- Read a user’s calendar to schedule a meeting.
- Access a user’s documents to summarize them.
- Connect to a CRM like Salesforce to retrieve customer information.
What is Token Vault
Auth0’s Token Vault is a secure service for storing and managing tokens for third-party services. Your GenAI applications can use the access tokens from Token Vault to call external APIs on behalf of your users. This capability is essential for building trustworthy AI agents that can securely interact with third-party services from providers such as Google, Microsoft, Salesforce, or any other API provider that uses OAuth 2.0. Token Vault is built on top of OAuth 2.0 and provides federated connections to other Identity Providers (IdPs). There is no need to manage refresh tokens or build custom integrations per provider because Auth0 handles it all for you. You gain access to a wide range of external providers’ APIs and services, all through a single Auth0 integration.
Why Is Calling APIs with Token Vault Important for GenAI
Hardcoding API keys or asking users to constantly re-authenticate with these external services is insecure and provides a poor user experience. Token Vault solves this by providing a secure mechanism to store and use the user’s credentials (in the form of tokens) for these services. By using Token Vault, you can:
- Securely store and manage tokens: Offload the complexity and risk of storing sensitive user credentials.
- Maintain user context: Enable agents to act on behalf of a specific user, ensuring that the agent only has the permissions that the user has granted.
- Provide a seamless user experience: Avoid repeatedly prompting users for authentication with external services.
- Enhance security: Prevent the exposure of tokens to the frontend or to the end-user.
How it works
The process of using Token Vault involves the following key steps:
- User authentication and consent: The user links and authenticates with an external Identity Provider (e.g., Google) and grants your application permission to access their data by approving the requested OAuth scopes.
- Secure token storage: Auth0 receives the federated access and refresh tokens from the external provider and stores them securely within Token Vault.
- Token exchange: Your application can then exchange a valid Auth0 refresh token for a federated access token from Token Vault. This allows your application to obtain the necessary credentials to call the third-party API without the user having to re-authenticate. It also means your application does not need to store or manage any credentials.
- API call: With the federated access token, your AI agent can make authorized calls to the third-party API on the user’s behalf.
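The token exchange step above, sketched as a server-side broker. This is an added example, not Auth0 SDK code and not from the original page. The grant and token-type strings follow Auth0's published Token Vault exchange as understood here and should be checked against current Auth0 documentation; `FederatedTokenBroker`, `post_form` and the sample names are hypothetical.

```python
import time

# Not on this page: values as understood from Auth0's Token Vault documentation.
# Confirm them against the current docs before use.
GRANT = "urn:auth0:params:oauth:grant-type:token-exchange:federated-connection-access-token"
SUBJECT_TYPE = "urn:ietf:params:oauth:token-type:refresh_token"
REQUESTED_TYPE = "http://auth0.com/oauth/token-type/federated-connection-access-token"


class FederatedTokenBroker:
    """Backend-only component: the Auth0 refresh token and client secret never leave it."""

    def __init__(self, domain, client_id, client_secret, post_form, clock=time.time):
        self.url = f"https://{domain}/oauth/token"
        self.client_id, self.client_secret = client_id, client_secret
        self.post_form = post_form  # hypothetical transport: callable(url, form) -> dict
        self.clock = clock
        self._cache = {}            # (user_id, connection) -> (token, expiry time)

    def exchange_form(self, refresh_token, connection):
        # Form body for the exchange: Auth0 refresh token in, federated access token out.
        return {
            "grant_type": GRANT,
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "subject_token_type": SUBJECT_TYPE,
            "subject_token": refresh_token,
            "requested_token_type": REQUESTED_TYPE,
            "connection": connection,
        }

    def access_token(self, user_id, refresh_token, connection, skew=30):
        key = (user_id, connection)  # per-user key: one user's token never serves another
        cached = self._cache.get(key)
        if cached and cached[1] - skew > self.clock():
            return cached[0]
        resp = self.post_form(self.url, self.exchange_form(refresh_token, connection))
        if "access_token" not in resp:
            # Report only the error code so tokens and secrets stay out of logs.
            raise PermissionError(resp.get("error", "token_exchange_failed"))
        # Hold the federated token in memory only, and only until shortly before it expires.
        self._cache[key] = (resp["access_token"], self.clock() + int(resp.get("expires_in", 0)))
        return resp["access_token"]
```

The agent receives only the short-lived federated access token for the API call; the browser and the model prompt never see the refresh token or client secret.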
Supported connections
Token Vault supports a variety of social and enterprise identity providers, including:
- Microsoft
- Slack
- GitHub
- Box
- OpenID Connect (OIDC)
- Custom Connections
- More providers coming soon!
Using Token Vault
To begin using Token Vault to call external APIs on behalf of your users, you will need to:
Configure connections
Set up connections to the external service (e.g., Google, Microsoft) in your Auth0 Dashboard.
Configure account linking
Enable Account Linking so that end-users can link multiple third-party accounts (e.g., Google, Microsoft) together.
Call other APIs on the user's behalf
Use our SDKs for your preferred frameworks to easily obtain access tokens for the connections.