Skip to main content
In anonymous user flows, in which there is no authenticated user, Auth0 provides a mechanism to establish a session anonymously. Auth0 issues a session token and an access token in response to an /anonymous/token request. To learn more, read Configure Anonymous Sessions.
  • The session token contains the anonymous user identity and session information attributes.
  • The access token is usually a JSON Web Token (JWT) whose claims can be read and processed by a resource server (API), whereas the session token is opaque and only meant to be read by Auth0.
Typically, a user needs a new access token when gaining access to a resource for the first time, or after the previous access token granted to them expires. A session token is a credential artifact that your application can use to get a new access token when necessary. You can continue to request new access tokens until the anonymous_session_lifetime expires.

Session token benefits

  • A session token is not bound to the device that created the session. It can be ported and used on a different device.
  • A session token can be included in authorization requests, and the information inside the session token is available in Actions, to complement the login transaction.

Learn more