> ## Documentation Index
> Fetch the complete documentation index at: https://docs-dev-chore-teams-api-autoupdate.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Teams API

> Documentation for Auth0's Teams API

<Warning>
  <p class="uppercase font-bold">Early Access</p>

  The Teams API is currently in Early Access and available exclusively for Enterprise customers. By using this feature, you agree to the applicable Free Trial terms in [Okta's Master Subscription Agreement](https://www.okta.com/legal/). To learn more about Auth0's product release cycle, read [Product Release Stages](https://auth0.com/docs/troubleshoot/product-lifecycle/product-release-stages).
</Warning>

The Auth0 Teams API allows you  to streamline Tenant Lifecycle management. By extending your "Teams superpower" into your existing infrastructure, you can programmatically manage your tenants and integrate them directly into your internal identity lifecycle management workflows. Use the Teams API to call the authorization server and handle token handoffs at your own, assigned token endpoint. With the Teams API, you can customize access for your Team members.

With the Teams API, you can assign Teams administrators to:

* Create new tenants
* Invite and manage members of your Team
* Review Team activity

The Teams API follows the [OpenAPI Specification (OAS)](https://swagger.io/docs/specification/v3_0/about/) with an easy-to-download schema. To further accelerate development, we provide full support for [Auth0 SDKs](https://auth0.com/docs/libraries) and Terraform.

<Card title="Before you begin">
  Before you enable the Auth0 Teams API, you must:

  * Create an Auth0 account with an Enterprise plan.
  * Assign a Team Owner to onboard members via the Teams API.
  * [Enable Tenant Member Management](https://auth0.com/docs/get-started/auth0-teams/tenant-member-management).

  <Callout icon="file-lines" color="#0EA5E9" iconType="regular">
    For Private Cloud customers: Tenant Member Management is currently in Beta for Private Cloud deployments. By using this feature, you agree to the applicable Free Trial terms in Okta's [Master Subscription Agreement](https://www.okta.com/legal). Contact [Auth0 Support](https://support.auth0.com) to participate in the program. To learn more about Beta programs, read [Product Release Stages](https://auth0.com/docs/troubleshoot/product-lifecycle/product-release-stages#product-release-stages).
  </Callout>
</Card>

## How it works

The Teams API uses the OAuth 2.0 [Client Credentials flow](https://auth0.com/docs/get-started/authentication-and-authorization-flow#client-credentials-flow) to provide secure, scoped access to the API. Use the Teams Dashboard to create and configure a new Production tenant to use with the Teams API. This is your Auth Tenant and should populate in your Teams Tenant menu.

Authentication is handled through a dedicated authorization server you configure one time. This server:

* Issues a Client ID and Secret for your application
* Provides a token endpoint to mint access tokens
* Allows you to customize access scopes to match your required permissions

The generated access tokens are then passed to downstream services when calling the Teams API for operations such as tenant provisioning or member role assignment.

### Audience

To get the audience for the Teams API, you need to create the Auth Tenant. The configuration you provide determines the audience. Once you complete steps in [Create Auth Tenant](#create-the-auth-tenant), create the Teams API audience.

### Scopes

The Teams API supports the following scopes from [Auth0 Management API](https://auth0.com/docs/api/management/v2):

| Scope                | Description                                                |
| :------------------- | :--------------------------------------------------------- |
| `read:tenants`       | Allows Teams admins to view available tenants              |
| `create:tenants`     | Allows Teams admins to create new tenants                  |
| `delete:tenants`     | Allows Teams admins to delete existing tenants             |
| `read:members`       | Allow Teams admin to view existing Teams/Tenant members    |
| `create:members`     | Allow Teams admin to create new Teams/Tenant members       |
| `delete:members`     | Allow Teams admin to remove existing Teams/Tenant members. |
| `update:members`     | Allow Teams admin to update existing Teams/Tenant members. |
| `create:invitations` | Allows Teams admin to create new Teams/Tenant invitations. |
| `read:team_activity` | Allows Teams admin to view Teams activity.                 |

## Activate the Teams API

To activate the Teams API, you need to create an Auth Tenant in the Teams Dashboard to handle authentication. The Auth Tenant hosts the application that provides your Client ID and Secret and serves as the home for all token exchange activity.

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  The Auth Tenant is created only once. You must create an Auth Tenant to host the application that manages your Client ID and Client Secret. This tenant serves as the central hub for all token exchange operations.
</Callout>

<h3 id="create-the-auth-tenant">
  Create the Auth Tenant
</h3>

1. Navigate to [**Auth0 Dashboard > Teams**](https://accounts.auth0.com/teams/#/tenants).
2. In the Team's Dashboard, select **Settings**.
3. Select **Teams API**.
4. Create Auth Tenant:
   1. If you have not created an authentication tenant, select **Create Auth Tenant**:
      !\[]\[image1]
      1. For Create Under, select **Private** or **Public**.
         <Callout>
           [**Private**](https://auth0.com/docs/get-started/applications/confidential-and-public-applications#confidential-applications): Use Private if your tenant is located in the private cloud.
           [**Public**](https://auth0.com/docs/get-started/applications/confidential-and-public-applications#confidential-and-public-applications): Use Public if your tenant is located in the public cloud.
           To learn more about Auth0's cloud environments, read [Deployment Options](https://auth0.com/docs/deploy-monitor/deployment-options).
         </Callout>
      2. Add your tenant name to the Tenant Domain in the format of your tenant name and region. For example: `[my-teams-tenant.us](http://my-teams-tenant.us)`.
      3. Select **Create Tenant**.
      4. Add a name for your new Auth Tenant and select the necessary scopes.
      5. Select **Create Client**.
         !\[]\[image2]
      6. Review the API configuration details to initiate requests to the Teams API. You need to use the Client ID and Client Secret in the request header:
         !\[]\[image3]

   2. If you've already created the Auth Tenant, select **+New Client**.
      1. Add a Name for your application.
      2. Select the necessary scopes:!\[]\[image4]

## Mint access tokens

To obtain the necessary bearer token, execute the following credential exchange via the token endpoint:

```shell theme={null}
curl --request POST \
  --url https://YOUR_DOMAIN/oauth/token \
  --header 'content-type: application/json' \
  --data '{
    "client_id":"YOUR_CLIENT_ID",
    "client_secret":"YOUR_CLIENT_SECRET",
    "audience":"https://YOUR_DOMAIN/api/v2/",
    "grant_type":"client_credentials"
  }'
```

Sample Code Response:

```json theme={null}
{
  "access_token": "eyJhbGciOiJS....",
  "token_type": "Bearer"
}
```

## Roles and responsibilities

Teams API supports the existing Teams and Dashboard roles matrix. You can perform the same role assignments via the API as you would through the Teams Dashboard.

## Rate limits

## Learn more

* [Team Member Management](https://auth0.com/docs/get-started/auth0-teams/team-member-management)
* [Tenant Member Management](https://auth0.com/docs/get-started/manage-dashboard-access/feature-access-by-role)