Token exchange

OAuth 2.0 Token Exchange is an extension to OAuth 2.0 that allows IBM Security Verify SaaS to act as a Security Token Service. This mechanism allows trusted services or clients to obtain and exchange tokens securely. Token exchange is particularly useful when a service or application needs to acquire a different type of token or a token with specific privileges to access to resource or perform an action. Learn about the concepts here if this is the first time you are exploring OAuth 2.0 Token Exchange or need a refresher.

You can explore this further with a few example guides.

Admin configuration

To use token exchange, you will need to minimally create an OAuth client instance either as an application or STS client. In addition, custom tokens can be defined. Before diving into the guides, the following sections will help you navigate the admin console.

Token types

At the heart of token exchange are the security token types that are used. Verify supports the following token types out-of-the-box:

  • urn:ietf:params:oauth:token-type:access_token is the identifier used for the access token issued by the Verify tenant.
  • urn:ietf:params:oauth:token-type:refresh_token is the identifier used for the refresh token issued by the Verify tenant.
  • urn:ietf:params:oauth:token-type:id_token is the identifier used for the OIDC ID token issued by the Verify tenant.
  • urn:x-oath:params:oauth:token-type:device-secret is the identifier used for the actor token used in the Native App SSO flow.

In addition to this, Verify supports the creation of a custom JSON Web Token (JWT) type. This can be used to exchange third-party issued tokens for Verify tokens.


Application clients

You can enable the token exchange grant flow in an application using the OpenID Connect app connector. You can find this connector in the application catalog.


Applications provide more flexibility to choose different grant types and configure user entitlements for access control.

STS clients

If you need a simpler client that has requires no specific user entitlements and is only expected to use the OAuth 2.0 Token Exchange grant flow, you can create an STS client. For example, an API gateway or service that needs to exchange a token can use a STS client.



Several guides are available as sub-topics and you can view them at a glance here.


The impersonation mode for token exchange is described here.

Exchange external user token for access tokenExchange a third-party issued identity token (JWT) for a Verify tenant-issued access token.


Vivek Shankar, IBM Security