OAuth 2.0

Token Exchange — Delegation

Demonstrating RFC 8693 Token Exchange for delegation. A frontend passes a token to an API, which exchanges it to call a downstream service, building a chain of custody using nested 'act' claims.

RFC 8693

POST https://api.example.com/payments/checkout200

The user (Alice) initiates an action from the Frontend Application. The Frontend sends a standard OAuth 2.0 Access Token to the Payment API.

1 / 4

speed

Step 1: POST /checkout

Request / response

POSThttps://api.example.com/payments/checkout

AuthorizationOAuth?

Bearer eyJ0eXAiOiJhdCtqd3QiLCJhbGciOiJIUzI1NiJ9...

Content-Type?

application/json

Body

{
  "cart_id": "12345"
}

Frontend Access Tokenat+jwt

Header

{"typ"?Token type identifier. aa-agent+jwt = Agent Token, aa-resource+jwt = Resource Token, aa-auth+jwt = Auth Token:"at+jwt",
"alg":"HS256"
}

Payload

{"iss"?Issuer — who created and signed this token:"https://auth.example.com",
"sub"?Subject — who or what the token is about:"alice",
"aud"?Audience — which party should accept this token:"payment_api",
"exp"?Expiration — Unix timestamp after which the token is invalid:1562266216,
"iat"?Issued At — Unix timestamp when the token was created:1562262616
}

sig: mock_sig…