You can enable third-party applications for your tenant. See First-Party and Third-Party Applications for details on the differences between the two types of applications.
  1. Update your application’s ownership to third-party in Auth0. By default, applications registered in Auth0 are first-party applications. If you want your application to be a third-party application, you must update its ownership.
  2. Promote the connections you will use with third-party applications to domain level in Auth0. Third-party applications can only authenticate users from connections flagged as domain-level connections. Domain-level connections can be enabled for selected first-party applications while also being open to all third-party application users for authentication.
  3. Update your application’s login page. If you use Lock in the Universal Login Page, you must also:
    1. Upgrade to Lock version 11 or later.
    2. Set the __useTenantInfo: config.isThirdPartyClient flag when instantiating Lock.
    3. For Private Cloud users only: Set the configurationBaseUrl option to https://{config.auth0Domain}/ when instantiating Lock.
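
The steps above leave two things worth auditing: which connections are now reachable by every third-party application, and which third-party applications are enabled on a connection they cannot use. The following is an added example, not Auth0's own code. It assumes client and connection objects exported from the tenant carry `is_first_party`, `is_domain_connection` and `enabled_clients` fields, and the sample data is constructed.

```javascript
// Constructed sample data, shaped like exported client and connection objects.
// Field names (is_first_party, is_domain_connection, enabled_clients) are assumptions.
const sampleClients = [
  { client_id: 'app-internal', name: 'Internal Portal', is_first_party: true },
  { client_id: 'app-partner', name: 'Partner Widget', is_first_party: false },
];
const sampleConnections = [
  { name: 'customers-db', is_domain_connection: true, enabled_clients: ['app-internal'] },
  { name: 'staff-ad', is_domain_connection: false, enabled_clients: ['app-internal', 'app-partner'] },
];

function auditThirdPartyExposure(clients, connections) {
  const thirdParty = clients.filter((c) => c.is_first_party === false);
  const thirdPartyIds = new Set(thirdParty.map((c) => c.client_id));
  const domainLevel = connections.filter((c) => c.is_domain_connection === true);
  const findings = [];

  // Domain-level connections are open to every third-party application.
  for (const conn of domainLevel) {
    findings.push({ level: 'review', connection: conn.name,
      detail: 'domain-level: usable by all ' + thirdParty.length + ' third-party application(s)' });
  }
  // A third-party app enabled on a connection that is not domain-level cannot use it.
  for (const conn of connections) {
    if (conn.is_domain_connection === true) continue;
    for (const id of conn.enabled_clients || []) {
      if (thirdPartyIds.has(id)) {
        findings.push({ level: 'misconfig', connection: conn.name, client: id,
          detail: 'third-party application enabled on a connection that is not domain-level' });
      }
    }
  }
  // Third-party apps with no domain-level connection have nothing to log in with.
  if (thirdParty.length > 0 && domainLevel.length === 0) {
    findings.push({ level: 'misconfig',
      detail: 'third-party applications exist but no connection is domain-level' });
  }
  return {
    thirdPartyApps: thirdParty.map((c) => c.client_id),
    reachableConnections: domainLevel.map((c) => c.name),
    findings,
  };
}

console.log(JSON.stringify(auditThirdPartyExposure(sampleClients, sampleConnections), null, 2));
```

Treat each `review` finding as a prompt to confirm that the connection's user base is meant to be available to every third-party application on the tenant.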

Access token current_user_* scopes

Neither first- nor third-party applications can use to invoke endpoints. Instead, they should get with the following current_user_* scopes required by each endpoint:
| Scope | Endpoint |
| --- | --- |
| read:current_user | List or search users |
| read:current_user | Get a user |
| read:current_user | Get user MFA enrollments |
| update:current_user_metadata | Update a user |
| update:current_user_metadata | Delete a user’s multi-factor provider |
| create:current_user_device_credentials | Create a device public key |
| delete:current_user_device_credentials | Delete a device credential |
| update:current_user_identities | Link a user account |
| update:current_user_identities | Unlink a user identity |

Script example

<script src="https://cdn.auth0.com/js/lock/11.x.y/lock.min.js"></script>
...
<script>
  // Decode utf8 characters properly
  var config = JSON.parse(decodeURIComponent(escape(window.atob('@@config@@'))));

  var connection = config.connection;
  var prompt = config.prompt;
  var languageDictionary;
  var language;
  if (config.dict && config.dict.signin && config.dict.signin.title) {
    languageDictionary = { title: config.dict.signin.title };
  } else if (typeof config.dict === 'string') {
    language = config.dict;
  }

  var lock = new Auth0Lock(config.clientID, config.auth0Domain, {
    auth: {
      redirectUrl: config.callbackURL,
      responseType: config.callbackOnLocationHash ? 'token' : 'code',
      params: config.internalOptions
    },
    assetsUrl:  config.assetsUrl,
    allowedConnections: connection ? [connection] : null,
    configurationBaseUrl: 'https://' + config.auth0Domain + '/', // for PSaaS only
    rememberLastLogin: !prompt,
    language: language,
    languageDictionary: languageDictionary,
    closable: false,
    __useTenantInfo: config.isThirdPartyClient // required for all Tenants
  });

  lock.show();
</script>
