With this resource, you can manage Auth0 tenants, including setting logos and support contact information, setting error pages, and configuring default tenant behaviors.
resource "auth0_tenant" "my_tenant" {
  friendly_name           = "Tenant Name"
  picture_url             = "http://example.com/logo.png"
  support_email           = "support@example.com"
  support_url             = "http://example.com/support"
  allowed_logout_urls     = ["http://example.com/logout"]
  session_lifetime        = 8760
  sandbox_version         = "12"
  enabled_locales         = ["en"]
  default_redirection_uri = "https://example.com/login"

  flags {
    disable_clickjack_protection_headers   = true
    enable_public_signup_user_exists_error = true
    use_scope_descriptions_for_consent     = true
    no_disclose_enterprise_connections     = false
    disable_management_api_sms_obfuscation = false
    disable_fields_map_fix                 = false
  }

  session_cookie {
    mode = "non-persistent"
  }

  sessions {
    oidc_logout_prompt_enabled = false
  }
}

allow_organization_name_in_authentication_api
(Boolean) Whether to accept an organization name instead of an ID on auth endpoints.
allowed_logout_urls
(List of String) URLs that Auth0 may redirect to after logout.
customize_mfa_in_postlogin_action
(Boolean) Whether to enable flexible factors for MFA in the PostLogin action.
default_audience
(String) API Audience to use by default for API Authorization flows. This setting is equivalent to appending the audience to every authorization request made to the tenant for every application.
default_directory
(String) Name of the connection to be used for Password Grant exchanges. Options include auth0-adldap, ad, auth0, email, sms, waad, and adfs.
default_redirection_uri
(String) The default absolute redirection URI. Must be HTTPS or an empty string.
enabled_locales
(List of String) Supported locales for the user interface. The first locale in the list will be used to set the default locale.
flags
(Block List, Max: 1) Configuration settings for tenant flags. (see below for nested schema)
friendly_name
(String) Friendly name for the tenant.
idle_session_lifetime
(Number) Number of hours during which a session can be inactive before the user must log in again.
picture_url
(String) URL of logo to be shown for the tenant. Recommended size is 150px x 150px. If no URL is provided, the Auth0 logo will be used.
sandbox_version
(String) Selected sandbox version for the extensibility environment, which allows you to use custom scripts to extend parts of Auth0's functionality.
session_cookie
(Block List, Max: 1) Alters behavior of tenant's session cookie. Contains a single mode property. (see below for nested schema)
session_lifetime
(Number) Number of hours during which a session will stay valid.
sessions
(Block List, Max: 1) Session-related settings for the tenant. (see below for nested schema)
support_email
(String) Support email address for authenticating users.
support_url
(String) Support URL for authenticating users.
id
(String) The ID of this resource.

flags
Optional:
allow_legacy_delegation_grant_types
(Boolean) Whether the legacy delegation endpoint will be enabled for your account (true) or not available (false).
allow_legacy_ro_grant_types
(Boolean) Whether the legacy auth/ro endpoint (used with resource owner password and passwordless features) will be enabled for your account (true) or not available (false).
allow_legacy_tokeninfo_endpoint
(Boolean) If enabled, customers can use the Tokeninfo Endpoint; otherwise they cannot use it.
dashboard_insights_view
(Boolean) Enables new insights activity page view.
dashboard_log_streams_next
(Boolean) Enables beta access to log streaming changes.
disable_clickjack_protection_headers
(Boolean) Indicates whether classic Universal Login prompts include additional security headers to prevent clickjacking. When true, the headers are not sent.
disable_fields_map_fix
(Boolean) Disables SAML fields map fix for bad mappings with repeated attributes.
disable_management_api_sms_obfuscation
(Boolean) If true, SMS phone numbers will not be obfuscated in Management API GET calls.
enable_adfs_waad_email_verification
(Boolean) If enabled, users will be presented with an email verification prompt during their first login when using Azure AD or ADFS connections.
enable_apis_section
(Boolean) Indicates whether the APIs section is enabled for the tenant.
enable_client_connections
(Boolean) Indicates whether all current connections should be enabled when a new client is created.
enable_custom_domain_in_emails
(Boolean) Indicates whether the tenant allows custom domains in emails. Before enabling this flag, you must have a custom domain with status: ready.
enable_dynamic_client_registration
(Boolean) Indicates whether the tenant allows dynamic client registration.
enable_idtoken_api2
(Boolean) Whether ID tokens can be used to authorize some types of requests to API v2 (true) or not (false).
enable_legacy_logs_search_v2
(Boolean) Indicates whether to use the older v2 legacy logs search.
enable_legacy_profile
(Boolean) Whether ID tokens and the userinfo endpoint include a complete user profile (true) or only OpenID Connect claims (false).
enable_pipeline2
(Boolean) Indicates whether advanced API Authorization scenarios are enabled.
enable_public_signup_user_exists_error
(Boolean) Indicates whether the public sign up process shows a user_exists error if the user already exists.
mfa_show_factor_list_on_enrollment
(Boolean) Used to allow users to pick which factor to enroll with from the list of available MFA factors.
no_disclose_enterprise_connections
(Boolean) Do not publish enterprise connections information with IdP domains on the lock configuration file.
require_pushed_authorization_requests
(Boolean) Makes the use of Pushed Authorization Requests mandatory for all clients across the tenant. This feature currently needs to be enabled on the tenant in order to make use of it.
revoke_refresh_token_grant
(Boolean) Delete underlying grant when a refresh token is revoked via the Authentication API.
use_scope_descriptions_for_consent
(Boolean) Indicates whether to use scope descriptions for consent.

session_cookie
Optional:
mode
(String) Behavior of tenant session cookie. Accepts either "persistent" or "non-persistent".

sessions
Required:
oidc_logout_prompt_enabled
(Boolean) When active, users will be presented with a consent prompt to confirm the logout request if the request is not trustworthy. Turn off the consent prompt to bypass user confirmation.

Import is supported using the following syntax:
# As this is not a resource identifiable by an ID within the Auth0 Management API,
# tenant can be imported using a random string.
#
# We recommend [Version 4 UUID](https://www.uuidgenerator.net/version4)
#
# Example:
terraform import auth0_tenant.my_tenant "82f4f21b-017a-319d-92e7-2291c1ca36c4"
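
The security-relevant attributes documented on this page, set conservatively in a single resource. This is an added example, not taken from the provider documentation; the resource label `hardened`, the URLs, and the lifetime values are assumptions to adjust for your tenant.

```hcl
# Added example. The label "hardened", the URLs and the lifetimes are
# assumed values for illustration; every attribute name is from this page.
resource "auth0_tenant" "hardened" {
  friendly_name = "Tenant Name"
  support_email = "support@example.com"

  # HTTPS only; the page's example uses http:// for the first three.
  picture_url             = "https://example.com/logo.png"
  support_url             = "https://example.com/support"
  allowed_logout_urls     = ["https://example.com/logout"]
  default_redirection_uri = "https://example.com/login"

  # Hours. The page's example uses 8760 (one year) and sets no idle limit.
  session_lifetime      = 24
  idle_session_lifetime = 2

  flags {
    # Keep the anti-clickjacking headers on classic Universal Login prompts.
    disable_clickjack_protection_headers = false
    # Do not reveal at signup whether an account already exists.
    enable_public_signup_user_exists_error = false

    # Keep IdP domains out of the lock configuration file and keep phone
    # numbers obfuscated in Management API GET responses.
    no_disclose_enterprise_connections     = true
    disable_management_api_sms_obfuscation = false

    # Legacy endpoints and behaviors stay off.
    allow_legacy_delegation_grant_types = false
    allow_legacy_ro_grant_types         = false
    allow_legacy_tokeninfo_endpoint     = false
    enable_idtoken_api2                 = false
    enable_legacy_profile               = false

    # No dynamic client registration; revoking a refresh token also
    # deletes the underlying grant.
    enable_dynamic_client_registration = false
    revoke_refresh_token_grant         = true
  }

  session_cookie {
    mode = "non-persistent"
  }

  sessions {
    # Ask the user to confirm logout requests that are not trustworthy.
    oidc_logout_prompt_enabled = true
  }
}
```

Run `terraform plan` against the imported tenant before applying, so that each flag change appears as an explicit diff for review.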