Get second access token with different audience

Hello,

So I currently have an application set up using the React SDK and that is going well. However, I have a need to fetch a new separate access token for a user pointing at the MFA audience with the enroll scope so that users on my backend can use it against the MFA API to kick off a custom MFA enrollment workflow for the user. Given the user is already authenticated and has an access token with our API as the audience, am I able to fetch another token with a separate audience and scope? I have tried calling getAccessToken silently with different audience and scope but that throws an error in the console about missing refresh token. While I would also like to avoid making a user log in again, it is not a hard requirement, so long as the original access token for our API does not get overwritten in the process.

Please let me know the best practice for this.

Hi @alindelbert,

Thanks for your question.

I recommend referring to our Error: Missing Refresh Token knowledge article on the error you experienced. Essentially, you might also need to pass in the scope=offline_access in your login request.

Let me quickly add that calling the getAccessTokenSilently() method with https://yourDomain.us.auth0.com/mfa/ as the audience will enforce MFA. Meaning that the user must complete MFA to get an MFA API token, as mentioned in this documentation.

While you can specify a secondary audience and silently authenticate, in this specific instance, because MFA is required, the user won’t need to provide their credentials again but will still need to complete MFA.

The alternative is to use the ROPG grant flow to get an MFA API access token.

Let me know how this works for you.

Best,
Rueben
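
Added example, not part of the thread and not Auth0's own code: one way to request the MFA API token silently and only prompt the user when the silent call cannot complete. It assumes the `@auth0/auth0-react` v2 option shape (`authorizationParams`); the helper names, the popup fallback, the list of error codes and the stub are illustrative assumptions.

```javascript
// `auth0` is the object returned by useAuth0(); option shape assumes auth0-react v2.
// Assumed list of error codes meaning "cannot finish silently, user must interact".
const NEEDS_INTERACTION = new Set([
  'missing_refresh_token', 'mfa_required', 'login_required',
  'interaction_required', 'consent_required',
]);

// MFA API audience in the form given in the answer: https://<tenant domain>/mfa/
const mfaAudience = (domain) => `https://${domain}/mfa/`;

async function getMfaEnrollToken(auth0, domain) {
  const options = {
    authorizationParams: { audience: mfaAudience(domain), scope: 'enroll' },
  };
  try {
    const token = await auth0.getAccessTokenSilently(options);
    return { token, interactive: false };
  } catch (err) {
    // Anything else (network failure, misconfiguration) is surfaced unchanged.
    if (!NEEDS_INTERACTION.has(err.error)) throw err;
    // The user still has to complete MFA, so prompt in a popup.
    const token = await auth0.getAccessTokenWithPopup(options);
    if (!token) throw new Error('popup closed without returning a token');
    return { token, interactive: true };
  }
}

// Constructed stand-in for useAuth0() so the flow can be exercised offline.
function makeStubAuth0(silentError) {
  const calls = [];
  const record = (kind, o) => calls.push(`${kind}:${o.authorizationParams.audience}`);
  return {
    calls,
    async getAccessTokenSilently(o) {
      record('silent', o);
      if (silentError) throw Object.assign(new Error(silentError), { error: silentError });
      return 'silent-token';
    },
    async getAccessTokenWithPopup(o) {
      record('popup', o);
      return 'popup-token';
    },
  };
}
```

In a component, pass the value returned by `useAuth0()` and your tenant domain to `getMfaEnrollToken`.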