Token Vault simplifies how your applications access external APIs on a user’s behalf. When you integrate with Token Vault, you gain a secure way to manage application access to a wide range of external services and their APIs, such as Google, GitHub, and Microsoft.

When a user connects with a supported external provider and authorizes access using scopes, Auth0 automatically adds that connected account to the user profile. A connected account enables applications to access external APIs through a unified Auth0 user profile. To learn more, read Connected Accounts for Token Vault.

Auth0 stores the access and refresh tokens for each connected account in the Token Vault. To retrieve these stored credentials from Token Vault, your application performs a secure token exchange. This token exchange enables your application to get the necessary tokens to call an external API, removing the need for you to build and maintain custom integrations with each provider.

Supported external providers

Token Vault supports the following external providers:

Social

  • Google
  • Microsoft
  • Box
  • Slack
  • GitHub
  • Custom social connection

Enterprise

  • Google Workspace
  • Microsoft Azure AD (Entra ID)
  • Connect

To see the full list of supported external providers, read Auth0 Integrations.

Common use cases

Common Token Vault use cases include:
  • An AI agent running as a web application calls external APIs to perform tasks on the user’s behalf, such as scheduling a meeting in Google Calendar.
  • An internal or backend service can access Token Vault to exchange an Auth0 access token for an external provider’s access token to call external APIs.

How it works

When a user connects with a supported external provider and authorizes the connection:
  • Auth0 obtains access and refresh tokens using OAuth 2.0 scopes, with the user explicitly approving the requested permissions.
  • Auth0 securely stores the tokens for each connected account in the Token Vault. Because each connected account is linked to the user profile, the application can access external APIs and services on the user’s behalf using a single set of credentials.
  • The application calls Auth0 to exchange a user’s valid Auth0 token for an external provider’s access token, issued to that user. To learn more, read Supported token exchanges.
  • Using the external provider’s access token, your application can then call external APIs on the user’s behalf.

Supported token exchanges

To call an external provider’s APIs, your application must exchange a valid Auth0 token for an external provider’s access token from Token Vault. The type of Auth0 token used for the exchange depends on your client application type and use case. Applications can access Token Vault using the following token exchanges:

| Token exchange | Description | Client application type |
| --- | --- | --- |
| Refresh token exchange | Exchanges an Auth0 refresh token for an external provider’s access token. | Applications that need to maintain a user’s session and access external APIs when the user isn’t actively using the application, such as web, mobile, and native applications. |
| Access token exchange | Exchanges an Auth0 access token for an external provider’s access token. | APIs or microservices that need to exchange access tokens they’ve received from other services or applications, such as a Single-Page Application (SPA). |
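
The request an application would build for either exchange in the table above, with a log-safe view of it and a check on the response, as an added example that is not Auth0's own code. The Auth0-specific `grant_type` and `requested_token_type` values, the `connection` parameter, the `google-oauth2` connection name and all sample tokens are assumptions that do not appear on this page; confirm them in the two exchange guides listed under Get started.

```python
from urllib.parse import parse_qsl, urlencode

# Assumed identifiers (not on this page): RFC 8693 token-type URNs plus
# Auth0-specific grant and requested-token types. Verify before use.
GRANT_TYPE = ("urn:auth0:params:oauth:grant-type:token-exchange:"
              "federated-connection-access-token")
REQUESTED_TOKEN_TYPE = ("http://auth0.com/oauth/token-type/"
                        "federated-connection-access-token")
SUBJECT_TOKEN_TYPES = {
    "refresh": "urn:ietf:params:oauth:token-type:refresh_token",  # web, mobile, native
    "access": "urn:ietf:params:oauth:token-type:access_token",    # APIs, microservices
}


def build_exchange_request(domain, exchange, subject_token, connection,
                           client_id, client_secret):
    """Return (url, form_body) for a Token Vault exchange; nothing is sent."""
    if exchange not in SUBJECT_TOKEN_TYPES:
        raise ValueError(f"unsupported exchange: {exchange!r}")
    if not subject_token:
        raise ValueError("an Auth0 token is required as the subject token")
    form = {
        "grant_type": GRANT_TYPE,
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": subject_token,
        "subject_token_type": SUBJECT_TOKEN_TYPES[exchange],
        "requested_token_type": REQUESTED_TOKEN_TYPE,
        "connection": connection,  # which connected account to fetch a token for
    }
    return f"https://{domain}/oauth/token", urlencode(form)


def redact(form_body):
    """Mask credentials so the request can be logged without leaking them."""
    secret_keys = {"client_secret", "subject_token"}
    return urlencode([(k, "[REDACTED]" if k in secret_keys else v)
                      for k, v in parse_qsl(form_body)])


def extract_provider_token(response):
    """Validate a parsed JSON token response; return (access_token, expires_in)."""
    if "error" in response:
        raise PermissionError(response.get("error_description", response["error"]))
    token = response.get("access_token")
    if not isinstance(token, str) or not token:
        raise ValueError("response carries no external provider access token")
    return token, int(response.get("expires_in", 0))
```

The external provider's access token returned by `extract_provider_token` is a credential for the user's account at that provider, so keep it in memory for the call it is needed for and out of logs, as `redact` does for the request.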

Get started

To get started with Token Vault, read the following:

| Read… | To learn… |
| --- | --- |
| Connected Accounts for Token Vault | How to configure and use Connected Accounts for Token Vault. |
| Refresh Token Exchange with Token Vault | How an application uses the refresh token exchange with Token Vault to call external APIs. |
| Access Token Exchange with Token Vault | How an application uses the access token exchange with Token Vault to call external APIs. |
| Configure Token Vault | How to configure the Token Vault. |