Skip to main content
In anonymous user flows, where there is no authenticated user, Auth0 still provides a mechanism to establish a session anonymously. Auth0 issues a session token and an access token in response to an anonymous token request. While you can use access tokens to make authenticated calls to a secured API as with any authenticated flow, the session token contains the anonymous user identity and session information attributes, which are then used to continue the anonymous session later. The access token is usually a JSON Web Token (JWT) whose claims can be read and processed by a resource server, whereas the session token is opaque and only meant to be read by Auth0. Typically, a user needs a new access token when gaining access to a resource for the first time, or after the previous access token granted to them expires. A session token is a credential artifact that your application can use to get a new access token when necessary. You can continue to request new access tokens until the anonymous session expires. By default, a session token is not bound to the device that created the session. It can be ported and used in a different device. A session token can be included in authorization requests, and the information inside the session token is surfaced in Actions, to complement the login transaction.