For example, a sales assistant AI agent might need to:
  • Read a user’s calendar to schedule a meeting.
  • Access a user’s documents to summarize them.
  • Connect to a CRM like Salesforce to retrieve customer information.
You can securely access external APIs on the user’s behalf using Auth0’s Token Vault. Once an AI agent has authenticated a user with a supported external provider, the user is prompted to authorize the connection and connect their external account. With the user’s consent, the AI agent can initiate a Connect Account flow, linking the user profile to external services like Google, GitHub, Slack, and more. Once the external account has been successfully connected, the AI agent can fetch the stored credentials in Token Vault to access external APIs on the user’s behalf. For example, the user can provide consent for your AI agent to access their Google Calendar to view their schedule or set up meetings, or their Salesforce account to retrieve customer information.

What is Connected Accounts for Token Vault

Connected Accounts for Token Vault creates and manages a unified Auth0 user profile linked to multiple external accounts, enabling seamless authorization. Your application then fetches the stored credentials in Token Vault to interact with external APIs on the user’s behalf. Once a user successfully connects and authorizes access to a supported external provider, Auth0:
  • Associates the account with the user as a connected account.
  • Stores the external provider’s access and refresh tokens for the connected account in the Token Vault.
The AI Agent then fetches the stored credentials in Token Vault to interact with external APIs on the user’s behalf.

What is Token Vault

Auth0’s Token Vault is a secure service for storing and managing tokens for external services. Your AI agents can use the access tokens from Token Vault to call external APIs on behalf of your users. This capability is essential for building trustworthy AI agents that can securely interact with services from external providers, such as Google, Microsoft, Salesforce, or any other API provider that uses OAuth 2.0. Token Vault is built on top of OAuth 2.0 Token Exchange (RFC 8693) and supports social and enterprise connections to other Identity Providers (IdPs). There is no need to manage refresh tokens or build custom integrations per provider because Auth0 handles it all for you. You gain access to a wide range of external providers’ APIs and services, all through a single Auth0 integration.

Why Is Calling APIs with Token Vault Important for AI agents

Hardcoding API keys or asking users to constantly re-authenticate with these external services is insecure and provides a poor user experience. Token Vault solves this by providing a secure mechanism to store and use the user’s credentials (in the form of tokens) for these services. By using Token Vault, you can:
  • Securely store and manage tokens: Offload the complexity and risk of storing sensitive user credentials.
  • Maintain user context: Enable agents to act on behalf of a specific user, ensuring that the agent only has the permissions that the user has granted.
  • Provide a seamless user experience: Avoid repeatedly prompting users for authentication with external services.
  • Enhance security: Prevent the exposure of tokens to the frontend or to the end-user.

How it works

The process of using Token Vault involves the following key steps:
  1. User authentication and consent: The AI agent triggers the Connected Accounts flow, which redirects the user to authenticate with an external Identity Provider (e.g., Google). The user then grants your application permission to access their data by approving the requested OAuth scopes. Upon completion, the external account is added to the user profile.
  2. Secure token storage: Auth0 receives access and refresh tokens from the external provider and stores them securely within Token Vault.
  3. Token exchange: Your application can then exchange a valid Auth0 refresh token or access token for an external provider’s access token from Token Vault. This allows your application to obtain the necessary credentials to call external APIs without the user having to re-authenticate. It also means your application does not need to store or manage any credentials.
  4. API call: With the external provider’s access token, your AI agent can make authorized calls to the external API on the user’s behalf.
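
Steps 3 and 4 as a server-side sketch. This is an added example, not code from Auth0's documentation or SDKs. The function names, the grant and token-type URNs, the `connection` parameter and the `scope` and `expires_in` response fields are assumptions that do not appear on this page; check them against your tenant's Token Vault documentation.

```python
import time
from urllib.parse import urlencode

# Assumed values (not stated on this page): Auth0's Token Vault grant type and
# token-type identifiers for the RFC 8693-style exchange.
GRANT = "urn:auth0:params:oauth:grant-type:token-exchange:federated-connection-access-token"
SUBJECT_TYPE = "urn:ietf:params:oauth:token-type:refresh_token"
REQUESTED_TYPE = "http://auth0.com/oauth/token-type/federated-connection-access-token"


def build_exchange_request(domain, client_id, client_secret, auth0_refresh_token, connection):
    """Return (url, headers, body) for step 3. Build and send this on the backend only."""
    body = urlencode({
        "grant_type": GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": auth0_refresh_token,   # the user's Auth0 refresh token
        "subject_token_type": SUBJECT_TYPE,
        "requested_token_type": REQUESTED_TYPE,
        "connection": connection,               # e.g. the connected Google account
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return f"https://{domain}/oauth/token", headers, body


def parse_exchange_response(status, payload, required_scopes, now=None):
    """Validate the token endpoint reply and return a record kept server-side."""
    if status != 200 or "access_token" not in payload:
        # Report the OAuth error code only; never copy token material into logs.
        raise PermissionError(payload.get("error", "token_exchange_failed"))
    granted = set(payload.get("scope", "").split())
    missing = set(required_scopes) - granted    # fail closed if scope is absent
    if missing:
        raise PermissionError("missing scopes: " + " ".join(sorted(missing)))
    now = time.time() if now is None else now
    return {"access_token": payload["access_token"],
            "expires_at": now + int(payload.get("expires_in", 0)),
            "scopes": granted}


def authorization_header(record, now=None, skew=30):
    """Header for step 4; refuses a token that is expired or about to expire."""
    now = time.time() if now is None else now
    if record["expires_at"] - skew <= now:
        raise PermissionError("external token expired; repeat the exchange")
    return {"Authorization": "Bearer " + record["access_token"]}
```

The scope check runs before the agent acts, so a user who granted read-only access cannot have a write attempted on their behalf, and the external token never needs to leave the backend process.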

Supported integrations

Token Vault supports a variety of social and enterprise identity providers, including:


Using Token Vault

To begin using Token Vault to call external APIs on behalf of your users, you will need to:

By leveraging Auth0’s Token Vault, you can build powerful and trustworthy AI agents that securely and seamlessly integrate with the broader ecosystem of APIs and services.

Get started

To begin using Auth0 Token Vault with your AI agents, refer to the following resources:

Quickstarts

Guides

Sample Apps
