OAuth Token Exchange (RFC 8693) is a grant type (urn:ietf:params:oauth:grant-type:token-exchange) that lets a service present an existing security token at the token endpoint and receive a new one with a different audience, a narrower scope, or an explicit delegation context. It covers two core patterns: impersonation, where the downstream service sees only the original user, and delegation, where both the user and the acting service are preserved in the issued token (the actor is recorded in the `act` claim). Key use cases include microservice request chains, AI agent delegation, and cross-domain federation. The post covers how the token endpoint request works, optional parameters such as `audience` and `actor_token`, security best practices (scope reduction, client authentication, explicit multi-hop policy, deliberate revocation), and a concrete implementation example using Descope with Skyflow for MCP servers. Delegation is recommended over impersonation in agentic contexts because it keeps the full chain of actors auditable.
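The token-endpoint exchange summarized above, worked through as an added example that is not code from the original post, from Descope, or from Skyflow: a minimal authorization-server handler that authenticates the client, verifies the subject token, refuses audiences the client is not registered for, only ever narrows scope, caps the lifetime of the exchanged token, and records the acting service in an `act` claim when an `actor_token` is supplied (nesting any earlier `act` so multi-hop chains stay auditable). The HS256 shared key, the ISSUER URL, the client registry, and the service names are constructed assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example: one HMAC key shared by issuer and resource servers.
# A real deployment would sign with an asymmetric key published via JWKS.
SIGNING_KEY = b"example-hs256-key-do-not-use-in-production"
ISSUER = "https://as.example.com"  # hypothetical authorization server
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
JWT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt"
MAX_LIFETIME = 300  # seconds; exchanged tokens are deliberately short-lived

# Hypothetical client registry: who may exchange, and for which downstream audiences.
CLIENTS = {
    "orders-svc": {"secret": "orders-secret", "allowed_audiences": {"inventory-svc"}},
    "inventory-svc": {"secret": "inventory-secret", "allowed_audiences": {"billing-svc"}},
}


class ExchangeError(Exception):
    """Carries an RFC 6749 / RFC 8693 error code for the JSON error response."""

    def __init__(self, error, description):
        super().__init__(f"{error}: {description}")
        self.error = error


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_encode(claims: dict) -> str:
    """Minimal HS256 JWT encoder with no external dependency."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def jwt_decode(token: str, now: float) -> dict:
    """Verify signature and expiry, then return the claims."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise ExchangeError("invalid_grant", "malformed token")
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ExchangeError("invalid_grant", "bad signature")
    claims = json.loads(_unb64url(payload))
    if claims.get("exp", 0) <= now:
        raise ExchangeError("invalid_grant", "token expired")
    return claims


def token_exchange(form: dict, client_id: str, client_secret: str, now=None) -> dict:
    """Handle one token-exchange request and return the RFC 8693 success response."""
    now = time.time() if now is None else now
    # 1. Client authentication: anonymous exchange is never accepted.
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        raise ExchangeError("invalid_client", "client authentication failed")
    if form.get("grant_type") != TOKEN_EXCHANGE_GRANT:
        raise ExchangeError("unsupported_grant_type", "expected the token-exchange grant")
    if form.get("subject_token_type") != JWT_TOKEN_TYPE:
        raise ExchangeError("invalid_request", "unsupported subject_token_type")
    subject = jwt_decode(form["subject_token"], now)
    # 2. Explicit per-hop policy: the client may only target registered audiences.
    audience = form.get("audience")
    if audience not in client["allowed_audiences"]:
        raise ExchangeError("invalid_target", f"{client_id} may not mint tokens for {audience!r}")
    # 3. Scope reduction: the new token may carry a subset of the subject's scope, never more.
    subject_scopes = set(subject.get("scope", "").split())
    requested = set(form.get("scope", "").split()) or subject_scopes
    if not requested <= subject_scopes:
        raise ExchangeError("invalid_scope", "exchange may narrow scope, never widen it")
    claims = {
        "iss": ISSUER,
        "sub": subject["sub"],
        "aud": audience,
        "scope": " ".join(sorted(requested)),
        "iat": int(now),
        "exp": int(min(subject["exp"], now + MAX_LIFETIME)),  # never outlive the subject token
    }
    # 4. Delegation: an actor_token turns impersonation into an auditable act chain.
    if "actor_token" in form:
        if form.get("actor_token_type") != JWT_TOKEN_TYPE:
            raise ExchangeError("invalid_request", "unsupported actor_token_type")
        actor = jwt_decode(form["actor_token"], now)
        if actor.get("sub") != client_id:
            raise ExchangeError("invalid_grant", "actor_token must identify the authenticated client")
        act = {"sub": actor["sub"]}
        if "act" in subject:  # preserve the earlier hop(s) by nesting them
            act["act"] = subject["act"]
        claims["act"] = act
    return {
        "access_token": jwt_encode(claims),
        "issued_token_type": JWT_TOKEN_TYPE,
        "token_type": "Bearer",
        "expires_in": claims["exp"] - claims["iat"],
        "scope": claims["scope"],
    }
```

Omitting `actor_token` yields an impersonation token (no `act` claim, so the downstream service sees only the user); supplying it yields a delegation token, and exchanging that token again at the next hop nests the previous actor inside the new `act`, which is what makes the chain auditable. The audience allow-list per client is the "explicit multi-hop policy" from the summary: without it, any service holding a user token could mint itself a token for any other service.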
Table of contents
How OAuth Token Exchange works
OAuth Token Exchange impersonation vs. delegation
OAuth Token Exchange use cases
Token exchange in agentic identity
Best practices and security considerations
Implementation example of OAuth Token Exchange
The value of OAuth Token Exchange in modern identity
FAQs about OAuth Token Exchange