# My Account API Reference

> Documentation for Auth0's My Account API

<Badge>Version: 1.0 (Current)</Badge>

The Auth0 My Account API provides a dedicated set of endpoints for users to manage their own account information. Customers can use these APIs to build self-service experiences in their applications or progressively add details to a user account.

The My Account API operates within the context of the currently logged-in user and can be used directly within user-facing applications.

<Tip>
  <p class="uppercase font-bold">Using Auth0 domain vs. custom domain</p>

  The My Account API supports using your canonical Auth0 domain or your custom domain, but you must use the same one throughout the entire process, including:

  * Getting an access token
  * Setting the audience value
  * Calling the My Account API endpoint

  To learn more, read [Custom Domains](https://auth0.com/docs/customize/custom-domains).
</Tip>

## Activate the My Account API

You can activate the My Account API for your tenant in the Auth0 Dashboard:

1. Navigate to **Authentication > APIs**.
2. Locate the My Account API banner.
3. Select **Activate**.

<img src="https://mintcdn.com/docs-dev-docs-event-stream-action-templates/0yESejeOU6QiEi-j/docs/images/api/myaccount/My_Account_API_-_Activate.png?fit=max&auto=format&n=0yESejeOU6QiEi-j&q=85&s=7be16528b68d0f99cf706680988c8b76" width="952" height="480" data-path="docs/images/api/myaccount/My_Account_API_-_Activate.png" />

By default, the My Account API is created with the following application API access policies:

* `require_client_grant` for user flows
* `deny_all` for client (machine-to-machine) flows

For an application to access the My Account API on the user's behalf, you must explicitly create a client grant for that application, which allows you to define the maximum scopes the application can request. Alternatively, you can change the policy for user access flows to `allow_all`, which allows any application in your tenant to request any scope from the My Account API.

Because the My Account API exposes sensitive information and operations, Auth0 does not recommend using `allow_all` for user access flows. You should follow a least privilege principle with the My Account API to ensure applications only get access to what they truly need, minimizing potential security risks.

The final permissions granted to the application will be determined by the intersection of the scopes allowed by the application API access policy, the Role-Based Access Control (RBAC) permissions assigned to the end user, and any user consent given (if applicable).

<Note>
  <p class="uppercase font-bold">Supported flows</p>

  You cannot update the application API policy for client access to the My Account API, which means you cannot access the My Account API using the Client Credentials Flow.
</Note>

To learn more about how to manage application API access policies and their associated client grants, read [Application Access to APIs: Client Grants](https://auth0.com/docs/get-started/applications/application-access-to-apis-client-grants).

## Get an access token

You can get an access token for the My Account API in the same way you'd get an access token for one of your own APIs.

<Note>
  <p class="uppercase font-bold">Sensitive operations</p>

  If you're going to allow the My Account API to perform sensitive operations (such as enrolling an authentication method), we strongly recommend that you use [step-up authentication](https://auth0.com/docs/secure/multi-factor-authentication/step-up-authentication) to enforce additional security policies through [multi-factor authentication (MFA)](https://auth0.com/docs/secure/multi-factor-authentication).
</Note>

If you're using Universal Login, read the following articles:

* [Call Your API Using the Authorization Code Flow](https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow/call-your-api-using-the-authorization-code-flow)
* [Call Your API Using the Authorization Code Flow with PKCE](https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce/call-your-api-using-the-authorization-code-flow-with-pkce)

If you're using embedded login, read the following articles:

* [Call Your API Using Resource Owner Password Flow](https://auth0.com/docs/get-started/authentication-and-authorization-flow/resource-owner-password-flow/call-your-api-using-resource-owner-password-flow)
* [Login Flow with Native Passkeys API](https://auth0.com/docs/native-passkeys-api#login-flow)

## Examples

### Universal Login with authorization code flow

**Step 1: Request authorization code**

```bash lines theme={null}
# Parameter values must be URL-encoded. offline_access is requested as a scope,
# not as a separate query parameter, and state is an opaque, unguessable value
# your application checks when the user is redirected back.
curl --request GET \
  --url 'https://{yourDomain}/authorize?response_type=code&client_id={yourClientId}&redirect_uri={yourRedirectUri}&scope=create%3Ame%3Aauthentication_methods%20offline_access&audience=https%3A%2F%2F{yourDomain}%2Fme%2F&state={yourState}'
```

**Step 2: Exchange code for access token**

```bash lines theme={null}
# The audience and scopes were bound by the /authorize request and are not
# repeated here. The client secret, not the client ID, goes in client_secret.
curl --request POST \
  --url 'https://{yourDomain}/oauth/token' \
  --header 'content-type: application/json' \
  --data '{"grant_type": "authorization_code","client_id": "{yourClientId}","client_secret": "{yourClientSecret}","code": "{yourAuthorizationCode}","redirect_uri": "{yourRedirectUri}"}'
```
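The two Universal Login steps above, assembled end to end in Python as an added example (this is not Auth0's code and was not part of the original page): it derives a PKCE verifier and S256 challenge, builds the `/authorize` URL with the audience pinned to `https://{yourDomain}/me/` on the same domain, builds the token-exchange body for a public client, and runs a consistency check on the decoded access-token payload against the domain the application will call. The tenant domain `tenant.example.com`, the client ID, the redirect URI and the sample token payload are made-up inputs; the scope `create:me:authentication_methods` and the audience form are the ones this page documents.

```python
"""Authorization Code Flow with PKCE against the My Account API, assembled end
to end: PKCE pair, /authorize URL, token-exchange body, and a consistency check
of the returned token's claims against the domain the app will call.

Constructed example added to this page; it is not Auth0's code. The tenant
domain, client ID, redirect URI, state and the sample token payload are made-up
inputs. The audience form https://{yourDomain}/me/ and the scope
create:me:authentication_methods are the ones the page documents.
"""
import base64
import hashlib
import secrets
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlencode


def my_account_audience(domain: str) -> str:
    """Audience for the My Account API on the given domain (Auth0 or custom)."""
    return f"https://{domain}/me/"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method of RFC 7636.

    A fresh 43-character verifier is generated when none is supplied; the
    challenge is base64url(SHA-256(verifier)) without padding.
    """
    if verifier is None:
        verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(domain: str, client_id: str, redirect_uri: str,
                        scopes: Iterable[str], state: str, code_challenge: str) -> str:
    """Step 1: the /authorize request. offline_access, if wanted, goes into the
    scope list; urlencode handles the redirect URI and the audience."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "audience": my_account_audience(domain),   # same domain as the request
        "state": state,                            # app-side CSRF binding
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"https://{domain}/authorize?" + urlencode(params)


def token_exchange_body(client_id: str, code: str, redirect_uri: str,
                        code_verifier: str) -> Dict[str, str]:
    """Step 2: body for POST https://{domain}/oauth/token. Audience and scope
    were bound at /authorize and are not repeated; a public client proves
    possession of the verifier instead of sending a client secret."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }


def check_token_claims(claims: Dict, domain: str, needed_scopes: Iterable[str]) -> List[str]:
    """Diagnostic for the "same domain throughout" rule: confirm the decoded
    access-token payload was issued by, and is meant for, the domain the app
    will call, and that it carries the scopes the app needs. Signature and
    expiry validation are the resource server's job and are not done here.
    Returns a list of problems; an empty list means the token is consistent."""
    problems = []
    issuer = claims.get("iss")
    if issuer != f"https://{domain}/":
        problems.append(f"iss {issuer!r} is not https://{domain}/")
    aud = claims.get("aud", [])
    audiences = aud if isinstance(aud, list) else [aud]
    if my_account_audience(domain) not in audiences:
        problems.append(f"aud {audiences!r} lacks {my_account_audience(domain)}")
    granted = set(str(claims.get("scope", "")).split())
    missing = sorted(set(needed_scopes) - granted)
    if missing:
        problems.append("scope lacks " + " ".join(missing))
    return problems


if __name__ == "__main__":
    domain = "tenant.example.com"  # made-up tenant domain
    verifier, challenge = pkce_pair()
    url = build_authorize_url(domain, "abc123ClientId", "https://app.example.com/callback",
                              ["create:me:authentication_methods", "offline_access"],
                              secrets.token_urlsafe(16), challenge)
    print(url)
    print(token_exchange_body("abc123ClientId", "{code from redirect}",
                              "https://app.example.com/callback", verifier))
```

Keep the verifier and state server-side (or in the native app's memory) between the two steps, and run `check_token_claims` with the same domain string you pass to `build_authorize_url`; a mismatch between the Auth0 domain and a custom domain shows up as both an `iss` and an `aud` problem.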

### Embedded login with native passkeys

**Step 1: Request login challenge**

```bash lines theme={null}
curl --request POST \
  --url 'https://{yourDomain}/passkey/challenge' \
  --header 'content-type: application/json' \
  --data '{"client_id": "{yourClientId}"}'
```

**Step 2: Authenticate existing user**

```bash lines theme={null}
curl --request POST \
  --url 'https://{yourDomain}/oauth/token' \
  --header 'content-type: application/json' \
  --data '{"grant_type": "urn:okta:params:oauth:grant-type:webauthn","client_id": "{yourClientId}","scope": "create:me:authentication_methods offline_access","audience": "https://{yourDomain}/me/","auth_session": "{sessionIdFromTheFirstRequest}","authn_response": "{authenticatorResponse}"}'
```

### Authentication

<Tabs class="width-1/2" borderBottom>
  <Tab title="HTTP: Bearer Auth">
    Bearer and DPoP tokens are supported, depending on the API configuration.

    | Property                  | Value  |
    | ------------------------- | ------ |
    | Security Scheme Type      | http   |
    | HTTP Authorization Scheme | bearer |
  </Tab>
</Tabs>
