
fix: update Custom Token Exchange limitations#765

Open
dlozlla wants to merge 2 commits intoauth0:mainfrom
dlozlla:cte-docs-fixes

Conversation


@dlozlla dlozlla commented Mar 13, 2026

Description

Updates the Custom Token Exchange (CTE) limitations section on the overview page (main/docs/authenticate/custom-token-exchange.mdx):

  • Removed the Organization + MFA limitation (api.multifactor.enable() and MFA policies not supported when associated with an Organization), which is no longer accurate.
  • Added a missing limitation about consent: the target API must have Allow Skipping User Consent enabled, since consent cannot be collected in a non-interactive flow. This was already documented in the French-Canadian and Japanese translations but missing from the English source page.

References

  • Server-side enforcement: CustomTokenExchangeProfile.js — #consentRequired() method rejects requests when the resource server does not allow skipping consent for first-party clients.

Testing

  • Run mint dev from the main/ directory and navigate to the /docs/authenticate/custom-token-exchange to verify the updated limitations list renders correctly.

Checklist

  • I've read and followed CONTRIBUTING.md.
  • I've tested the site build for this change locally.
  • I've made appropriate docs updates for any code or config changes.
  • I've coordinated with the Product Docs and/or Docs Management team about non-trivial changes.

Remove stale Organization MFA limitation and add missing consent
requirement: target API must have Allow Skipping User Consent enabled.

Co-Authored-By: Claude <noreply@anthropic.com>
@dlozlla dlozlla requested a review from a team as a code owner March 13, 2026 16:44
* Custom DB Connections with import mode `ON` are not supported for `setUserByConnection()` operations
* Specific delegation support (e.g. `actor_token` and `actor` claim)
* Third-party and non-OIDC conformant clients
* The target API must have **Allow Skipping User Consent** enabled, since consent cannot be collected in a non-interactive flow.
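Review bot: the new last bullet states the requirement without its effect; since the description points to the server-side `#consentRequired()` check in CustomTokenExchangeProfile.js rejecting requests when the resource server does not allow skipping consent for first-party clients, consider saying that the exchange request is rejected unless **Allow Skipping User Consent** is enabled on the target API, so readers can connect a failed exchange to this setting.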
Contributor

You don't need the comma here.

Removed unnecessary comma in the consent requirement note.
2 participants