Token Vault
Token Vault simplifies how your applications access external APIs on a user's behalf. When you integrate with Token Vault, you gain a secure way to manage application access to a wide range of external providers’ APIs and their services, such as Google, GitHub, and Microsoft.
When a user authenticates with a supported external provider and authorizes access using OAuth scopes, Auth0 stores the external provider’s access and refresh tokens in the Token Vault. Token Vault organizes these tokens into tokensets, with one tokenset per authorized user connection.
To retrieve these stored credentials from Token Vault, your application must perform a secure token exchange. This token exchange enables your application to get the necessary tokens to call an external provider’s API, removing the need for you to build and maintain custom integrations with each provider.
Supported external providers
Token Vault supports the following external providers:
Google
Microsoft
Box
Slack
GitHub
OpenID Connect
Custom social connection
To see the full list of supported external providers, read Auth0 Integrations.
Use cases
Common Token Vault use cases include:
An AI agent running as a web application calls external APIs to perform tasks on the user’s behalf, such as scheduling a meeting in Google Calendar.
An internal or backend service can access Token Vault to exchange an Auth0 access token for an external provider’s access token to call external APIs.
How it works
When a user authenticates with a supported external provider and authorizes the connection:
Auth0 obtains access and refresh tokens using OAuth 2.0 scopes, with the user explicitly approving the requested permissions.
Auth0 securely stores the tokens in the Token Vault.
The application links user accounts with the user's consent. As a result, the user won’t have to create separate accounts for each external provider.
The application calls Auth0 to exchange a valid Auth0 token for an external provider’s access token. To learn more, read Supported token exchanges.
Using the external provider’s access token, your application can then call external APIs on the user's behalf.
Supported token exchanges
To call an external provider’s APIs, your application must exchange a valid Auth0 token for an external provider’s access token from Token Vault. The type of Auth0 token used for the exchange depends on your client type and use case.
Applications can access Token Vault using the following token exchanges:
Token exchange | Description | Client types |
---|---|---|
Refresh token exchange | Exchanges an Auth0 refresh token for an external provider’s access token. | Applications that need to maintain a user's session and access external APIs when the user isn't actively using the application, such as web, mobile, and native applications. |
Access token exchange | Exchanges an Auth0 access token for an external provider’s access token. | APIs or microservices that need to exchange access tokens they’ve received from other services or applications, such as a Single-Page Application (SPA). |
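An added example (not Auth0's own code) of the two exchanges in the table above: it builds the token endpoint request for either exchange, masks secrets before logging, and validates the reply. The grant type and token type URIs, the `connection` parameter and the `/oauth/token` path are taken from Auth0's token exchange documentation rather than this page and should be confirmed there; the function names, tenant domain and token values are hypothetical.

```python
import re
from urllib.parse import urlencode, parse_qsl

# Constants from Auth0's token exchange docs, not from this page (assumption):
# confirm against the "Configure ..." guides before use.
GRANT_TYPE = "urn:auth0:params:oauth:grant-type:token-exchange:federated-connection-access-token"
REQUESTED_TYPE = "http://auth0.com/oauth/token-type/federated-connection-access-token"
SUBJECT_TYPES = {
    "refresh": "urn:ietf:params:oauth:token-type:refresh_token",  # web, mobile, native apps
    "access": "urn:ietf:params:oauth:token-type:access_token",    # APIs and microservices
}
SECRET_FIELDS = {"client_secret", "subject_token"}

def build_exchange(domain, client_id, client_secret, exchange, subject_token, connection):
    """Return (url, form_body) for a Token Vault exchange. Nothing is sent."""
    if exchange not in SUBJECT_TYPES:
        raise ValueError(f"unknown exchange {exchange!r}")
    # Bare hostname only: no injected path, port or userinfo can redirect the token.
    if not re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", domain):
        raise ValueError("domain must be a bare hostname")
    form = {
        "grant_type": GRANT_TYPE,
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": subject_token,
        "subject_token_type": SUBJECT_TYPES[exchange],
        "requested_token_type": REQUESTED_TYPE,
        "connection": connection,
    }
    return f"https://{domain}/oauth/token", urlencode(form)

def redact(form_body):
    """Log-safe copy of a form body with secrets and tokens masked."""
    return urlencode([(k, "REDACTED" if k in SECRET_FIELDS else v)
                      for k, v in parse_qsl(form_body)])

def parse_response(payload, now):
    """Validate a token endpoint reply; return (provider_token, expires_at)."""
    if payload.get("issued_token_type") != REQUESTED_TYPE:
        raise ValueError("unexpected issued_token_type")
    token = payload.get("access_token")
    if not isinstance(token, str) or not token:
        raise ValueError("response carries no access_token")
    return token, now + int(payload.get("expires_in", 0))

if __name__ == "__main__":
    # Constructed values; the tenant, client and tokens are placeholders.
    url, body = build_exchange("tenant.example.com", "CID", "SECRET", "refresh", "RT", "google-oauth2")
    print(url, redact(body))
```

The external provider's access token returned by `parse_response` is as sensitive as the Auth0 token that was exchanged for it, so hold it in memory only until `expires_at` and keep it out of logs.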
Get started
To get started with Token Vault, read the following:
Read… | To learn… |
---|---|
Refresh Token Exchange with Token Vault | How an application uses the refresh token exchange with Token Vault to call external APIs. |
Access Token Exchange with Token Vault | How an application uses the access token exchange with Token Vault to call external APIs. |
Configure Token Vault | How to configure Token Vault for an application and supported external provider. |
Configure Refresh Token Exchange with Token Vault | How to configure your application to exchange an Auth0 refresh token for an external provider’s access token from Token Vault. |
Configure Access Token Exchange with Token Vault | How to configure your application to exchange an Auth0 access token for an external provider’s access token from Token Vault. |