Commit b6e982e

Updated links
1 parent b1fd485 commit b6e982e

71 files changed, +159 -165 lines changed

articles/_includes/_create_resource_server.md

+1-1
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
## Create the API
22

3-
Your resource server (API) needs to be configured to verify the Access Token and any claims contained within it. When you create a resource server in your Auth0 dashboard, it utilizes the RS256 signature method by default, meaning that Access Tokens are signed using Auth0's private key for your account. Verification is done using the corresponding public key. You can read more about the [JSON Web Key Set (JWKS)](/jwks) standard and also view the [public key](https://${account.namespace}/.well-known/jwks.json) for your Auth0 account (https://${account.namespace}/.well-known/jwks.json).
3+
Your resource server (API) needs to be configured to verify the Access Token and any claims contained within it. When you create a resource server in your Auth0 dashboard, it utilizes the RS256 signature method by default, meaning that Access Tokens are signed using Auth0's private key for your account. Verification is done using the corresponding public key. You can read more about the [JSON Web Key Set (JWKS)](/tokens/concepts/jwks) standard and also view the [public key](https://${account.namespace}/.well-known/jwks.json) for your Auth0 account (https://${account.namespace}/.well-known/jwks.json).
44

55
You can use any [recommended JWT library](https://jwt.io) to validate the standard claims returned in the token. The following example will demonstrate how to create a resource server API with Node. You can find more information about resource server implementations in the [Access Token documentation](https://auth0.com/docs/api-auth/config/asking-for-access-tokens).
66
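Review bot: line 5 of this include (unchanged context) still points at the absolute `https://auth0.com/docs/api-auth/config/asking-for-access-tokens`, while the link updated on line 3 is site-relative. Since this commit is a link sweep, consider making that one relative as well. Line 3 also gives the JWKS URL twice, once as the `[public key]` link target and again in the trailing parentheses; one of the two can go.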

articles/api-auth/tutorials/authorization-code-grant-pkce.md

+1-1
Original file line numberDiff line numberDiff line change
@@ -242,7 +242,7 @@ The response contains `access_token`, `refresh_token`, `id_token`, and `token_ty
242242
}
243243
```
244244

245-
Note that `refresh_token` will only be present in the response if you included the `offline_access` scope AND enabled __Allow Offline Access__ for your API in the Dashboard. For more information about Refresh Tokens and how to use them, see [our documentation](/tokens/refresh-token).
245+
Note that `refresh_token` will only be present in the response if you included the `offline_access` scope AND enabled __Allow Offline Access__ for your API in the Dashboard. See [Refresh Tokens](/tokens/concepts/refresh-tokens) for more information.
246246

247247
::: warning
248248
The Authorization Code flow with PKCE can only be used for Applications whose type is `Native` in the Dashboard.

articles/api-auth/tutorials/authorization-code-grant.md

+1-1
Original file line numberDiff line numberDiff line change
@@ -121,7 +121,7 @@ The response contains the `access_token`, `refresh_token`, `id_token`, and `toke
121121
}
122122
```
123123

124-
Note that `refresh_token` will only be present in the response if you included the `offline_access` scope AND enabled __Allow Offline Access__ for your API in the Dashboard. For more information about Refresh Tokens and how to use them, see [our documentation](/tokens/refresh-token).
124+
Note that `refresh_token` will only be present in the response if you included the `offline_access` scope AND enabled __Allow Offline Access__ for your API in the Dashboard. See [Refresh Tokens](/tokens/concepts/refresh-tokens) for more information.
125125

126126
::: panel-warning Security Warning
127127
It is important to understand that the Authorization Code flow should only be used in cases such as a Regular Web Application where the Client Secret can be safely stored. In cases such as a Single-Page Application, the Client Secret is available to the application (in the web browser), so the integrity of the Client Secret cannot be maintained. That is why the [Implicit Grant flow](/api-auth/grant/implicit) is more appropriate in that case.
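Review bot: the Security Warning on line 127 still links `[Implicit Grant flow](/api-auth/grant/implicit)`, while the same warning in hybrid-flow.md line 177 links `[Implicit Flow](/flows/concepts/implicit)`. If `/api-auth/grant/implicit` is one of the retired paths, it should be updated in this commit as well so the two warnings agree.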

articles/api-auth/tutorials/hybrid-flow.md

+1-1
Original file line numberDiff line numberDiff line change
@@ -171,7 +171,7 @@ The response contains the `access_token`, `refresh_token`, `id_token`, and `toke
171171
}
172172
```
173173

174-
Note that `refresh_token` will only be present in the response if you included the `offline_access` scope AND enabled __Allow Offline Access__ for your API in the Dashboard. For more information about Refresh Tokens and how to use them, see [our documentation](/tokens/refresh-token).
174+
Note that `refresh_token` will only be present in the response if you included the `offline_access` scope AND enabled __Allow Offline Access__ for your API in the Dashboard. See [Refresh Tokens](/tokens/concepts/refresh-tokens) for more information.
175175

176176
::: panel-warning Security Warning
177177
It is important to understand that the Authorization Code flow should only be used in cases such as a Regular Web Application where the Client Secret can be safely stored. In cases such as a Single-Page Application, the Client Secret is available to the application (in the web browser), so the integrity of the Client Secret cannot be maintained. That is why the [Implicit Flow](/flows/concepts/implicit) is more appropriate in that case.
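Review bot: the replacement sentence on line 174 is identical to line 245 of authorization-code-grant-pkce.md and line 124 of authorization-code-grant.md, and all three had to be edited by hand here. Moving the `offline_access` / __Allow Offline Access__ note into a shared partial under `articles/_includes/` would let the next link change happen in one place.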

articles/api/authentication/api-authz/_get-token.md

+1-1
Original file line numberDiff line numberDiff line change
@@ -581,7 +581,7 @@ Use this endpoint to refresh an <dfn data-key="access-token">Access Token</dfn>
581581

582582
### More Information
583583

584-
- [Refresh Token](/tokens/refresh-token)
584+
- [Refresh Tokens](/tokens/concepts/refresh-tokens)
585585

586586
## Token Exchange for Native Social
587587

articles/api/authentication/api-authz/_revoke-refersh-token.md

+1-1
Original file line numberDiff line numberDiff line change
@@ -72,4 +72,4 @@ For the complete error code reference for this endpoint refer to [Errors > POST
7272

7373
### More Information
7474

75-
- [Refresh Token](/tokens/refresh-token)
75+
- [Refresh Tokens](/tokens/concepts/refresh-tokens)
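Review bot: the file name `_revoke-refersh-token.md` misspells "refresh". This change did not introduce it, but a follow-up rename (together with whatever includes reference the file) would let it be found by searching for `refresh-token`.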

articles/api/info.md

+1-1
Original file line numberDiff line numberDiff line change
@@ -24,7 +24,7 @@ Some example tasks include:
2424

2525
* getting [tokens](/tokens) during authentication
2626
* requesting a user's profile using an [Access Token](/tokens/concepts/access-tokens)
27-
* exchanging [Refresh Tokens](/tokens/refresh-token) for new Access Tokens
27+
* exchanging [Refresh Tokens](/tokens/concepts/refresh-tokens) for new Access Tokens
2828
* requesting a challenge for [multi-factor authentication (MFA)](/multifactor-authentication)
2929

3030
<div class="api-info-wrapper">

articles/api/management/v2/get-access-tokens-for-spas.md

+1-1
Original file line numberDiff line numberDiff line change
@@ -73,7 +73,7 @@ Notice:
7373

7474
#### Response
7575

76-
When we receive our Management API Token, it will be in [JSON Web Token format](/tokens/reference/jwt/jwt-structure). Decoding it and reviewing its contents will reveal the following:
76+
When we receive our Management API Token, it will be in [JSON Web Token format](/tokens/references/jwt-structure). Decoding it and reviewing its contents will reveal the following:
7777

7878
```text
7979
{

articles/applications/reference/grant-types-available.md

+1-1
Original file line numberDiff line numberDiff line change
@@ -25,7 +25,7 @@ Various grant types are valid when registering Auth0 Applications. These can be
2525
| `authorization_code` | [Authorization Code Grant](/flows/concepts/auth-code) |
2626
| `client_credentials` | [Client Credentials Grant](/flows/concepts/client-credentials) |
2727
| `password` | [Resource Owner Password Grant](/api-auth/grant/password) |
28-
| `refresh_token` | [Use a Refresh Token](/tokens/refresh-token/current#use-a-refresh-token) |
28+
| `refresh_token` | [Use Refresh Tokens](/tokens/guides/use-refresh-tokens) |
2929
| `urn:ietf:params:oauth:grant-type:device_code` | [Device Authorization Grant](/flows/concepts/device-auth) |
3030

3131
## Auth0 extension grants
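Review bot: row 27, `password`, still targets `/api-auth/grant/password` while the neighbouring rows use `/flows/concepts/...` and `/tokens/guides/...`. Please confirm that path is still live, or update it here.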

articles/architecture-scenarios/_includes/_authentication/_application-integration.md

+2-2
Original file line numberDiff line numberDiff line change
@@ -41,7 +41,7 @@ Authentication is the process of determining user identity. The result of authen
4141

4242
* Do we also need an [Access Token](/tokens/concepts/access-tokens) in order to call a shared API?
4343
* Is your application a single-page application and only requires an [ID Token](/tokens/concepts/id-tokens)? See [Implicit Grant](/api-auth/tutorials/implicit-grant) for more information.
44-
* Is your application a native application (mobile or desktop) and/or do you need a [Refresh Token](/tokens/refresh-token/current)? See [Authorization Code Grant with PKCE](/api-auth/tutorials/authorization-code-grant-pkce) for more information.
44+
* Is your application a native application (mobile or desktop) and/or do you need a [Refresh Token](/tokens/concepts/refresh-tokens)? See [Authorization Code Grant with PKCE](/api-auth/tutorials/authorization-code-grant-pkce) for more information.
4545

4646
::: warning
4747
Before you go live, you should ensure that **only** the grants that you are using for each application are enabled in your [configuration for your Application](/dashboard/guides/applications/update-grant-types).
@@ -52,7 +52,7 @@ Before you go live, you should ensure that **only** the grants that you are usin
5252
If all your application needs is the ID Token and the application is browser-based, then you can always use the [implicit grant](/api-auth/tutorials/implicit-grant) to get your ID Token. This is a simple authentication flow and should be supported by your SDK (depending on the language you are developing in).
5353

5454
::: warning
55-
If you need a [Refresh Token](/tokens/refresh-token/current) so that you can obtain a new Access Token or ID Token without having to re-authenticate the user, then you must use the [authorization code grant](/api-auth/tutorials/authorization-code-grant).
55+
If you need a [Refresh Token](/tokens/concepts/refresh-tokens) so that you can obtain a new Access Token or ID Token without having to re-authenticate the user, then you must use the [authorization code grant](/api-auth/tutorials/authorization-code-grant).
5656
:::
5757

5858
### Authorization code grant (with or without PKCE)
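Review bot: the warning on line 55 says a Refresh Token requires the `[authorization code grant](/api-auth/tutorials/authorization-code-grant)`, but line 44 of the same file sends native apps that need a Refresh Token to the PKCE tutorial, and the heading on line 58 reads "Authorization code grant (with or without PKCE)". Since this line is being edited anyway, wording it as "authorization code grant (with or without PKCE)" would stop the warning reading as if the PKCE variant does not qualify.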

articles/architecture-scenarios/mobile-api/part-1.md

+1-1
Original file line numberDiff line numberDiff line change
@@ -25,7 +25,7 @@ useCase:
2525

2626
OAuth 2 provides several grant types for different use cases. In this particular use case, we want to access the API from a mobile application, which will use the [Authorization Code Flow with Proof Key for Code Exchange (PKCE)](/flows/concepts/auth-code-pkce) to do so.
2727

28-
The [Authorization Code Flow](/flows/concepts/auth-code) has some security issues when implemented on native applications. For instance, a malicious attacker can intercept the `authorization_code` returned by Auth0 and exchange it for an [Access Token](/tokens/concepts/access-tokens) (and possibly a <dfn data-key="refresh-token">[Refresh Token](/tokens/refresh-token)</dfn>).
28+
The [Authorization Code Flow](/flows/concepts/auth-code) has some security issues when implemented on native applications. For instance, a malicious attacker can intercept the `authorization_code` returned by Auth0 and exchange it for an [Access Token](/tokens/concepts/access-tokens) (and possibly a <dfn data-key="refresh-token">[Refresh Token](/tokens/concepts/refresh-tokens)</dfn>).
2929

3030
The Proof Key for Code Exchange (PKCE) (defined in [RFC 7636](https://tools.ietf.org/html/rfc7636)) is a technique used to mitigate this authorization code interception attack.
3131

articles/architecture-scenarios/mobile-api/part-3.md

+4-4
Original file line numberDiff line numberDiff line change
@@ -125,20 +125,20 @@ The response from the Token URL will contain:
125125
```
126126

127127
- __access_token__: An Access Token for the API, specified by the `audience`.
128-
- __refresh_token__: A [Refresh Token](/tokens/refresh-token/current) will only be present if you included the `offline_access` scope AND enabled __Allow Offline Access__ for your API in the Dashboard.
128+
- __refresh_token__: A [Refresh Token](/tokens/concepts/refresh-tokens) will only be present if you included the `offline_access` scope AND enabled __Allow Offline Access__ for your API in the Dashboard.
129129
- __id_token__: An ID Token JWT containing user profile information.
130130
- __token_type__: A string containing the type of token, this will always be a Bearer token.
131131
- __expires_in__: The amount of seconds until the Access Token expires.
132132

133133
You will need to store the above credentials in local storage for use in calling your API and retrieving the user profile.
134134

135135
::: note
136-
[See the implementation in Android.](/architecture-scenarios/application/mobile-api/mobile-implementation-android#store-credentials)
136+
[See the implementation in Android](/architecture-scenarios/application/mobile-api/mobile-implementation-android#store-credentials).
137137
:::
138138

139139
### Get the User Profile
140140

141-
To retrieve the [User Profile](/api/authentication?http#user-profile), your mobile application can decode the [ID Token](/tokens/concepts/id-tokens) using one of the [JWT libraries](https://jwt.io/#libraries-io). This is done by [verifying the signature](/tokens/guides/id-token/validate-id-token#verify-the-signature) and [verifying the claims](/tokens/guides/id-token/validate-id-token#verify-the-claims) of the token. After validating the ID Token, you can access its payload containing the user information:
141+
To retrieve the [User Profile](/api/authentication?http#user-profile), your mobile application can decode the [ID Token](/tokens/concepts/id-tokens) using one of the [JWT libraries](https://jwt.io/#libraries-io). This is done by [verifying the signature](/tokens/guides/validate-id-token#verify-the-signature) and [verifying the claims](/tokens/guides/validate-id-token#verify-the-claims) of the token. After validating the ID Token, you can access its payload containing the user information:
142142

143143
```json
144144
{
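Review bot: line 133 (unchanged context) tells the reader to keep the token response, which per line 128 can include a Refresh Token, "in local storage", while the section touched by the next hunk states that Refresh Tokens must be stored securely by an application. Suggest rewording line 133 to say secure storage and letting the Android link on line 136 carry the detail. Separately, the two `validate-id-token` links on line 141 keep their `#verify-the-signature` and `#verify-the-claims` fragments; confirm both headings exist on the new page, since a missing fragment does not produce a 404.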
@@ -183,7 +183,7 @@ Refresh Tokens must be stored securely by an application since they do not expir
183183

184184
To refresh your Access Token, perform a `POST` request to the `/oauth/token` endpoint using the Refresh Token from your authorization result.
185185

186-
A [Refresh Token](/tokens/refresh-token/current) will only be present if you included the `offline_access` scope in the previous authorization request and enabled __Allow Offline Access__ for your API in the Dashboard.
186+
A [Refresh Token](/tokens/concepts/refresh-tokens) will only be present if you included the `offline_access` scope in the previous authorization request and enabled __Allow Offline Access__ for your API in the Dashboard.
187187

188188
Your request should include:
189189

articles/architecture-scenarios/server-api/api-implementation-nodejs.md

+1-1
Original file line numberDiff line numberDiff line change
@@ -62,7 +62,7 @@ Next, we need to set our dependencies. We will use the following modules:
6262

6363
- **express**: This module adds the [Express web application framework](https://expressjs.com/).
6464

65-
- **jwks-rsa**: This library retrieves RSA signing keys from a [**JWKS** (JSON Web Key Set)](/jwks) endpoint. Using `expressJwtSecret` we can generate a secret provider that will provide the right signing key to `express-jwt` based on the `kid` in the JWT header. For more information refer to the [node-jwks-rsa GitHub repository](https://github.com/auth0/node-jwks-rsa).
65+
- **jwks-rsa**: This library retrieves RSA signing keys from a [**JWKS** (JSON Web Key Set)](/tokens/concepts/jwks) endpoint. Using `expressJwtSecret` we can generate a secret provider that will provide the right signing key to `express-jwt` based on the `kid` in the JWT header. For more information refer to the [node-jwks-rsa GitHub repository](https://github.com/auth0/node-jwks-rsa).
6666

6767
- **express-jwt**: This module lets you authenticate HTTP requests using JWT tokens in your Node.js applications. It provides several functions that make working with JWTs easier. For more information refer to the [express-jwt GitHub repository](https://github.com/auth0/express-jwt).
6868

articles/architecture-scenarios/server-api/part-2.md

+1-1
Original file line numberDiff line numberDiff line change
@@ -37,7 +37,7 @@ Fill in the required information, and click the **Create** button.
3737
When you create an API, you must select the algorithm with which your tokens will be signed. The signature is used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed along the way.
3838

3939
::: note
40-
The signature is part of a JWT. If you are unfamiliar with JWT structure, please see [JSON Web Token Structure](/tokens/reference/jwt/jwt-structure).
40+
The signature is part of a JWT. If you are unfamiliar with JWT structure, please see [JSON Web Token Structure](/tokens/references/jwt-structure).
4141
:::
4242

4343
To create the signature, you must take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that. That algorithm, which is part of the JWT header, is the one you select for your API: `HS256` or `RS256`.
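Review bot: line 43 (unchanged context) lists "a secret" as a signing input for both `HS256` and `RS256`. That holds for `HS256`; with `RS256` the signature is made with a private key and checked with the corresponding public key, as _create_resource_server.md describes. Worth a follow-up so readers choosing an algorithm on this page do not treat the two as sharing one secret.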

articles/connections/_call-api.md

+1-1
Original file line numberDiff line numberDiff line change
@@ -4,4 +4,4 @@ To get the ${idp} Access Token, you must retrieve the full user's profile using
44

55
Using the token, you can call ${idp}'s API following ${idp}'s documentation.
66

7-
Optional: Get a <dfn data-key="refresh-token">[Refresh Token](/tokens/refresh-token/current#get-a-refresh-token)</dfn> from ${idp} to refresh your Access Token once it expires. To ensure your application is secure, pay close attention to the [restrictions on using Refresh Tokens](/tokens/refresh-token/current#restrictions-on-refresh-token-usage).
7+
Optional: Get a <dfn data-key="refresh-token">[Refresh Token](/tokens/guides/get-refresh-tokens)</dfn> from ${idp} to refresh your Access Token once it expires. To ensure your application is secure, pay close attention to the [restrictions on using Refresh Tokens](/tokens/concepts/refresh-tokens#restrictions-and-limitations).
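Review bot: on line 7 the second link changes both page and fragment, from `#restrictions-on-refresh-token-usage` to `/tokens/concepts/refresh-tokens#restrictions-and-limitations`. Please confirm the target page has a heading that generates exactly that fragment; a wrong fragment loads the top of the page without error, and this is the link the sentence relies on for its security advice.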

articles/extensions/authorization-extension/v2/rules.md

+2-2
Original file line numberDiff line numberDiff line change
@@ -19,7 +19,7 @@ useCase: extensibility-extensions
1919

2020
You can use [rules](/rules) with the Authorization Extension to do things like:
2121

22-
* Add [custom claims](/tokens/jwt-claims#custom-claims) to the issued token
22+
* Add [custom claims](/tokens/concepts/jwt-claims#custom-claims) to the issued token
2323
* Determining the user's group membership, <dfn data-key="role">roles</dfn> and permissions
2424
* Storing the user's groups, roles and permissions info as [part of the `app_metadata`](/extensions/authorization-extension/v2/configuration#persistence)
2525
* Adding the user's groups, roles and permissions to the [outgoing token](/extensions/authorization-extension/v2/configuration#token-contents) (which can be requested via the `openid groups permissions roles` scope)
@@ -28,7 +28,7 @@ Because the above logic is part of a rule, it will only be executed in the conte
2828

2929
## Add Custom Claims to the Issued Token
3030

31-
If you'd like to add custom claims to your tokens, you can do so by creating additional [rule](/rules) that allows the Authorization Extension to do so. Custom claims should be [namespaced](/tokens/concepts/claims-namespacing).
31+
If you'd like to add custom claims to your tokens, you can do so by creating additional [rule](/rules) that allows the Authorization Extension to do so. Custom claims should be [namespaced](/tokens/guides/create-namespaced-custom-claims).
3232

3333
::: note
3434
You should [limit the number of claims](/extensions/authorization-extension/v2/configuration#data-limitations) you add to the token.
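Review bot: line 31 still reads "by creating additional [rule](/rules) that allows"; as the line is being rewritten, fix it to "an additional [rule](/rules)". The "namespaced" link also moves from a concepts page to a how-to guide (`/tokens/guides/create-namespaced-custom-claims`), so check that the guide still explains why custom claims should be namespaced, not only how.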

articles/flows/concepts/device-auth.md

+2-2
Original file line numberDiff line numberDiff line change
@@ -54,10 +54,10 @@ The easiest way to implement the Device Authorization Flow is to follow our tuto
5454

5555
## Force device reauthorization
5656

57-
To force the user to reauthorize a device, you must revoke the [Refresh Token](/tokens/refresh-token/current#revoke-a-refresh-token) assigned to the device. To learn how, see [Unlink Devices from Users](/dashboard/guides/users/unlink-user-devices). Note that the device will not be forced to reauthorize until the current Access Token expires and the application tries to use the revoked Refresh Token.
57+
To force the user to reauthorize a device, you must revoke the [Refresh Token](/tokens/guides/revoke-refresh-tokens) assigned to the device. To learn how, see [Unlink Devices from Users](/dashboard/guides/users/unlink-user-devices). Note that the device will not be forced to reauthorize until the current Access Token expires and the application tries to use the revoked Refresh Token.
5858

5959
## Keep reading
6060

6161
- Auth0 offers many ways to customize your tokens using [rules](/rules) and [hooks](/hooks).
62-
- [Tokens used by Auth0](/tokens)
62+
- [Tokens](/tokens)
6363
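Review bot: on line 57 the link text is still "Refresh Token" but the target is now the how-to `/tokens/guides/revoke-refresh-tokens`. Link text should describe where it goes; suggest "you must [revoke the Refresh Token](/tokens/guides/revoke-refresh-tokens) assigned to the device".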

articles/flows/concepts/implicit.md

+2-2
Original file line numberDiff line numberDiff line change
@@ -51,13 +51,13 @@ Finally, you can follow our tutorials to use our API endpoints to [Add Login Us
5151
The Access Token is exposed on the client side. The implicit flow does not return a Refresh Token because the browser cannot keep it private.
5252
:::
5353

54-
While SPAs using the Implicit Grant cannot use [Refresh Tokens](/tokens/refresh-token), there are other ways to provide similar functionality.
54+
While SPAs using the Implicit Grant cannot use [Refresh Tokens](/tokens/concepts/refresh-tokens), there are other ways to provide similar functionality.
5555

5656
- Use `prompt=none` when invoking the [/authorize](/api/authentication#implicit-grant) endpoint. The user will not see the login or consent dialogs. For more information, see [Silent Authentication](/api-auth/tutorials/silent-authentication).
5757
- Call `/authorize` from a hidden iframe and extract the new [Access Token](/tokens/concepts/access-tokens) from the parent frame. The user will not see the redirects happening.
5858

5959
## Keep reading
6060

6161
- Auth0 offers many ways to personalize your user's login experience using [rules](/rules) and [hooks](/hooks).
62-
- [Tokens used by Auth0](/tokens)
62+
- [Tokens](/tokens)
6363
- [Which OAuth 2.0 Flow Should I Use?](/api-auth/which-oauth-flow-to-use)
