Applications with refresh tokens

In a typical scenario, a user interacts with a frontend application (e.g., a chatbot interface). This frontend communicates with a secure backend service, often a Backend for Frontend (BFF) or an agent, which is responsible for calling the external API. Such applications can use refresh tokens for long-lived sessions and use the same refresh tokens to securely call external APIs on the user’s behalf via Token Vault.
Token Vault using Refresh Tokens

By modeling your agent’s backend as a secure application, it can obtain the necessary tokens from Token Vault to interact with external APIs while maintaining the user’s context and permissions.

Applications without refresh tokens

In scenarios where refresh tokens cannot be used, such as single-page applications (SPAs) or headless agents and CLIs, you can still call external APIs on the user’s behalf via Token Vault using Auth0 access tokens. To do so, use the Auth0 Dashboard to configure the following:
  • An API in Auth0: You need to register an API in the Auth0 Dashboard with the appropriate settings.
  • A Custom API Client in Auth0: The Custom API Client allows your API server to perform token exchanges using access tokens instead of refresh tokens. This client enables Token Vault to exchange an access token for an external API access token (e.g., Google Calendar API).
Token Vault using Access Tokens

Check out this guide for an example.
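The two exchanges described above, one for a backend holding the user's refresh token and one for an API server that only has the Auth0 access token presented by an SPA or CLI, differ only in the subject token and the client credentials used. The following added example (not Auth0's SDK and not the guide linked above) shows both paths from the server side. The grant type, requested token type and `login_hint` parameter are assumptions recalled from Auth0's Token Vault reference and must be checked against the current documentation; the HTTP transport is injected, and the example runs offline against a constructed stand-in for Auth0.

```python
"""Server-side Token Vault exchange, shown for both subject-token flavours.

Added example; not Auth0's SDK. Parameter names and URNs are recalled from
Auth0's Token Vault documentation and must be verified against the current
reference. The transport is injected so the demo runs offline against a
constructed fake.
"""
from typing import Callable, Dict, Optional

# Standard RFC 8693 token-type identifiers for the token being exchanged.
REFRESH_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:refresh_token"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
# ASSUMED (recalled from Auth0 docs; verify): Token Vault grant and result type.
GRANT_TYPE = ("urn:auth0:params:oauth:grant-type:"
              "token-exchange:federated-connection-access-token")
REQUESTED_TOKEN_TYPE = ("http://auth0.com/oauth/token-type/"
                        "federated-connection-access-token")

# A transport posts a form body to a URL and returns the decoded JSON body.
Transport = Callable[[str, Dict[str, str]], Dict[str, object]]


def build_exchange_request(client_id: str, client_secret: str, subject_token: str,
                           subject_token_type: str, connection: str,
                           login_hint: Optional[str] = None) -> Dict[str, str]:
    """Form body for POST /oauth/token.

    With a BFF the subject token is the user's refresh token and the client
    credentials are the BFF's own. Without refresh tokens (SPA, CLI, headless
    agent) the subject token is the Auth0 access token presented to your API
    and the credentials belong to the Custom API Client registered for that API.
    """
    if subject_token_type not in (REFRESH_TOKEN_TYPE, ACCESS_TOKEN_TYPE):
        raise ValueError(f"unsupported subject_token_type: {subject_token_type}")
    if not subject_token:
        raise ValueError("subject_token must not be empty")
    form = {
        "grant_type": GRANT_TYPE,
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": subject_token,
        "subject_token_type": subject_token_type,
        "requested_token_type": REQUESTED_TOKEN_TYPE,
        "connection": connection,  # e.g. "google-oauth2"
    }
    if login_hint:
        # ASSUMED parameter: selects the linked account when the user has several.
        form["login_hint"] = login_hint
    return form


def exchange_for_external_token(domain: str, form: Dict[str, str],
                                transport: Transport) -> str:
    """Run the exchange and return only the external API access token.

    The caller (BFF or API server) uses that token to call the external API
    itself; it is never handed back to the browser or the CLI.
    """
    body = transport(f"https://{domain}/oauth/token", form)
    if "error" in body:
        raise RuntimeError(f"{body['error']}: {body.get('error_description', '')}")
    token = body.get("access_token")
    if not isinstance(token, str) or not token:
        raise RuntimeError("exchange response has no access_token")
    return token


def fake_token_vault(url: str, form: Dict[str, str]) -> Dict[str, object]:
    """Constructed stand-in for Auth0 so the example runs offline."""
    if not url.endswith("/oauth/token"):
        return {"error": "invalid_request", "error_description": "bad endpoint"}
    if form.get("grant_type") != GRANT_TYPE or not form.get("connection"):
        return {"error": "invalid_request", "error_description": "bad grant"}
    if form.get("subject_token") == "expired-token":
        return {"error": "invalid_grant", "error_description": "subject token expired"}
    kind = "rt" if form["subject_token_type"] == REFRESH_TOKEN_TYPE else "at"
    return {"access_token": f"constructed-{form['connection']}-token-via-{kind}",
            "issued_token_type": REQUESTED_TOKEN_TYPE,
            "token_type": "Bearer", "expires_in": 3600}


def bff_flow() -> str:
    """Backend-for-Frontend: exchange the stored refresh token (constructed value)."""
    form = build_exchange_request("bff-client-id", "bff-client-secret",
                                  "constructed-refresh-token", REFRESH_TOKEN_TYPE,
                                  "google-oauth2")
    return exchange_for_external_token("example.auth0.com", form, fake_token_vault)


def api_flow(bearer_from_spa: str) -> str:
    """API server behind an SPA or CLI: exchange the Auth0 access token it received."""
    form = build_exchange_request("custom-api-client-id", "custom-api-client-secret",
                                  bearer_from_spa, ACCESS_TOKEN_TYPE, "google-oauth2")
    return exchange_for_external_token("example.auth0.com", form, fake_token_vault)


if __name__ == "__main__":
    print(bff_flow())
    print(api_flow("constructed-auth0-access-token"))
```

Both flows keep the exchange, the client secret and the resulting external token on the server: the frontend only ever holds its own session or Auth0 access token, and an expired or revoked subject token surfaces as an `invalid_grant` error from the exchange rather than as a failed call to the external API.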

Get started

To begin using Auth0 Token Vault with your AI agents, refer to the following resources:

  • Quickstarts
  • Guides
  • Sample Apps

Learn more