Token Exchange
Exchange an OIDC id_token issued by a configured external provider for a nominative Prisme access token, without any browser redirect. Intended for native/mobile or headless clients that already authenticated against their IdP. Loosely follows RFC 8693.
The target provider must have config.allowTokenExchange = true. The subject_token signature is verified against the provider JWKS, its aud claim must match the provider client_id, and, when an issuer is configured, its iss claim must match that issuer. The user is then matched or provisioned exactly as in the browser callback (POST /v2/login/callback).
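The checks described above, sketched as an added example (not Prisme.ai's own code) using only Node's built-in crypto module. The function names, the provider object shape (config.client_id, config.issuer), the RS256 pinning and the exp check are assumptions for illustration; the key, JWKS and token are constructed fixtures.

```javascript
// Added illustration, not Prisme.ai source. Field and function names are assumptions.
const crypto = require('node:crypto');
const ID_TOKEN_TYPE = 'urn:ietf:params:oauth:token-type:id_token';
const b64u = (x) => Buffer.from(x).toString('base64url');

// Validate a subject_token for a provider configured as the page describes.
function verifyIdToken(token, tokenType, provider, jwks, now = Math.floor(Date.now() / 1000)) {
  if (provider.config.allowTokenExchange !== true) throw new Error('token exchange disabled');
  if (tokenType !== ID_TOKEN_TYPE) throw new Error('unsupported subject_token_type');
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const header = JSON.parse(Buffer.from(parts[0], 'base64url'));
  // Pin the algorithm server-side; the token's "alg" must not choose the verifier.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const jwk = jwks.keys.find((k) => k.kty === 'RSA' && k.kid === header.kid);
  if (!jwk) throw new Error('unknown signing key');
  const key = crypto.createPublicKey({ key: jwk, format: 'jwk' });
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  if (!crypto.verify('RSA-SHA256', signed, key, Buffer.from(parts[2], 'base64url'))) {
    throw new Error('bad signature');
  }
  // Claims are read only after the signature has been verified.
  const claims = JSON.parse(Buffer.from(parts[1], 'base64url'));
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(provider.config.client_id)) throw new Error('aud mismatch');
  if (provider.config.issuer && claims.iss !== provider.config.issuer) throw new Error('iss mismatch');
  // Standard OIDC expiry check; not stated on the page.
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('token expired');
  return claims;
}

// Constructed fixtures: a throwaway IdP key pair, its JWKS, and a token signer.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const sampleJwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'k1' }] };
const sampleProvider = {
  config: { allowTokenExchange: true, client_id: 'mobile-app', issuer: 'https://idp.example' },
};
function signSample(claims, header = { alg: 'RS256', kid: 'k1' }) {
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(input), privateKey);
  return `${input}.${sig.toString('base64url')}`;
}
```

The aud check is what stops an id_token minted for a different client of the same IdP from being exchanged here.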
Body
Slug of the configured external auth provider.
The id_token (JWT) issued by the external provider.
Token type, per RFC 8693. Only urn:ietf:params:oauth:token-type:id_token is supported.
Optional, for RFC 8693 compatibility. When provided, it must be urn:ietf:params:oauth:grant-type:token-exchange.
Optional session expiration, in seconds.
Response
Success Response
Name
"foo@prisme.ai"
pending, validated, deactivated totp, none, * Name
Profile picture URL
Organization membership info (only returned when includeOrgMembership is set)
Unique id