React Native Auth0 - v5.5.0

    Interface ICredentialsManager

    Defines the contract for securely managing user credentials on the device. Implementations are responsible for secure storage (e.g., Keychain on iOS, EncryptedSharedPreferences on Android) and token refresh logic.

    interface ICredentialsManager {
        saveCredentials(credentials: Credentials): Promise<void>;
        getCredentials(
            scope?: string,
            minTtl?: number,
            parameters?: Record<string, any>,
            forceRefresh?: boolean,
        ): Promise<Credentials>;
        hasValidCredentials(minTtl?: number): Promise<boolean>;
        clearCredentials(): Promise<void>;
        getSSOCredentials(
            parameters?: Record<string, any>,
            headers?: Record<string, string>,
        ): Promise<SessionTransferCredentials>;
        getApiCredentials(
            audience: string,
            scope?: string,
            minTtl?: number,
            parameters?: Record<string, any>,
        ): Promise<ApiCredentials>;
        clearApiCredentials(audience: string, scope?: string): Promise<void>;
    }

    Methods

    • Securely saves a set of credentials to the device's storage.

      Parameters

      • credentials: Credentials

        The credentials object to store.

      Returns Promise<void>

      A promise that resolves when the credentials have been saved.

    • Retrieves the stored credentials.

      Parameters

      • Optional scope: string

        The scopes to request for the new access token (used during refresh).

      • Optional minTtl: number

        The minimum time-to-live (in seconds) required for the access token. If the token expires sooner, a refresh will be attempted.

      • Optional parameters: Record<string, any>

        Additional parameters to send during the token refresh request.

      • Optional forceRefresh: boolean

        If true, a token refresh will be attempted even if the current access token is not expired.

      Returns Promise<Credentials>

      A promise that resolves with the user's credentials.

      If the access token is expired and a refresh token is available, this method should attempt to automatically refresh the tokens and store the new ones.

    • Checks if a valid, non-expired set of credentials exists in storage.

      Parameters

      • Optional minTtl: number

        The minimum time-to-live (in seconds) required for the access token to be considered valid.

      Returns Promise<boolean>

      A promise that resolves with true if valid credentials exist, false otherwise.

    • Removes all credentials from the device's storage.

      Returns Promise<void>

      A promise that resolves when the credentials have been cleared.

    • Obtains session transfer credentials for performing Native to Web SSO.

      Parameters

      • Optional parameters: Record<string, any>

        Optional additional parameters to pass to the token exchange.

      • Optional headers: Record<string, string>

        Optional additional headers to include in the token exchange request. iOS only - this parameter is ignored on Android.

      Returns Promise<SessionTransferCredentials>

      A promise that resolves with the session transfer credentials.

      This method exchanges the stored refresh token for a session transfer token that can be used to authenticate in web contexts without requiring the user to log in again. The session transfer token can be passed as a cookie or query parameter to the /authorize endpoint to establish a web session.

      Session transfer tokens are short-lived and expire after a few minutes. Once expired, they can no longer be used for web SSO.

      If Refresh Token Rotation is enabled, this method will also update the stored credentials with new tokens (ID token and refresh token) returned from the token exchange.

      // Get session transfer credentials
      const ssoCredentials = await auth0.credentialsManager.getSSOCredentials();

      // Option 1: Use as a cookie.
      // HttpOnly is not included here: a cookie written through document.cookie
      // that carries the HttpOnly attribute is ignored by the browser.
      const cookie = `auth0_session_transfer_token=${ssoCredentials.sessionTransferToken}; path=/; domain=.yourdomain.com; secure`;
      document.cookie = cookie;

      // Option 2: Use as a query parameter
      const authorizeUrl = `https://${domain}/authorize?session_transfer_token=${ssoCredentials.sessionTransferToken}&...`;
      window.location.href = authorizeUrl;

    • Retrieves API-specific credentials for a given audience using the Multi-Resource Refresh Token (MRRT).

      Parameters

      • audience: string

        The identifier of the API for which to get credentials (e.g., 'https://api.example.com').

      • Optional scope: string

        The scopes to request for the new access token. If omitted, default scopes configured for the API will be used.

      • Optional minTtl: number

        The minimum time-to-live (in seconds) required for the access token. If the token expires sooner, a refresh will be attempted.

      • Optional parameters: Record<string, any>

        Additional parameters to send during the token refresh request.

      Returns Promise<ApiCredentials>

      A promise that resolves with the API credentials.

      This method obtains an access token for a specific API (audience). If a valid token is already cached, it's returned. Otherwise, it uses the refresh token to get a new one.

      Throws if the operation fails. Common error types include:

      • NO_CREDENTIALS: No stored credentials found
      • NO_REFRESH_TOKEN: Refresh token is not available (ensure 'offline_access' scope was requested during login)
      • API_EXCHANGE_FAILED: Token exchange for API credentials failed
      • STORE_FAILED: Failed to store API credentials
      • LARGE_MIN_TTL: Requested minimum TTL exceeds token lifetime
      • NO_NETWORK: Network error during token exchange

      try {
        const apiCredentials = await credentialsManager.getApiCredentials(
          'https://api.example.com',
          'read:data write:data'
        );
        console.log('Access Token:', apiCredentials.accessToken);
      } catch (error) {
        if (error instanceof CredentialsManagerError) {
          console.log('Error type:', error.type);
        }
      }

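The minTtl, forceRefresh and error-type rules described above for getCredentials and getApiCredentials, written out as an added TypeScript sketch (not the SDK's own code). StoredTokens, planRetrieval and checkRefreshed are hypothetical names, expiresAt in Unix seconds is an assumption, and the error names are taken from the list above.

```typescript
// Added example: stand-in types and names, not the SDK's own definitions.
type StoredTokens = { accessToken: string; expiresAt: number; refreshToken?: string }; // expiresAt: Unix seconds (assumed)
type ErrorType = 'NO_CREDENTIALS' | 'NO_REFRESH_TOKEN' | 'LARGE_MIN_TTL';
type Decision =
  | { action: 'use-cached' }
  | { action: 'refresh'; reason: 'forced' | 'expiring' }
  | { action: 'fail'; type: ErrorType };

// True when the token has minTtl seconds or less left. Treating the exact
// boundary as "expiring" is a conservative choice made for this sketch.
function expiresWithin(expiresAt: number, nowSec: number, minTtl: number): boolean {
  return expiresAt - nowSec <= minTtl;
}

// Decide what a getCredentials-style call should do before touching the network.
function planRetrieval(
  stored: StoredTokens | null,
  nowSec: number,
  minTtl = 0,
  forceRefresh = false,
): Decision {
  if (!stored) return { action: 'fail', type: 'NO_CREDENTIALS' };
  const reason: 'forced' | 'expiring' | null = forceRefresh
    ? 'forced'
    : expiresWithin(stored.expiresAt, nowSec, minTtl) ? 'expiring' : null;
  if (reason === null) return { action: 'use-cached' };
  // A refresh is needed but impossible without a refresh token (offline_access).
  if (!stored.refreshToken) return { action: 'fail', type: 'NO_REFRESH_TOKEN' };
  return { action: 'refresh', reason };
}

// After a refresh, reject a minTtl that even the brand-new token cannot meet;
// otherwise every later call would trigger another refresh.
function checkRefreshed(fresh: StoredTokens, nowSec: number, minTtl = 0): Decision {
  return expiresWithin(fresh.expiresAt, nowSec, minTtl)
    ? { action: 'fail', type: 'LARGE_MIN_TTL' }
    : { action: 'use-cached' };
}

// Constructed sample: an access token with 60 seconds of lifetime left.
const NOW = 1700000000;
const sample: StoredTokens = { accessToken: 'at.sample', expiresAt: NOW + 60, refreshToken: 'rt.sample' };
```

With the constructed sample, a call with no minTtl uses the cached token, while minTtl = 120 plans a refresh because only 60 seconds remain.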
    • Removes cached credentials for a specific audience. Optionally filter by scope to clear only specific scope-based credentials.

      This clears the stored API credentials for the given audience, forcing the next getApiCredentials call for this audience to perform a fresh token exchange.

      Parameters

      • audience: string

        The identifier of the API for which to clear credentials.

      • Optional scope: string

        Optional scope to clear. If credentials were fetched with a scope, it is recommended to pass the same scope when clearing them.

      Returns Promise<void>

      A promise that resolves when the credentials are cleared.

      Throws if the operation fails.

      // Clear all credentials for an audience
      await credentialsManager.clearApiCredentials('https://api.example.com');

      // Clear credentials for specific scope (recommended)
      await credentialsManager.clearApiCredentials('https://api.example.com', 'read:data');