Autional API Reference (autional.com)

POST /oauth/token-exchange

Implements OAuth 2.0 Token Exchange (RFC 8693). The caller presents a subject_token (the identity the new token is issued for) and, to express a delegation chain, an optional actor_token (the identity acting on the subject's behalf). The original JWT is exchanged for a restricted access token intended for downstream services; the requested scope may only narrow what the subject token already carries. Used for NHI (non-human identity) workload delegation scenarios. See RFC 8693 (OAuth 2.0 Token Exchange).

Security scheme: OAuth (required scopes: none). Content-Type: application/x-www-form-urlencoded

Request Parameters

| Name | In | Type | Required | Constraints | Description |
|---|---|---|---|---|---|
| grant_type | formData | string | Yes | enum: `urn:ietf:params:oauth:grant-type:token-exchange` | Grant type; must be the RFC 8693 token-exchange URN |
| subject_token | formData | string | Yes | | Subject token (JWT): the identity on whose behalf the new token is issued |
| actor_token | formData | string | No | | Actor token (JWT): the identity acting on the subject's behalf; supplying it records a delegation chain |
| scope | formData | string | No | | Requested scope; must be within the subject token's scope, otherwise the request fails with invalid_scope |
| client_id | formData | string | No | | Client ID |

No parameter has a default value.

Responses

| Status | Description | Schema |
|---|---|---|
| 200 | Exchanged access token (contains access_token, token_type, expires_in, scope) | dto.OAuthTokenResponse |
| 400 | invalid_scope: the requested scope is invalid or outside the subject token's scope (RFC 8693) | dto.OAuthErrorResponse |
| 401 | invalid_token: subject_token is invalid or expired | dto.OAuthErrorResponse |
| 500 | server_error: internal error in the token exchange service | dto.OAuthErrorResponse |
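The request, the response checks and the delegation-chain handling described above, as an added example. This is not Autional's client or server code; it assumes (the page does not say) that the issued JWT carries the RFC 8693 `act` claim for delegation chains, and the sample tokens, the `job-runner`/`gateway`/`ledger-service` names and the HS256 key are constructed here purely so the example runs offline.

```python
"""Helpers for POST /oauth/token-exchange (RFC 8693): request encoding, response checks, delegation chains."""
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"

def build_token_exchange_request(subject_token, actor_token=None, scope=None, client_id=None):
    """Encode the form body; only the parameters the page documents are sent."""
    form = {"grant_type": TOKEN_EXCHANGE_GRANT, "subject_token": subject_token}
    if actor_token:
        form["actor_token"] = actor_token  # an actor makes this a delegation request
    if scope:
        form["scope"] = scope  # must stay within the subject token's scope (else 400 invalid_scope)
    if client_id:
        form["client_id"] = client_id
    return urlencode(form)

class TokenExchangeError(Exception):
    """Carries the OAuth error code from a dto.OAuthErrorResponse body."""

def parse_token_response(status, body):
    """Validate a dto.OAuthTokenResponse body, raising on an error response."""
    data = json.loads(body)
    if status != 200:
        raise TokenExchangeError(data.get("error", "unknown"))
    if not all(f in data for f in ("access_token", "token_type", "expires_in")):
        raise ValueError("token response missing required fields")
    # A DPoP-bound token is presented with token_type DPoP, never as a plain Bearer (RFC 9449).
    if data.get("dpop_access_token_bound") and data["token_type"].lower() != "dpop":
        raise ValueError("dpop_access_token_bound set but token_type is not DPoP")
    return data

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def hs256_jwt(claims, key):
    """Mint a compact HS256 JWT (used only to build the constructed samples below)."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_hs256_jwt(token, key):
    """Check the signature with a pinned algorithm and return the claims."""
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError unless exactly 3 parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # refuses alg=none and algorithm confusion
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))

def delegation_chain(claims):
    """Walk the nested act claim (RFC 8693 s4.1; assumed for Autional's tokens): [subject, current actor, ...]."""
    chain, act = [claims["sub"]], claims.get("act")
    while act:
        chain.append(act["sub"])
        act = act.get("act")
    return chain

def authorize_downstream(token, key, expected_aud, allowed_actors):
    """What a downstream service checks before honoring an exchanged token."""
    claims = verify_hs256_jwt(token, key)
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise PermissionError("token not issued for this audience")
    chain = delegation_chain(claims)
    for actor in chain[1:]:
        if actor not in allowed_actors:
            raise PermissionError(f"actor {actor!r} may not act for {chain[0]!r}")
    return claims, chain

# Constructed sample data (not from Autional), minted with a throwaway HS256 key so the example runs offline:
# a job-runner workload's token, exchanged with a gateway as actor, restricted to ledger-service.
SAMPLE_KEY = b"constructed-sample-key-not-for-production"
SAMPLE_TOKEN = hs256_jwt({"sub": "job-runner", "aud": "ledger-service", "scope": "read_balances",
                          "act": {"sub": "gateway"}}, SAMPLE_KEY)
SAMPLE_RESPONSE = json.dumps({"access_token": SAMPLE_TOKEN, "token_type": "Bearer", "expires_in": 3600})

def run_demo():
    """Exercise the helpers end to end against the constructed samples."""
    ok = parse_token_response(200, SAMPLE_RESPONSE)
    _, chain = authorize_downstream(ok["access_token"], SAMPLE_KEY, "ledger-service", {"gateway"})
    try:
        authorize_downstream(ok["access_token"], SAMPLE_KEY, "ledger-service", {"reporting"})
        rejected = False
    except PermissionError:
        rejected = True
    try:
        parse_token_response(401, '{"error": "invalid_token", "error_description": "subject_token expired"}')
        error = None
    except TokenExchangeError as exc:
        error = str(exc)
    return {"chain": chain, "unlisted_actor_rejected": rejected, "error": error}
```

Two caveats when wiring this up against the real endpoint. RFC 8693 itself requires subject_token_type (and actor_token_type whenever actor_token is sent); the parameter table above does not list them, so confirm whether the server infers the JWT type before omitting them. And RFC 8693 section 2.2.2 specifies a 400 invalid_request for an unacceptable subject_token, whereas this endpoint documents 401 invalid_token, so clients should handle both.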

Referenced Schemas

dto.AuthorizationDetailDTO

Rich Authorization Request (RAR, RFC 9396) authorization details object.

| Field | Type | Required | Example | Description |
|---|---|---|---|---|
| actions | array of string | No | `["list_accounts", "read_balances"]` | Operations the grant permits |
| constraints | object | No | | Extension constraints |
| data_types | array of string | No | `["account_details", "balances"]` | Data types the grant covers |
| identifier | string | No | account-12345 | Identifier of the resource |
| locations | array of string | No | `["https://example.com/accounts"]` | Resource locations (URIs) |
| type | string | No | account_information | Authorization details type (the RAR `type` field, not an OAuth grant type) |

dto.OAuthErrorResponse

OAuth standard error response

| Field | Type | Required | Example | Description |
|---|---|---|---|---|
| error | string | No | invalid_request | Error code |
| error_description | string | No | Missing required parameter | Error description |
| error_uri | string | No | https://docs.example.com/errors | Error URI |
| state | string | No | state-123 | OAuth state value echoed from the request, if one was sent |

dto.OAuthTokenResponse

OAuth token response

| Field | Type | Required | Example | Description |
|---|---|---|---|---|
| access_token | string | No | eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... | Access token |
| authorization_details | array of dto.AuthorizationDetailDTO | No | | RAR authorization details |
| dpop_access_token_bound | boolean | No | | Whether the access token is DPoP-bound (RFC 9449) |
| dpop_signing_alg | string | No | | DPoP signing algorithm (RFC 9449) |
| expires_in | integer | No | 3600 | Access token lifetime in seconds |
| id_token | string | No | eyJhbGci... | OIDC ID token |
| refresh_token | string | No | rt_abc123 | Refresh token |
| scope | string | No | openid profile email | Granted scope |
| token_type | string | No | Bearer | Token type; `Bearer`, or `DPoP` when the token is DPoP-bound (RFC 9449) |