Management/Projects

External Token

Descope's External Token feature enables hybrid authentication by allowing you to keep using your existing token format and infrastructure while leveraging Descope Flows for identity orchestration.

This allows you to modernize authentication with Descope without overhauling your token validation or authorization mechanisms. Your backend can continue using tokens in formats like Firebase, Supabase, or custom formats, while Descope handles the authentication flow.

How It Works

At the end of a Descope Flow, a configured token connector automatically generates a custom external token that integrates seamlessly with your current backend setup—whether it's a legacy system, API gateway, or existing session logic.

External token swimlane diagram

The external token is included in the authentication response alongside Descope's session tokens, allowing your application to use either token format as needed.

Setup

Step 1: Configure Token Connector

Configure an External Token connector in the Descope Console.

Descope provides several prebuilt connectors that generate tokens compatible with specific platforms:

  • Firebase — Generate Firebase-compatible tokens
  • Supabase — Generate Supabase-compatible tokens
  • Generic HTTP Token — Generate tokens in a custom format for your existing backend or API infrastructure

For detailed connector configuration, see the External Token connector guides.

Step 2: Enable the Connector

  1. Navigate to your project's settings under Session Management
  2. Locate the External Token section
  3. Select the connector you configured in Step 1

External token connector selection in project settings

Once enabled, the external token will be automatically included in all authentication responses when flows run.

Authentication Response

When a flow completes, the authentication response includes the external token in the externalToken field:

{
  "cookieDomain": "",
  "cookieExpiration": 0,
  "cookieMaxAge": 0,
  "cookiePath": "/",
  "externalToken": "EXTERNAL_TOKEN",
  "firstSeen": false,
  "idpResponse": null,
  "refreshJwt": "DESCOPE_REFRESH_TOKEN",
  "sessionExpiration": 1750879215,
  "sessionJwt": "DESCOPE_SESSION_TOKEN",
  "user": {}
}

Your backend can use the externalToken field to integrate with existing services that expect tokens in your current format.

To use a different connector for a specific flow while maintaining a project-level default, see Unique External Token for a Flow.

Was this helpful?

Project Dashboards

Learn how to use the Descope Project Dashboards to monitor user activity, tenant metrics, operations & security, and flow analytics.

Multi-Region Support

Learn how to use Descope with multi-regional support

On this page