Tokens used by Auth0


This document is designed to clarify and disambiguate the numerous types of tokens referenced in Auth0 documentation, what each is used for and how to use it.

Auth0 uses two types of tokens:

  • JSON Web Tokens (JWT): These are tokens that conform to the JSON Web Token standard and contain information about an identity in the form of claims. They are self-contained in that the recipient does not need to call a server to validate the token; it can check the signature and claims locally.
  • Opaque tokens: Opaque tokens are tokens in a proprietary format that typically contain an identifier referring to information held in the issuing server's persistent storage. To validate an opaque token, the recipient has to call the server that issued it.

There are six primary tokens used in Auth0's token-based authentication scenarios and referenced in Auth0 documentation:

ID Token

The ID token, usually referred to as id_token in code samples, is a JSON Web Token (JWT) that contains user profile attributes represented in the form of claims. The id_token is consumed by the client and used to get user information like the user's name, email, and so forth, typically used for UI display.

For more information refer to ID Token.

Access Token

The Access Token, commonly referred to as access_token, is a credential that can be used by a client to access an API. Auth0 uses access tokens to protect access to the Auth0 Management API.

For more information refer to: Access Token.

Identity Provider Access Tokens

When a user authenticates via Auth0 with another social provider's authentication service, such as Facebook or LinkedIn, the social provider will return an access token that can be used by the client program to call that social provider's API.

More information

Auth0 refresh_token

The refresh token is a long-lived token that is used to obtain a new id_token after a previous one has expired. This is useful for applications running on mobile devices that call remote APIs and do not want to require the user to log in every time they open the app.

More information

Delegation Tokens

An Auth0 id_token can be exchanged for another token, called a Delegation Token, that can be used to call either other application APIs registered as clients in the same Auth0 tenant or APIs represented by some types of application Addons registered in the same Auth0 tenant.

More information

Auth0 Management APIv2 Token

The Auth0 Management APIv2 token is used to call v2 of the Auth0 Management API. This allows a specific tenant in Auth0 to call Auth0 APIv2. This APIv2 token is a JWT that contains scope claims, such as read:users or update:clients, and is signed with a client API key and secret for the entire tenant.
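The two properties mentioned on this page that matter most to an API receiving a token are that a JWT is self-contained (the recipient validates it locally, as described in the JWT/opaque distinction above) and that the Management APIv2 token carries its permissions as space-separated scope claims. The following is an added example, not Auth0's own code or SDK, of what that local validation looks like for an HS256-signed JWT: it checks the structure, the algorithm, the HMAC signature in constant time, the audience, the expiry, and the required scope, and rejects tokens that fail any of them. The tenant URL, the signing secret, the clock value and all sample tokens are constructed placeholders; use your tenant's real issuer, audience and signing configuration in practice.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for the example; a real client secret is issued by the
# tenant and must never be hard-coded into an application.
SECRET = b"example-client-secret-not-a-real-one"
ISSUER = "https://example-tenant.auth0.com/"          # placeholder tenant
AUDIENCE = "https://example-tenant.auth0.com/api/v2/"  # placeholder API identifier
NOW = 1_700_000_000  # fixed clock so the sample results are reproducible


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode; re-adds the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _json_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Build an HS256-signed JWT. Used here only to construct sample tokens."""
    signing_input = _json_segment({"alg": "HS256", "typ": "JWT"}) + "." + _json_segment(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256_jwt(token: str, secret: bytes, audience: str,
                     required_scope: str, now: Optional[int] = None) -> Optional[dict]:
    """
    Validate a JWT locally, without calling the issuing server:
      1. structure  - exactly three dot-separated segments that decode to JSON objects
      2. algorithm  - header alg must be HS256; anything else is rejected
      3. signature  - HMAC-SHA256 over header.payload, compared in constant time
      4. audience   - the aud claim must name this API
      5. expiry     - exp must be an integer still in the future
      6. scope      - the space-separated scope claim must contain required_scope
    Returns the claims on success, None on any failure.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    if claims.get("aud") != audience:
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    if required_scope not in claims.get("scope", "").split():
        return None
    return claims


def sample_tokens() -> dict:
    """Constructed tokens covering the accept case and the common reject cases."""
    base = {"iss": ISSUER, "aud": AUDIENCE, "iat": NOW - 60, "exp": NOW + 3600,
            "scope": "read:users update:clients"}
    valid = make_hs256_jwt(base, SECRET)
    expired = make_hs256_jwt({**base, "exp": NOW - 1}, SECRET)
    wrong_key = make_hs256_jwt(base, b"some-other-secret")
    # Payload edited after signing (extra scope spliced in): signature check must fail.
    header_b64, _, sig_b64 = valid.split(".")
    tampered = ".".join([header_b64, _json_segment({**base, "scope": base["scope"] + " delete:users"}), sig_b64])
    # Unsigned token claiming alg=none: must be rejected by the algorithm check.
    none_alg = _json_segment({"alg": "none", "typ": "JWT"}) + "." + _json_segment(base) + "."
    return {"valid": valid, "expired": expired, "wrong_key": wrong_key,
            "tampered": tampered, "none_alg": none_alg}


if __name__ == "__main__":
    for name, tok in sample_tokens().items():
        result = verify_hs256_jwt(tok, SECRET, AUDIENCE, "read:users", now=NOW)
        print(f"{name:10s} -> {'accepted' if result else 'rejected'}")
```

The point of the example is the order and completeness of the checks: signature before any claim is trusted, the algorithm pinned rather than read from the token, and scope evaluated as a set of space-separated entries so that a token holding read:users does not satisfy a request that needs update:clients. In a deployed service the same checks are normally done by a maintained JWT library configured with the tenant's signing key, but the checks it must perform are exactly these.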

More information

Additional Reading and References

Authenticating a user

Getting User Profile info from Auth0

Getting User Profile info from other providers

Some basic user profile information from third party providers is made available in the Auth0 user profile object.

Calling the Auth0 Management APIv2

The Auth0 Management APIv2 can be called from a web application (not a Single Page Application) by embedding the application's client id and client secret in the calls to the Auth0 Management APIv2 endpoints; because the secret is involved, this must only be done from server-side code.

Calling the Auth0 Authentication API endpoints

The Auth0 Authentication API endpoints provide a rich set of features for authenticating users, retrieving tokens, refreshing tokens, and obtaining tokens with which to call other APIs. This API provides the /authorize, /userinfo, /tokeninfo, /delegation, and impersonation endpoints.

Calling the API of the social provider through which the user authenticated

Calling an API developed by a customer

This is best done by registering the API in Auth0 and obtaining a delegation token with which to call the API.
Account Linking

Understanding the expiration of different token types