
Auth0 Tenant Comparator

UI v2.13.1

Compare two Auth0 tenants via the Management API. Drag saved profile tiles onto Tenant A or Tenant B; expand each card to edit credentials. Run Compare tenants for fresh scan results.

How to add an M2M application (Tenant Comparator)

Automated path (recommended): the Read Tenant Settings wizard below provisions or fixes the M2M app in your tenant, then Save Read Tenant Settings profile adds the credentials to your saved configuration list on the main page. Load that profile into Tenant A or Tenant B when you are ready to compare. When Tenant Admin Access has a valid Management domain and credentials, the wizard can use it (no pasted bearer token). Otherwise click Do it for me and paste a temporary token. The phased flow is the same as in the Configure Tenant Admin Access → Auth0 Admin Tools wizard. If you are not using Tenant Admin Access, enter a full Management Auth0 Domain on Tenant A or B first so planned URLs can resolve. The optional dashboard steps and copy-paste JSON are collapsed under Manual at the bottom; expand them only if you need them.

Read Tenant Settings

Read Tenant Settings — automated setup

Click Do it for me below to paste a temporary Management API bearer token (not stored by this wizard). Then use Check configuration — it runs the planned reads. If anything is missing or wrong, the action button switches to Create Read Tenant Settings Application or Update configuration (PATCH/POST). When everything matches, use Save Read Tenant Settings profile to add Read Tenant Settings credentials to your saved configuration list (then load into Tenant A or B). The client secret comes from Create Read Tenant Settings Application (POST response) or from Check configuration when your token has read:client_keys (GET /api/v2/clients/:id includes client_secret in the fields list).

To run Check configuration, provide a full Management hostname: save one under ⚙️ Tenant Admin Access, enter Auth0 Domain on this tenant card, or use a Management API token whose iss is a full hostname (e.g. https://tenant.us.auth0.com/).

Manual: Auth0 Dashboard & copy-paste API (optional)

Create a Machine to Machine application, authorize the Auth0 Management API with the scopes below, then use its Client ID and Client Secret here or under Tenant Admin Access. For client credentials, the audience is https://YOUR_TENANT.auth0.com/api/v2/ (use your tenant domain from the dashboard).

Auth0 Dashboard

  1. Open manage.auth0.com and sign in.
  2. Select the tenant you want (tenant switcher, upper left).
  3. In the left sidebar, open Applications → Applications.
  4. Click Create Application (or + Create Application) to open the create dialog.
  5. Enter name Read Tenant Settings, choose type Machine to Machine, then click Create.
  6. On Authorize Machine to Machine Application, select Auth0 Management API and continue to the scope list.
  7. Enable every scope in the list below, then click Authorize.
  8. Open the application → Settings. Under Application URIs, set Allowed Callback URLs to https://auth0-tools.idpify.com and save.

Auth0 Management API — scopes

For the M2M app, authorize Auth0 Management API with:

  • read:client_keys
  • read:client_grants
  • read:clients
  • read:connections
  • read:resource_servers
  • read:rules
  • read:hooks
  • read:actions
  • read:email_provider
  • read:tenant_settings
  • read:triggers
  • read:guardian_factors
  • read:custom_domains
  • read:email_templates
  • read:mfa_policies
  • read:roles
  • read:prompts
  • read:branding
  • read:log_streams
  • read:attack_protection
  • read:organizations
  • read:phone_providers
  • read:phone_templates
  • read:forms
  • read:flows
  • read:connection_profiles
  • read:group_roles

POST /api/v2/clients (copy-paste body)

Call POST https://YOUR_TENANT.auth0.com/api/v2/clients with a Management API access token that is allowed to create clients. Request body:

{
  "name": "Read Tenant Settings",
  "app_type": "non_interactive",
  "grant_types": [
    "client_credentials"
  ],
  "callbacks": [
    "https://auth0-tools.idpify.com"
  ]
}

POST /api/v2/client-grants (after the client exists)

The create-client call does not grant Management API permissions. Use the client_id from the create response and POST to https://YOUR_TENANT.auth0.com/api/v2/client-grants (token needs permission to create client grants). scope must be a JSON array of strings (not one space-separated string). If a grant already exists, use PATCH …/client-grants/{id} with the same scope shape. Body:

{
  "client_id": "YOUR_NEW_CLIENT_ID",
  "audience": "https://YOUR_TENANT.auth0.com/api/v2/",
  "scope": [
    "read:client_keys",
    "read:client_grants",
    "read:clients",
    "read:connections",
    "read:resource_servers",
    "read:rules",
    "read:hooks",
    "read:actions",
    "read:email_provider",
    "read:tenant_settings",
    "read:triggers",
    "read:guardian_factors",
    "read:custom_domains",
    "read:email_templates",
    "read:mfa_policies",
    "read:roles",
    "read:prompts",
    "read:branding",
    "read:log_streams",
    "read:attack_protection",
    "read:organizations",
    "read:phone_providers",
    "read:phone_templates",
    "read:forms",
    "read:flows",
    "read:connection_profiles",
    "read:group_roles"
  ]
}
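
The POST-or-PATCH decision described above for client grants, as an added example (not this tool's own code): it plans the call from a GET /api/v2/client-grants listing, always emits scope as a JSON array, and reports any scope outside the read-only list. The grant id cgr_EXAMPLE and the sample listing are constructed, and sending only scope in the PATCH body is an assumption.

```python
import json

# Scopes this page lists for the Read Tenant Settings M2M app.
REQUIRED = (
    "read:client_keys read:client_grants read:clients read:connections "
    "read:resource_servers read:rules read:hooks read:actions "
    "read:email_provider read:tenant_settings read:triggers "
    "read:guardian_factors read:custom_domains read:email_templates "
    "read:mfa_policies read:roles read:prompts read:branding "
    "read:log_streams read:attack_protection read:organizations "
    "read:phone_providers read:phone_templates read:forms read:flows "
    "read:connection_profiles read:group_roles"
).split()


def as_scope_list(scope):
    """Return scope as a list of strings; a space-separated string is split."""
    return scope.split() if isinstance(scope, str) else list(scope)


def plan_grant(client_id, audience, existing_grants):
    """Return (method, path, body, extra_scopes); method is None if nothing to do.

    existing_grants is the parsed JSON list from GET /api/v2/client-grants.
    """
    match = next((g for g in existing_grants
                  if g["client_id"] == client_id and g["audience"] == audience), None)
    if match is None:
        body = {"client_id": client_id, "audience": audience, "scope": list(REQUIRED)}
        return "POST", "/api/v2/client-grants", body, []
    have = set(as_scope_list(match.get("scope", [])))
    extra = sorted(have - set(REQUIRED))  # anything beyond the read-only list
    if have == set(REQUIRED):
        return None, None, None, []
    # Assumption: the PATCH body carries only the scope array.
    return "PATCH", f"/api/v2/client-grants/{match['id']}", {"scope": list(REQUIRED)}, extra


# Constructed sample data (not real tenant output).
AUDIENCE = "https://YOUR_TENANT.auth0.com/api/v2/"
SAMPLE_GRANTS = [{"id": "cgr_EXAMPLE", "client_id": "YOUR_NEW_CLIENT_ID",
                  "audience": AUDIENCE,
                  "scope": ["read:clients", "read:tenant_settings", "update:clients"]}]

if __name__ == "__main__":
    method, path, body, extra = plan_grant("YOUR_NEW_CLIENT_ID", AUDIENCE, SAMPLE_GRANTS)
    print(method, path, "unexpected scopes:", extra)
    print(json.dumps(body, indent=2))
```

With the sample listing, the plan is a PATCH that resets the grant to the 27 read scopes and flags update:clients as outside the list.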

Compare tenant configuration


Saved profiles store domain and credentials only. Drag a tile onto Tenant A or Tenant B to load it, or use the edit icon to rename. Run Compare tenants for fresh Management API data.

No saved profiles yet. Expand Tenant A or B, enter credentials, and click Save as profile, or use Save Read Tenant Settings profile above.

Tenant A


Adds credentials to the tiles above. Drag a tile onto this card to load a saved profile.

Uses Domain + M2M or bearer above for this tenant.

Tenant B


Adds credentials to the tiles above. Drag a tile onto this card to load a saved profile.

Uses Domain + M2M or bearer above for this tenant.