How it works
When you decide to start tracking a user — even one who has not authenticated yet — your application sends a POST /anonymous/token request. Auth0 responds with two tokens:
- A session token (JWT or JWE) that identifies and persists the anonymous session
- An access token (OAuth 2.0-compliant) that the user can present to your resource servers
Both tokens carry the same anonymous user_id, so all activity is traceable to a single origin. Because the access token is OAuth 2.0-compliant, anonymous users can call any of your existing APIs without additional plumbing.
What Anonymous Sessions provide
- Track guest users across page loads and sessions
- Store metadata such as shopping cart references, preferences, consents, and profiling information
- Issue OAuth 2.0 access tokens for API calls without requiring authentication
- Transfer anonymous activity to authenticated accounts when users sign up or log in
Key concepts
Session token
The session token is a JWT or JWE that contains:

| Claim | Description |
|---|---|
| user_id | Anonymous identifier (for example, anon\|a7f3b2c9e1) |
| session_id | Unique session identifier |
| created_at | When the session was created |
| metadata | Application-defined data (cart, preferences, and so on) |
| iss | Token issuer (your Auth0 domain) |
| exp | Expiration timestamp |
Access token
The access token lets your application call resource server APIs. It contains:
- A sub claim that holds the anonymous user_id
- Standard OAuth 2.0 claims: aud, iss, exp, iat, scope
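As an added example (not Auth0's code or SDK), the following shows how a resource server could validate an access token of this shape before trusting its sub claim, and then treat an anonymous subject differently from an authenticated one. The HS256 secret, issuer, audience, guest route list and the anon| prefix test (taken from the page's example user_id) are assumptions made so the example runs offline; a real verifier checks the tenant's published signing keys instead of a shared secret.

```python
import base64, hashlib, hmac, json, time

# Constructed values for an offline demo; not real Auth0 tenant settings.
SECRET = b"constructed-demo-secret-do-not-use"
ISSUER = "https://example-tenant.auth0.com/"   # placeholder Auth0 domain (iss)
AUDIENCE = "https://api.example.com"            # placeholder resource server identifier (aud)
GUEST_ROUTES = {"/cart", "/preferences"}        # assumed routes a guest may call

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_hs256(claims: dict) -> str:
    """Build a compact HS256 JWT; stands in for the access token Auth0 returns."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_access_token(token: str, now=None) -> dict:
    """Resource-server check: signature first, then iss, aud and exp, before any claim is used."""
    now = int(time.time()) if now is None else now
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # the token must not choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    return claims

def is_anonymous(claims: dict) -> bool:
    """Assumes anonymous subjects look like the page's example 'anon|a7f3b2c9e1'."""
    return str(claims.get("sub", "")).startswith("anon|")

def authorize(token: str, route: str, now=None) -> bool:
    """Allow guest routes for anonymous subjects; everything else needs an authenticated sub."""
    claims = verify_access_token(token, now)
    return route in GUEST_ROUTES or not is_anonymous(claims)
```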
Anonymous user ID
Each anonymous user has a unique identifier in UUID format, consistent across all tokens for that session. If you include a user_id in the initial session creation call, Auth0 uses it instead of generating one.
Anonymous session ID
Each anonymous session has its own identifier. The same anonymous user may have more than one session — for example, when a previous session expired, or when you supply your own user IDs.
Limitations
- Session transfer only occurs during login (Post-Login Action) and sign-up (Pre-Registration Action).
- Password reset flows do not link anonymous sessions.
- The following grant types are not supported: Device Code, Client-Initiated Backchannel Authentication (CIBA), custom token exchange, and refresh token exchange.
- Anonymous sessions are not a secure data store. To learn more, read Anonymous Sessions Best Practices.
Learn more
- Quick Start: Anonymous Sessions — Configure Anonymous Sessions and create your first session in five steps.
- Transfer Anonymous Sessions to Users — Migrate cart, preference, and activity data when a guest signs up or logs in.
- Claims Mapping — Include anonymous session attributes in access tokens without writing Actions code.
- Anonymous Sessions Best Practices — Security, performance, and implementation recommendations.