Commit 65ee01f

fix: revert changes to top-level token-vault docs
1 parent 21cd8e5 commit 65ee01f

3 files changed

+27
-28
lines changed

main/docs/secure/tokens/token-vault.mdx

Lines changed: 8 additions & 8 deletions
@@ -1,14 +1,14 @@
11
---
2-
description: Learn how Token Vault securely stores the access and refresh
3-
tokens of external providers.
2+
description: Learn how Token Vault securely stores federated access and refresh
3+
tokens.
44
'og:image': https://cdn2.auth0.com/docs/1.14553.0/img/share-image.png
55
'og:title': Token Vault
66
'og:url': https://auth0.com/docs/
77
permalink: token-vault
88
sidebarTitle: Overview
99
title: Token Vault
10-
'twitter:description': Learn how Token Vault securely stores the access and
11-
refresh tokens of external providers.
10+
'twitter:description': Learn how Token Vault securely stores federated access and
11+
refresh tokens.
1212
'twitter:title': Token Vault
1313
---
1414
<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
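Review bot: The new `description` and `twitter:description` values on lines 2-3 and 10-11 say "federated access and refresh tokens" without naming who issues them, so the search and share snippet no longer tells a reader that these are credentials from external providers rather than Auth0's own tokens. Suggest keeping the issuer in the snippet, for example "federated access and refresh tokens issued by external providers", which matches the wording the body uses on line 22.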
@@ -19,7 +19,7 @@ Token Vault is currently available in Early Access for public cloud tenants. To
1919

2020
Token Vault enables your applications to securely access third-party APIs on the user's behalf. There is no need to manage <Tooltip tip="Refresh Token: Token used to obtain a renewed Access Token without forcing users to log in again." cta="View Glossary" href="/docs/glossary?term=refresh+tokens">refresh tokens</Tooltip> or build custom integrations per provider—Auth0 handles it all for you. You gain access to a wide range of external providers’ APIs and services, all through a single Auth0 integration.
2121

22-
When a user authenticates with a supported external provider and uses <Tooltip tip="OAuth 2.0: Authorization framework that defines authorization protocols and workflows." cta="View Glossary" href="/docs/glossary?term=OAuth">OAuth</Tooltip> scopes to authorize access, Auth0 stores the access and refresh tokens for that connection in the Token Vault. Token Vault organizes the tokens issued by external providers into tokensets, with one tokenset per authorized connection.
22+
When a user authenticates with a supported external provider and uses <Tooltip tip="OAuth 2.0: Authorization framework that defines authorization protocols and workflows." cta="View Glossary" href="/docs/glossary?term=OAuth">OAuth</Tooltip> scopes to authorize access, Auth0 stores the access and refresh tokens for that connection in the Token Vault. Token Vault organizes the federated tokens issued by external providers into tokensets, with one tokenset per authorized connection.
2323

2424
You can then call the external provider's APIs using these stored credentials via Auth0 to get a user’s Google Calendar events, access GitHub repos, create a Microsoft Word document, and more.
2525

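Review bot: Line 22 now uses two names for the same credentials inside one paragraph: the first sentence still says "the access and refresh tokens for that connection" and the second says "the federated tokens issued by external providers". A reader can take these as two different sets of tokens. Suggest using "federated access and refresh tokens" in both sentences and defining "federated" at first use, since the distinction between provider-issued tokens and Auth0 tokens is the point of the page.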
@@ -35,12 +35,12 @@ For Early Access, Auth0 supports Token Vault for the following social and enterp
3535

3636
## How it works
3737

38-
When a user authenticates with a supported external provider and authorizes the third-party connection:
38+
When a user authenticates with a supported external provider and authorizes the federated connection:
3939

4040
1. Auth0 obtains access tokens using OAuth 2.0 scopes to control access. Users explicitly approve requested permissions.
41-
2. Auth0 securely stores the access and refresh tokens of external providers in the Token Vault.
41+
2. Auth0 securely stores federated access and refresh tokens in the Token Vault.
4242
3. The application [links user accounts](/docs/manage-users/user-accounts/user-account-linking) with the user's consent. As a result, the user won’t have to create separate accounts for each external provider.
43-
4. Your application calls Auth0 to exchange a valid Auth0 refresh token for an external provider's access token. Your application can perform this exchange multiple times while Auth0 manages refreshing the access tokens stored in the Token Vault. Using an external provider's access token, your application can call external APIs on the user’s behalf.
43+
4. Your application calls Auth0 to exchange a valid Auth0 refresh token with an access token for a federated connection. Your application can perform this exchange multiple times while Auth0 manages refreshing the federated access tokens stored in the Token Vault. Using a federated access token, your application can call third-party APIs on the user’s behalf.
4444

4545
Token Vault allows for seamless federated identity and simplifies integration across multiple external providers via a single Auth0 interface.
4646

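Review bot: Step 4 on line 43 reads "exchange a valid Auth0 refresh token with an access token for a federated connection"; "exchange ... with" suggests the application already holds both tokens and swaps them, whereas the removed line and call-apis-with-token-vault.mdx both say "exchange ... for". Suggest "exchange a valid Auth0 refresh token for a federated access token". The same step also switches from "external APIs" to "third-party APIs" while the unchanged line 45 keeps "external providers", so it is worth settling on one term.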
main/docs/secure/tokens/token-vault/call-apis-with-token-vault.mdx

Lines changed: 10 additions & 10 deletions
@@ -16,7 +16,7 @@ Token Vault is currently available in Early Access for public cloud tenants. To
1616

1717
</Callout>
1818

19-
Token Vault organizes the access and <Tooltip tip="Refresh Token: Token used to obtain a renewed Access Token without forcing users to log in again." cta="View Glossary" href="/docs/glossary?term=refresh+tokens">refresh tokens</Tooltip> issued by external providers into tokensets, with one tokenset per authorized connection. Applications can access the Token Vault when they exchange a valid Auth0 refresh token for an external provider's <Tooltip tip="Access Token: Authorization credential, in the form of an opaque string or JWT, used to access an API." cta="View Glossary" href="/docs/glossary?term=access+token">access token</Tooltip> stored in the tokenset. This enables applications to request access tokens without the user having to re-authorize the connection. Using the external provider's access token, the application can call external APIs on the user’s behalf.
19+
Token Vault organizes federated access and <Tooltip tip="Refresh Token: Token used to obtain a renewed Access Token without forcing users to log in again." cta="View Glossary" href="/docs/glossary?term=refresh+tokens">refresh tokens</Tooltip> issued by external providers into tokensets, with one tokenset per authorized connection. Applications can access the Token Vault when they exchange a valid Auth0 refresh token for a federated <Tooltip tip="Access Token: Authorization credential, in the form of an opaque string or JWT, used to access an API." cta="View Glossary" href="/docs/glossary?term=access+token">access token</Tooltip> stored in the tokenset. This enables applications to request federated access tokens without the user having to re-authorize the connection. Using the federated access token, the application can call third-party APIs on the user’s behalf.
2020

2121
Let’s walk through a real-world example: A user wants to schedule a meeting in their Google Calendar using a productivity app.
2222

@@ -66,7 +66,7 @@ When the user logs into a new Google social connection:
6666

6767
## Call third-party API
6868

69-
To schedule the meeting, the application needs to call the Google Calendar API. The application can use a valid Auth0 refresh token to request a Google access token with the scopes granted in the login flow without the user having to re-authorize the connection. To learn more, read [Manage Token Vault refresh tokens](#manage-token-vault-refresh-tokens).
69+
To schedule the meeting, the application needs to call the Google Calendar API. The application can use a valid Auth0 refresh token to request a Google access token with the scopes granted in the login flow without the user having to re-authorize the connection. To learn more, read [Manage federated refresh tokens](#manage-federated-refresh-tokens).
7070

7171
To call the Google Calendar API:
7272

@@ -128,7 +128,7 @@ Request:
128128
</tr>
129129
<tr>
130130
<td><code>client_secret</code></td>
131-
<td>Client secret. <strong>Note:</strong> You can use any client authentication method to get an external provider's access token.</td>
131+
<td>Client secret. <strong>Note:</strong> You can use any client authentication method to get a federated access token.</td>
132132
</tr>
133133
<tr>
134134
<td><code>subject_token_type</code></td>
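Review bot: The note in the `client_secret` row on line 131 says any client authentication method can be used to get a federated access token, but configure-token-vault.mdx in this same commit requires a confidential client whose `token_endpoint_auth_method` is not `none`. Suggest restating or linking that constraint here so the row is not read as permitting public clients, and consider moving the note out of the `client_secret` row, since it is about authentication methods in general.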
@@ -159,7 +159,7 @@ The Auth0 Authorization Server validates and loads the user profile associated w
159159
2. If the authorization request contains `login_hint`, Auth0 looks for an identity matching both the connection name and the `login_hint`.
160160
3. If Auth0 can’t find the user, it returns a `401` status code with an error message.
161161

162-
Once the Auth0 Authorization Server validates the user, it locates the external provider's access token within the Token Vault. If it is still valid, Auth0 returns the external provider's access token with its scopes and expiry time:
162+
Once the Auth0 Authorization Server validates the user, it locates the federated access token within the Token Vault. If it is still valid, Auth0 returns the federated access token with its scopes and expiry time:
163163

164164
```json lines
165165
{
@@ -176,16 +176,16 @@ Once the Auth0 Authorization Server validates the user, it locates the external
176176

177177

178178

179-
If the external provider's access token has expired, Auth0 uses the refresh token stored in the Token Vault to get a new access token with the same scopes. Auth0 then stores it in the corresponding tokenset and returns it to the application. To learn more about how Auth0 manages refresh tokens, read [Manage Token Vault refresh tokens](#manage-token-vault-refresh-tokens).
179+
If the federated access token has expired, Auth0 uses the federated refresh token stored in the Token Vault to get a new federated access token with the same scopes. Auth0 then stores it in the corresponding tokenset and returns it to the application. To learn more about how Auth0 manages federated refresh tokens, read [Manage federated refresh tokens](#manage-federated-refresh-tokens).
180180

181-
Using the Token Vault access token, the application calls the Google Calendar API on the user’s behalf.
181+
Using the federated access token, the application calls the Google Calendar API on the user’s behalf.
182182

183-
## Manage Token Vault refresh tokens
183+
## Manage federated refresh tokens
184184

185-
Auth0 securely stores refresh and access tokens for external providers in a tokenset within the Token Vault, with one tokenset per authorized connection. Auth0 manages refresh tokens on the server, so your application only has to handle storing and exchanging Auth0 refresh tokens for an external provider's access tokens.
185+
Auth0 securely stores the federated refresh and access tokens of external providers in a tokenset within the Token Vault, with one tokenset per authorized connection. Auth0 manages federated refresh tokens on the server, so your application only has to handle storing and exchanging Auth0 refresh tokens for federated access tokens.
186186

187187
To learn more about how Auth0 manages Auth0 refresh tokens for different types of applications, read [Refresh tokens](/docs/secure/tokens/refresh-tokens).
188188

189-
### Token Vault refresh token expiration policy
189+
### Federated refresh token expiration policy
190190

191-
Auth0 deletes refresh tokens from tokensets when they expire based on the expiration date set by the external provider or if they have not been exchanged for an access token for 1+ years.
191+
Auth0 deletes federated refresh tokens from tokensets when they expire based on the expiration date set by the external provider or if they have not been exchanged for a federated access token for 1+ years.
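Review bot: Renaming the headings on lines 183 and 189 changes their fragments, and only the two in-page links on lines 69 and 179 are updated to `#manage-federated-refresh-tokens`; links from other pages or bookmarks to `#manage-token-vault-refresh-tokens` will silently land at the top of the page. Suggest searching the repo for the old fragment before merging. Separately, line 191 keeps "1+ years" for the inactivity cutoff; since this is a retention rule for stored credentials, an exact threshold would be better than an open-ended figure.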

main/docs/secure/tokens/token-vault/configure-token-vault.mdx

Lines changed: 9 additions & 10 deletions
@@ -24,13 +24,13 @@ Auth0 supports Token Vault for the following social and enterprise <Tooltip tip=
2424
* <Tooltip tip="OpenID: Open standard for authentication that allows applications to verify users' identities without collecting and storing login information." cta="View Glossary" href="/docs/glossary?term=OpenID">OpenID</Tooltip> Connect
2525
* Custom social connection
2626

27-
Once a user authenticates with a supported external provider and authorizes the connection, you can get an <Tooltip tip="Access Token: Authorization credential, in the form of an opaque string or JWT, used to access an API." cta="View Glossary" href="/docs/glossary?term=access+token">access token</Tooltip> to call external APIs on the user’s behalf. To learn more, read [Call APIs with Token Vault](/docs/secure/tokens/token-vault/call-apis-with-token-vault).
27+
Once a user authenticates with a supported external provider and authorizes the federated connection, you can get an <Tooltip tip="Access Token: Authorization credential, in the form of an opaque string or JWT, used to access an API." cta="View Glossary" href="/docs/glossary?term=access+token">access token</Tooltip> to call third-party APIs on the user’s behalf. To learn more, read [Call APIs with Token Vault](/docs/secure/tokens/token-vault/call-apis-with-token-vault).
2828

2929
To configure Token Vault, you need to:
3030

31-
1. Configure your application with the Token Vault grant type.
32-
2. Enable Token Vault for a supported social or enterprise connection.
33-
3. Manage tokensets within the Token Vault for your social or enterprise connection.
31+
1. Configure your application with the Token Exchange (Federated Connection) grant type.
32+
2. Enable Token Vault for a federated connection.
33+
3. Manage tokensets within the Token Vault for your federated connection.
3434

3535
<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
3636

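Review bot: Steps 2 and 3 on lines 32-33 replace "a supported social or enterprise connection" with "a federated connection", which drops the word "supported" even though the list directly above this hunk enumerates the specific connections Token Vault works with. Suggest "a supported federated connection" so the steps do not imply that any federated connection can be enabled. Line 27 has the same change ("authorizes the federated connection") but keeps "supported external provider", so the qualifier is only missing in the numbered steps.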
@@ -42,9 +42,9 @@ If you need to trigger MFA challenges for interactive flows, enable **Customize
4242

4343
## Configure application
4444

45-
Configure your application with the Token Vault grant type using the <Tooltip tip="Management API: A product to allow customers to perform administrative tasks." cta="View Glossary" href="/docs/glossary?term=Auth0+Dashboard">Auth0 Dashboard</Tooltip> or <Tooltip tip="Auth0 Dashboard: Auth0's main product to configure your services." cta="View Glossary" href="/docs/glossary?term=Management+API">Management API</Tooltip>.
45+
Configure your application with the Token Exchange (Federated Connection) grant type using the <Tooltip tip="Management API: A product to allow customers to perform administrative tasks." cta="View Glossary" href="/docs/glossary?term=Auth0+Dashboard">Auth0 Dashboard</Tooltip> or <Tooltip tip="Auth0 Dashboard: Auth0's main product to configure your services." cta="View Glossary" href="/docs/glossary?term=Management+API">Management API</Tooltip>.
4646

47-
Only certain types of clients can use the Token Vault grant type:
47+
Only certain types of clients can use the Token Exchange (Federated Connection) grant type:
4848

4949
1. The client must be a first-party client, i.e. the `is_first_party` property is `true`.
5050
2. The client must be a confidential client with a valid authentication mechanism, i.e. the `token_endpoint_auth_method` property must not be set to `none`.
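Review bot: The two tooltips on line 45 are crossed, and the new line carries the mistake forward: the text "Auth0 Dashboard" is wrapped in `tip="Management API: A product to allow customers to perform administrative tasks."` with `href="/docs/glossary?term=Auth0+Dashboard"`, while the text "Management API" gets `tip="Auth0 Dashboard: Auth0's main product to configure your services."` with `term=Management+API`. Suggest swapping the two `tip` values so each tooltip describes the term it wraps, since this line is being edited anyway.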
@@ -54,7 +54,7 @@ Only certain types of clients can use the Token Vault grant type:
5454

5555
1. Navigate to **Applications > Applications**.
5656
2. Select the application you want to configure.
57-
3. Under **Advanced Settings > Grant Types**, select the **Token Vault** grant type.
57+
3. Under **Advanced Settings > Grant Types**, select the **Token Exchange (Federated Connection)** grant type.
5858
4. Select **Save Changes**.
5959

6060
<Frame>![](/docs/images/cdy7uua7fh8z/4pDrKjLpUISfhhGAfc0EaU/28517676a42ec418c75a7034a0cad343/configure_federated_connection_token_exchange.png)</Frame>
@@ -83,9 +83,9 @@ curl --location --request PATCH 'https://{tenantDomain}/api/v2/clients/{clientId
8383

8484
</Tab></Tabs>
8585

86-
## Configure Third-Party Connection
86+
## Configure federated connection
8787

88-
Use the Auth0 Dashboard or Management API to configure a supported social or enterprise connection to retrieve and store access tokens for external APIs in the Token Vault.
88+
Use the Auth0 Dashboard or Management API to configure a federated connection to retrieve and store access tokens for third-party APIs in the Token Vault.
8989

9090
Once you enable Token Vault for your connection, access and <Tooltip tip="Refresh Token: Token used to obtain a renewed Access Token without forcing users to log in again." cta="View Glossary" href="/docs/glossary?term=refresh+tokens">refresh tokens</Tooltip> will no longer be stored in the user’s `identities` array. Instead, they will be stored in a secure tokenset within the Token Vault. To learn more, read [Manage tokensets](#manage-tokensets).
9191

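Review bot: Line 88 says the connection is configured "to retrieve and store access tokens for third-party APIs", but the unchanged line 90 states that both access and refresh tokens move out of the user's `identities` array into the tokenset. Suggest "access and refresh tokens" on line 88 so the summary matches what is actually stored. The heading rename on line 86 also changes the section fragment, so any links to the old "Configure Third-Party Connection" anchor need the same check as the renamed headings in call-apis-with-token-vault.mdx.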
@@ -218,4 +218,3 @@ Response: 204 No-Content
218218
```
219219

220220

221-
