
Third-party apps get strict security mode; PKCE mandatory

April 30, 2026 | Auth0 Changelog

We're excited to announce that Enhanced Security Controls for Third-Party Applications is now Generally Available for all Auth0 customers.

As you open your APIs to AI agents, customers, partners, and external developers, you need strong security defaults for third-party applications. Enhanced security controls give third-party applications a secure-by-default posture, so Auth0 does the heavy lifting, and you stay in control of what external applications can access.

What's included:

  • Strict security mode for third-party applications (third_party_security_mode: 'strict')
  • OAuth 2.1 alignment: mandatory PKCE, restricted grant types
  • Explicit API authorization: third-party applications always require a client grant to access an API
  • Default permissions for third-party applications: configure default API permissions that apply automatically to all third-party applications, including those created via Dynamic Client Registration
  • Open redirect protection: configurable redirection_policy to prevent redirect-based attacks
  • Reduced attack surface: curated property allowlist and feature restrictions
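
What "mandatory PKCE" in strict mode means at the protocol level, as an added illustration (not Auth0's code): a minimal authorization server that binds each authorization code to an S256 code_challenge and refuses to issue a token unless the matching code_verifier is presented. The client registry, `pkce_required` flag and endpoint signatures are constructed for this example.

```python
import base64
import hashlib
import secrets

# Constructed sample registry: a first-party app (legacy behaviour) and a
# third-party app registered under strict mode, where PKCE is mandatory.
CLIENTS = {
    "first_party_app": {"pkce_required": False},
    "partner_app": {"pkce_required": True},
}
ISSUED_CODES = {}  # authorization code -> record binding it to client and challenge

def make_code_verifier() -> str:
    # RFC 7636: 43..128 unreserved characters; 32 random bytes encode to 43 chars
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()

def code_challenge_s256(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(code_verifier)) without padding
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def authorize(client_id, code_challenge=None, method=None):
    """Authorization endpoint: returns (code, error)."""
    client = CLIENTS[client_id]
    # Strict mode rejects a missing challenge and the weak "plain" method alike
    if client["pkce_required"] and (not code_challenge or method != "S256"):
        return None, "invalid_request"
    code = secrets.token_urlsafe(16)
    ISSUED_CODES[code] = {"client_id": client_id, "challenge": code_challenge}
    return code, None

def token(client_id, code, code_verifier=None):
    """Token endpoint: returns (token_dict, error); codes are single use."""
    rec = ISSUED_CODES.pop(code, None)  # pop so a replayed code always fails
    if rec is None or rec["client_id"] != client_id:
        return None, "invalid_grant"
    if rec["challenge"] is not None:
        if not code_verifier or not 43 <= len(code_verifier) <= 128:
            return None, "invalid_grant"
        # Constant-time compare of the recomputed challenge with the bound one
        if not secrets.compare_digest(code_challenge_s256(code_verifier), rec["challenge"]):
            return None, "invalid_grant"
    return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}, None
```

A code stolen in transit is useless to an interceptor without the verifier, which never leaves the legitimate client.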

For existing customers using third-party applications: Your existing applications continue to work exactly as they do today — no changes required. A 6-month migration window gives you time to adopt enhanced security controls for new application creation. Review the migration guide for detailed steps.

To learn more, visit the Third-Party Applications documentation.
