getClients

Auth0 v3.41.0, Apr 28 26

Viewing docs for Auth0 v3.41.0
published on Tuesday, Apr 28, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-auth0

Viewing docs for Auth0 v3.41.0
published on Tuesday, Apr 28, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-auth0

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as auth0 from "@pulumi/auth0";

// Auth0 clients with "External" in the name
const externalApps = auth0.getClients({
    nameFilter: "External",
});
// Auth0 clients filtered by non_interactive or spa app type
const m2mApps = auth0.getClients({
    appTypes: [
        "non_interactive",
        "spa",
    ],
});
// Auth0 clients filtered by is_first_party equal to true
const firstPartyApps = auth0.getClients({
    isFirstParty: true,
});

import pulumi
import pulumi_auth0 as auth0

# Auth0 clients with "External" in the name
external_apps = auth0.get_clients(name_filter="External")
# Auth0 clients filtered by non_interactive or spa app type
m2m_apps = auth0.get_clients(app_types=[
    "non_interactive",
    "spa",
])
# Auth0 clients filtered by is_first_party equal to true
first_party_apps = auth0.get_clients(is_first_party=True)

package main

import (
	"github.com/pulumi/pulumi-auth0/sdk/v3/go/auth0"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Auth0 clients with "External" in the name
		_, err := auth0.GetClients(ctx, &auth0.GetClientsArgs{
			NameFilter: pulumi.StringRef("External"),
		}, nil)
		if err != nil {
			return err
		}
		// Auth0 clients filtered by non_interactive or spa app type
		_, err = auth0.GetClients(ctx, &auth0.GetClientsArgs{
			AppTypes: []string{
				"non_interactive",
				"spa",
			},
		}, nil)
		if err != nil {
			return err
		}
		// Auth0 clients filtered by is_first_party equal to true
		_, err = auth0.GetClients(ctx, &auth0.GetClientsArgs{
			IsFirstParty: pulumi.BoolRef(true),
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Auth0 = Pulumi.Auth0;

return await Deployment.RunAsync(() => 
{
    // Auth0 clients with "External" in the name
    var externalApps = Auth0.Index.GetClients.Invoke(new()
    {
        NameFilter = "External",
    });

    // Auth0 clients filtered by non_interactive or spa app type
    var m2mApps = Auth0.Index.GetClients.Invoke(new()
    {
        AppTypes = new[]
        {
            "non_interactive",
            "spa",
        },
    });

    // Auth0 clients filtered by is_first_party equal to true
    var firstPartyApps = Auth0.Index.GetClients.Invoke(new()
    {
        IsFirstParty = true,
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.auth0.Auth0Functions;
import com.pulumi.auth0.inputs.GetClientsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Auth0 clients with "External" in the name
        final var externalApps = Auth0Functions.getClients(GetClientsArgs.builder()
            .nameFilter("External")
            .build());

        // Auth0 clients filtered by non_interactive or spa app type
        final var m2mApps = Auth0Functions.getClients(GetClientsArgs.builder()
            .appTypes(            
                "non_interactive",
                "spa")
            .build());

        // Auth0 clients filtered by is_first_party equal to true
        final var firstPartyApps = Auth0Functions.getClients(GetClientsArgs.builder()
            .isFirstParty(true)
            .build());

    }
}

variables:
  # Auth0 clients with "External" in the name
  externalApps:
    fn::invoke:
      function: auth0:getClients
      arguments:
        nameFilter: External
  # Auth0 clients filtered by non_interactive or spa app type
  m2mApps:
    fn::invoke:
      function: auth0:getClients
      arguments:
        appTypes:
          - non_interactive
          - spa
  # Auth0 clients filtered by is_first_party equal to true
  firstPartyApps:
    fn::invoke:
      function: auth0:getClients
      arguments:
        isFirstParty: true

Example coming soon!

Using getClients

Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

function getClients(args: GetClientsArgs, opts?: InvokeOptions): Promise<GetClientsResult>
function getClientsOutput(args: GetClientsOutputArgs, opts?: InvokeOptions): Output<GetClientsResult>

def get_clients(app_types: Optional[Sequence[str]] = None,
                external_client_id: Optional[str] = None,
                is_first_party: Optional[bool] = None,
                name_filter: Optional[str] = None,
                opts: Optional[InvokeOptions] = None) -> GetClientsResult
def get_clients_output(app_types: pulumi.Input[Optional[Sequence[pulumi.Input[str]]]] = None,
                external_client_id: pulumi.Input[Optional[str]] = None,
                is_first_party: pulumi.Input[Optional[bool]] = None,
                name_filter: pulumi.Input[Optional[str]] = None,
                opts: Optional[InvokeOptions] = None) -> Output[GetClientsResult]

func GetClients(ctx *Context, args *GetClientsArgs, opts ...InvokeOption) (*GetClientsResult, error)
func GetClientsOutput(ctx *Context, args *GetClientsOutputArgs, opts ...InvokeOption) GetClientsResultOutput

> Note: This function is named GetClients in the Go SDK.

public static class GetClients 
{
    public static Task<GetClientsResult> InvokeAsync(GetClientsArgs args, InvokeOptions? opts = null)
    public static Output<GetClientsResult> Invoke(GetClientsInvokeArgs args, InvokeOptions? opts = null)
}

public static CompletableFuture<GetClientsResult> getClients(GetClientsArgs args, InvokeOptions options)
public static Output<GetClientsResult> getClients(GetClientsArgs args, InvokeOptions options)

fn::invoke:
  function: auth0:index/getClients:getClients
  arguments:
    # arguments dictionary

data "auth0_getclients" "name" {
    # arguments
}

The following arguments are supported:

AppTypes List<string>: Filter clients by application types.
ExternalClientId string: Filter clients by CIMD external client ID URL.
IsFirstParty bool: Filter clients by first party status.
NameFilter string: Filter clients by name (partial matches supported).

AppTypes []string: Filter clients by application types.
ExternalClientId string: Filter clients by CIMD external client ID URL.
IsFirstParty bool: Filter clients by first party status.
NameFilter string: Filter clients by name (partial matches supported).

app_types list(string): Filter clients by application types.
external_client_id string: Filter clients by CIMD external client ID URL.
is_first_party bool: Filter clients by first party status.
name_filter string: Filter clients by name (partial matches supported).

appTypes List<String>: Filter clients by application types.
externalClientId String: Filter clients by CIMD external client ID URL.
isFirstParty Boolean: Filter clients by first party status.
nameFilter String: Filter clients by name (partial matches supported).

appTypes string[]: Filter clients by application types.
externalClientId string: Filter clients by CIMD external client ID URL.
isFirstParty boolean: Filter clients by first party status.
nameFilter string: Filter clients by name (partial matches supported).

app_types Sequence[str]: Filter clients by application types.
external_client_id str: Filter clients by CIMD external client ID URL.
is_first_party bool: Filter clients by first party status.
name_filter str: Filter clients by name (partial matches supported).

appTypes List<String>: Filter clients by application types.
externalClientId String: Filter clients by CIMD external client ID URL.
isFirstParty Boolean: Filter clients by first party status.
nameFilter String: Filter clients by name (partial matches supported).

getClients Result

The following output properties are available:

Clients List<GetClientsClient>: List of clients matching the filter criteria.
Id string: The provider-assigned unique ID for this managed resource.
AppTypes List<string>: Filter clients by application types.
ExternalClientId string: Filter clients by CIMD external client ID URL.
IsFirstParty bool: Filter clients by first party status.
NameFilter string: Filter clients by name (partial matches supported).

Clients []GetClientsClient: List of clients matching the filter criteria.
Id string: The provider-assigned unique ID for this managed resource.
AppTypes []string: Filter clients by application types.
ExternalClientId string: Filter clients by CIMD external client ID URL.
IsFirstParty bool: Filter clients by first party status.
NameFilter string: Filter clients by name (partial matches supported).

clients list(object): List of clients matching the filter criteria.
id string: The provider-assigned unique ID for this managed resource.
app_types list(string): Filter clients by application types.
external_client_id string: Filter clients by CIMD external client ID URL.
is_first_party bool: Filter clients by first party status.
name_filter string: Filter clients by name (partial matches supported).

clients List<GetClientsClient>: List of clients matching the filter criteria.
id String: The provider-assigned unique ID for this managed resource.
appTypes List<String>: Filter clients by application types.
externalClientId String: Filter clients by CIMD external client ID URL.
isFirstParty Boolean: Filter clients by first party status.
nameFilter String: Filter clients by name (partial matches supported).

clients GetClientsClient[]: List of clients matching the filter criteria.
id string: The provider-assigned unique ID for this managed resource.
appTypes string[]: Filter clients by application types.
externalClientId string: Filter clients by CIMD external client ID URL.
isFirstParty boolean: Filter clients by first party status.
nameFilter string: Filter clients by name (partial matches supported).

clients Sequence[GetClientsClient]: List of clients matching the filter criteria.
id str: The provider-assigned unique ID for this managed resource.
app_types Sequence[str]: Filter clients by application types.
external_client_id str: Filter clients by CIMD external client ID URL.
is_first_party bool: Filter clients by first party status.
name_filter str: Filter clients by name (partial matches supported).

clients List<Property Map>: List of clients matching the filter criteria.
id String: The provider-assigned unique ID for this managed resource.
appTypes List<String>: Filter clients by application types.
externalClientId String: Filter clients by CIMD external client ID URL.
isFirstParty Boolean: Filter clients by first party status.
nameFilter String: Filter clients by name (partial matches supported).

Supporting Types

GetClientsClient

AllowedClients List<string>: List of applications ID's that will be allowed to make delegation request. By default, all applications will be allowed.
AllowedLogoutUrls List<string>: URLs that Auth0 may redirect to after logout.
AllowedOrigins List<string>: URLs that represent valid origins for cross-origin resource sharing. By default, all your callback URLs will be allowed.
AppType string: Type of application the client represents. Possible values are: native, spa, regularWeb, nonInteractive, resourceServer,ssoIntegration. Specific SSO integrations types accepted as well are: rms, box, cloudbees, concur, dropbox, mscrm, echosign, egnyte, newrelic, office365, salesforce, sentry, sharepoint, slack, springcm, zendesk, zoom, expressConfiguration
AsyncApprovalNotificationChannels List<string>: List of notification channels enabled for CIBA (Client-Initiated Backchannel Authentication) requests initiated by this client. Valid values are guardian-push and email. The order is significant as this is the order in which notification channels will be evaluated.
Callbacks List<string>: URLs that Auth0 may call back to after a user authenticates for the client. Make sure to specify the protocol (https://) otherwise the callback may fail in some cases. With the exception of custom URI schemes for native clients, all callbacks should use protocol https://.
ClientMetadata Dictionary<string, string>: Metadata associated with the client, in the form of an object with string values (max 255 chars). Maximum of 10 metadata properties allowed. Field names (max 255 chars) are alphanumeric and may only include the following special characters: :,-+=_*?"/\()<>@ [Tab] [Space].
ClientSecret string: Secret for the client. Keep this private. To access this attribute you need to add the read:client_keys scope to the Terraform client. Otherwise, the attribute will contain an empty string.
Description string: Description of the purpose of the client.
ExpressConfigurations List<GetClientsClientExpressConfiguration>: Express Configuration settings for the client. Used with OIN Express Configuration.
ExternalClientId string: The URL of the Client ID Metadata Document. Only present for CIMD-registered clients.
ExternalMetadataCreatedBy string: Who created the external metadata client: admin (via Management API), client (self-registered), or unknown.
ExternalMetadataType string: Type of external metadata. Value is cimd for CIMD-registered clients.
GrantTypes List<string>: Types of grants that this client is authorized to use.
IsFirstParty bool: Indicates whether this client is a first-party client.
IsTokenEndpointIpHeaderTrusted bool: Indicates whether the token endpoint IP header is trusted. Requires the authentication method to be set to clientSecretPost or clientSecretBasic. Setting this property when creating the resource, will default the authentication method to clientSecretPost. To change the authentication method to clientSecretBasic use the auth0.ClientCredentials resource.
JwksUri string: URL for the JSON Web Key Set (JWKS) containing the public keys used for privateKeyJwt authentication. Only present for CIMD clients using privateKeyJwt authentication.
MyOrganizationConfigurations List<GetClientsClientMyOrganizationConfiguration>: Configuration for self-service organization features, controlling how organizations are created and managed for this client.
OidcLogouts List<GetClientsClientOidcLogout>: Configure OIDC logout for the Client
OrganizationDiscoveryMethods List<string>: Methods for discovering organizations during the pre_login_prompt. Can include email (allows users to find their organization by entering their email address) and/or organizationName (requires users to enter the organization name directly). These methods can be combined. Setting this property requires that organizationRequireBehavior is set to preLoginPrompt.
ResourceServerIdentifier string: The identifier of a resource server that client is associated withThis property can be sent only when app_type=resource_server.This property can not be changed, once the client is created.
SessionTransfers List<GetClientsClientSessionTransfer>
SkipNonVerifiableCallbackUriConfirmationPrompt string: Indicates whether the confirmation prompt appears when using non-verifiable callback URIs. Set to true to skip the prompt, false to show it, or null to unset. Accepts (true/false/null) or ("true"/"false"/"null")
TokenExchanges List<GetClientsClientTokenExchange>: Allows configuration for token exchange
TokenQuotas List<GetClientsClientTokenQuota>: The token quota configuration.
WebOrigins List<string>: URLs that represent valid web origins for use with web message response mode.
ClientId string: The ID of the client. If not provided, name must be set.
Name string: The name of the client. If not provided, clientId must be set.

AllowedClients []string: List of applications ID's that will be allowed to make delegation request. By default, all applications will be allowed.
AllowedLogoutUrls []string: URLs that Auth0 may redirect to after logout.
AllowedOrigins []string: URLs that represent valid origins for cross-origin resource sharing. By default, all your callback URLs will be allowed.
AppType string: Type of application the client represents. Possible values are: native, spa, regularWeb, nonInteractive, resourceServer,ssoIntegration. Specific SSO integrations types accepted as well are: rms, box, cloudbees, concur, dropbox, mscrm, echosign, egnyte, newrelic, office365, salesforce, sentry, sharepoint, slack, springcm, zendesk, zoom, expressConfiguration
AsyncApprovalNotificationChannels []string: List of notification channels enabled for CIBA (Client-Initiated Backchannel Authentication) requests initiated by this client. Valid values are guardian-push and email. The order is significant as this is the order in which notification channels will be evaluated.
Callbacks []string: URLs that Auth0 may call back to after a user authenticates for the client. Make sure to specify the protocol (https://) otherwise the callback may fail in some cases. With the exception of custom URI schemes for native clients, all callbacks should use protocol https://.
ClientMetadata map[string]string: Metadata associated with the client, in the form of an object with string values (max 255 chars). Maximum of 10 metadata properties allowed. Field names (max 255 chars) are alphanumeric and may only include the following special characters: :,-+=_*?"/\()<>@ [Tab] [Space].
ClientSecret string: Secret for the client. Keep this private. To access this attribute you need to add the read:client_keys scope to the Terraform client. Otherwise, the attribute will contain an empty string.
Description string: Description of the purpose of the client.
ExpressConfigurations []GetClientsClientExpressConfiguration: Express Configuration settings for the client. Used with OIN Express Configuration.
ExternalClientId string: The URL of the Client ID Metadata Document. Only present for CIMD-registered clients.
ExternalMetadataCreatedBy string: Who created the external metadata client: admin (via Management API), client (self-registered), or unknown.
ExternalMetadataType string: Type of external metadata. Value is cimd for CIMD-registered clients.
GrantTypes []string: Types of grants that this client is authorized to use.
IsFirstParty bool: Indicates whether this client is a first-party client.
IsTokenEndpointIpHeaderTrusted bool: Indicates whether the token endpoint IP header is trusted. Requires the authentication method to be set to clientSecretPost or clientSecretBasic. Setting this property when creating the resource, will default the authentication method to clientSecretPost. To change the authentication method to clientSecretBasic use the auth0.ClientCredentials resource.
JwksUri string: URL for the JSON Web Key Set (JWKS) containing the public keys used for privateKeyJwt authentication. Only present for CIMD clients using privateKeyJwt authentication.
MyOrganizationConfigurations []GetClientsClientMyOrganizationConfiguration: Configuration for self-service organization features, controlling how organizations are created and managed for this client.
OidcLogouts []GetClientsClientOidcLogout: Configure OIDC logout for the Client
OrganizationDiscoveryMethods []string: Methods for discovering organizations during the pre_login_prompt. Can include email (allows users to find their organization by entering their email address) and/or organizationName (requires users to enter the organization name directly). These methods can be combined. Setting this property requires that organizationRequireBehavior is set to preLoginPrompt.
ResourceServerIdentifier string: The identifier of a resource server that client is associated withThis property can be sent only when app_type=resource_server.This property can not be changed, once the client is created.
SessionTransfers []GetClientsClientSessionTransfer
SkipNonVerifiableCallbackUriConfirmationPrompt string: Indicates whether the confirmation prompt appears when using non-verifiable callback URIs. Set to true to skip the prompt, false to show it, or null to unset. Accepts (true/false/null) or ("true"/"false"/"null")
TokenExchanges []GetClientsClientTokenExchange: Allows configuration for token exchange
TokenQuotas []GetClientsClientTokenQuota: The token quota configuration.
WebOrigins []string: URLs that represent valid web origins for use with web message response mode.
ClientId string: The ID of the client. If not provided, name must be set.
Name string: The name of the client. If not provided, clientId must be set.

allowed_clients list(string): List of applications ID's that will be allowed to make delegation request. By default, all applications will be allowed.
allowed_logout_urls list(string): URLs that Auth0 may redirect to after logout.
allowed_origins list(string): URLs that represent valid origins for cross-origin resource sharing. By default, all your callback URLs will be allowed.
app_type string: Type of application the client represents. Possible values are: native, spa, regularWeb, nonInteractive, resourceServer,ssoIntegration. Specific SSO integrations types accepted as well are: rms, box, cloudbees, concur, dropbox, mscrm, echosign, egnyte, newrelic, office365, salesforce, sentry, sharepoint, slack, springcm, zendesk, zoom, expressConfiguration
async_approval_notification_channels list(string): List of notification channels enabled for CIBA (Client-Initiated Backchannel Authentication) requests initiated by this client. Valid values are guardian-push and email. The order is significant as this is the order in which notification channels will be evaluated.
callbacks list(string): URLs that Auth0 may call back to after a user authenticates for the client. Make sure to specify the protocol (https://) otherwise the callback may fail in some cases. With the exception of custom URI schemes for native clients, all callbacks should use protocol https://.
client_metadata map(string): Metadata associated with the client, in the form of an object with string values (max 255 chars). Maximum of 10 metadata properties allowed. Field names (max 255 chars) are alphanumeric and may only include the following special characters: :,-+=_*?"/\()<>@ [Tab] [Space].
client_secret string: Secret for the client. Keep this private. To access this attribute you need to add the read:client_keys scope to the Terraform client. Otherwise, the attribute will contain an empty string.
description string: Description of the purpose of the client.
express_configurations list(object): Express Configuration settings for the client. Used with OIN Express Configuration.
external_client_id string: The URL of the Client ID Metadata Document. Only present for CIMD-registered clients.
external_metadata_created_by string: Who created the external metadata client: admin (via Management API), client (self-registered), or unknown.
external_metadata_type string: Type of external metadata. Value is cimd for CIMD-registered clients.
grant_types list(string): Types of grants that this client is authorized to use.
is_first_party bool: Indicates whether this client is a first-party client.
is_token_endpoint_ip_header_trusted bool: Indicates whether the token endpoint IP header is trusted. Requires the authentication method to be set to clientSecretPost or clientSecretBasic. Setting this property when creating the resource, will default the authentication method to clientSecretPost. To change the authentication method to clientSecretBasic use the auth0.ClientCredentials resource.
jwks_uri string: URL for the JSON Web Key Set (JWKS) containing the public keys used for privateKeyJwt authentication. Only present for CIMD clients using privateKeyJwt authentication.
my_organization_configurations list(object): Configuration for self-service organization features, controlling how organizations are created and managed for this client.
oidc_logouts list(object): Configure OIDC logout for the Client
organization_discovery_methods list(string): Methods for discovering organizations during the pre_login_prompt. Can include email (allows users to find their organization by entering their email address) and/or organizationName (requires users to enter the organization name directly). These methods can be combined. Setting this property requires that organizationRequireBehavior is set to preLoginPrompt.
resource_server_identifier string: The identifier of a resource server that client is associated withThis property can be sent only when app_type=resource_server.This property can not be changed, once the client is created.
session_transfers list(object)
skip_non_verifiable_callback_uri_confirmation_prompt string: Indicates whether the confirmation prompt appears when using non-verifiable callback URIs. Set to true to skip the prompt, false to show it, or null to unset. Accepts (true/false/null) or ("true"/"false"/"null")
token_exchanges list(object): Allows configuration for token exchange
token_quotas list(object): The token quota configuration.
web_origins list(string): URLs that represent valid web origins for use with web message response mode.
client_id string: The ID of the client. If not provided, name must be set.
name string: The name of the client. If not provided, clientId must be set.

allowedClients List<String>: List of applications ID's that will be allowed to make delegation request. By default, all applications will be allowed.
allowedLogoutUrls List<String>: URLs that Auth0 may redirect to after logout.
allowedOrigins List<String>: URLs that represent valid origins for cross-origin resource sharing. By default, all your callback URLs will be allowed.
appType String: Type of application the client represents. Possible values are: native, spa, regularWeb, nonInteractive, resourceServer,ssoIntegration. Specific SSO integrations types accepted as well are: rms, box, cloudbees, concur, dropbox, mscrm, echosign, egnyte, newrelic, office365, salesforce, sentry, sharepoint, slack, springcm, zendesk, zoom, expressConfiguration
asyncApprovalNotificationChannels List<String>: List of notification channels enabled for CIBA (Client-Initiated Backchannel Authentication) requests initiated by this client. Valid values are guardian-push and email. The order is significant as this is the order in which notification channels will be evaluated.
callbacks List<String>: URLs that Auth0 may call back to after a user authenticates for the client. Make sure to specify the protocol (https://) otherwise the callback may fail in some cases. With the exception of custom URI schemes for native clients, all callbacks should use protocol https://.
clientMetadata Map<String,String>: Metadata associated with the client, in the form of an object with string values (max 255 chars). Maximum of 10 metadata properties allowed. Field names (max 255 chars) are alphanumeric and may only include the following special characters: :,-+=_*?"/\()<>@ [Tab] [Space].
clientSecret String: Secret for the client. Keep this private. To access this attribute you need to add the read:client_keys scope to the Terraform client. Otherwise, the attribute will contain an empty string.
description String: Description of the purpose of the client.
expressConfigurations List<GetClientsClientExpressConfiguration>: Express Configuration settings for the client. Used with OIN Express Configuration.
externalClientId String: The URL of the Client ID Metadata Document. Only present for CIMD-registered clients.
externalMetadataCreatedBy String: Who created the external metadata client: admin (via Management API), client (self-registered), or unknown.
externalMetadataType String: Type of external metadata. Value is cimd for CIMD-registered clients.
grantTypes List<String>: Types of grants that this client is authorized to use.
isFirstParty Boolean: Indicates whether this client is a first-party client.
isTokenEndpointIpHeaderTrusted Boolean: Indicates whether the token endpoint IP header is trusted. Requires the authentication method to be set to clientSecretPost or clientSecretBasic. Setting this property when creating the resource, will default the authentication method to clientSecretPost. To change the authentication method to clientSecretBasic use the auth0.ClientCredentials resource.
jwksUri String: URL for the JSON Web Key Set (JWKS) containing the public keys used for privateKeyJwt authentication. Only present for CIMD clients using privateKeyJwt authentication.
myOrganizationConfigurations List<GetClientsClientMyOrganizationConfiguration>: Configuration for self-service organization features, controlling how organizations are created and managed for this client.
oidcLogouts List<GetClientsClientOidcLogout>: Configure OIDC logout for the Client
organizationDiscoveryMethods List<String>: Methods for discovering organizations during the pre_login_prompt. Can include email (allows users to find their organization by entering their email address) and/or organizationName (requires users to enter the organization name directly). These methods can be combined. Setting this property requires that organizationRequireBehavior is set to preLoginPrompt.
resourceServerIdentifier String: The identifier of a resource server that client is associated withThis property can be sent only when app_type=resource_server.This property can not be changed, once the client is created.
sessionTransfers List<GetClientsClientSessionTransfer>
skipNonVerifiableCallbackUriConfirmationPrompt String: Indicates whether the confirmation prompt appears when using non-verifiable callback URIs. Set to true to skip the prompt, false to show it, or null to unset. Accepts (true/false/null) or ("true"/"false"/"null")
tokenExchanges List<GetClientsClientTokenExchange>: Allows configuration for token exchange
tokenQuotas List<GetClientsClientTokenQuota>: The token quota configuration.
webOrigins List<String>: URLs that represent valid web origins for use with web message response mode.
clientId String: The ID of the client. If not provided, name must be set.
name String: The name of the client. If not provided, clientId must be set.

allowedClients string[]: List of applications ID's that will be allowed to make delegation request. By default, all applications will be allowed.
allowedLogoutUrls string[]: URLs that Auth0 may redirect to after logout.
allowedOrigins string[]: URLs that represent valid origins for cross-origin resource sharing. By default, all your callback URLs will be allowed.
appType string: Type of application the client represents. Possible values are: native, spa, regularWeb, nonInteractive, resourceServer,ssoIntegration. Specific SSO integrations types accepted as well are: rms, box, cloudbees, concur, dropbox, mscrm, echosign, egnyte, newrelic, office365, salesforce, sentry, sharepoint, slack, springcm, zendesk, zoom, expressConfiguration
asyncApprovalNotificationChannels string[]: List of notification channels enabled for CIBA (Client-Initiated Backchannel Authentication) requests initiated by this client. Valid values are guardian-push and email. The order is significant as this is the order in which notification channels will be evaluated.
callbacks string[]: URLs that Auth0 may call back to after a user authenticates for the client. Make sure to specify the protocol (https://) otherwise the callback may fail in some cases. With the exception of custom URI schemes for native clients, all callbacks should use protocol https://.
clientMetadata {[key: string]: string}: Metadata associated with the client, in the form of an object with string values (max 255 chars). Maximum of 10 metadata properties allowed. Field names (max 255 chars) are alphanumeric and may only include the following special characters: :,-+=_*?"/\()<>@ [Tab] [Space].
clientSecret string: Secret for the client. Keep this private. To access this attribute you need to add the read:client_keys scope to the Terraform client. Otherwise, the attribute will contain an empty string.
description string: Description of the purpose of the client.
expressConfigurations GetClientsClientExpressConfiguration[]: Express Configuration settings for the client. Used with OIN Express Configuration.
externalClientId string: The URL of the Client ID Metadata Document. Only present for CIMD-registered clients.
externalMetadataCreatedBy string: Who created the external metadata client: admin (via Management API), client (self-registered), or unknown.
externalMetadataType string: Type of external metadata. Value is cimd for CIMD-registered clients.
grantTypes string[]: Types of grants that this client is authorized to use.
isFirstParty boolean: Indicates whether this client is a first-party client.
isTokenEndpointIpHeaderTrusted boolean: Indicates whether the token endpoint IP header is trusted. Requires the authentication method to be set to clientSecretPost or clientSecretBasic. Setting this property when creating the resource, will default the authentication method to clientSecretPost. To change the authentication method to clientSecretBasic use the auth0.ClientCredentials resource.
jwksUri string: URL for the JSON Web Key Set (JWKS) containing the public keys used for privateKeyJwt authentication. Only present for CIMD clients using privateKeyJwt authentication.
myOrganizationConfigurations GetClientsClientMyOrganizationConfiguration[]: Configuration for self-service organization features, controlling how organizations are created and managed for this client.
oidcLogouts GetClientsClientOidcLogout[]: Configure OIDC logout for the Client
organizationDiscoveryMethods string[]: Methods for discovering organizations during the pre_login_prompt. Can include email (allows users to find their organization by entering their email address) and/or organizationName (requires users to enter the organization name directly). These methods can be combined. Setting this property requires that organizationRequireBehavior is set to preLoginPrompt.
resourceServerIdentifier string: The identifier of a resource server that client is associated withThis property can be sent only when app_type=resource_server.This property can not be changed, once the client is created.
sessionTransfers GetClientsClientSessionTransfer[]
skipNonVerifiableCallbackUriConfirmationPrompt string: Indicates whether the confirmation prompt appears when using non-verifiable callback URIs. Set to true to skip the prompt, false to show it, or null to unset. Accepts (true/false/null) or ("true"/"false"/"null")
tokenExchanges GetClientsClientTokenExchange[]: Allows configuration for token exchange
tokenQuotas GetClientsClientTokenQuota[]: The token quota configuration.
webOrigins string[]: URLs that represent valid web origins for use with web message response mode.
clientId string: The ID of the client. If not provided, name must be set.
name string: The name of the client. If not provided, clientId must be set.

allowed_clients Sequence[str]: List of applications ID's that will be allowed to make delegation request. By default, all applications will be allowed.
allowed_logout_urls Sequence[str]: URLs that Auth0 may redirect to after logout.
allowed_origins Sequence[str]: URLs that represent valid origins for cross-origin resource sharing. By default, all your callback URLs will be allowed.
app_type str: Type of application the client represents. Possible values are: native, spa, regularWeb, nonInteractive, resourceServer,ssoIntegration. Specific SSO integrations types accepted as well are: rms, box, cloudbees, concur, dropbox, mscrm, echosign, egnyte, newrelic, office365, salesforce, sentry, sharepoint, slack, springcm, zendesk, zoom, expressConfiguration
async_approval_notification_channels Sequence[str]: List of notification channels enabled for CIBA (Client-Initiated Backchannel Authentication) requests initiated by this client. Valid values are guardian-push and email. The order is significant as this is the order in which notification channels will be evaluated.
callbacks Sequence[str]: URLs that Auth0 may call back to after a user authenticates for the client. Make sure to specify the protocol (https://) otherwise the callback may fail in some cases. With the exception of custom URI schemes for native clients, all callbacks should use protocol https://.
client_metadata Mapping[str, str]: Metadata associated with the client, in the form of an object with string values (max 255 chars). Maximum of 10 metadata properties allowed. Field names (max 255 chars) are alphanumeric and may only include the following special characters: :,-+=_*?"/\()<>@ [Tab] [Space].
client_secret str: Secret for the client. Keep this private. To access this attribute you need to add the read:client_keys scope to the Terraform client. Otherwise, the attribute will contain an empty string.
description str: Description of the purpose of the client.
express_configurations Sequence[GetClientsClientExpressConfiguration]: Express Configuration settings for the client. Used with OIN Express Configuration.
external_client_id str: The URL of the Client ID Metadata Document. Only present for CIMD-registered clients.
external_metadata_created_by str: Who created the external metadata client: admin (via Management API), client (self-registered), or unknown.
external_metadata_type str: Type of external metadata. Value is cimd for CIMD-registered clients.
grant_types Sequence[str]: Types of grants that this client is authorized to use.
is_first_party bool: Indicates whether this client is a first-party client.
is_token_endpoint_ip_header_trusted bool: Indicates whether the token endpoint IP header is trusted. Requires the authentication method to be set to clientSecretPost or clientSecretBasic. Setting this property when creating the resource, will default the authentication method to clientSecretPost. To change the authentication method to clientSecretBasic use the auth0.ClientCredentials resource.
jwks_uri str: URL for the JSON Web Key Set (JWKS) containing the public keys used for privateKeyJwt authentication. Only present for CIMD clients using privateKeyJwt authentication.
my_organization_configurations Sequence[GetClientsClientMyOrganizationConfiguration]: Configuration for self-service organization features, controlling how organizations are created and managed for this client.
oidc_logouts Sequence[GetClientsClientOidcLogout]: Configure OIDC logout for the Client
organization_discovery_methods Sequence[str]: Methods for discovering organizations during the pre_login_prompt. Can include email (allows users to find their organization by entering their email address) and/or organizationName (requires users to enter the organization name directly). These methods can be combined. Setting this property requires that organizationRequireBehavior is set to preLoginPrompt.
resource_server_identifier str: The identifier of a resource server that client is associated withThis property can be sent only when app_type=resource_server.This property can not be changed, once the client is created.
session_transfers Sequence[GetClientsClientSessionTransfer]
skip_non_verifiable_callback_uri_confirmation_prompt str: Indicates whether the confirmation prompt appears when using non-verifiable callback URIs. Set to true to skip the prompt, false to show it, or null to unset. Accepts (true/false/null) or ("true"/"false"/"null")
token_exchanges Sequence[GetClientsClientTokenExchange]: Allows configuration for token exchange
token_quotas Sequence[GetClientsClientTokenQuota]: The token quota configuration.
web_origins Sequence[str]: URLs that represent valid web origins for use with web message response mode.
client_id str: The ID of the client. If not provided, name must be set.
name str: The name of the client. If not provided, clientId must be set.

allowedClients List<String>: List of applications ID's that will be allowed to make delegation request. By default, all applications will be allowed.
allowedLogoutUrls List<String>: URLs that Auth0 may redirect to after logout.
allowedOrigins List<String>: URLs that represent valid origins for cross-origin resource sharing. By default, all your callback URLs will be allowed.
appType String: Type of application the client represents. Possible values are: native, spa, regularWeb, nonInteractive, resourceServer,ssoIntegration. Specific SSO integrations types accepted as well are: rms, box, cloudbees, concur, dropbox, mscrm, echosign, egnyte, newrelic, office365, salesforce, sentry, sharepoint, slack, springcm, zendesk, zoom, expressConfiguration
asyncApprovalNotificationChannels List<String>: List of notification channels enabled for CIBA (Client-Initiated Backchannel Authentication) requests initiated by this client. Valid values are guardian-push and email. The order is significant as this is the order in which notification channels will be evaluated.
callbacks List<String>: URLs that Auth0 may call back to after a user authenticates for the client. Make sure to specify the protocol (https://) otherwise the callback may fail in some cases. With the exception of custom URI schemes for native clients, all callbacks should use protocol https://.
clientMetadata Map<String>: Metadata associated with the client, in the form of an object with string values (max 255 chars). Maximum of 10 metadata properties allowed. Field names (max 255 chars) are alphanumeric and may only include the following special characters: :,-+=_*?"/\()<>@ [Tab] [Space].
clientSecret String: Secret for the client. Keep this private. To access this attribute you need to add the read:client_keys scope to the Terraform client. Otherwise, the attribute will contain an empty string.
description String: Description of the purpose of the client.
expressConfigurations List<Property Map>: Express Configuration settings for the client. Used with OIN Express Configuration.
externalClientId String: The URL of the Client ID Metadata Document. Only present for CIMD-registered clients.
externalMetadataCreatedBy String: Who created the external metadata client: admin (via Management API), client (self-registered), or unknown.
externalMetadataType String: Type of external metadata. Value is cimd for CIMD-registered clients.
grantTypes List<String>: Types of grants that this client is authorized to use.
isFirstParty Boolean: Indicates whether this client is a first-party client.
isTokenEndpointIpHeaderTrusted Boolean: Indicates whether the token endpoint IP header is trusted. Requires the authentication method to be set to clientSecretPost or clientSecretBasic. Setting this property when creating the resource, will default the authentication method to clientSecretPost. To change the authentication method to clientSecretBasic use the auth0.ClientCredentials resource.
jwksUri String: URL for the JSON Web Key Set (JWKS) containing the public keys used for privateKeyJwt authentication. Only present for CIMD clients using privateKeyJwt authentication.
myOrganizationConfigurations List<Property Map>: Configuration for self-service organization features, controlling how organizations are created and managed for this client.
oidcLogouts List<Property Map>: Configure OIDC logout for the Client
organizationDiscoveryMethods List<String>: Methods for discovering organizations during the pre_login_prompt. Can include email (allows users to find their organization by entering their email address) and/or organizationName (requires users to enter the organization name directly). These methods can be combined. Setting this property requires that organizationRequireBehavior is set to preLoginPrompt.
resourceServerIdentifier String: The identifier of a resource server that client is associated withThis property can be sent only when app_type=resource_server.This property can not be changed, once the client is created.
sessionTransfers List<Property Map>
skipNonVerifiableCallbackUriConfirmationPrompt String: Indicates whether the confirmation prompt appears when using non-verifiable callback URIs. Set to true to skip the prompt, false to show it, or null to unset. Accepts (true/false/null) or ("true"/"false"/"null")
tokenExchanges List<Property Map>: Allows configuration for token exchange
tokenQuotas List<Property Map>: The token quota configuration.
webOrigins List<String>: URLs that represent valid web origins for use with web message response mode.
clientId String: The ID of the client. If not provided, name must be set.
name String: The name of the client. If not provided, clientId must be set.

GetClientsClientExpressConfiguration

AdminLoginDomain string: The domain that admins are expected to log in via for authenticating for express configuration.
ConnectionProfileId string: The ID of the connection profile to use for this application.
EnableClient bool: When true, all connections made via express configuration will be enabled for this application.
EnableOrganization bool: When true, all connections made via express configuration will have the associated organization enabled.
InitiateLoginUriTemplate string: The URI users should bookmark to log in to this application. Variable substitution is permitted for: organization_name, organization_id, and connection_name.
LinkedClients List<GetClientsClientExpressConfigurationLinkedClient>: List of client IDs that are linked to this express configuration (e.g. web or mobile clients).
OinSubmissionId string: The identifier of the published application in the OKTA OIN.
OktaOinClientId string: The unique identifier for the Okta OIN Express Configuration Client.
UserAttributeProfileId string: The ID of the user attribute profile to use for this application.

AdminLoginDomain string: The domain that admins are expected to log in via for authenticating for express configuration.
ConnectionProfileId string: The ID of the connection profile to use for this application.
EnableClient bool: When true, all connections made via express configuration will be enabled for this application.
EnableOrganization bool: When true, all connections made via express configuration will have the associated organization enabled.
InitiateLoginUriTemplate string: The URI users should bookmark to log in to this application. Variable substitution is permitted for: organization_name, organization_id, and connection_name.
LinkedClients []GetClientsClientExpressConfigurationLinkedClient: List of client IDs that are linked to this express configuration (e.g. web or mobile clients).
OinSubmissionId string: The identifier of the published application in the OKTA OIN.
OktaOinClientId string: The unique identifier for the Okta OIN Express Configuration Client.
UserAttributeProfileId string: The ID of the user attribute profile to use for this application.

admin_login_domain string: The domain that admins are expected to log in via for authenticating for express configuration.
connection_profile_id string: The ID of the connection profile to use for this application.
enable_client bool: When true, all connections made via express configuration will be enabled for this application.
enable_organization bool: When true, all connections made via express configuration will have the associated organization enabled.
initiate_login_uri_template string: The URI users should bookmark to log in to this application. Variable substitution is permitted for: organization_name, organization_id, and connection_name.
linked_clients list(object): List of client IDs that are linked to this express configuration (e.g. web or mobile clients).
oin_submission_id string: The identifier of the published application in the OKTA OIN.
okta_oin_client_id string: The unique identifier for the Okta OIN Express Configuration Client.
user_attribute_profile_id string: The ID of the user attribute profile to use for this application.

adminLoginDomain String: The domain that admins are expected to log in via for authenticating for express configuration.
connectionProfileId String: The ID of the connection profile to use for this application.
enableClient Boolean: When true, all connections made via express configuration will be enabled for this application.
enableOrganization Boolean: When true, all connections made via express configuration will have the associated organization enabled.
initiateLoginUriTemplate String: The URI users should bookmark to log in to this application. Variable substitution is permitted for: organization_name, organization_id, and connection_name.
linkedClients List<GetClientsClientExpressConfigurationLinkedClient>: List of client IDs that are linked to this express configuration (e.g. web or mobile clients).
oinSubmissionId String: The identifier of the published application in the OKTA OIN.
oktaOinClientId String: The unique identifier for the Okta OIN Express Configuration Client.
userAttributeProfileId String: The ID of the user attribute profile to use for this application.

adminLoginDomain string: The domain that admins are expected to log in via for authenticating for express configuration.
connectionProfileId string: The ID of the connection profile to use for this application.
enableClient boolean: When true, all connections made via express configuration will be enabled for this application.
enableOrganization boolean: When true, all connections made via express configuration will have the associated organization enabled.
initiateLoginUriTemplate string: The URI users should bookmark to log in to this application. Variable substitution is permitted for: organization_name, organization_id, and connection_name.
linkedClients GetClientsClientExpressConfigurationLinkedClient[]: List of client IDs that are linked to this express configuration (e.g. web or mobile clients).
oinSubmissionId string: The identifier of the published application in the OKTA OIN.
oktaOinClientId string: The unique identifier for the Okta OIN Express Configuration Client.
userAttributeProfileId string: The ID of the user attribute profile to use for this application.

admin_login_domain str: The domain that admins are expected to log in via for authenticating for express configuration.
connection_profile_id str: The ID of the connection profile to use for this application.
enable_client bool: When true, all connections made via express configuration will be enabled for this application.
enable_organization bool: When true, all connections made via express configuration will have the associated organization enabled.
initiate_login_uri_template str: The URI users should bookmark to log in to this application. Variable substitution is permitted for: organization_name, organization_id, and connection_name.
linked_clients Sequence[GetClientsClientExpressConfigurationLinkedClient]: List of client IDs that are linked to this express configuration (e.g. web or mobile clients).
oin_submission_id str: The identifier of the published application in the OKTA OIN.
okta_oin_client_id str: The unique identifier for the Okta OIN Express Configuration Client.
user_attribute_profile_id str: The ID of the user attribute profile to use for this application.

adminLoginDomain String: The domain that admins are expected to log in via for authenticating for express configuration.
connectionProfileId String: The ID of the connection profile to use for this application.
enableClient Boolean: When true, all connections made via express configuration will be enabled for this application.
enableOrganization Boolean: When true, all connections made via express configuration will have the associated organization enabled.
initiateLoginUriTemplate String: The URI users should bookmark to log in to this application. Variable substitution is permitted for: organization_name, organization_id, and connection_name.
linkedClients List<Property Map>: List of client IDs that are linked to this express configuration (e.g. web or mobile clients).
oinSubmissionId String: The identifier of the published application in the OKTA OIN.
oktaOinClientId String: The unique identifier for the Okta OIN Express Configuration Client.
userAttributeProfileId String: The ID of the user attribute profile to use for this application.

GetClientsClientExpressConfigurationLinkedClient

ClientId string: The ID of the linked client.

ClientId string: The ID of the linked client.

client_id string: The ID of the linked client.

clientId String: The ID of the linked client.

clientId string: The ID of the linked client.

client_id str: The ID of the linked client.

clientId String: The ID of the linked client.

GetClientsClientMyOrganizationConfiguration

AllowedStrategies List<string>: The list of connection strategies that are allowed when creating organizations for this client (e.g. "okta", "samlp").
ConnectionDeletionBehavior string: Controls the behavior when deleting connections associated with organizations for this client. Possible values: allow, allowIfEmpty.
ConnectionProfileId string: The ID of the connection profile to use when creating organizations for this client.
UserAttributeProfileId string: The ID of the user attribute profile to use when creating organizations for this client.

AllowedStrategies []string: The list of connection strategies that are allowed when creating organizations for this client (e.g. "okta", "samlp").
ConnectionDeletionBehavior string: Controls the behavior when deleting connections associated with organizations for this client. Possible values: allow, allowIfEmpty.
ConnectionProfileId string: The ID of the connection profile to use when creating organizations for this client.
UserAttributeProfileId string: The ID of the user attribute profile to use when creating organizations for this client.

allowed_strategies list(string): The list of connection strategies that are allowed when creating organizations for this client (e.g. "okta", "samlp").
connection_deletion_behavior string: Controls the behavior when deleting connections associated with organizations for this client. Possible values: allow, allowIfEmpty.
connection_profile_id string: The ID of the connection profile to use when creating organizations for this client.
user_attribute_profile_id string: The ID of the user attribute profile to use when creating organizations for this client.

allowedStrategies List<String>: The list of connection strategies that are allowed when creating organizations for this client (e.g. "okta", "samlp").
connectionDeletionBehavior String: Controls the behavior when deleting connections associated with organizations for this client. Possible values: allow, allowIfEmpty.
connectionProfileId String: The ID of the connection profile to use when creating organizations for this client.
userAttributeProfileId String: The ID of the user attribute profile to use when creating organizations for this client.

allowedStrategies string[]: The list of connection strategies that are allowed when creating organizations for this client (e.g. "okta", "samlp").
connectionDeletionBehavior string: Controls the behavior when deleting connections associated with organizations for this client. Possible values: allow, allowIfEmpty.
connectionProfileId string: The ID of the connection profile to use when creating organizations for this client.
userAttributeProfileId string: The ID of the user attribute profile to use when creating organizations for this client.

allowed_strategies Sequence[str]: The list of connection strategies that are allowed when creating organizations for this client (e.g. "okta", "samlp").
connection_deletion_behavior str: Controls the behavior when deleting connections associated with organizations for this client. Possible values: allow, allowIfEmpty.
connection_profile_id str: The ID of the connection profile to use when creating organizations for this client.
user_attribute_profile_id str: The ID of the user attribute profile to use when creating organizations for this client.

allowedStrategies List<String>: The list of connection strategies that are allowed when creating organizations for this client (e.g. "okta", "samlp").
connectionDeletionBehavior String: Controls the behavior when deleting connections associated with organizations for this client. Possible values: allow, allowIfEmpty.
connectionProfileId String: The ID of the connection profile to use when creating organizations for this client.
userAttributeProfileId String: The ID of the user attribute profile to use when creating organizations for this client.

GetClientsClientOidcLogout

BackchannelLogoutInitiators List<GetClientsClientOidcLogoutBackchannelLogoutInitiator>: Configure OIDC logout initiators for the Client
BackchannelLogoutSessionMetadatas List<GetClientsClientOidcLogoutBackchannelLogoutSessionMetadata>: Controls whether session metadata is included in the logout token. Default value is null.
BackchannelLogoutUrls List<string>: Set of URLs that are valid to call back from Auth0 for OIDC backchannel logout. Currently only one URL is allowed.

BackchannelLogoutInitiators []GetClientsClientOidcLogoutBackchannelLogoutInitiator: Configure OIDC logout initiators for the Client
BackchannelLogoutSessionMetadatas []GetClientsClientOidcLogoutBackchannelLogoutSessionMetadata: Controls whether session metadata is included in the logout token. Default value is null.
BackchannelLogoutUrls []string: Set of URLs that are valid to call back from Auth0 for OIDC backchannel logout. Currently only one URL is allowed.

backchannel_logout_initiators list(object): Configure OIDC logout initiators for the Client
backchannel_logout_session_metadatas list(object): Controls whether session metadata is included in the logout token. Default value is null.
backchannel_logout_urls list(string): Set of URLs that are valid to call back from Auth0 for OIDC backchannel logout. Currently only one URL is allowed.

backchannelLogoutInitiators List<GetClientsClientOidcLogoutBackchannelLogoutInitiator>: Configure OIDC logout initiators for the Client
backchannelLogoutSessionMetadatas List<GetClientsClientOidcLogoutBackchannelLogoutSessionMetadata>: Controls whether session metadata is included in the logout token. Default value is null.
backchannelLogoutUrls List<String>: Set of URLs that are valid to call back from Auth0 for OIDC backchannel logout. Currently only one URL is allowed.

backchannelLogoutInitiators GetClientsClientOidcLogoutBackchannelLogoutInitiator[]: Configure OIDC logout initiators for the Client
backchannelLogoutSessionMetadatas GetClientsClientOidcLogoutBackchannelLogoutSessionMetadata[]: Controls whether session metadata is included in the logout token. Default value is null.
backchannelLogoutUrls string[]: Set of URLs that are valid to call back from Auth0 for OIDC backchannel logout. Currently only one URL is allowed.

backchannel_logout_initiators Sequence[GetClientsClientOidcLogoutBackchannelLogoutInitiator]: Configure OIDC logout initiators for the Client
backchannel_logout_session_metadatas Sequence[GetClientsClientOidcLogoutBackchannelLogoutSessionMetadata]: Controls whether session metadata is included in the logout token. Default value is null.
backchannel_logout_urls Sequence[str]: Set of URLs that are valid to call back from Auth0 for OIDC backchannel logout. Currently only one URL is allowed.

backchannelLogoutInitiators List<Property Map>: Configure OIDC logout initiators for the Client
backchannelLogoutSessionMetadatas List<Property Map>: Controls whether session metadata is included in the logout token. Default value is null.
backchannelLogoutUrls List<String>: Set of URLs that are valid to call back from Auth0 for OIDC backchannel logout. Currently only one URL is allowed.

GetClientsClientOidcLogoutBackchannelLogoutInitiator

Mode string: Determines the configuration method for enabling initiators. custom enables only the initiators listed in the backchannelLogoutSelectedInitiators set, all enables all current and future initiators.
SelectedInitiators List<string>: Contains the list of initiators to be enabled for the given client.

Mode string: Determines the configuration method for enabling initiators. custom enables only the initiators listed in the backchannelLogoutSelectedInitiators set, all enables all current and future initiators.
SelectedInitiators []string: Contains the list of initiators to be enabled for the given client.

mode string: Determines the configuration method for enabling initiators. custom enables only the initiators listed in the backchannelLogoutSelectedInitiators set, all enables all current and future initiators.
selected_initiators list(string): Contains the list of initiators to be enabled for the given client.

mode String: Determines the configuration method for enabling initiators. custom enables only the initiators listed in the backchannelLogoutSelectedInitiators set, all enables all current and future initiators.
selectedInitiators List<String>: Contains the list of initiators to be enabled for the given client.

mode string: Determines the configuration method for enabling initiators. custom enables only the initiators listed in the backchannelLogoutSelectedInitiators set, all enables all current and future initiators.
selectedInitiators string[]: Contains the list of initiators to be enabled for the given client.

mode str: Determines the configuration method for enabling initiators. custom enables only the initiators listed in the backchannelLogoutSelectedInitiators set, all enables all current and future initiators.
selected_initiators Sequence[str]: Contains the list of initiators to be enabled for the given client.

mode String: Determines the configuration method for enabling initiators. custom enables only the initiators listed in the backchannelLogoutSelectedInitiators set, all enables all current and future initiators.
selectedInitiators List<String>: Contains the list of initiators to be enabled for the given client.

GetClientsClientOidcLogoutBackchannelLogoutSessionMetadata

Include bool: The include property determines whether session metadata is included in the logout token.

Include bool: The include property determines whether session metadata is included in the logout token.

include bool: The include property determines whether session metadata is included in the logout token.

include Boolean: The include property determines whether session metadata is included in the logout token.

include boolean: The include property determines whether session metadata is included in the logout token.

include bool: The include property determines whether session metadata is included in the logout token.

include Boolean: The include property determines whether session metadata is included in the logout token.

GetClientsClientSessionTransfer

AllowRefreshToken bool: Indicates whether the application is allowed to use a refresh token when using a sessionTransferToken session.
AllowedAuthenticationMethods List<string>
CanCreateSessionTransferToken bool: Indicates whether the application(Native app) can use the Token Exchange endpoint to create a session_transfer_token
EnforceCascadeRevocation bool: Indicates whether revoking the parent Refresh Token that initiated a Native to Web flow and was used to issue a Session Transfer Token should trigger a cascade revocation affecting its dependent child entities. Usually configured in the native application.
EnforceDeviceBinding string: Configures the level of device binding enforced when a sessionTransferToken is consumed. Can be one of ip, asn or none.
EnforceOnlineRefreshTokens bool: Indicates whether Refresh Tokens created during a native-to-web session are tied to that session's lifetime. This determines if such refresh tokens should be automatically revoked when their corresponding sessions are. Usually configured in the web application.

AllowRefreshToken bool: Indicates whether the application is allowed to use a refresh token when using a sessionTransferToken session.
AllowedAuthenticationMethods []string
CanCreateSessionTransferToken bool: Indicates whether the application(Native app) can use the Token Exchange endpoint to create a session_transfer_token
EnforceCascadeRevocation bool: Indicates whether revoking the parent Refresh Token that initiated a Native to Web flow and was used to issue a Session Transfer Token should trigger a cascade revocation affecting its dependent child entities. Usually configured in the native application.
EnforceDeviceBinding string: Configures the level of device binding enforced when a sessionTransferToken is consumed. Can be one of ip, asn or none.
EnforceOnlineRefreshTokens bool: Indicates whether Refresh Tokens created during a native-to-web session are tied to that session's lifetime. This determines if such refresh tokens should be automatically revoked when their corresponding sessions are. Usually configured in the web application.

allow_refresh_token bool: Indicates whether the application is allowed to use a refresh token when using a sessionTransferToken session.
allowed_authentication_methods list(string)
can_create_session_transfer_token bool: Indicates whether the application(Native app) can use the Token Exchange endpoint to create a session_transfer_token
enforce_cascade_revocation bool: Indicates whether revoking the parent Refresh Token that initiated a Native to Web flow and was used to issue a Session Transfer Token should trigger a cascade revocation affecting its dependent child entities. Usually configured in the native application.
enforce_device_binding string: Configures the level of device binding enforced when a sessionTransferToken is consumed. Can be one of ip, asn or none.
enforce_online_refresh_tokens bool: Indicates whether Refresh Tokens created during a native-to-web session are tied to that session's lifetime. This determines if such refresh tokens should be automatically revoked when their corresponding sessions are. Usually configured in the web application.

allowRefreshToken Boolean: Indicates whether the application is allowed to use a refresh token when using a sessionTransferToken session.
allowedAuthenticationMethods List<String>
canCreateSessionTransferToken Boolean: Indicates whether the application(Native app) can use the Token Exchange endpoint to create a session_transfer_token
enforceCascadeRevocation Boolean: Indicates whether revoking the parent Refresh Token that initiated a Native to Web flow and was used to issue a Session Transfer Token should trigger a cascade revocation affecting its dependent child entities. Usually configured in the native application.
enforceDeviceBinding String: Configures the level of device binding enforced when a sessionTransferToken is consumed. Can be one of ip, asn or none.
enforceOnlineRefreshTokens Boolean: Indicates whether Refresh Tokens created during a native-to-web session are tied to that session's lifetime. This determines if such refresh tokens should be automatically revoked when their corresponding sessions are. Usually configured in the web application.

allowRefreshToken boolean: Indicates whether the application is allowed to use a refresh token when using a sessionTransferToken session.
allowedAuthenticationMethods string[]
canCreateSessionTransferToken boolean: Indicates whether the application(Native app) can use the Token Exchange endpoint to create a session_transfer_token
enforceCascadeRevocation boolean: Indicates whether revoking the parent Refresh Token that initiated a Native to Web flow and was used to issue a Session Transfer Token should trigger a cascade revocation affecting its dependent child entities. Usually configured in the native application.
enforceDeviceBinding string: Configures the level of device binding enforced when a sessionTransferToken is consumed. Can be one of ip, asn or none.
enforceOnlineRefreshTokens boolean: Indicates whether Refresh Tokens created during a native-to-web session are tied to that session's lifetime. This determines if such refresh tokens should be automatically revoked when their corresponding sessions are. Usually configured in the web application.

allow_refresh_token bool: Indicates whether the application is allowed to use a refresh token when using a sessionTransferToken session.
allowed_authentication_methods Sequence[str]
can_create_session_transfer_token bool: Indicates whether the application(Native app) can use the Token Exchange endpoint to create a session_transfer_token
enforce_cascade_revocation bool: Indicates whether revoking the parent Refresh Token that initiated a Native to Web flow and was used to issue a Session Transfer Token should trigger a cascade revocation affecting its dependent child entities. Usually configured in the native application.
enforce_device_binding str: Configures the level of device binding enforced when a sessionTransferToken is consumed. Can be one of ip, asn or none.
enforce_online_refresh_tokens bool: Indicates whether Refresh Tokens created during a native-to-web session are tied to that session's lifetime. This determines if such refresh tokens should be automatically revoked when their corresponding sessions are. Usually configured in the web application.

allowRefreshToken Boolean: Indicates whether the application is allowed to use a refresh token when using a sessionTransferToken session.
allowedAuthenticationMethods List<String>
canCreateSessionTransferToken Boolean: Indicates whether the application(Native app) can use the Token Exchange endpoint to create a session_transfer_token
enforceCascadeRevocation Boolean: Indicates whether revoking the parent Refresh Token that initiated a Native to Web flow and was used to issue a Session Transfer Token should trigger a cascade revocation affecting its dependent child entities. Usually configured in the native application.
enforceDeviceBinding String: Configures the level of device binding enforced when a sessionTransferToken is consumed. Can be one of ip, asn or none.
enforceOnlineRefreshTokens Boolean: Indicates whether Refresh Tokens created during a native-to-web session are tied to that session's lifetime. This determines if such refresh tokens should be automatically revoked when their corresponding sessions are. Usually configured in the web application.

GetClientsClientTokenExchange

AllowAnyProfileOfTypes List<string>: List of allowed profile types for token exchange. Supported values include: custom_authentication, on_behalf_of_token_exchange.

AllowAnyProfileOfTypes []string: List of allowed profile types for token exchange. Supported values include: custom_authentication, on_behalf_of_token_exchange.

allow_any_profile_of_types list(string): List of allowed profile types for token exchange. Supported values include: custom_authentication, on_behalf_of_token_exchange.

allowAnyProfileOfTypes List<String>: List of allowed profile types for token exchange. Supported values include: custom_authentication, on_behalf_of_token_exchange.

allowAnyProfileOfTypes string[]: List of allowed profile types for token exchange. Supported values include: custom_authentication, on_behalf_of_token_exchange.

allow_any_profile_of_types Sequence[str]: List of allowed profile types for token exchange. Supported values include: custom_authentication, on_behalf_of_token_exchange.

allowAnyProfileOfTypes List<String>: List of allowed profile types for token exchange. Supported values include: custom_authentication, on_behalf_of_token_exchange.

GetClientsClientTokenQuota

ClientCredentials List<GetClientsClientTokenQuotaClientCredential>: The token quota configuration for client credentials.

ClientCredentials []GetClientsClientTokenQuotaClientCredential: The token quota configuration for client credentials.

client_credentials list(object): The token quota configuration for client credentials.

clientCredentials List<GetClientsClientTokenQuotaClientCredential>: The token quota configuration for client credentials.

clientCredentials GetClientsClientTokenQuotaClientCredential[]: The token quota configuration for client credentials.

client_credentials Sequence[GetClientsClientTokenQuotaClientCredential]: The token quota configuration for client credentials.

clientCredentials List<Property Map>: The token quota configuration for client credentials.

GetClientsClientTokenQuotaClientCredential

Enforce bool: If enabled, the quota will be enforced and requests in excess of the quota will fail. If disabled, the quota will not be enforced, but notifications for requests exceeding the quota will be available in logs.
PerDay int: Maximum number of issued tokens per day
PerHour int: Maximum number of issued tokens per hour

Enforce bool: If enabled, the quota will be enforced and requests in excess of the quota will fail. If disabled, the quota will not be enforced, but notifications for requests exceeding the quota will be available in logs.
PerDay int: Maximum number of issued tokens per day
PerHour int: Maximum number of issued tokens per hour

enforce bool: If enabled, the quota will be enforced and requests in excess of the quota will fail. If disabled, the quota will not be enforced, but notifications for requests exceeding the quota will be available in logs.
per_day number: Maximum number of issued tokens per day
per_hour number: Maximum number of issued tokens per hour

enforce Boolean: If enabled, the quota will be enforced and requests in excess of the quota will fail. If disabled, the quota will not be enforced, but notifications for requests exceeding the quota will be available in logs.
perDay Integer: Maximum number of issued tokens per day
perHour Integer: Maximum number of issued tokens per hour

enforce boolean: If enabled, the quota will be enforced and requests in excess of the quota will fail. If disabled, the quota will not be enforced, but notifications for requests exceeding the quota will be available in logs.
perDay number: Maximum number of issued tokens per day
perHour number: Maximum number of issued tokens per hour

enforce bool: If enabled, the quota will be enforced and requests in excess of the quota will fail. If disabled, the quota will not be enforced, but notifications for requests exceeding the quota will be available in logs.
per_day int: Maximum number of issued tokens per day
per_hour int: Maximum number of issued tokens per hour

enforce Boolean: If enabled, the quota will be enforced and requests in excess of the quota will fail. If disabled, the quota will not be enforced, but notifications for requests exceeding the quota will be available in logs.
perDay Number: Maximum number of issued tokens per day
perHour Number: Maximum number of issued tokens per hour

Package Details

Repository: Auth0 pulumi/pulumi-auth0
License: Apache-2.0
Notes: This Pulumi package is based on the auth0 Terraform Provider.

Viewing docs for Auth0 v3.41.0
published on Tuesday, Apr 28, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-auth0

auth0.getClients

On this page

On this page

Example Usage

Using getClients

getClients Result

Supporting Types

GetClientsClient

GetClientsClientExpressConfiguration

GetClientsClientExpressConfigurationLinkedClient

GetClientsClientMyOrganizationConfiguration

GetClientsClientOidcLogout

GetClientsClientOidcLogoutBackchannelLogoutInitiator

GetClientsClientOidcLogoutBackchannelLogoutSessionMetadata

GetClientsClientSessionTransfer

GetClientsClientTokenExchange

GetClientsClientTokenQuota

GetClientsClientTokenQuotaClientCredential

Package Details

On this page

On this page