Auth0
Identity & SSO
system_type: "auth0"
PQC-seal Auth0 Management API tokens and proxy user management and tenant configuration calls.
Overview#
The Auth0 connector proxies calls to the Auth0 Management API v2. Machine-to-machine application credentials are sealed in QuantaVault. QuantaSeal automatically refreshes Management API access tokens before they expire (tokens last 24 hours by default).
Proxy endpoint: https://api.quantaseal.io/api/v2/proxy/outbound
Auth header: X-API-Key: qs_live_...
Prerequisites#
1. An Auth0 tenant
2. A Machine-to-Machine application authorized for the Auth0 Management API with the required scopes
3. Client ID and Client Secret from the M2M application
4. Your Auth0 domain (e.g. yourorg.us.auth0.com)
5. A QuantaSeal API key
Configuration#
Follow these steps to connect Auth0 to QuantaSeal. You can configure integrations via the Admin Console or directly via the API.
1. In Auth0 Dashboard, create a Machine-to-Machine application.
2. Authorize it for the Auth0 Management API with the required scopes (read:users, create:users, etc.).
3. Note the Client ID and Client Secret.
4. Seal credentials: POST /api/v2/vault/seal with credential_type: oauth2_client and values: {client_id, client_secret, domain, audience: 'https://yourorg.us.auth0.com/api/v2/'}. The audience is the Management API identifier for your domain, trailing slash included.
5. Create the integration: POST /api/v2/integrations with system_type: auth0 and an allowed_operations array listing only the operations this integration needs (see Available Operations).
Authentication Types#
Use oauth2_client with the M2M app client_id and client_secret. QuantaSeal exchanges these for a Management API access token and refreshes automatically.
All credential types are sealed in QuantaVault with ML-KEM-768 + AES-256-GCM and wrapped by your tenant's AWS KMS CMK before storage. See the Vault API reference for the full list of credential types and seal/unseal endpoints.
Available Operations#
QuantaSeal enforces a default-deny operation policy. Only operations listed in your integration's allowed_operations array will be permitted. Add operations when creating or updating the integration.
| Operation | Description |
|---|---|
| get_users | List users with optional query. |
| get_user | Retrieve a user by ID. |
| create_user | Create a new Auth0 user. |
| update_user | Update a user's profile or metadata. |
| delete_user | Permanently delete a user. |
| get_logs | Retrieve tenant log events. |
Code Example#
Every proxy call returns a HybridCryptoEnvelope - the response is ML-KEM-768 key-encapsulated, AES-256-GCM encrypted, and signed with ML-DSA-65 + HMAC-SHA-512. Verify both signatures before trusting the decrypted payload.
curl -X POST https://api.quantaseal.io/api/v2/proxy/outbound \
-H "X-API-Key: qs_live_your_key_here" \
-H "Content-Type: application/json" \
-d '{
"integration_id": "int_01HZ9X2K4MNPQRAUTH0000001",
"operation": "get_users",
"payload": {
"q": "email:*@example.com",
"fields": "user_id,email,last_login",
"per_page": 20,
"page": 0
}
}'
# Response - HybridCryptoEnvelope
{
"success": true,
"encrypted": {
"ciphertext_kem": "<base64 - 1088 bytes ML-KEM-768>",
"ciphertext_data": "<base64 - AES-256-GCM encrypted Auth0 users>",
"nonce": "<base64 - 12 bytes>",
"tenant_id": "ten_01HZ9X2K4MNPQR5STUVWXYZ00",
"algorithm": "ML-KEM-768"
},
"signature": {
"pqc_signature": "<base64 - ~3309 bytes ML-DSA-65>",
"hmac_signature": "<base64 - 64 bytes HMAC-SHA-512>",
"tenant_id": "ten_01HZ9X2K4MNPQR5STUVWXYZ00",
"algorithm": "ML-DSA-65+HMAC-SHA-512"
},
"audit_event_id": "aud_01HZ9XABCDEF"
}
Decrypt the envelope with client.encryption.decrypt(envelope). Both the ML-DSA-65 signature and the HMAC-SHA-512 signature must pass; QuantaSeal combines the two results with a bitwise & rather than a short-circuit and, so both checks always run and a failure in either rejects the payload.
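What the verification step above has to check before a decrypted payload is trusted, written out in Python. This is an added example, not QuantaSeal's SDK, whose client.encryption.decrypt() performs these checks for you. Several details are not stated on this page and are assumptions marked in the code: that the HMAC-SHA-512 is keyed with a per-tenant key the client holds and covers ciphertext_kem || nonce || ciphertext_data, that the ML-DSA-65 check is delegated to a caller-supplied verifier, and that ML-KEM decapsulation and AES-256-GCM decryption follow only after the function returns True. The sizes it enforces (1088-byte ML-KEM-768 ciphertext, 12-byte nonce, 64-byte HMAC tag, 3309-byte ML-DSA-65 signature) are the standard ones from FIPS 203 and FIPS 204 and match the response shown above.

```python
"""Client-side verification of a HybridCryptoEnvelope before its payload is trusted.

Added example, not QuantaSeal's SDK. ASSUMPTIONS not stated on the page: the HMAC
uses a per-tenant key shared with the client and covers ciphertext_kem || nonce ||
ciphertext_data; the ML-DSA-65 check is delegated to a caller-supplied verifier;
decapsulation and AES-GCM decryption happen after this returns True and are not shown.
"""
import base64
import hashlib
import hmac
import os
from typing import Callable

KEM_CT_LEN = 1088        # ML-KEM-768 ciphertext (FIPS 203)
NONCE_LEN = 12           # AES-256-GCM nonce
HMAC_LEN = 64            # HMAC-SHA-512 tag
MLDSA65_SIG_LEN = 3309   # ML-DSA-65 signature (FIPS 204)


def _b64(s: str) -> bytes:
    return base64.b64decode(s, validate=True)


def signed_bytes(enc: dict) -> bytes:
    """Bytes both signatures are taken over (ASSUMPTION: kem ct || nonce || data ct)."""
    return _b64(enc["ciphertext_kem"]) + _b64(enc["nonce"]) + _b64(enc["ciphertext_data"])


def shape_ok(env: dict, expected_tenant: str) -> bool:
    """Algorithm labels, tenant consistency and fixed-size fields; rejects truncation and mix-ups."""
    enc, sig = env["encrypted"], env["signature"]
    return (enc["algorithm"] == "ML-KEM-768"
            and sig["algorithm"] == "ML-DSA-65+HMAC-SHA-512"
            and enc["tenant_id"] == sig["tenant_id"] == expected_tenant
            and len(_b64(enc["ciphertext_kem"])) == KEM_CT_LEN
            and len(_b64(enc["nonce"])) == NONCE_LEN
            and len(_b64(sig["hmac_signature"])) == HMAC_LEN
            and len(_b64(sig["pqc_signature"])) == MLDSA65_SIG_LEN)


def verify_envelope(env: dict, hmac_key: bytes, expected_tenant: str,
                    mldsa_verify: Callable[[bytes, bytes], bool]) -> bool:
    """True only if the envelope is well formed and BOTH signatures verify."""
    try:
        if not env.get("success") or not shape_ok(env, expected_tenant):
            return False
        msg = signed_bytes(env["encrypted"])
        tag = hmac.new(hmac_key, msg, hashlib.sha512).digest()
        hmac_ok = hmac.compare_digest(tag, _b64(env["signature"]["hmac_signature"]))
        pqc_ok = bool(mldsa_verify(msg, _b64(env["signature"]["pqc_signature"])))
    except (KeyError, ValueError, TypeError):
        return False
    # Bitwise &: both checks always run; a failure in either rejects the payload.
    return hmac_ok & pqc_ok


def sample_envelope(hmac_key: bytes, tenant: str) -> dict:
    """Constructed sample with correctly sized random fields and a valid HMAC.
    The pqc_signature is a random placeholder; a real ML-DSA-65 verifier would reject it."""
    enc = {"ciphertext_kem": base64.b64encode(os.urandom(KEM_CT_LEN)).decode(),
           "ciphertext_data": base64.b64encode(os.urandom(256)).decode(),
           "nonce": base64.b64encode(os.urandom(NONCE_LEN)).decode(),
           "tenant_id": tenant, "algorithm": "ML-KEM-768"}
    tag = hmac.new(hmac_key, signed_bytes(enc), hashlib.sha512).digest()
    sig = {"pqc_signature": base64.b64encode(os.urandom(MLDSA65_SIG_LEN)).decode(),
           "hmac_signature": base64.b64encode(tag).decode(),
           "tenant_id": tenant, "algorithm": "ML-DSA-65+HMAC-SHA-512"}
    return {"success": True, "encrypted": enc, "signature": sig, "audit_event_id": "aud_sample"}


if __name__ == "__main__":
    key = os.urandom(32)
    env = sample_envelope(key, "ten_sample")
    trusted = lambda msg, sig: True  # stand-in for a real ML-DSA-65 verifier
    print("intact:", verify_envelope(env, key, "ten_sample", trusted))
    env["encrypted"]["ciphertext_data"] = base64.b64encode(os.urandom(256)).decode()
    print("tampered:", verify_envelope(env, key, "ten_sample", trusted))
```

The tenant_id comparison against a value the client already knows matters as much as the signature checks: an envelope that verifies under another tenant's keys is still the wrong envelope, and the fixed-size checks turn a truncated or mislabelled field into a hard failure rather than an exception in the decryption code.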
Troubleshooting#
401 - access_denied: Service not enabled within domain
The M2M app must be explicitly authorized for the Management API in the Auth0 Dashboard under Applications → your app → APIs tab. Auth0 returns this error when the API named by the audience exists but the application has not been granted access to it. If the message is instead "Service not found", the sealed audience does not match the Management API identifier exactly; it must be https://<your-domain>/api/v2/ with the trailing slash.