
The My Account API is available in Early Access. To request access, contact your Auth0 account manager or contact Auth0 Support. To learn more about Auth0’s product release cycle, read Product Release Stages.
The Auth0 My Account API provides a dedicated set of endpoints for users to manage their own account information. Customers can use these APIs to build self-service experiences in their applications or progressively add details to a user account. The My Account API operates within the context of the currently logged-in user and can be used directly within user-facing applications.
Using Auth0 domain vs. custom domain

The My Account API supports using your canonical Auth0 domain or your custom domain, but you must use the same one throughout the entire process, including:
  • Getting an access token
  • Setting the audience value
  • Calling the My Account API endpoint
For more information, read Custom Domains.

Activate the My Account API

You can activate the My Account API for your tenant in the Auth0 Dashboard:
  1. Navigate to Applications > APIs.
  2. Locate the MyAccount API banner.
  3. Select Activate.
By default, the My Account API is created with the following application API access policies:
  • require_client_grant for user flows
  • deny_all for client (machine-to-machine) flows
For an application to access the My Account API on the user’s behalf, you must explicitly create a client grant for that application, which lets you define the maximum scopes the application can request. Alternatively, you can change the policy for user access flows to allow_all, which lets any application in your tenant request any scope from the My Account API. Auth0 does not recommend allow_all for user access flows because the My Account API exposes sensitive information and operations. Follow the principle of least privilege with the My Account API so that applications get access only to what they truly need, minimizing potential security risk. The final permissions granted to the application are the intersection of the scopes allowed by the application API access policy, the Role-Based Access Control (RBAC) permissions assigned to the end user, and any user consent given (if applicable).
You cannot update the application API policy for client access to the My Account API, which means you cannot access the My Account API using the Client Credentials Flow.
To learn more about how to manage application API access policies and their associated client grants, read Application Access to APIs: Client Grants.

Default Policy setting

Authentication Assurance for the My Account API is currently in Early Access with a single-option policy. By using this feature, you agree to the applicable Free Trial terms in Okta’s Master Subscription Agreement. To learn more about Auth0’s product release cycle, read Product Release Stages. To participate in the program, contact Auth0 Support.
The Default Policy provides built-in authentication assurance for the My Account API by requiring Step-up Authentication. When enabled, Auth0 automatically enforces that users have authenticated recently and with a second factor: the policy requires that 2FA was completed within the last 15 minutes. Auth0 applies this rule at login and on every Refresh Token exchange:
  • If a user has an enrolled MFA factor, 2FA must be completed at login and again when their tokens are older than 15 minutes.
  • If a user has no enrollable factor, Auth0 allows initial access but returns an unmet_authentication_requirements error on refresh token exchanges after 15 minutes.
The Default Policy is not compatible with Classic Login. Enable this feature if your tenant uses Universal Login or a supported embedded flow (Resource Owner Password Flow or native passkeys).

Enable Default Policy

To enable the Default Policy for the My Account API:
  1. Navigate to Applications > APIs, then select the My Account API.
  2. Select the Settings tab.
  3. Under Default Policy, toggle on Require 2FA.
  4. Select Save.
When your tenant has the Default Policy enabled, it is automatically attached whenever a new My Account API is created.

Authentication requirements hierarchy

The Default Policy sits between the tenant-level MFA policy and any MFA logic you define in Actions:
  1. Tenant MFA policy — the base default applied across all authentication on your tenant
  2. Default Policy — overrides the tenant level specifically for the My Account API
  3. Actions — any MFA commands in Actions always take precedence over both

Default Policy behavior

The behavior depends on whether the user has an enrollable second factor.

Users with an enrolled MFA factor

For users enrolled with TOTP, email, or another supported factor:
  1. At login, Auth0 challenges the user with their enrolled factor before issuing tokens.
  2. The refresh token records the authentication method and timestamp (AMR).
  3. On refresh token exchange within 15 minutes of the last challenge, Auth0 issues a new access token without re-challenging.
  4. On refresh token exchange after 15 minutes, Auth0 challenges the user again before issuing tokens.

Users without an enrolled MFA factor

For users with no verified email and no enrolled factor:
  1. At login, Auth0 allows access without a second factor.
  2. On refresh token exchange within 15 minutes, Auth0 issues a new access token without challenge.
  3. On refresh token exchange after 15 minutes, Auth0 returns an unmet_authentication_requirements error.
When unmet_authentication_requirements is returned on a refresh token exchange, the token cannot be refreshed. Your application must restart the full authentication flow to obtain new tokens. The same error is returned for a silent login (prompt=none) when the user cannot satisfy the policy after 15 minutes.
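How a client should react to the refresh token exchange under the Default Policy, as an added example that is not Auth0's own code: the token endpoint call is injected as a callable so the example runs offline, and the sample responses (bodies and status codes) are constructed.

```python
import json
from dataclasses import dataclass
from typing import Callable, Optional

# Added example, not Auth0's own code. A normal refresh response is used as
# usual, but unmet_authentication_requirements means this refresh token will
# not succeed again: the client discards it and restarts the full interactive
# flow instead of retrying or attempting a silent login.

UNMET = "unmet_authentication_requirements"

@dataclass
class Session:
    access_token: Optional[str] = None
    refresh_token: Optional[str] = None
    needs_interactive_login: bool = False

def refresh(session: Session, exchange: Callable[[str], tuple[int, str]]) -> str:
    """Run one refresh token exchange and update the session.

    `exchange` performs the POST to /oauth/token with grant_type=refresh_token
    and returns (status, body); it is injected so the example runs offline.
    Returns the action the caller must take: use_tokens, login or error."""
    if not session.refresh_token:
        return "login"
    status, body = exchange(session.refresh_token)
    data = json.loads(body)
    if status == 200 and "access_token" in data:
        session.access_token = data["access_token"]
        # Keep a rotated refresh token if the response carries one.
        session.refresh_token = data.get("refresh_token", session.refresh_token)
        return "use_tokens"
    if data.get("error") == UNMET:
        # The token cannot be refreshed: drop it and require the full flow.
        # prompt=none is not a fallback, since a silent login receives the
        # same error once the user cannot satisfy the policy after 15 minutes.
        session.access_token = None
        session.refresh_token = None
        session.needs_interactive_login = True
        return "login"
    return "error"

# Constructed stand-ins for the token endpoint (bodies and status are made up).
def fresh_exchange(_refresh_token: str) -> tuple[int, str]:
    return 200, json.dumps({"access_token": "at-constructed", "token_type": "Bearer"})

def stale_exchange(_refresh_token: str) -> tuple[int, str]:
    return 403, json.dumps({"error": UNMET,
                            "error_description": "constructed: 2FA older than 15 minutes"})
```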

Get an access token

You can get an access token for the My Account API in the same way you’d get an access token for one of your own APIs.
If you need authentication assurance beyond the Default Policy — for example, to require a specific factor or to apply requirements to only certain operations — you can use step-up authentication with Actions to define custom MFA logic. Note that Actions always override the Default Policy.
If you’re using Universal Login, read the following articles:
If you’re using embedded login, read the following articles:

Audience

The audience of the My Account API is https://{yourDomain}/me/.

Scope

The My Account API supports the following scopes:
Scope                               Description
create:me:authentication_methods    Allows the user to enroll a new authentication method.
read:me:authentication_methods      Allows the user to view existing authentication methods.
update:me:authentication_methods    Allows the user to modify existing authentication methods.
delete:me:authentication_methods    Allows the user to modify existing authentication methods.
read:me:factors                     Allows the user to view the factors they can enroll.
For Connected Accounts with Token Vault, the My Account API supports the following scopes:
Scope                               Description
create:me:connected_accounts        Allows the user to connect a new account to their user profile.
read:me:connected_accounts          Allows the user to view the existing connected accounts linked to their user profile.
delete:me:connected_accounts        Allows the user to delete a connected account from their user profile.

Examples

Universal Login with authorization code flow

Step 1: Request authorization code
Step 2: Exchange code for access token
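The two steps above as an added example, not Auth0's own code: it builds the /authorize request (with PKCE) for the My Account API audience and the /oauth/token exchange body, and includes a check for the rule stated earlier on this page that the authorization request, the audience and the API call must all use the same domain. The domain, client id and redirect URI used with it are constructed values.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse

# Added example, not Auth0's own code. It builds the two requests of the
# authorization code flow (with PKCE) for the My Account API and checks the
# rule the page stresses: the authorization request, the audience value and
# the API call must all use the same domain, canonical or custom.

def pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge), S256 method of RFC 7636."""
    verifier = secrets.token_urlsafe(64)  # 86 URL-safe chars, within 43..128
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def authorize_url(domain: str, client_id: str, redirect_uri: str,
                  scopes: list[str], state: str, code_challenge: str) -> str:
    """Step 1: the /authorize request. The audience is https://{domain}/me/;
    request only the scopes the application's client grant allows."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "audience": f"https://{domain}/me/",
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"https://{domain}/authorize?{urlencode(params)}"

def token_request(domain: str, client_id: str, code: str,
                  redirect_uri: str, code_verifier: str) -> tuple[str, dict]:
    """Step 2: endpoint and form body that exchange the code at /oauth/token."""
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }
    return f"https://{domain}/oauth/token", body

def same_domain(*urls: str) -> bool:
    """True only if every URL given (authorize, audience, API call) has one host."""
    return len({urlparse(u).netloc.lower() for u in urls}) == 1
```

Call same_domain on the authorize URL, the audience and the My Account API URL you are about to call before sending the request; a mismatch between the canonical and custom domain is the misconfiguration the page warns about.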

Embedded login with native passkeys

Step 1: Request login challenge
Step 2: Authenticate existing user

Rate limits

During Early Access, the My Account API is limited at a tenant level to 25 requests per second.

Cross-Origin Requests

If you intend to call the My Account API directly from a browser-based application (like a Single Page Application) running on a different domain than your Auth0 tenant, you will encounter browser security policies known as Cross-Origin Resource Sharing (CORS). By default, browsers block these cross-origin requests. To allow your application to successfully make requests to the API, you must add your application’s domain (its “origin”) to your client’s configuration:
  1. Navigate to Dashboard > Applications. Select the application to view.
  2. Under Cross-Origin Authentication, toggle on Allow Cross-Origin Authentication.
  3. Locate Allowed Origins (CORS), and enter your application’s origin URL.
  4. Select Save.
Adding your application’s URL to this list tells Auth0 to trust requests from that origin, allowing your client-side application to access the API. If you do not need CORS for your application, ensure that Allow Cross-Origin Authentication is toggled off.
To learn more, read Configure Cross-Origin Resource Sharing.