Custom Token Exchange adds Delegated Authorization support
We're excited to announce that Custom Token Exchange now supports Delegated Authorization. This release is available to all Enterprise, B2B Professional, and B2C Professional customers.
Delegated Authorization covers scenarios where a principal (e.g. a human support agent, a backend service, an AI agent) performs actions in the context of a user. Unlike traditional impersonation where the actor's identity is lost, delegated authorization preserves both identities: the sub claim identifies the user being acted for, while a standards-based act claim (per RFC 8693) identifies who is actually performing the action. Every token carries a verifiable record of the delegation.
With the flexibility to define custom actor semantics and authorization logic via Actions, customers now have the tools to address emerging access patterns, including agentic AI flows, alongside traditional delegation scenarios like support tooling and service-to-service chains.
Key highlights of this release:
- Actor token parameters: Pass
actor_tokenandactor_token_typeto convey the acting party's credential setActor()Action command: Developers explicitly control when and how delegationactclaim is included in tokens via the newsetActor()method- Auth0 ID tokens as actor tokens: Automatic validation when the actor is an Auth0-managed user
- Audit trail: Actor identity captured in tenant logs for compliance and traceability
- Nesting support: Up to 5 levels of delegation chains for multi-hop service scenarios
To learn more, visit the Custom Token Exchange documentation.

Fetched May 27, 2026
