Account linking in Auth0 allows a user to connect multiple identity provider accounts, such as Google, GitHub, or a corporate SAML connection, under a single, unified user profile. By default, Auth0 treats each login from a different provider as a separate user. Account linking merges these distinct identities, enabling a user to authenticate from any of their linked accounts and be recognized as the same person by your application.
For AI agents that need to act on a user’s behalf, account linking is critical. An agent might need to access a user’s calendar via their Google account and their code repositories through their GitHub account. Without account linking, the agent would see these as two separate users.

By linking these accounts, your AI agents have a holistic view of the user. This unified profile is essential for Token Vault to retrieve the correct tokens for the various external services the agent needs to call. When an agent requests access to an external API, account linking ensures that Auth0 can associate that request with the current user and their authorized connections.

Connected Accounts for Token Vault enables a unified Auth0 user profile to be linked to multiple external accounts, such as Google, GitHub, or Slack, so that users can log in through any one of their accounts using a single set of credentials.
Once a user successfully connects and authorizes access to a supported external provider, Auth0 adds:
The account on the user profile, now known as a connected account.
The external provider’s access and refresh tokens for that connected account to the Token Vault.
Auth0 adds an account to the user profile using the Connected Accounts flow. When a user logs in via a supported external provider through Auth0, they initiate a Connected Accounts request from the client application:
The client application makes a POST request to the /connected-accounts endpoint, passing in authorization_parameters the scopes it wants Auth0 to request from the external provider.
Auth0 creates a unique session ID and a URL that the user must open in a web browser. The client application saves the session ID for later verification.
The client application redirects the user to that URL, which opens in the browser, for authentication and authorization with Auth0.
The user connects and authorizes the permissions for the connection in the consent screen.
After the user successfully authorizes the connection, the external provider redirects the user to Auth0, which redirects the user to the client application using the redirect_uri with a single-use code.
The client application presents the connect_code and the original session ID to Auth0 by making a POST request to the /connected-accounts/complete endpoint.
After successful validation, Auth0 adds the account to the connected_accounts array on the user profile and stores the access and refresh tokens for the connected account in the Token Vault.
Auth0 completes the flow by sending a 200 status code back to the client application, indicating that the account was successfully connected.
Once Auth0 successfully adds the connected account to the user profile, the client application can fetch the tokens needed to call the external API associated with the connected account on the user’s behalf.
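The client-application side of the flow above, written here as an added example rather than code from Auth0's SDKs or documentation. The endpoint paths and the authorization_parameters, redirect_uri and connect_code fields are the ones named on this page; the "session_id" and "connect_uri" field names, the post() transport callable and the fake Auth0 stand-in are assumptions made so the flow runs offline.

```python
import secrets

# Endpoint paths and the authorization_parameters / redirect_uri / connect_code
# fields come from the page; "session_id", "connect_uri" and post() are assumed.

class ConnectedAccountsClient:
    """post is any callable (path, json_body) -> dict: a real HTTP client or a fake."""

    def __init__(self, post, redirect_uri):
        self._post = post
        self._redirect_uri = redirect_uri
        self._pending = set()  # session IDs we started and have not yet completed

    def start(self, connection, scopes):
        """Steps 1-3: obtain the session ID and the URL to open in the user's browser."""
        resp = self._post("/connected-accounts", {
            "connection": connection,
            "redirect_uri": self._redirect_uri,
            "authorization_parameters": {"scope": " ".join(scopes)},
        })
        self._pending.add(resp["session_id"])  # saved for later verification
        return resp["session_id"], resp["connect_uri"]

    def complete(self, session_id, connect_code):
        """Steps 6-8: a session ID is accepted only if this client started it, and
        only once, so a code arriving for an unknown or replayed session is refused."""
        if session_id not in self._pending:
            raise ValueError("unknown or already-completed session ID")
        self._pending.discard(session_id)
        resp = self._post("/connected-accounts/complete",
                          {"session_id": session_id, "connect_code": connect_code})
        if resp["status"] != 200:
            raise RuntimeError(f"connect failed with status {resp['status']}")
        return resp["connected_account"]


def make_fake_auth0(valid_code="code-123"):
    """Constructed stand-in for the two Auth0 endpoints so the flow runs offline."""
    sessions = {}

    def post(path, body):
        if path == "/connected-accounts":
            sid = secrets.token_urlsafe(8)
            sessions[sid] = body["connection"]
            return {"session_id": sid, "connect_uri": f"https://tenant.example/connect?s={sid}"}
        if path == "/connected-accounts/complete":
            conn = sessions.pop(body["session_id"], None)  # single-use on the server too
            if conn is None or body["connect_code"] != valid_code:
                return {"status": 400}
            return {"status": 200, "connected_account": {"connection": conn}}
        raise ValueError(f"unexpected path {path}")

    return post
```

In a real deployment the saved session ID lives in the user's server-side session, so a connect_code delivered to a different user's callback cannot be completed against someone else's pending request.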