> ## Documentation Index > Fetch the complete documentation index at: https://auth0.com/llms.txt > Use this file to discover all available pages before exploring further. > Learn about the custom-token-exchange Action trigger's API object. # Actions Triggers: custom-token-exchange - API Object The API object for the custom-token-exchange Actions trigger includes: ## `api.access` Modify the access of the token exchange request, such as rejecting the request. ### `api.access.deny(code, reason)` Mark the current token exchange as denied. If the request is being denied due to an invalid subject token, we recommend that api.access.rejectInvalidSubjectToken be used instead, to distinguish between brute force attempts on the subject token, and other reasons to deny the request. The error code justifying the rejection of the token exchange. Can be invalid\_request, server\_error, or any custom code A human-readable explanation for rejecting the token exchange request. ```js theme={null} exports.onExecuteCustomTokenExchange = async (event, api) => { // 1. Validate subject_token const subject_token = await validateToken(event.transaction.subject_token, jwksUri); // 2. Apply your authorization policy on the user const isAuthorized = await authorizeAccess(subject_token.sub); if (!isAuthorized) { api.access.deny('Unauthorized_login', 'User cannot login due to reason: X'); } // if user is authorized, go on as indicated here }; ``` ### `api.access.rejectInvalidSubjectToken(reason)` Mark the provided subject token from the request as invalid. This will cause the request to be rejected with an "invalid\_request" error code. This will signal to the Attack Protection features that an invalid subject token has been provided, so that protections to prevent brute force attacks on the subject token can be applied. A human-readable explanation for rejecting the token exchange request. ```js theme={null} exports.onExecuteCustomTokenExchange = async (event, api) => { try { // Validate subject_token const subject_token = await validateToken(event.transaction.subject_token, jwksUri); // set the user for the transaction api.authentication.setUserById(subject_token.id); } catch (error) { if (error.message === 'Invalid Token') { // If specifically the problem is the subject_token is invalid console.error('Invalid Token error'); api.access.rejectInvalidSubjectToken('Invalid subject_token'); } else { // if there is any other unexpected error, throw a server error throw error; } } }; ``` ## `api.authentication` Indicate the result of the authentication of the subject token, to specify the user whom tokens will be issued for. ### `api.authentication.setUserById(user_id)` Indicate the user corresponding to the subject\_token, by providing the userId. The token exchange request will issue tokens for this user. This must be an existing user. Note: Exactly one of api.authentication.setUserByConnection api.authentication.setUserById must be called by the Custom Token Exchange action. The ID of the user; must be an existing user. ```js theme={null} exports.onExecuteCustomTokenExchange = async (event, api) => { // 1. Validate subject_token const subject_token = await validateToken(event.transaction.subject_token, jwksUri); // 2. Apply your authorization policy on the user const isAuthorized = await authorizeAccess(subject_token.sub); if (!isAuthorized) { api.access.deny('Unauthorized_login', 'User cannot login due to reason: X'); } // 3. Set the user for the transaction api.authentication.setUserById(subject_token.sub); return; }; ``` ### `api.authentication.setUserByConnection(connection_name, user_attributes, options)` Indicate the user corresponding to the subject\_token, by providing a connection and user attributes. The token exchange request will issue tokens for this user. This can be either an existing user, or a new user. If the user does not exist, it will be created. The user\_id property of the user\_profile will be used to determine if the user already exists. Note: Exactly one of api.authentication.setUserByConnection api.authentication.setUserById must be called by the Custom Token Exchange action. Name of the connection the user should be stored in. The user's profile attributes, including user\_id, and optionally other attributes such as email, name, etc. The user\_id field is required, and should be the unique identifier of the user within the connection; this will be used to determine if the user exists or should be created. In existing users, this user\_id can be found by inspecting the identities array of the normalized user profile. If the user already exists, the following user attributes cannot be updated: email, email\_verified, phone, phone\_verified, username. If these do not match the existing user, an error will be returned. The user's email. Whether this email address is verified (true) or unverified (false). The user's family name(s). The user's given name(s). The user's full name. The user's nickname. The user's phone number (following the E.164 recommendation). Whether this phone number has been verified (true) or not (false). A URI pointing to the user's picture. The user's unique identifier within the connection. The user's username. Whether the user will receive a verification email after creation (true) or no email (false). Options to control the behavior of the setUserByConnection command. * `creationBehavior` - behavior to apply if no user with the specified user\_id exists in the connection. Can be 'create\_if\_not\_exists', which will cause a new user to be created using the supplied user attributes; or 'none', which will result in no user being created and an error being returned if no user exists. * `updateBehavior` - Behavior to apply if a user with specified user\_id already exists in the connection. Can be 'replace', which results in the existing user's attributes being replaced with the specified user attributes; or 'none' which means the existing user will not be modified. Behavior to apply if no user with the specified user\_id exists in the connection. Allowed values: `create_if_not_exists`, `none` Behavior to apply if a user with specified user\_id already exists in the connection. Allowed values: `none`, `replace` ```js Set user by connection with full profile attributes theme={null} exports.onExecuteCustomTokenExchange = async (event, api) => { // 1. Validate subject_token const subject_token = await validateToken(event.transaction.subject_token, jwksUri); // 2. Apply your authorization policy on the user const isAuthorized = await authorizeAccess(subject_token.sub); if (!isAuthorized) { api.access.deny('Unauthorized_login', 'User cannot login due to reason: X'); } // 3. Set the user for the transaction api.authentication.setUserByConnection( 'My Connection', { user_id: subject_token.sub, email: subject_token.email, email_verified: subject_token.email_verified, phone_number: subject_token.phone_number, phone_verified: subject_token.phone_number_verified, username: subject_token.preferred_username, name: subject_token.name, given_name: subject_token.given_name, family_name: subject_token.family_name, nickname: subject_token.nickname, verify_email: false }, { creationBehavior: 'create_if_not_exists', updateBehavior: 'none' } ); return; }; ``` ```js Create a user without verifying email theme={null} exports.onExecuteCustomTokenExchange = async (event, api) => { // Validate subject_token const subject_token = await validateToken(event.transaction.subject_token, jwksUri); // Create a user but don't verify email api.authentication.setUserByConnection( 'My Connection', { user_id: subject_token.sub, email: subject_token.email, email_verified: false, verify_email: false }, { creationBehavior: 'create_if_not_exists', updateBehavior: 'none' } ); return; }; ``` ### `api.authentication.setOrganization(organization_id_or_name)` Set the organization for the user associated with the token exchange. The ID or name of the organization to set for the user. ```js theme={null} exports.onExecuteCustomTokenExchange = async (event, api) => { // 1. Validate subject_token const subject_token = await validateToken(event.transaction.subject_token, jwksUri); // 2. Apply your authorization policy on the user const isAuthorized = await authorizeAccess(subject_token.sub); if (!isAuthorized) { api.access.deny('Unauthorized_login', 'User cannot login due to reason: X'); } // 3. Set the organization for the transaction api.authentication.setOrganization('org_xS525r979AS33MSf'); // 4. Set the user for the transaction. You may also use setUserByConnection() api.authentication.setUserById(subject_token.sub); return; }; ``` ### `api.authentication.setActor(actor)` Set the actor for the token exchange to represent the entity acting on behalf of the subject. Must be used alongside the setUserById or SetUserByConnection commands. Calling setActor is optional. Receiving an actor\_token in the request does not automatically produce an act claim; the Action must explicitly call this method. Refresh tokens are not issued when an actor is set for the transaction. A nested object representing a delegation chain. Up to 4 additional act levels are allowed (5 actors total, including the root actor). For each level, the `sub` field is required; up to 5 additional custom properties (string, boolean, or number values) may be provided. ```js theme={null} exports.onExecuteCustomTokenExchange = async (event, api) => { // 1. Validate subject_token const subject_token = await validateToken(event.transaction.subject_token, jwksUri); const actor_token = await validateToken(event.transaction.actor_token, jwksUri); // 2. Set the actor for the transaction api.authentication.setActor({ sub: actor_token.sub }); // 3. Set the user for the transaction api.authentication.setUserById(subject_token.sub); return; }; ``` ## `api.user` Request changes to the user corresponding to the subject token. ### `api.user.setAppMetadata(key, value)` Set application-specific metadata for the user corresponding to the subject token. The metadata property to be set. The value of the metadata property. This may be set to `null` to remove the metadata property. ```js theme={null} exports.onExecuteCustomTokenExchange = async (event, api) => { // Validate subject_token const subject_token = await validateToken(event.transaction.subject_token, jwksUri); // set the user for the transaction api.authentication.setUserById(subject_token.id); // set user group based on info contained in subject_token api.user.setAppMetadata('group', subject_token.group); return; }; ``` ### `api.user.setUserMetadata(key, value)` Set general metadata for the user corresponding to the subject token. The metadata property to be set. The value of the metadata property. This may be set to `null` to remove the metadata property. ```js theme={null} exports.onExecuteCustomTokenExchange = async (event, api) => { // Validate subject_token const subject_token = await validateToken(event.transaction.subject_token, jwksUri); // set the user for the transaction api.authentication.setUserById(subject_token.id); // set user preferred_locale based on info contained in subject_token api.user.setUserMetadata('preferred_locale', subject_token.locale); return; }; ``` ## `api.cache` Store and retrieve data that persists across executions. ### `api.cache.delete(key)` Delete a record describing a cached value at the supplied key if it exists. The key of the cache record to delete. ### `api.cache.get(key)` Retrieve a record describing a cached value at the supplied key, if it exists. If a record is found, the cached value can be found at the `value` property of the returned object. The key of the record stored in the cache. ### `api.cache.set(key, value, options)` Store or update a string value in the cache at the specified key. Values stored in this cache are scoped to the Trigger in which they are set. They are subject to the [Actions Cache Limits](https://auth0.com/docs/customize/actions/limitations). Values stored in this way will have lifetimes of *up to* the specified `ttl` or `expires_at` values. If no lifetime is specified, a default of lifetime of 15 minutes will be used. Lifetimes may not exceed the maximum duration listed at [Actions Cache Limits](https://auth0.com/docs/customize/actions/limitations). **Important**: This cache is designed for short-lived, ephemeral data. Items may not be available in later transactions even if they are within their supplied their lifetime. The key of the record to be stored. The value of the record to be stored. Options for adjusting cache behavior. The absolute expiry time in milliseconds since the unix epoch. While cached records may be evicted earlier, they will never remain beyond the the supplied `expires_at`. *Note*: This value should not be supplied if a value was also provided for `ttl`. If both options are supplied, the earlier expiry of the two will be used. The time-to-live value of this cache entry in milliseconds. While cached values may be evicted earlier, they will never remain beyond the the supplied `ttl`. *Note*: This value should not be supplied if a value was also provided for `expires_at`. If both options are supplied, the earlier expiry of the two will be used.