> ## Documentation Index
> Fetch the complete documentation index at: https://help.dsalta.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Auth0

> How DSALTA integrates with Auth0 — data collected, setup guide, and automated compliance checks.

## Overview

DSALTA connects to Auth0 using read-only Management API access to collect compliance evidence automatically. DSALTA syncs your tenant users (email and blocked status) and applications, then runs access reviews. Data syncs every 24 hours and feeds into your Data Library modules.

<Info>
  **Read-only access.** DSALTA never modifies, creates, or deletes resources in your Auth0 tenant.
</Info>

## How to Connect

Auth0 connects directly with Management API credentials — there's no app to install. The recommended method uses a **Machine-to-Machine application**, which is durable: DSALTA mints a short-lived, read-only Management API token as needed. A free-tier Auth0 account works; no paid or enterprise plan is required.

**Before you begin**

* An Auth0 account (free tier works).
* A Machine-to-Machine application authorized for the Auth0 Management API with the **read:users** and **read:clients** scopes.

<Steps>
  <Step title="Create a Machine-to-Machine application">
    In the [Auth0 Dashboard](https://manage.auth0.com/#/applications), go to **Applications → Applications** and click **Create Application**. Choose **Machine to Machine Applications**, then select the **Auth0 Management API**. When prompted for permissions (scopes), enable **read:users** and **read:clients**, then click **Authorize**.
  </Step>

  <Step title="Copy the Domain, Client ID, and Client Secret">
    Open the new application's **Settings** tab and copy the **Domain** (for example `your-tenant.us.auth0.com`), the **Client ID**, and the **Client Secret**.
  </Step>

  <Step title="Connect Auth0">
    In the DSALTA sidebar, go to **Integrations**, find **Auth0**, and click **Connect**. Paste the Domain, Client ID, and Client Secret in the secure window and submit. DSALTA verifies the credentials before saving.
  </Step>

  <Step title="Finish">
    DSALTA runs an initial sync — usually a few minutes — after which the compliance checks below activate.
  </Step>
</Steps>

<Note>
  **Alternative: Management API token.** You can also connect with your Auth0 Domain and a **Management API access token** (from the Management API's **API Explorer** tab, with the **read:users** scope). This is quick to test, but the token expires — use the Machine-to-Machine application method for a lasting connection.
</Note>

## Automated Compliance Checks

Each check below runs automatically every 24 hours. Click any check for step-by-step remediation guidance.

| Check                                                                                                                | Description                                                                 |
| -------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------- |
| [User access to Critical System should be valid](/integrations/auth0/user-access-to-critical-system-should-be-valid) | Checks that every user with Auth0 access is an active, authorized employee. |
| [Offboarded users should not have active access](/integrations/auth0/offboarded-users-should-not-have-active-access) | Checks that offboarded employees no longer have active Auth0 access.        |

## Troubleshooting

<AccordionGroup>
  <Accordion title="Integration shows Disconnected">
    Re-authenticate from **Integrations → Auth0 → Reconnect**. If you connected with a Management API token, this usually happens because the token expired — reconnect with a fresh token, or switch to the Machine-to-Machine application method for a durable connection. If you connected with a Machine-to-Machine application, confirm the Client Secret has not been rotated and the application is still authorized for the Management API.
  </Accordion>

  <Accordion title="Data is not syncing">
    Confirm the connected application is authorized for the Auth0 Management API with the **read:users** and **read:clients** scopes, then trigger a manual sync from the integration settings.
  </Accordion>
</AccordionGroup>
