Token Vault is currently available in Early Access for public cloud tenants. By using this feature, you agree to the applicable Free Trial terms in Okta’s Master Subscription Agreement. To learn more about Auth0’s product release cycle, read Product Release Stages. To participate in this program, contact Auth0 Support or your Technical Account Manager.
Supported external providers
Token Vault supports the following external providers:

Social
- Microsoft
- Box
- Slack
- GitHub
- Custom social connection
Enterprise
- Google Workspace
- Microsoft Azure AD
- Connect
Use cases
Common Token Vault use cases include:

- An AI agent running as a web application calls external APIs to perform tasks on the user’s behalf, such as scheduling a meeting in Google Calendar.
- An internal or backend service can use Token Vault to exchange an Auth0 access token for an external provider’s access token to call external APIs.
How it works
When a user authenticates with a supported external provider and authorizes the connection:

- Auth0 obtains access and refresh tokens using OAuth 2.0 scopes, with the user explicitly approving the requested permissions.
- Auth0 securely stores the tokens in the Token Vault.
- The application links user accounts with the user’s consent. As a result, the user won’t have to create separate accounts for each external provider.
- The application calls Auth0 to exchange a valid Auth0 token for an external provider’s access token. To learn more, read Supported token exchanges.
- Using the external provider’s access token, your application can then call external APIs on the user’s behalf.
Supported token exchanges
To call an external provider’s APIs, your application must exchange a valid Auth0 token for an external provider’s access token from Token Vault. The type of Auth0 token used for the exchange depends on your client type and use case. Applications can access Token Vault using the following token exchanges:

Token exchange | Description | Client types |
---|---|---|
Refresh token exchange | Exchanges an Auth0 refresh token for an external provider’s access token. | Applications that need to maintain a user’s session and access external APIs when the user isn’t actively using the application, such as web, mobile, and native applications. |
Access token exchange | Exchanges an Auth0 access token for an external provider’s access token. | APIs or microservices that need to exchange access tokens they’ve received from other services or applications, such as a Single-Page Application (SPA). |
Get started
To get started with Token Vault, read the following:

Read… | To learn… |
---|---|
Refresh Token Exchange with Token Vault | How an application uses the refresh token exchange with Token Vault to call external APIs. |
Access Token Exchange with Token Vault | How an application uses the access token exchange with Token Vault to call external APIs. |
Configure Token Vault | How to configure Token Vault for an application and supported external provider. |
Configure Refresh Token Exchange with Token Vault | How to configure your application to exchange an Auth0 refresh token for an external provider’s access token from Token Vault. |
Configure Access Token Exchange with Token Vault | How to configure your application to exchange an Auth0 access token for an external provider’s access token from Token Vault. |