Exchange an identity provider-signed token for a State Backed token

POST /tokens

Once you have configured at least one identity provider (by posting to /idps) and at least one token provider (by posting to /token-providers), you can exchange any identity provider token for a token generated by one of your token providers.

This allows you to have completely secure, end-to-end authorization with your State Backed machine instances without any server-side code while using your identity provider of choice.

This endpoint should generally conform to



Exchange an identity provider-signed token for a State Backed token.

  • grant_type string Required

    The type of grant being requested

    Value is urn:ietf:params:oauth:grant-type:token-exchange.

  • audience string Required

    Identifies the token provider service to use to generate the token.

    Must be of the form:<your-org-id>/<token-provider-service-id>

    Where your-org-id can be found via smply orgs list and token-provider-service-id is the service that you passed in your post to /token-providers.

  • The type of token being requested

    Value is urn:ietf:params:oauth:token-type:access_token.

  • subject_token string Required

    A JWT signed by one of your configured identity providers (based on configurations posted to /idps)


  • 200

    Your State Backed token

    Hide response attributes Show response attributes object
POST /tokens
curl \
 -X POST \
 -H "Content-Type: application/x-www-form-urlencoded" \
 -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange&'
Request example
  "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
  "audience": "",
  "requested_token-type": "urn:ietf:params:oauth:token-type:access_token",
  "subject_token": "string"
Response examples (200)
  "access_token": "string",
  "issued_token_type": "urn:ietf:params:oauth:token-type:access_token",
  "token_type": "Bearer"