Auth0 Custom Token Exchange (CTE) implements OAuth 2.0 RFC 8693 to let developers exchange foreign tokens (from legacy IdPs, partner systems, or custom auth services) for Auth0 tokens without forcing re-authentication. The flow involves three actors: your app, Auth0's authorization server, and a custom Action you write. The Action validates the incoming token, runs authorization logic, and sets the user via setUserById() or setUserByConnection(). Setup requires enabling CTE on your application, writing an Action with the CTE trigger, and creating a Token Exchange Profile that maps a subject_token_type URI to your Action. Auth0 handles client authentication, RBAC, Post-Login Actions, and token issuance; you own the validation logic. Attack protection via Suspicious IP Throttling is built in when using rejectInvalidSubjectToken(). CTE is currently in Public Early Access for Enterprise, B2B, and B2C Pro plans.
Table of contents
The Token You Have vs. the Token You Need
How It Works: The Core Model
Three Concepts You Need to Know
The Request
Setting It Up
Inside the Action: What Is Available
Security: You Own the Validation
What Happens After Your Action
When to Use CTE
Start Building Today