Add Third-Party Applications documentation

[dlozlla]

Description

Adds documentation for Third-Party Applications EA R1, launching with the Auth for MCP GA announcement (April 30, 2026).

7 new pages:

• Third-Party Applications — Overview with get-started flow, use cases (partner integrations, AI agents/MCP, developer ecosystems, XAA)
• Security Considerations — OAuth 2.1 alignment, explicit API authorization, restricted client config, unsupported features, RT defaults, redirect protection, /authorize parameter validation
• Configure Third-Party Applications — Step-by-step: create app (Dashboard + API), configure default and per-app API permissions, promote connections, DCR
• Troubleshooting — 14 error scenarios with causes and solutions
• Permissive Mode — Backward compatibility for pre-existing customers, feature comparison, migration path
• User Consent — Moved to Applications level (covers both 1P and 3P consent). Added OAuth consent intro, replaced localhost box with app impersonation link, kept password-based flows
• First-Party and Third-Party Applications — Rewritten as strict-only conceptual bridge. Absorbs ownership pages. Promoted from Confidential/Public subgroup to top level

10 existing pages updated:

• docs.json — New Third-Party Applications group, 1P/3P promoted, Confidential/Public trimmed, User Consent at Applications level
• confidential-and-public-applications — Orthogonality callout, updated links
• application-access-to-apis-client-grants — New "Default permissions for third-party applications" section
• api-access-policies-for-applications — 1P vs 3P access policy table, default permissions via Dashboard
• application-grant-types — Third-party restrictions table
• dynamic-client-registration — "DCR and third-party applications" section
• application-settings — Restricted properties callout
• set-up-database-connections / update-application-connections — Domain-level connection callouts
• promote-connections-to-domain-level — Rewritten intro for 3P context

Placeholders for screenshots (5), code snippets (4) marked with [SCREENSHOT PLACEHOLDER] and [CODE PLACEHOLDER].

Redirects needed (not configured in this PR): old paths under confidential-and-public-applications/ for removed pages (enable-third-party-applications, view-application-ownership, update-application-ownership, old user-consent URL, old
first-party-and-third-party URL).

References

• JIRA: ROAD-7640 (EA Release 1 for Auth for MCP GA)
• Information Architecture spec: Confluence — Public Docs
• Release strategy: Confluence — Secure-By-Default Release Strategy
• Deprecation comms (separate deliverable): Confluence — Deprecation Communications
• Migration guide (separate deliverable): Confluence — Migration Guide

Testing

1. Run cd main && mintlify dev (requires Node.js v20)
2. Navigate to Get Started > Applications in Auth0
3. Verify navigation: Confidential/Public (trimmed), 1P/3P article (top-level), Third-Party Applications group (5 pages), User Consent (top-level)
4. Verify all internal links resolve (no 404s within the new/updated pages)
5. Review placeholder locations — search for [SCREENSHOT PLACEHOLDER] and [CODE PLACEHOLDER]

Checklist

• I've read and followed CONTRIBUTING.md.
• I've tested the site build for this change locally.
• I've made appropriate docs updates for any code or config changes.
• I've coordinated with the Product Docs and/or Docs Management team about non-trivial changes.

[CharlesRea]

Whilst we're here - this page is already very long; could we use separate tabs for the Configure API application access policy section above for Dashboard vs API? Currently I feel the 3P content gets lost at the bottom.

[CharlesRea]

In Grant Types section: Available grant types are based on the application type. -> Available grant types are based on the application type and application ownership.

[CharlesRea]

Application Properties section - consider if we should explain app ownership briefly and link out to relevant page (since we show app ownesrhip in this section in the dashboard)

[CharlesRea]

We are adding new configuration around redirection handling that will need to be added here

[CharlesRea]

We're missing closing tags for Tabs and Tab here (looks like this renders incorrectly currently)

[CharlesRea]

I think a better link is this one: /docs/get-started/applications/third-party-applications/configure-third-party-applications#configure-api-access-policies (the current linked page just links here in the end to explain how to configure).

But it seems we are somewhat duplicating the docs here bleow, with just the UI docs. Do we want to include the API docs below as well, or just link out to this page only?

(I think having it in both places is indeed useful, as this page is actually the first place I would expect to find this info)

[CharlesRea]

Correct syntax looks like this:

{% if application.callback_domain == '' %}https://YOUR_FALLBACK_DOMAIN{% endif %}{% if application.callback_domain != '' %}{{ application.callback_domain }}/result-page{% endif %}

[CharlesRea]

We won't error, we will just not return OIDC response:

Suggested change

	### `invalid_request` for OIDC scopes
	**Cause**: OIDC scopes (`openid`, `profile`, `email`) are not available for third-party applications in this release.
	**Solution**: Remove OIDC scopes from your authorization request and use API scopes only. OIDC support for third-party applications is planned for a future release.
	### No ID token returned from `/oauth/token` endpoin.
	**Cause**: OIDC is not available for third-party applications in this release. OIDC scopes (`openid`, `profile`, `email`) are not returned in access tokens
	**Solution**: Remove OIDC scopes from your authorization request and use API scopes only. OIDC support for third-party applications is planned for a future release.

[CharlesRea]

Correct syntax looks like this:

{% if application.callback_domain == '' %}https://YOUR_FALLBACK_DOMAIN{% endif %}{% if application.callback_domain != '' %}{{ application.callback_domain }}/result-page{% endif %}

[CharlesRea]

Password is not supported for permissive 3P apps

[semgrepcode-auth0]

Semgrep found 2 ssc-4759c514-b537-20ef-d52f-ebb0a5c388fa findings:

• universal-components/pnpm-lock.yaml
  • L2471 - Triage
  • L2474 - Triage

Risk: Affected versions of axios are vulnerable to Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') / Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') / Server-Side Request Forgery (SSRF). Axios can be used as a gadget for header injection: if another dependency enables prototype pollution, polluted properties can be merged into Axios request headers and written without CRLF sanitization, allowing request smuggling/SSRF that can reach internal services such as AWS IMDSv2 and potentially lead to credential theft or broader compromise.

Fix: Upgrade this library to at least version 1.15.0 at docs-v2/universal-components/pnpm-lock.yaml:2474.

Reference(s): GHSA-fvcv-3m26-pcqx, CVE-2026-40175

Semgrep found 2 ssc-5ea2c631-7cef-a4e0-e641-d179af079827 findings:

• universal-components/pnpm-lock.yaml
  • L2471 - Triage
  • L2474 - Triage

Risk: Affected versions of axios are vulnerable to Server-Side Request Forgery (SSRF) / Unintended Proxy or Intermediary ('Confused Deputy'). Axios does not normalize hostnames before applying NO_PROXY, so requests to loopback or internal hosts such as localhost. or [::1] can be sent through a configured proxy instead of bypassing it. If an attacker can influence request URLs, they may force local/internal Axios traffic through an attacker-controlled proxy, undermining SSRF protections and exposing sensitive responses.

Manual Review Advice: A vulnerability from this advisory is reachable if you have NO_PROXY configured in your environment

Fix: Upgrade this library to at least version 1.15.0 at docs-v2/universal-components/pnpm-lock.yaml:2474.

Reference(s): GHSA-3p68-rc4w-qgx5, CVE-2025-62718