> Learn about Multi-resource refresh token

# Multi-Resource Refresh Token

Multi-Resource <Tooltip tip="Refresh Token: Token used to obtain a renewed Access Token without forcing users to log in again." cta="View Glossary" href="/docs/glossary?term=Refresh+Tokens">Refresh Tokens</Tooltip> (MRRT) let a single [refresh token](/docs/secure/tokens/refresh-tokens) obtain [access tokens](/docs/secure/tokens/access-tokens) for multiple [APIs](/docs/get-started/apis), each with its own scopes and permissions. MRRT builds on standard [OAuth 2.0](/docs/authenticate/protocols/oauth) behavior by allowing refresh tokens to maintain multiple authorization policies.

When an application exchanges a refresh token for an <Tooltip tip="Access Token: Authorization credential, in the form of an opaque string or JWT, used to access an API." cta="View Glossary" href="/docs/glossary?term=access+token">access token</Tooltip>, it can select from a set of configured <Tooltip tip="Audience: Unique identifier of the audience for an issued token. Named aud in a token, its value contains the ID of either an application (Client ID) for an ID Token or an API (API Identifier) for an Access Token." cta="View Glossary" href="/docs/glossary?term=audience">audiences</Tooltip> and scopes. By doing so, MRRT streamlines authentication flows by avoiding the need to get a new refresh token for each API.

When using MRRT, Auth0 merges two sources of authorization to determine which access token to issue during a refresh token exchange:

1. The audience and scopes granted in the original authentication flow.
2. The audience and scopes configured in the application’s MRRT policy.

This allows applications to reuse the refresh token not only for APIs requested at login, but also for additional APIs allowed in the MRRT policy.
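The merge described above determines everything a single refresh token can reach, which is what you review when assessing the impact of a leaked token. The following is an added example, not Auth0's implementation: a simplified model that assumes scopes for the same audience are unioned, uses a constructed policy shape and scope names, and assumes the Management API audience ends in `/api/v2/`.

```python
# Simplified model of the MRRT merge; an added illustration, not Auth0 code.
MANAGEMENT_API_SUFFIX = "/api/v2/"  # assumption: Management API audience path

# Constructed sample policy (shape and scope names are assumptions).
SAMPLE_POLICY = [
    {"audience": "https://billing.example.com", "scope": ["read:invoices"]},
    {"audience": "https://api.example.com", "scope": ["read:profile"]},
]


def effective_grants(login_audience, login_scopes, mrrt_policy):
    """Return {audience: set(scopes)} reachable with one refresh token."""
    # Source 1: audience and scopes granted in the original authentication flow.
    grants = {login_audience: set(login_scopes)}
    # Source 2: audiences and scopes configured in the application's policy.
    for entry in mrrt_policy:
        aud = entry["audience"]
        if aud.endswith(MANAGEMENT_API_SUFFIX):
            raise ValueError(f"Management API cannot be in an MRRT policy: {aud}")
        grants.setdefault(aud, set()).update(entry["scope"])
    return grants


def authorize_refresh(grants, audience, requested_scopes):
    """Decide one refresh exchange: a single audience, scopes within the merge."""
    if audience not in grants:
        return False, "audience not granted at login or in MRRT policy"
    extra = set(requested_scopes) - grants[audience]
    if extra:
        return False, "scopes outside merged grant: " + " ".join(sorted(extra))
    return True, "ok"
```

Running `effective_grants` over a proposed policy before deploying it lists the full authority a stolen refresh token would carry, so each added audience can be justified against least privilege.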

**The key benefits of MRRT include**:

* A single refresh token, per application, to manage when controlling access to multiple APIs.
* No need to go through a full <Tooltip tip="Authorization Flow: Authorization grant (or workflow) specified in the OAuth 2.0 framework." cta="View Glossary" href="/docs/glossary?term=authorization+flow">authorization flow</Tooltip> every time your application needs to access a new API.
* Performance improvement and reduced load on the <Tooltip tip="Authorization Server: Centralized server that contributes to defining the boundaries of a user’s access. For example, your authorization server can control the data, tasks, and features available to a user." cta="View Glossary" href="/docs/glossary?term=authorization+server">authorization server</Tooltip>.
* Reduced risk of [rate limiting](/docs/troubleshoot/customer-support/operational-policies/rate-limit-policy) due to repeated full authorization code flows.

## How it works

<Frame>
  <img src="https://mintcdn.com/docs-dev-actions-triggers-prototype/I3gNYw4Uo9lArprN/docs/images/cdy7uua7fh8z/1V12Rzfm8mafMTaxlcEr25/a9ab2a335a835f0c2ae61eb1d767c9fa/Docs_Diagram_Toolkit_-_Carlos__1_.png?fit=max&auto=format&n=I3gNYw4Uo9lArprN&q=85&s=6ea178729b3d0616f5155a1cc40de647" alt="" width="1400" height="943" data-path="docs/images/cdy7uua7fh8z/1V12Rzfm8mafMTaxlcEr25/a9ab2a335a835f0c2ae61eb1d767c9fa/Docs_Diagram_Toolkit_-_Carlos__1_.png" />
</Frame>

1. Application authenticates with Auth0.

2. Auth0 returns an access token and a multi-resource refresh token.

3. Application uses the access token to call API 1.

4. Application exchanges the multi-resource refresh token for access to API 2.

5. Auth0 returns a new access token scoped to API 2.

6. Application calls API 2 using the new access token.

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  For example, a native application authenticates the user and requests access to the `https://api.example.com` audience. Then, the application needs access to the `https://billing.example.com` audience. If both APIs are included in the application’s MRRT policy, the application can exchange a refresh token for an access token for either API.
</Callout>
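Steps 4 to 6 from the client's side, as an added example that is not Auth0 SDK code: one stored refresh token, one cached access token per audience and scope. The `audience` and `scope` form parameters on the refresh request, the `MrrtClient` class, and the fake token endpoint (with its constructed token values) are assumptions for illustration.

```python
import time
from urllib.parse import parse_qsl, urlencode


class MrrtClient:
    """Holds one refresh token and caches access tokens per (audience, scope)."""

    def __init__(self, client_id, refresh_token, post):
        self.client_id = client_id
        self.refresh_token = refresh_token
        self._post = post    # callable(form_body: str) -> token response dict
        self._cache = {}     # (audience, scope) -> (access_token, expires_at)

    def access_token_for(self, audience, scope, now=None):
        now = time.time() if now is None else now
        cached = self._cache.get((audience, scope))
        if cached and cached[1] - 30 > now:   # reuse until 30 s before expiry
            return cached[0]
        body = urlencode({
            "grant_type": "refresh_token",
            "client_id": self.client_id,
            "refresh_token": self.refresh_token,
            "audience": audience,             # one API per access token
            "scope": scope,
        })
        resp = self._post(body)
        # If the server rotates refresh tokens, keep the replacement;
        # presenting the old one again would fail or trip reuse detection.
        if "refresh_token" in resp:
            self.refresh_token = resp["refresh_token"]
        self._cache[(audience, scope)] = (
            resp["access_token"], now + resp["expires_in"])
        return resp["access_token"]


def fake_token_endpoint():
    """Offline stand-in for the token endpoint; returns constructed tokens."""
    calls = []

    def post(body):
        form = dict(parse_qsl(body))
        calls.append(form)
        n = len(calls)
        return {"access_token": f"at-{n}-for-{form['audience']}",
                "refresh_token": f"rt-{n}", "expires_in": 600}

    return post, calls
```

The cache is keyed by audience and scope because a token issued for one API must never be sent to another; the receiving API should reject any token whose `aud` is not its own identifier.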

Learn how to [Configure and Implement Multi-resource refresh token](/docs/secure/tokens/refresh-tokens/multi-resource-refresh-token/configure-and-implement-multi-resource-refresh-token).

## Limitations

* Each access token issued through MRRT is scoped to a single API. If your application requires access to multiple APIs, you must request separate access tokens for each API.
* MRRT supports only [first-party applications](/docs/get-started/applications/first-party-and-third-party-applications#first-party-applications).
* MRRT supports APIs configured to [allow skipping user consent](/docs/get-started/applications/third-party-applications/user-consent-and-third-party-applications#skip-consent-for-first-party-applications).
* The Auth0 <Tooltip tip="Management API: A product to allow customers to perform administrative tasks." cta="View Glossary" href="/docs/glossary?term=Management+API">Management API</Tooltip> cannot be included in MRRT policies.
