# Retrieve a user's enterprise SSO identity and associated token secret (if token storage is enabled).

**GET /api/users/{userId}/sso-identities/{ssoConnectorId}**

This API retrieves the user's enterprise SSO identity and associated token set record from the Logto Secret Vault. The token set will only be available if token storage is enabled for the corresponding SSO connector.


## Servers
- Logto endpoint address.: https://[tenant_id].logto.app (Logto endpoint address.)


## Authentication methods
- O auth2


## Parameters

#### Path parameters
- **userId** (string)
  The unique identifier of the user.
- **ssoConnectorId** (string)
  The unique identifier of the sso connector.

#### Query parameters
- **includeTokenSecret** (string)
  Whether to include the token secret in the response. Defaults to false. Token storage must be supported and enabled by the connector to return the token secret.


## Responses
### 200: Returns the user's enterprise SSO identity and associated token secret.

#### Body Parameters: application/json (object)
- **ssoIdentity** (object)
  The user's enterprise SSO identity.
- **tokenSecret** (object)
  The desensitized token set secret associated with the user's SSO identity.
This field is included only if the `includeTokenSecret` query parameter is provided and the corresponding connector has token storage enabled.

### 400: Bad Request

### 401: Unauthorized

### 403: Forbidden

### 404: User enterprise SSO identity not found.


[Powered by Bump.sh](https://bump.sh)