https://example-client.com/mcp-metadata.json). The CIMD URL is the application’s client ID and proves domain ownership, ensuring only trusted tenant administrators can register applications.
When you import an application from its CIMD URL, Auth0 fetches, validates, and persists the metadata to register the application as a CIMD client. While Auth0 maintains a record of these settings, the hosted CIMD remains the source of truth; metadata updates are synchronized through manual refreshes. This application registration process is called manual CIMD registration.
You can only register third-party applications using manual CIMD, which are subject to enhanced security controls. Once registered, set up your CIMD client as a third-party application in Auth0.
CIMD clients always register with
third_party_security_mode: "strict", regardless of your tenant’s Create Permissive Third-Party Clients by Default setting. Permissive mode is not available for CIMD clients. Strict third-party applications do not support Rules, and login flows for CIMD clients fail if your tenant has active Rules. If you use Rules, migrate to Actions before registering CIMD clients.Key benefits
Manual CIMD registration has the following benefits:- Uses asymmetric cryptography (public/private keys) instead of shared symmetric secrets that can be leaked.
- Application owners manage client metadata directly in the CIMD; Auth0 simply pulls and persists these updates.
- The client ID is the CIMD URL hosted on a secure HTTPS domain, which serves as a human-readable proof of ownership in audit logs.
Third-party applications, including CIMD clients, do not support Organizations. Organizations support for third-party applications will be introduced in a future release.
Rate limits for CIMD clients will be introduced in a future release. You will be able to set a specific rate limit for a CIMD client, as well as a shared rate limit on the aggregated traffic from all CIMD clients in a tenant.
Use cases
Common use cases for manual CIMD registration include:- MCP clients: Only need to be registered with CIMD once per deployment. All instances of that deployment use the same registration credentials. To learn how Auth0 secures MCP clients and servers, read Auth for MCP.
- Third-party integrations: Partner applications, SaaS platforms, and external services that authenticate users on behalf of organizations. These applications manage their own client metadata and cryptographic keys, enabling independent updates and key rotation without sharing secrets.
Example CIMD
The following is an example CIMD for a public MCP client, where"token_endpoint_auth_method": "none":
https://example-client.com/mcp-metadata.json
How it works
The following diagram shows the end-to-end manual CIMD registration flow:Phase 1: Registration
During manual CIMD registration, a tenant admin registers the application by importing its externally hosted CIMD to Auth0:- Application creation: The tenant admin creates a CIMD app in Auth0 by:
- Selecting Import from URL in the Auth0 Dashboard
- Making a POST request to the
/registerendpoint, providing theexternal_client_id
- Metadata fetch: Auth0 makes a GET request to the client’s domain to retrieve the CIMD (client.json).
- Security validation: Auth0 maps and validates the CIMD URL against the CIMD URL validation rules and the CIMD against the CIMD validation rules, verifying that the
external_client_idmatches the CIMD URL, among other checks. - Persistence: Once validated, Auth0 stores the client metadata in the database.
- Confirmation: Auth0 returns a success response; the application has been successfully registered as a CIMD client in Auth0.
Phase 2: Authorization
Once registered, the application uses its CIMD URL as its identity during the OAuth flow.- User-initiated task: The user initiates a task that requires the application to access an API.
- Authorization request: The application makes a request to the Auth0 Authorization Server, passing its CIMD URL as the
client_id. - Client resolution: The Auth0 Authorization Server queries the database to resolve the provided URL (
client_id) to the stored client configuration (external_client_id). - User consent: Auth0 displays a consent screen to the user, identifying the application by the
client_nameretrieved from the CIMD metadata. - Redirection: After the user approves consent, Auth0 redirects the user back to the application with an authorization code.
- Code exchange: The application exchanges the authorization code for an access token at the token endpoint.
- Authorization complete: The Auth0 Authorization Server returns an access token where the
client_idis set to the CIMD URL. The application can now access the API on the user’s behalf.
Prerequisites
Before registering an application with manual CIMD, make sure your tenant and application meet the following requirements:Tenant configuration
- Enable CIMD support: Enable the Client ID Metadata Document Registration toggle in your tenant settings to indicate CIMD support in the Auth0 Authorization Server metadata, allowing clients to automatically discover this capability when connecting.
- Navigate to Settings > Advanced and scroll down to the Settings section.
- Toggle on Client ID Metadata Document Registration.
- Resource Parameter Compatibility Profile (Optional): For MCP clients, we recommend enabling this profile in your tenant settings. This allows the authorization server to handle resource-specific requests (RFC 8707) by checking the
resourceparameter if theaudienceis not provided.
Supported client types
You can register the following client types with manual CIMD in Auth0:- Application type: Must be a native or regular web application.
- Third-party application: Must be a third-party application (
is_first_party: false), which is subject to enhanced security controls. Once registered, set up your CIMD client as a third-party application in Auth0.
Supported authentication methods
CIMD clients cannot use authentication methods based on shared symmetric secrets, such asclient_secret_post, client_secret_basic, or client_secret_jwt.
Depending on whether the client is public or confidential, Auth0 supports the following authentication methods for CIMD clients:
- Public clients:
- No client authentication required at the token endpoint; set
token_endpoint_auth_methodtononein client metadata - Must use Proof Key for Code Exchange (PKCE) for authorization flows
- No client authentication required at the token endpoint; set
- Confidential clients:
- Only Private Key JWT authentication is supported; set
token_endpoint_auth_methodtoprivate_key_jwtin client metadata - Provide a
jwks_urito host public keys. Thejwks_urimust share the exact same origin (scheme, host, and port) as the CIMD URL. To learn more, read CIMD JSON validation rules.
- Only Private Key JWT authentication is supported; set
Private Key JWT authentication is available only for Enterprise customers. To learn more about Enterprise plans, review Pricing or contact Auth0 Sales.
CIMD clients that use Private Key JWT authentication must implement key rotation by generating a new key pair with a new, unique
kid.Register applications with manual CIMD
When creating an application in Auth0, register it manually with CIMD using the Auth0 Dashboard or Management API.- Auth0 Dashboard
- Management API
To register an application with manual CIMD using the Auth0 Dashboard:
- Navigate to Applications > Applications.
- Select Create Application > Import from URL.
- Enter the CIMD URL. Then, select Preview. Auth0 validates the CIMD URL against the CIMD URL validation rules.
- If your CIMD URL is valid, Auth0 loads the CIMD and validates it against the CIMD JSON validation rules. Preview your client metadata and troubleshoot it for any validation errors.
- Select Create.
Set up CIMD client
Manual CIMD registration is limited to third-party applications (is_first_party: false), which are subject to enhanced security controls. Once you’ve registered your CIMD client, set it up as a third-party application in Auth0:
- Configure API access policy: Create client grants to authorize its access to APIs
- Promote connections to the domain level: Make connections available on the domain or tenant level to authenticate your users
Refresh client metadata
Once you’ve registered the CIMD client, you can manually refresh client metadata. Auth0 fetches fresh client metadata from the CIMD, which you can preview and save. When you refresh client metadata, Auth0 updates theapp_type and grant_types to match the values in the hosted CIMD. To learn more about CIMD fields, read CIMD JSON validation rules.
In the Auth0 Dashboard:
- Navigate to Applications > Applications and select your CIMD client.
- At the top-right corner, select Refresh Client Metadata.
- Select Refresh Preview to preview the latest client metadata in the CIMD. Review any validation warnings or errors.
- Select Save.
Get CIMD client
To get a CIMD client, make aGET request to the /v2/clients/{clientId} endpoint, where {clientID} is the Auth0-generated client ID assigned to the CIMD client:
external_client_id, or the CIMD URL, as the query parameter to the /v2/clients endpoint:
external_client_id, name, callbacks, token_endpoint_auth_method, and more.
Update CIMD client
You can update the fields in the Auth0 database for a registered CIMD client. Updating the CIMD client in Auth0 does not automatically update the CIMD hosted on the application’s domain. You can only update the following fields for CIMD clients:
To update a CIMD client, make a
PATCH request to the /v2/clients/{clientId} endpoint, where {clientID} is the Auth0-generated client ID assigned to the CIMD client:
CIMD URL validation rules
To pass validation in Auth0, CIMD URLs must meet the following requirements:CIMD JSON validation rules
Auth0 applies the following CIMD JSON validation rules:- Unsupported properties: Auth0 ignores unsupported properties during mapping and reports them as warnings in the validation response.
- Inline JWKS: Providing an inline
jwksobject instead of ajwks_uriis not supported and will trigger aninvalid_client_metadataerror. - Private keys: Any JWKS retrieved via
jwks_urithat contains private key material (thedparameter) will be rejected. - Fetch security: Both the CIMD document and the
jwks_uriare subject to 5KB and 12KB size limits, respectively, and neither supports HTTP redirects.
Security considerations
CIMD client key rotation for private_key_jwt authentication
To successfully rotate keys for CIMD clients using Private Key JWT authentication, generate a new key pair with a new, uniquekid. If you rotate your private key and update your JWKS with new key material under the same kid, Auth0’s CIMD registration rejects the new key and preserves the old one. This ensures that key rotation requires explicit addition of new keys rather than silent replacement.
Make sure you refresh your key registration in Auth0 after rotating your keys. To learn more, read Rotate signing keys.