Flows/Actions

Unique External Token for a Flow (Beta)

To add external tokens on a project level and define a default external token connector, follow this guide.

Descope's External Token feature enables hybrid authentication by allowing you to keep using your existing token format and infrastructure, while still leveraging Descope Flows for identity orchestration. At the end of a Descope Flow, you can generate a custom external token that integrates seamlessly into your current backend setup—whether it's a legacy system, API gateway, or existing session logic. This allows you to modernize authentication with Descope without overhauling your token validation or authorization mechanisms.

Configure Token Connector

The first step to setting up an External Token is to configure an External Token connector in the Descope Console. Descope provides several prebuilt connectors that generate tokens compatible with specific platforms such as Firebase or Supabase. Alternatively, you can use the Generic HTTP Token connector to generate tokens in a custom format that works with your existing backend or API infrastructure.

Follow our External Token connector guides for connector configuration.

Enabling the Connector in a Flow

If a connector is added on a project level, it will be used as the default external token for the Descope project. A unique external token connector can be configured for every flow.

To select a unique connector to be used at the end of a flow:

  1. Enter the flow editor for the flow you want to change the external token connector.

  2. Select the End action in the flow editor.

  3. Select a connector under External Token Connector that will be used to generate an external token.

External token connector selection in flow editor

Multiple external token connectors of each type can be created. For example, you can generate external tokens for different Firebase projects depending on which flow is run.

The flow will now generate an external token using the connector that was selected. Here is an example of a post authentication response with an external token included:

{
  "cookieDomain": "",
  "cookieExpiration": 0,
  "cookieMaxAge": 0,
  "cookiePath": "/",
  "externalToken": "SUPABASE_TOKEN",
  "firstSeen": false,
  "idpResponse": null,
  "refreshJwt": "DESCOPE_REFRESH_TOKEN",
  "sessionExpiration": 1750879215,
  "sessionJwt": "DESCOPE_SESSION_TOKEN",
  "user": {}
}

If an external token connector has been selected in the Descope Project Settings, it will remain the default connector used for generating external tokens in the project.

Was this helpful?

Scriptlets

When you're designing a flow and need to run a custom JS code.

User Invite

This doc will show you how to invite users within a flow.

On this page