Skip to main content
Anonymous sessions allow you to create and manage user sessions without requiring authentication. Users can browse, add items to carts or wishlists, complete purchases, and set preferences before creating an account. Users then bring their activity into their authenticated profile when they sign up or log in. Use anonymous sessions for the following use cases:
  • Track guest users across page loads and sessions
  • Store metadata such as shopping cart references, preferences, consents, and profiling information
  • Issue access tokens for API calls without requiring authentication
  • Transfer anonymous activity to authenticated accounts when users sign up or log in
Auth0 anonymous session Metadata is not a secure data store and should not be used to store sensitive information. This includes secrets and high-risk PII like social security numbers or credit card numbers, etc.Additionally, the data stored in an anonymous session is not verified for truthness or accuracy and should never be taken at face value.Auth0 customers are strongly encouraged to evaluate the data stored in metadata and only store that which is necessary for session tagging and access management purposes. To learn more, read Auth0 General Data Protection Regulation Compliance.”

How it works

Gather anonymous sessions data

When you decide to start gathering information about a user, even one who has not authenticated yet, your application sends a POST request to the /anonymous/token endpoint. Auth0 responds with two tokens: Subsequent calls that include the session token continue the same session for the same user_id, so all activity is traceable to a single origin. Using the access token, anonymous users can call any of your existing APIs.
Anonymous session data of user anon@1234-5678-90

Transfer anonymous sessions data to user’s metadata

When a user who has an anonymous session decides to log in or sign up, your application passes the anonymous_session_token to the /authorize endpoint using a cookie or an HTTP header.
cookie example
authorize endpoint example
Auth0 makes the anonymous session data available in your pre-user-registration and post-login Actions triggers using the event.anonymous_session object.
anonymous session object
To learn more about anonymous sessions with Actions, read Anonymous Sessions Use Cases.

End the anonymous session after transfer

Anonymous sessions are not automatically invalidated when a user authenticates. To end the session use the /anonymous/logout endpoint:

Best practices

Here are some best practices for anonymous sessions:
  • Configure appropriate anonymous session lifetimes to avoid losing a user’s anonymous session data; Auth0 recommends a lifetime of 30 days or longer.
  • Select anonymous session’s JSON Web Encryption (JWE) encryption to ensure that potential attackers cannot see the contents of the session.
  • Restrict what anonymous anon@ users can do in your API.
  • Validate tokens and sanitize metadata, never trust metadata or tokens from clients without server-side validation.
  • Cache access tokens since they can be reused until they expire.
  • Batch and minimize metadata updates. Avoid frequent metadata updates.

Limitations

  • Password reset flows are not supported by anonymous sessions.
  • Device Code is not supported because the authentication request and the actual login happen on different devices.
  • Client-Initiated Backchannel Authentication (CIBA) is not supported because the authentication request and confirmation happen on different devices.
  • Custom token exchange is not supported due to the nature of the transactions (for example, impersonation), which creates a likelihood of attributing anonymous data to the wrong user.
  • Refresh token exchange is not supported by anonymous sessions because the user is already logged in if they had a refresh token.

Learn more