Selecting a specific connected account when using Auth0 Token Vault token exchange

Hi everyone 👋,

We’ve run into a question while using Auth0 Token Vault and were hoping the community could help clarify what’s possible here.

Context

We’re using the Token Vault token exchange flow to exchange an Auth0 access token for a Google access token:

import requests

# Placeholders: tenant domain, credentials of the custom API client, and the
# Auth0 access token issued for the user (all defined elsewhere in our code).
AUTH0_DOMAIN = "YOUR_TENANT.auth0.com"
CUSTOM_CLIENT_ID = "YOUR_CLIENT_ID"
CUSTOM_CLIENT_SECRET = "YOUR_CLIENT_SECRET"
access_token = "USER_AUTH0_ACCESS_TOKEN"

# 1) Token exchange: Auth0 access token -> Google access token (Token Vault)
exchange_payload = {
    "client_id": CUSTOM_CLIENT_ID,
    "client_secret": CUSTOM_CLIENT_SECRET,
    "subject_token": access_token,
    "grant_type": "urn:auth0:params:oauth:grant-type:token-exchange:federated-connection-access-token",
    "subject_token_type": "urn:ietf:params:oauth:token-type:access_token",
    "requested_token_type": "http://auth0.com/oauth/token-type/federated-connection-access-token",
    "connection": "google-oauth2",
    # Optional: "login_hint": "user@gmail.com"
}

exchange_res = requests.post(
    f"https://{AUTH0_DOMAIN}/oauth/token",
    json=exchange_payload,
)
print(exchange_res.status_code, exchange_res.json())

We can also successfully query the connected accounts for the current user:

# Bearer token for the My Account API (the token must carry the
# https://{AUTH0_DOMAIN}/me/ audience, otherwise the call is rejected)
headers = {"Authorization": f"Bearer {access_token}"}

# 2) List the user's connected accounts
accounts_res = requests.get(
    f"https://{AUTH0_DOMAIN}/me/v1/connected-accounts/accounts",
    headers=headers,
)

accounts_data = accounts_res.json()
accounts = accounts_data.get("accounts", [])

print("\nConnected accounts (parsed):")
if not accounts:
    print("No connected accounts found.")
else:
    for acc in accounts:
        print("-" * 40)
        print(f"ID:         {acc.get('id')}")
        print(f"Connection: {acc.get('connection')}")
        print(f"AccessType: {acc.get('access_type')}")
        print(f"Scopes:     {', '.join(acc.get('scopes', []))}")
        print(f"CreatedAt:  {acc.get('created_at')}")

Example output (simplified):

Connected accounts:
----------------------------------------
ID:         cac_ft8iPJvQHvFKr1ceabtktF
Connection: google-oauth2
AccessType: offline
CreatedAt:  2025-12-04T16:04:45.967Z
----------------------------------------
ID:         cac_tBV7uLn6NTAKgHPX1cw9DP
Connection: google-oauth2
AccessType: offline
CreatedAt:  2026-01-24T14:24:09.969Z

What we tried

We attempted to use the optional login_hint parameter in the token exchange request (with the correct Google account email corresponding to one of the connected accounts).

However, whenever we include login_hint, the exchange fails with the following error:

{
  "error": "federated_connection_refresh_token_not_found",
  "error_description": "Federated connection Refresh Token not found."
}

This happens even though:

  • The connected account exists

  • The account has offline access

  • The email in login_hint matches the linked Google account

Question

When a user has multiple google-oauth2 connected accounts, we’d like to explicitly choose which one is used during the token exchange.

Specifically:

  • Is login_hint expected to work in this scenario, or is it unsupported for Token Vault exchanges?

  • Is there another supported way to select a specific connected account (for example by connected account ID like cac_ft8iPJvQHvFKr1ceabtktF)?

  • Or is the behavior intentionally implicit when multiple accounts exist for the same connection?

Our goal is to reliably obtain a Google access token for a particular linked Google account, rather than letting Auth0 choose implicitly.

Any guidance, confirmation of support, or recommended patterns would be greatly appreciated 🙏

Thanks in advance for your help!


Hi @laszlo.kovacs

Welcome to the Auth0 Community!

Indeed, the new Token Vault feature can be quite confusing, especially if the documentation is not clear enough about the API calls made for the specific exchange.

When making the Access Token exchange with Google, can you try passing in the user’s Google user_id which you want to select instead of their email address? As far as I am concerned, since you are making a request to Google to retrieve the necessary tokens, it requires their Google account’s user_id instead of the email address in order to find and retrieve the correct ones. I believe when you are passing their email as the login_hint, it is unable to identify the correct users and provide their tokens.

Let me know if that will provide you with a refresh token for the specific user or if you receive a different error.

Kind Regards,
Nik

Hi Nik,

Thanks a lot for your help!

I tried using the provider account’s user_id to identify a specific account during the token exchange, and that approach does work 👍
However, this solution isn’t entirely ideal for us, because it assumes that we already know the provider user_id.

In practice, we don’t have access to that value ahead of time. For testing your suggestion, I managed to collect the user_id in a somewhat hacky way, but that’s not something we can rely on in a real implementation.

Ideally, it would help a lot if the connected accounts endpoint returned the provider-specific user_id (for example, the sub claim). If the response from:

https://auth0.com/docs/secure/call-apis-on-users-behalf/token-vault/connected-accounts-for-token-vault#query-connected-accounts

included this identifier in a provider-agnostic way, then we could reliably select the correct connected account and pass that value to the access token exchange endpoint:

https://auth0.com/docs/secure/call-apis-on-users-behalf/token-vault/access-token-exchange-with-token-vault#step-3-backend-api-performs-access-token-exchange

At the moment, even though using user_id works for identification, we can’t use it in a convenient or supported way, because the /me/v1/connected-accounts/accounts endpoint doesn’t expose this information. This makes account selection difficult when multiple accounts are connected for the same provider.

Do you have any recommendations or best practices for handling this scenario?

Thanks again for your help — it’s much appreciated.

Best regards,
László

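Putting the thread's pieces together, here is an added example (not code from the thread and not Auth0's own) of how a backend can select one connected account explicitly and then run the Token Vault exchange, refusing to proceed when the choice would be ambiguous rather than letting the server pick. It uses the endpoints and grant/token-type URNs quoted in the original post; the `login_hint`, when supplied, is the provider's user id as in Nik's reply. The HTTP transport is injected so the logic runs offline: `SAMPLE_ACCOUNTS` and `fake_post` are constructed test fixtures (the `cac_…` ids are the ones shown in the post, the scopes are made up, and the fake reproduces the thread's `federated_connection_refresh_token_not_found` response for an e-mail hint).

```python
"""Explicit connected-account selection + Token Vault exchange (added example)."""
import json
import urllib.request

TOKEN_EXCHANGE_GRANT = "urn:auth0:params:oauth:grant-type:token-exchange:federated-connection-access-token"
SUBJECT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
REQUESTED_TOKEN_TYPE = "http://auth0.com/oauth/token-type/federated-connection-access-token"


class AmbiguousAccountError(Exception):
    """Several connected accounts match; refuse to let the server choose implicitly."""


class ExchangeError(Exception):
    """The /oauth/token exchange returned an OAuth error body."""
    def __init__(self, error, description):
        super().__init__(f"{error}: {description}")
        self.error = error


def select_account(accounts, connection, account_id=None, required_scopes=()):
    """Return exactly one usable account for `connection` from the
    /me/v1/connected-accounts/accounts response, or raise.

    An account is usable when it has offline access (a refresh token exists)
    and its granted scopes cover `required_scopes`. With `account_id` the match
    is pinned to that id; without it, more than one match is an error.
    """
    candidates = [
        a for a in accounts
        if a.get("connection") == connection
        and (account_id is None or a.get("id") == account_id)
        and a.get("access_type") == "offline"
        and set(required_scopes) <= set(a.get("scopes", []))
    ]
    if not candidates:
        raise LookupError(f"no usable {connection} account")
    if len(candidates) > 1:
        raise AmbiguousAccountError(
            f"{len(candidates)} {connection} accounts match; pass account_id")
    return candidates[0]


def exchange_for_connection_token(post, auth0_domain, client_id, client_secret,
                                  subject_token, connection, login_hint=None):
    """Run the Token Vault exchange. `post(url, payload) -> (status, body)`.

    `login_hint` is the provider user id of the wanted account (the form that
    worked in this thread), not the account's e-mail address.
    """
    payload = {
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": subject_token,
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token_type": SUBJECT_TOKEN_TYPE,
        "requested_token_type": REQUESTED_TOKEN_TYPE,
        "connection": connection,
    }
    if login_hint is not None:
        payload["login_hint"] = login_hint
    status, body = post(f"https://{auth0_domain}/oauth/token", payload)
    if status != 200 or "access_token" not in body:
        raise ExchangeError(body.get("error", "unknown_error"),
                            body.get("error_description", ""))
    return body["access_token"]


def urllib_post(url, payload):
    """Real transport (stdlib only): JSON POST, returns (status, parsed body)."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as res:
            return res.status, json.load(res)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)


# Constructed fixture shaped like the post's example output (scopes invented).
SAMPLE_ACCOUNTS = [
    {"id": "cac_ft8iPJvQHvFKr1ceabtktF", "connection": "google-oauth2",
     "access_type": "offline", "scopes": ["openid", "email"]},
    {"id": "cac_tBV7uLn6NTAKgHPX1cw9DP", "connection": "google-oauth2",
     "access_type": "offline",
     "scopes": ["openid", "email", "https://www.googleapis.com/auth/calendar.readonly"]},
]


def fake_post(url, payload):
    """Offline stand-in for /oauth/token reproducing the thread's error case:
    an e-mail address in login_hint fails, a provider user id succeeds."""
    if "@" in payload.get("login_hint", ""):
        return 400, {"error": "federated_connection_refresh_token_not_found",
                     "error_description": "Federated connection Refresh Token not found."}
    return 200, {"access_token": "ya29.constructed-google-token", "token_type": "Bearer"}


if __name__ == "__main__":
    acc = select_account(SAMPLE_ACCOUNTS, "google-oauth2",
                         required_scopes=["https://www.googleapis.com/auth/calendar.readonly"])
    print("selected", acc["id"])
    print(exchange_for_connection_token(fake_post, "tenant.example.auth0.com", "cid",
                                        "csecret", "auth0-at", "google-oauth2",
                                        login_hint="118000000000000000000"))
```

Pass `urllib_post` instead of `fake_post` to call the real tenant. The selection step deliberately fails closed: if two Google accounts both satisfy the request and the caller did not pin an account id, the code raises instead of letting whichever account the server picks decide whose data the Google token reaches.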