Skip to content

Auth0

FeatureSupport
OAuth2/OIDC clients✅ Full
SAML clients❌ Not supported
Resource servers✅ Native
Client cloning✅ Full
  1. Create or sign in to your Auth0 tenant:

    Go to manage.auth0.com and create a tenant if you don’t have one.

  2. Create a Machine-to-Machine application:

    In the Auth0 dashboard: Applications → Applications → Create Application. Choose Machine to Machine Applications and give it a name (e.g. Taco Management).

  3. Authorize the Management API:

    After creation, select the Management API and grant the following scopes:

    Clients:

    • read:clients
    • create:clients
    • update:clients
    • delete:clients
    • read:client_keys
    • update:client_keys

    Resource servers:

    • read:resource_servers
    • create:resource_servers
    • update:resource_servers
    • delete:resource_servers

    Client grants (needed to configure client_credentials audiences):

    • read:client_grants
    • create:client_grants
    • update:client_grants
    • delete:client_grants
  4. Copy credentials:

    From the application’s Settings tab, note:

    • Domain (e.g. your-tenant.auth0.com)
    • Client ID
    • Client Secret
  5. Set environment variables:

    Terminal window
    OPENID_PROVIDER=auth0
    AUTH0_DOMAIN=your-tenant.auth0.com
    OPENID_PROVIDER_AUTH_CLIENT_ID=your-m2m-client-id
    OPENID_PROVIDER_AUTH_CLIENT_SECRET=your-m2m-client-secret
  • Application types (SPA, native, regular web, M2M) map to Auth0’s app_type field.
  • Resource servers created in Taco appear as Auth0 APIs (identifier = audience).
  • Client cloning copies grant types, callback URLs, scopes, and metadata into a new Auth0 application.

To protect the Taco dashboard with Auth0 SSO, create a separate Regular Web Application in Auth0 and set:

Terminal window
AUTH_CLIENT_OPENID_CONFIGURATION_URL=https://your-tenant.auth0.com
AUTH_CLIENT_ID=your-oidc-client-id
AUTH_CLIENT_SECRET=your-oidc-client-secret

Add <BASE_URL>/api/auth/callback/oidc to the Auth0 application’s Allowed Callback URLs.