POST request to the /oauth/token endpoint with the following parameters:
Remember that subject and actor tokens used with Custom Token Exchange can be any token format or type, as long as your Action code can interpret them. You must implement strong validation of the tokens you receive and accept. If you fail to do so, you open yourself up to different attack vectors, such as spoofing or replay attacks, resulting in bad actors being able to authenticate with someone else’s user ID or acting on their behalf in an unauthorized manner.Each
subject_token_type maps to a Custom Token Exchange Profile and is associated with an Action that will be executed to control that transaction.When an actor is set for the transaction, refresh tokens are not issued regardless of requested scopes. The
offline_access scope is excluded from the response. This is by design: delegated tokens should not outlive the immediate exchange, ensuring that each subsequent access request goes through the CTE Action’s authorization logic to re-validate the delegation.Your CTE Action is responsible for securely validating the actor_token by applying the same rigor (e.g., cryptographic signature verification) as you would for the subject_token. When actor_token_type is urn:ietf:params:oauth:token-type:id_token, Auth0 performs this validation automatically.event.request.body in the corresponding Action.
Sample request
Sample request with actor token
When performing a delegated authorization exchange, includeactor_token and actor_token_type: