/
Contact usSee pricingStart building

    About B2B Saas Authentication

    Introduction
    Stytch B2B Basics
    Integration Approaches
      Full-stack overview
      Frontend (pre-built UI)
      Frontend (headless)
      Backend
    Next.js
      Routing
      Authentication
      Sessions
    Migrations
      Overview
      Reconciling data models
      Migrating user data
      Additional migration considerations
      Zero-downtime deployment
      Defining external IDs for members
      Exporting from Stytch
    Custom Domains
      Overview

    Authentication

    Single Sign On
    • Resources

      • Overview
        External SSO Connections
        Standalone SSO
    • Integration Guides

      • Start here
        Backend integration guide
        Headless integration guide
        Pre-built UI integration guide
    OAuth
    • Resources

      • Overview
        Authentication flows
        Identity providers
        Google One Tap
        Provider setup
    • Integration Guides

      • Start here
        Backend integration
        Headless frontend integration
        Pre-built UI frontend integration
    Connected AppsBeta
      Setting up Connected Apps
      Client types
    • Integration Guides

      • Integrate with AI agents
        Integrate with a remote MCP server
    • Resources

      • About Remote MCP Servers
        Consent Management
    Sessions
    • Resources

      • Overview
        JWTs vs Session Tokens
        How to use Stytch JWTs
        Custom Claims
    • Integration Guides

      • Start here
        Backend integration
        Frontend integration
    Email OTP
      Overview
    Magic Links
    • Resources

      • Overview
        Email Security Scanner Protections
    • Integration Guides

      • Start here
        Backend integration
        Headless frontend integration
        Pre-built UI frontend integration
    Multi-Factor Authentication
    • Resources

      • Overview
    • Integration Guides

      • Start here
        Backend integration
        Headless frontend integration
        Pre-built UI frontend integration
    Passwords
    • Resources

      • Overview
        Strength policies
    • Integration Guides

      • Pre-built UI frontend integration
    UI components
      Overview
      Implement the Discovery flow
      Implement the Organization flow
    DFP Protected Auth
      Overview
      Setting up DFP Protected Auth
      Handling challenges
    M2M Authentication
      Authenticate an M2M Client
      Rotate client secrets
      Import M2M Clients from Auth0
    Trusted Auth Tokens
      How to use Trusted Auth Tokens

    Authorization & Provisioning

    RBAC
    • Resources

      • Overview
        Stytch Resources & Roles
        Role assignment
    • Integration Guides

      • Start here
        Backend integration
        Headless frontend integration
    SCIM
    • Resources

      • Overview
        Supported actions
    • Integration Guides

      • Using Okta
        Using Microsoft Entra
    Organizations
      Managing org settings
      JIT Provisioning

    Testing

    E2E testing
    Sandbox values
Get support on SlackVisit our developer forum

Contact us

B2B Saas Authentication

/

Guides

/

Authentication

/

Trusted Auth Tokens

/

How to use Trusted Auth Tokens

How to Use Trusted Auth Tokens

The Trusted Auth Tokens feature allow developers to attest end-user identities by exchanging pre-verified JWTs for Stytch sessions. This gives teams the power to integrate custom authentication factors or external identity providers without needing bespoke code or full OIDC/OAuth support.

Use this feature to build flexible auth flows that use existing JWT infrastructure and securely interoperate with partners.


Use cases

Trusted auth tokens support a range of powerful patterns:

  • 3rd-party SSO integrations – Exchange external identity provider tokens (e.g., Vercel, Zendesk) for Stytch sessions.
  • Bring-your-own-auth – Let your product issue its own ID tokens that Stytch accepts via a secure profile.
  • Custom auth factors – Layer on external authentication (like biometric scans or hardware device attestation) and represent them in the Stytch session.

How it works

  1. Configure a Trusted Auth Token Profile in the Stytch dashboard with:
    • JWT issuer and audience
    • Public key(s) or JWKS endpoint
    • Attribute mapping for session identity
  2. Issue a token from your backend or accept one from a 3rd party.
  3. Exchange the token using Stytch's API to start or extend a session.

Setting up a Trusted Auth Token Profile

In Dashboard, navigate to the Trusted Auth Tokens page. Here you can create a new Trusted Auth Token Profile for the provider of the tokens that you want to attest, or view and edit existing profiles.

The issuer (iss) and audience (aud) should match the corresponding values in the JWTs that you are trying to attest.

For the public keys, provide either a dynamic JWKS url, or add up to five static PEMs.

Lastly, the attribute mapping allows you to map the field names in the JWTs you wish to attest to corresponding fields in Stytch. The email value will be used to determine who you are trying to create or update a session for (note: the user or member must already exist in the Stytch project), and the token id used to identify the token in the session's auth factor.

Use cases

How it works

Setting up a Trusted Auth Token Profile

Attesting a Trusted Auth Token

Once you have a profile set up for the source of your trusted auth tokens, you can use the backend API to exchange a token for a Stytch session, or add it as an auth factor for an existing session.

You can view the full B2B Attest Session documentation here.