The token endpoint can be used by the client to make a token exchange request to the PingOne authorization server by presenting its authorization grant, its token, and the token type. For a token exchange operation, the grant_type must be set to urn:ietf:params:oauth:grant-type:token-exchange.

The subject_token property value is the gateway credential returned by the PingOne gateway service. For more information, see Gateway Credentials.

The PingOne authorization server’s token endpoint responds to a successful token exchange request by issuing an access token that allows the requesting client access to PingOne resources.

Note: Any valid gateway credential can be exchanged for an access token. The access token returned by the exchange will have a five-minute time to live.

Prerequisites

See OpenID Connect/OAuth 2 and Token for important overview information.
Run Create Gateway Credential to generate a gatewayCredential. Run Read All Gateway Credentials to find an existing credential.

Request model

Property	Type	Required?
`subject_token_type`	String	Required
`subject_token`	String	Required
`grant_type`	String	Required

See the OpenID Connect/OAuth2 data model for full property descriptions.