The token endpoint can be used by the client to make a token exchange request to the PingOne authorization server by presenting its authorization grant, its token, and the token type. For a token exchange operation, the grant_type must be set to urn:ietf:params:oauth:grant-type:token-exchange.

The subject_token property value is the gateway credential returned by the PingOne gateway service. For more information, see Gateway Credentials.

The PingOne authorization server’s token endpoint responds to a successful token exchange request by issuing an access token that allows the requesting client access to PingOne resources.

Supported parameters for the token exchange request are:

Property Description
subject_token_type A string that specifies the type of the security token provided in the subject_token property. This is a required property. Options are pingone_gateway_credential.
subject_token A string that specifies the security token that represents the identity of the PingFederate cluster (or other client type) that requires access to PingOne services. This is a required property.
grant_type A string that specifies the grant type of the token request. For token exchange, options are urn:ietf:params:oauth:grant-type:token-exchange. This is a required property