Auth0 Session & Token Management
Auth0 integration patterns showing how sessions, tokens, and device management work across different client types and security requirements.
Follow the demo script →Unified Profile
Tenant-wide view of all sessions and devices across every application, grouped by Auth0 Authorization Server session. My Account API inline name edit. Fingerprint.com device enrichment. SSO isolation demo via a High Trust App with sso:false.
Unified session viewMy Account APIFingerprint.comSSO isolation
Open demo →Traditional Web App
Authorization Code Flow with server-side session cookie. Back-Channel Logout propagates revocation to all apps when a session ends. Shows active sessions via the Auth0 Session Management API.
Cookie sessionBack-Channel LogoutSession Management APISession revoke
Open demo →SPA with DPoP
Public browser client, no server-side session at all. DPoP binds the access token to an ephemeral ES256 key pair generated in IndexedDB — a stolen token is useless without the private key. A Post-Login Action stamps Refresh Token Metadata (device, browser, IP) on the refresh token at issuance.
DPoP token bindingRefresh Token MetadataNo server-side session@auth0/auth0-spa-js
Open demo →Backend-for-Frontend
Confidential OAuth client — tokens are stored server-side behind an HttpOnly session cookie and never reach the browser. The browser holds a session cookie; it never sees a bearer token. Multi-Resource Refresh Token (MRRT) exchanges one refresh token for access tokens scoped to multiple API audiences, entirely server-side.
HttpOnly session cookieZero browser token exposureMulti-Resource Refresh TokensPKCE ≠ token storage
Open demo →High Trust App
SSO isolation via sso:false on the Auth0 client. Logging into any other app on this tenant does not carry over — the Authorization Server always forces fresh credentials. Demonstrates per-application session isolation for high-sensitivity surfaces.
sso:falseNo SSO reuseIsolated AS sessionPer-app auth enforcement
Open demo →On-Behalf-Of Token Exchange
RFC 8693 token exchange: a middle-tier service presents the user's access token and receives a new token for a downstream API. The user's sub is preserved end-to-end; the act claim records the delegation chain. Demonstrates the canonical pattern for AI agent and microservice architectures.
RFC 8693act delegation chainIdentity preservationAI agent pattern
Open demo →Custom Token Exchange
Exchange any external token — JWT, SAML, or arbitrary format — for full Auth0 AT + ID Token + RT. An Auth0 Action validates the incoming token and maps it to an Auth0 user identity with no browser redirect and no Universal Login. Covers external IdP federation, migration, and device attestation.
Any token formatAuth0 Action validatesNo browser redirectExternal IdP federation
Open demo →SPA with Online Refresh Tokens
Online Refresh Tokens are bound to the Auth0 session instead of being independent — replacing iframe-based silent auth with an actual token exchange. Parked pending the online_refresh_tokens tenant flag being enabled.
Online Refresh Tokens (Beta)Session-bound tokensNo iframe silent authAwaiting tenant flag
Not yet implemented