Exchange ID-JAG (Cross App Access)

curl --request POST \
  --url https://${projectDomain}/v1/oauth2/token \
  -H 'Content-Type: application/json' \
  -d '{
    "client_id": "${exampleConnectedAppClientID}",
    "client_secret": "${exampleConnectedAppClientSecret}",
    "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
    "assertion": "eyJhbGciOiJSUzI1NiIsInR5cCI6Im9hdXRoLWlkLWphZytqd3QiLCJraWQiOiJrZXktMSJ9..."
  }'

{
  "access_token": "eyJ...",
  "expires_in": 3600,
  "scope": "openid email profile",
  "token_type": "bearer",
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "status_code": 200
}

curl --request POST \
  --url https://${projectDomain}/v1/oauth2/token \
  -H 'Content-Type: application/json' \
  -d '{
    "client_id": "${exampleConnectedAppClientID}",
    "client_secret": "${exampleConnectedAppClientSecret}",
    "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
    "assertion": "eyJhbGciOiJSUzI1NiIsInR5cCI6Im9hdXRoLWlkLWphZytqd3QiLCJraWQiOiJrZXktMSJ9..."
  }'

{
  "access_token": "eyJ...",
  "expires_in": 3600,
  "scope": "openid email profile",
  "token_type": "bearer",
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "status_code": 200
}

curl --request POST \
  --url https://${projectDomain}/v1/oauth2/token \
  -H 'Content-Type: application/json' \
  -d '{
    "client_id": "${exampleConnectedAppClientID}",
    "client_secret": "${exampleConnectedAppClientSecret}",
    "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
    "assertion": "eyJhbGciOiJSUzI1NiIsInR5cCI6Im9hdXRoLWlkLWphZytqd3QiLCJraWQiOiJrZXktMSJ9..."
  }'

{
  "access_token": "eyJ...",
  "expires_in": 3600,
  "scope": "openid email profile",
  "token_type": "bearer",
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "status_code": 200
}

POST

oauth2

token

curl --request POST \
  --url https://${projectDomain}/v1/oauth2/token \
  -H 'Content-Type: application/json' \
  -d '{
    "client_id": "${exampleConnectedAppClientID}",
    "client_secret": "${exampleConnectedAppClientSecret}",
    "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
    "assertion": "eyJhbGciOiJSUzI1NiIsInR5cCI6Im9hdXRoLWlkLWphZytqd3QiLCJraWQiOiJrZXktMSJ9..."
  }'

{
  "access_token": "eyJ...",
  "expires_in": 3600,
  "scope": "openid email profile",
  "token_type": "bearer",
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "status_code": 200
}

This endpoint uses your Custom Domain. The urn:ietf:params:oauth:grant-type:jwt-bearer grant type is used to complete a Cross App Access (XAA) Flow without user interaction. The Connected App presents an ID-JAG token issued by the user’s workforce identity provider, and Stytch exchanges it for an access token scoped to the resolved member. This grant type requires a confidential client — public clients are not supported. Stytch resolves the member from the ID-JAG token’s sub claim by checking for an OIDC member registration with a matching provider_subject on the same connection, falling back to matching the member’s external_id. Connected App Access Tokens are JWTs signed with the project’s JWKS. Access Token expiry is controlled by the client’s access_token_expiry_minutes field, which defaults to one hour. You can validate and examine your access tokens by using the Token Introspection Endpoint. Access token JWTs can be validated locally by using a Stytch Backend SDK, or any library that supports the JWT protocol.

Unlike other Stytch API endpoints, this endpoint is not authenticated with a project_id and project_secret pair. Instead, it is authenticated via the client_id and client_secret of an active Connected App Client within the current project.

This endpoint is an RFC-6749 compliant token issuing endpoint.

This endpoint supports passing the client_id and client_secret within the request body as well as within a HTTP-Basic Auth header.
This endpoint supports both application/json and application/x-www-form-urlencoded content types.

We recommend using the Custom Domain whenever possible. For backwards compatibility reasons, this endpoint is also available at https://test.stytch.com/v1/public/${projectId}/oauth2/token.

Body

client_id

string

required

The ID of the Connected App client.

client_secret

string

required

The secret of the Connected App client.

grant_type

string

required

Must be urn:ietf:params:oauth:grant-type:jwt-bearer.

assertion

string

required

The ID-JAG token issued by the workforce identity provider. This must be a signed JWT with typ: "oauth-id-jag+jwt" in the header.

scope

string

A space-delimited list of scopes requested for the access token. Scopes are validated against the member’s RBAC roles. Generic scopes like openid, email, and profile are always grantable.

Response

access_token

string

The access token granted to the client. Access tokens are JWTs signed with the project’s JWKS.

token_type

string

The type of the returned access token. Today, this value will always be equal to “bearer”.

expires_in

number

The lifetime in seconds of the access token. For example, the value 3600 denotes that the access token will expire in one hour from the time the response was generated.

scope

string

The scopes granted in the access token. This may be a subset of the requested scopes if the member’s RBAC roles do not permit all requested scopes.

request_id

string

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

status_code

number

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.

⌘I

​Body

​Response

Body

Response