Skip to content

Add scope pinning and other improvements to privilege worker docs#1539

Open
seand52 wants to merge 4 commits into
mainfrom
privilege-worker-scope-pinning
Open

Add scope pinning and other improvements to privilege worker docs#1539
seand52 wants to merge 4 commits into
mainfrom
privilege-worker-scope-pinning

Conversation

@seand52

@seand52 seand52 commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Description

Update privilege worker documentation with the following:

  • Include new scope pinning functionality
  • Remove all references of refresh token exchanges
  • Improvements to configuration docs to make sure it works as expected

References

Testing

Checklist

  • I've read and followed CONTRIBUTING.md.
  • I've tested the site build for this change locally.
  • I've made appropriate docs updates for any code or config changes.
  • I've coordinated with the Product Docs and/or Docs Management team about non-trivial changes.

@seand52
seand52 requested a review from a team as a code owner July 14, 2026 15:19
@github-actions

github-actions Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Summary

Status Count
🔍 Total 5
✅ Successful 0
⏳ Timeouts 0
🔀 Redirected 0
👻 Excluded 5
❓ Unknown 0
🚫 Errors 0
⛔ Unsupported 0
Full Github Actions output

@mintlify

mintlify Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Preview deployment for your docs. Learn more about Mintlify Previews.

Project Status Preview Updated (UTC)
auth0-docs-dev 🟢 Ready View Preview Jul 14, 2026, 3:26 PM

💡 Tip: Enable Workflows to automatically generate PRs for you.

@mintlify

mintlify Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Preview deployment for your docs. Learn more about Mintlify Previews.

Project Status Preview Updated (UTC)
auth0-docs-staging 🟢 Ready View Preview Jul 14, 2026, 3:26 PM

💡 Tip: Enable Workflows to automatically generate PRs for you.

@mintlify

mintlify Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Preview deployment for your docs. Learn more about Mintlify Previews.

Project Status Preview Updated (UTC)
auth0 🟢 Ready View Preview Jul 14, 2026, 3:26 PM

💡 Tip: Enable Workflows to automatically generate PRs for you.

@mintlify

mintlify Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Preview deployment for your docs. Learn more about Mintlify Previews.

Project Status Preview Updated (UTC)
auth0 🟡 Building Jul 14, 2026, 3:19 PM

💡 Tip: Enable Workflows to automatically generate PRs for you.

@mintlify

mintlify Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Preview deployment for your docs. Learn more about Mintlify Previews.

Project Status Preview Updated (UTC)
auth0-docs-dev 🟡 Building Jul 14, 2026, 3:19 PM

💡 Tip: Enable Workflows to automatically generate PRs for you.

@mintlify

mintlify Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Preview deployment for your docs. Learn more about Mintlify Previews.

Project Status Preview Updated (UTC)
auth0-docs-staging 🟡 Building Jul 14, 2026, 3:19 PM

💡 Tip: Enable Workflows to automatically generate PRs for you.

@hazel-nut hazel-nut left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

a few copyediting notes

Comment on lines 6 to 8
<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
Privileged Worker Token Exchange with Token Vault is currently in Beta. To learn more about Auth0’s product release cycle, read [Product Release Stages](/docs/troubleshoot/product-lifecycle/product-release-stages). To participate in this program, contact [Auth0 Support](https://support.auth0.com/) or your Technical Account Manager.
Privileged Worker Token Exchange with Token Vault is currently in Early Access. To learn more about Auth0’s product release cycle, read [Product Release Stages](/docs/troubleshoot/product-lifecycle/product-release-stages). To participate in this program, contact [Auth0 Support](https://support.auth0.com/) or your Technical Account Manager.
</Callout>

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

## Configure client application

To configure the client application's privileged access to Token Vault, you need to provide a public key that will be used to verify a signed JWT as the subject token.
To configure the client application's privileged access to Token Vault, you need to provide a public key that will be used to verify a signed JWT as the subject token. You also need to restrict which IP addresses the client may make requests from, and pin the client to the connections and scopes it's allowed to request — without these, the Privileged Worker Token Exchange will not work.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
To configure the client application's privileged access to Token Vault, you need to provide a public key that will be used to verify a signed JWT as the subject token. You also need to restrict which IP addresses the client may make requests from, and pin the client to the connections and scopes it's allowed to request — without these, the Privileged Worker Token Exchange will not work.
To configure the client application's privileged access to Token Vault, you must:
* Provide a public key, which is used to verify a signed JWT as the subject token.
* Restrict which IP addresses the client may make requests from.
* Pin the client to the connections and scopes it's allowed to request.

2. Select the **Settings** tab, scroll to the **Privileged Worker** section, and toggle on **Enable Privileged Worker**. In the modal, select an existing public key credential or upload a new one, then select **Save**.
3. Once the credential is saved, enter at least one IP address or CIDR range in the **IP Allowlist** field.
4. Select **Save Changes**.
4. Under **Permissions**, select **Add Permission**. In the modal, select a **Connection** and enter the **Scopes** this connection is allowed to request, then select **Save**. Repeat for each connection you want to allow. You can configure up to 5 permissions and 20 scopes in total.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
4. Under **Permissions**, select **Add Permission**. In the modal, select a **Connection** and enter the **Scopes** this connection is allowed to request, then select **Save**. Repeat for each connection you want to allow. You can configure up to 5 permissions and 20 scopes in total.
4. Under **Permissions**, select **Add Permission**. In the window, select a **Connection** and enter the **Scopes** this connection is allowed to request, then select **Save**. Repeat for each connection you want to allow. You can configure up to 5 permissions and 20 scopes in total.

4. Select **Save Changes**.
4. Under **Permissions**, select **Add Permission**. In the modal, select a **Connection** and enter the **Scopes** this connection is allowed to request, then select **Save**. Repeat for each connection you want to allow. You can configure up to 5 permissions and 20 scopes in total.
5. Select **Save Changes**.
6. For each connection referenced in **Permissions**, make sure it's also enabled for this application. Navigate to **Authentication > [Connection type]**, select the connection, go to the **Applications** tab, and toggle the connection on for your application.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
6. For each connection referenced in **Permissions**, make sure it's also enabled for this application. Navigate to **Authentication > [Connection type]**, select the connection, go to the **Applications** tab, and toggle the connection on for your application.
6. Enable each connection referenced in **Permissions** for this application. Navigate to **Authentication > [Connection type]**, select the connection, go to the **Applications** tab, and toggle the connection on for your application.

### Configure IP allowlist

To restrict which IP addresses may make Privileged Worker exchange requests, configure an `ip_allowlist` on your client. This binds the client credential to known server egress IPs, so a leaked credential cannot be used from an arbitrary IP address. Both IPv4 and IPv6 addresses and CIDR ranges are supported, with a maximum of 10 entries.
For each connection referenced in `grants`, the connection must also be enabled for this client. Enable it with:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
For each connection referenced in `grants`, the connection must also be enabled for this client. Enable it with:
For each connection referenced in `grants`, you must also enable the connection for this client:

@@ -1,19 +1,19 @@
---
description: Learn how an application can access the Token Vault to exchange a JWT bearer token for an access or refresh token to call external APIs.
description: Learn how an application can access the Token Vault to exchange a JWT bearer token for an access token to call external APIs.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
description: Learn how an application can access the Token Vault to exchange a JWT bearer token for an access token to call external APIs.
description: Grant an application access to Token Vault so it can exchange a JWT bearer token for an access token to call external APIs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants