Prerequisites
Before configuring CIBA for your application, make sure you complete the following prerequisites:- Integrate Guardian SDK into your application
- Enable Auth0 Guardian push notifications for your tenant
- Set an authentication method for your application
Integrate Guardian SDK into your application
To use the CIBA flow with push notifications, you need a mobile application that integrates the Guardian SDK. This allows the authorizing user to approve push notification challenges initiated by the CIBA flow. To learn how to install the Guardian SDK for your application, read Auth0 Guardian and the relevant sections for your mobile device platform.Enable Auth0 Guardian push notifications for your tenant
To submit a CIBA push notification, you must enable the Auth0 Guardian push notifications for your tenant. To approve a CIBA push notification challenge, the authorizing user must also be enrolled in the Auth0 Guardian push notification factor. To learn more, read User Authentication with CIBA. Use the to enable the Auth0 Guardian Push Notification factor for your tenant. In the Auth0 Dashboard:- Select Security>Multi-factor Auth.
- Enable Push Notification using Auth0 Guardian. This may require some configuration settings. To learn more, read Configure Push Notifications for MFA.

Set an authentication method for your application
You must set an authentication method other than None to use with the CIBA flow for your application. You can use the Auth0 Dashboard to set an authentication method for your application, including mTLS authentication, Private Key , and authentication. To set the authentication method for your application, read Credential Settings.Configure CIBA for your application
You can configure CIBA for your application with the Auth0 Dashboard or Management API. There are some restrictions on the types of clients that can use the CIBA grant type. You can only use the CIBA grant type if:- The client is a first-party client i.e. the is_first_partyproperty istrue.
- The client is confidential with an authentication mechanism, i.e. the token_endpoint_auth_methodproperty must not be set tonone.
- The client must be OIDC conformant i.e. the oidc_conformantmust betrue. This is the default for all new clients.
- Auth0 Dashboard
- Management API
To configure CIBA for your application with the Auth0 Dashboard:
- Navigate to Applications > Applications in the Auth0 Dashboard.
- Create an application and then enable Client Initiated Backchannel Authentication (CIBA) under the Grant Types tab:

- Click Save Changes.