> ## Documentation Index
> Fetch the complete documentation index at: https://auth0-actions-triggers-prototype.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

> Describes the settings related to tenants available in the Auth0 Dashboard.

# Tenant Settings

Use the **Tenant Settings** page in the <Tooltip tip="Auth0 Dashboard: Auth0's main product to configure your services." cta="View Glossary" href="/docs/glossary?term=Auth0+Dashboard">Auth0 Dashboard</Tooltip> at [Dashboard > Settings](https://manage.auth0.com/#/tenant) to configure various settings related to your Auth0 tenant.

## Recommended settings

When you configure your tenant, set the following items:

* **Specify the Environment Tag.** Tenants tagged as **Production** are granted higher rate limits than tenants tagged as **Development** or **Staging**. On non-Enterprise plans, only one tenant per subscription can be tagged as **Production**. To learn more, read [Set Up Multiple Environments](/docs/get-started/auth0-overview/create-tenants/set-up-multiple-environments).
* **Set the Support Email and Support URL.** If a user encounters an issue while logging in, they'll want to reach out for help. Set these values to direct them to an email address or landing page to get assistance.
* **Configure a custom error page.** If possible, you should host your own custom error page and configure Auth0 to use it instead of the default page. This allows you to provide more complete and customized explanations to users about what to do in the event of an error.
* **Set up a <Tooltip tip="Custom Domain: Third-party domain with a specialized, or vanity, name." cta="View Glossary" href="/docs/glossary?term=custom+domain">custom domain</Tooltip>.** If you are on a paid plan, you can configure a custom domain for your Auth0 tenant. A custom domain unifies the login experience with your brand and provides additional benefits. To learn more, read [Custom Domains](/docs/customize/custom-domains).
* **Set the <Tooltip tip="Single Sign-On (SSO): Service that, after a user logs into one applicaton, automatically logs that user in to other applications." cta="View Glossary" href="/docs/glossary?term=Single+Sign-On">Single Sign-On</Tooltip> (SSO) session timeout.** The SSO session timeout value specifies the time until a user's session expires. The value is 7 days by default, which is the length of time users can access your Auth0-integrated applications without re-entering their credentials. To learn more, read [Sessions](/docs/manage-users/sessions).
* **Set up tenant members.** Configure additional Auth0 Dashboard users and enable <Tooltip tip="Multi-factor authentication (MFA): User authentication process that uses a factor in addition to username and password such as a code via SMS." cta="View Glossary" href="/docs/glossary?term=multi-factor+authentication">multi-factor authentication</Tooltip> (MFA). To learn more, read [Manage Dashboard Access](/docs/get-started/manage-dashboard-access) and [Manage Dashboard Access with Multi-Factor Authentication](/docs/get-started/manage-dashboard-access/add-change-remove-mfa).
* **Disable the Enable Application Connections setting.** If this setting is enabled, all configured connections will be automatically enabled for any new application you create. As a result, users may be able to log in to the application through connections that you did not intend to be available. Disable this setting so you can explicitly enable the connections appropriate for each application.
* **Enable <Tooltip tip="Attack Protection: Features that Auth0 provides to detect and mitigate attacks, including brute-force protection, suspicious IP throttling, breached password detection, bot detection, and adaptive multi-factor authentication." cta="View Glossary" href="/docs/glossary?term=Attack+Protection">Attack Protection</Tooltip>.** Protect your users against brute force attacks and breached passwords. To learn more, read [Attack Protection](/docs/secure/attack-protection).

## General

On the **General** tab, you can customize basic tenant settings.

### Settings

<Frame>
  <img src="https://mintlify.s3.us-west-1.amazonaws.com/auth0-actions-triggers-prototype/docs/images/cdy7uua7fh8z/4okToiwlkNQBxwr8QGE3Rs/7e96db0efab4082ebb9f78cb43ee302c/Basic_Settings_-_EN.png" alt="Dashboard Tenant Settings General Settings tab" />
</Frame>

* **Friendly Name**: Name you want to be displayed to your users on the <Tooltip tip="Universal Login: Your application redirects to Universal Login, hosted on Auth0's Authorization Server, to verify a user's identity." cta="View Glossary" href="/docs/glossary?term=Universal+Login">Universal Login</Tooltip> page. Typically this is the name of your company or organization.
* **Logo URL**: URL of the logo you want to be displayed on the Universal Login page. Minimum recommended resolution is 200 pixels (width) by 200 pixels (height).
* **Support Email**: Email address used to contact your support team.
* **Support URL**: Link to your company or organization support page.

### Environment Tag

You can identify your tenant as a production, staging, or development tenant to differentiate it from other tenants. Higher rate limits apply to tenants tagged as Production with a paid subscription. To learn more, read [Set Up Multiple Environments](/docs/get-started/auth0-overview/create-tenants/set-up-multiple-environments).

<Frame>
  <img src="https://mintlify.s3.us-west-1.amazonaws.com/auth0-actions-triggers-prototype/docs/images/cdy7uua7fh8z/27OH1jFXce97CSjk7TPeD7/deafc344f675fb11ff5d3d589ffadee9/2025-02-26_14-27-31.png" alt="undefined" />
</Frame>

### API Authorization Settings

<Frame>
  <img src="https://mintlify.s3.us-west-1.amazonaws.com/auth0-actions-triggers-prototype/docs/images/cdy7uua7fh8z/17yNCRrB6dWcHp6zLFb74j/d1f7c516bce3bf66e9f4bfbd201411a3/Auth_Settings_-_EN.png" alt="Dashboard Tenant Settings General Tab API Authorization Settings" />
</Frame>

* **Default <Tooltip tip="Audience: Unique identifier of the audience for an issued token. Named aud in a token, its value contains the ID of either an application (Client ID) for an ID Token or an API (API Identifier) for an Access Token." cta="View Glossary" href="/docs/glossary?term=Audience">Audience</Tooltip>**: API identifier to use for [Authorization Flows](/docs/get-started/authentication-and-authorization-flow). If you enter a value, all <Tooltip tip="Access Token: Authorization credential, in the form of an opaque string or JWT, used to access an API." cta="View Glossary" href="/docs/glossary?term=access+tokens">access tokens</Tooltip> issued by Auth0 will specify this API identifier as an audience. Setting the **Default Audience** is equivalent to appending this audience to every authorization request made to your tenant for every application. This will cause new behavior that might result in breaking changes for some of your applications. Please [contact support](/docs/troubleshoot/customer-support/open-and-manage-support-tickets) if you require assistance.
* **Default Directory**: Name of the default connection to be used for both the [Resource Owner Password Flow](/docs/get-started/authentication-and-authorization-flow/resource-owner-password-flow) and [Universal Login Experience](/docs/authenticate/login/auth0-universal-login/universal-login-vs-classic-login/universal-experience). Its value should be the exact name of an existing connection for one of the following strategies: `auth0-adldap`, `ad`, `auth0`, `email`, `sms`, `waad`, or `adfs`.

### Error Pages

In the event of an authorization error, you can either display a generic error page to your users or you can redirect users to your own custom error page. To learn more, read [Custom Error Pages](/docs/customize/login-pages/custom-error-pages).

<Frame>
  <img src="https://mintlify.s3.us-west-1.amazonaws.com/auth0-actions-triggers-prototype/docs/images/cdy7uua7fh8z/kteu7boTA7G67HZXHFYOF/86c12c57e7513dfa07d6dc890ff0823e/Error_Pages_-_EN.png" alt="Dashboard Tenant Settings General Error Pages" />
</Frame>

### Languages

<Frame>
  <img src="https://mintlify.s3.us-west-1.amazonaws.com/auth0-actions-triggers-prototype/docs/images/cdy7uua7fh8z/2G20DUg0pvS4HEChCe3oM8/c15256a4f74cb6188aa2bddda1883095/Lanaguage_Picker_-_EN.png" alt="Dashboard Tenant Settings General Tab Languages" />
</Frame>

* **Default Language**: Language your tenant will use by default.
* **Supported Languages**: Languages also supported by your tenant.

## Subscription

On the **Subscription** tab, you can review your current subscription and compare features of your current plan to other Auth0 subscription plans. You can also change your subscription plan. To learn more, read [Manage Subscription](/docs/troubleshoot/customer-support/manage-subscriptions).

If you have an Enterprise subscription, please refer to your Auth0 agreement for details.

<Frame>
  <img src="https://mintlify.s3.us-west-1.amazonaws.com/auth0-actions-triggers-prototype/docs/images/cdy7uua7fh8z/3yISRVTJOwP4Yo2uG0iZdO/3ffec2e74f090fbcecc3da052fb08ce4/Screenshot_2024-12-06_at_17.10.02.png" alt="Auth0 Tenant Settings Subscription tab" />
</Frame>

## Payment

On the **Payment** tab, you can enter or update your billing details.

## Tenant Members

On the **Tenant Members** tab, you can view a list tenant members assigned to your tenant. You may also add or remove tenant members and review their assigned roles and if they have multi-factor authentication (MFA) enabled. To learn more, read [Manage Dashboard Access](/docs/get-started/manage-dashboard-access).

<Frame>
  <img src="https://mintlify.s3.us-west-1.amazonaws.com/auth0-actions-triggers-prototype/docs/images/cdy7uua7fh8z/3206A7slUJ1cwOjHM3o3Om/a236c35e51540dc427df2b67813af70a/Tenant_Members_-_EN.png" alt="Dashboard Tenant Settings Tenant Members tab" />
</Frame>

## Custom Domains

On the **Custom Domains** tab, you can configure a custom domain to maintain a consistent user experience. When you create a custom domain, users will remain in your domain for login rather than being redirected to your `auth0.com` domain. To learn more, read [Custom Domains](/docs/customize/custom-domains).

<Card title="Availability varies by Auth0 plan">
  Both your specific login implementation and your Auth0 plan or custom agreement affect whether this feature is available. To learn more, read [Pricing](https://auth0.com/pricing).
</Card>

<Frame>
  <img src="https://mintlify.s3.us-west-1.amazonaws.com/auth0-actions-triggers-prototype/docs/images/cdy7uua7fh8z/5RFqn9GqGZ0e9RCbHzvVIk/665b0706c4c8e90dc7a8c397c5f32b15/dashboard-tenant-settings-custom-domains-v2.png" alt="Dashboard Tenant Settings Custom Domains tab" />
</Frame>

## Signing Keys

On the **Signing Keys** tab, you can securely manage the signing key and certificate used to sign <Tooltip tip="ID Token: Credential meant for the client itself, rather than for accessing a resource." cta="View Glossary" href="/docs/glossary?term=ID+tokens">ID tokens</Tooltip>, access tokens, <Tooltip tip="Security Assertion Markup Language (SAML): Standardized protocol allowing two parties to exchange authentication information without a password." cta="View Glossary" href="/docs/glossary?term=SAML">SAML</Tooltip> assertions, and <Tooltip tip="Security Assertion Markup Language (SAML): Standardized protocol allowing two parties to exchange authentication information without a password." cta="View Glossary" href="/docs/glossary?term=WS-Fed">WS-Fed</Tooltip> assertions that are sent to your applications.

<Frame>
  <img src="https://mintlify.s3.us-west-1.amazonaws.com/auth0-actions-triggers-prototype/docs/images/cdy7uua7fh8z/7r8t3EGctFmvkCgPrU0i2R/f79ac74dac5cded37b39bd8a8b80951d/dashboard-tenant-settings-signing-keys.png" alt="Dashboard Tenant Settings Signing Keys tab" />
</Frame>

* **Rotation Settings**: Settings that allow you to rotate the application signing key and certificate. You can choose whether or not to revoke the signing key upon rotation. To learn more, read [Signing Keys](/docs/get-started/tenant-settings/signing-keys).

  * **Rotate Signing Key**: Rotates the signing key without revoking it; effectively, moves the current key to the previous key. All tokens signed with the previous key will still be valid until it is revoked.
  * **Rotate & Revoke Signing Key**: Rotates the signing key and then revokes it; effectively, moves the current key to the previous key, and then invalidates the previous key. Make sure you have updated your application with the next key in the queue before you rotate and revoke the current key.
* **List of Valid Keys**: List of valid application signing keys for your tenant, which are also available at the Metadata endpoint for your application. Valid keys include:

  * **Next in queue**: Key that will be used when the signing key is next rotated.
  * **Currently used**: Key that is currently in use.
  * **Previously used**: Key that was previously used. Its appearance indicates that the signing key has been rotated, but the previously-used key has not yet been revoked.
* **List of Revoked Keys**: List of the last three revoked keys for your tenant. More data about revoked keys is available in tenant logs.

## Advanced

On the **Advanced** tab, you can configure advanced tenant settings.

### Login and Logout

<Frame>
  <img src="https://mintlify.s3.us-west-1.amazonaws.com/auth0-actions-triggers-prototype/docs/images/cdy7uua7fh8z/Login_and_Logout_-_EN.png" alt="Dashboard Tenant Settings Advanced Tab Login and Logout" />
</Frame>

* **Tenant Login URI**: URI that points to a route in your application that starts the OIDC login flow by redirecting to the `/authorize` endpoint; it should take the form of `https://mytenant.org/login`. This will only be used in scenarios where Auth0 needs your tenant to start the OIDC login flow. To learn more, see [Configure Default Login Routes](/docs/authenticate/login/auth0-universal-login/configure-default-login-routes).
* **Allowed Logout URLs**: URLs Auth0 can redirect to after logout when no client\_id is specified on the Logout endpoint invocation. Useful as a global list when Single Sign-on (SSO) is enabled. To learn more, read [Logout](docs/authenticate/login/logout).
* **Allowed ACR Values**: List of allowed Authentication Context Class Reference (ACR).  These values are included in the OpenID Configuration document. When populated, values not listed here will be rejected if used in authentication flows.
* **RP-Initiated Logout End Session Endpoint Discovery**: Controls if the logout endpoint is advertised in the OpenID Configuration responses as `end_session_endpoint`.
* **RP-Initiated Logout End-User Confirmation**: Controls whether the user is asked to confirm login if the RP-Initiated logout request does not include the correct hints.
* **Non-Verifiable Callback URI End-User Confirmation**: Controls whether the user is prompted to confirm login when a custom URI scheme is used as callback. Auth0 recommends that you **do not** skip end-user confirmation in these cases. To learn more, read [Measures Against Application Impersonation](docs/secure/security-guidance/measures-against-app-impersonation.mdx).

### Login Session Management

The **Login Session Management** settings configure the login session lifetime that represents the Auth0 <Tooltip tip="Authorization Server: Centralized server that contributes to defining the boundaries of a user’s access. For example, your authorization server can control the data, tasks, and features available to a user." cta="View Glossary" href="/docs/glossary?term=Authorization+Server">Authorization Server</Tooltip> session layer. The authorization server session layer drives single sign-on (SSO). To learn more, read [Single Sign-on](/docs/authenticate/single-sign-on).

Timeouts for tokens issued by Auth0 can be configured elsewhere. Token timeouts are often used to drive the Application session layer and appear in token claims, such as in the expiration claim for <Tooltip tip="OpenID: Open standard for authentication that allows applications to verify users' identities without collecting and storing login information." cta="View Glossary" href="/docs/glossary?term=OpenID">OpenID</Tooltip> Connect (OIDC) ID tokens or the lifetime assertion for SAML.

<Frame>
  <img src="https://mintlify.s3.us-west-1.amazonaws.com/auth0-actions-triggers-prototype/docs/images/cdy7uua7fh8z/q2fGPzoUqCcXj7OxcHhjy/de15afcd26e8ea80937733034ffbd387/Screenshot_2024-11-06_at_11.02.16.png" alt="Dashboard Tenant Settings Advanced Login Session Management" />
</Frame>

* **Inactivity timeout**: Timeframe (in minutes) after which a user's session will expire if they haven’t interacted with the Authorization Server. It will be superseded by system limits if over 4,320 minutes (3 days) for non-Enterprise plans or 144,000 minutes (100 days) for Enterprise plans.
* **Require log in after**: Timeframe (in minutes) after which a user will be required to log in again, regardless of their activity. It will be superseded by system limits if over 43,200 minutes (30 days) for non-Enterprise plans or 525,600 minutes (365 days) for Enterprise plans.

### Device Flow User Code Format

If you are using the [Device Authorization Flow](/docs/get-started/authentication-and-authorization-flow/device-authorization-flow), these settings configure the randomly generated user code. To learn more, read [Configure Device User Code Settings](/docs/get-started/tenant-settings/configure-device-user-code-settings).

<Frame>
  <img src="https://mintlify.s3.us-west-1.amazonaws.com/auth0-actions-triggers-prototype/docs/images/cdy7uua7fh8z/5bz66ACqxQh00GCuTLUbkT/410c57d3275127b7953ab6624dcf9a87/Device_Flow_User_Code_Format_-_EN.png" alt="Dashboard Tenant Settings Advanced Tab Device Flow User Code Format" />
</Frame>

* **User Code Character Set**: Character set used to generate the user code.
* **User Code Mask**: Mask used to format the user code. The mask defines the length of the user code and formats it into a friendly, readable value, allowing spaces or hyphens for readability.

### Global client information

The **Global <Tooltip tip="Client ID: Identification value given to your registered resource from Auth0." cta="View Glossary" href="/docs/glossary?term=Client+ID">Client ID</Tooltip>** and **Global <Tooltip tip="Client ID: Identification value given to your registered resource from Auth0." cta="View Glossary" href="/docs/glossary?term=Client+Secret">Client Secret</Tooltip>** are used to generate tokens for legacy Auth0 APIs. Typically, you will not need these values. If you need to have the global client secret changed, please [contact support](https://support.auth0.com).

<Frame>
  <img src="https://mintlify.s3.us-west-1.amazonaws.com/auth0-actions-triggers-prototype/docs/images/cdy7uua7fh8z/1ILkvoM7wZx7OE1Ak8Fn8W/4224394d4b1d180787568342ec211fbb/Global_Client_Info_-_EN.png" alt="Dashboard Tenant Settings Advanced Tab Global Client Information" />
</Frame>

### Settings (Advanced)

* **Change Password Flow v2**: When enabled, the newest version of the Change Password Flow will be used. The previous version has been deprecated, and we strongly recommend enabling v2. This flag is presented only for backward compatibility, and once enabled, you can no longer disable it. You can customize the user interface for the Change Password widget on the [Universal Login > Password Reset](https://manage.auth0.com/#/password_reset) tab in the Auth0 Dashboard.
* **Dynamic Client Registration (DCR)**: When enabled, third-party developers will be able to dynamically register applications for your APIs. You can also update this flag using the [`/tenant/patch_settings`](https://auth0.com/docs/api/management/v2#!/Tenants/patch_settings) endpoint of the Auth0 <Tooltip tip="Management API: A product to allow customers to perform administrative tasks." cta="View Glossary" href="/docs/glossary?term=Management+API">Management API</Tooltip>. By default, this feature is disabled. To learn more, read [Dynamic Client Registration](/docs/get-started/applications/dynamic-client-registration).
* **Resource Parameter Compatibility Profile**: The resource parameter compatibility profile determines how Auth0 handles the `resource` parameter in authorization requests.
  * When enabled:
    * Auth0 uses the `resource` parameter to specify which resource server (API) the client application wants to access
    * Auth0 checks the `audience` parameter first; if not provided, it falls back to the `resource` parameter
    * The `resource` parameter is consumed by Auth0 and is not forwarded to the upstream IdP
  * When disabled (default):
    * Auth0 uses only the `audience` parameter to specify the resource server
    * The `resource` parameter is treated as an upstream IdP parameter and will be forwarded to the IdP
* **Client ID Metadata Document (CIMD) Registration**: Enable manual CIMD registration by importing an externally hosted Client ID Metadata Document (CIMD) from a URL. CIMD is a JSON file containing client metadata hosted on a secure HTTPS domain controlled by the application. To learn more, read [Register Applications with CIMD](/docs/get-started/auth0-overview/create-applications/register-applications-with-cimd).
* **Enable Application Connections**: When enabled, all current connections will be enabled for any new application that is created.
* **Use a generic response in public signup API error message**: When enabled, errors generated while using the public signup API will return a generic response. This helps protect against user registration enumeration by preventing <Tooltip tip="Bad Actors: Entity (a person or group) that poses a threat to the business or environment with the intention to cause harm." cta="View Glossary" href="/docs/glossary?term=bad+actors">bad actors</Tooltip> from being able to guess previously-registered identifiers (username, email, or phone) from reading error response codes, such as `user_exists`.
* **Enable Publishing of Enterprise Connections Information with <Tooltip tip="Identity Provider (IdP): Service that stores and manages digital identities." cta="View Glossary" href="/docs/glossary?term=IdP">IdP</Tooltip> domains**: When enabled, it supports [Home Realm Discovery](/docs/authenticate/login/auth0-universal-login/identifier-first) and [Auth0 Lock](/docs/libraries/lock) relies on a checked public file that includes enterprise connection information. If you don’t require that functionality, you can disable it.
* **Enable email verification flow during login for Azure AD and ADFS connections**: When enabled, users will be presented with an email verification prompt during their first login when using Azure AD or ADFS connections.
* **<Tooltip tip="Refresh Token: Token used to obtain a renewed Access Token without forcing users to log in again." cta="View Glossary" href="/docs/glossary?term=Refresh+Token">Refresh Token</Tooltip> Revocation Deletes Grant**: When enabled, it deletes the underlying grant when you revoke a refresh token using the Authentication API `/oauth/revoke` endpoint.

  <Callout icon="file-lines" color="#0EA5E9" iconType="regular">
    For existing tenants, this feature is enabled by default to preserve the existing behavior. For new tenants (as of 13 January 2021), this feature is disabled by default to ensure that the revocation of a refresh token will not revoke the grant. If a grant revocation is needed, a separate request must be sent using a grant revocation endpoint.
  </Callout>
* **Allow Organization Names in Authentication API**: When enabled, [/authorize](https://auth0.com/docs/api/authentication#authorize-application) and [SAML](https://auth0.com/docs/api/authentication#saml) endpoints can accept both organization IDs and names. Additionally, ID and access tokens will include both `org_id` and `org_name` claims. Before enabling this setting, review [Use Organization Names in Authentication API](/docs/manage-users/organizations/configure-organizations/use-org-name-authentication-api) for important considerations and potential impacts.
* **Allow Pushed Authorization Requests (PAR):** When enabled, the `/par` endpoint can accept authorization requests pushed to it from a client application. This prevents the client application from sending requests via the insecure front channel (i.e. the browser).

### Extensibility

<Frame>
  <img src="https://mintlify.s3.us-west-1.amazonaws.com/auth0-actions-triggers-prototype/docs/images/cdy7uua7fh8z/3RVLXoBWLAuJkptdP60U2Y/0567b30150e75c7e85db541183dd95f7/Tenant_Settings_-_Extensibility_-_English.png" alt="Dashboard Tenant Settings Advanced Tab Extensibility" />
</Frame>

* **Runtime**: Select the version of the Node.js runtime environment you want to use for Auth0 extensibility features, including [Custom Database Action Scripts](/docs/authenticate/database-connections/custom-db/templates) and [Custom Social Connections](/docs/authenticate/identity-providers/social-identity-providers/oauth2).
* **Verify Custom DB Scripts:** Select and run a Node.js runtime version compatibility check for enabled Custom Databases.

  <Callout icon="file-lines" color="#0EA5E9" iconType="regular">
    The Verify Custom Database Action Scripts feature:

    * Is available if your tenant has 1 to 10 [database connections](/docs/authenticate/database-connections/custom-db/create-db-connection).
    * Requires [custom database scripts](/docs/authenticate/database-connections/custom-db/templates) to be enabled.
    * Only checks Node.js runtime compatibility. Functionality is not verified.
  </Callout>

### Migrations

In this section, you can choose to enable or disable various migrations that are available.

### Feature Previews

In this section, you can choose to enable or disable feature previews that are available.

### Delete tenant or subscription

Deleted tenants cannot be restored and the tenant name cannot be used again when creating new tenants. To learn how to reset your tenant configuration, read [Delete or Reset Tenants](/docs/troubleshoot/customer-support/manage-subscriptions/delete-or-reset-tenant).

## Learn more

* [Manage Subscriptions](/docs/troubleshoot/customer-support/manage-subscriptions)
* [Delete or Reset Tenants](/docs/troubleshoot/customer-support/manage-subscriptions/delete-or-reset-tenant)
* [Manage Dashboard Access](/docs/get-started/manage-dashboard-access)
* [Signing Keys](/docs/get-started/tenant-settings/signing-keys)
* [Custom Domains](/docs/customize/custom-domains)