Token Vault simplifies how your applications access external APIs on a user’s behalf. When you integrate with Token Vault, you gain a secure way to manage application access to a wide range of external services and their APIs, such as Google, GitHub, and Microsoft.

When a user connects with a supported external provider and authorizes access using scopes, Auth0 automatically adds that connected account to the user profile. A connected account enables applications to access external APIs using a unified Auth0 user profile. To learn more, read Connected Accounts for Token Vault.

Auth0 stores the access and refresh tokens for each connected account in the Token Vault. To retrieve these stored credentials from Token Vault, your application performs a secure token exchange. This token exchange enables your application to get the necessary tokens to call an external API, removing the need for you to build and maintain custom integrations with each provider.
Supported external providers
Token Vault supports popular external providers, including:
Social
- Microsoft
- Box
- Slack
- GitHub
- Custom social connection
Enterprise
- Google Workspace
- Microsoft Azure AD (Entra ID)
- Connect
Common use cases
Common Token Vault use cases include:
- An AI agent running as a web application calls external APIs to perform tasks on the user’s behalf, such as scheduling a meeting in Google Calendar.
- An internal or backend service can access Token Vault to exchange an Auth0 access token for an external provider’s access token to call external APIs.
How it works
When a user connects with a supported external provider and authorizes the connection:
- Auth0 obtains access and refresh tokens using OAuth 2.0 scopes, with the user explicitly approving the requested permissions.
- Auth0 securely stores the tokens for each connected account in the Token Vault. Because each connected account is linked to the user profile, the application can access external APIs and services without requiring the user to re-authorize the connection.
- The application calls Auth0 to exchange a user’s valid Auth0 token for an external provider’s access token, issued to that user. To learn more, read Supported token exchanges.
- Using the external provider’s access token, your application can then call external APIs on the user’s behalf.
Supported token exchanges
To call an external provider’s APIs, your application must exchange a valid Auth0 token for an external provider’s access token from Token Vault. The type of Auth0 token used for the exchange depends on your client application type and use case. Applications can access Token Vault using the following token exchanges:

| Token exchange | Description | Client application type |
|---|---|---|
| Refresh token exchange | Exchanges an Auth0 refresh token for an external provider’s access token. | Applications that need to maintain a user’s session and access external APIs when the user isn’t actively using the application, such as web, mobile, and native applications. |
| Access token exchange | Exchanges an Auth0 access token for an external provider’s access token. | APIs or microservices that need to exchange access tokens they’ve received from other services or applications, such as a Single-Page Application (SPA). |
| Privileged worker token exchange | Exchanges a signed JWT bearer token for an external provider’s access or refresh token. | Backend applications or service workers in service-to-service (M2M) flows. |
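
The refresh and access token exchanges from the table above, sketched as an added example that is not Auth0's own code: it builds the `/oauth/token` request, masks credentials before anything is logged, and reads the response. The grant type, token-type URNs, field names, sample connection names and the `send` helper are assumptions that do not appear on this page; check them against the Refresh Token Exchange and Access Token Exchange pages.

```python
import time

# Assumed values: none of these strings appear on this page. Check them against
# the Refresh Token Exchange and Access Token Exchange pages before use.
GRANT_TYPE = ("urn:auth0:params:oauth:grant-type:token-exchange:"
              "federated-connection-access-token")
REQUESTED_TOKEN_TYPE = ("http://auth0.com/oauth/token-type/"
                        "federated-connection-access-token")
SUBJECT_TOKEN_TYPES = {
    "refresh": "urn:ietf:params:oauth:token-type:refresh_token",
    "access": "urn:ietf:params:oauth:token-type:access_token",
}
SENSITIVE = {"client_secret", "subject_token", "access_token"}


def build_exchange(domain, client_id, client_secret, kind, subject_token, connection):
    """Return (url, body) for a Token Vault exchange. Nothing is sent here."""
    if kind not in SUBJECT_TOKEN_TYPES:
        raise ValueError(f"unsupported exchange kind: {kind!r}")
    if not subject_token or not connection:
        raise ValueError("subject_token and connection are required")
    body = {
        "grant_type": GRANT_TYPE,
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token_type": SUBJECT_TOKEN_TYPES[kind],
        "subject_token": subject_token,
        "requested_token_type": REQUESTED_TOKEN_TYPE,
        "connection": connection,  # e.g. "google-oauth2" (sample value)
    }
    return f"https://{domain}/oauth/token", body


def redact(fields):
    """Copy of a request or response that is safe to write to logs."""
    return {k: "<redacted>" if k in SENSITIVE else v for k, v in fields.items()}


def exchange(send, url, body, now=time.time):
    """Run the exchange through `send` (hypothetical HTTPS POST helper that
    returns the parsed JSON response); return (external_token, expires_at)."""
    resp = send(url, body)
    if "access_token" not in resp:
        # Surface only the OAuth error code, never the request contents.
        raise RuntimeError(f"token exchange failed: {resp.get('error', 'unknown')}")
    return resp["access_token"], now() + int(resp.get("expires_in", 0))
```

Run the exchange on the server side only, and keep the returned external token in memory until `expires_at` rather than writing it to disk or logs.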
Get started
To get started with Token Vault, read the following:

| Read… | To learn… |
|---|---|
| Connected Accounts for Token Vault | How to configure and use Connected Accounts for Token Vault. |
| Refresh Token Exchange with Token Vault | How an application uses the refresh token exchange with Token Vault to call external APIs. |
| Access Token Exchange with Token Vault | How an application uses the access token exchange with Token Vault to call external APIs. |
| Privileged Worker Token Exchange with Token Vault | How an application uses the privileged worker token exchange with Token Vault to call external APIs. |
| Configure Token Vault | How to configure the Token Vault, including the token exchange. |