メインコンテンツへスキップ
Connected Accounts for Token Vault enables applications to securely access external APIs on the user’s behalf through Token Vault. While standard user authentication handles user login through a social or enterprise identity provider, Connected Accounts links a user profile to external services like Google, GitHub, Slack, and more, facilitating delegated access to external APIs on the user’s behalf. Once a user successfully connects and authorizes access to a supported external provider, Auth0:
  • Associates the account with the user as a connected account.
  • Stores the external provider’s access and refresh tokens for the connected account in the Token Vault.
Connected Accounts for Token Vault creates and manages a unified Auth0 user profile linked to multiple external accounts, enabling seamless authorization. Your application then fetches the stored credentials in Token Vault to interact with external APIs on the user’s behalf.

User authentication vs Connected Accounts

When you configure Connected Accounts for a supported social or enterprise connection, Auth0 uses the Connected Accounts flow (/me/v1/connected-accounts endpoint) to retrieve and store access and refresh tokens in the Token Vault instead of using the social or enterprise login flow (/authorize endpoint). After successfully completing the Connected Accounts flow, Auth0 adds the user account to the connected_accounts array on the user profile. In contrast, for the social or enterprise login flow, Auth0 adds the user account to the identities array on the user profile. The following table explains the differences between the user authentication and Connected Accounts flows: You can enable user authentication, Connected Accounts, or both for supported social or enterprise connections. The following table explains the behavior for the different Purpose settings, including how to pass scopes to the connection:

How it works

The Connected Accounts flow uses the My Account API to create and manage connected accounts for a user across supported external providers. Before the user can initiate a Connected Accounts request from the client application, the client application needs to get an access token with the Connected Accounts scopes to access the My Account API. The following sequence diagram illustrates the end-to-end Connected Accounts flow:
When a user logs in via a supported external provider through Auth0, they initiate a Connected Accounts request from the client application:
  1. The client application makes a POST request to the My Account API’s /me/v1/connected-accounts/connect endpoint, passing scopes and other parameters to send to the external provider. To learn more, read Initiate Connected Accounts request.
  2. The My Account API creates a unique auth_session and connect_uri containing a ticket that redirects the user to a web browser. The client application saves the auth_session for later verification. If DPoP is configured, the My Account API validates the DPoP Proof JWT.
  3. The client application redirects the user to the connect_uri with the ticket as a query parameter for user authentication and authorization in the browser. The client application may also pass a code_challenge or code_challenge_method to the URL, as in the Authorization Code Flow with PKCE.
  4. The user connects and authorizes the permissions for the connection in the consent screen.
  5. After the user successfully authorizes the connection, the external provider redirects the user to the My Account API, which redirects the user to the client application using the redirect_uri with a single-use connect_code.
  6. The client application presents the connect_code, code_verifier (if applicable), and the original auth_session to the My Account API by making a POST request to the /me/v1/connected-accounts/complete endpoint. To learn more, read Complete Connected Accounts request.
  7. The My Account API validates the request by confirming:
    • The auth_session matches the ID originally issued for the user
    • The request is coming from the same device that initiated the Connected Accounts flow
    • The DPoP Proof JWT (if configured)
    • The single-use connect_code
    • The code_verifier (if using the PKCE flow)
  8. After successful validation, the Auth0 Authorization Server adds the account to the connected_accounts array on the user profile and stores the access and refresh tokens for the connected account in the Token Vault.
  9. My Account API completes the flow by sending a 200 status code back to the client application, indicating that the account was successfully connected.

Prerequisites

Before configuring Connected Accounts, make sure you:
  • Configure Token Vault for your client application to securely store the access and refresh tokens associated with each connected account in the Token Vault.
  • Configure the My Account API, which is used by authenticated users to connect and manage accounts.
  • Configure Multi-Resource Refresh Token (MRRT) to get an access token for the My Account API.
  • (Optional) Configure DPoP for the My Account API and your client application to sender constrain access tokens, preventing token theft. By default, the My Account API can accept DPoP-bound access tokens.

Configure My Account API

To use Connected Accounts, configure the My Account API in the Auth0 Dashboard:
  1. Navigate to Applications > APIs and activate the My Account API.
  2. Once activated, select Auth0 My Account API and then the Application Access tab.
  3. Find your client application and select Edit to configure its application access policies.
  4. Select User Access and under Authorization, select Authorized.
  5. For the permissions, select All the Connected Accounts scopes for the application.
  6. Select Save. This creates a client grant that allows your client application to access the My Account API with the Connected Accounts scopes on the user’s behalf.
  7. If you’re using Multi-Resource Refresh Token, navigate to the Settings tab. Under Access Settings, select Allow Skipping User Consent.

Configure Multi-Resource Refresh Token

Configure Multi-Resource Refresh Token (MRRT) to get a single long-lived refresh token that can be exchanged for new My Account API access tokens and other APIs without requiring the user to re-authenticate. You can configure MRRT with the Auth0 Dashboard or the Management API.
To configure MRRT with the Auth0 Dashboard:
  1. Navigate to Applications > Applications and select your application.
  2. Under Multi-Resource Refresh Token, select Edit Configuration.
  3. To enable MRRT with the My Account API, toggle on the My Account API.

Configure Connected Accounts

Before configuring Connected Accounts for a connection, make sure you’ve authorized the connection for your client application. In the Auth0 Dashboard:
  1. Navigate to Authentication > Social Connections or Enterprise Connections and select the connection.
  2. Select Applications and then toggle on the connection for your client application.
You can configure Connected Accounts with the Auth0 Dashboard or the Management API.
To configure Connected Accounts with the Auth0 Dashboard:
  1. Navigate to Authentication > Social Connections or Enterprise Connections.
  2. Select Create Connection or select an existing connection.
  3. In Purpose, toggle on Connected Accounts for Token Vault. Depending on your Purpose setting, you may need to enable offline_access in the Auth0 Dashboard, allowing the client application to obtain a refresh token from the external provider during the Connected Accounts flow. To learn more, read User authentication vs Connected Accounts.
  4. Click Save.

Get access token for Connected Accounts

Before initiating a Connected Accounts request, get an access token for the My Account API with the Connected Accounts scopes. The following sections explain how to use Multi-Resource Refresh Token (MRRT) to get an access token for the My Account API.

Fetch a refresh token

After configuring MRRT for the client application, initiate the authorization code flow and exchange the resulting authorization code for a refresh token. The following is an authorization code flow request for a confidential client that includes the offline_scope to return a refresh token and a single-use authorization code for the My Account API identifier https://{yourDomain}/me/:
Exchange the single-use authorization code for a refresh token at the /token endpoint:

Exchange refresh token for My Account API access token

Once you’ve obtained a refresh token, exchange it for a My Account API access token with the Connected Accounts scopes using the refresh token grant type:

Initiate Connected Accounts request

To initiate a Connected Accounts request, make a POST request to the My Account API’s /me/v1/connected-accounts/connect endpoint with the following parameters:
For a Google social connection, make sure you select offline_access in the Auth0 Dashboard when configuring your connection. This is required for your client application to fetch a refresh token from the Auth0 Authorization Server.
If successful, the My Account API returns a response like the following:
In the web browser, navigate to the connect_uri with the ticket as a query parameter. Authorize the list of scopes in the consent screen, then extract and save the connect_code in the URL fragment.

Complete Connected Accounts request

To complete a Connected Accounts request, make a POST request to the /me/v1/connected-accounts/complete endpoint with the following parameters:
If successful, the My Account API returns a response like the following:

Manage Connected Accounts

To manage a user’s connected accounts, use the /me/v1/connected-accounts collection. Before using the /connected-accounts collection, get an access token for Connected Accounts.

Query connected accounts connections

Make a GET request to the /me/v1/connected-accounts/connections endpoint to return a list of connections that are linked to the user profile:
If successful, the My Accounts API returns a response like the following:

Query connected accounts

Make a GET request to the /me/v1/connected-accounts/accounts endpoint to return a list of connected accounts linked to the user profile:
If successful, the My Accounts API returns a response like the following:
You can also use the Management API to return a list of connected accounts for a user profile by making a GET request to the /users/{userId}/connected-accounts endpoint:
If successful, the Management API returns a response like the following:

Query connected accounts for a given connection

Make a GET request to the /me/v1/connected-accounts/accounts endpoint and pass the connection name as a query parameter to return a list of connected accounts filtered by a given connection linked to a user profile:
If successful, the My Accounts API returns a response like the following, filtered for google-oauth2 connections:

Delete connected account

Make a DELETE request to the /me/v1/connected-accounts/accounts/{connectedAccountId} endpoint to delete a connected account for a given ID:
When you delete a connected account, Auth0 removes the external provider’s access and refresh tokens from the Token Vault. This does not automatically revoke the external provider’s tokens, and the refresh token could still be used to obtain new access tokens. You have to manually revoke the tokens for the external provider if they have been shared or copied elsewhere. If successful, the My Accounts API returns a response like the following: