Availability varies by Auth0 plan

Both your specific login implementation and your Auth0 plan or custom agreement affect whether this feature is available. To learn more, read Pricing.
You can link user accounts through a variety of methods:
  • Action with external linking application
  • Auth0
  • Auth0.js library

Action with external linking application

You can use an Action along with an external linking application to link user accounts with the Management API.
Auth0 does not automatically change to the correct primary user after Account Linking, so it must be changed within the Actions code upon successful Account Linking.Every manual account link should prompt the user to enter credentials. Your tenant should request authentication for both accounts before linking occurs to avoid allowing malicious actors to access legitimate user accounts.
The following steps illustrate an example implementation:
  1. Action identifies the potential user accounts to link (if they exist).
  2. Action redirects the user to an external linking application with a token payload that contains candidate user identities: 
    {
  "current_identity": {
    "user_id": event.user.user_id,
    "provider": event.connection.strategy,
    "connection": event.connection.name
  },
  "candidate_identities": [
    {
      "user_id": USER_ID_1,
      "provider": PROVIDER_1,
      "connection": CONNECTION_1
    },
    {
      "user_id": USER_ID_2,
      "provider": PROVIDER_2,
      "connection": CONNECTION_2
    },
    ...
  ]
}
  3. External linking application prompts the user to authenticate using the credentials for the account they wish to link.
  4. External linking application redirects the user back to the Action with a token payload that contains the primary and secondary user identities: 
    {
  "primary_identity": {
    "user_id": PRIMARY_USER_ID,
    "provider": PRIMARY_PROVIDER_STRATEGY,
    "connection": PRIMARY_CONNECTION_NAME,
  },
  "secondary_identity": {
    "user_id": SECONDARY_USER_ID,
    "provider": SECONDARY_PROVIDER_STRATEGY,
    "connection": SECONDARY_CONNECTION_NAME,
  }
}
  5. Action validates the authenticity and contents of the token.
  6. Action calls the Management API to link the accounts based on the results from the external linking application.
  7. Action switches to the primary user if it doesn’t match the event.user.user_id.

Example: Account linking Action

const { ManagementClient, AuthenticationClient } = require('auth0');

/**
 * @constant {string} - Account linking timestamp key
 */
const ACCOUNT_LINKING_TIMESTAMP_KEY = 'account_linking_timestamp';

/**
 * @constant {number} - TTL leeway factor
 */
const TTL_LEEWAY_FACTOR = .2;

/**
 * @constant {string[]} - Properties to complete based on identities
 */
const PROPERTIES_TO_COMPLETE = [
  'given_name',
  'family_name',
  'name'
];

/**
* @param {Event} event
* @param {PostLoginAPI} api
* @returns {Promise<string>} - Management API access token
*/
const getManagementAccessToken = async (event, api) => {
  const managementApiTokenCacheKey = `mgmt-api-token-${event.secrets.MANAGEMENT_API_CLIENT_ID}`;
  const { value: cachedAccessToken } = api.cache.get(managementApiTokenCacheKey) || {};

  if (cachedAccessToken) {
    return cachedAccessToken;
  }

  const authentication = new AuthenticationClient({
    domain: event.secrets.MANAGEMENT_API_DOMAIN,
    clientId: event.secrets.MANAGEMENT_API_CLIENT_ID,
    clientSecret: event.secrets.MANAGEMENT_API_CLIENT_SECRET
  });

  const { data: { access_token: accessToken, expires_in: expiresIn } } = await authentication.oauth.clientCredentialsGrant({
    audience: `https://${event.secrets.MANAGEMENT_API_DOMAIN}/api/v2/`,
  });

  api.cache.set(managementApiTokenCacheKey, accessToken, {
    ttl: expiresIn - expiresIn * TTL_LEEWAY_FACTOR
  });

  return accessToken;
}

/**
* @param {Event} event
* @param {PostLoginAPI} api
* @returns {Promise<ManagementClient>} - Auth0 management client
*/
const getManagementClient = async (event, api) => {
  const token = await getManagementAccessToken(event, api);

  return new ManagementClient({
    domain: event.secrets.MANAGEMENT_API_DOMAIN,
    token,
  });
}

/**
 * @typedef {Object} CandidateUsersIdentities
 * @property {string} user_id
 * @property {string} provider
 * @property {string} connection
 */

/**
 * @typedef {Object} CandidateUsers
 * @property {string} email
 * @property {boolean} email_verified
 * @property {string} user_id
 * @property {CandidateUsersIdentities[]} identities
 */

/**
 * @typedef {Object} CandidateIdentities
 * @property {User['user_id']} user_id
 * @property {string} connection
 * @property {string} provider
 */

/**
 * @typedef {Object} LinkedIdentity
 * @property {User['user_id']} user_id
 */

/**
* @param {Event} event
* @param {PostLoginAPI} api
* @returns {Promise<CandidateUsers[]>} - List of users with the same email address
*/
const getUsersWithSameEmail = async (event, api) => {
  const management = await getManagementClient(event, api);

  const { data } = await management.usersByEmail.getByEmail({
    email: event.user.email,
    fields: 'email,email_verified,user_id,identities',
    include_fields: true,
  });

  return data;
}

/**
* @param {Event} event - Details about the user and the context in which they are logging in.
* @param {CandidateUsers[]} candidateUsers - List of users that match the same email address
* @returns {CandidateIdentities[]} - List of candidate identities
*/
const getCandidateIdentitiesWithVerifiedEmail = (event, candidateUsers) => {
  // Removes current user from candidate identities and checks the email is verified
  return candidateUsers
    .filter((user) => user.user_id !== event.user.user_id && user.email_verified === true)
    .filter((user) => user.identities)
    // .flatMap((user) => user.identities)
    .map((user) => {
      return {
        user_id: user.user_id,
        provider: user.identities[0].provider,
        connection: user.identities[0].connection
      }
    });
}

/**
* @param {Event} event
* @param {PostLoginAPI} api
* @returns {Promise<LinkedIdentity[]>} - Linked identity response
*/
const linkIdentities = async (event, api, primaryIdentity, secondaryIdentity) => {
  const management = await getManagementClient(event, api);

  const { data } = await management.users.link({
    id: primaryIdentity.user_id
  }, {
    provider: secondaryIdentity.provider,
    user_id: secondaryIdentity.user_id
  });

  return data;
}

/**
* @param {Event} event
* @param {PostLoginAPI} api
* @returns {void}
*/
const completeProperties = (event, api) => {
  // go over each property and try to get missing
  // information from secondary identities for ID Token
  for (const property of PROPERTIES_TO_COMPLETE) {
    if (!event.user[property]) {
      for(const identity of event.user.identities) {
        if (identity.profileData && identity.profileData[property]) {
          api.idToken.setCustomClaim(property, identity.profileData[property]);
          break;
        }
      }
    }
  }
}

/**
* Handler that will be called during the execution of a PostLogin flow.
*
* @param {Event} event - Details about the user and the context in which they are logging in.
* @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
*/
exports.onExecutePostLogin = async (event, api) => {
  if (
    !event.secrets.MANAGEMENT_API_DOMAIN ||
    !event.secrets.MANAGEMENT_API_CLIENT_ID ||
    !event.secrets.MANAGEMENT_API_CLIENT_SECRET ||
    !event.secrets.SESSION_TOKEN_SHARED_SECRET ||
    !event.secrets.ACCOUNT_LINKING_SERVICE_URL
  ) {
    console.log('Missing required configuration for account linking action. Skipping.');
    return;
  }

  // We won't process users for account linking until they have verified their email address.
  // We might consider rejecting logins here or redirecting users to an external tool to
  // remind the user to confirm their email address before proceeding.
  //
  // In this example, we simply won't process users unless their email is verified.
  if (!event.user.email_verified) {
    return;
  }

  // Account linking has already been processed and completed for this user. No further work
  // to be done in this Action.
  if (event.user.app_metadata[ACCOUNT_LINKING_TIMESTAMP_KEY] !== undefined) {
    completeProperties(event, api);
    return;
  }

  try {
    const candidateUsers = await getUsersWithSameEmail(event, api);

    // If there are no candidates, skip
    if (!Array.isArray(candidateUsers) || candidateUsers.length === 0) {
      return;
    }

    const candidateIdentities = getCandidateIdentitiesWithVerifiedEmail(event, candidateUsers);

    // If there are no candidates, skip
    if (candidateIdentities.length === 0) {
      return;
    }

    // Encode the current user and an array of their candidate identities
    const sessionToken = api.redirect.encodeToken({
      payload: {
        current_identity: {
          user_id: event.user.user_id,
          provider: event.connection.strategy,
          connection: event.connection.name
        },
        candidate_identities: candidateIdentities,
      },
      secret: event.secrets.SESSION_TOKEN_SHARED_SECRET,
      expiresInSeconds: 20
    });

    // Redirect to your Account Linking UX
    api.redirect.sendUserTo(event.secrets.ACCOUNT_LINKING_SERVICE_URL, {
      query: {
        session_token: sessionToken
      }
    });
  } catch (err) {
    console.error(err);
    // Handle error
  }
};

/**
* Handler that will be invoked when this action is resuming after an external redirect. If your
* onExecutePostLogin function does not perform a redirect, this function can be safely ignored.
*
* @param {Event} event - Details about the user and the context in which they are logging in.
* @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
*/
exports.onContinuePostLogin = async (event, api) => {
  // Validate the session token passed to `/continue?state` and extract the `user_id` claim. 
  const { primary_identity: primaryIdentity, secondary_identity: secondaryIdentity } = api.redirect.validateToken({
    secret: event.secrets.SESSION_TOKEN_SHARED_SECRET,
    tokenParameterName: 'session_token',
  });

  try {
    const linkedIdentity = await linkIdentities(event, api, primaryIdentity, secondaryIdentity);

    if (linkedIdentity !== undefined && linkedIdentity.length > 1) {
      if (primaryIdentity.user_id !== event.user.user_id) {
        // The account linking service indicated that the primary user changed.
        api.authentication.setPrimaryUser(primaryIdentity.user_id);
      }
      // Mark the user as having been processed for account linking
      api.user.setAppMetadata(ACCOUNT_LINKING_TIMESTAMP_KEY, Date.now());

      completeProperties(event, api);
    } else {
      // Handle error
      api.access.deny('Account linking failure');
    }
  } catch (err) {
    console.error(err);
    // Handle error
  }
};

Management API

You can use the Management API Link a user account endpoint in two ways:
  • User-initiated client-side account linking using with the update:current_user_identities scope.
  • Server-side account linking using access tokens with the update:users scope.

User-initiated client-side account linking

For user-initiated client-side account linking, you need an access token that contains the following items in the payload:
  • update:current_user_identites scope
  • user_id of the primary account as part of the URL
  • of the secondary account that is signed with RS256 and includes an aud claim identifying the client that matches the value of the requesting access token’s azp claim.
An access token that contains the update:current_user_identities scope can only be used to update the information of the currently logged-in user. Therefore, this method is suitable for scenarios where the user initiates the linking process. 
curl --request POST \
  --url 'https://{yourDomain}/api/v2/users/PRIMARY_ACCOUNT_USER_ID/identities' \
  --header 'authorization: Bearer MANAGEMENT_API_ACCESS_TOKEN' \
  --header 'content-type: application/json' \
  --data '{"link_with":"SECONDARY_ACCOUNT_ID_TOKEN"}'

Server-side account linking

For server-side account linking, you need an access token that contains the following items in the payload:
  • update:users scope
  • user_id of the primary account as part of the URL
  • user_id of the secondary account
  • ID token of the secondary account that is signed with RS256 and includes an aud claim identifying the client that matches the value of the requesting access token’s azp claim.
Access tokens that contain the update:users scope can be used to update the information of any user. Therefore, this method is intended for use in server-side code only. 
curl --request POST \
  --url 'https://{yourDomain}/api/v2/users/PRIMARY_ACCOUNT_USER_ID/identities' \
  --header 'authorization: Bearer MANAGEMENT_API_ACCESS_TOKEN' \
  --header 'content-type: application/json' \
  --data '{"provider":"SECONDARY_ACCOUNT_PROVIDER", "user_id": "SECONDARY_ACCOUNT_USER_ID"}'
The secondary user account’s user_id and provider can be deduced by its unique identifier. For example, for the identifier google-oauth2|108091299999329986433:
  • provider is google-oauth2
  • user_id is 108091299999329986433
Alternatively, you can you can send the secondary account’s ID token instead of the provider and user_id: 
curl --request POST \
  --url 'https://{yourDomain}/api/v2/users/PRIMARY_ACCOUNT_USER_ID/identities' \
  --header 'authorization: Bearer MANAGEMENT_API_ACCESS_TOKEN' \
  --header 'content-type: application/json' \
  --data '{"link_with":"SECONDARY_ACCOUNT_ID_TOKEN"}'

Auth0.js library

You can use the Auth0.js library to perform client-side account linking. Read Auth0.js v9 Reference > User management to learn more.

Learn more