Skip to main content
Register an application in Auth0 by importing an externally hosted Client ID Metadata Document (CIMD) from a URL. A CIMD is a JSON file containing client metadata hosted on your domain (e.g., https://example-client.com/mcp-metadata.json). The CIMD URL is the application’s client ID and proves domain ownership, ensuring only trusted tenant administrators can register applications. When you import an application from its CIMD URL, Auth0 fetches, validates, and persists the metadata to register the application as a CIMD client. While Auth0 maintains a record of these settings, the hosted CIMD remains the source of truth; metadata updates are synchronized through manual refreshes. This application registration process is called manual CIMD registration. You can only register third-party applications using manual CIMD, which are subject to enhanced security controls. Once registered, set up your CIMD client as a third-party application in Auth0.

Key benefits

Manual CIMD registration has the following benefits:
  1. Uses asymmetric cryptography (public/private keys) instead of shared symmetric secrets that can be leaked.
  2. Application owners manage client metadata directly in the CIMD; Auth0 simply pulls and persists these updates.
  3. The client ID is the CIMD URL hosted on a secure HTTPS domain, which serves as a human-readable proof of ownership in audit logs.
Third-party applications, including CIMD clients, do not support Organizations. Organizations support for third-party applications will be introduced in a future release.
Rate limits for CIMD clients will be introduced in a future release. You will be able to set a specific rate limit for a CIMD client, as well as a shared rate limit on the aggregated traffic from all CIMD clients in a tenant.

Use cases

Common use cases for manual CIMD registration include:
  • MCP clients: Only need to be registered with CIMD once per deployment. All instances of that deployment use the same registration credentials. To learn how Auth0 secures MCP clients and servers, read Auth for MCP.
  • Third-party integrations: Partner applications, SaaS platforms, and external services that authenticate users on behalf of organizations. These applications manage their own client metadata and cryptographic keys, enabling independent updates and key rotation without sharing secrets.

Example CIMD

The following is an example CIMD for a public MCP client, where "token_endpoint_auth_method": "none":
https://example-client.com/mcp-metadata.json
Auth0 automatically maps and validates CIMD fields. To learn more about supported client types, read Prerequisites.

How it works

The following diagram shows the end-to-end manual CIMD registration flow:

Phase 1: Registration

During manual CIMD registration, a tenant admin registers the application by importing its externally hosted CIMD to Auth0:
  1. Application creation: The tenant admin creates a CIMD app in Auth0 by:
    • Selecting Import from URL in the Auth0 Dashboard
    • Making a POST request to the /register endpoint, providing the external_client_id
  2. Metadata fetch: Auth0 makes a GET request to the client’s domain to retrieve the CIMD (client.json).
  3. Security validation: Auth0 maps and validates the CIMD URL against the CIMD URL validation rules and the CIMD against the CIMD validation rules, verifying that the external_client_id matches the CIMD URL, among other checks.
  4. Persistence: Once validated, Auth0 stores the client metadata in the database.
  5. Confirmation: Auth0 returns a success response; the application has been successfully registered as a CIMD client in Auth0.

Phase 2: Authorization

Once registered, the application uses its CIMD URL as its identity during the OAuth flow.
  1. User-initiated task: The user initiates a task that requires the application to access an API.
  2. Authorization request: The application makes a request to the Auth0 Authorization Server, passing its CIMD URL as the client_id.
  3. Client resolution: The Auth0 Authorization Server queries the database to resolve the provided URL (client_id) to the stored client configuration (external_client_id).
  4. User consent: Auth0 displays a consent screen to the user, identifying the application by the client_name retrieved from the CIMD metadata.
  5. Redirection: After the user approves consent, Auth0 redirects the user back to the application with an authorization code.
  6. Code exchange: The application exchanges the authorization code for an access token at the token endpoint.
  7. Authorization complete: The Auth0 Authorization Server returns an access token where the client_id is set to the CIMD URL. The application can now access the API on the user’s behalf.

Prerequisites

Before registering an application with manual CIMD, make sure your tenant and application meet the following requirements:

Tenant configuration

  • Enable CIMD support: Enable the Client ID Metadata Document Registration toggle in your tenant settings to indicate CIMD support in the Auth0 Authorization Server metadata, allowing clients to automatically discover this capability when connecting.
    • Navigate to Settings > Advanced and scroll down to the Settings section.
    • Toggle on Client ID Metadata Document Registration.
  • Resource Parameter Compatibility Profile (Optional): For MCP clients, we recommend enabling this profile in your tenant settings. This allows the authorization server to handle resource-specific requests (RFC 8707) by checking the resource parameter if the audience is not provided.

Supported client types

You can register the following client types with manual CIMD in Auth0:

Supported authentication methods

CIMD clients cannot use authentication methods based on shared symmetric secrets, such as client_secret_post, client_secret_basic, or client_secret_jwt. Depending on whether the client is public or confidential, Auth0 supports the following authentication methods for CIMD clients:
  • Public clients:
    • No client authentication required at the token endpoint; set token_endpoint_auth_method to none in client metadata
    • Must use Proof Key for Code Exchange (PKCE) for authorization flows
  • Confidential clients:
    • Only Private Key JWT authentication is supported; set token_endpoint_auth_method to private_key_jwt in client metadata
    • Provide a jwks_uri to host public keys. The jwks_uri must share the exact same origin (scheme, host, and port) as the CIMD URL. To learn more, read CIMD JSON validation rules.
Private Key JWT authentication is available only for Enterprise customers. To learn more about Enterprise plans, review Pricing or contact Auth0 Sales.
CIMD clients that use Private Key JWT authentication must implement key rotation by generating a new key pair with a new, unique kid.

Register applications with manual CIMD

When creating an application in Auth0, register it manually with CIMD using the Auth0 Dashboard or Management API.
To register an application with manual CIMD using the Auth0 Dashboard:
  1. Navigate to Applications > Applications.
  2. Select Create Application > Import from URL.
  3. Enter the CIMD URL. Then, select Preview. Auth0 validates the CIMD URL against the CIMD URL validation rules.
  4. If your CIMD URL is valid, Auth0 loads the CIMD and validates it against the CIMD JSON validation rules. Preview your client metadata and troubleshoot it for any validation errors.
  5. Select Create.

Set up CIMD client

Manual CIMD registration is limited to third-party applications (is_first_party: false), which are subject to enhanced security controls. Once you’ve registered your CIMD client, set it up as a third-party application in Auth0: To learn more, read Configure Third-Party Applications.

Refresh client metadata

Once you’ve registered the CIMD client, you can manually refresh client metadata. Auth0 fetches fresh client metadata from the CIMD, which you can preview and save. When you refresh client metadata, Auth0 updates the app_type and grant_types to match the values in the hosted CIMD. To learn more about CIMD fields, read CIMD JSON validation rules. In the Auth0 Dashboard:
  1. Navigate to Applications > Applications and select your CIMD client.
  2. At the top-right corner, select Refresh Client Metadata.
  3. Select Refresh Preview to preview the latest client metadata in the CIMD. Review any validation warnings or errors.
  4. Select Save.

Get CIMD client

To get a CIMD client, make a GET request to the /v2/clients/{clientId} endpoint, where {clientID} is the Auth0-generated client ID assigned to the CIMD client:
Alternatively, pass the external_client_id, or the CIMD URL, as the query parameter to the /v2/clients endpoint:
If successful, Auth0 returns a response that includes the CIMD client configuration with fields like external_client_id, name, callbacks, token_endpoint_auth_method, and more.

Update CIMD client

You can update the fields in the Auth0 database for a registered CIMD client. Updating the CIMD client in Auth0 does not automatically update the CIMD hosted on the application’s domain. You can only update the following fields for CIMD clients: To update a CIMD client, make a PATCH request to the /v2/clients/{clientId} endpoint, where {clientID} is the Auth0-generated client ID assigned to the CIMD client:

CIMD URL validation rules

To pass validation in Auth0, CIMD URLs must meet the following requirements:

CIMD JSON validation rules

Auth0 applies the following CIMD JSON validation rules:
  • Unsupported properties: Auth0 ignores unsupported properties during mapping and reports them as warnings in the validation response.
  • Inline JWKS: Providing an inline jwks object instead of a jwks_uri is not supported and will trigger an invalid_client_metadata error.
  • Private keys: Any JWKS retrieved via jwks_uri that contains private key material (the d parameter) will be rejected.
  • Fetch security: Both the CIMD document and the jwks_uri are subject to 5KB and 12KB size limits, respectively, and neither supports HTTP redirects.
Auth0 supports the following CIMD properties:

Security considerations

CIMD client key rotation for private_key_jwt authentication

To successfully rotate keys for CIMD clients using Private Key JWT authentication, generate a new key pair with a new, unique kid. If you rotate your private key and update your JWKS with new key material under the same kid, Auth0’s CIMD registration rejects the new key and preserves the old one. This ensures that key rotation requires explicit addition of new keys rather than silent replacement. Make sure you refresh your key registration in Auth0 after rotating your keys. To learn more, read Rotate signing keys.