- Track guest users across page loads and sessions
- Store metadata such as shopping cart references, preferences, consents, and profiling information
- Issue access tokens for API calls without requiring authentication
- Transfer anonymous activity to authenticated accounts when users sign up or log in
How it works
Gather anonymous sessions data
When you decide to start gathering information about a user, even one who has not authenticated yet, your application sends aPOST request to the /anonymous/token endpoint.
Auth0 responds with two tokens:
- A session token that identifies and persists the anonymous session.
- An access token that the user can present to your resource servers (APIs).
user_id, so all activity is traceable to a single origin.
Using the access token, anonymous users can call any of your existing APIs.
Anonymous session data of user anon@1234-5678-90
Transfer anonymous sessions data to user’s metadata
When a user who has an anonymous session decides to log in or sign up, your application passes theanonymous_session_token to the /authorize endpoint using a cookie or an HTTP header.
cookie example
authorize endpoint example
pre-user-registration and post-login Actions triggers using the event.anonymous_session object.
anonymous session object
End the anonymous session after transfer
Anonymous sessions are not automatically invalidated when a user authenticates. To end the session use the/anonymous/logout endpoint:
Best practices
Here are some best practices for anonymous sessions:- Configure appropriate anonymous session lifetimes to avoid losing a user’s anonymous session data; Auth0 recommends a lifetime of 30 days or longer.
- Select anonymous session’s JSON Web Encryption (JWE) encryption to ensure that potential attackers cannot see the contents of the session.
-
Restrict what anonymous
anon@users can do in your API. - Validate tokens and sanitize metadata, never trust metadata or tokens from clients without server-side validation.
- Cache access tokens since they can be reused until they expire.
- Batch and minimize metadata updates. Avoid frequent metadata updates.
Limitations
- Password reset flows are not supported by anonymous sessions.
- Device Code is not supported because the authentication request and the actual login happen on different devices.
- Client-Initiated Backchannel Authentication (CIBA) is not supported because the authentication request and confirmation happen on different devices.
- Custom token exchange is not supported due to the nature of the transactions (for example, impersonation), which creates a likelihood of attributing anonymous data to the wrong user.
- Refresh token exchange is not supported by anonymous sessions because the user is already logged in if they had a refresh token.
Learn more
- Configure Anonymous Sessions Learn how to configure anonymous sessions.
- Anonymous Sessions Use Cases Learn about anonymous sessions use cases.