releases.shpreview

Custom Token Exchange adds Delegated Authorization support

1 featureThis release1 featureNew capabilitiesAI-tallied from the release notes
From the original release noteView original ↗

We're excited to announce that Custom Token Exchange now supports Delegated Authorization. This release is available to all Enterprise, B2B Professional, and B2C Professional customers.

Delegated Authorization covers scenarios where a principal (e.g. a human support agent, a backend service, an AI agent) performs actions in the context of a user. Unlike traditional impersonation where the actor's identity is lost, delegated authorization preserves both identities: the sub claim identifies the user being acted for, while a standards-based act claim (per RFC 8693) identifies who is actually performing the action. Every token carries a verifiable record of the delegation.

With the flexibility to define custom actor semantics and authorization logic via Actions, customers now have the tools to address emerging access patterns, including agentic AI flows, alongside traditional delegation scenarios like support tooling and service-to-service chains.

Key highlights of this release:

  • Actor token parameters: Pass actor_token and actor_token_type to convey the acting party's credential
  • setActor() Action command: Developers explicitly control when and how delegation act claim is included in tokens via the new setActor() method
  • Auth0 ID tokens as actor tokens: Automatic validation when the actor is an Auth0-managed user
  • Audit trail: Actor identity captured in tenant logs for compliance and traceability
  • Nesting support: Up to 5 levels of delegation chains for multi-hop service scenarios

To learn more, visit the Custom Token Exchange documentation.

set-Actor-Actions

Fetched May 27, 2026