POST /v1/tokens/exchange
Service: identity · operationId: (none)
RFC 8693 token exchange — swap a WorkOS user access token for an identity-signed user token
Required scopes
(no scope declared — review service config)
Request body
{
  "type": "object",
  "properties": {
    "grant_type": {
      "type": "string",
      "enum": [
        "urn:ietf:params:oauth:grant-type:token-exchange"
      ]
    },
    "subject_token": {
      "type": "string",
      "minLength": 1,
      "description": "WorkOS-issued access token"
    },
    "subject_token_type": {
      "type": "string",
      "enum": [
        "urn:ietf:params:oauth:token-type:access_token"
      ],
      "description": "RFC 8693 token type — only access_token supported"
    },
    "audience": {
      "type": "string",
      "minLength": 1,
      "description": "Target service for the minted token"
    },
    "scope": {
      "type": "string",
      "description": "Space-separated requested scopes"
    }
  },
  "required": [
    "grant_type",
    "subject_token",
    "audience"
  ]
}

Responses
200 Token exchanged
{
  "type": "object",
  "properties": {
    "access_token": {
      "type": "string",
      "description": "Signed JWT"
    },
    "token_type": {
      "type": "string",
      "enum": [
        "Bearer"
      ]
    },
    "expires_in": {
      "type": "integer",
      "description": "Token lifetime in seconds"
    },
    "scope": {
      "type": "string",
      "description": "Space-separated granted scopes"
    }
  },
  "required": [
    "access_token",
    "token_type",
    "expires_in",
    "scope"
  ]
}

400 Invalid request
{
  "type": "object",
  "properties": {
    "error": {
      "type": "string",
      "description": "OAuth 2 error code"
    },
    "error_description": {
      "type": "string",
      "description": "Human-readable error message"
    }
  },
  "required": [
    "error",
    "error_description"
  ]
}

401 Invalid client credentials or invalid subject_token
{
  "type": "object",
  "properties": {
    "error": {
      "type": "string",
      "description": "OAuth 2 error code"
    },
    "error_description": {
      "type": "string",
      "description": "Human-readable error message"
    }
  },
  "required": [
    "error",
    "error_description"
  ]
}

403 Audience or scope not allowed for this client
{
  "type": "object",
  "properties": {
    "error": {
      "type": "string",
      "description": "OAuth 2 error code"
    },
    "error_description": {
      "type": "string",
      "description": "Human-readable error message"
    }
  },
  "required": [
    "error",
    "error_description"
  ]
}

Example
curl -X POST https://identity.platform.loop.health/v1/tokens/exchange \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{ ... }'

Related

- services/identity — service overview
- All endpoints — directory across services
- Auth model — how scopes are enforced
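A client-side helper for the exchange documented above, added here as an example and not part of the identity service or its SDKs. It builds the request body the schema requires and checks a response against the 200/400/401/403 shapes, refusing a 200 whose granted scope exceeds what was requested; the function names and the sample tokens in the comments are constructed.

```python
import json
from dataclasses import dataclass

# Endpoint and the two fixed URNs taken from the request schema above.
EXCHANGE_URL = "https://identity.platform.loop.health/v1/tokens/exchange"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
SUBJECT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


@dataclass
class ExchangedToken:
    access_token: str
    expires_in: int
    scopes: frozenset


class ExchangeError(Exception):
    """Raised for every documented 4xx and for anything off-schema."""
    def __init__(self, status, error, description):
        super().__init__(f"{status} {error}: {description}")
        self.status, self.error = status, error


def build_exchange_request(subject_token, audience, scopes=()):
    """Build the JSON body the request schema requires; minLength: 1 is
    enforced here so an empty credential never leaves the process."""
    if not subject_token or not audience:
        raise ValueError("subject_token and audience must be non-empty")
    body = {"grant_type": GRANT_TYPE, "subject_token": subject_token,
            "subject_token_type": SUBJECT_TOKEN_TYPE, "audience": audience}
    if scopes:
        body["scope"] = " ".join(scopes)  # space-separated, per the schema
    return body


def parse_exchange_response(status, body_json, requested_scopes=()):
    """Map the documented responses to a token or an ExchangeError. A 200
    that grants scopes the caller never requested is rejected, so a
    misconfigured policy cannot silently widen the minted token."""
    body = json.loads(body_json)
    if status in (400, 401, 403):
        raise ExchangeError(status, body["error"], body["error_description"])
    if status != 200 or body.get("token_type") != "Bearer":
        raise ExchangeError(status, "invalid_response", "undocumented status or token_type")
    if not isinstance(body.get("expires_in"), int) or body["expires_in"] <= 0:
        raise ExchangeError(status, "invalid_response", "expires_in must be a positive integer")
    granted = frozenset(str(body.get("scope", "")).split())
    if requested_scopes and not granted <= frozenset(requested_scopes):
        raise ExchangeError(status, "scope_escalation", "granted scope exceeds the request")
    return ExchangedToken(body["access_token"], body["expires_in"], granted)
```

Send the body from build_exchange_request with the same Authorization and Content-Type headers as the curl example, then pass the status and raw body to parse_exchange_response.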