Token Vault is currently available in Early Access for public cloud tenants. To enable Token Vault, contact your Auth0 representative.
Auth0 supports Token Vault for the following social and enterprise :
  • Google
  • Microsoft
  • Box
  • Slack
  • GitHub
  • Connect
  • Custom social connection
Once a user authenticates with a supported external provider and authorizes the federated connection, you can get an to call third-party APIs on the user’s behalf. To learn more, read Call APIs with Token Vault. To configure Token Vault, you need to:
  1. Configure your application with the Token Exchange (Federated Connection) grant type.
  2. Enable Token Vault for a federated connection.
  3. Manage tokensets within the Token Vault for your federated connection.
If you have previously set your MFA policy to Always in the Auth0 Dashboard, you need to set it to Never to retrieve an access token from Token Vault. Otherwise, you will receive an error. To learn more about the different MFA policies, read Enable MFA in the Auth0 Dashboard.If you need to trigger MFA challenges for interactive flows, enable Customize MFA Factors using Actions when setting up MFA for your tenant. You can then use an Action to trigger an MFA challenge based on the event.transaction.protocol property. To learn more, read Customize MFA selection for Universal Login.

Configure application

Configure your application with the Token Exchange (Federated Connection) grant type using the or . Only certain types of clients can use the Token Exchange (Federated Connection) grant type:
  1. The client must be a first-party client, i.e. the is_first_party property is true.
  2. The client must be a confidential client with a valid authentication mechanism, i.e. the token_endpoint_auth_method property must not be set to none.
  3. The client must be OIDC conformant, i.e. the oidc_conformant must be true.
  1. Navigate to Applications > Applications.
  2. Select the application you want to configure.
  3. Under Advanced Settings > Grant Types, select the Token Exchange (Federated Connection) grant type.
  4. Select Save Changes.

Configure federated connection

Use the Auth0 Dashboard or Management API to configure a federated connection to retrieve and store access tokens for third-party APIs in the Token Vault. Once you enable Token Vault for your connection, access and will no longer be stored in the user’s identities array. Instead, they will be stored in a secure tokenset within the Token Vault. To learn more, read Manage tokensets.
To enable Token Vault for a supported social and enterprise/custom connection:
  1. Navigate to Authentication > Social Connections or Enterprise Connections.
  2. Select Create Connection or select an existing connection.
  3. In Permissions, select the desired scopes for your connection. You can filter by scope name or keywords. Whenever the user is redirected to authorize this connection, Auth0 always requests the scopes you selected. At runtime, this list is automatically completed with any additional scopes included in the connection_scope parameter of the authorization request.
  4. In Advanced, toggle Enable Token Vault.
  5. Select Save Changes.

Manage tokensets

The Auth0 securely stores the user’s access and refresh token in the Token Vault, which maintains one tokenset per authorized connection. To manage tokensets for a user, use the Management API:

Get user’s tokensets

To get a user’s tokensets, you need a Management API access token with the read:federated_connections_tokensets scope. Make a GET request to the /federated-connections-tokensets endpoint: 
curl --request GET \
  --url 'https://{tenantDomain}/api/v2/users/{user_id}/federated-connections-tokensets' \
  --header 'Authorization: Bearer {your_management_api_access_token}'
If successful, you should receive a list of tokensets for the user: 
Status Code: 200
[{
  "connection": "google-oauth2",
  "id": "some-unique-tokenset-id1",
  "issued_at": 1733455897,
  "expires_at": 1733455897,
  "last_used_at": 1733453897,
  "scope": "https://www.googleapis.com/auth/calendar https://www.googleapis.com/auth/calendar.events",
},{
  "id": "some-unique-tokenset-id2",
  "connection": "google-oauth2",
  "issued_at": 1733455897,
  "expires_at": 1733455897,
  "last_used_at": 1733453897,
  "scope": "https://www.googleapis.com/auth/calendar https://www.googleapis.com/auth/calendar.events",
},{
  "connection": "google-oauth2",
  "issued_at": 1733455897,
  "id": "some-unique-tokenset-id3",
  "expires_at": 1733455897,
 "last_used_at": 1733453897,
  "scope": "Calendar.Read Calendar.Write",
}]
Note: The value for last_used_at is updated max once per day.

Delete a tokenset

To delete a tokenset, you need a Management API access token with the update:federated_connections_tokensets scope. Make a DELETE request to the /tokensets endpoint: 
curl --request DELETE \
  --url 'https://{tenantDomain}/api/v2/users/{user_id}/federated-connections-tokensets/{tokenset_id}' \
  --header 'Authorization: Bearer {your_management_api_access_token}'
If successful, you should receive the following response: 
Response: 204 No-Content