Custom Token Exchange is currently available in Early Access for all Auth0 Enterprise and B2B Pro customers. By using this feature, you agree to the applicable Free Trial terms in Okta’s Master Subscription Agreement. To learn more about Auth0’s product release cycle, read Product Release Stages. To learn more about subscription types, review the Auth0 pricing page.
To add protection against token theft and similar risks, you can require Multi-factor Authentication for a Custom Token Exchange request using one of the following methods:

When MFA is required, the Auth0 Authorization Server rejects the initial Custom Token Exchange call to the /token endpoint with an mfa_required error. You can then handle that error with the Auth0 MFA API to challenge and verify a factor and obtain the requested Auth0 access, ID, and refresh tokens.
Custom Token Exchange Early Access does not support api.authentication.challengeWith() or api.authentication.enrollWith(). If your Post-Login Action calls either of those methods during a Custom Token Exchange transaction, the transaction fails with a non-recoverable error. If your Action branches on the subject_token_type value, make sure the branches that run when event.transaction.protocol is oauth2-token-exchange do not call those methods.
When a Custom Token Exchange transaction is associated with an Organization, api.multifactor.enable() and MFA policies are also not supported. To learn more about how to use the MFA grant, read Authenticate Using the Resource Owner Password Flow with MFA, as Custom Token Exchange follows the same model. You can also check out a detailed example in Use case: Perform MFA during Custom Token Exchange.
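The two halves of the flow above, as an added example that is not Auth0's own code: a Post-Login Action that enforces MFA on a token exchange with api.multifactor.enable() instead of the unsupported challengeWith()/enrollWith(), and a client-side helper that turns the mfa_required response into the MFA API requests. The field names event.transaction.subject_token_type and event.organization, and the subject token type "urn:acme:legacy-session", are assumptions for illustration.

```javascript
const TOKEN_EXCHANGE_PROTOCOL = "oauth2-token-exchange";
// Assumed: subject token types that must not be upgraded without a second factor.
const MFA_SUBJECT_TOKEN_TYPES = new Set(["urn:acme:legacy-session"]);

// Post-Login Action. In the Action editor this is assigned to exports.onExecutePostLogin.
function onExecutePostLogin(event, api) {
  if (!event.transaction || event.transaction.protocol !== TOKEN_EXCHANGE_PROTOCOL) {
    return; // ordinary logins may keep using challengeWith()/enrollWith()
  }
  if (event.organization) {
    // Organization-scoped exchanges: api.multifactor.enable() and MFA policies are
    // not supported, so the Action must not rely on them here.
    return;
  }
  if (MFA_SUBJECT_TOKEN_TYPES.has(event.transaction.subject_token_type)) {
    // Never call api.authentication.challengeWith()/enrollWith() on this path:
    // the exchange would fail with a non-recoverable error. enable("any") lets the
    // /token call fail with mfa_required and the MFA API pick the enrolled factor.
    api.multifactor.enable("any", { allowRememberBrowser: false });
  }
}

// Client side: interpret the /oauth/token response to the exchange request and
// return either the tokens or the /mfa/challenge body needed for the next step.
function nextStepForTokenResponse(body, clientId, clientSecret) {
  if (body.error === "mfa_required") {
    // mfa_token is the short-lived token that binds the MFA API calls to this transaction.
    return {
      step: "challenge",
      mfaToken: body.mfa_token,
      challengeRequest: {
        mfa_token: body.mfa_token,
        client_id: clientId,
        client_secret: clientSecret,
        challenge_type: "otp",
      },
    };
  }
  if (body.error) return { step: "error", error: body.error };
  return { step: "done", accessToken: body.access_token, refreshToken: body.refresh_token };
}

// After the user supplies the OTP, this /oauth/token body completes the exchange
// via the MFA OTP grant (the same grant the Resource Owner Password + MFA flow uses).
function buildMfaOtpTokenRequest(mfaToken, otp, clientId, clientSecret) {
  return {
    grant_type: "http://auth0.com/oauth/grant-type/mfa-otp",
    mfa_token: mfaToken,
    otp,
    client_id: clientId,
    client_secret: clientSecret,
  };
}
```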