How can I renew accessToken for external API

Hi there,

I am building my very first own application, and it is a challenge! :sweat_smile:
But, I am not a quitter, so after 2 months struggling with setting up auth0 for my app, I finally come here hoping someone can help me get through this last part now.

I am building an app that works with data from Exact Online. So the user should be able to login to their exact online account and after that they should be able to get data from their Exact Online accounts through the API with the accessToken that Exact Online provided.

I was able to receive the Exact Online accessToken from the identitites part of the user like this in my Node.js express server.js:

app.get('/api/accesstoken', async (req, res) => {
    const userID = req.query.userID;
    const apiToken = process.env.REACT_APP_AUTH0_MANAGEMENT_API_ACCESS_TOKEN;
    const options = {
        headers: {
            Authorization: `Bearer ${apiToken}`

    try {
        const response = await axios.get(`https:[...]/api/v2/users/${encodeURIComponent(userID)}?fields=identities&include_fields=true`, options);
        const identities =;
        const accessToken = identities[0].access_token;
        res.send({ accessToken });

    } catch (error) {
        res.status(500).send({ error: 'Error fetching user data' });
        console.log("error: ", error);

I can make a successful API call to Exact Online with this, only after the accessToken expires (10 minutes) it does not get renewed, so I need to logout and login again.

I am a bit stuck on how to handle this, because I can’t seem to receive the RefreshToken that Exact Online provides from the management API, so building a renewal flow into my code is not possible, right? Or am I doing something completely wrong maybe? Is there some workaround for this use case?

Se the big question is, how can I make sure that the user gets a new Exact Online accessToken every 10 minutes for as long as they are active in the app? (So not the auth0 accessToken, because I cannot use that to make API calls to exact online).

I can’t find any documentation about this specific use case and chatGPT 4 also had no clue :wink:, so I hope a real expert is around here to help me get through this.

What am I missing, or doing wrong, or: is what I want even possible?

Thank you in advance for taking the time to read my question and see if you can give me some advice.

Hi Sabrina :wave:

If your application is looking for an Exact Online specific Access Token (or an Exact Online specific Refresh Token ) in order to call Exact Online specific APIs - either directly, or via an SDK - then you will typically need to redirect to the Exact Online Authorization server directly in order to obtain said token(s). You can do this once authentication via Auth0 has completed, and it should be a seamless operation - i.e. the user should not be asked to interactively login - as the (Exact Online) SSO session already established by authenticating via Auth0 will be used.

For convenience, Auth0 typically stores the Access Token that might returned by an upstream IdP as part of first-factor authentication. And Auth0 typically stores such a token as part of the user’s profile record in the corresponding entry in the identities array, and accessible via a call to the Auth0 Management API. However, such tokens are typically short-lived, and typically are provided so that Auth0 Extensibility - such as an Action, Rule or Hook - can call upstream IdP services to obtain additional information about a user as part of the login process. Auth0 does not typically store any Refresh Token delivered by an upstream IdP.

Hope that helps :slight_smile:

1 Like

Hi Peter,

So, in other words, I cant use auth0 with exact online, I should set up my own oauth 2.0 flow in my app? Delete everything and start over - once again? I think I want to cry a liitle now :disappointed:

Hi Sabrina

Auth0 is an Authorization Server as defined here, so you can absolutely leverage Exact Online as an upstream IdP to Auth0 - using Auth0 to abstract any nuances with respect to the Exact Online OIDC implementation; using Exact Online to provide (user) profile information; using Auth0 to provide SSO and add factors such as MFA, etc. And also use Auth0 to secure your own APIs via OAuth 2 protocol. However, Auth0 is not designed to proxy 3rd party APIs - such as the Exact Online API - nor generate OAuth 2 tokens for use on their behalf.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.