Exchange OIDC token for self-service JWT
Validates an ID token issued by the tenant's configured OIDC provider (e.g. eSignet) and returns a self-service JWT bound to the matching entity. The token's issuer claim is checked against the tenant configuration before any JWKS fetch is attempted, so an attacker-supplied issuer can never steer the server to an arbitrary URL (SSRF mitigation); the JWKS origin advertised by discovery must additionally match the configured authority. No bearer token is needed on this call: the ID token in the request body is the credential being exchanged.
Request
Method: POST
Path: /api/auth/oidc/exchange
Authentication: Not required
Request Body
Content Type: application/json
Schema: See the component schemas in the OpenAPI specification
Responses
200 - Exchanged
400 - Invalid token format or OIDC not configured
401 - Token verification failed or no matching record
404 - No matching beneficiary
502 - Failed to fetch OIDC discovery or JWKS origin mismatch
Examples
cURL
curl -X POST \
-H "Content-Type: application/json" \
http://localhost:3000/api/auth/oidc/exchange \
-d '{"example": "data"}'
JavaScript
// No Authorization header: this endpoint does not require authentication.
const response = await fetch('http://localhost:3000/api/auth/oidc/exchange', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
body: JSON.stringify({
// Request body as defined by the component schema in the OpenAPI specification
}),
});
const data = await response.json();
console.log(data);
This documentation is automatically generated from the OpenAPI specification.