/
Contact usSee pricingStart building
Node
​

    About Stytch

    Introduction
    Integration Approaches
      Full-stack overview
      Frontend (pre-built UI)
      Frontend (headless)
      Backend
    Migrations
      Migration overview
      Migrating users statically
      Migrating users dynamically
      Additional migration considerations
      Zero-downtime deployment
      Defining external IDs for users
      Migrating from Stytch Consumer to B2B
      Exporting from Stytch
    Custom Domains
      Overview

    Authentication

    DFP Protected Auth
      Overview
      Setting up DFP Protected Auth
      Handling challenges
    Magic Links

    • Email Magic Links

        • Getting started with the API
        Getting started with the SDK
        Replacing your password reset flow
        Building an invite user flow
        Add magic links to an existing auth flow
        Adding PKCE to a Magic Link flow
        Magic Link redirect routing

    • Embeddable Magic Links

        • Getting started with the API
    MFA
      Overview
      Backend integration
      Frontend integration
      Remembered device flow
    Mobile Biometrics
      Overview
    M2M Authentication
      Authenticate an M2M Client
      Rotate client secrets
      Import M2M Clients from Auth0
    OAuth

    • Identity providers

        • Overview
        Provider setup
      Getting started with the API (Google)
      Add Google One Tap via the SDK
      Email address behavior
      Adding PKCE to an OAuth flow
    Connected Apps
      Overview
      Getting started with the SDK
      Getting started with the API
      Client types
      OAuth scopes

    • Integration Guides

        • Integrate with an Existing Auth System
        MCP Authorization Overview
        Integrate with MCP servers deployed on Cloudflare
        Integrate with MCP servers on Vercel
        Integrate with CLI Apps
        Integrate with AI agents

    • Resources

        • Consent Management
        Custom Domains
        Testing Integrations
    Passcodes
      Getting started with the API
      Getting started with the SDK

    • Toll fraud

        • What is SMS toll fraud?
        How you can prevent toll fraud
      Unsupported countries
    Passkeys & WebAuthn

    • Passkeys

        • Passkeys overview
        Set up Passkeys with the frontend SDK

    • WebAuthn

        • Getting started with the API
        Getting started with the SDK
    Passwords
      Getting started with the API
      Getting started with the SDK
      Password strength policy

    • Email verification

        • Overview
        Email verification before password creation
        Email verification after password creation
    Sessions
      How to use sessions
      Backend integrations
      Frontend integrations
      Custom claims
      Custom claim templates
      Session tokens vs JWTs
      How to use Stytch JWTs
    TOTP
      Getting started with the API
      Getting started with the SDK
    Web3
      Getting started with the API
      Getting started with the SDK
    Trusted Auth Tokens
      Overview
      Getting Started with External IDPs
      Getting Started with Custom Auth Factors
    Device History
      New device notifications

    RBAC

    Resources
      Overview
      Role assignment
    Integration Guides
      Start here
      Backend integration
      Headless frontend integration
      (Legacy) Implement RBAC with metadata

    3rd Party Integrations

    Planetscale
    Supabase
    Feathery
    Unit

    Testing

    E2E testing
    Sandbox values
Get support on SlackVisit our developer forum

Contact us

Consumer Authentication

/

Guides

/

Authentication

/

Trusted Auth Tokens

/

Overview

Trusted Auth Tokens Overview

The Trusted Auth Tokens feature allows developers to attest end-user identities by exchanging signed JWTs for Stytch sessions. This gives teams the power to integrate custom authentication factors or external identity providers without needing bespoke code or full OIDC/OAuth support.

Use this feature to build flexible auth flows that use existing JWT infrastructure and securely interoperate with partners.

Use cases

Trusted auth tokens support a range of powerful patterns:

  • 3rd-party SSO integrations – Exchange external identity provider tokens (e.g., Vercel, Zendesk) for Stytch sessions.
  • Bring-your-own-auth – Let your product issue its own ID tokens that Stytch accepts via a secure profile.
  • Custom auth factors – Layer on external authentication (like biometric scans or hardware device attestation) and represent them in the Stytch session.

How it works

  1. Configure a Trusted Auth Token Profile in the Stytch dashboard with:
    • JWT issuer and audience
    • Public key(s) or JWKS endpoint
    • Attribute mappings for session identity, external identifiers, and RBAC role assignments
  2. Issue a token from your backend or accept one from a 3rd party.
  3. Exchange the token using Stytch's API to start or extend a session.

Setting up a Trusted Auth Token Profile

In Dashboard, navigate to the Trusted Auth Tokens page. Here you can create a new Trusted Auth Token Profile for the provider of the tokens that you want to attest, or view and edit existing profiles.

The issuer (iss) and audience (aud) should match the corresponding values in the JWTs that you are trying to attest.

Attribute mappings are used to tie per-user claims within the JWT to Stytch platform attributes. The following attribute mappings are available today:

AttributeRequiredPurpose
emailYesThe email address of the user identified by the JWT
token_idYesA unique identifier for the JWT
external_user_idAn optional external user id to attach to the user
role_idsAn string array of RBAC Role IDs to assign to the user

JIT Provisioning

By default, Trusted Auth Tokens cannot be used to create new users. Trusted Auth Tokens can only be used to authenticate an existing user. To allow Trusted Auth Tokens to create new users, enable the Allow JIT Provisioning toggle in the dashboard.

Exchanging a Trusted Auth Token for a Session

Once you have a profile set up for the source of your trusted auth tokens, you can use the backend API to exchange a token for a Stytch session, or add it as an auth factor for an existing session using the Attest Session API endpoint. The API endpoint is available in all Stytch Backend and Frontend SDKs.

const stytch = require('stytch');

const client = new stytch.Client({
  project_id: 'PROJECT_ID',
  secret: 'SECRET',
});

const params = {
  profile_id: "trusted-auth-token-profile-test-41920359-8bbb-4fe8-8fa3-aaa83f35f02c",
  token: "eyJhb...",
  session_duration_minutes: 60,
};

client.sessions.attest(params)
  .then(resp => {
    console.log(resp)
  })
  .catch(err => {
    console.log(err)
  });

You can view the full Attest Session endpoint documentation here.

Putting it all together

Suppose you configure a Trusted Auth Token Profile with an issuer of https://auth.example.com, an audience of https://api.example.com and the following attribute mapping:

  • email: email
  • token_id: jti
  • external_user_id: sub
  • roles: assignments

A JWT with the following claims:

{
  "iss": "https://auth.example.com",
  "aud": "https://api.example.com",
  "sub": "user_123456",
  "email": "ada.lovelace@example.com",
  "jti": "tok_654321",
  "assignments": [
    "editor",
    "reader"
  ]
}

Can be exchanged to log in or create a user with the following properties:

{
  "user_id": "user-test-16d9ba61-97a1-4ba4-9720-b03761dc50c6",
  "external_id": "user_123456",
  "emails": [
    {
      "email": "ada.lovelace@example.com",
      "email_id": "email-test-81bf03a8-86e1-4d95-bd44-bb3495224953",
      "verified": false
    }
  ],
  "roles": [
    "stytch_user",
    "editor",
    "reader"
  ]
}

as well as a session with the following properties:

{
  "user_id": "user-test-16d9ba61-97a1-4ba4-9720-b03761dc50c6",
  "authentication_factors": [
    {
      "delivery_method": "trusted_token_exchange",
      "trusted_auth_token_factor": {
        "token_id": "tok_654321"
      }
    }
  ]
}

What's next

Read on for next steps:

  • Accept credentials from an External Identity Provider
  • Create custom JWTs using Private Keys
  • Add custom claims to your Stytch session JWTs using Custom Claim Templates

Use cases

How it works

Setting up a Trusted Auth Token Profile

JIT Provisioning

Exchanging a Trusted Auth Token for a Session

Putting it all together

What's next