Token exchange is used when an upstream user token cannot be forwarded directly to a downstream service, for example because the downstream service requires a different audience, a shorter time-to-live (TTL), or a reduced (sanitized) set of scopes. Instead of passing the user's token through, the caller presents it to the authorization server and receives a new token that is bound to the downstream service, so that each service only ever sees a token issued for it.

The following guidelines apply when implementing token exchange:

Always use HTTPS
  All token exchange requests must be sent over HTTPS. The request body carries the upstream bearer token in the clear, so any unencrypted hop exposes it to interception and replay.

Fail closed
  If the exchange fails for any reason (transport error, rejected request, malformed or incomplete response), the system must reject the downstream request. It must never fall back to forwarding the original, unexchanged token, because that token was issued for a different audience and carries the user's full set of scopes; forwarding it would grant the downstream service more access than intended.

Scope separation
  The exchanged token should carry only the scopes the downstream service requires. Request only those scopes, and treat an exchanged token that carries more than was requested as a failure. This limits the damage if the downstream token leaks and enforces the principle of least privilege.
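The following is an added example, not code from the PAS for OpenEdge product or its documentation, showing how a caller can apply the three guidelines above when exchanging a token in the style of OAuth 2.0 Token Exchange (RFC 8693). The authorization server is a constructed in-memory stand-in so the code runs offline; the endpoint URL, the audience name, the token strings and the scope names are assumptions for illustration.

```python
"""Token exchange client applying: HTTPS only, fail closed, scope separation.

Added example. The authorization server below is a constructed stand-in;
the endpoint URL, audience, token values and scope names are assumptions.
"""
from urllib.parse import urlsplit

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


class TokenExchangeError(Exception):
    """Raised whenever an exchanged token cannot be obtained or is unacceptable."""


def build_exchange_request(token_endpoint, subject_token, audience, scopes):
    """Build the form body for a token exchange request.

    Guideline 1 (HTTPS only): refuse any non-https endpoint, because the body
    carries the upstream bearer token in the clear.
    """
    if urlsplit(token_endpoint).scheme != "https":
        raise TokenExchangeError("token endpoint must use https: %s" % token_endpoint)
    return {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "requested_token_type": ACCESS_TOKEN_TYPE,
        "audience": audience,
        # Guideline 3 (scope separation): request only what the downstream needs.
        "scope": " ".join(sorted(scopes)),
    }


def exchange_token(token_endpoint, subject_token, audience, scopes, post):
    """Exchange subject_token for a token bound to `audience` carrying `scopes`.

    `post(url, form) -> (status, json_dict)` is injected so the logic can run
    offline. Guideline 2 (fail closed): every failure path raises; the caller
    never gets the original subject_token back as a fallback.
    """
    form = build_exchange_request(token_endpoint, subject_token, audience, scopes)
    try:
        status, body = post(token_endpoint, form)
    except Exception as exc:  # a transport failure is a failure, not a fallback
        raise TokenExchangeError("token exchange transport failure") from exc
    if status != 200 or not isinstance(body, dict):
        raise TokenExchangeError("token exchange rejected (HTTP %s)" % status)
    if body.get("issued_token_type") != ACCESS_TOKEN_TYPE or not body.get("access_token"):
        raise TokenExchangeError("token exchange response missing an access token")
    granted = set(body.get("scope", "").split())
    # Guideline 3 enforced on the response: the server may grant fewer scopes
    # than requested, but never more.
    if not granted <= set(scopes):
        extra = sorted(granted - set(scopes))
        raise TokenExchangeError("exchanged token carries unrequested scopes: %s" % extra)
    if body["access_token"] == subject_token:
        raise TokenExchangeError("server echoed the subject token instead of issuing a new one")
    return body["access_token"]


# Constructed stand-in for the authorization server (assumed values, not a real AS).
UPSTREAM_TOKEN = "upstream-user-token"
UPSTREAM_SCOPES = {"orders:read", "orders:write", "profile:admin"}


def fake_authorization_server(url, form):
    """Issue a narrowed token: only requested scopes the subject token already holds."""
    if form.get("grant_type") != TOKEN_EXCHANGE_GRANT:
        return 400, {"error": "unsupported_grant_type"}
    if form.get("subject_token") != UPSTREAM_TOKEN:
        return 400, {"error": "invalid_grant"}
    granted = set(form.get("scope", "").split()) & UPSTREAM_SCOPES
    if not granted:
        return 400, {"error": "invalid_scope"}
    return 200, {
        "access_token": "downstream-token-for-%s-%s" % (form["audience"], "+".join(sorted(granted))),
        "issued_token_type": ACCESS_TOKEN_TYPE,
        "token_type": "Bearer",
        "expires_in": 300,  # short TTL for the downstream hop
        "scope": " ".join(sorted(granted)),
    }


def call_downstream(subject_token, post=fake_authorization_server):
    """Obtain a token for the (assumed) orders service, or refuse the call."""
    return exchange_token(
        "https://auth.example.test/oauth/token",  # assumed endpoint
        subject_token,
        audience="orders-service",
        scopes={"orders:read"},
        post=post,
    )
```

Note that the fallback the "fail closed" guideline forbids is not only the obvious `except: return subject_token`; an over-scoped or echoed response is just as dangerous, which is why the response is checked against the requested scopes and against the subject token before it is returned.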
For more information about token exchange for PAS for OpenEdge integration, see OAuth mode.