API Settings

​

Settings

​

General Settings

• Id: A unique alphanumeric string generated by Auth0. This information is read-only, and you will only need it if you will be working directly with Auth0’s Management API Resource Servers endpoints.
• Name: A friendly name for the API. Does not affect any functionality. The following characters are not allowed: < >.
• Identifier: A unique identifier for your API. This value is set upon API creation and cannot be modified afterward. We recommend using a URL, but this doesn’t have to be a publicly available URL; Auth0 will not call your API at all.

​

Token Settings

• Maximum Access Token Lifetime (Seconds): The amount of time (in seconds) before an access token expires. The default value is 86400 seconds (24 hours). The maximum value you can set is 2592000 seconds (30 days).
• Implicit / Hybrid Flow Access Token Lifetime (Seconds): The amount of time (in seconds) before an access token issued using an implicit or hybrid flow expires. The default value is 86400 seconds (24 hours). The value cannot exceed the maximum access token lifetime.
• JSON Web Token (JWT) Profile: The profile determines the format of the access tokens issued for the API. The available values are Auth0 and RFC 9068. To learn more, read Access Token Profiles.
• JSON Web Token (JWT) Signing Algorithm: The algorithm with which to sign the tokens. The signature is used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn’t changed along the way. The available values are HS256 and RS256. If you select RS256 (recommended), the token will be signed with your tenant’s private key. This value is set when your API is created and cannot be modified afterward. To learn more about signing algorithms and how they work in Auth0, read Signing Algorithms. The signature is part of a JWT. If you are unfamiliar with JWT structure, please see JSON Web Token Structure.
• JSON Web Encryption (JWE): When enabled, issued access tokens are encrypted using JSON Web Encryption (JWE). format. To learn more, read JSON Web Encryption.

​

RBAC Settings

• Enable RBAC: Enable this setting for RBAC policies to be enforced for the API. To learn more, read Role-Based Access Control and Enable Role-Based Access Control for APIs. For troubleshooting help, review Troubleshoot Role-Based Access Control and Authorization.
• Add Permissions in the Access Token: Enable this setting to add the Permissions claim to the access token. This setting is only available if you enable RBAC. You can configure permissions on the Permissions tab.

​

Access Settings

• Allow Skipping User Consent: Enable this setting for the API to skip user consent for applications flagged as “first party.”
• Allow Offline Access: Enable this setting to allow applications to ask for refresh tokens for the API.

​

Permissions

​

Machine-to-Machine Applications

​

Test

​

Management API Explorer

​

Learn more

• Register APIs
• Tokens
• Signing Algorithms
• API Scopes
• Configure Logical API for Multiple APIs
• Create Machine-to-Machine Applications for Testing