> ## Documentation Index
> Fetch the complete documentation index at: https://stytch.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Exchange ID-JAG (Cross App Access)

> Exchange an ID-JAG token from a workforce identity provider for a Connected Apps access token using the Cross App Access (XAA) Flow.

This endpoint uses your [Custom Domain](/connected-apps/resources/custom-domains).

The `urn:ietf:params:oauth:grant-type:jwt-bearer` grant type is used to complete a [Cross App Access (XAA) Flow](/connected-apps/guides/cross-app-access) without user interaction. The Connected App presents an ID-JAG token issued by the user's workforce identity provider, and Stytch exchanges it for an access token scoped to the resolved member.

This grant type requires a **confidential** client — public clients are not supported.

Stytch resolves the member from the ID-JAG token's `sub` claim by checking for an OIDC member registration with a matching `provider_subject` on the same connection, falling back to matching the member's `external_id`.

Connected App [**Access Tokens**](/api-reference/b2b/api/connected-apps/tokens/connected-app-access-token-object) are JWTs signed with the project's [JWKS](/api-reference/b2b/api/connected-apps/configuration/get-jwks). Access Token expiry is controlled by the client's `access_token_expiry_minutes` field, which defaults to one hour.

You can validate and examine your access tokens by using the [Token Introspection Endpoint](/api-reference/b2b/api/connected-apps/methods/introspect-token).

Access token JWTs can be validated locally by using a [Stytch Backend SDK](/api-reference/b2b/api/connected-apps/methods/authenticate-access-token-local), or any library that supports the JWT protocol.

<Note>
  Unlike other Stytch API endpoints, this endpoint is not authenticated with a `project_id` and `project_secret` pair. Instead, it is authenticated via the `client_id` and `client_secret` of an active Connected App Client within the current project.
</Note>

This endpoint is an [RFC-6749](https://datatracker.ietf.org/doc/html/rfc6749#section-4.4) compliant token issuing endpoint.

* This endpoint supports passing the `client_id` and `client_secret` within the request body as well as within a [HTTP-Basic Auth](https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1) header.
* This endpoint supports both `application/json` and `application/x-www-form-urlencoded` content types.

<Info>
  We recommend using the [Custom Domain](/connected-apps/resources/custom-domains) whenever possible. For backwards compatibility reasons, this endpoint is also available at `https://test.stytch.com/v1/public/${projectId}/oauth2/token`.
</Info>

## Body

<ParamField body="client_id" type="string" required>
  The ID of the Connected App client.
</ParamField>

<ParamField body="client_secret" type="string" required>
  The secret of the Connected App client.
</ParamField>

<ParamField body="grant_type" type="string" required>
  Must be `urn:ietf:params:oauth:grant-type:jwt-bearer`.
</ParamField>

<ParamField body="assertion" type="string" required>
  The ID-JAG token issued by the workforce identity provider. This must be a signed JWT with `typ: "oauth-id-jag+jwt"` in the header.
</ParamField>

<ParamField body="scope" type="string">
  A space-delimited list of scopes requested for the access token. Scopes are validated against the member's RBAC roles. Generic scopes like `openid`, `email`, and `profile` are always grantable.
</ParamField>

## Response

<ResponseField name="access_token" type="string">
  The access token granted to the client. Access tokens are JWTs signed with the project's JWKS.
</ResponseField>

<ResponseField name="token_type" type="string">
  The type of the returned access token. Today, this value will always be equal to "bearer".
</ResponseField>

<ResponseField name="expires_in" type="number">
  The lifetime in seconds of the access token. For example, the value 3600 denotes that the access token will expire in one hour from the time the response was generated.
</ResponseField>

<ResponseField name="scope" type="string">
  The scopes granted in the access token. This may be a subset of the requested scopes if the member's RBAC roles do not permit all requested scopes.
</ResponseField>

<ResponseField name="request_id" type="string">
  Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we
  may ask for this value to help identify a specific API call when helping you debug an issue.
</ResponseField>

<ResponseField name="status_code" type="number">
  The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values
  equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
</ResponseField>

<Panel>
  <RequestExample>
    ```curl theme={null}
    curl --request POST \
      --url https://${projectDomain}/v1/oauth2/token \
      -H 'Content-Type: application/json' \
      -d '{
        "client_id": "${exampleConnectedAppClientID}",
        "client_secret": "${exampleConnectedAppClientSecret}",
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "assertion": "eyJhbGciOiJSUzI1NiIsInR5cCI6Im9hdXRoLWlkLWphZytqd3QiLCJraWQiOiJrZXktMSJ9..."
      }'

    ```
  </RequestExample>

  <ResponseExample>
    ```json 200 theme={null}
    {
      "access_token": "eyJ...",
      "expires_in": 3600,
      "scope": "openid email profile",
      "token_type": "bearer",
      "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
      "status_code": 200
    }
    ```

    ```json 400 theme={null}
    {
      "status_code": 400,
      "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
      "error": "invalid_request",
      "error_description": "ID-JAG token subject does not correspond to an active member"
    }
    ```

    ```json 400 theme={null}
    {
      "status_code": 400,
      "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
      "error": "invalid_grant",
      "error_description": "ID-JAG issuer does not correspond to any configured OIDC connection"
    }
    ```

    ```json 400 theme={null}
    {
      "status_code": 400,
      "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
      "error": "invalid_client",
      "error_description": "jwt-bearer grants require a confidential client"
    }
    ```
  </ResponseExample>
</Panel>
