The My Account API is available in Limited Early Access. By using this feature, you agree to the applicable Free Trial terms in Okta's Master Subscription Agreement. To learn more about Auth0's product release cycle, read Product Release Stages. To participate in this program, contact Auth0 Support or your Technical Account Manager.
Using Auth0 domain vs. custom domain
The My Account API supports using your canonical Auth0 domain or your custom domain, but you must use the same one throughout the entire process, including:
- Getting an access token
- Setting the audience value
- Calling the My Account API endpoint
Activate the My Account API
You can activate the My Account API for your tenant in the Auth0 Dashboard:
- Navigate to Authentication > APIs.
- Locate the MyAccount API banner.
- Select Activate.

The application API access policy for the My Account API has two settings:
- require_client_grant for user flows
- deny_all for client (machine-to-machine) flows
For user flows, the policy can instead be set to allow_all, which allows any application in your tenant to request any scope from the My Account API.
Because the My Account API exposes sensitive information and operations, Auth0 does not recommend using allow_all for user access flows. Follow the least privilege principle with the My Account API so that applications only get access to what they truly need, minimizing potential security risks.
The final permissions granted to the application will be determined by the intersection of the scopes allowed by the application API access policy, the Role-Based Access Control (RBAC) permissions assigned to the end user, and any user consent given (if applicable).
You cannot update the application API policy for client access to the My Account API, which means you cannot access the My Account API using the Client Credentials Flow.
Get an access token
You can get an access token for the My Account API in the same way you'd get an access token for one of your own APIs:
- Call Your API Using the Authorization Code Flow
- Call Your API Using the Authorization Code Flow with PKCE
If you're going to allow the My Account API to perform sensitive operations (such as enrolling an authentication method), we strongly recommend that you use step-up authentication to enforce additional security policies through multi-factor authentication (MFA).
Audience
The audience of the My Account API is https://{yourDomain}/me/.
Scope
The My Account API supports the following scopes:

| Scope | Description |
|---|---|
| create:me:authentication_methods | Allows the user to enroll a new authentication method. |
| read:me:authentication_methods | Allows the user to view existing authentication methods. |
| update:me:authentication_methods | Allows the user to modify existing authentication methods. |
| delete:me:authentication_methods | Allows the user to remove existing authentication methods. |
| read:me:factors | Allows the user to view the factors they can enroll. |
Examples
Universal Login with authorization code flow
Step 1: Request authorization code
Step 2: Exchange code for access token
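The following is an added example written for this page; it is not Auth0's own code or SDK. It assembles the two steps of the Authorization Code flow with PKCE for the My Account API: the /authorize URL with the documented audience (https://{yourDomain}/me/) and the scopes from the table above, and the form body for the code exchange at /oauth/token (standard Auth0 endpoints that this page itself does not spell out). It also shows two checks a client should make: that the authorize domain, audience and API endpoint all use the same host (the same-domain rule above), and that the scopes actually usable are the intersection of what was requested, what the application's access policy allows, the user's RBAC permissions and any consent. The tenant domain, client ID, redirect URI, authorization code and API endpoint path are constructed placeholders.

```python
"""Added example, not from the Auth0 docs or Auth0 SDKs: assemble an
Authorization Code + PKCE request for the My Account API, derive the
scopes a token can actually carry, and enforce the same-domain rule."""
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse

# Scopes listed on this page for the My Account API.
MY_ACCOUNT_SCOPES = {
    "create:me:authentication_methods",
    "read:me:authentication_methods",
    "update:me:authentication_methods",
    "delete:me:authentication_methods",
    "read:me:factors",
}


def pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) for the S256 method (RFC 7636)."""
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def my_account_audience(domain):
    """Audience value documented on this page: https://{yourDomain}/me/"""
    return f"https://{domain}/me/"


def same_domain(*urls):
    """True if every URL (authorize, audience, API endpoint) uses one host."""
    hosts = {urlparse(u).hostname for u in urls}
    return len(hosts) == 1


def effective_scopes(requested, policy_allowed, user_permissions, consented=None):
    """Scopes the token carries: intersection of the request, the access
    policy, the user's RBAC permissions and (when consent applies) consent."""
    scopes = set(requested) & set(policy_allowed) & set(user_permissions)
    if consented is not None:
        scopes &= set(consented)
    return sorted(scopes)


def build_authorize_url(domain, client_id, redirect_uri, scopes, state, code_challenge):
    """Step 1: the /authorize URL the browser is sent to (standard Auth0 endpoint)."""
    unknown = set(scopes) - MY_ACCOUNT_SCOPES
    if unknown:
        raise ValueError(f"not My Account API scopes: {sorted(unknown)}")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "audience": my_account_audience(domain),
        "scope": " ".join(sorted(scopes)),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"https://{domain}/authorize?{urlencode(params)}"


def build_token_request(domain, client_id, code, redirect_uri, code_verifier):
    """Step 2: form body for POST https://{domain}/oauth/token (standard Auth0 endpoint)."""
    return {
        "url": f"https://{domain}/oauth/token",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": {
            "grant_type": "authorization_code",
            "client_id": client_id,
            "code": code,
            "redirect_uri": redirect_uri,
            "code_verifier": code_verifier,
        },
    }


def build_api_request(domain, api_url, access_token):
    """Bearer request to the API; refuses an endpoint on a different host than
    the domain the token came from. api_url is supplied by the caller because
    this page does not list endpoint paths."""
    if not same_domain(f"https://{domain}/", my_account_audience(domain), api_url):
        raise ValueError("authorize domain, audience and API endpoint must match")
    return {"url": api_url, "headers": {"Authorization": f"Bearer {access_token}"}}


if __name__ == "__main__":
    # Constructed placeholder values; replace with your tenant's.
    domain, client_id = "example.us.auth0.com", "YOUR_CLIENT_ID"
    verifier, challenge = pkce_pair()
    want = {"read:me:authentication_methods", "create:me:authentication_methods"}
    print(build_authorize_url(domain, client_id, "https://app.example.com/cb",
                              want, secrets.token_urlsafe(16), challenge))
    print(build_token_request(domain, client_id, "CODE_FROM_CALLBACK",
                              "https://app.example.com/cb", verifier))
    # A user holding only the read permission ends up with only that scope.
    print(effective_scopes(want, MY_ACCOUNT_SCOPES, {"read:me:authentication_methods"}))
```

If you use a custom domain, pass it as `domain` everywhere; mixing `login.example.com` for the authorize step with `example.us.auth0.com` for the audience or the API call is exactly what `build_api_request` rejects.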
Embedded login with native passkeys
Step 1: Request login challenge
Step 2: Authenticate existing user
Rate limits
During Early Access, the My Account API is limited at a tenant level to 25 requests per second.
Cross-Origin Requests
If you intend to call the My Account API directly from a browser-based application (like a Single Page Application) running on a different domain than your Auth0 tenant, you will encounter the browser security policy known as Cross-Origin Resource Sharing (CORS). By default, browsers block these cross-origin requests. To allow your application to successfully make requests to the API, you must add your application's domain (its "origin") to the application's configuration:
- Navigate to Auth0 Dashboard > Applications > Applications and select the name of the application.
- Under Settings, toggle on **Allow Cross-Origin Authentication**.
- Enter your application's origin URL under Allowed Origins (CORS).
- Save your changes.
Adding your application's URL to this list tells Auth0 to trust requests from that origin, allowing your client-side application to access the API. If you do not need CORS for your application, ensure that Allow Cross-Origin Authentication is toggled off.