> ## Documentation Index
> Fetch the complete documentation index at: https://docs-staging-quickstart-revamp.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

> Learn how to configure Client-Initiated Backchannel Authentication for your tenant.

# Configure Client-Initiated Backchannel Authentication

Learn how to configure Client-Initiated Backchannel Authentication (CIBA) for your application. To learn more, read [Client-Initiated Backchannel Authentication Flow](/docs/get-started/authentication-and-authorization-flow/client-initiated-backchannel-authentication-flow).

## Prerequisites

Before configuring CIBA for your application, make sure you complete the following prerequisites:

* [Integrate Guardian SDK into your application](#integrate-guardian-sdk-into-your-application)
* [Enable Auth0 Guardian push notifications for your tenant](#enable-auth0-guardian-push-notifications-for-your-tenant)
* [Set an authentication method for your application](#set-an-authentication-method-for-your-application)

### Integrate Guardian SDK into your application

To use the CIBA flow with push notifications, you need a mobile application that integrates the Guardian SDK. This allows the authorizing user to approve push notification challenges initiated by the CIBA flow.

To learn how to install the Guardian SDK for your application, read [Auth0 Guardian](/docs/secure/multi-factor-authentication/auth0-guardian#guardian-sdks) and the relevant sections for your mobile device platform.

### Enable Auth0 Guardian push notifications for your tenant

To submit a CIBA push notification, you must enable the [Auth0 Guardian push notifications](/docs/secure/multi-factor-authentication/auth0-guardian#enroll-in-push-notifications) for your tenant. To approve a CIBA push notification challenge, the authorizing user must also be enrolled in the Auth0 Guardian push notification factor. To learn more, read [User Authentication with CIBA](/docs/get-started/authentication-and-authorization-flow/client-initiated-backchannel-authentication-flow/user-authentication-with-ciba).

Use the <Tooltip tip="Auth0 Dashboard: Auth0's main product to configure your services." cta="View Glossary" href="/docs/glossary?term=Auth0+Dashboard">Auth0 Dashboard</Tooltip> to enable the Auth0 Guardian Push Notification factor for your tenant.

In the Auth0 Dashboard:

1. Select **Security>Multi-factor Auth.**

2. Enable **Push Notification using Auth0 Guardian**. This may require some <Tooltip tip="Multi-factor authentication (MFA): User authentication process that uses a factor in addition to username and password such as a code via SMS." cta="View Glossary" href="/docs/glossary?term=MFA">MFA</Tooltip> configuration settings. To learn more, read [Configure Push Notifications for MFA](/docs/secure/multi-factor-authentication/multi-factor-authentication-factors/configure-push-notifications-for-mfa).

<Frame>
  <img src="https://mintcdn.com/docs-staging-quickstart-revamp/KCEsvkqT5-VRQ297/images/cdy7uua7fh8z/7JKyznvsjTupJpTU7NwdSA/54b04e5b734226e1ee73c4165048b4f6/image2.png?fit=max&auto=format&n=KCEsvkqT5-VRQ297&q=85&s=667fc015f386a1b1b46d6948873b03d4" alt="" width="979" height="138" data-path="images/cdy7uua7fh8z/7JKyznvsjTupJpTU7NwdSA/54b04e5b734226e1ee73c4165048b4f6/image2.png" />
</Frame>

### Set an authentication method for your application

You must set an [authentication method](/docs/secure/application-credentials#application-authentication-methods) other than **None** to use with the CIBA flow for your application. You can use the Auth0 Dashboard to set an authentication method for your application, including mTLS authentication, Private Key <Tooltip tip="JSON Web Token (JWT): Standard ID Token format (and often Access Token format) used to represent claims securely between two parties." cta="View Glossary" href="/docs/glossary?term=JWT">JWT</Tooltip>, and <Tooltip tip="JSON Web Token (JWT): Standard ID Token format (and often Access Token format) used to represent claims securely between two parties." cta="View Glossary" href="/docs/glossary?term=Client+Secret">Client Secret</Tooltip> authentication.

To set the authentication method for your application, read [Credential Settings](/docs/get-started/applications/credentials).

## Configure CIBA for your application

You can configure CIBA for your application with the [Auth0 Dashboard](https://manage.auth0.com/) or [Management API](https://auth0.com/docs/api/management/v2).

There are some restrictions on the types of clients that can use the CIBA grant type. You can only use the CIBA grant type if:

* The client is a first-party client i.e. the `is_first_party` property is `true`.
* The client is confidential with an authentication mechanism, i.e. the `token_endpoint_auth_method` property must not be set to `none`.
* The client must be OIDC conformant i.e. the `oidc_conformant` must be `true`. This is the default for all new clients.

<Tabs>
  <Tab title="Auth0 Dashboard">
    To configure CIBA for your application with the Auth0 Dashboard:

    1. Navigate to **Applications > Applications** in the Auth0 Dashboard.
    2. Create an application and then enable **Client Initiated Backchannel Authentication (CIBA)** under the **Grant Types** tab:

    <Frame>
      <img src="https://mintcdn.com/docs-staging-quickstart-revamp/A1o6LcInzX_m5Dvq/images/cdy7uua7fh8z/54TD5VRQVAOWxBdnFEpvTT/223866f22f6c3ddfa87e48221d69ba58/CIBA_grant_-_English.png?fit=max&auto=format&n=A1o6LcInzX_m5Dvq&q=85&s=5fa42bd286e9e42992cc32a10e0f8f7a" alt="" width="1192" height="550" data-path="images/cdy7uua7fh8z/54TD5VRQVAOWxBdnFEpvTT/223866f22f6c3ddfa87e48221d69ba58/CIBA_grant_-_English.png" />
    </Frame>

    3. Click **Save Changes**.
  </Tab>

  <Tab title="Management API">
    To configure CIBA for your application using the Management API, use the [Update a Client](https://auth0.com/docs/api/management/v2/clients/patch-clients-by-id) endpoint to add the `urn:openid:params:grant-type:ciba` grant type to the list of grant types on the client object:

    ```bash lines
    curl --location --request PATCH 'https://[YOUR TENANT].auth0.com/api/v2/clients/[CLIENT ID]' \
    --header 'Content-Type: application/json' \
    --header 'Authorization: Bearer [MANAGEMENT ACCESS TOKEN]' \
    --data '{
        "grant_types": [
            "authorization_code",
            "refresh_token",
            "urn:openid:params:grant-type:ciba"
        ]
    }'
    ```

    You can also use our Go Management API SDK library. To learn more, read [SDKs](/docs/libraries):

    ```go lines
    myClient := &Client{
    		Name:        auth0.Stringf("CIBA-enabled-client"),
    		Description: auth0.String("This is a CIBA enabled client."),
    		GrantTypes:  &[]string{"urn:openid:params:grant-type:ciba"},
    	}

    	err := api.Client.Create(context.Background(), myClient)
    ```
  </Tab>
</Tabs>
