Skip to main content
To use Custom Token Exchange, make a POST request to the /oauth/token endpoint with the following parameters:
Remember that subject and actor tokens used with Custom Token Exchange can be any token format or type, as long as your Action code can interpret them. You must implement strong validation of the tokens you receive and accept. If you fail to do so, you open yourself up to different attack vectors, such as spoofing or replay attacks, resulting in bad actors being able to authenticate with someone else’s user ID or acting on their behalf in an unauthorized manner.Each subject_token_type maps to a Custom Token Exchange Profile and is associated with an Action that will be executed to control that transaction.
When an actor is set for the transaction, refresh tokens are not issued regardless of requested scopes. The offline_access scope is excluded from the response. This is by design: delegated tokens should not outlive the immediate exchange, ensuring that each subsequent access request goes through the CTE Action’s authorization logic to re-validate the delegation.Your CTE Action is responsible for securely validating the actor_token by applying the same rigor (e.g., cryptographic signature verification) as you would for the subject_token. When actor_token_type is urn:ietf:params:oauth:token-type:id_token, Auth0 performs this validation automatically.
Other extension parameters not listed above are included in the event.request.body in the corresponding Action.

Sample request

Sample request with actor token

When performing a delegated authorization exchange, include actor_token and actor_token_type: