Supported external providers
Token Vault supports popular external providers, including:Social
- Microsoft
- Box
- Slack
- GitHub
- Custom social connection
Enterprise
- Google Workspace
- Microsoft Azure AD (Entra ID)
- Connect
Common use cases
Common Token Vault use cases include:- An AI agent running as a web application calls external APIs to perform tasks on the user’s behalf, such as scheduling a meeting in Google Calendar.
- An internal or backend service can access Token Vault to exchange an Auth0 access token for an external provider’s access token to call external APIs.
How it works
When a user connects with a supported external provider and authorizes the connection:- Auth0 obtains access and refresh tokens using OAuth 2.0 scopes, with the user explicitly approving the requested permissions.
- Auth0 securely stores the tokens for each connected account in the Token Vault. Because each connected account is linked to the user profile, the application can access external APIs and services without requiring the user to re-authorize the connection.
- The application calls Auth0 to exchange a user’s valid Auth0 token for an external provider’s access token, issued to that user. To learn more, read Supported token exchanges.
- Using the external provider’s access token, your application can then call external APIs on the user’s behalf.
Use with Organizations
If your application uses Organizations, authenticate the user with the target organization first and then initiate the Connected Accounts flow for the external provider you want to use. When you use Organizations with Token Vault:- Organizations define the login, branding, and access policy context for the session.
- Connected Accounts still link the external provider to the individual Auth0 user profile.
- Each organization member connects and authorizes their own external account; Token Vault does not create a shared organization account.