[{"id":"tenant","title":"Tenant","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EAt Auth0, a logically-isolated group of users who share common access with specific privileges to a single software instance. No tenant can access the data of another tenant, even though multiple tenants might be running on the same machine. Tenant, in general, is a term borrowed from software multitenant architecture.\u003C\u002Fp\u003E","short":"\u003Cp\u003EAt Auth0, a logically-isolated group of users who share common access with specific privileges to a single software instance. 
No tenant can access the data of another tenant, even though multiple tenants might be running on the same machine.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["tenant","tenants"]},{"id":"token-endpoint","title":"Token Endpoint","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EEndpoint on the Authorization Server that is used to programmatically request tokens.\u003C\u002Fp\u003E","short":"\u003Cp\u003EEndpoint on the Authorization Server that is used to programmatically request tokens.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["token endpoint","token endpoints"]},{"id":"trigger","title":"Trigger","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EEvent that automatically invokes an Action when a specific operation, such as a user logging in, occurs at runtime. Some Triggers are executed synchronously, blocking the Flow in which they are involved, and some are executed asynchronously.\u003C\u002Fp\u003E","short":"\u003Cp\u003EEvent that automatically invokes an Action when a specific operation, such as a user logging in, occurs at runtime.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["trigger","triggers"]},{"id":"trust","title":"Trust","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EResource trusts an identity provider or authority when that resource is willing to believe what the authority says about its users.\u003C\u002Fp\u003E","short":"\u003Cp\u003EResource trusts an identity provider or authority when that resource is willing to believe what the authority says about its users.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["trust","trusts"]}],"U":[{"id":"universal-login","title":"Universal Login","associatedPage":{"title":"Auth0 Universal Login","url":"\u002Fdocs\u002Fauthenticate\u002Flogin\u002Fauth0-universal-login"},"definition":"\u003Cp\u003EAuth0’s implementation of the authentication flow, which is the key feature of an Authorization 
Server. Each time a user needs to prove their identity, your \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\"\u003Eapplications\u003C\u002Fa\u003E redirect to Universal Login, and Auth0 will do what’s needed to guarantee the user’s identity.\u003C\u002Fp\u003E","short":"\u003Cp\u003EYour application redirects to Universal Login, hosted on Auth0's Authorization Server, to verify a user's identity.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["universal login"]}],"W":[{"id":"ws-fed","title":"Web Service Federation (WS-Fed)","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EProtocol for managing user identities between systems, domains, and identity providers with established trust using WS-Trust. This protocol is mainly used for Microsoft products and defines policies on how to share federation metadata. \u003C\u002Fp\u003E","short":"\u003Cp\u003EProtocol for managing user identities across domains.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["web service federation (ws-fed)","web service federation","ws-fed"]}]},"termsById":{"access-token":{"title":"Access Token","associatedPage":{"title":"Access Tokens","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Faccess-tokens"},"definition":"\u003Cp\u003ECredential that can be used by an application to access an API. It informs the API that the bearer of the token has been authorized to access the API and perform specific actions specified by the scope that has been granted. An Access Token can be in any format, but two popular options include opaque strings and JSON Web Tokens (JWT). 
They should be transmitted to the API as a Bearer credential in an HTTP Authorization header.\u003C\u002Fp\u003E","short":"\u003Cp\u003EAuthorization credential, in the form of an opaque string or JWT, used to access an API.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["access token","access tokens"]},"account linking":{"title":"Account Linking","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EConnecting user accounts across multiple platforms to allow users access to more than one resource or application by providing credentials one time.\u003C\u002Fp\u003E","short":"\u003Cp\u003EConnecting user accounts across multiple platforms.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["account linking"]},"actions":{"title":"Actions","associatedPage":{"title":"Actions","url":"\u002Fdocs\u002Fcustomize\u002Factions"},"definition":"\u003Cp\u003ESecure, tenant-specific, versioned functions written in Node.js that execute at certain points during the Auth0 runtime. Actions are used to customize and extend Auth0's capabilities with custom logic.\u003C\u002Fp\u003E","short":"\u003Cp\u003ESecure, tenant-specific, versioned functions written in Node.js that execute at certain points during the Auth0 runtime.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["actions","action"]},"adaptive-multi-factor-authentication":{"title":"Adaptive Multi-factor Authentication","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EMulti-factor authentication (MFA) that is only triggered for users when an attempted login is determined to be a low confidence login. With Adaptive MFA, Auth0 triggers MFA only when needed to add friction for bad actors while keeping the login experience unchanged for good actors.\u003C\u002Fp\u003E","short":"\u003Cp\u003EMulti-factor authentication (MFA) that is only triggered for users when an attempted login is determined to be a low confidence login. 
\u003C\u002Fp\u003E","automate":true,"automaticTerms":["adaptive multi-factor authentication","adaptive MFA","adaptive multifactor authentication"]},"application":{"title":"Application","associatedPage":{"title":"Applications in Auth0","url":"\u002Fdocs\u002Fget-started\u002Fapplications"},"definition":"\u003Cp\u003EYour software that relies on Auth0 for authentication and identity management. Auth0 supports single-page, regular web, native, and machine-to-machine applications.\u003C\u002Fp\u003E","short":"\u003Cp\u003EYour software that relies on Auth0 for authentication and identity management. Auth0 supports single-page, regular web, native, and machine-to-machine applications.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["application","applications"]},"attack-protection":{"title":"Attack Protection","associatedPage":{"title":"Attack Protection","url":"\u002Fdocs\u002Fsecure\u002Fattack-protection"},"definition":"\u003Cp\u003EFeatures that Auth0 provides to detect and mitigate attacks, including brute-force protection, suspicious IP throttling, breached password detection, bot detection, and adaptive multi-factor authentication.\u003C\u002Fp\u003E","short":"\u003Cp\u003EFeatures that Auth0 provides to detect and mitigate attacks, including brute-force protection, suspicious IP throttling, breached password detection, bot detection, and adaptive multi-factor authentication.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["attack protection"]},"audience":{"title":"Audience","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EUnique identifier of the audience for an issued token, identified within a JSON Web Token as the \u003Cb\u003Eaud\u003C\u002Fb\u003E claim. The audience value is either the application (\u003Ccode\u003EClient ID\u003C\u002Fcode\u003E) for an ID Token or the API that is being called (\u003Ccode\u003EAPI Identifier\u003C\u002Fcode\u003E) for an Access Token. 
At Auth0, the Audience value sent in a request for an Access Token dictates whether that token is returned in an opaque or JWT format.\u003C\u002Fp\u003E","short":"\u003Cp\u003EUnique identifier of the audience for an issued token. Named \u003Cb\u003Eaud\u003C\u002Fb\u003E in a token, its value contains the ID of either an application (\u003Ccode\u003EClient ID\u003C\u002Fcode\u003E) for an ID Token or an API (\u003Ccode\u003EAPI Identifier\u003C\u002Fcode\u003E) for an Access Token.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["audience"]},"auth0-dashboard":{"title":"Auth0 Dashboard","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EAuth0’s primary administrator interface in which you can register your application or API, connect to a user store or another identity provider, and configure your Auth0 services.\u003C\u002Fp\u003E","short":"\u003Cp\u003EAuth0's main product to configure your services.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["auth0 dashboard"]},"authentication-server":{"title":"Authentication Server","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EServer that confirms or denies a user’s identity. An authentication server does not limit the actions or resources available to the user (although it can provide context for this purpose).\u003C\u002Fp\u003E","short":"\u003Cp\u003EServer that confirms or denies a user’s identity.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["authentication server","authentication servers"]},"authorization-code":{"title":"Authorization Code","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003ERandom string generated by the authorization server and returned to the application as part of the authorization response. 
The authorization code is relatively short-lived and is exchanged for an Access Token at the token endpoint when using the Authorization Code Flow (either with or without Proof Key for Code Exchange (PKCE)).\u003C\u002Fp\u003E","short":"\u003Cp\u003ERandom string generated by the authorization server and returned to the application as part of the authorization response when using the Authorization Code Flow (either with or without PKCE).\u003C\u002Fp\u003E","automate":false,"automaticTerms":["authorization code","auth code","authorization codes","auth codes"]},"authorization-flow":{"title":"Authorization Flow","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EAnother name for Authorization Grants outlined in OAuth 2.0. Authorization flows are the workflows a resource (an application or an API) uses to grant requestors access. Based on the type of technology (for example, if an application can store a Client Secret) and the type of requestor, resource owners can use Authorization Code Flow, Proof Key for Code Exchange (PKCE), Resource Owner Password Credential (ROPG), Implicit, or Client Credential.\u003C\u002Fp\u003E","short":"\u003Cp\u003EAuthorization grant (or workflow) specified in the OAuth 2.0 framework.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["authorization flow","authorization flows"]},"authorization-server":{"title":"Authorization Server","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003ECentralized server that contributes to defining the boundaries of a user’s access. For example, your authorization server can control the data, tasks, and features available to a user. An authorization server does not authenticate users. It’s the role of the authentication server to verify a user’s identity.\u003C\u002Fp\u003E","short":"\u003Cp\u003ECentralized server that contributes to defining the boundaries of a user’s access. 
For example, your authorization server can control the data, tasks, and features available to a user.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["authorization server","authorization servers"]},"bad-actors":{"title":"Bad Actors","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EAlso known as threat actors. Entity (a person or group) that poses a threat to the business or environment with the intention to cause harm. Harm can constitute physical or cyber damages, from breaking into a data center to hacking into systems with stolen credentials.\u003C\u002Fp\u003E","short":"\u003Cp\u003EEntity (a person or group) that poses a threat to the business or environment with the intention to cause harm.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["bad actors","bad actor"]},"beta":{"title":"Beta","associatedPage":{"title":"Product Release Stages","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fproduct-release-stages"},"definition":"\u003Cp\u003EProduct release stage during which the referenced feature or behavior is provided to subscribers to give them time to explore and adopt new product capabilities while providing final feedback prior to a General Availability (GA) release. Functionality is code-complete, stable, useful in a variety of scenarios, and believed to meet or almost meet quality expectations for a GA release. Beta releases may be restricted to a select number of subscribers (private) or open to all subscribers (public).\u003C\u002Fp\u003E","short":"\u003Cp\u003EProduct release stage during which subscribers can explore and adopt new product capabilities while providing final feedback prior to a General Availability (GA) release. 
Beta releases may be public or private.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["beta","betas"]},"block-unblock":{"title":"Block\u002FUnblock Users","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003ERemoving or restoring a requestor's access to a resource. Refers to the features from Auth0's Attack Protection suite: Breached Password Detection, Brute-Force Protection, and Suspicious IP Throttling. Each service assesses login\u002Fsign-up trends and blocks IP addresses associated with suspicious activity.\u003C\u002Fp\u003E","short":"\u003Cp\u003ERemoving or restoring a requestor's access to a resource.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["block\u002Funblock users","block\u002Funblock user"]},"bot-detection":{"title":"Bot Detection","associatedPage":{"title":"Bot Detection","url":"\u002Fdocs\u002Fsecure\u002Fattack-protection\u002Fbot-detection"},"definition":"\u003Cp\u003EForm of attack protection in which Auth0 blocks suspected bot traffic by enabling a CAPTCHA during the login process.\u003C\u002Fp\u003E","short":"\u003Cp\u003EForm of attack protection in which Auth0 blocks suspected bot traffic by enabling a CAPTCHA during the login process.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["bot detection"]},"breached-password-detection":{"title":"Breached Password Detection","associatedPage":{"title":"Breached Password Detection","url":"\u002Fdocs\u002Fsecure\u002Fattack-protection\u002Fbreached-password-detection"},"definition":"\u003Cp\u003EForm of attack protection in which Auth0 notifies your users if they use a username\u002Fpassword combination that has been compromised in a data leak on a third-party website or app.\u003C\u002Fp\u003E","short":"\u003Cp\u003EForm of attack protection in which Auth0 notifies your users if they use a username\u002Fpassword combination that has been compromised in a data leak on a third-party website or 
app.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["breached password detection"]},"breaking-change":{"title":"Breaking Change","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EChange to the Auth0 platform that, to Auth0's knowledge, will cause failures in the interoperation of the Auth0 platform and customer applications.\u003C\u002Fp\u003E","short":"\u003Cp\u003EChange to the Auth0 platform that, to Auth0's knowledge, will cause failures in the interoperation of the Auth0 platform and customer applications.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["breaking change","breaking changes"]},"brute-force-protection":{"title":"Brute-force Protection","associatedPage":{"title":"Brute-Force Protection","url":"\u002Fdocs\u002Fsecure\u002Fattack-protection\u002Fbrute-force-protection"},"definition":"\u003Cp\u003EForm of attack protection that safeguards against brute-force attacks that occur from a single IP address and target a single user account.\u003C\u002Fp\u003E","short":"\u003Cp\u003EForm of attack protection that safeguards against brute-force attacks that occur from a single IP address and target a single user account.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["brute-force protection","brute force protection"]},"callback":{"title":"Callback","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EURL to which Auth0 sends its response after authentication. 
It is often the same URL to which a user is redirected after authentication.\u003C\u002Fp\u003E","short":"\u003Cp\u003EURL to which Auth0 sends its response after an API call and sometimes where a user is redirected after authentication.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["callback","callbacks"]},"claim":{"title":"Claim","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EAttribute packaged in a security token which represents a claim that the provider of the token is making about an entity.\u003C\u002Fp\u003E","short":"\u003Cp\u003EAttribute packaged in a security token which represents a claim that the provider of the token is making about an entity.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["claim","claims"]},"client-id":{"title":"Client ID","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EIdentification value assigned to your application after registration. This value is used in conjunction with other third-party services and can be found in \u003Cb\u003EAuth0 Dashboard\u003C\u002Fb\u003E > \u003Cb\u003EApplication Settings\u003C\u002Fb\u003E.\u003C\u002Fp\u003E","short":"\u003Cp\u003EIdentification value given to your registered resource from Auth0.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["client id","client ids"]},"client-secret":{"title":"Client Secret","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003ESecret used by a client (application) to authenticate with the Authorization Server; it should be known to only the client and the Authorization Server and must be sufficiently random to not be guessable.\u003C\u002Fp\u003E","short":"\u003Cp\u003ESecret used by a client (application) to authenticate with the Authorization Server; it should be known to only the client and the Authorization Server and must be sufficiently random to not be guessable.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["client secret","client 
secrets"]},"confidential-client":{"title":"Confidential Client","associatedPage":{"title":"Confidential and Public Applications","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfidential-and-public-applications"},"definition":"\u003Cp\u003EAccording to the OAuth 2.0 protocol, clients (applications) can be classified as either confidential or public depending on whether or not they are able to hold credentials (such as a client ID and secret) securely. Confidential clients can hold credentials in a secure way without exposing them to unauthorized parties and require a trusted backend server to do so. They can use grant types that require them to authenticate by specifying their client ID and secret when calling the token endpoint and can have tokens issued to them that have been signed either symmetrically or asymmetrically.\u003C\u002Fp\u003E","short":"\u003Cp\u003EA client (application) that can hold credentials securely by using a trusted backend server. Examples include a web application with a secure backend and a machine-to-machine (M2M) application.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["confidential client","confidential clients"]},"confused-deputy":{"title":"Confused Deputy","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003ESituation in which an attacker tricks a client or service into performing an action on their behalf.\u003C\u002Fp\u003E","short":"\u003Cp\u003ESituation in which an attacker tricks a client or service into performing an action on their behalf.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["confused deputy","confused deputies"]},"connection":{"title":"Connection","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003ERelationship between Auth0 and the sources of users for your applications. 
Examples include identity providers (such as Google or Active Directory), passwordless authentication methods, or user databases.\u003C\u002Fp\u003E","short":"\u003Cp\u003ERelationship between Auth0 and the sources of users for your applications.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["connection","connections"]},"custom-domain":{"title":"Custom Domain","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EThird-party domain with a specialized, or vanity, name. Also known as a CNAME.\u003C\u002Fp\u003E","short":"\u003Cp\u003EThird-party domain with a specialized, or vanity, name.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["custom domain","custom domains"]},"deprecation":{"title":"Deprecation","associatedPage":{"title":"Product Release Stages","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fproduct-release-stages"},"definition":"\u003Cp\u003EProduct release stage indicating that the referenced feature or behavior is not supported for use by new subscribers, is not actively being enhanced, and is being only minimally maintained. 
Tenants using the feature or behavior at the time of deprecation will continue to have access.\u003C\u002Fp\u003E","short":"\u003Cp\u003EProduct release stage indicating that the referenced feature or behavior is not supported for use by new subscribers, is not actively being enhanced, and is being only minimally maintained.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["deprecation","deprecations"]},"digital-identity":{"title":"Digital Identity","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003ESet of attributes that define a particular user in the context of a function which is delivered by a particular application.\u003C\u002Fp\u003E","short":"\u003Cp\u003ESet of attributes that define a particular user in the context of a function which is delivered by a particular application.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["digital identity","digital identities"]},"digital-signature":{"title":"Digital Signature","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EEncrypted string that protects bits in a token from tampering. If the bits are changed or tampered with, the signature will no longer be able to be verified and it will be rejected.\u003C\u002Fp\u003E","short":"\u003Cp\u003EEncrypted string that protects bits in a token from tampering.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["digital signature","digital signatures"]},"directory":{"title":"Directory","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003ECentralized repository of users (the most well-known of which is Active Directory) which centralizes credentials and attributes and makes it unnecessary for each application to have their own local identity setup and pool of users. 
Allows single sign on to all applications that use the same directory of users.\u003C\u002Fp\u003E","short":"\u003Cp\u003ECentralized repository of users that allows single sign on to all applications that use the same directory.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["directory","directories"]},"early-access":{"title":"Early Access","associatedPage":{"title":"Product Release Stages","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fproduct-release-stages"},"definition":"\u003Cp\u003EProduct release stage during which the referenced feature or behavior is provided to a limited number of subscribers or customer development partners (CDPs) to give them the opportunity to test and provide feedback on future functionality. At this stage, functionality may not be complete, but is ready for validation.\u003C\u002Fp\u003E","short":"\u003Cp\u003EProduct release stage during which the referenced feature or behavior is provided to a limited number of subscribers or customer development partners (CDPs) to give them the opportunity to test and provide feedback on future functionality.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["early access","ea"]},"end-of-life":{"title":"End of Life","associatedPage":{"title":"Product Release Stages","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fproduct-release-stages"},"definition":"\u003Cp\u003EProduct release stage indicating that the referenced feature or behavior is removed from the platform. Continued use of the feature or behavior will likely result in errors. The new behavior will automatically be enabled for Tenants that did not opt in during the migration window.\u003C\u002Fp\u003E","short":"\u003Cp\u003EProduct release stage indicating that the referenced feature or behavior is removed from the platform. 
Continued use of the feature or behavior will likely result in errors.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["end of life","eol"]},"end-of-life-date":{"title":"End of Life Date","associatedPage":{"title":"Product Release Stages","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fproduct-release-stages"},"definition":"\u003Cp\u003EDate when access to a feature or behavior is removed from the platform. End Of Life Dates can vary between different plan types.\u003C\u002Fp\u003E","short":"\u003Cp\u003EDate when access to a feature or behavior is removed from the platform. End Of Life Dates can vary between different plan types.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["end of life date","end of life dates","eol date"]},"fine-grained-auth":{"title":"Fine-grained Authorization (FGA)","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EAuth0’s SaaS product that gives individual users access to specific objects or resources within your application.\u003C\u002Fp\u003E","short":"\u003Cp\u003EAuth0 product allowing individual users access to specific objects or resources.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["fine-grained authorization (fga)","fine-grained authorization","FGA"]},"flow":{"title":"Flow","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EProcesses that can be extended using Actions. Each Flow is made up of one or more Triggers and represents the logical pipeline through which information moves during a single point in the Auth0 journey.\u003C\u002Fp\u003E","short":"\u003Cp\u003EProcesses that can be extended using Actions. 
Each Flow is made up of one or more Triggers and represents the logical pipeline through which information moves during a single point in the Auth0 journey.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["flow","flows"]},"general-availability":{"title":"General Availability","associatedPage":{"title":"Product Release Stages","url":"\u002Fdocs\u002Ftroubleshoot\u002Fproduct-lifecycle\u002Fproduct-release-stages"},"definition":"\u003Cp\u003EProduct release stage during which the referenced feature or behavior is fully functional and available to all subscribers (limited by pricing tier) for production use. If a new release replaces an existing feature, Auth0 provides a period of backward compatibility in accordance with our deprecation policy and informs customers so they have time to adopt the new release.\u003C\u002Fp\u003E","short":"\u003Cp\u003EProduct release stage during which the referenced feature or behavior is fully functional and available to all subscribers (limited by pricing tier) for production use.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["general availability","GA"]},"group":{"title":"Group","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003ESet of one or more users. In the Auth0 Authorization Extension, use groups to grant access to many users at a time.\u003C\u002Fp\u003E","short":"\u003Cp\u003ESet of one or more users. In the Auth0 Authorization Extension, use groups to grant access to many users at a time.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["group","groups"]},"id-token":{"title":"ID Token","associatedPage":{"title":"ID Tokens","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Fid-tokens"},"definition":"\u003Cp\u003ECredential meant for the client itself, rather than for accessing a resource. 
It has a fixed format that clients can parse and validate.\u003C\u002Fp\u003E","short":"\u003Cp\u003ECredential meant for the client itself, rather than for accessing a resource.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["id token","id tokens","identity token","identity tokens"]},"idp":{"title":"Identity Provider (IdP)","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EService that stores and manages digital identities. Auth0 supports trusted social, enterprise, and legal identity providers. Auth0 also can function as an identity provider for your applications.\u003C\u002Fp\u003E","short":"\u003Cp\u003EService that stores and manages digital identities.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["identity provider (idp)","identity providers","identity provider","idp","idps","identity providers (idps)"]},"json-web-token":{"title":"JSON Web Token (JWT)","associatedPage":{"title":"JSON Web Tokens","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Fjson-web-tokens"},"definition":"\u003Cp\u003EOpen, industry standard \u003Ca href=\"https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519\"\u003ERFC 7519\u003C\u002Fa\u003E method for representing claims securely between two parties. At Auth0, ID Tokens are always returned in JWT format, and Access Tokens are often in JWT format. 
You may decode well-formed JWTs at \u003Ca href=\"https:\u002F\u002Fjwt.io\"\u003EJWT.io\u003C\u002Fa\u003E to view their claims.\u003C\u002Fp\u003E","short":"\u003Cp\u003EStandard ID Token format (and often Access Token format) used to represent claims securely between two parties.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["json web token (jwt)","json web token","json web tokens","jwt","jwts","json web tokens (jwts)"]},"localization":{"title":"Localization","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EAbility to render the New Universal Login experience into a supported language.\u003C\u002Fp\u003E","short":"\u003Cp\u003EAbility to render the New Universal Login experience into a supported language.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["localization"]},"lock":{"title":"Lock","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EAuth0's UI widget for authenticating users. It is ready to go as-is and is the default face of the Classic Universal Login experience. Lock allows you to customize minor behavioral and appearance options, but its primary goal is ease of use.\u003C\u002Fp\u003E","short":"\u003Cp\u003EAuth0's UI widget for authenticating users.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["lock"]},"management-api":{"title":"Management API","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EAuth0's API to manage Auth0 services and perform administrative tasks programmatically.\u003C\u002Fp\u003E","short":"\u003Cp\u003EA product to allow customers to perform administrative tasks. \u003C\u002Fp\u003E","automate":true,"automaticTerms":["management api"]},"metadata":{"title":"Metadata","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EInformation users can update, such as preferences or profile settings. 
Metadata is added to ID tokens and can be stored in user profiles.\u003C\u002Fp\u003E","short":"\u003Cp\u003EUser information stored in user profiles.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["metadata"]},"migration":{"title":"Migration","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EProcess by which a customer moves away from a particular feature or behavior. Migrations should occur during the Deprecation product release stage.\u003C\u002Fp\u003E","short":"\u003Cp\u003EProcess by which a customer moves away from a particular feature or behavior. Migrations should occur during the Deprecation product release stage.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["migration","migrations"]},"multifactor-authentication":{"title":"Multi-factor authentication (MFA)","associatedPage":{"title":"Multi-Factor Authentication","url":"\u002Fdocs\u002Fsecure\u002Fmulti-factor-authentication"},"definition":"\u003Cp\u003EAuthentication process that considers multiple factors. Typically at Auth0, the first factor is the standard username\u002Fpassword exchange, and the second is a code or link via email or SMS, a one-time-password via an app such as Authy or Google Authenticator, or a push notification via a phone app such as Guardian or Duo. 
Using multiple factors allows your account to remain secure if someone captures one or the other factor--acquires your password or steals your phone, for example.\u003C\u002Fp\u003E","short":"\u003Cp\u003EUser authentication process that uses a factor in addition to username and password such as a code via SMS.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["multi-factor authentication (mfa)","multi-factor authentication","multifactor authentication","mfa"]},"nonce":{"title":"Nonce","associatedPage":{"title":"Mitigate Replay Attacks When Using the Implicit Flow","url":"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization-flow\u002Fimplicit-flow-with-form-post\u002Fmitigate-replay-attacks-when-using-the-implicit-flow"},"definition":"\u003Cp\u003EArbitrary (often random or pseudo-random) number issued in an authentication protocol that can be used to help detect and mitigate replay attacks using old communications. In other words, the nonce is only issued once, so if an attacker attempts to replay a transaction with a different nonce, its false transaction can be detected more easily.\u003C\u002Fp\u003E","short":"\u003Cp\u003EArbitrary number issued once in an authentication protocol to detect and prevent replay attacks.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["nonce","nonces"]},"oath2":{"title":"OAuth 2.0","associatedPage":{"title":"OAuth 2.0 Authorization Framework","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Foauth"},"definition":"\u003Cp\u003EAuthorization framework that defines authorization protocols and workflows. OAuth 2.0 defines roles, authorization grants (or workflows), authorization requests and responses, and token handling. 
The OpenID Connect (OIDC) protocol, which verifies user identity, extends OAuth 2.0.\u003C\u002Fp\u003E","short":"\u003Cp\u003EAuthorization framework that defines authorization protocols and workflows.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["oauth 2.0","oauth"]},"openid":{"title":"OpenID","associatedPage":{"title":"OpenID Connect Protocol","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fopenid-connect-protocol"},"definition":"\u003Cp\u003EOpen standard for authentication that allows applications to verify users are who they say they are without needing to collect, store, and therefore become liable for a user’s login information.\u003C\u002Fp\u003E","short":"\u003Cp\u003EOpen standard for authentication that allows applications to verify users' identities without collecting and storing login information.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["openid"]},"organizations":{"title":"Organizations","associatedPage":{"title":"Organizations","url":"\u002Fdocs\u002Fmanage-users\u002Forganizations"},"definition":"\u003Cp\u003EAuth0 product that allows B2B customers to categorize end-users and define specific roles, login experience, and access to resources.\u003C\u002Fp\u003E","short":"\u003Cp\u003EAuth0 product that allows B2B customers to categorize end-users and define specific roles.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["organizations","organization"]},"passwordless":{"title":"Passwordless","associatedPage":{"title":"Passwordless","url":"\u002Fdocs\u002Fauthenticate\u002Fpasswordless"},"definition":"\u003Cp\u003EForm of authentication where the first factor is not a password. Instead, it could be a one-time password received by email or SMS, a push notification, or a biometric sensor. 
Passwordless uses one-time passwords, so users are less susceptible to the typical password-based attacks (e.g., dictionary or credential stuffing) than with traditional username\u002Fpassword logins.\u003C\u002Fp\u003E","short":"\u003Cp\u003EForm of authentication that does not rely on a password as the first factor.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["passwordless"]},"perimeter":{"title":"Perimeter","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003ESet of boundaries that encompass a directory, all of its users, and all of the applications which use the directory. In some implementations, this perimeter is a physical location; in others, it is a set of networks or devices connected via VPN.\u003C\u002Fp\u003E","short":"\u003Cp\u003ESet of boundaries that encompass a directory, all of its users, and all of the applications which use the directory.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["perimeter","perimeters"]},"product-release-stages":{"title":"Product Release Stages","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EPhases that describe how Auth0 stages, releases, and retires product functionality. 
Product features may not progress through all release stages, and the time in each stage will vary depending on the scope and impact of the feature.\u003C\u002Fp\u003E","short":"\u003Cp\u003EPhases that describe how Auth0 stages, releases, and retires product functionality.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["product release stages","product release stage"]},"public-client":{"title":"Public Client","associatedPage":{"title":"Confidential and Public Applications","url":"\u002Fdocs\u002Fget-started\u002Fapplications\u002Fconfidential-and-public-applications"},"definition":"\u003Cp\u003EAccording to the OAuth 2.0 protocol, clients (applications) can be classified as either confidential or public depending on whether or not they are able to hold credentials (such as a client ID and secret) securely. Public clients cannot hold credentials securely, so should only use grant types that do not require the use of their client secret. ID Tokens issued to them must be signed asymmetrically using a private key (RS256) and verified using the public key corresponding to the private key used to sign the token.\u003C\u002Fp\u003E","short":"\u003Cp\u003EClient (application) that cannot hold credentials securely. 
Examples include a native desktop or mobile application and a JavaScript-based client-side web application (such as a single-page app (SPA)).\u003C\u002Fp\u003E","automate":true,"automaticTerms":["public client","public clients"]},"raw-credential":{"title":"Raw Credential","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EShared secret or set of information that is agreed upon between the user and the resource that allow the resource to verify the identity of a user.\u003C\u002Fp\u003E","short":"\u003Cp\u003EShared secret or set of information that is agreed upon between the user and the resource that allow the resource to verify the identity of a user.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["raw credential","raw credentials"]},"refresh-token":{"title":"Refresh Token","associatedPage":{"title":"Refresh Tokens","url":"\u002Fdocs\u002Fsecure\u002Ftokens\u002Frefresh-tokens"},"definition":"\u003Cp\u003ESpecial kind of token that can be used to obtain a renewed Access Token. It is useful for renewing expiring Access Tokens without forcing the user to log in again. Using the Refresh Token, you can request a new Access Token at any time until the Refresh Token is blocklisted.\u003C\u002Fp\u003E","short":"\u003Cp\u003EToken used to obtain a renewed Access Token without forcing users to log in again.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["refresh token","refresh tokens"]},"refresh-token-rotation":{"title":"Refresh Token Rotation","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EStrategy of frequently replacing refresh tokens to minimize vulnerability. With refresh token rotation, every time your application exchanges a refresh token to get a new access token, Auth0 also returns a new refresh token.\u003C\u002Fp\u003E","short":"\u003Cp\u003EStrategy of frequently replacing refresh tokens to minimize vulnerability. 
With refresh token rotation, every time your application exchanges a refresh token to get a new access token, Auth0 also returns a new refresh token.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["refresh token rotation"]},"relying-party":{"title":"Relying Party","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EEntity (such as a service or application) that depends on a third-party identity provider to authenticate a user.\u003C\u002Fp\u003E","short":"\u003Cp\u003EEntity (such as a service or application) that depends on a third-party identity provider to authenticate a user.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["relying party","relying parties"]},"resource-owner":{"title":"Resource Owner","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EEntity (such as a user or application) capable of granting access to a protected resource.\u003C\u002Fp\u003E","short":"\u003Cp\u003EEntity (such as a user or application) capable of granting access to a protected resource.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["resource owner","resource owners"]},"resource-server":{"title":"Resource Server","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EServer hosting protected resources. Resource servers accept and respond to protected resource requests.\u003C\u002Fp\u003E","short":"\u003Cp\u003EServer hosting protected resources. Resource servers accept and respond to protected resource requests.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["resource server","resource servers"]},"role":{"title":"Role","associatedPage":{"title":"Role-Based Access Control","url":"\u002Fdocs\u002Fmanage-users\u002Faccess-control\u002Frbac"},"definition":"\u003Cp\u003EAspect of a user’s identity assigned to the user to indicate the level of access they should have to the system. 
Roles are essentially collections of permissions.\u003C\u002Fp\u003E","short":"\u003Cp\u003EAspect of a user’s identity assigned to the user to give them a certain set of permissions.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["role","roles"]},"scope":{"title":"Scope","associatedPage":{"title":"Scopes","url":"\u002Fdocs\u002Fget-started\u002Fapis\u002Fscopes"},"definition":"\u003Cp\u003EMechanism that defines the specific actions applications can be allowed to do or information that they can request on a user’s behalf. Often, applications will want to make use of the information that has already been created in an online resource. To do so, the application must ask for authorization to access this information on a user’s behalf. When an app requests permission to access a resource through an authorization server, it uses the Scope parameter to specify what access it needs, and the authorization server uses the Scope parameter to respond with the access that was actually granted.\u003C\u002Fp\u003E","short":"\u003Cp\u003EMechanism that determines actions applications can perform on a user's behalf with information previously created in an online resource.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["scope","scopes"]},"security-assertion-markup-language":{"title":"Security Assertion Markup Language (SAML)","associatedPage":{"title":"SAML","url":"\u002Fdocs\u002Fauthenticate\u002Fprotocols\u002Fsaml"},"definition":"\u003Cp\u003EXML-based standardized protocol by which two parties can exchange authentication information without the use of a password.\u003C\u002Fp\u003E","short":"\u003Cp\u003EStandardized protocol allowing two parties to exchange authentication information without a password.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["security assertion markup language (saml)","security assertion markup language","saml"]},"security-token":{"title":"Security 
Token","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EDigitally-signed artifact used to prove that the user was successfully authenticated.\u003C\u002Fp\u003E","short":"\u003Cp\u003EDigitally-signed artifact used to prove that the user was successfully authenticated.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["security token","security tokens"]},"session-cookie":{"title":"Session Cookie","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EEntity emitted by middleware after it establishes that the token it is receiving is signed, valid, and comes from a trusted source (the identity provider). This entity represents the fact that successful authentication occurred with the identity provider. This cookie prevents this process with tokens from needing to be continually repeated, by allowing the user to be considered authenticated as long as the cookie is present.\u003C\u002Fp\u003E","short":"\u003Cp\u003EEntity that, when present, allows the user to be considered authenticated.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["session cookie","session cookies"]},"shadow-account":{"title":"Shadow Account","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EDifficult-to-sustain practice of manually provisioning a user from a local directory separately in a remote directory (essentially creating a copy, or shadow, of the original account) when they need access to remote applications.\u003C\u002Fp\u003E","short":"\u003Cp\u003EDifficult-to-sustain practice of manually provisioning a user from a local directory separately in a remote directory.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["shadow account","shadow accounts"]},"signing-algorithm":{"title":"Signing Algorithm","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EHashing algorithm used to digitally sign tokens to ensure the token has not been tampered with by bad 
actors.\u003C\u002Fp\u003E","short":"\u003Cp\u003EAlgorithm used to digitally sign tokens to ensure the token has not been tampered with.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["signing algorithm","signing algorithms"]},"single-sign-on":{"title":"Single Sign-On (SSO)","associatedPage":{"title":"Single Sign-On","url":"\u002Fdocs\u002Fauthenticate\u002Fsingle-sign-on"},"definition":"\u003Cp\u003EService that, after a user logs into one application, automatically logs that user in to other applications, regardless of the platform, technology, or domain the user is using. The user signs in only one time (hence the name of the feature). Similarly, Single Logout (SLO) occurs when, after a user logs out from one application, they are logged out of each application or service where they were logged in. SSO and SLO are possible through the use of sessions.\u003C\u002Fp\u003E","short":"\u003Cp\u003EService that, after a user logs into one application, automatically logs that user in to other applications.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["single sign-on (sso)","single sign-on","single sign on","sso","single signon"]},"subscription":{"title":"Subscription","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EAgreement that defines the features and quotas available for each of your tenants. Auth0 has multiple subscription levels to meet the needs of different developers and organizations.\u003C\u002Fp\u003E","short":"\u003Cp\u003EAgreement that defines the features and quotas available for each of your tenants. 
Auth0 has multiple subscription levels to meet the needs of different developers and organizations.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["subscription","subscriptions"]},"suspicious-ip-throttling":{"title":"Suspicious IP Throttling","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EForm of attack protection that protects your tenant against suspicious logins targeting too many accounts from a single IP address.\u003C\u002Fp\u003E","short":"\u003Cp\u003EForm of attack protection that protects your tenant against suspicious logins targeting too many accounts from a single IP address.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["suspicious ip throttling"]},"tenant":{"title":"Tenant","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EAt Auth0, a logically-isolated group of users who share common access with specific privileges to a single software instance. No tenant can access the data of another tenant, even though multiple tenants might be running on the same machine. Tenant, in general, is a term borrowed from software multitenant architecture.\u003C\u002Fp\u003E","short":"\u003Cp\u003EAt Auth0, a logically-isolated group of users who share common access with specific privileges to a single software instance. 
No tenant can access the data of another tenant, even though multiple tenants might be running on the same machine.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["tenant","tenants"]},"token-endpoint":{"title":"Token Endpoint","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EEndpoint on the Authorization Server that is used to programmatically request tokens.\u003C\u002Fp\u003E","short":"\u003Cp\u003EEndpoint on the Authorization Server that is used to programmatically request tokens.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["token endpoint","token endpoints"]},"trigger":{"title":"Trigger","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EEvent that automatically invokes an Action when a specific operation, such as a user logging in, occurs at runtime. Some Triggers are executed synchronously, blocking the Flow in which they are involved, and some are executed asynchronously.\u003C\u002Fp\u003E","short":"\u003Cp\u003EEvent that automatically invokes an Action when a specific operation, such as a user logging in, occurs at runtime.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["trigger","triggers"]},"trust":{"title":"Trust","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EResource trusts an identity provider or authority when that resource is willing to believe what the authority says about its users.\u003C\u002Fp\u003E","short":"\u003Cp\u003EResource trusts an identity provider or authority when that resource is willing to believe what the authority says about its users.\u003C\u002Fp\u003E","automate":false,"automaticTerms":["trust","trusts"]},"universal-login":{"title":"Universal Login","associatedPage":{"title":"Auth0 Universal Login","url":"\u002Fdocs\u002Fauthenticate\u002Flogin\u002Fauth0-universal-login"},"definition":"\u003Cp\u003EAuth0’s implementation of the authentication flow, which is the key feature of an Authorization Server. 
Each time a user needs to prove their identity, your \u003Ca href=\"\u002Fdocs\u002Fget-started\u002Fapplications\"\u003Eapplications\u003C\u002Fa\u003E redirect to Universal Login, and Auth0 will do what’s needed to guarantee the user’s identity.\u003C\u002Fp\u003E","short":"\u003Cp\u003EYour application redirects to Universal Login, hosted on Auth0's Authorization Server, to verify a user's identity.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["universal login"]},"ws-fed":{"title":"Web Service Federation (WS-Fed)","associatedPage":{"url":"\u002Fdocsundefined"},"definition":"\u003Cp\u003EProtocol for managing user identities between systems, domains, and identity providers with established trust using WS-Trust. This protocol is mainly used for Microsoft products and defines policies on how to share federation metadata. \u003C\u002Fp\u003E","short":"\u003Cp\u003EProtocol for managing user identities across domains.\u003C\u002Fp\u003E","automate":true,"automaticTerms":["web service federation (ws-fed)","web service federation","ws-fed"]}},"termLetters":["A","B","C","D","E","F","G","I","J","L","M","N","O","P","R","S","T","U","W"]},"breadcrumbs":[{"title":"Docs","url":"\u002Fdocs"},{"title":"Secure","path":"\u002Fsecure","url":"\u002Fdocs\u002Fsecure"},{"title":"Highly Regulated Identity","path":"\u002Fsecure\u002Fhighly-regulated-identity","url":"\u002Fdocs\u002Fsecure\u002Fhighly-regulated-identity"}],"sidebarBreadcrumbs":[]}}},"options":{"optimizePromiseCallback":false},"plugins":{"MetricsPlugin":undefined,"DevToolsPlugin":{"actionHistory":[],"enableDebug":false}}},"plugins":{"ServiceProxyPlugin":{}}};</script><script src="https://cdn2.auth0.com/docs/1.14124.0/js/client.774e15a7e7eecfc961cc.bundle.js" data-manual="true"></script><input type="hidden" id="__csrf" value="hckjpaun-j9jbAEKks9L9Acn2zJoHOLklfBg"/></body></html>