How to Use Trusted Auth Tokens
The Trusted Auth Tokens feature allow developers to attest end-user identities by exchanging pre-verified JWTs for Stytch sessions. This gives teams the power to integrate custom authentication factors or external identity providers without needing bespoke code or full OIDC/OAuth support.
Use this feature to build flexible auth flows that use existing JWT infrastructure and securely interoperate with partners.
Use cases
Trusted auth tokens support a range of powerful patterns:
- 3rd-party SSO integrations – Exchange external identity provider tokens (e.g., Vercel, Zendesk) for Stytch sessions.
- Bring-your-own-auth – Let your product issue its own ID tokens that Stytch accepts via a secure profile.
- Custom auth factors – Layer on external authentication (like biometric scans or hardware device attestation) and represent them in the Stytch session.
How it works
- Configure a Trusted Auth Token Profile in the Stytch dashboard with:
- JWT issuer and audience
- Public key(s) or JWKS endpoint
- Attribute mapping for session identity
- Issue a token from your backend or accept one from a 3rd party.
- Exchange the token using Stytch's API to start or extend a session.
Setting up a Trusted Auth Token Profile
In Dashboard, navigate to the Trusted Auth Tokens page. Here you can create a new Trusted Auth Token Profile for the provider of the tokens that you want to attest, or view and edit existing profiles.
The issuer (iss) and audience (aud) should match the corresponding values in the JWTs that you are trying to attest.
For the public keys, provide either a dynamic JWKS url, or add up to five static PEMs.
Lastly, the attribute mapping allows you to map the field names in the JWTs you wish to attest to corresponding fields in Stytch. The email value will be used to determine who you are trying to create or update a session for (note: the user or member must already exist in the Stytch project), and the token id used to identify the token in the session's auth factor.