Call Others' APIs on Users' Behalf

Use Auth0 SDKs to fetch access tokens for social and enterprise identity providers from Auth0’s Token Vault. Using these access tokens, AI agents integrated with the application can call third-party APIs to perform tasks on the user’s behalf. By the end of this quickstart, you should have an AI application integrated with Auth0 that can:

Retrieve access tokens for a Google social connection.
Integrate with an AI agent to call Google APIs.

Pick your tech stack

LangGraph.js + Next.js
Vercel AI + Next.js
LangGraph + FastAPI
Vercel AI + React SPA

Prerequisites

Before getting started, make sure you have completed the following steps:

Create an Auth0 Account

To continue with this quickstart, you need to have an Auth0 account.

Create an Auth0 Application

Go to your Auth0 Dashboard to create a new Auth0 Application.

Navigate to Applications > Applications in the left sidebar.
Click the Create Application button in the top right.
In the pop-up select Regular Web Applications and click Create.
Once the Application is created, switch to the Settings tab.
Scroll down to the Application URIs section.
Set Allowed Callback URLs as: http://localhost:3000/auth/callback
Set Allowed Logout URLs as: http://localhost:3000
Click Save in the bottom right to save your changes.

To learn more about Auth0 applications, read Applications.

Enable Token Vault Grant

Enable the Token Vault Grant for your Auth0 Application. Go to Applications > [Your Application] > Settings > Advanced > Grant Types and enable the Token Vault grant type.

Create an Auth0 API

In your Auth0 Dashboard, go to Applications > APIs.
Create a new API with an identifier (audience).
Once API is created, go to the APIs Settings > Access Settings and enable Allow Offline Access.
Note down the API identifier for your environment variables.

To learn more about Auth0 APIs, read APIs.

Create a Custom API Client

The Custom API Client allows your API server to perform token exchanges using access tokens instead of refresh tokens. This client enables Token Vault to exchange an access token for an external API access token (e.g., Google Calendar API).

Navigate to Applications > APIs
Click the Create API button to create a new Custom API.
Go to the Custom API you created and click the Add Application button in the right top corner.
After that click the Configure Application button in the right top corner.
Note down the client id and client secret for your environment variables.

Configure Google Social Integration

Set up a Google developer account that allows for third-party API calls by following the Google Social Integration instructions.

OpenAI Platform

Set up an OpenAI account and API key.

Use sample app (recommended)
Integrate into your app

Clone sample app

Clone this sample app from the Auth0 AI samples repository:

git clone https://github.com/auth0-samples/auth0-ai-samples.git
cd auth0-ai-samples/call-apis-on-users-behalf/others-api/langchain-next-js

Create your environment file

In the root directory of your project, create a new .env.local file and add the following content:

.env.local

# Auth0 configuration
APP_BASE_URL='http://localhost:3000'
AUTH0_SECRET='random 32 byte value'
AUTH0_DOMAIN='<your-auth0-domain>'
AUTH0_CLIENT_ID='<your-auth0-application-client-id>'
AUTH0_CLIENT_SECRET='<your-auth0-application-client-secret>'

AUTH0_AUDIENCE="https://your.domain.us.langgraph.app"
AUTH0_SCOPE="openid profile email"
AUTH0_CUSTOM_API_CLIENT_ID="{yourCustomApiClientId}"
AUTH0_CUSTOM_API_CLIENT_SECRET="{yourCustomApiClientSecret}"

# OpenAI API Key or any provider supported by the Vercel AI SDK
OPENAI_API_KEY="YOUR_API_KEY"

# LANGGRAPH
LANGGRAPH_API_URL=http://localhost:54367
LANGCHAIN_CALLBACKS_BACKGROUND=false

To get your Auth0 application’s AUTH0_DOMAIN, AUTH0_CLIENT_ID, and AUTH0_CLIENT_SECRET, navigate to the Settings tab in the Auth0 Dashboard. You’ll find these values in the Basic Information section at the top. Copy each value to the matching setting.Next, run this command to generate a random 32 byte value and copy it to the AUTH0_SECRET field:

generate random 32 byte value

openssl rand -hex 32

Lastly, set your OpenAI API key or use any provider supported by the Vercel AI SDK:

.env.local

OPENAI_API_KEY="YOUR_API_KEY"

Install packages

Ensure you have npm installed or follow the instructions to install npm in its documentation. In the root directory of your project, run the following command to install the required packages:

npm install

Test your application

Start the application with npm run all:dev. Then, navigate to http://localhost:3000.

This opens LangGraph Studio in a new tab. You can safely close it.

If you are already logged in, make sure to log out and log back in using Google. Then, ask your AI agent to fetch emails from your Gmail account!That’s it! You successfully called a third-party API using Token Vault.

Next steps

You have successfully added the ability to get access tokens for tool calling to your application. For next steps:

Call your APIs on user’s behalf docs.
Learn more about Client-initiated account linking.
Learn more about how Auth0’s Token Vault manages the tokens of supported identity providers.

Auth0 for AI Agents

Get Started

Build with AI

Sample Apps

Guides

Glossary

Call Others' APIs on Users' Behalf

Pick your tech stack

Prerequisites

Clone sample app

Create your environment file

Install packages

Test your application

Next steps

Auth0 for AI Agents

Get Started

Build with AI

Sample Apps

Guides

Glossary

​Pick your tech stack

​Prerequisites

​Clone sample app

​Create your environment file

​Install packages

​Test your application

​Next steps

Pick your tech stack

Prerequisites

Clone sample app

Create your environment file

Install packages

Test your application

Next steps