Auth0 · Schema
TenantSettingsFlags
Flags used to change the behavior of this tenant.
Properties
| Name | Type | Description |
|---|---|---|
| change_pwd_flow_v1 | boolean | Whether to use the older v1 change password flow (true, not recommended except for backward compatibility) or the newer safer flow (false, recommended). |
| enable_apis_section | boolean | Whether the APIs section is enabled (true) or disabled (false). |
| disable_impersonation | boolean | Whether the impersonation functionality has been disabled (true) or not (false). Read-only. |
| enable_client_connections | boolean | Whether all current connections should be enabled when a new client (application) is created (true, default) or not (false). |
| enable_pipeline2 | boolean | Whether advanced API Authorization scenarios are enabled (true) or disabled (false). |
| allow_legacy_delegation_grant_types | boolean | If enabled, clients are able to add legacy delegation grants. |
| allow_legacy_ro_grant_types | boolean | If enabled, clients are able to add legacy RO grants. |
| allow_legacy_tokeninfo_endpoint | boolean | Whether the legacy `/tokeninfo` endpoint is enabled for your account (true) or unavailable (false). |
| enable_legacy_profile | boolean | Whether ID tokens and the userinfo endpoint include a complete user profile (true) or only OpenID Connect claims (false). |
| enable_idtoken_api2 | boolean | Whether ID tokens can be used to authorize some types of requests to API v2 (true) or not (false). |
| enable_public_signup_user_exists_error | boolean | Whether the public sign up process shows a user_exists error (true) or a generic error (false) if the user already exists. |
| enable_sso | boolean | Whether users are prompted to confirm log in before SSO redirection (false) or are not prompted (true). |
| allow_changing_enable_sso | boolean | Whether the `enable_sso` setting can be changed (true) or not (false). |
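| disable_clickjack_protection_headers | boolean | Whether classic Universal Login prompts include additional security headers to prevent clickjacking (true) or no safeguard (false). Note: this wording conflicts with the flag name, which implies that true disables the headers; confirm the effective behavior (for example, by checking the login page's response headers) before changing the flag. |
| no_disclose_enterprise_connections | boolean | Do not publish enterprise connection information with IdP domains in the Lock configuration file. |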
| enforce_client_authentication_on_passwordless_start | boolean | Enforce client authentication for passwordless start. |
| enable_adfs_waad_email_verification | boolean | Enables the email verification flow during login for Azure AD and ADFS connections |
| revoke_refresh_token_grant | boolean | Delete underlying grant when a Refresh Token is revoked via the Authentication API. |
| dashboard_log_streams_next | boolean | Enables beta access to log streaming changes |
| dashboard_insights_view | boolean | Enables new insights activity page view |
| disable_fields_map_fix | boolean | Disables SAML fields map fix for bad mappings with repeated attributes |
| mfa_show_factor_list_on_enrollment | boolean | Allows users to pick which of the available MFA factors to enroll. |
| remove_alg_from_jwks | boolean | Removes alg property from jwks .well-known endpoint |
| improved_signup_bot_detection_in_classic | boolean | Improves bot detection during signup in classic universal login |
| genai_trial | boolean | This tenant signed up for the Auth4GenAI trial |
| enable_dynamic_client_registration | boolean | Whether third-party developers can dynamically register applications for your APIs (true) or not (false). This flag enables dynamic client registration. |
| disable_management_api_sms_obfuscation | boolean | If true, SMS phone numbers will not be obfuscated in Management API GET calls. |
| trust_azure_adfs_email_verified_connection_property | boolean | Changes email_verified behavior for Azure AD/ADFS connections when enabled. Sets email_verified to false otherwise. |
| custom_domains_provisioning | boolean | If true, custom domains feature will be enabled for tenant. |
JSON Schema
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "#/components/schemas/TenantSettingsFlags",
"title": "TenantSettingsFlags",
"type": "object",
"description": "Flags used to change the behavior of this tenant.",
"additionalProperties": false,
"properties": {
"change_pwd_flow_v1": {
"type": "boolean",
"description": "Whether to use the older v1 change password flow (true, not recommended except for backward compatibility) or the newer safer flow (false, recommended).",
"default": false
},
"enable_apis_section": {
"type": "boolean",
"description": "Whether the APIs section is enabled (true) or disabled (false).",
"default": false
},
"disable_impersonation": {
"type": "boolean",
"description": "Whether the impersonation functionality has been disabled (true) or not (false). Read-only.",
"default": false
},
"enable_client_connections": {
"type": "boolean",
"description": "Whether all current connections should be enabled when a new client (application) is created (true, default) or not (false).",
"default": true
},
"enable_pipeline2": {
"type": "boolean",
"description": "Whether advanced API Authorization scenarios are enabled (true) or disabled (false).",
"default": true
},
"allow_legacy_delegation_grant_types": {
"type": "boolean",
"description": "If enabled, clients are able to add legacy delegation grants."
},
"allow_legacy_ro_grant_types": {
"type": "boolean",
"description": "If enabled, clients are able to add legacy RO grants."
},
"allow_legacy_tokeninfo_endpoint": {
"type": "boolean",
"description": "Whether the legacy `/tokeninfo` endpoint is enabled for your account (true) or unavailable (false)."
},
"enable_legacy_profile": {
"type": "boolean",
"description": "Whether ID tokens and the userinfo endpoint include a complete user profile (true) or only OpenID Connect claims (false)."
},
"enable_idtoken_api2": {
"type": "boolean",
"description": "Whether ID tokens can be used to authorize some types of requests to API v2 (true) or not (false)."
},
"enable_public_signup_user_exists_error": {
"type": "boolean",
"description": "Whether the public sign up process shows a user_exists error (true) or a generic error (false) if the user already exists."
},
"enable_sso": {
"type": "boolean",
"description": "Whether users are prompted to confirm log in before SSO redirection (false) or are not prompted (true)."
},
"allow_changing_enable_sso": {
"type": "boolean",
"description": "Whether the `enable_sso` setting can be changed (true) or not (false)."
},
"disable_clickjack_protection_headers": {
"type": "boolean",
"description": "Whether classic Universal Login prompts include additional security headers to prevent clickjacking (true) or no safeguard (false)."
},
"no_disclose_enterprise_connections": {
"type": "boolean",
"description": "Do not Publish Enterprise Connections Information with IdP domains on the lock configuration file."
},
"enforce_client_authentication_on_passwordless_start": {
"type": "boolean",
"description": "Enforce client authentication for passwordless start."
},
"enable_adfs_waad_email_verification": {
"type": "boolean",
"description": "Enables the email verification flow during login for Azure AD and ADFS connections"
},
"revoke_refresh_token_grant": {
"type": "boolean",
"description": "Delete underlying grant when a Refresh Token is revoked via the Authentication API."
},
"dashboard_log_streams_next": {
"type": "boolean",
"description": "Enables beta access to log streaming changes"
},
"dashboard_insights_view": {
"type": "boolean",
"description": "Enables new insights activity page view"
},
"disable_fields_map_fix": {
"type": "boolean",
"description": "Disables SAML fields map fix for bad mappings with repeated attributes"
},
"mfa_show_factor_list_on_enrollment": {
"type": "boolean",
"description": "Used to allow users to pick what factor to enroll of the available MFA factors."
},
"remove_alg_from_jwks": {
"type": "boolean",
"description": "Removes alg property from jwks .well-known endpoint"
},
"improved_signup_bot_detection_in_classic": {
"type": "boolean",
"description": "Improves bot detection during signup in classic universal login"
},
"genai_trial": {
"type": "boolean",
"description": "This tenant signed up for the Auth4GenAI trial"
},
"enable_dynamic_client_registration": {
"type": "boolean",
"description": "Whether third-party developers can <a href=\"https://auth0.com/docs/api-auth/dynamic-client-registration\">dynamically register</a> applications for your APIs (true) or not (false). This flag enables dynamic client registration.",
"default": false
},
"disable_management_api_sms_obfuscation": {
"type": "boolean",
"description": "If true, SMS phone numbers will not be obfuscated in Management API GET calls.",
"default": true
},
"trust_azure_adfs_email_verified_connection_property": {
"type": "boolean",
"description": "Changes email_verified behavior for Azure AD/ADFS connections when enabled. Sets email_verified to false otherwise.",
"default": false
},
"custom_domains_provisioning": {
"type": "boolean",
"description": "If true, custom domains feature will be enabled for tenant.",
"default": false
}
}
}