> ## Documentation Index
> Fetch the complete documentation index at: https://docs-staging-quickstart-revamp.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

> Learn how Token Vault securely stores federated access and refresh tokens.

# Token Vault

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  Token Vault is currently available in Early Access for public cloud tenants. To enable Token Vault, contact your Auth0 representative.
</Callout>

Token Vault enables your applications to securely access third-party APIs on the user's behalf. There is no need to manage <Tooltip tip="Refresh Token: Token used to obtain a renewed Access Token without forcing users to log in again." cta="View Glossary" href="/docs/glossary?term=refresh+tokens">refresh tokens</Tooltip> or build custom integrations per provider—Auth0 handles it all for you. You gain access to a wide range of external providers’ APIs and services, all through a single Auth0 integration.

When a user authenticates with a supported external provider and uses <Tooltip tip="OAuth 2.0: Authorization framework that defines authorization protocols and workflows." cta="View Glossary" href="/docs/glossary?term=OAuth">OAuth</Tooltip> scopes to authorize access, Auth0 stores the access and refresh tokens for that connection in the Token Vault. Token Vault organizes the federated tokens issued by external providers into tokensets, with one tokenset per authorized connection.

You can then call the external provider's APIs using these stored credentials via Auth0 to get a user’s Google Calendar events, access GitHub repos, create a Microsoft Word document, and more.

For Early Access, Auth0 supports Token Vault for the following social and enterprise <Tooltip tip="Identity Provider (IdP): Service that stores and manages digital identities." cta="View Glossary" href="/docs/glossary?term=identity+providers">identity providers</Tooltip>:

* Google
* Microsoft
* Box
* Slack
* GitHub
* <Tooltip tip="OpenID: Open standard for authentication that allows applications to verify users' identities without collecting and storing login information." cta="View Glossary" href="/docs/glossary?term=OpenID">OpenID</Tooltip> Connect
* Custom social connection

## How it works

When a user authenticates with a supported external provider and authorizes the federated connection:

1. Auth0 obtains access tokens using OAuth 2.0 scopes to control access. Users explicitly approve requested permissions.
2. Auth0 securely stores federated access and refresh tokens in the Token Vault.
3. The application [links user accounts](/docs/manage-users/user-accounts/user-account-linking) with the user's consent. As a result, the user won’t have to create separate accounts for each external provider.
4. Your application calls Auth0 to exchange a valid Auth0 refresh token with an access token for a federated connection. Your application can perform this exchange multiple times while Auth0 manages refreshing the federated access tokens stored in the Token Vault. Using a federated access token, your application can call third-party APIs on the user’s behalf.

Token Vault allows for seamless federated identity and simplifies integration across multiple external providers via a single Auth0 interface.

## Common use cases

Learn about some common Token Vault use cases:

* A user downloads a productivity app that integrates with Auth0 and connects their Google and Microsoft user accounts. With user account linking, they can log into the productivity app using a single set of credentials managed by Auth0.
* An AI agent integrated into an application calls third-party APIs to perform tasks on the user’s behalf, such as scheduling a meeting in Google Calendar.

## Get started

To get started with Token Vault, read the following:

<table class="table">
  <thead>
    <tr>
      <th><strong>Read…</strong></th>
      <th><strong>To learn…</strong></th>
    </tr>
  </thead>

  <tbody>
    <tr>
      <td><a href="/docs/secure/tokens/token-vault/configure-token-vault">Configure Token Vault</a></td>
      <td>How to configure the Token Vault.</td>
    </tr>

    <tr>
      <td><a href="/docs/secure/tokens/token-vault/call-apis-with-token-vault">Call APIs with Token Vault</a></td>
      <td>How an application accesses the Token Vault to get an access token to call third-party APIs.</td>
    </tr>
  </tbody>
</table>
