Configure Token Vault
Once a user authenticates with a supported external provider and authorizes the connection, your application can access Token Vault to exchange an Auth0 token for an external provider’s access token.
To configure Token Vault, you need to:
Enable Token Vault for a supported social or enterprise connection.
Configure your application with the Token Vault grant type.
Configure the token exchange for your application.
Manage tokensets within the Token Vault for your connection.
Configure connection
Use the Auth0 Dashboard or Management API to configure a supported social or enterprise connection to retrieve and store access tokens for external APIs in the Token Vault.
Once you enable Token Vault for your connection, access and refresh tokens will no longer be stored in the user’s identities array. Instead, they will be stored in a secure tokenset within the Token Vault. To learn more, read Manage tokensets.
To enable Token Vault for a supported social or enterprise/custom connection:
Navigate to Authentication > Social Connections or Enterprise Connections.
Select Create Connection or select an existing connection.
In Permissions, select the desired scopes for your connection. You can filter by scope name or keywords. Whenever the user is redirected to authorize this connection, Auth0 always requests the scopes you selected. At runtime, this list is automatically completed with any additional scopes included in the connection_scope parameter of the authorization request.
In Advanced, toggle Enable Token Vault.
Select Save Changes.

To enable Token Vault for a supported social or enterprise connection, run the following bash script to set the active flag of federated_connections_access_tokens to true in the connection's options object:
# set your variables
export access_token="YOUR_MANAGEMENT_API_ACCESS_TOKEN"
export auth0_domain_url="https://{yourDomain}"
export connection_id="YOUR_CONNECTION_ID"
# abort on any failed command or unset variable, so a failed GET cannot turn into an empty PATCH body
set -euo pipefail
# fetch the connection's current options object (a PATCH replaces the whole options object, so it must be sent back complete),
# enable federated_connections_access_tokens inside it, and then patch the result onto the connection
BODY=$(curl --silent --fail --request GET \
  --header "Authorization: Bearer ${access_token}" \
  --url "${auth0_domain_url}/api/v2/connections/${connection_id}?fields=options" | \
  jq 'del(.id) | .options += {"federated_connections_access_tokens": {"active": true}}')
readonly BODY
curl --fail --request PATCH \
  --header "Authorization: Bearer ${access_token}" \
  --header 'content-type: application/json' \
  --url "${auth0_domain_url}/api/v2/connections/${connection_id}" \
  --data "${BODY}"
Configure application
Configure your application with the Token Vault grant type using the Auth0 Dashboard or Management API.
Only certain types of clients can use the Token Vault grant type:
The client must be a first-party client, i.e. the is_first_party property is true.
The client must be a confidential client with a valid authentication mechanism, i.e. the token_endpoint_auth_method property must not be set to none.
The client must be OIDC conformant, i.e. the oidc_conformant property must be true.
Navigate to Applications > Applications.
Select the application you want to configure.
Under Advanced Settings > Grant Types, select the Token Vault grant type.
Select Save Changes.

To enable Token Vault for an application, make a PATCH call to the Update a Client endpoint to add the urn:auth0:params:oauth:grant-type:token-exchange:federated-connection-access-token grant type to the client JSON object:
curl --location --request PATCH 'https://{yourDomain}/api/v2/clients/{clientId}' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <YOUR_MANAGEMENT_API_ACCESS_TOKEN>' \
--data '{
"grant_types": [
"authorization_code",
"refresh_token",
"urn:auth0:params:oauth:grant-type:token-exchange:federated-connection-access-token"
]
}'
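The three client requirements above can be checked before the PATCH is sent, and because a PATCH replaces the whole grant_types array, the existing grant types should be carried over rather than overwritten. This is an added example, not Auth0's own code: it works on the client JSON object as returned by the Management API (the sample client and its client_id are constructed) and produces the PATCH body.

```python
"""Pre-flight check and PATCH body for enabling the Token Vault grant type.

Added example, not Auth0's code. Input is the client object returned by
GET /api/v2/clients/{clientId}; SAMPLE_CLIENT below is constructed.
"""
import json

TOKEN_VAULT_GRANT = (
    "urn:auth0:params:oauth:grant-type:token-exchange:federated-connection-access-token"
)


def token_vault_eligibility_problems(client: dict) -> list[str]:
    """Return the reasons this client cannot use the Token Vault grant (empty list = eligible)."""
    problems = []
    if client.get("is_first_party") is not True:
        problems.append("is_first_party must be true (third-party clients are not eligible)")
    auth_method = client.get("token_endpoint_auth_method")
    if auth_method is None or auth_method == "none":
        problems.append("token_endpoint_auth_method must be set and not 'none' (client must be confidential)")
    if client.get("oidc_conformant") is not True:
        problems.append("oidc_conformant must be true")
    return problems


def build_grant_types_patch(client: dict) -> dict:
    """Body for PATCH /api/v2/clients/{clientId}. PATCH replaces the grant_types array,
    so the client's existing grant types are kept and the Token Vault grant is appended once."""
    grant_types = list(client.get("grant_types", []))
    if TOKEN_VAULT_GRANT not in grant_types:
        grant_types.append(TOKEN_VAULT_GRANT)
    return {"grant_types": grant_types}


def prepare_token_vault_enablement(client: dict) -> dict:
    """Refuse ineligible clients up front; otherwise return the PATCH body to send."""
    problems = token_vault_eligibility_problems(client)
    if problems:
        raise ValueError("client not eligible for Token Vault: " + "; ".join(problems))
    return build_grant_types_patch(client)


# Constructed sample client (hypothetical values, not a real tenant's data).
SAMPLE_CLIENT = {
    "client_id": "EXAMPLE_CLIENT_ID",
    "is_first_party": True,
    "token_endpoint_auth_method": "client_secret_post",
    "oidc_conformant": True,
    "grant_types": ["authorization_code", "refresh_token"],
}

if __name__ == "__main__":
    print(json.dumps(prepare_token_vault_enablement(SAMPLE_CLIENT), indent=2))
```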
Manage tokensets
For each user's authorized connection, like Google or Microsoft, Token Vault creates a secure container called a tokenset. A tokenset contains the access and refresh tokens needed to call that external provider's APIs on the user's behalf.
To manage tokensets for a user, use the Management API:
Get user’s tokensets
To get a user's tokensets, you need a Management API access token with the read:federated_connections_tokensets scope.
Make a GET request to the /federated-connections-tokensets endpoint:
curl --request GET \
--url 'https://{yourDomain}/api/v2/users/{userId}/federated-connections-tokensets' \
--header 'Authorization: Bearer <YOUR_MANAGEMENT_API_ACCESS_TOKEN>'
If successful, you should receive a list of tokensets for the user:
Status Code: 200
[{
  "id": "some-unique-tokenset-id1",
  "connection": "google-oauth2",
  "issued_at": 1733455897,
  "expires_at": 1733455897,
  "last_used_at": 1733453897,
  "scope": "https://www.googleapis.com/auth/calendar https://www.googleapis.com/auth/calendar.events"
},{
  "id": "some-unique-tokenset-id2",
  "connection": "google-oauth2",
  "issued_at": 1733455897,
  "expires_at": 1733455897,
  "last_used_at": 1733453897,
  "scope": "https://www.googleapis.com/auth/calendar https://www.googleapis.com/auth/calendar.events"
},{
  "id": "some-unique-tokenset-id3",
  "connection": "google-oauth2",
  "issued_at": 1733455897,
  "expires_at": 1733455897,
  "last_used_at": 1733453897,
  "scope": "Calendar.Read Calendar.Write"
}]
Note: The value for last_used_at is updated at most once per day.
Delete a tokenset
To delete a tokenset, you need a Management API access token with the update:federated_connections_tokensets scope.
Make a DELETE request to the /federated-connections-tokensets/{tokensetId} endpoint:
curl --request DELETE \
--url 'https://{yourDomain}/api/v2/users/{userId}/federated-connections-tokensets/{tokensetId}' \
--header 'Authorization: Bearer <YOUR_MANAGEMENT_API_ACCESS_TOKEN>'
If successful, you should receive the following response:
Status Code: 204 No Content
When you delete a tokenset, Auth0 removes the external provider’s access and refresh tokens from the Token Vault. This does not revoke the external provider’s tokens, and the refresh token could still be used to obtain new access tokens. You have to manually revoke the tokens for the external provider if they have been shared or copied elsewhere.
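A tokenset listing like the one above can be triaged before anything is deleted: tokensets whose expires_at has passed, and tokensets not used for longer than a retention window, are the usual deletion candidates. This is an added example, not Auth0's own code; it takes the list returned by the GET endpoint (the sample tokensets, timestamps, domain and user id below are constructed) and builds the matching DELETE URLs. Note that the user id must be URL-encoded, since ids such as auth0|... contain a pipe.

```python
"""Triage Token Vault tokensets and build DELETE URLs. Added example, not Auth0's code.

Input: the list returned by GET /api/v2/users/{userId}/federated-connections-tokensets.
Deleting a tokenset only removes Token Vault's copy; it does not revoke the
external provider's tokens, so that is a separate step if they may have leaked.
"""
from urllib.parse import quote

DAY = 86_400
NOW = 1_736_000_000  # constructed "current time" (Unix seconds) so the triage is deterministic

# Constructed sample in the documented response shape: one current, one expired, one unused for months.
SAMPLE_TOKENSETS = [
    {"id": "ts-current", "connection": "google-oauth2", "issued_at": NOW - 2 * DAY,
     "expires_at": NOW + 30 * DAY, "last_used_at": NOW - DAY, "scope": "openid"},
    {"id": "ts-expired", "connection": "google-oauth2", "issued_at": 1733455897,
     "expires_at": 1733455897, "last_used_at": 1733453897, "scope": "openid"},
    {"id": "ts-stale", "connection": "windowslive", "issued_at": NOW - 200 * DAY,
     "expires_at": NOW + 30 * DAY, "last_used_at": NOW - 120 * DAY, "scope": "Calendar.Read"},
]


def triage_tokensets(tokensets: list[dict], now: int, stale_after_days: int = 90) -> dict:
    """Split tokensets into expired, stale (unused beyond the window) and active.

    last_used_at is refreshed at most once per day, so a window shorter than a
    day would misclassify tokensets in active use; a minimum of one day is enforced.
    """
    stale_after = max(stale_after_days, 1) * DAY
    report = {"expired": [], "stale": [], "active": []}
    for ts in tokensets:
        if ts["expires_at"] <= now:
            report["expired"].append(ts)
        elif now - ts.get("last_used_at", ts["issued_at"]) > stale_after:
            report["stale"].append(ts)
        else:
            report["active"].append(ts)
    return report


def delete_url(domain: str, user_id: str, tokenset_id: str) -> str:
    """URL for DELETE /api/v2/users/{userId}/federated-connections-tokensets/{tokensetId}."""
    return (f"https://{domain}/api/v2/users/{quote(user_id, safe='')}"
            f"/federated-connections-tokensets/{quote(tokenset_id, safe='')}")


def deletion_candidates(report: dict, domain: str, user_id: str) -> list[str]:
    """DELETE URLs for every expired or stale tokenset in a triage report."""
    return [delete_url(domain, user_id, ts["id"]) for ts in report["expired"] + report["stale"]]


if __name__ == "__main__":
    for url in deletion_candidates(triage_tokensets(SAMPLE_TOKENSETS, NOW), "example.auth0.com", "auth0|abc123"):
        print("would DELETE", url)
```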