
# API Access Policies for Applications

> Learn how to configure API Access Policies for Applications.

API Access Policies for Applications let you control how applications access the APIs registered in Auth0. Each policy defines how applications interact with an API, in particular whether they can obtain an access token for the API's resources at all.

You can configure the application API access policy for each API registered in the Auth0 Dashboard. To learn more, read [Configure API application access policy](#configure-api-application-access-policy).

## User-delegated access vs. client access

You can configure separate application API access policies for user-delegated access and client (machine-to-machine) access:

* **Client access**: used for machine-to-machine access, which corresponds to the [Client Credentials Flow](/docs/get-started/authentication-and-authorization-flow/client-credentials-flow).
* **User-delegated access**: used for all access flows that generate an access token associated with an end-user, allowing the application to access an API on the user's behalf. User-delegated access flows do not include the Client Credentials Flow. To learn more about user-delegated access flows, read [Authentication and Authorization Flows](/docs/get-started/authentication-and-authorization-flow).

## Application API access policies

The application API access policies are:

| Policy                                          | Description                                                                                                                                                                                                                                                                                                                                                                                         | Availability and default                                                                                                            |
| ----------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `All apps allowed` (`allow_all`)                | When configured for an API, any application in your tenant can get an access token to the API. No specific grant is required.                                                                                                                                                                                                                                                                       | The default for user-delegated access when you create an API. `allow_all` can only be configured for user-delegated access.        |
| `Per-app authorization` (`require_client_grant`) | When configured for an API, only applications with a client grant defined can get an access token for the API. The client grant establishes the maximum permissions an application can request from the API. To learn more about how to create and manage client grants, read [Application Access to APIs: Client Grants](/docs/get-started/applications/application-access-to-apis-client-grants). | The default for client access (Client Credentials Flow) when you create an API.                                                     |
| `No apps allowed` (`deny_all`)                  | When configured for an API, no application can get an access token to the API, regardless of any other settings or grants. Access is completely restricted.                                                                                                                                                                                                                                         | `deny_all` can be configured for both user-delegated and client access.                                                             |

When configuring an API's application access policy, Auth0 recommends using `Per-app authorization`, which follows a least privilege principle approach. To learn more, read [Application Access to APIs: Client Grants](/docs/get-started/applications/application-access-to-apis-client-grants).

When you set the application access policy for an API to `Per-app authorization`, you must explicitly request the required scopes as part of the token request. Refresh token requests are the exception: if you omit the scopes there, the authorization server assumes the application wants all the scopes granted with the original access token and returns a new access token with the same scopes the resource owner originally granted.

## Configure API application access policy

You can configure an API's application access policy using the Auth0 Dashboard or the Management API.

<Tabs>
  <Tab title="Auth0 Dashboard">
    To configure an API's application access policy:

    1. Navigate to [Dashboard >  Applications > APIs](https://manage.auth0.com/#/apis) and select your API.
    2. Select the **Settings** tab and scroll down to **Application Access Policy** to configure the **User-Delegated Access** and **Client Access** policies.
       * Configure the **User-Delegated Access** policy to **All apps allowed**, **Per-app authorization**, or **No apps allowed**.
         * **All apps allowed**: Applications are allowed to access the API on the user's behalf.
         * **Per-app authorization**: Applications must have a client grant to access the API on the user's behalf.
         * **No apps allowed**: Applications are denied access to the API on the user's behalf.
       * Configure the **Client Access** policy to **Per-app authorization** or **No apps allowed**.
         * **Per-app authorization**: Machine-to-machine applications are allowed to access this API as long as they have the corresponding client grant.
         * **No apps allowed**: Restricts machine-to-machine access to this API.
    3. Select **Save** to save the **Application Access Policy**.

    When the API's policy is **Per-app authorization**, select the **Application Access** tab and then **Edit** to authorize **User-Delegated Access**, **Client Access**, or both for each individual application.

    * For **User-Delegated Access**, select **Grant Access** and then the desired permissions. You can also select **Always grant all permissions**.
    * For **Client Access**, select **Grant Access** and then the desired permissions. You can also select **Always grant all permissions**. For **Organization Support**, select:
      * **None**: Machine-to-machine access cannot be scoped to an organization.
      * **Optional**: Machine-to-machine access may be scoped to an organization.
      * **Required**: Machine-to-machine access must be scoped to an organization.
  </Tab>

  <Tab title="Management API">
    You can configure an API's application access policy by updating its `subject_type_authorization` property on the `resource-servers` collection of the [Management API](/docs/api/management/v2/resource-servers/patch-resource-servers-by-id).

    The `subject_type_authorization` object contains two nested objects, `user` and `client`, each with a `policy` attribute that you can set to one of the three access policies defined in [Application API access policies](#application-api-access-policies).

    **Existing API**

    To configure the application access policy for an existing API, make a `PATCH` request to the `/resource-servers/{id}` endpoint:

    ```bash lines theme={null}
    curl --location --request PATCH 'https://{yourDomain}/api/v2/resource-servers/{RESOURCE_SERVER_ID}' \
    --header 'Content-Type: application/json' \
    --header 'Authorization: Bearer {YOUR_MANAGEMENT_API_TOKEN}' \
    --data '{
        "subject_type_authorization": {
            "user": {
                "policy": "require_client_grant"
            },
            "client": {
                "policy": "deny_all"
            }
        }
    }'
    ```

    **New API**

    To configure the application access policy when creating a new API, make a `POST` request to the `/resource-servers` endpoint:

    ```bash lines theme={null}
    curl --location 'https://{yourDomain}/api/v2/resource-servers' \
    --header 'Content-Type: application/json' \
    --header 'Authorization: Bearer {YOUR_MANAGEMENT_API_TOKEN}' \
    --data '{
      "name": "{YOUR_NEW_API_NAME}",
      "identifier": "{YOUR_NEW_API_IDENTIFIER}",
      "scopes": [
        {
          "value": "{SCOPE_VALUE}",
          "description": "{SCOPE_DESCRIPTION}"
        }
      ],
      "subject_type_authorization": {
        "user": {
          "policy": "require_client_grant"
        },
        "client": {
          "policy": "deny_all"
        }
      }
    }'
    ```
  </Tab>
</Tabs>

## API access policies and third-party applications

[Third-party applications](/docs/get-started/applications/third-party-applications) always require an explicit client grant to access any API, regardless of the API's configured access policy.

| **API access policy**    | **First-party applications** | **Third-party applications** |
| ------------------------ | ---------------------------- | ---------------------------- |
| **Allow All**            | Access granted               | Requires client grant        |
| **Require Client Grant** | Requires client grant        | Requires client grant        |
| **Deny**                 | Access denied                | Access denied                |
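The two tables on this page (the policy table above and the first-party/third-party table just shown) describe a small decision rule; the following Python is an added example, not Auth0's code, that encodes that rule and audits a list of resource-server objects for settings weaker than the recommended per-app authorization. The policy strings are the Management API values used on this page; the resource-server objects are constructed samples assumed to match the `subject_type_authorization` shape the Management API uses.

```python
# Added example (not Auth0 code): models the access decisions described on this
# page and audits resource-server settings for anything weaker than per-app
# authorization. Policy strings are the Management API values from the page.
ALLOW_ALL = "allow_all"
REQUIRE_CLIENT_GRANT = "require_client_grant"
DENY_ALL = "deny_all"


def token_allowed(policy: str, first_party: bool, has_client_grant: bool) -> bool:
    """Return True if an application can obtain an access token under `policy`.

    deny_all blocks every application; require_client_grant needs a client grant;
    allow_all admits any first-party app, but a third-party app still needs an
    explicit client grant regardless of the API's policy."""
    if policy == DENY_ALL:
        return False
    if policy == REQUIRE_CLIENT_GRANT:
        return has_client_grant
    if policy == ALLOW_ALL:
        return first_party or has_client_grant
    raise ValueError(f"unknown policy: {policy!r}")


def audit_resource_servers(resource_servers: list) -> list:
    """Flag APIs whose subject_type_authorization departs from least privilege.
    Each item is assumed to be a Management API resource-server object; only
    `identifier` and `subject_type_authorization` are read."""
    findings = []
    for rs in resource_servers:
        ident = rs.get("identifier", "<unknown>")
        sta = rs.get("subject_type_authorization") or {}
        user_policy = (sta.get("user") or {}).get("policy")
        client_policy = (sta.get("client") or {}).get("policy")
        if user_policy is None or client_policy is None:
            findings.append(f"{ident}: subject_type_authorization is not set explicitly")
        elif user_policy == ALLOW_ALL:
            findings.append(f"{ident}: user-delegated access is allow_all (any app in the tenant)")
    return findings


SAMPLE_RESOURCE_SERVERS = [  # constructed sample, not data from a real tenant
    {"identifier": "https://orders.example.com", "subject_type_authorization":
        {"user": {"policy": ALLOW_ALL}, "client": {"policy": REQUIRE_CLIENT_GRANT}}},
    {"identifier": "https://billing.example.com", "subject_type_authorization":
        {"user": {"policy": REQUIRE_CLIENT_GRANT}, "client": {"policy": DENY_ALL}}},
    {"identifier": "https://legacy.example.com"},  # no policy set explicitly
]
```

Running `audit_resource_servers(SAMPLE_RESOURCE_SERVERS)` reports the orders API (user-delegated `allow_all`) and the legacy API (no explicit policy), and leaves the billing API alone.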

You can also configure [default permissions for all third-party applications](/docs/get-started/applications/third-party-applications/configure-third-party-applications#default-permissions-for-all-third-party-applications):

1. Navigate to **Applications > APIs** and select the API.
2. Under the **Settings** tab, navigate to **Default Permissions for Third Party Applications**.
3. Select **Authorized** for **User-delegated Access** or **Client Access**, then select the scopes to grant.
4. Select **Save**.

To learn more, read [Configure API Access Policies for Third-Party Applications](/docs/get-started/applications/third-party-applications/configure-third-party-applications#configure-api-access-policies).

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  Some existing tenants may have third-party applications with different access policy behavior. To learn more, read [Permissive Mode for Third-Party Applications](/docs/get-started/applications/third-party-applications/permissive-mode).
</Callout>

## Learn more

* [Application Access to APIs: Client Grants](/docs/get-started/applications/application-access-to-apis-client-grants)
* [Third-Party Applications](/docs/get-started/applications/third-party-applications)
* [Security Controls for Third-Party Applications](/docs/get-started/applications/third-party-applications/security-controls)
