ForgeRock Developer Experience

Access resources using ForgeRock Token Vault

After you complete the set up of the ForgeRock Token Vault successfully, you can use the ForgeRock SDK for JavaScript or any HTTP or fetch library to request protected resources.

With the exception of refreshing tokens, and configuration of the token storage mechanism, using the ForgeRock SDK for JavaScript with the ForgeRock Token Vault is almost entirely transparent.

The ForgeRock Token Vault manages token lifecycle automatically. If you enable refresh tokens in your OAuth 2.0 client, the ForgeRock Token Vault automatically refreshes access tokens.

Request tokens

Use the TokenManager class from the SDK as usual to request tokens and have them safely stored within the Token Vault Proxy:

import { TokenManager } from '@forgerock/javascript-sdk';

const tokens = TokenManager.getTokens();

console.log(tokens); // Refresh & Access Token values will be redacted

You can verify the tokens are stored under the origin of the Token Vault Proxy, not the origin of your main app, by using the developer tools in your browser.

The response your app and the SDK receive contains redacted values. This is expected behavior and increases security.

For example:

    "accessToken": "REDACTED",
    "idToken": "eyJ0eXAiOiJKV1QiLCJra...7r8soMCk8A7QdQpg",
    "refreshToken": "REDACTED",
    "tokenExpiry": 1690712227226,

Make requests

Use the native fetch API or any HTTP request library that emits a fetch event.

For example, you could use the HttpClient module provided in the ForgeRock SDK for JavaScript.

The Token Vault Interceptor routes any of these requests that matches its configuration through the Token Vault Proxy so that the relevant tokens get attached before reaching your resource server.

Revoke tokens

To remove tokens and log the user out, use the FRUser class as usual:

import { FRUser } from '@forgerock/javascript-sdk';


This destroys the user’s session, revokes tokens on the server, and removes tokens from the Token Vault Proxy.

Use convenience methods

The tokenVaultStore object provides some convenience functions for use in your apps.

These methods are useful as your main app does not have any direct access to the tokens in the ForgeRock Token Vault.

The has method

Use the has method to determine whether the ForgeRock Token Vault has relevant tokens stored.

The method returns an object with a hasTokens property and a boolean value. It does not return the tokens.

const tokenVaultStore =;

const { hasTokens } = tokenVaultStore.has();

console.log(hasTokens); // logs `true` or `false`

This method reflects the presence of tokens but does not validate those tokens. They may have expired or were revoked by the server.

To validate the tokens use the UserManager.getCurrentUser method. You can consider the tokens valid if the method returns user data.

The refresh method

Use the refresh method to manually request that the ForgeRock Token Vault refreshes its tokens.

The ForgeRock Token Vault attempts to refresh tokens automatically when required, but you can use this refresh method to force a refresh of the tokens, if needed.

The method returns an object with a refreshTokens property with a boolean value.

const tokenVaultStore =;

const { refreshTokens } = tokenVaultStore.refresh();

console.log(refreshTokens); // logs `true` or `false`
Copyright © 2010-2024 ForgeRock, all rights reserved.