Privileged Worker Token Exchange with Token Vault is currently in Beta. To learn more about Auth0’s product release cycle, read Product Release Stages. To participate in this program, contact Auth0 Support or your Technical Account Manager.
Prerequisites
Only certain types of clients can use the Privileged Worker Token Exchange with Token Vault:- The client must be a first-party client, i.e. the
is_first_party propertyistrue. - The client must be a confidential client with a valid authentication mechanism, i.e. the
token_endpoint_auth_methodproperty must not be set tonone. - The client must be OIDC conformant, i.e. the
oidc_conformantmust betrue.
- Enable the Token Vault grant type for your client application.
- Configure Private Key JWT or mutual TLS authentication for your client application.
Configure client application
To configure the client application’s privileged access to Token Vault, you need to provide a public key that will be used to verify a signed JWT as the subject token.- Auth0 Dashboard
- Management API
- Navigate to Applications > Applications and select your application.
- Select the Settings tab, scroll to the Privileged Worker section, and toggle on Enable Privileged Worker. In the modal, select an existing public key credential or upload a new one, then select Save.
- Once the credential is saved, enter at least one IP address or CIDR range in the IP Allowlist field.
- Select Save Changes.

Configuring an
ip_allowlist is required as part of the client configuration. Any Privileged Worker token exchange request from an IP not in the list will be rejected.Create signed JWT subject token
After configuring your client application with the public key, you need to create the subject token that will be exchanged for an access token for an external API. The subject token is a JSON Web Token (JWT) with the necessary claims. It is signed with the private key. The JWT has a standard format and claims: Header| Claim | Description |
|---|---|
typ | Required. Must be token-vault-req+jwt. |
kid | Optional. Only needed if you have multiple public keys configured. |
| Claim | Description |
|---|---|
sub | Required. The user ID for whom you want to get the token. |
aud | Required. Your tenant host. |
iss | Required. Your client ID making the request. |
iat | Required. Issued-at timestamp. |
exp | Optional. Expiration timestamp. Tokens older than 60 seconds are rejected regardless. |
jti | Required. A unique identifier for this JWT (UUID v4 recommended) for replay protection. |
audit_context | Required. A human-readable string (1–256 characters) describing the business reason for this privileged access. |
Do not include personally identifiable information (PII) in
audit_context. This value is recorded in tenant logs and may be visible to administrators and log streaming destinations.Request token for external API
Once you have the signed JWT, you can make a request for the access token for the external API:| Parameter | Description |
|---|---|
grant_type | The grant type. For Token Vault, set to urn:auth0:params:oauth:grant-type:token-exchange:federated-connection-access-token |
client_id | Client application ID |
client_secret | Client secret. Note: For Privileged Worker Token Exchange, we recommend using Private Key JWT or mTLS authentication. |
subject_token_type | Type of subject token. For Privileged Worker Token Exchange, set to JWT: urn:ietf:params:oauth:token-type:jwt |
subject_token | The signed JWT bearer token that the Auth0 Authorization Server validates to identify the user. |
requested_token_type | The requested token type. For Privileged Worker Token Exchange, you can request an access or refresh token. |
connection | The connection name, in this case, google-oauth2. |