Exchanges a credential for a Google OAuth 2.0 access token.
The token asserts an external identity within a workload identity pool, or it applies a Credential Access Boundary to a Google access token.
HTTP request
POST https://sts.googleapis.com/v1beta/token
The URL uses gRPC Transcoding syntax.
Request body
The request body contains data with the following structure:
JSON representation

```json
{
  "grantType": string,
  "audience": string,
  "scope": string,
  "requestedTokenType": string,
  "subjectToken": string,
  "subjectTokenType": string,
  "options": string
}
```
Fields

grantType
Required. The grant type. Must be

audience
The full resource name of the identity provider. For example,

scope
The OAuth 2.0 scopes to include on the resulting access token, formatted as a list of space-delimited, case-sensitive strings. Required when exchanging an external credential for a Google access token.

requestedTokenType
Required. The type of security token. Must be

subjectToken
Required. The input token. This token is either an external credential issued by a workload identity pool provider, or a short-lived access token issued by Google. If the token is an OIDC JWT, it must use the JWT format defined in RFC 7523, and the
The following headers are required:
The following payload fields are required. For more information, see RFC 7523, Section 3:
Example header:
Example payload:
If The following parameters are required:
If you are using temporary security credentials provided by AWS, you must also include the header The following example shows a
You can also use a Google-issued OAuth 2.0 access token with this field to obtain an access token with new security attributes applied, such as a Credential Access Boundary. In this case, set If an access token already contains security attributes, you cannot apply additional security attributes.

subjectTokenType
Required. An identifier that indicates the type of the security token in the

options
A set of features that Security Token Service supports, in addition to the standard OAuth 2.0 token exchange, formatted as a serialized JSON object of
Response body
If successful, the response body contains data with the following structure:
Response message for v1.token.

JSON representation

```json
{
  "access_token": string,
  "issued_token_type": string,
  "token_type": string,
  "expires_in": integer
}
```

Fields

access_token
An OAuth 2.0 security token, issued by Google, in response to the token exchange request. Tokens can vary in size, depending in part on the size of mapped claims, up to a maximum of 12288 bytes (12 KB). Google reserves the right to change the token size and the maximum length at any time.

issued_token_type
The token type. Always matches the value of

token_type
The type of access token. Always has the value

expires_in
The amount of time, in seconds, between the time when the access token was issued and the time when the access token will expire. This field is absent when the
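The following is an added example, not Google's own client code, that builds and validates a request body for the exchange described above and parses the response body. It assumes the RFC 8693 token-exchange identifiers that the Google STS reference uses (the `grantType` value `urn:ietf:params:oauth:grant-type:token-exchange`, the `requestedTokenType` value `urn:ietf:params:oauth:token-type:access_token`, the `subjectTokenType` URNs for JWT, ID token, AWS signed request and Google access token, and `token_type` being `Bearer`), and the `accessBoundary` / `accessBoundaryRules` shape of a Credential Access Boundary passed through `options`; none of those values appear on this page. The audience, subject token, bucket name and response JSON are constructed sample values.

```python
"""Added example: build, check and parse an STS v1beta token exchange.

Assumptions (from RFC 8693 and Google's Workload Identity Federation and
Credential Access Boundary documentation, not from the reference text above):
the grant/token-type URNs below, token_type == "Bearer", and the
accessBoundary JSON shape carried in the serialized `options` string.
"""
import json
import urllib.request

STS_ENDPOINT = "https://sts.googleapis.com/v1beta/token"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"   # assumed
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"  # assumed
EXTERNAL_SUBJECT_TYPES = {  # assumed subjectTokenType values for external credentials
    "urn:ietf:params:oauth:token-type:jwt",
    "urn:ietf:params:oauth:token-type:id_token",
    "urn:ietf:params:aws:token-type:aws4_request",
}
MAX_TOKEN_BYTES = 12288  # documented maximum access_token size (12 KB)

# Constructed sample: a Credential Access Boundary granting read-only object
# access to one bucket. Resource name and role follow the assumed CAB shape.
SAMPLE_BOUNDARY = {
    "accessBoundaryRules": [{
        "availableResource": "//storage.googleapis.com/projects/_/buckets/example-bucket",
        "availablePermissions": ["inRole:roles/storage.objectViewer"],
    }]
}


def build_exchange_request(subject_token, subject_token_type, audience=None,
                           scope=None, access_boundary=None):
    """Return the JSON body for POST /v1beta/token.

    Enforces the rules the reference states: `scope` is required when an
    external credential is exchanged, and a Google access token is only
    exchanged to have security attributes (a Credential Access Boundary) applied.
    """
    if subject_token_type in EXTERNAL_SUBJECT_TYPES:
        if not audience:
            raise ValueError("audience (workload identity pool provider) is required")
        if not scope:
            raise ValueError("scope is required when exchanging an external credential")
    elif subject_token_type == ACCESS_TOKEN_TYPE:
        if access_boundary is None:
            raise ValueError("a Google access token is exchanged only to apply a "
                             "Credential Access Boundary; pass access_boundary")
    else:
        raise ValueError(f"unsupported subjectTokenType {subject_token_type!r}")

    body = {
        "grantType": GRANT_TYPE,
        "requestedTokenType": ACCESS_TOKEN_TYPE,
        "subjectToken": subject_token,
        "subjectTokenType": subject_token_type,
    }
    if audience:
        body["audience"] = audience
    if scope:
        body["scope"] = " ".join(scope)  # space-delimited, case-sensitive
    if access_boundary is not None:
        # `options` is a JSON object serialized into a string, not a nested object.
        body["options"] = json.dumps({"accessBoundary": access_boundary})
    return body


def parse_token_response(raw):
    """Validate a response body and return (access_token, expires_in).

    expires_in may be None: the reference says the field is absent in some
    exchanges, so callers must not assume a lifetime is reported.
    """
    resp = json.loads(raw)
    if resp.get("issued_token_type") != ACCESS_TOKEN_TYPE:
        raise ValueError(f"unexpected issued_token_type {resp.get('issued_token_type')!r}")
    if resp.get("token_type") != "Bearer":  # assumed constant value
        raise ValueError(f"unexpected token_type {resp.get('token_type')!r}")
    token = resp["access_token"]
    if len(token.encode("utf-8")) > MAX_TOKEN_BYTES:
        raise ValueError("access_token exceeds the documented 12 KB maximum")
    return token, resp.get("expires_in")


def exchange(body, opener=urllib.request.urlopen):
    """POST the body to the STS endpoint; `opener` is injectable for testing."""
    req = urllib.request.Request(
        STS_ENDPOINT, data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"}, method="POST")
    with opener(req) as resp:
        return parse_token_response(resp.read())
```

`exchange()` performs the real network call; the validation helpers are what a client should run before sending a subject token anywhere, and `parse_token_response` refuses a response whose `issued_token_type` or `token_type` deviates from the expected constants rather than silently using whatever comes back.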