> Understand third-party access tokens issued by identity providers after user authentication and how to use them to call the third-party APIs.

# Identity Provider Access Tokens

<Tooltip tip="Identity Provider (IdP): Service that stores and manages digital identities." cta="View Glossary" href="/docs/glossary?term=Identity+providers">Identity providers</Tooltip> issue third-party <Tooltip tip="Identity Provider (IdP): Service that stores and manages digital identities." cta="View Glossary" href="/docs/glossary?term=access+tokens">access tokens</Tooltip> after users authenticate with that provider. You can use these access tokens to call the API of the third-party provider that issued them. For example, you can use an access token issued after a user authenticates with Facebook to call the Facebook Graph API.

For individual users, the identity provider tokens are available in the `identities` array on the `user` object under the element for the particular connection. To securely access tokens for a specific user, you need an [access token for the Management API](/docs/secure/tokens/access-tokens/management-api-access-tokens) that includes the `read:user_idp_tokens` scope. Then, you can make an HTTP GET call to the [Get a User endpoint](https://auth0.com/docs/api/management/v2/#!/Users/get_users_by_id) to retrieve the tokens.

For admin users of Enterprise connections set up using an <Tooltip tip="OAuth 2.0: Authorization framework that defines authorization protocols and workflows." cta="View Glossary" href="/docs/glossary?term=OAuth+2.0">OAuth 2.0</Tooltip> consent flow, the identity provider tokens are available in the `connection` object. To securely access tokens for a connection, you need an [access token for the Management API](/docs/secure/tokens/access-tokens/management-api-access-tokens) that includes the `read:connections` scope. Then, you can make an HTTP GET call to the [Get a Connection endpoint](https://auth0.com/docs/api/management/v2/connections/get-connections-by-id) to retrieve the tokens.

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  The contents of third-party access tokens vary depending on the issuing identity provider. Because tokens are created and managed by a third party (such as Facebook or GitHub), the validity period for third-party tokens also varies by issuer. If you believe these tokens have been compromised, you must revoke or reset them with the third party that issued them.
</Callout>

## Renew third-party tokens

There is no standard way to renew identity provider access tokens through Auth0. The mechanism for renewing identity provider access tokens varies for each provider. For certain identity providers, Auth0 can store a [refresh token](/docs/secure/tokens/refresh-tokens), which you can use to obtain a new access token for the identity provider. Some of these identity providers are:

* BitBucket
* Google OAuth 2.0 (pass the parameter `access_type=offline`, as well as the `connection_scope` parameter with required scopes, when calling the Auth0 `/authorize` endpoint)
* Any other OAuth 2.0 identity provider
* SharePoint
* Azure AD

You can retrieve <Tooltip tip="Refresh Token: Token used to obtain a renewed Access Token without forcing users to log in again." cta="View Glossary" href="/docs/glossary?term=refresh+tokens">refresh tokens</Tooltip> in the same manner you retrieve access tokens. Review the guidelines above for more information.
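
The per-user retrieval described above, for both access tokens and refresh tokens, can be sketched as follows. This is an added example, not code from Auth0: the function names, the tenant domain, and the sample user object are constructed for illustration, and it assumes the identity element carries `connection`, `access_token`, and `refresh_token` fields.

```python
import json
import urllib.parse
import urllib.request

def build_get_user_request(domain, user_id, mgmt_token):
    """Build the GET /api/v2/users/{id} request without sending it."""
    # User IDs contain '|' (e.g. "google-oauth2|1234"); percent-encode the path segment.
    url = f"https://{domain}/api/v2/users/{urllib.parse.quote(user_id, safe='')}"
    return urllib.request.Request(
        url, headers={"Authorization": f"Bearer {mgmt_token}"}, method="GET")

def fetch_user(domain, user_id, mgmt_token):
    """Send the request and return the parsed user object (needs network access)."""
    req = build_get_user_request(domain, user_id, mgmt_token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def idp_tokens(user, connection):
    """Return the IdP tokens stored on the identity element for `connection`."""
    for identity in user.get("identities", []):
        if identity.get("connection") != connection:
            continue
        if "access_token" not in identity:
            # Assumption: the most likely cause is a Management API token
            # issued without the read:user_idp_tokens scope.
            raise PermissionError(
                f"no IdP access token on '{connection}'; check read:user_idp_tokens")
        # A refresh token is present only for providers where Auth0 stores one.
        return {"access_token": identity["access_token"],
                "refresh_token": identity.get("refresh_token")}
    raise LookupError(f"user has no identity for connection '{connection}'")

# Constructed sample of a Get a User response body (all values are placeholders).
SAMPLE_USER = {
    "user_id": "google-oauth2|1234",
    "identities": [
        {"provider": "google-oauth2", "connection": "google-oauth2",
         "user_id": "1234", "isSocial": True,
         "access_token": "CONSTRUCTED_IDP_ACCESS_TOKEN",
         "refresh_token": "CONSTRUCTED_IDP_REFRESH_TOKEN"},
        {"provider": "github", "connection": "github",
         "user_id": "99", "isSocial": True},
    ],
}

if __name__ == "__main__":
    # Print only which fields are present, never the token values themselves.
    tokens = idp_tokens(SAMPLE_USER, "google-oauth2")
    print({name: value is not None for name, value in tokens.items()})
```

Treat the returned values as secrets: keep them out of logs and error messages, and call `fetch_user` only from a backend that holds the Management API token.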

## Validate third-party tokens

In general, if you have received an access token from an identity provider, you don't need to validate it. You can pass it to the issuer, and the issuer takes care of the rest.

## Learn more

* [Management API Access Tokens](/docs/secure/tokens/access-tokens/management-api-access-tokens)
