
POST /v1/tokens/exchange

Service: identity · operationId: (none)

RFC 8693 token exchange: exchanges a WorkOS user access token for an identity-signed user token.

Required scopes

(no scope declared — review service config)

Request body

{
  "type": "object",
  "properties": {
    "grant_type": {
      "type": "string",
      "enum": [
        "urn:ietf:params:oauth:grant-type:token-exchange"
      ]
    },
    "subject_token": {
      "type": "string",
      "minLength": 1,
      "description": "WorkOS-issued access token"
    },
    "subject_token_type": {
      "type": "string",
      "enum": [
        "urn:ietf:params:oauth:token-type:access_token"
      ],
      "description": "RFC 8693 token type; only urn:ietf:params:oauth:token-type:access_token is supported"
    },
    "audience": {
      "type": "string",
      "minLength": 1,
      "description": "Target service for the minted token"
    },
    "scope": {
      "type": "string",
      "description": "Space-separated requested scopes"
    }
  },
  "required": [
    "grant_type",
    "subject_token",
    "audience"
  ]
}

Responses

200 Token exchanged

{
  "type": "object",
  "properties": {
    "access_token": {
      "type": "string",
      "description": "Identity-signed JWT minted for the requested audience"
    },
    "token_type": {
      "type": "string",
      "enum": [
        "Bearer"
      ]
    },
    "expires_in": {
      "type": "integer",
      "description": "Token lifetime in seconds"
    },
    "scope": {
      "type": "string",
      "description": "Space-separated granted scopes"
    }
  },
  "required": [
    "access_token",
    "token_type",
    "expires_in",
    "scope"
  ]
}

400 Invalid request

{
  "type": "object",
  "properties": {
    "error": {
      "type": "string",
      "description": "OAuth 2 error code"
    },
    "error_description": {
      "type": "string",
      "description": "Human-readable error message"
    }
  },
  "required": [
    "error",
    "error_description"
  ]
}

401 Invalid client credentials or invalid subject_token

{
  "type": "object",
  "properties": {
    "error": {
      "type": "string",
      "description": "OAuth 2 error code"
    },
    "error_description": {
      "type": "string",
      "description": "Human-readable error message"
    }
  },
  "required": [
    "error",
    "error_description"
  ]
}

403 Audience or scope not allowed for this client

{
  "type": "object",
  "properties": {
    "error": {
      "type": "string",
      "description": "OAuth 2 error code"
    },
    "error_description": {
      "type": "string",
      "description": "Human-readable error message"
    }
  },
  "required": [
    "error",
    "error_description"
  ]
}

Example

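# Exchange a WorkOS access token for an identity-signed user token (RFC 8693).
# The body carries the fields required by the request schema above; "scope" is optional.
# WORKOS_ACCESS_TOKEN and TARGET_AUDIENCE are placeholders to be supplied by the caller.
# The body is read from stdin (-d @-) so the subject token is not exposed in the
# process argument list; the Authorization header still is.
curl -sS -X POST https://identity.platform.loop.health/v1/tokens/exchange \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d @- <<EOF
{
  "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
  "subject_token": "$WORKOS_ACCESS_TOKEN",
  "subject_token_type": "urn:ietf:params:oauth:token-type:access_token",
  "audience": "$TARGET_AUDIENCE"
}
EOF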