Configure Token Vault
Token Vault is currently available in Early Access. It is automatically available for your tenant.
Auth0 supports Token Vault for the following social and enterprise identity providers:
Google
Microsoft
Box
Slack
GitHub
OpenID Connect
Custom connection
Once a user authenticates with a supported external provider and authorizes the federated connection, you can get an access token to call third-party APIs on the user’s behalf. To learn more, read Call APIs with Token Vault.
To configure Token Vault, you need to:
Configure your application with the Token Exchange (Federated Connection) grant type.
Enable Token Vault for a federated connection.
Manage tokensets within the Token Vault for your federated connection.
Configure application
Configure your application with the Token Exchange (Federated Connection) grant type using the Auth0 Dashboard or Management API.
Only certain types of clients can use the Token Exchange (Federated Connection) grant type:
The client must be a first-party client, i.e. the
is_first_partyproperty istrue.The client must be a confidential client with a valid authentication mechanism, i.e. the
token_endpoint_auth_methodproperty must not be set tonone.The client must be OIDC conformant, i.e. the
oidc_conformantmust betrue.
Navigate to Applications > Applications.
Select the application you want to configure.
Under Advanced Settings > Grant Types, select the Token Exchange (Federated Connection) grant type.
Select Save Changes.
To enable Token Vault for an application, make a PATCH call to the Update a Client endpoint to add the urn:auth0:params:oauth:grant-type:token-exchange:federated-connection-access-token grant type to the client JSON object:
curl --location --request PATCH 'https://[YOUR TENANT].auth0.com/api/v2/clients/[CLIENT ID]' \ --header 'Content-Type: application/json' \ --header 'Authorization: Bearer [MANAGEMENT ACCESS TOKEN]' \ --data '{ "grant_types": [ "authorization_code", "refresh_token", "urn:auth0:params:oauth:grant-type:token-exchange:federated-connection-access-token" ] }'Was this helpful?
Configure federated connection
Use the Auth0 Dashboard or Management API to configure a federated connection to retrieve and store access tokens for third-party APIs in the Token Vault.
Once you enable Token Vault for your connection, access and refresh tokens will no longer be stored in the user’s identities array. Instead, they will be stored in a secure tokenset within the Token Vault. To learn more, read Manage tokensets.
To enable Token Vault for a supported social and enterprise/custom connection:
Navigate to Authentication > Social Connections or Enterprise Connections.
Select Create Connection or select an existing connection.
In Permissions, select the desired scopes for your connection. You can filter by scope name or keywords. Whenever the user is redirected to authorize this connection, Auth0 always requests the scopes you selected. At runtime, this list is automatically completed with any additional scopes included in the
connection_scopeparameter of the authorization request.In Advanced, toggle Enable Token Vault.
Select Save Changes.
To enable Token Vault for a supported social and enterprise connection, make a PATCH call to the Update a connection endpoint to add the federated_connections_access_tokens object to the connection:
curl -L -X PATCH 'https://login.auth0.com/api/v2/connections/:id' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
--d '{"options": {"federated_connections_access_tokens": {
"active": true}}}'Was this helpful?
Manage tokensets
The Auth0 Authorization Server securely stores the user's access and refresh token in the Token Vault, which maintains one tokenset per authorized connection.
To manage tokensets for a user, use the Management API:
Get user’s tokensets
To get a user's tokensets, you need a Management API access token with the read:federated_connections_tokensets scope.
Make a GET request to the /federated-connections-tokensets endpoint:
GET https://example.us.auth0.com/api/v2/users/{user_id}/federated-connections-tokensets
Authorization: Bearer <M2M_TOKEN_FOR_API_V2_WITH_READ:federated_connections_tokensets>Was this helpful?
If successful, you should receive a list of tokensets for the user:
Status Code: 200
[{
"connection": "google-oauth2",
"id": "some-unique-tokenset-id1",
"issued_at": 1733455897,
"expires_at": 1733455897,
"last_used_at": 1733453897,
"scope": "https://www.googleapis.com/auth/calendar https://www.googleapis.com/auth/calendar.events",
},{
"id": "some-unique-tokenset-id2",
"connection": "google-oauth2",
"issued_at": 1733455897,
"expires_at": 1733455897,
"last_used_at": 1733453897,
"scope": "https://www.googleapis.com/auth/calendar https://www.googleapis.com/auth/calendar.events",
},{
"connection": "google-oauth2",
"issued_at": 1733455897,
"id": "some-unique-tokenset-id3",
"expires_at": 1733455897,
"last_used_at": 1733453897,
"scope": "Calendar.Read Calendar.Write",
}]Was this helpful?
Note: The value for last_used_at is updated max once per day.
Delete a tokenset
To delete a tokenset, you need a Management API access token with the update:federated_connections_tokensets scope.
Make a DELETE request to the /tokensets endpoint:
DELETE https://example.auth0.com/api/v2/users/{user-id}/federated-connections-tokensets/{tokenset-id}
Authorization: Bearer <M2M_TOKEN_FOR_API_V2_WITH_UPDATE:federated_connections_tokensets>Was this helpful?
If successful, you should receive the following response:
Response: 204 No-ContentWas this helpful?