> ## Documentation Index
> Fetch the complete documentation index at: https://docs-dev-docs-event-stream-action-templates.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Get Token

> Exchange a pre-existing identity token for an Auth0 token using the Custom Token Exchange grant.

export const ResponseSchema = ({statusCode, type = "{}", children}) => {
  const [open, setOpen] = useState(false);
  return <div className="border border-gray-100 dark:border-gray-800 rounded-lg mb-3 overflow-hidden">
      <div className={`flex items-center gap-2.5 px-4 py-2.5 cursor-pointer select-none ${open ? "bg-gray-50 dark:bg-gray-800" : ""}`} onClick={() => setOpen(!open)}>
        {statusCode && <span className="border border-gray-300 dark:border-gray-600 text-gray-700 dark:text-gray-300 font-mono text-xs px-1.5 py-0.5 rounded">
            {statusCode.startsWith("default") ? "default" : statusCode}
          </span>}
        <span className="text-gray-500 dark:text-gray-400 text-sm font-mono">
          {type}
        </span>
        <span className="text-gray-400 dark:text-gray-500 text-sm italic">
          application/json
        </span>
        <svg className={`ml-auto opacity-50 transition-transform duration-200 ${open ? "rotate-180" : ""}`} width="16" height="16" viewBox="0 0 16 16" fill="none">
          <path d="M4 6l4 4 4-4" stroke="currentColor" strokeWidth="1.5" strokeLinecap="round" strokeLinejoin="round" />
        </svg>
      </div>
      {open && <div className="px-4 pt-1 pb-3 border-t border-gray-100 dark:border-gray-800">
          {children}
        </div>}
    </div>;
};

## Endpoint

`POST /oauth/token`

Custom Token Exchange (CTE) provides a mechanism for applications to exchange pre-existing identity tokens for Auth0 tokens by invoking the `/oauth/token` endpoint, adhering to the specifications of [RFC 8693](https://datatracker.ietf.org/doc/html/rfc8693). This functionality is instrumental in addressing advanced integration requirements, such as exchanging existing Auth0 tokens to access another audience on behalf of the same user, facilitating the integration of external identity providers, or enabling seamless user migration into the Auth0 platform. The exchange process is fully governable, as developers can control its details using their custom logic running in a dedicated Auth0 Action for the associated use case.

<Note>
  Custom Token Exchange is currently available in Early Access. By using this feature, you agree to the applicable Free Trial terms in [Okta’s Master Subscription Agreement](https://www.okta.com/legal/). It is your responsibility to securely validate the user's `subject_token`. See the [User Guide](https://auth0.com/docs/authenticate/custom-token-exchange) for more details.
</Note>

### Remarks

* The scopes issued to the application may differ from the scopes requested. In this case, a scope parameter will be included in the response JSON. Scopes are filtered out as explained in [API Access Policies for Applications](https://auth0.com/docs/ja-jp/get-started/apis/api-access-policies-for-applications)

* The `subject_token_type` must correspond to an existing Custom Token Exchange Profile and an associated [Action](https://auth0.com/docs/customize/actions).

* For non-confidential applications that cannot keep the Client Secret safe (for example, native apps), the endpoint supports passing no Client Secret but the application itself must have the property `tokenEndpointAuthMethod` set to `none`. You can do this either from the UI (**Dashboard > Applications > Application Settings**) or using the Management API.

* You have to [Enable Custom Token Exchange for your application](https://auth0.com//docs/authenticate/custom-token-exchange/configure-custom-token-exchange#enable-custom-token-exchange-for-your-application). To learn more, read the [Custom Token Exchange documentation](https://auth0.com/docs/authenticate/custom-token-exchange).

* `actor_token` and `actor_token_type` must both be present or both absent. Providing only one returns a `400` error with code `invalid_request`.

* When `actor_token` is present, refresh tokens are not issued. The `offline_access` scope is excluded from the response.

* MFA is not compatible with transactions where an actor is set via `setActor()`. If MFA is required and the Custom Token Exchange Action sets an actor, the request returns a `400` error: `MFA is not supported using actor_token with the requested token exchange profile.`

* When the Action calls `setActor()`, issued access tokens and ID tokens include an `act` claim representing the [delegation chain](/docs/secure/call-apis-on-users-behalf/on-behalf-of-token-exchange#the-act-claim). The `act` claim is also included in the userinfo response.

## Headers

<ParamField header="DPoP" type="string">
  A DPoP proof for the request. This is optional and only required if your application uses Demonstrating Proof-of-Possession.
</ParamField>

<ParamField header="auth0-forwarded-for" type="string">
  End-user IP as a string value. Set this if you want Suspicious IP Throttling protection to work in server-side scenarios.
</ParamField>

## Body Parameters

<ParamField body="grant_type" type="string" required>
  Denotes the flow you are using. For Custom Token Exchange, use `urn:ietf:params:oauth:grant-type:token-exchange`.

  Allowed values: `urn:ietf:params:oauth:grant-type:token-exchange`
</ParamField>

<ParamField body="subject_token_type" type="string" required>
  The type of the subject token. For Custom Token Exchange, this can be any URI scoped under your own ownership, such as `http://acme.com/legacy-token` or `urn:acme:legacy-token`. The following namespaces are reserved and cannot be used: `http://auth0.com`, `https://auth0.com`, `http://okta.com`, `https://okta.com`, `urn:ietf`, `urn:auth0`, `urn:okta`.
</ParamField>

<ParamField body="subject_token" type="string" required>
  The subject token, which your action should validate and use to identify the user.
</ParamField>

<ParamField body="client_id" type="string" required>
  Your application's Client ID. As for other grant types, you can also pass the client ID in the Authorization header using HTTP Basic Auth.
</ParamField>

<ParamField body="client_secret" type="string">
  (Optional) Your application's Client Secret. As for other grant types, you can also pass the client secret in the Authorization header using HTTP Basic Auth. Other alternatives are also available as explained in [Auth0 Authentication API reference docs](https://auth0.com/docs/api/authentication#authentication-methods). Because Custom Token Exchange can be used by public applications, read [Attack Protection](https://auth0.com/docs/authenticate/custom-token-exchange/cte-attack-protection) to implement additional security.
</ParamField>

<ParamField body="audience" type="string">
  (Optional) The unique identifier of the target API you want to access. The default tenant audience will be used when not present, as configured in [Tenant Settings](https://auth0.com/docs/get-started/tenant-settings).
</ParamField>

<ParamField body="resource" type="string">
  (Optional) The identifier of the target API (resource server) you want to access. Must match an API Identifier registered in your Auth0 tenant. Used as an alternative to `audience` when the tenant's [Resource Parameter Compatibility Profile](https://auth0.com/docs/get-started/tenant-settings#settings-advanced) is set to `compatibility`.
</ParamField>

<ParamField body="scope" type="string">
  (Optional) The OAuth2 scope parameter.
</ParamField>

<ParamField body="organization" type="string">
  (Optional) The organization or identifier with which you want the request to be associated. Alternatively, you can specify an organization name if [Use Organization Names in Authentication API](https://auth0.com/docs/manage-users/organizations/configure-organizations/use-org-name-authentication-api) is specified.
</ParamField>

<ParamField body="actor_token" type="string">
  (Optional) A token identifying the actor performing delegation on behalf of the subject user. Must be provided together with `actor_token_type`. When present, refresh tokens will not be issued.
</ParamField>

<ParamField body="actor_token_type" type="string">
  (Optional) The type of the actor token. Must be provided together with `actor_token`. For Auth0 ID tokens, use `urn:ietf:params:oauth:token-type:id_token` for automatic server-side validation (signature, expiry, issuer, user lookup). For other values, follow the same namespace restrictions as `subject_token_type`.
</ParamField>

## Response Schema

<ResponseSchema>
  <ResponseField name="access_token" type="string">
    The access token.
  </ResponseField>

  <ResponseField name="refresh_token" type="string">
    The refresh token.
  </ResponseField>

  <ResponseField name="id_token" type="string">
    The ID token.
  </ResponseField>

  <ResponseField name="token_type" type="string">
    The type of token.
  </ResponseField>

  <ResponseField name="issued_token_type" type="string">
    The issued token type.
  </ResponseField>

  <ResponseField name="expires_in" type="integer">
    The access token lifetime in seconds.
  </ResponseField>
</ResponseSchema>

## Response Messages

| Status | Description         |
| ------ | ------------------- |
| 200    | Successful response |