Selecting a specific connected account when using Auth0 Token Vault token exchange

Hi everyone,

We’ve run into a question while using Auth0 Token Vault and were hoping the community could help clarify what’s possible here.

Context

We’re using the Token Vault token exchange flow to exchange an Auth0 access token for a Google access token:

import os
import requests

# Tenant, client credentials and the user's Auth0 access token (assumed to be
# loaded from the environment; the original post does not show where they come from)
AUTH0_DOMAIN = os.environ["AUTH0_DOMAIN"]
CUSTOM_CLIENT_ID = os.environ["CUSTOM_CLIENT_ID"]
CUSTOM_CLIENT_SECRET = os.environ["CUSTOM_CLIENT_SECRET"]
access_token = os.environ["AUTH0_ACCESS_TOKEN"]

# 1) Token exchange: Auth0 access token -> Google access token (Token Vault)
exchange_payload = {
    "client_id": CUSTOM_CLIENT_ID,
    "client_secret": CUSTOM_CLIENT_SECRET,
    "subject_token": access_token,
    "grant_type": "urn:auth0:params:oauth:grant-type:token-exchange:federated-connection-access-token",
    "subject_token_type": "urn:ietf:params:oauth:token-type:access_token",
    "requested_token_type": "http://auth0.com/oauth/token-type/federated-connection-access-token",
    "connection": "google-oauth2",
    # Optional: "login_hint": "user@gmail.com"
}

exchange_res = requests.post(
    f"https://{AUTH0_DOMAIN}/oauth/token",
    json=exchange_payload,
    timeout=10,
)
exchange_data = exchange_res.json()
if exchange_res.ok:
    google_access_token = exchange_data["access_token"]  # the federated (Google) token
else:
    print(exchange_data)  # {"error": ..., "error_description": ...} on failure

We can also successfully query the connected accounts for the current user:

# The My Account API is called with the user's Auth0 access token as a bearer
# token (assumed; the original post does not show how `headers` is built)
headers = {"Authorization": f"Bearer {access_token}"}

accounts_res = requests.get(
    f"https://{AUTH0_DOMAIN}/me/v1/connected-accounts/accounts",
    headers=headers,
    timeout=10,
)
accounts_res.raise_for_status()

accounts_data = accounts_res.json()
accounts = accounts_data.get("accounts", [])

print("\nConnected accounts (parsed):")
if not accounts:
    print("No connected accounts found.")
else:
    for acc in accounts:
        print("-" * 40)
        print(f"ID:         {acc.get('id')}")
        print(f"Connection: {acc.get('connection')}")
        print(f"AccessType: {acc.get('access_type')}")
        print(f"Scopes:     {', '.join(acc.get('scopes', []))}")
        print(f"CreatedAt:  {acc.get('created_at')}")

Example output (simplified):

Connected accounts:
----------------------------------------
ID:         cac_ft8iPJvQHvFKr1ceabtktF
Connection: google-oauth2
AccessType: offline
CreatedAt:  2025-12-04T16:04:45.967Z
----------------------------------------
ID:         cac_tBV7uLn6NTAKgHPX1cw9DP
Connection: google-oauth2
AccessType: offline
CreatedAt:  2026-01-24T14:24:09.969Z

What we tried

We attempted to use the optional login_hint parameter in the token exchange request (with the correct Google account email corresponding to one of the connected accounts).

However, whenever we include login_hint, the exchange fails with the following error:

{
  "error": "federated_connection_refresh_token_not_found",
  "error_description": "Federated connection Refresh Token not found."
}

This happens even though:

  • The connected account exists

  • The account has offline access

  • The email in login_hint matches the linked Google account

Question

When a user has multiple google-oauth2 connected accounts, we’d like to explicitly choose which one is used during the token exchange.

Specifically:

  • Is login_hint expected to work in this scenario, or is it unsupported for Token Vault exchanges?

  • Is there another supported way to select a specific connected account (for example by connected account ID like cac_ft8iPJvQHvFKr1ceabtktF)?

  • Or is the behavior intentionally implicit when multiple accounts exist for the same connection?

Our goal is to reliably obtain a Google access token for a particular linked Google account, rather than letting Auth0 choose implicitly.

Any guidance, confirmation of support, or recommended patterns would be greatly appreciated.

Thanks in advance for your help!

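As an added example (not code from the original post or from Auth0), the exchange described above factored into small, testable helpers: the payload builder keeps the grant-type and token-type URNs exactly as the post shows them, `exchange_token` takes a requests.post-compatible callable so the flow can be exercised against a constructed stand-in, and `offline_accounts` narrows the My Account API listing to accounts with offline access, since the error reported above names a missing refresh token. The `access_token` field of the success response, the `FakeResponse`/`fake_post` stand-in (which mirrors the behaviour reported in the post, not Auth0's documented handling of `login_hint`), the third "online" account entry and the helper names are assumptions or constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Grant/token-type URNs exactly as in the post
GRANT_TYPE = "urn:auth0:params:oauth:grant-type:token-exchange:federated-connection-access-token"
SUBJECT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
REQUESTED_TOKEN_TYPE = "http://auth0.com/oauth/token-type/federated-connection-access-token"


class TokenVaultError(Exception):
    """Exchange refused; carries only Auth0's error code and description (no token material)."""

    def __init__(self, error: str, description: str):
        super().__init__(f"{error}: {description}")
        self.error, self.description = error, description


def build_exchange_payload(client_id: str, client_secret: str, subject_token: str,
                           connection: str, login_hint: Optional[str] = None) -> dict:
    """Body for POST /oauth/token; login_hint is sent only when given."""
    payload = {
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": subject_token,
        "grant_type": GRANT_TYPE,
        "subject_token_type": SUBJECT_TOKEN_TYPE,
        "requested_token_type": REQUESTED_TOKEN_TYPE,
        "connection": connection,
    }
    if login_hint is not None:
        payload["login_hint"] = login_hint
    return payload


def exchange_token(post: Callable, domain: str, payload: dict) -> str:
    """Run the exchange through `post` (requests.post or a stand-in with the same
    signature); return the federated access token or raise TokenVaultError."""
    res = post(f"https://{domain}/oauth/token", json=payload, timeout=10)
    body = res.json()
    if not res.ok:
        raise TokenVaultError(body.get("error", "unknown_error"), body.get("error_description", ""))
    return body["access_token"]  # assumed field name of the successful response


def offline_accounts(accounts_json: dict, connection: str) -> list:
    """Connected accounts for `connection` with access_type "offline". The error in
    the post names a missing refresh token, so this is a cheap precondition check
    (assumption: "offline" marks accounts that hold a stored refresh token)."""
    return [acc for acc in accounts_json.get("accounts", [])
            if acc.get("connection") == connection and acc.get("access_type") == "offline"]


# Constructed stand-in for requests.post so the module runs offline. It mirrors
# the behaviour reported in the post (not Auth0's documented handling): success
# without login_hint, federated_connection_refresh_token_not_found with it.
@dataclass
class FakeResponse:
    status_code: int
    body: dict

    @property
    def ok(self) -> bool:
        return self.status_code < 400

    def json(self) -> dict:
        return self.body


def fake_post(url: str, json: dict, timeout: int = 10) -> FakeResponse:
    if "login_hint" in json:
        return FakeResponse(400, {"error": "federated_connection_refresh_token_not_found",
                                  "error_description": "Federated connection Refresh Token not found."})
    return FakeResponse(200, {"access_token": "ya29.constructed-google-token", "token_type": "Bearer"})


# Listing taken from the post's example output plus one constructed non-offline entry
SAMPLE_ACCOUNTS = {"accounts": [
    {"id": "cac_ft8iPJvQHvFKr1ceabtktF", "connection": "google-oauth2",
     "access_type": "offline", "created_at": "2025-12-04T16:04:45.967Z"},
    {"id": "cac_tBV7uLn6NTAKgHPX1cw9DP", "connection": "google-oauth2",
     "access_type": "offline", "created_at": "2026-01-24T14:24:09.969Z"},
    {"id": "cac_constructed_online_entry", "connection": "google-oauth2",
     "access_type": "online", "created_at": "2026-02-01T00:00:00.000Z"},
]}


def run_demo(domain: str = "example.auth0.com") -> dict:
    """Exercise both exchange paths against the stand-in and report the outcome."""
    base = build_exchange_payload("client-id", "client-secret", "auth0-access-token", "google-oauth2")
    result = {"offline_ids": [a["id"] for a in offline_accounts(SAMPLE_ACCOUNTS, "google-oauth2")],
              "without_hint": exchange_token(fake_post, domain, base)}
    try:
        exchange_token(fake_post, domain, dict(base, login_hint="user@gmail.com"))
        result["with_hint_error"] = None
    except TokenVaultError as e:
        result["with_hint_error"] = e.error
    return result
```

To run it against a real tenant, pass `requests.post` instead of `fake_post` and the user's listing from `/me/v1/connected-accounts/accounts` instead of `SAMPLE_ACCOUNTS`; the error type deliberately carries only Auth0's `error` and `error_description` so it can be logged without leaking the subject token or client secret.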