> ## Documentation Index
> Fetch the complete documentation index at: https://docs-staging-feat-anonymous-sessions.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Anonymous Sessions

> Learn how to create and manage user sessions without requiring authentication.

export const ReleaseStageNotice = ({feature, stage, plans, contact, terms}) => {
  const stageTextMap = {
    "beta": "Beta",
    "ea": "Early Access"
  };
  const stageText = stageTextMap[stage] || "a product release stage";
  const prsLink = "/docs/troubleshoot/product-lifecycle/product-release-stages";
  const linkify = (text, url) => {
    return <a href={url} target="_blank" rel="noreferrer" class="link">{text}</a>;
  };
  const includeDetails = (plans, contact, terms) => {
    const hasDetails = terms || plans || contact;
    if (!hasDetails) return null;
    return <span data-as="p">
            {plans && <>This feature is available for {linkify(`${plans} plans`, "https://auth0.com/pricing")}. </>}
            {contact && "To participate, contact " + contact + ". "}
            {terms && <>By using this feature, you agree to the applicable Free Trial terms in Okta's {linkify("Master Subscription Agreement", "https://www.okta.com/legal")}.</>}
        </span>;
  };
  return <Warning>
            <span data-as="p">
                <strong>The {feature} feature is in {linkify(stageText, prsLink)}.</strong>
            </span>

            {includeDetails(plans, contact, terms)}
        </Warning>;
};

<ReleaseStageNotice feature="Anonymous Sessions" stage="beta" terms="true" contact="Auth0 Support" />

Anonymous sessions allow you to create and manage [user sessions](/docs/manage-users/sessions) without requiring authentication.

Users can browse, add items to carts or wishlists, complete purchases, and set preferences before creating an account.  Users then bring their activity into their authenticated profile when they sign up or log in.

Use anonymous sessions for the following use cases:

* **Track guest users** across page loads and sessions
* **Store metadata** such as shopping cart references, preferences, consents, and profiling information
* **Issue access tokens** for API calls without requiring authentication
* **Transfer anonymous activity** to authenticated accounts when users sign up or log in

<Warning>
  Auth0 anonymous session Metadata is not a secure data store and should not be used to store sensitive information.
  This includes secrets and high-risk PII like social security numbers or credit card numbers, etc.

  Additionally, the data stored in an anonymous session is not verified for truthness or accuracy and should never be taken at face value.

  Auth0 customers are strongly encouraged to evaluate the data stored in metadata and only store that which is necessary for session tagging and access management purposes.
  To learn more, read [Auth0 General Data Protection Regulation Compliance](/docs/secure/data-privacy-and-compliance/gdpr)."
</Warning>

## How it works

### Gather anonymous sessions data

When you decide to start gathering information about a user, even one who has not authenticated yet, your application sends a `POST` request to the `/anonymous/token` endpoint.

Auth0 responds with two tokens:

* A [**session token**](/docs/secure/tokens/session-tokens) that identifies and persists the anonymous session.
* An [**access token**](/docs/secure/tokens/access-tokens) that the user can present to your [resource servers (APIs)](/docs/get-started/apis).

Subsequent calls that include the session token continue the same session for the same `user_id`, so all activity is traceable to a single origin.
Using the access token, anonymous users can call any of your existing APIs.

```mermaid actions={false} theme={null}
sequenceDiagram
  participant app as SPA/APP
  participant idp as Auth0
  participant rs as Resource Server
  note over app: User Browses the site and <br> we decide to start <br> storing information about them.
  app ->> idp: POST /anonymous/token<br>{language: EN, country: US, order_id: PO123}
  idp ->> app: Session Token, Access Token<br>sub: anon@1234-5678-90
  note over app: User buys something anonymously.
  app ->>+ rs: POST /purchase<br> Authorization: Bearer <Access Token>
  rs ->> rs: Purchase order PO123 created<br>user_id: anon@1234-5678-90
  rs ->>- app: HTTP 200 OK
  note over app: User retrieves their anonymous purchases
  app ->> rs: GET /purchase<br> Authorization: Bearer <Access Token>
  rs ->> app: HTTP 200 OK {purchases: ["PO123"]}
```

```json Anonymous session data of user anon@1234-5678-90 theme={null}
{
  "user_id": "anon@1234-5678-90",
  "session_id": "sess_456",
  "metadata": {
    "language": "EN",
    "country": "US",
    "purchase": "P0123"
  }
}
```

### Transfer anonymous sessions data to user's metadata

When a user who has an anonymous session decides to log in or sign up, your application passes the `anonymous_session_token` to the `/authorize` endpoint using a cookie or an HTTP header.

```javascript cookie example theme={null}
// No extra code needed — cookie is sent automatically
await auth0.loginWithRedirect();
```

```javascript authorize endpoint example theme={null}
GET /authorize?
  client_id: YOUR_CLIENT_ID&
  redirect_uri: https://YOUR_ClIENT_URL/callback&
  response_type: code&
  scope: openid&
  Auth0-Anonymous-Session: eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0...
```

```mermaid actions={false} theme={null}
sequenceDiagram
  participant app as SPA/APP
  participant idp as Auth0
  participant rs as Resource Server
  note over app: User has been browsing the site
  anonymously and now logs in.
  app ->>+ idp: POST /authorize?client_id=xxx...
  Cookie: auth0_anon=eJY...
  idp ->> idp: Run post-login actions, includes anonymous_session data
  (language, country, order_id)
  idp ->> idp: api.idToken.addCustomClaim('original_uid', event.anonymous_session.user_id)
  idp ->>- app: Access Token, ID Token (with original_uid claim), auth0 cookie
  app ->>+ rs: Get /purchase?user:anon@1234-5678-90
  rs ->> rs: Purchase order PO123 created by
  user_id: anon@1234-5678-90
  rs ->>- app: HTTP 200 OK {purchase_orders: ["PO123"]}
```

Auth0 makes the anonymous session data available in your [`pre-user-registration`](/docs/customize/actions/explore-triggers/signup-and-login-triggers/pre-user-registration-trigger)  and [`post-login`](/docs/customize/actions/explore-triggers/signup-and-login-triggers/login-trigger) Actions triggers using the `event.anonymous_session` object.

```json anonymous session object theme={null}
{
  "anonymous_session": {
    "user_id": "anon@1234-5678-90",
    "session_id": "sess_123",
    "created_at": "2026-05-14T10:30:00Z",
    "metadata": {
      "language": "en",
      "country": "US",
      "order_id": "PO123"
}
}
}
```

To learn more about anonymous sessions with Actions, read [Anonymous Sessions Use Cases](/docs/manage-users/sessions/anonymous-sessions/anonymous-sessions-use-cases).

### End the anonymous session after transfer

Anonymous sessions are not automatically invalidated when a user authenticates. To end the session use the `/anonymous/logout` endpoint:

```javascript wrap lines theme={null}
// In your application, after successful login
if (wasAnonymousSession) {
  await fetch('https://YOUR_DOMAIN/anonymous/logout', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    credentials: 'include', // Send cookies
    body: JSON.stringify({ client_id: 'YOUR_CLIENT_ID' }),
  });
}
```

## Best practices

Here are some best practices for anonymous sessions:

* Configure appropriate [anonymous session lifetimes](/docs/manage-users/sessions/anonymous-sessions/configure-anonymous-sessions#configure-anonymous-sessions-in-your-auth0-tenant) to avoid losing a user's anonymous session data; Auth0 recommends a lifetime of 30 days or longer.

* Select anonymous session's [JSON Web Encryption (JWE)](/docs/manage-users/sessions/anonymous-sessions/configure-anonymous-sessions#configure-anonymous-sessions-in-your-auth0-tenant) encryption to ensure that potential attackers cannot see the contents of the session.

* Restrict what anonymous `anon@` users can do in your API.

* Validate tokens and sanitize metadata, never trust metadata or tokens from clients without server-side validation.

* Cache [access tokens](/docs/secure/tokens/access-tokens) since they can be reused until they expire.

* Batch and minimize [metadata updates](/docs/manage-users/sessions/anonymous-sessions/configure-anonymous-sessions#update-the-session-with-metadata). Avoid frequent metadata updates.

## Limitations

* [Password reset](/docs/customize/actions/explore-triggers/password-reset-triggers#password-reset-triggers) flows are not supported by anonymous sessions.
* [Device Code](/docs/get-started/authentication-and-authorization-flow/device-authorization-flow) is not supported because the authentication request and the actual login happen on different devices.
* [Client-Initiated Backchannel Authentication (CIBA)](/docs/get-started/applications/configure-client-initiated-backchannel-authentication) is not supported because the authentication request and confirmation happen on different devices.
* [Custom token exchange](/docs/authenticate/custom-token-exchange/cte-example-use-cases) is not supported due to the nature of the transactions (for example, impersonation), which creates a likelihood of attributing anonymous data to the wrong user.
* [Refresh token exchange](/docs/secure/call-apis-on-users-behalf/token-vault/configure-token-vault#configure-token-exchange) is not supported by anonymous sessions because the user is already logged in if they had a refresh token.

## Learn more

* [Configure Anonymous Sessions](/docs/manage-users/sessions/anonymous-sessions/configure-anonymous-sessions) Learn how to configure anonymous sessions.
* [Anonymous Sessions Use Cases](/docs/manage-users/sessions/anonymous-sessions/anonymous-sessions-use-cases) Learn about anonymous sessions use cases.
