The Management client provides access to Auth0’s Management API for managing your Auth0 tenant resources.
Initialization
client.New()
Creates a new Auth0 Management client with the specified domain and authentication options.
func New(domain string, options ...option.RequestOption) (*Management, error)
Your Auth0 tenant domain (e.g., "your-tenant.auth0.com" or "your-tenant.us.auth0.com").The domain can be provided with or without the https:// scheme - it will be normalized automatically.
Authentication and configuration options. At least one authentication option is required.
*Management client and an error if initialization fails.
Authentication Options
You must provide one of the following authentication options when creating a Management client.
WithClientCredentials
Authenticate using OAuth2 client credentials with a client ID and secret. The SDK automatically fetches and refreshes tokens.
mgmt, err := client.New(
"your-tenant.auth0.com",
option.WithClientCredentials(
context.Background(),
"YOUR_CLIENT_ID",
"YOUR_CLIENT_SECRET",
),
)
Context for the OAuth2 token exchange request.
The client ID of your M2M application.
The client secret of your M2M application.
WithClientCredentialsAndAudience
Authenticate using OAuth2 client credentials with a custom audience.
mgmt, err := client.New(
"your-tenant.auth0.com",
option.WithClientCredentialsAndAudience(
context.Background(),
"YOUR_CLIENT_ID",
"YOUR_CLIENT_SECRET",
"https://your-tenant.auth0.com/api/v2/",
),
)
Context for the OAuth2 token exchange request.
The client ID of your M2M application.
The client secret of your M2M application.
The API audience for the access token.
WithClientCredentialsPrivateKeyJwt
Authenticate using Private Key JWT authentication (client assertion).
mgmt, err := client.New(
"your-tenant.auth0.com",
option.WithClientCredentialsPrivateKeyJwt(
context.Background(),
"YOUR_CLIENT_ID",
privateKeyPEM,
"RS256",
),
)
Context for the OAuth2 token exchange request.
The client ID of your M2M application.
PEM-encoded private key for signing the JWT assertion.
The signing algorithm (e.g., "RS256", "RS384", "RS512").
WithClientCredentialsPrivateKeyJwtAndAudience
Authenticate using Private Key JWT with a custom audience.
mgmt, err := client.New(
"your-tenant.auth0.com",
option.WithClientCredentialsPrivateKeyJwtAndAudience(
context.Background(),
"YOUR_CLIENT_ID",
privateKeyPEM,
"RS256",
"https://your-tenant.auth0.com/api/v2/",
),
)
Context for the OAuth2 token exchange request.
The client ID of your M2M application.
PEM-encoded private key for signing the JWT assertion.
The signing algorithm (e.g., "RS256", "RS384", "RS512").
The API audience for the access token.
WithToken
Use a pre-acquired static access token.
mgmt, err := client.New(
"your-tenant.auth0.com",
option.WithToken("YOUR_ACCESS_TOKEN"),
)
A valid Management API access token.
If a TokenSource is also configured (via WithClientCredentials, WithClientCredentialsPrivateKeyJwt, or WithTokenSource), the TokenSource takes priority and this static token will be ignored.
WithTokenSource
Provide a custom oauth2.TokenSource for advanced token management.
import "golang.org/x/oauth2"
mgmt, err := client.New(
"your-tenant.auth0.com",
option.WithTokenSource(
oauth2.ReuseTokenSource(nil, myCustomTokenSource),
),
)
tokenSource
oauth2.TokenSource
required
A custom token source that implements the oauth2.TokenSource interface.
- Sharing cached tokens across multiple services
- Integrating with an external token provider
- Implementing custom refresh logic to reduce M2M token usage
The SDK calls TokenSource.Token() on every request. For token caching, wrap your source with oauth2.ReuseTokenSource.
Configuration Options
Additional options can be provided alongside authentication options to customize client behavior.
WithBaseURL
Override the default base URL for the Management API.
mgmt, err := client.New(
"your-tenant.auth0.com",
option.WithClientCredentials(ctx, clientID, clientSecret),
option.WithBaseURL("https://custom-api-gateway.com"),
)
Custom base URL for the Management API.
WithHTTPClient
Use a custom HTTP client with specific settings (timeouts, transport, etc.).
import (
"net/http"
"time"
)
customClient := &http.Client{
Timeout: 30 * time.Second,
}
mgmt, err := client.New(
"your-tenant.auth0.com",
option.WithClientCredentials(ctx, clientID, clientSecret),
option.WithHTTPClient(customClient),
)
A custom HTTP client implementing the core.HTTPClient interface.
WithMaxAttempts
Configure the maximum number of retry attempts for failed requests.
mgmt, err := client.New(
"your-tenant.auth0.com",
option.WithClientCredentials(ctx, clientID, clientSecret),
option.WithMaxAttempts(5),
)
Maximum number of retry attempts. Default is 3.
WithDebug
Enable debug logging of HTTP requests and responses.
mgmt, err := client.New(
"your-tenant.auth0.com",
option.WithClientCredentials(ctx, clientID, clientSecret),
option.WithDebug(true),
)
Set to true to enable debug logging.
WithUserAgent
Set a custom User-Agent header for requests.
mgmt, err := client.New(
"your-tenant.auth0.com",
option.WithClientCredentials(ctx, clientID, clientSecret),
option.WithUserAgent("MyApp/1.0"),
)
Custom User-Agent string.
WithCustomDomainHeader
Set the custom domain for specific Management API endpoints that support it.
mgmt, err := client.New(
"your-tenant.auth0.com",
option.WithClientCredentials(ctx, clientID, clientSecret),
option.WithCustomDomainHeader("login.example.com"),
)
Your custom domain. The custom domain header is only sent for whitelisted API endpoints.
WithAuth0ClientEnvEntry
Add extra environment keys to the Auth0-Client telemetry header.
mgmt, err := client.New(
"your-tenant.auth0.com",
option.WithClientCredentials(ctx, clientID, clientSecret),
option.WithAuth0ClientEnvEntry("terraform", "1.0"),
)
WithNoAuth0ClientInfo
Disable the Auth0-Client telemetry header.
mgmt, err := client.New(
"your-tenant.auth0.com",
option.WithClientCredentials(ctx, clientID, clientSecret),
option.WithNoAuth0ClientInfo(),
)
Complete Examples
Basic Client Credentials
package main
import (
"context"
"log"
"github.com/auth0/go-auth0/v2/management/client"
"github.com/auth0/go-auth0/v2/management/option"
)
func main() {
mgmt, err := client.New(
"your-tenant.auth0.com",
option.WithClientCredentials(
context.Background(),
"YOUR_CLIENT_ID",
"YOUR_CLIENT_SECRET",
),
)
if err != nil {
log.Fatalf("Failed to create management client: %v", err)
}
// Use the client
ctx := context.Background()
clients, err := mgmt.Clients.List(ctx, &management.ListClientsRequestParameters{})
if err != nil {
log.Fatalf("Failed to list clients: %v", err)
}
log.Printf("Found %d clients", len(clients.Results))
}
Private Key JWT Authentication
package main
import (
"context"
"log"
"os"
"github.com/auth0/go-auth0/v2/management/client"
"github.com/auth0/go-auth0/v2/management/option"
)
func main() {
// Read private key from file
privateKeyPEM, err := os.ReadFile("path/to/private-key.pem")
if err != nil {
log.Fatalf("Failed to read private key: %v", err)
}
mgmt, err := client.New(
"your-tenant.auth0.com",
option.WithClientCredentialsPrivateKeyJwt(
context.Background(),
"YOUR_CLIENT_ID",
string(privateKeyPEM),
"RS256",
),
)
if err != nil {
log.Fatalf("Failed to create management client: %v", err)
}
// Use the client
ctx := context.Background()
users, err := mgmt.Users.List(ctx, &management.ListUsersRequestParameters{})
if err != nil {
log.Fatalf("Failed to list users: %v", err)
}
log.Printf("Found %d users", len(users.Results))
}
Custom Token Source
package main
import (
"context"
"log"
"github.com/auth0/go-auth0/v2/management/client"
"github.com/auth0/go-auth0/v2/management/option"
"golang.org/x/oauth2"
)
type customTokenSource struct {
// Your custom token fetching logic
}
func (ts *customTokenSource) Token() (*oauth2.Token, error) {
// Fetch token from your custom source (cache, vault, etc.)
return &oauth2.Token{
AccessToken: "your-token",
TokenType: "Bearer",
}, nil
}
func main() {
// Create a reusable token source with caching
tokenSource := oauth2.ReuseTokenSource(nil, &customTokenSource{})
mgmt, err := client.New(
"your-tenant.auth0.com",
option.WithTokenSource(tokenSource),
)
if err != nil {
log.Fatalf("Failed to create management client: %v", err)
}
// Use the client
ctx := context.Background()
tenant, err := mgmt.Tenants.Get(ctx, &management.GetTenantSettingsRequestParameters{})
if err != nil {
log.Fatalf("Failed to get tenant: %v", err)
}
log.Printf("Tenant: %s", tenant.GetFriendlyName())
}
Advanced Configuration
package main
import (
"context"
"log"
"net/http"
"time"
"github.com/auth0/go-auth0/v2/management/client"
"github.com/auth0/go-auth0/v2/management/option"
)
func main() {
// Create custom HTTP client with timeouts
httpClient := &http.Client{
Timeout: 30 * time.Second,
Transport: &http.Transport{
MaxIdleConns: 100,
MaxIdleConnsPerHost: 10,
IdleConnTimeout: 90 * time.Second,
},
}
mgmt, err := client.New(
"your-tenant.auth0.com",
option.WithClientCredentials(
context.Background(),
"YOUR_CLIENT_ID",
"YOUR_CLIENT_SECRET",
),
option.WithHTTPClient(httpClient),
option.WithMaxAttempts(5),
option.WithDebug(true),
option.WithUserAgent("MyApp/2.0"),
option.WithCustomDomainHeader("login.example.com"),
)
if err != nil {
log.Fatalf("Failed to create management client: %v", err)
}
// Use the client
ctx := context.Background()
connections, err := mgmt.Connections.List(ctx, &management.ListConnectionsRequestParameters{})
if err != nil {
log.Fatalf("Failed to list connections: %v", err)
}
log.Printf("Found %d connections", len(connections.Results))
}
Important Notes
Authentication options (WithClientCredentials, WithClientCredentialsAndAudience, WithClientCredentialsPrivateKeyJwt, WithClientCredentialsPrivateKeyJwtAndAudience, and WithTokenSource) are mutually exclusive. If multiple are provided, the last one applied takes effect.
The Management client automatically handles token refresh for OAuth2 client credentials authentication. You don’t need to manually refresh tokens.
The default retry count is 3 attempts. You can customize this with WithMaxAttempts().
Next Steps