Skip to main content

Early Access

The Teams API is currently in Early Access and available exclusively for Enterprise customers. By using this feature, you agree to the applicable Free Trial terms in Okta’s Master Subscription Agreement. To learn more about Auth0’s product release cycle, read Product Release Stages.
The Auth0 Teams API allows you to streamline Tenant Lifecycle management. By extending your “Teams superpower” into your existing infrastructure, you can programmatically manage your tenants and integrate them directly into your internal identity lifecycle management workflows. Use the Teams API to call the authorization server and handle token handoffs at your own, assigned token endpoint. With the Teams API, you can customize access for your Team members. With the Teams API, you can assign Teams administrators to:
  • Create new tenants
  • Invite and manage members of your Team
  • Review Team activity
The Teams API follows the OpenAPI Specification (OAS) with an easy-to-download schema. To further accelerate development, we provide full support for Auth0 SDKs and Terraform.

Before you begin

Before you enable the Auth0 Teams API, you must:
For Private Cloud customers: Tenant Member Management is currently in Beta for Private Cloud deployments. By using this feature, you agree to the applicable Free Trial terms in Okta’s Master Subscription Agreement. Contact Auth0 Support to participate in the program. To learn more about Beta programs, read Product Release Stages.

How it works

The Teams API uses the OAuth 2.0 Client Credentials flow to provide secure, scoped access to the API. Use the Teams Dashboard to create and configure a new Production tenant to use with the Teams API. This is your Auth Tenant and should populate in your Teams Tenant menu. Authentication is handled through a dedicated authorization server you configure one time. This server:
  • Issues a Client ID and Secret for your application
  • Provides a token endpoint to mint access tokens
  • Allows you to customize access scopes to match your required permissions
The generated access tokens are then passed to downstream services when calling the Teams API for operations such as tenant provisioning or member role assignment.

Audience

To get the audience for the Teams API, you need to create the Auth Tenant. The configuration you provide determines the audience. Once you complete steps in Create Auth Tenant, create the Teams API audience.

Scopes

The Teams API supports the following scopes from Auth0 Management API:
ScopeDescription
read:tenantsAllows Teams admins to view available tenants
create:tenantsAllows Teams admins to create new tenants
delete:tenantsAllows Teams admins to delete existing tenants
read:membersAllow Teams admin to view existing Teams/Tenant members
create:membersAllow Teams admin to create new Teams/Tenant members
delete:membersAllow Teams admin to remove existing Teams/Tenant members.
update:membersAllow Teams admin to update existing Teams/Tenant members.
create:invitationsAllows Teams admin to create new Teams/Tenant invitations.
read:team_activityAllows Teams admin to view Teams activity.

Activate the Teams API

To activate the Teams API, you need to create an Auth Tenant in the Teams Dashboard to handle authentication. The Auth Tenant hosts the application that provides your Client ID and Secret and serves as the home for all token exchange activity.
The Auth Tenant is created only once. You must create an Auth Tenant to host the application that manages your Client ID and Client Secret. This tenant serves as the central hub for all token exchange operations.

Create the Auth Tenant

  1. Navigate to Auth0 Dashboard > Teams.
  2. In the Team’s Dashboard, select Settings.
  3. Select Teams API.
  4. Create Auth Tenant:
    1. If you have not created an authentication tenant, select Create Auth Tenant: ![][image1]
      1. For Create Under, select Private or Public.
        Private: Use Private if your tenant is located in the private cloud. Public: Use Public if your tenant is located in the public cloud. To learn more about Auth0’s cloud environments, read Deployment Options.
      2. Add your tenant name to the Tenant Domain in the format of your tenant name and region. For example: [my-teams-tenant.us](http://my-teams-tenant.us).
      3. Select Create Tenant.
      4. Add a name for your new Auth Tenant and select the necessary scopes.
      5. Select Create Client. ![][image2]
      6. Review the API configuration details to initiate requests to the Teams API. You need to use the Client ID and Client Secret in the request header: ![][image3]
    2. If you’ve already created the Auth Tenant, select +New Client.
      1. Add a Name for your application.
      2. Select the necessary scopes:![][image4]

Mint access tokens

To obtain the necessary bearer token, execute the following credential exchange via the token endpoint: 
curl --request POST \
  --url https://YOUR_DOMAIN/oauth/token \
  --header 'content-type: application/json' \
  --data '{
    "client_id":"YOUR_CLIENT_ID",
    "client_secret":"YOUR_CLIENT_SECRET",
    "audience":"https://YOUR_DOMAIN/api/v2/",
    "grant_type":"client_credentials"
  }'
Sample Code Response: 
{
  "access_token": "eyJhbGciOiJS....",
  "token_type": "Bearer"
}

Roles and responsibilities

Teams API supports the existing Teams and Dashboard roles matrix. You can perform the same role assignments via the API as you would through the Teams Dashboard.

Rate limits

Learn more