Authorize — Auth0 Authenticate a user with a social provider, Database/AD/LDAP (Passive), SAML/Windows Azure AD (Passive), Authorization Code Flow, Authorization Code Grant (PKCE) Flow, or Implicit Flow
Passwordless verify — Auth0 Verify with verification code
/passwordless/verify
POST
Oauth token — Auth0 Authenticates a user using a verification code, verifies multi-factor authentication (MFA) using a one-time password (OTP), out-of-band (OOB) challenge, or a recovery code, or exchanges an Authorization Code for a Token
/oauth/token
POST
Dbconnections signup — Auth0 Signup with user's credentials
/dbconnections/signup
POST
Dbconnections change password — Auth0 Send a change password email
/dbconnections/change_password
GET
Userinfo — Auth0 Returns a user's profile
/userinfo
POST
Mfa challenge — Auth0 Request a challenge for multi-factor authentication
/mfa/challenge
POST
Mfa associate — Auth0 Associates or adds a new authenticator for multi-factor authentication (MFA).
/mfa/associate
GET
Mfa authenticators — Auth0 Returns a list of authenticators associated with your application.
/mfa/authenticators
DELETE
Mfa authenticators delete — Auth0 Deletes an associated authenticator using its ID.
/mfa/authenticators/{AUTHENTICATOR_ID}
GET
Samlp login — Auth0 Use this endpoint to accept a SAML request to initiate a login.
/samlp/{client_id}
GET
Samlp metadata — Auth0 This endpoint returns the SAML 2.0 metadata.
/samlp/metadata/{client_id}
POST
Login callback — Auth0 This endpoint accepts an IdP-Initiated Sign On SAMLResponse from a SAML Identity Provider.
/login/callback
GET
Wsfed login — Auth0 This endpoint accepts a WS-Federation request to initiate a login.
/wsfed/{client_id}
GET
Wsfed metadata — Auth0 This endpoint returns the WS-Federation metadata.
Oidc register — With a name and the necessary callback URL, you can dynamically register a client with Auth0. No token is needed for this request.
/oidc/register
POST
Oauth device code — Auth0 Get Device Code
/oauth/device/code
POST
Oauth revoke — Auth0 Revoke Refresh Token
/oauth/revoke
POST
Oauth access token — Auth0 Login using a social provider's access token
/oauth/access_token
POST
Oauth ro — Auth0 Given the user's credentials, this endpoint will authenticate the user with the provider and return a JSON object with the Access Token and an ID Token.
/oauth/ro
POST
Tokeninfo — Auth0 [Deprecated] Return a user profile based on the user's JWT
/tokeninfo
POST
Delegation — Auth0 Obtain a delegation token (from a refresh_token)
/delegation
POST
Unlink — Auth0 Unlink an account
/unlink
POST
Impersonate — Auth0 Obtain an impersonation URL
/users/{user_id}/impersonate
MCP Tools
authorize
Auth0 Authenticate a user with a social provider, Database/AD/LDAP (Passive), SAML/Windows Azure AD (Passive), Authorization Code Flow, Authorization Code Grant (PKCE) Flow, or Implicit Flow
read-onlyidempotent
logout
Auth0 Logout a user
read-onlyidempotent
oidc-logout
Auth0 Logout a user
read-onlyidempotent
saml-logout
Auth0 Logout a user
passwordless-start
Auth0 Start Passwordless flow
passwordless-verify
Auth0 Verify with verification code
oauth-token
Auth0 Authenticates a user using a verification code, verifies multi-factor authentication (MFA) using a one-time password (OTP), out-of-band (OOB) challenge, or a recovery code, or exchanges an Authorization Code for a Token
dbconnections-signup
Auth0 Signup with user's credentials
dbconnections-change-password
Auth0 Send a change password email
userinfo
Auth0 Returns a user's profile
read-onlyidempotent
mfa-challenge
Auth0 Request a challenge for multi-factor authentication
mfa-associate
Auth0 Associates or adds a new authenticator for multi-factor authentication (MFA).
mfa-authenticators
Auth0 Returns a list of authenticators associated with your application.
read-onlyidempotent
mfa-authenticators-delete
Auth0 Deletes an associated authenticator using its ID.
idempotent
samlp-login
Auth0 Use this endpoint to accept a SAML request to initiate a login.
read-onlyidempotent
samlp-metadata
Auth0 This endpoint returns the SAML 2.0 metadata.
read-onlyidempotent
login-callback
Auth0 This endpoint accepts an IdP-Initiated Sign On SAMLResponse from a SAML Identity Provider.
wsfed-login
Auth0 This endpoint accepts a WS-Federation request to initiate a login.
read-onlyidempotent
wsfed-metadata
Auth0 This endpoint returns the WS-Federation metadata.
read-onlyidempotent
oidc-register
With a name and the necessary callback URL, you can dynamically register a client with Auth0. No token is needed for this request.
oauth-device-code
Auth0 Get Device Code
oauth-revoke
Auth0 Revoke Refresh Token
oauth-access-token
Auth0 Login using a social provider's access token
oauth-ro
Auth0 Given the user's credentials, this endpoint will authenticate the user with the provider and return a JSON object with the Access Token and an ID Token.
tokeninfo
Auth0 [Deprecated] Return a user profile based on the user's JWT
delegation
Auth0 Obtain a delegation token (from a refresh_token)
naftiko: 1.0.0-alpha2
info:
label: Auth0 API
description: Auth0 exposes the following APIs for developers to consume in their applications.
tags:
- Auth0
- API
created: '2026-05-06'
modified: '2026-05-06'
capability:
consumes:
- type: http
namespace: auth0
baseUri: https://demo.us.auth0.com
description: Auth0 API HTTP API.
resources:
- name: authorize
path: /authorize
operations:
- name: authorize
method: GET
description: Auth0 Authenticate a user with a social provider, Database/AD/LDAP (Passive), SAML/Windows Azure AD (Passive),
Authorization Code Flow, Authorization Code Grant (PKCE) Flow, or Implicit Flow
inputParameters:
- name: audience
in: query
type: string
description: The unique identifier of the target API you want to access
- name: scope
in: query
type: string
description: The scopes which you want to request authorization for. These must be separated by a space. You can
request any of the standard OpenID Connect (OIDC) scopes abo
- name: response_type
in: query
type: string
required: true
description: 'Indicates to Auth0 which OAuth 2.0 flow you want to perform. Use code for Authorization Code Grant
Flow, token for Implicit Flow, or id_token token for both an '
- name: client_id
in: query
type: string
required: true
description: Your application's ID.
- name: redirect_uri
in: query
type: string
description: The URL to which Auth0 will redirect the browser after authorization has been granted by the user.
- name: state
in: query
type: string
description: An opaque value the applications adds to the initial request that the authorization server includes
when redirecting the back to the application. This value mus
- name: nonce
in: query
type: string
description: A string value which will be included in the ID Token response from Auth0, used to prevent token replay
attacks. It is required for response_type=id_token token
- name: code_challenge_method
in: query
type: string
description: Method used to generate the challenge. The PKCE spec defines two methods, S256 and plain, however,
Auth0 supports only S256 since the latter is discouraged.
- name: code_challenge
in: query
type: string
description: Generated challenge from the code_verifier.
- name: connection
in: query
type: string
description: The name of the connection configured to your application.
- name: prompt
in: query
type: string
description: To initiate a silent authentication request, use prompt=none.
- name: organization
in: query
type: string
description: 'ID of the organization to use when authenticating a user. When not provided, if your application is
configured to Display Organization Prompt, the user will be '
- name: invitation
in: query
type: string
description: Ticket ID of the organization invitation. When inviting a member to an Organization, your application
should handle invitation acceptance by forwarding the invi
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: v2-logout
path: /v2/logout
operations:
- name: logout
method: GET
description: Auth0 Logout a user
inputParameters:
- name: returnTo
in: query
type: string
description: URL to redirect the user after the logout.
- name: client_id
in: query
type: string
description: The client_id of your application.
- name: federated
in: query
type: string
description: Add this query string parameter to the logout URL, to log the user out of their identity provider,
as well.
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: oidc-logout
path: /oidc/logout
operations:
- name: oidc-logout
method: GET
description: Auth0 Logout a user
inputParameters:
- name: id_token_hint
in: query
type: string
description: Previously issued ID Token for the user. This is used to indicate which user to log out.
- name: logout_hint
in: query
type: string
description: Optional sid (session ID) value to indicate which user to log out. Should be provided when id_token_hint
is not available.
- name: post_logout_redirect_uri
in: query
type: string
description: URL to redirect the user after the logout.
- name: client_id
in: query
type: string
description: The client_id of your application.
- name: federated
in: query
type: string
description: Add this query string parameter to log the user out of their identity provider.
- name: state
in: query
type: string
description: An opaque value the applications adds to the initial request that the authorization server includes
when redirecting the back to the post_logout_redirect_uri.
- name: ui_locales
in: query
type: string
description: Space-delimited list of locales used to constrain the language list for the request. The first locale
on the list must match the enabled locale in your tenant.
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: samlp-client-id-logout
path: /samlp/{CLIENT_ID}/logout
operations:
- name: saml-logout
method: POST
description: Auth0 Logout a user
inputParameters:
- name: CLIENT_ID
in: path
type: string
required: true
description: Client ID of your application configured with the SAML2 Web App addon.
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: passwordless-start
path: /passwordless/start
operations:
- name: passwordless-start
method: POST
description: Auth0 Start Passwordless flow
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: passwordless-verify
path: /passwordless/verify
operations:
- name: passwordless-verify
method: POST
description: Auth0 Verify with verification code
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: oauth-token
path: /oauth/token
operations:
- name: oauth-token
method: POST
description: Auth0 Authenticates a user using a verification code, verifies multi-factor authentication (MFA) using
a one-time password (OTP), out-of-band (OOB) challenge, or a recovery code, or exchanges an Authorization Code for
a Token
inputParameters:
- name: auth0-forwarded-for
in: header
type: string
description: End-user IP as a string value. Set this if you want brute-force protection to work in server-side scenarios.
For more information on how and when to use this he
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: dbconnections-signup
path: /dbconnections/signup
operations:
- name: dbconnections-signup
method: POST
description: Auth0 Signup with user's credentials
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: dbconnections-change-password
path: /dbconnections/change_password
operations:
- name: dbconnections-change-password
method: POST
description: Auth0 Send a change password email
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: userinfo
path: /userinfo
operations:
- name: userinfo
method: GET
description: Auth0 Returns a user's profile
inputParameters:
- name: access_token
in: header
type: string
required: true
description: The Auth0 Access Token obtained during login.
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: mfa-challenge
path: /mfa/challenge
operations:
- name: mfa-challenge
method: POST
description: Auth0 Request a challenge for multi-factor authentication
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: mfa-associate
path: /mfa/associate
operations:
- name: mfa-associate
method: POST
description: Auth0 Associates or adds a new authenticator for multi-factor authentication (MFA).
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: mfa-authenticators
path: /mfa/authenticators
operations:
- name: mfa-authenticators
method: GET
description: Auth0 Returns a list of authenticators associated with your application.
inputParameters:
- name: ACCESS_TOKEN
in: header
type: string
required: true
description: The Access Token obtained during login.
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: mfa-authenticators-authenticator-id
path: /mfa/authenticators/{AUTHENTICATOR_ID}
operations:
- name: mfa-authenticators-delete
method: DELETE
description: Auth0 Deletes an associated authenticator using its ID.
inputParameters:
- name: ACCESS_TOKEN
in: header
type: string
required: true
description: The Access Token obtained during login.
- name: AUTHENTICATOR_ID
in: path
type: string
required: true
description: The ID of the authenticator to delete.
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: samlp-client-id
path: /samlp/{client_id}
operations:
- name: samlp-login
method: GET
description: Auth0 Use this endpoint to accept a SAML request to initiate a login.
inputParameters:
- name: client_id
in: path
type: string
required: true
description: Client ID of your application.
- name: connection
in: query
type: string
description: Connection to use during login.
- name: organization
in: query
type: string
description: Organization ID, if authenticating in the context of an organization.
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: samlp-metadata-client-id
path: /samlp/metadata/{client_id}
operations:
- name: samlp-metadata
method: GET
description: Auth0 This endpoint returns the SAML 2.0 metadata.
inputParameters:
- name: client_id
in: path
type: string
required: true
description: The client_id of your application.
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: login-callback
path: /login/callback
operations:
- name: login-callback
method: POST
description: Auth0 This endpoint accepts an IdP-Initiated Sign On SAMLResponse from a SAML Identity Provider.
inputParameters:
- name: connection
in: query
type: string
required: true
description: The name of an identity provider configured to your application.
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: wsfed-client-id
path: /wsfed/{client_id}
operations:
- name: wsfed-login
method: GET
description: Auth0 This endpoint accepts a WS-Federation request to initiate a login.
inputParameters:
- name: client_id
in: path
type: string
required: true
description: The client-id of your application.
- name: wtrealm
in: query
type: string
description: Can be used in place of client-id.
- name: whr
in: query
type: string
description: The name of the connection (used to skip the login page).
- name: wctx
in: query
type: string
description: Your application's state.
- name: wreply
in: query
type: string
description: The callback URL.
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: wsfed-federationmetadata-2007-06-federationmetad
path: /wsfed/FederationMetadata/2007-06/FederationMetadata.xml
operations:
- name: wsfed-metadata
method: GET
description: Auth0 This endpoint returns the WS-Federation metadata.
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: oidc-register
path: /oidc/register
operations:
- name: oidc-register
method: POST
description: With a name and the necessary callback URL, you can dynamically register a client with Auth0. No token
is needed for this request.
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: oauth-device-code
path: /oauth/device/code
operations:
- name: oauth-device-code
method: POST
description: Auth0 Get Device Code
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: oauth-revoke
path: /oauth/revoke
operations:
- name: oauth-revoke
method: POST
description: Auth0 Revoke Refresh Token
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: oauth-access-token
path: /oauth/access_token
operations:
- name: oauth-access-token
method: POST
description: Auth0 Login using a social provider's access token
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: oauth-ro
path: /oauth/ro
operations:
- name: oauth-ro
method: POST
description: Auth0 Given the user's credentials, this endpoint will authenticate the user with the provider and return
a JSON object with the Access Token and an ID Token.
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: tokeninfo
path: /tokeninfo
operations:
- name: tokeninfo
method: POST
description: Auth0 [Deprecated] Return a user profile based on the user's JWT
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: delegation
path: /delegation
operations:
- name: delegation
method: POST
description: Auth0 Obtain a delegation token (from a refresh_token)
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: unlink
path: /unlink
operations:
- name: unlink
method: POST
description: Auth0 Unlink an account
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: users-user-id-impersonate
path: /users/{user_id}/impersonate
operations:
- name: impersonate
method: POST
description: Auth0 Obtain an impersonation URL
inputParameters:
- name: user_id
in: path
type: string
required: true
description: The ID of the user to impersonate.
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
exposes:
- type: rest
port: 8080
namespace: auth0-rest
description: REST adapter for Auth0 API.
resources:
- path: /authorize
name: authorize
operations:
- method: GET
name: authorize
description: Auth0 Authenticate a user with a social provider, Database/AD/LDAP (Passive), SAML/Windows Azure AD (Passive),
Authorization Code Flow, Authorization Code Grant (PKCE) Flow, or Implicit Flow
call: auth0.authorize
outputParameters:
- type: object
mapping: $.
- path: /v2/logout
name: logout
operations:
- method: GET
name: logout
description: Auth0 Logout a user
call: auth0.logout
outputParameters:
- type: object
mapping: $.
- path: /oidc/logout
name: oidc-logout
operations:
- method: GET
name: oidc-logout
description: Auth0 Logout a user
call: auth0.oidc-logout
outputParameters:
- type: object
mapping: $.
- path: /samlp/{CLIENT_ID}/logout
name: saml-logout
operations:
- method: POST
name: saml-logout
description: Auth0 Logout a user
call: auth0.saml-logout
with:
CLIENT_ID: rest.CLIENT_ID
outputParameters:
- type: object
mapping: $.
- path: /passwordless/start
name: passwordless-start
operations:
- method: POST
name: passwordless-start
description: Auth0 Start Passwordless flow
call: auth0.passwordless-start
outputParameters:
- type: object
mapping: $.
- path: /passwordless/verify
name: passwordless-verify
operations:
- method: POST
name: passwordless-verify
description: Auth0 Verify with verification code
call: auth0.passwordless-verify
outputParameters:
- type: object
mapping: $.
- path: /oauth/token
name: oauth-token
operations:
- method: POST
name: oauth-token
description: Auth0 Authenticates a user using a verification code, verifies multi-factor authentication (MFA) using
a one-time password (OTP), out-of-band (OOB) challenge, or a recovery code, or exchanges an Authorization Code for
a Token
call: auth0.oauth-token
outputParameters:
- type: object
mapping: $.
- path: /dbconnections/signup
name: dbconnections-signup
operations:
- method: POST
name: dbconnections-signup
description: Auth0 Signup with user's credentials
call: auth0.dbconnections-signup
outputParameters:
- type: object
mapping: $.
- path: /dbconnections/change_password
name: dbconnections-change-password
operations:
- method: POST
name: dbconnections-change-password
description: Auth0 Send a change password email
call: auth0.dbconnections-change-password
outputParameters:
- type: object
mapping: $.
- path: /userinfo
name: userinfo
operations:
- method: GET
name: userinfo
description: Auth0 Returns a user's profile
call: auth0.userinfo
outputParameters:
- type: object
mapping: $.
- path: /mfa/challenge
name: mfa-challenge
operations:
- method: POST
name: mfa-challenge
description: Auth0 Request a challenge for multi-factor authentication
call: auth0.mfa-challenge
outputParameters:
- type: object
mapping: $.
- path: /mfa/associate
name: mfa-associate
operations:
- method: POST
name: mfa-associate
description: Auth0 Associates or adds a new authenticator for multi-factor authentication (MFA).
call: auth0.mfa-associate
outputParameters:
- type: object
mapping: $.
- path: /mfa/authenticators
name: mfa-authenticators
operations:
- method: GET
name: mfa-authenticators
description: Auth0 Returns a list of authenticators associated with your application.
call: auth0.mfa-authenticators
outputParameters:
- type: object
mapping: $.
- path: /mfa/authenticators/{AUTHENTICATOR_ID}
name: mfa-authenticators-delete
operations:
- method: DELETE
name: mfa-authenticators-delete
description: Auth0 Deletes an associated authenticator using its ID.
call: auth0.mfa-authenticators-delete
with:
AUTHENTICATOR_ID: rest.AUTHENTICATOR_ID
outputParameters:
- type: object
mapping: $.
- path: /samlp/{client_id}
name: samlp-login
operations:
- method: GET
name: samlp-login
description: Auth0 Use this endpoint to accept a SAML request to initiate a login.
call: auth0.samlp-login
with:
client_id: rest.client_id
outputParameters:
- type: object
mapping: $.
- path: /samlp/metadata/{client_id}
name: samlp-metadata
operations:
- method: GET
name: samlp-metadata
description: Auth0 This endpoint returns the SAML 2.0 metadata.
call: auth0.samlp-metadata
with:
client_id: rest.client_id
outputParameters:
- type: object
mapping: $.
- path: /login/callback
name: login-callback
operations:
- method: POST
name: login-callback
description: Auth0 This endpoint accepts an IdP-Initiated Sign On SAMLResponse from a SAML Identity Provider.
call: auth0.login-callback
outputParameters:
- type: object
mapping: $.
- path: /wsfed/{client_id}
name: wsfed-login
operations:
- method: GET
name: wsfed-login
description: Auth0 This endpoint accepts a WS-Federation request to initiate a login.
call: auth0.wsfed-login
with:
client_id: rest.client_id
outputParameters:
- type: object
mapping: $.
- path: /wsfed/FederationMetadata/2007-06/FederationMetadata.xml
name: wsfed-metadata
operations:
- method: GET
name: wsfed-metadata
description: Auth0 This endpoint returns the WS-Federation metadata.
call: auth0.wsfed-metadata
outputParameters:
- type: object
mapping: $.
- path: /oidc/register
name: oidc-register
operations:
- method: POST
name: oidc-register
description: With a name and the necessary callback URL, you can dynamically register a client with Auth0. No token
is needed for this request.
call: auth0.oidc-register
outputParameters:
- type: object
mapping: $.
- path: /oauth/device/code
name: oauth-device-code
operations:
- method: POST
name: oauth-device-code
description: Auth0 Get Device Code
call: auth0.oauth-device-code
outputParameters:
- type: object
mapping: $.
- path: /oauth/revoke
name: oauth-revoke
operations:
- method: POST
name: oauth-revoke
description: Auth0 Revoke Refresh Token
call: auth0.oauth-revoke
outputParameters:
- type: object
mapping: $.
- path: /oauth/access_token
name: oauth-access-token
operations:
- method: POST
name: oauth-access-token
description: Auth0 Login using a social provider's access token
call: auth0.oauth-access-token
outputParameters:
- type: object
mapping: $.
- path: /oauth/ro
name: oauth-ro
operations:
- method: POST
name: oauth-ro
description: Auth0 Given the user's credentials, this endpoint will authenticate the user with the provider and return
a JSON object with the Access Token and an ID Token.
call: auth0.oauth-ro
outputParameters:
- type: object
mapping: $.
- path: /tokeninfo
name: tokeninfo
operations:
- method: POST
name: tokeninfo
description: Auth0 [Deprecated] Return a user profile based on the user's JWT
call: auth0.tokeninfo
outputParameters:
- type: object
mapping: $.
- path: /delegation
name: delegation
operations:
- method: POST
name: delegation
description: Auth0 Obtain a delegation token (from a refresh_token)
call: auth0.delegation
outputParameters:
- type: object
mapping: $.
- path: /unlink
name: unlink
operations:
- method: POST
name: unlink
description: Auth0 Unlink an account
call: auth0.unlink
outputParameters:
- type: object
mapping: $.
- path: /users/{user_id}/impersonate
name: impersonate
operations:
- method: POST
name: impersonate
description: Auth0 Obtain an impersonation URL
call: auth0.impersonate
with:
user_id: rest.user_id
outputParameters:
- type: object
mapping: $.
- type: mcp
port: 9090
namespace: auth0-mcp
transport: http
description: MCP adapter for Auth0 API for AI agent use.
tools:
- name: authorize
description: Auth0 Authenticate a user with a social provider, Database/AD/LDAP (Passive), SAML/Windows Azure AD (Passive),
Authorization Code Flow, Authorization Code Grant (PKCE) Flow, or Implicit Flow
hints:
readOnly: true
destructive: false
idempotent: true
call: auth0.authorize
with:
audience: tools.audience
scope: tools.scope
response_type: tools.response_type
client_id: tools.client_id
redirect_uri: tools.redirect_uri
state: tools.state
nonce: tools.nonce
code_challenge_method: tools.code_challenge_method
code_challenge: tools.code_challenge
connection: tools.connection
prompt: tools.prompt
organization: tools.organization
invitation: tools.invitation
inputParameters:
- name: audience
type: string
description: The unique identifier of the target API you want to access
- name: scope
type: string
description: The scopes which you want to request authorization for. These must be separated by a space. You can request
any of the standard OpenID Connect (OIDC) scopes abo
- name: response_type
type: string
description: 'Indicates to Auth0 which OAuth 2.0 flow you want to perform. Use code for Authorization Code Grant Flow,
token for Implicit Flow, or id_token token for both an '
required: true
- name: client_id
type: string
description: Your application's ID.
required: true
- name: redirect_uri
type: string
description: The URL to which Auth0 will redirect the browser after authorization has been granted by the user.
- name: state
type: string
description: An opaque value the applications adds to the initial request that the authorization server includes when
redirecting the back to the application. This value mus
- name: nonce
type: string
description: A string value which will be included in the ID Token response from Auth0, used to prevent token replay
attacks. It is required for response_type=id_token token
- name: code_challenge_method
type: string
description: Method used to generate the challenge. The PKCE spec defines two methods, S256 and plain, however, Auth0
supports only S256 since the latter is discouraged.
- name: code_challenge
type: string
description: Generated challenge from the code_verifier.
- name: connection
type: string
description: The name of the connection configured to your application.
- name: prompt
type: string
description: To initiate a silent authentication request, use prompt=none.
- name: organization
type: string
description: 'ID of the organization to use when authenticating a user. When not provided, if your application is
configured to Display Organization Prompt, the user will be '
- name: invitation
type: string
description: Ticket ID of the organization invitation. When inviting a member to an Organization, your application
should handle invitation acceptance by forwarding the invi
outputParameters:
- type: object
mapping: $.
- name: logout
description: Auth0 Logout a user
hints:
readOnly: true
destructive: false
idempotent: true
call: auth0.logout
with:
returnTo: tools.returnTo
client_id: tools.client_id
federated: tools.federated
inputParameters:
- name: returnTo
type: string
description: URL to redirect the user after the logout.
- name: client_id
type: string
description: The client_id of your application.
- name: federated
type: string
description: Add this query string parameter to the logout URL, to log the user out of their identity provider, as
well.
outputParameters:
- type: object
mapping: $.
- name: oidc-logout
description: Auth0 Logout a user
hints:
readOnly: true
destructive: false
idempotent: true
call: auth0.oidc-logout
with:
id_token_hint: tools.id_token_hint
logout_hint: tools.logout_hint
post_logout_redirect_uri: tools.post_logout_redirect_uri
client_id: tools.client_id
federated: tools.federated
state: tools.state
ui_locales: tools.ui_locales
inputParameters:
- name: id_token_hint
type: string
description: Previously issued ID Token for the user. This is used to indicate which user to log out.
- name: logout_hint
type: string
description: Optional sid (session ID) value to indicate which user to log out. Should be provided when id_token_hint
is not available.
- name: post_logout_redirect_uri
type: string
description: URL to redirect the user after the logout.
- name: client_id
type: string
description: The client_id of your application.
- name: federated
type: string
description: Add this query string parameter to log the user out of their identity provider.
- name: state
type: string
description: An opaque value the applications adds to the initial request that the authorization server includes when
redirecting the back to the post_logout_redirect_uri.
- name: ui_locales
type: string
description: Space-delimited list of locales use
# --- truncated at 32 KB (41 KB total) ---
# Full source: https://raw.githubusercontent.com/api-evangelist/auth0/refs/heads/main/capabilities/auth0-capability.yaml