Auth0
Feature availability
Section titled “Feature availability”| Feature | Support |
|---|---|
| OAuth2/OIDC clients | ✅ Full |
| SAML clients | ❌ Not supported |
| Resource servers | ✅ Native |
| Client cloning | ✅ Full |
-
Create or sign in to your Auth0 tenant:
Go to manage.auth0.com and create a tenant if you don’t have one.
-
Create a Machine-to-Machine application:
In the Auth0 dashboard: Applications → Applications → Create Application. Choose Machine to Machine Applications and give it a name (e.g.
Taco Management). -
Authorize the Management API:
After creation, select the Management API and grant the following scopes:
Clients:
read:clientscreate:clientsupdate:clientsdelete:clientsread:client_keysupdate:client_keys
Resource servers:
read:resource_serverscreate:resource_serversupdate:resource_serversdelete:resource_servers
Client grants (needed to configure
client_credentialsaudiences):read:client_grantscreate:client_grantsupdate:client_grantsdelete:client_grants
-
Copy credentials:
From the application’s Settings tab, note:
- Domain (e.g.
your-tenant.auth0.com) - Client ID
- Client Secret
- Domain (e.g.
-
Set environment variables:
Terminal window OPENID_PROVIDER=auth0AUTH0_DOMAIN=your-tenant.auth0.comOPENID_PROVIDER_AUTH_CLIENT_ID=your-m2m-client-idOPENID_PROVIDER_AUTH_CLIENT_SECRET=your-m2m-client-secret
Client management notes
Section titled “Client management notes”- Application types (SPA, native, regular web, M2M) map to Auth0’s
app_typefield. - Resource servers created in Taco appear as Auth0 APIs (identifier = audience).
- Client cloning copies grant types, callback URLs, scopes, and metadata into a new Auth0 application.
OIDC login (optional)
Section titled “OIDC login (optional)”To protect the Taco dashboard with Auth0 SSO, create a separate Regular Web Application in Auth0 and set:
AUTH_CLIENT_OPENID_CONFIGURATION_URL=https://your-tenant.auth0.comAUTH_CLIENT_ID=your-oidc-client-idAUTH_CLIENT_SECRET=your-oidc-client-secretAdd <BASE_URL>/api/auth/callback/oidc to the Auth0 application’s Allowed Callback URLs.