Multi-Resource Refresh Token
Multi-Resource Refresh Token support is currently available in Early Access. If you are interested in using this feature, please reach out to your Sales exec/Technical Account Manager or through the Auth0 Support Center.
To learn more about Auth0's product release cycle, review Product Release Stages.
Multi-Resource Refresh Tokens (MRRT) allows a single refresh token to receive access tokens for multiple APIs, each with their own scopes and permissions. MRRT builds on standard OAuth 2.0 behavior by allowing refresh tokens to maintain multiple authorization policies.
When an application exchanges a refresh token for an access token, it can select from a set of configured audience and scopes. By doing so, MRRT streamlines authentication flows by avoiding the need to get a new refresh token for each API. When using MRRT, Auth0 merges two sources of authorization to determine what access token to issue during a refresh token exchange:
The audience and scopes granted in the original authentication flow.
The audience and scopes configured in the application’s MRRT policy.
This allows applications to reuse the refresh token not only for APIs requested at login, but also for additional APIs allowed in the MRRT policy.
The key benefits of MRRT include:
A single refresh token, per application, to manage when controlling access to multiple APIs.
No need to go through a full authorization flow every time your application needs to access a new API.
Performance improvement and reduced load on the authorization server.
Decrease risk of rate limitation due to repeated full authorization code flows.
How it works
1. Application authenticates with Auth0.
2. Auth0 returns an access token and a multi-resource refresh token.
3. Application uses the access token to call API 1.
4. Application exchanges the multi-resource refresh token for access to API 2.
5. Auth0 returns a new access token scoped to API 2.
6. Application calls API 2 using the new access token.
For example, A native application authenticates the user and requests access to https://api.example.com audience. Then, the application needs access to the https://billing.example.com audience. If both APIs are included in the application’s MRRT policy, the application can exchange a refresh token for an access token for either API.
Learn how to Configure and Implement Multi-resource refresh token.
Limitations
Each access token issued through MRRT is scoped to a single API. If your application requires access to multiple APIs, you must request separate access tokens for each API.
MRRT supports only first-party applications.
MRRT supports APIs configured to allow skipping user consent.
The Auth0 Management API can not be included in the MRRT policies.