/oauth/token-exchange

Implements the RFC 8693 token exchange standard, supporting delegation chains with subject_token and actor_token: the original JWT is exchanged for a restricted access token for downstream services. Used for NHI (non-human identity) workload identity delegation scenarios. See RFC 8693 (OAuth 2.0 Token Exchange).
| Name | In | Type | Required | Default | Example | Constraints | Description |
|---|---|---|---|---|---|---|---|
| grant_type | formData | string | Yes | | | enum: `urn:ietf:params:oauth:grant-type:token-exchange` | Grant type |
| subject_token | formData | string | Yes | | | | Subject token (JWT) |
| actor_token | formData | string | No | | | | Actor token (JWT) |
| scope | formData | string | No | | | | Requested scope |
| client_id | formData | string | No | | | | Client ID |
| Status | Description | Schema |
|---|---|---|
| 200 | Exchanged access token (contains access_token, token_type, expires_in, scope) | dto.OAuthTokenResponse |
| 400 | invalid_scope: Requested scope is invalid or out of range. See RFC 8693. | dto.OAuthErrorResponse |
| 401 | invalid_token: subject_token is invalid or expired | dto.OAuthErrorResponse |
| 500 | server_error: Internal error in token exchange service | dto.OAuthErrorResponse |
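The request and response shapes above, worked through end to end as an added example (not the project's own code): building the formData body with exactly the parameters this reference lists, turning the documented 200/400/401/500 replies into a result or a typed error, and then doing what a downstream service must do with the exchanged token, namely verify its signature and walk the RFC 8693 `act` claim that records the delegation chain before honouring it. The HS256 signing key, issuer, subject and actor names are constructed for the demonstration; the JWT helpers are a stdlib-only stand-in for a real JWT library. Note that RFC 8693 itself also defines `subject_token_type` and `actor_token_type`, which this reference does not list, so the builder emits only the parameters documented here.

```python
"""Client and downstream-service helpers for /oauth/token-exchange (RFC 8693).

Added example, not the project's own code. Parameter names, the grant type URN
and the response/error fields come from the reference tables; the HS256 key,
issuer and sample claims are constructed for this demonstration.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"

# Error codes the reference documents for this endpoint, keyed by HTTP status.
DOCUMENTED_ERRORS = {400: "invalid_scope", 401: "invalid_token", 500: "server_error"}


class TokenExchangeError(Exception):
    """Raised for a non-200 reply; carries the OAuth error response fields."""

    def __init__(self, status: int, error: str, description: Optional[str] = None,
                 error_uri: Optional[str] = None) -> None:
        super().__init__(f"{status} {error}" + (f": {description}" if description else ""))
        self.status, self.error = status, error
        self.description, self.error_uri = description, error_uri


def build_exchange_form(subject_token: str, actor_token: Optional[str] = None,
                        scope: Optional[str] = None, client_id: Optional[str] = None) -> dict:
    """formData fields for /oauth/token-exchange; optional fields are omitted, not sent empty."""
    if not subject_token:
        raise ValueError("subject_token is required")
    form = {"grant_type": TOKEN_EXCHANGE_GRANT, "subject_token": subject_token}
    if actor_token:
        form["actor_token"] = actor_token
    if scope:
        form["scope"] = scope
    if client_id:
        form["client_id"] = client_id
    return form


def parse_exchange_response(status: int, body: dict) -> dict:
    """Return the token response on 200; raise TokenExchangeError for the documented errors."""
    if status == 200:
        missing = [f for f in ("access_token", "token_type", "expires_in") if f not in body]
        if missing:
            raise ValueError(f"token response missing {missing}")
        return body
    # Fall back to the documented code for this status if the body carries none.
    error = body.get("error") or DOCUMENTED_ERRORS.get(status, "unknown_error")
    raise TokenExchangeError(status, error, body.get("error_description"), body.get("error_uri"))


# Minimal HS256 JWT (stdlib only) so the delegation chain can be shown end to end.
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, key: bytes) -> dict:
    """Pin the alg and verify the signature before trusting any claim."""
    header, payload, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


def delegation_chain(claims: dict) -> list:
    """RFC 8693 `act` claim, flattened: [subject, current actor, prior actor, ...]."""
    chain = [claims["sub"]]
    act = claims.get("act")
    while act:
        chain.append(act["sub"])
        act = act.get("act")
    return chain


def check_downstream_token(token: str, key: bytes, allowed_actors: set, max_depth: int = 2) -> dict:
    """Checks a downstream service runs on the exchanged token: signature, actor allow-list, chain depth."""
    claims = verify_hs256(token, key)
    chain = delegation_chain(claims)
    if len(chain) - 1 > max_depth:
        raise PermissionError(f"delegation chain too deep: {chain}")
    if len(chain) > 1 and chain[1] not in allowed_actors:
        raise PermissionError(f"actor {chain[1]} may not act for {chain[0]}")
    return claims


if __name__ == "__main__":
    key = b"demo-signing-key"  # constructed; a real deployment uses the issuer's key
    subject = sign_hs256({"iss": "https://issuer.example", "sub": "user-42", "scope": "read_balances"}, key)
    actor = sign_hs256({"iss": "https://issuer.example", "sub": "svc-reporting"}, key)
    print(build_exchange_form(subject, actor_token=actor, scope="read_balances"))
    # Simulated 200 reply: the restricted token records the acting workload in `act`.
    exchanged = sign_hs256({"sub": "user-42", "scope": "read_balances", "act": {"sub": "svc-reporting"}}, key)
    reply = parse_exchange_response(200, {"access_token": exchanged, "token_type": "Bearer", "expires_in": 3600})
    print(check_downstream_token(reply["access_token"], key, {"svc-reporting"}))
```

The downstream check deliberately bounds chain depth and allow-lists the immediate actor: an exchanged token whose `act` nesting has grown beyond what the deployment expects is the signal that a workload is re-delegating further than intended.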
| Field | Type | Required | Example | Constraints | Description |
|---|---|---|---|---|---|
| actions | array of string | No | ["list_accounts", "read_balances"] | | Operation |
| constraints | object | No | | | Extension constraints |
| data_types | array of string | No | ["account_details", "balances"] | | Data type |
| identifier | string | No | account-12345 | | Identifier |
| locations | array of string | No | ["https://example.com/accounts"] | | Location |
| type | string | No | account_information | | Grant type |
OAuth standard error response
| Field | Type | Required | Example | Constraints | Description |
|---|---|---|---|---|---|
| error | string | No | invalid_request | | Error code |
| error_description | string | No | Missing required parameter | | Error description |
| error_uri | string | No | https://docs.example.com/errors | | Error URI |
| state | string | No | state-123 | | Status |
OAuth token response
| Field | Type | Required | Example | Constraints | Description |
|---|---|---|---|---|---|
| access_token | string | No | eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... | | Access token |
| authorization_details | array of | No | | | RAR authorization details |
| dpop_access_token_bound | boolean | No | | | Access token DPoP binding confirmation (RFC 9449) |
| dpop_signing_alg | string | No | | | DPoP signing algorithm (RFC 9449) |
| expires_in | integer | No | 3600 | | Expires in seconds |
| id_token | string | No | eyJhbGci... | | OIDC ID token |
| refresh_token | string | No | rt_abc123 | | Refresh token |
| scope | string | No | openid profile email | | Scope |
| token_type | string | No | Bearer | | Token type |