fix: new instructions for MRRT

pmalouin · pmalouin · commit aa5b0471a923 · 2025-11-13T15:25:29.000-05:00
diff --git a/call-apis-on-users-behalf/others-api/langchain-react-spa-js/README.md b/call-apis-on-users-behalf/others-api/langchain-react-spa-js/README.md
@@ -131,51 +131,10 @@ Auth0's Token Vault enables the LangGraph API to exchange a SPA's access token f
 5. **Define a Multi-Resource Refresh Token policy for your SPA Application**
     - After your SPA Application has been granted access to the My Account API, you will also need to leverage the [Multi-Resource Refresh Token](https://auth0.com/docs/secure/tokens/refresh-tokens/multi-resource-refresh-token) feature, where the refresh token delivered to your SPA will allow it to obtain an access token to call My Account API.
     - This will require defining a new [refresh token policy](https://auth0.com/docs/secure/tokens/refresh-tokens/multi-resource-refresh-token/configure-and-implement-multi-resource-refresh-token) for your SPA Application where the `audience` is `https://<your auth0 domain>/me/` and the `scope` should include at least the `"create:me:connected_accounts"` scope.
-    - The documentation page explains how to achieve this using various tools, but here is an example showing how to do it with `curl`:
-
-```shell
-curl --request PATCH \
-  --url 'https://{yourDomain}/api/v2/clients/{yourClientId}' \
-  --header 'authorization: Bearer {yourMgmtApiAccessToken}' \
-  --header 'content-type: application/json' \
-  --data '{
-  "refresh_token": {
-    "expiration_type": "expiring",
-    "rotation_type": "rotating",
-    "token_lifetime": 31557600,
-    "idle_token_lifetime": 2592000,
-    "leeway": 0,
-    "infinite_token_lifetime": false,
-    "infinite_idle_token_lifetime": false,
-    "policies": [
-      {
-        "audience": "https://{yourDomain}/me/",
-        "scope": [
-          "create:me:connected_accounts"
-        ]
-      }
-    ]
-  }
-}'
-```
-Where:
-- `{yourDomain}` is your Auth0 domain (e.g., `dev-abc123.us.auth0.com`).
-- `{yourClientId}` is the Client ID of your SPA application.
-- `{yourMgmtApiAccessToken}` is a Management API access token with the `update:clients` scope.
--
-<details>
-
-<summary>How to get a Management API Token from the Dashboard</summary>
-
-To create a token exchange profile, you need a Management API access token with the appropriate scopes.
-
-The quickest way to get a token for testing is from the Auth0 Dashboard:
-* Navigate to Applications > APIs in your Auth0 Dashboard
-* Select Auth0 Management API
-* Click on the API Explorer tab
-* Copy the displayed token
-
-</details>
+    - Setup steps:
+       - In your Auth0 Dashboard, go to Applications, and open the Settings for your SPA application created at step 1.
+       - Under the "Multi-Resource Refresh Token" section, click "Edit Configuration".
+       - Enable MRRT for "Auth0 My Account API".
 
 6. **Configure a Social Connection for Google in Auth0**:
     - Make sure to enable the "Use for Connected Accounts with Token Vault" toggle
diff --git a/call-apis-on-users-behalf/others-api/vercel-react-spa-js/README.md b/call-apis-on-users-behalf/others-api/vercel-react-spa-js/README.md
@@ -84,7 +84,10 @@ You will need the following prerequisites to run this app:
 5. Define a Multi-Resource Refresh Token policy for your SPA Application:
     - After your SPA Application has been granted access to the My Account API, you will also need to leverage the [Multi-Resource Refresh Token](https://auth0.com/docs/secure/tokens/refresh-tokens/multi-resource-refresh-token) feature, where the refresh token delivered to your SPA will allow it to obtain an access token to call My Account API.
     - This will require defining a new [refresh token policy](https://auth0.com/docs/secure/tokens/refresh-tokens/multi-resource-refresh-token/configure-and-implement-multi-resource-refresh-token) for your SPA Application where the `audience` is `https://<your auth0 domain>/me/` and the `scope` should include at least the `"create:me:connected_accounts"` scope.
-    - The documentation page explains how to achieve this using various tools, but here is an example showing how to do it with `curl`:
+    - Setup steps:
+        - In your Auth0 Dashboard, go to Applications, and open the Settings for your SPA application created at step 1.
+        - Under the "Multi-Resource Refresh Token" section, click "Edit Configuration".
+        - Enable MRRT for "Auth0 My Account API".
 
 ```shell
 curl --request PATCH \
