Set Up Instructions

Auth0

Below you'll find instructions for connecting Auth0 to Ploy via a Machine-to-Machine (M2M) application. This imports users, roles, applications, and groups from your Auth0 tenant. Optionally, if you use the Auth0 Authorization Extension, Ploy can also import the group → role → application access graph.

Prerequisites

  • Auth0 admin access to your tenant.

  • (Optional) The Auth0 Authorization Extension installed — required only to import group → role → application access relationships. Without this, Ploy will still import users, roles, applications, and groups.

Set up the Auth0 integration

1. Create a Machine-to-Machine application in Auth0

  1. Navigate to Auth0 Dashboard → Applications → Applications.

  2. Click Create Application.

  3. Select Machine to Machine as the application type.

  4. When prompted, authorize it against the Auth0 Management API.

2. Grant Management API permissions

On your new M2M application, go to the APIs tab and configure the Auth0 Management API with exactly these read scopes:

Scope                Description
read:users           Read users and identities from the selected connections.
read:roles           Read roles defined in your tenant.
read:role_members    Read which users belong to each role.
read:clients         Read applications (clients) registered in Auth0.
read:connections     Read identity providers and connections.

3. (Optional) Enable the Authorization Extension API

This step is required only if you want to import group → role → application access relationships. Skip this section if you don't use the Authorization Extension.

  1. In Auth0 Dashboard, go to Extensions → Auth0 Authorization.

  2. Open the Extension, then click the tenant menu (top right) → API.

  3. Toggle API Access to ON.

This publishes an API named auth0-authorization-extension-api (identifier: urn:auth0-authz-api).

Then authorize your M2M application for it:

  1. Go to Auth0 Dashboard → Applications → your M2M application → APIs tab.

  2. Enable auth0-authorization-extension-api.

  3. Grant these read scopes: read:groups, read:roles, read:users (and read:permissions if listed).

4. Collect your credentials

From your M2M application's Settings tab, copy:

  • Domain — your canonical Auth0 tenant domain (e.g. your-tenant.us.auth0.com). Use this, not a custom login domain.

  • Client ID

  • Client Secret

5. Connect in Ploy

  1. Go to Ploy's Integrations page: https://app.joinploy.com/integrations

  2. Select Auth0.

  3. Paste your Domain, Client ID, and Client Secret.

  4. Select which Connections Ploy should import users from.

Select only workforce connections. Auth0 tenants often also hold your product's end-users (CIAM); selecting one of those connections imports every end-user as an identity in Ploy. Choose only the connections that contain employees.

  5. Click Test to verify the connection.

  6. Click Save to save the integration.

What gets imported

  • Members & identities — from the selected connections.

  • Roles, Applications, Groups.

  • Access edges — user → group, group → role, role → application. This lets you see which applications a person can reach.

Troubleshooting

"403 Forbidden" for a resource type

Your M2M application is missing the required Management API scope for that resource. For example, Applications require read:clients. Grant the missing scope in Auth0.

Note: A scope change only takes effect when a new access token is issued, and Ploy caches the token it obtained for its lifetime (up to ~24 hours). Grant all scopes before connecting in Ploy, or contact support to force a token refresh.

Groups or roles not appearing

If you expected groups or roles from the Authorization Extension:

  • Verify the Authorization Extension API is enabled (step 3: API Access toggled to ON in the extension).

  • Verify your M2M app is authorized for auth0-authorization-extension-api with its read scopes (step 3: the APIs tab of your M2M application).

Far too many users imported

You likely selected a non-workforce (end-user/CIAM) connection. Deselect that connection in Ploy and re-scan. Only select connections containing employees.

"Invalid domain" / nothing connects

Use the canonical *.auth0.com tenant domain, not a custom login domain. For example: your-tenant.us.auth0.com, not login.yourcompany.com.
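The following pre-flight script is an added example for this page, not code from Ploy or Auth0. It covers the checks behind steps 2 to 5 and the troubleshooting entries above: it rejects a non-canonical domain, obtains a client-credentials token for the Management API (and optionally the Authorization Extension API) using only the documented Auth0 endpoints (POST /oauth/token, GET /api/v2/connections), compares the token's `scope` claim against the scopes this page requires so that a missing grant is caught before the token gets cached, and lists connections labelled workforce or end-user. The strategy list used for that label is a heuristic assumed here, not an Auth0 rule, and the environment variable names are assumptions. `make_unsigned_jwt` exists only to build a constructed token for offline testing.

```python
"""Pre-flight check for the Auth0 M2M application before connecting it in Ploy.

Added example, not Ploy's or Auth0's own code. Only main() touches the network.
"""
import base64
import json
import os
import re
import urllib.request

# Management API scopes this page requires (step 2).
REQUIRED_MGMT_SCOPES = frozenset({
    "read:users", "read:roles", "read:role_members", "read:clients", "read:connections",
})
# Authorization Extension API (step 3, optional): audience identifier from the page.
AUTHZ_AUDIENCE = "urn:auth0-authz-api"
REQUIRED_AUTHZ_SCOPES = frozenset({"read:groups", "read:roles", "read:users"})

# Canonical tenant domain: tenant.auth0.com or tenant.<region>.auth0.com, no scheme.
CANONICAL_DOMAIN = re.compile(r"^[a-z0-9-]+(\.[a-z]{2})?\.auth0\.com$")

# Assumption (heuristic, not an Auth0 rule): these strategies usually back employee
# connections; database, social and passwordless strategies usually hold end-users.
WORKFORCE_STRATEGIES = frozenset(
    {"samlp", "okta", "waad", "google-apps", "ad", "adfs", "pingfederate", "oidc"})


def is_canonical_domain(domain: str) -> bool:
    """Reject custom login domains and values carrying a scheme or path."""
    return CANONICAL_DOMAIN.match(domain.strip().lower()) is not None


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_payload(token: str) -> dict:
    """Decode a JWT payload without verifying it: we only inspect a token we just obtained."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def make_unsigned_jwt(payload: dict) -> str:
    """Constructed alg=none token for offline tests only; never accept one as input."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(payload).encode())}."


def missing_scopes(token: str, required) -> set:
    """Required scopes absent from the token's space-separated `scope` claim."""
    granted = set(jwt_payload(token).get("scope", "").split())
    return set(required) - granted


def classify_connection(conn: dict) -> str:
    """Label a connection object from GET /api/v2/connections as workforce or end-user."""
    return "workforce" if conn.get("strategy") in WORKFORCE_STRATEGIES else "end-user"


def fetch_token(domain: str, client_id: str, client_secret: str, audience: str) -> str:
    body = json.dumps({"grant_type": "client_credentials", "client_id": client_id,
                       "client_secret": client_secret, "audience": audience}).encode()
    req = urllib.request.Request(f"https://{domain}/oauth/token", data=body,
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)["access_token"]


def list_connections(domain: str, token: str) -> list:
    req = urllib.request.Request(f"https://{domain}/api/v2/connections",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def main() -> int:
    # Assumed variable names; the values come from the M2M application's Settings tab.
    domain, cid, secret = (os.environ[k] for k in
                           ("AUTH0_DOMAIN", "AUTH0_CLIENT_ID", "AUTH0_CLIENT_SECRET"))
    if not is_canonical_domain(domain):
        print(f"{domain}: use the *.auth0.com tenant domain, not a custom login domain")
        return 1
    mgmt = fetch_token(domain, cid, secret, f"https://{domain}/api/v2/")
    if missing := missing_scopes(mgmt, REQUIRED_MGMT_SCOPES):
        print("Management API grant is missing:", " ".join(sorted(missing)))
        return 1
    if os.environ.get("CHECK_AUTHZ_EXTENSION"):
        authz = fetch_token(domain, cid, secret, AUTHZ_AUDIENCE)
        if missing := missing_scopes(authz, REQUIRED_AUTHZ_SCOPES):
            print("Authorization Extension grant is missing:", " ".join(sorted(missing)))
            return 1
    # Print connections so only workforce ones get selected when connecting in Ploy.
    for conn in list_connections(domain, mgmt):
        print(f"{classify_connection(conn):9} {conn['strategy']:14} {conn['name']}")
    return 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it with the three variables exported before saving the integration; a non-zero exit means a grant or domain problem that would otherwise surface as the "403 Forbidden" or "Invalid domain" cases above, and the connection listing is a starting point for the workforce-only selection in step 5, not a substitute for checking what each connection actually contains.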
