The My Account API is available in Limited Early Access. To request access, contact your Auth0 account manager. To learn more about Auth0’s product release cycle, read Product Release Stages.
The Auth0 My Account API provides a dedicated set of endpoints for users to manage their own account information. Customers can use these APIs to build self-service experiences in their applications or progressively add details to a user account. The My Account API operates within the context of the currently logged-in user and can be used directly within user-facing applications.
Using Auth0 domain vs. custom domain
The My Account API supports using your canonical Auth0 domain or your custom domain, but you must use the same one throughout the entire process, including:
  • Getting an access token
  • Setting the audience value
  • Calling the My Account API endpoint
For more information, read Custom Domains.

Activate the My Account API

You can activate the My Account API for your tenant in the Auth0 Dashboard:
  1. Navigate to Authentication > APIs.
  2. Locate the MyAccount API banner.
  3. Select Activate.

Get an access token

You can get an access token for the My Account API in the same way you’d get an access token for one of your own APIs.
If you’re going to allow the My Account API to perform sensitive operations (such as enrolling an authentication method), we strongly recommend that you use step-up authentication to enforce additional security policies through multi-factor authentication (MFA).
If you’re using Universal Login, read the following articles:
If you’re using embedded login, read the following articles:

Audience

The audience of the My Account API is https://{yourDomain}/me/.

Scope

The My Account API supports the following scopes:
| Scope | Description |
| --- | --- |
| create:me:authentication-methods | Allows the user to enroll a new authentication method. |

Examples

Universal Login with authorization code flow

Step 1: Request authorization code
# offline_access is sent as a scope value; the audience uses the same domain as the request.
curl --request GET \
  --url 'https://{yourDomain}/authorize?response_type=code&client_id={yourClientId}&redirect_uri={yourRedirectUri}&scope=create%3Ame%3Aauthentication_methods%20offline_access&audience=https%3A%2F%2F{yourDomain}%2Fme%2F'
Step 2: Exchange code for access token
# client_secret takes the application's client secret, not its client ID.
curl --request POST \
  --url 'https://{yourDomain}/oauth/token' \
  --header 'content-type: application/json' \
  --data '{"grant_type": "authorization_code", "client_id": "{yourClientId}", "client_secret": "{yourClientSecret}", "code": "{yourAuthorizationCode}", "redirect_uri": "{yourRedirectUri}", "audience": "{yourAudience}", "scope": "create:me:authentication_methods offline_access"}'

Embedded login with native passkeys

Step 1: Request login challenge
# client_id takes the application's client ID, not the tenant domain.
curl --request POST \
  --url 'https://{yourDomain}/passkey/challenge' \
  --header 'content-type: application/json' \
  --data '{"client_id": "{yourClientId}"}'
Step 2: Authenticate existing user
# auth_session comes from the challenge response in Step 1.
curl --request POST \
  --url 'https://{yourDomain}/oauth/token' \
  --header 'content-type: application/json' \
  --data '{"grant_type": "urn:okta:params:oauth:grant-type:webauthn", "client_id": "{yourClientId}", "scope": "create:me:authentication_methods offline_access", "audience": "https://{yourDomain}/me/", "auth_session": "{sessionIdFromTheFirstRequest}", "authn_response": "{authenticatorResponse}"}'

Endpoints

The My Account API functionality is currently limited to Native Passkey Enrollment. Auth0 will add support for more self-service capabilities in the future.

Authentication methods

Enroll an authentication method
Allows the user to enroll a new authentication method (such as a passkey).
ENDPOINT
POST https://{yourDomain}/me/authentication-methods
SCOPES
create:me:authentication-methods
BODY PARAMETERS
| Parameter | Data type | Required? | Description |
| --- | --- | --- | --- |
| type | string | Required | The type of authentication method. Available values: passkey. |
| connection | string | Optional | The name of the connection on which to create the new authentication method. |
| identity_user_id | string | Optional | The identifier of the current user identity. Used with linked accounts. |
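
The same-domain requirement and the audience and scope values described above can be checked on a token before the enroll endpoint is called. The following is an added example, not Auth0's code: it assumes the access token is a JWT carrying iss, aud and scope claims, and the function names, domains and sample tokens are constructed for illustration.

```python
import base64
import json
from urllib.parse import urlsplit

# Scope string as it appears in this page's token requests.
ENROLL_SCOPE = "create:me:authentication_methods"

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying it (diagnostics only, never authorization)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims

def preflight(token, endpoint_url, scope=ENROLL_SCOPE):
    """List the reasons this token does not fit a My Account API call to endpoint_url."""
    host = urlsplit(endpoint_url).hostname
    try:
        claims = jwt_claims(token)
    except (IndexError, ValueError):
        return ["token is not a decodable JWT"]
    problems = []
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if f"https://{host}/me/" not in aud:
        problems.append(f"aud {aud} lacks https://{host}/me/")
    if urlsplit(str(claims.get("iss", ""))).hostname != host:
        problems.append(f"iss {claims.get('iss')} is not on {host}")
    if scope not in str(claims.get("scope", "")).split():
        problems.append(f"scope {scope} not granted")
    return problems

def sample_token(claims):
    """Build an unsigned token from constructed claims, for the demo only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

# Constructed data: login.example.com plays the custom domain, tenant.example.net the canonical one.
ENDPOINT = "https://login.example.com/me/authentication-methods"
GOOD = sample_token({"iss": "https://login.example.com/", "aud": "https://login.example.com/me/",
                     "scope": "create:me:authentication_methods offline_access"})
MIXED = sample_token({"iss": "https://tenant.example.net/", "aud": "https://tenant.example.net/me/",
                      "scope": "openid"})

if __name__ == "__main__":
    print(preflight(GOOD, ENDPOINT))   # token and endpoint share one domain
    print(preflight(MIXED, ENDPOINT))  # token from one domain, endpoint on the other
```

The check reads claims without validating the signature, so it is a configuration diagnostic for the calling application and not a substitute for the API's own token validation.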

Rate limits

During Early Access, the My Account API is limited at a tenant level to 25 requests per second.