/
Contact usSee pricingStart building

    About B2B Saas Authentication

    Introduction
    Stytch B2B Basics
    Integration Approaches
      Full-stack overview
      Frontend (pre-built UI)
      Frontend (headless)
      Backend
    Next.js
      Routing
      Authentication
      Sessions
    Migrations
      Overview
      Reconciling data models
      Migrating user data
      Additional migration considerations
      Zero-downtime deployment
      Defining external IDs for members
      Exporting from Stytch
    Custom Domains
      Overview

    Authentication

    Single Sign On

    • Resources

        • Overview
        External SSO Connections
        Standalone SSO

    • Integration Guides

        • Start here
        Backend integration guide
        Headless integration guide
        Pre-built UI integration guide
    OAuth

    • Resources

        • Overview
        Authentication flows
        Identity providers
        Google One Tap
        Provider setup

    • Integration Guides

        • Start here
        Backend integration
        Headless frontend integration
        Pre-built UI frontend integration
    Connected AppsBeta
      Setting up Connected Apps
      Client types

    • Integration Guides

        • Integrate with AI agents
        Integrate with a remote MCP server

    • Resources

        • About Remote MCP Servers
        Consent Management
    Sessions

    • Resources

        • Overview
        JWTs vs Session Tokens
        How to use Stytch JWTs
        Custom Claims

    • Integration Guides

        • Start here
        Backend integration
        Frontend integration
    Email OTP
      Overview
    Magic Links

    • Resources

        • Overview
        Email Security Scanner Protections

    • Integration Guides

        • Start here
        Backend integration
        Headless frontend integration
        Pre-built UI frontend integration
    Multi-Factor Authentication

    • Resources

        • Overview

    • Integration Guides

        • Start here
        Backend integration
        Headless frontend integration
        Pre-built UI frontend integration
    Passwords
      Overview
      Strength policies
    UI components
      Overview
      Implement the Discovery flow
      Implement the Organization flow
    DFP Protected Auth
      Overview
      Setting up DFP Protected Auth
      Handling challenges
    M2M Authentication
      Authenticate an M2M Client
      Rotate client secrets
      Import M2M Clients from Auth0

    Authorization & Provisioning

    RBAC

    • Resources

        • Overview
        Stytch Resources & Roles
        Role assignment

    • Integration Guides

        • Start here
        Backend integration
        Headless frontend integration
    SCIM

    • Resources

        • Overview
        Supported actions

    • Integration Guides

        • Using Okta
        Using Microsoft Entra
    Organizations
      Managing org settings
      JIT Provisioning

    Testing

    E2E testing
    Sandbox values
Get support on SlackVisit our developer forum

Contact us

B2B Saas Authentication

/

Guides

/

Authentication

/

Connected Apps

/

Client types

Understanding Client Types in Stytch Connected Apps

Stytch's Connected Apps feature enables Stytch-powered Applications to act as the Identity Provider (IdP) for OAuth 2.0 clients—these might be internal tools, third-party integrations, or community-built apps. All clients fall into one of four categories, defined by two key properties:

  1. Ownership: Is the app first-party (owned by you) or third-party (built by an external developer)?
  2. Confidentiality: Is the app confidential (able to securely store a client secret) or public (unable to store secrets securely)?

Combining these yields four distinct client types: First-Party, First-Party Public, Third-Party, and Third-Party Public.

Note: Connected Apps always act on behalf of an end user and are constrained to a subset of that user's permissions.
For non-interactive machine identities that act independently of user sessions, refer to the M2M Product .

Use Case Overview

Use CaseRecommended Client Type
Secondary sites you own and want to share user data withFirst-Party
Native mobile apps or CLI tools developed by youFirst-Party Public
Third-party integrations that want to access user data (e.g. plugins)Third-Party
Third-party CLI tools, desktop apps, or dynamically registered clientsThird-Party Public

Ownership

First-Party Applications

These are trusted applications developed and managed by you, the owner of the Stytch project. First party applications are:

  • Often exempt from explicit consent screens, depending on your configuration and scopes.
  • Eligible for session exchange, enabling session sharing across websites and devices.

Third-Party Applications

These apps are built and maintained by external developers or companies.

  • End-user consent is required for all interactions.
  • Session exchange is not supported—access is scoped strictly to the OAuth tokens issued.

Confidentiality

Confidential Clients

Confidential clients are capable of storing secrets securely, typically traditional server-based applications. Confidential clients are:

  • Issued a client secret which can be used via client_secret_post or client_secret_basic authentication mechanisms. PKCE is recommended but not required.
  • Must adhere to strict HTTPS redirect URIs in production. Localhost or loopback redirects are not allowed.
  • Refresh tokens do not rotate; they remain valid until revoked or expired.

Public Clients

Public clients run in environments where secure storage is not possible, such as native or CLI apps. Public clients:

  • Are not issued a client secret and use the client_secret=none authentication strategy. Public clients must use PKCE for secure authorization code exchange.
  • May use more permissive redirect URIs, including loopback and custom schemes.
  • Refresh tokens rotate on use, and the platform detects replay attempts to guard against theft.

Use Case Overview

Ownership

First-Party Applications

Third-Party Applications

Confidentiality

Confidential Clients

Public Clients