The token endpoint can be used by the client to make a token exchange request to the PingOne authorization server by presenting its authorization grant, its token, and the token type. For a token exchange operation, the grant_type must be set to urn:ietf:params:oauth:grant-type:token-exchange.

The subject_token property value is the gateway credential returned by the PingOne gateway service. For more information, see Gateway Credentials.

The PingOne authorization server’s token endpoint responds to a successful token exchange request by issuing an access token that allows the requesting client access to PingOne resources.

Note: Any valid gateway credential can be exchanged for an access token. The access token returned by the exchange will have a five-minute time to live.

Supported parameters for the token exchange request are:

Property	Description
`subject_token_type`	A string that specifies the type of the security token provided in the `subject_token` property. This is a required property. Options are `pingone_gateway_credential`.
`subject_token`	A string that specifies the security token that represents the identity of the PingFederate cluster (or other client type) that requires access to PingOne services. This is a required property.
`grant_type`	A string that specifies the grant type of the token request. For token exchange, options are `urn:ietf:params:oauth:grant-type:token-exchange`. This is a required property