Token Exchange

Your users already signed in. Now let your agents use that.

Your app authenticates with Google, Auth0, Azure AD. Your agents need tokens that actually work with Civic. Token Exchange bridges the gap: one API call turns any provider's token into a Civic token with guardrails, audit trails, and instant revocation built in.

federated-exchange.ts
// from Google login — no second auth needed
const civicToken = await exchangeToken({
subjectToken: googleIdToken,
subjectTokenType: "id_token",
clientId: process.env.CIVIC_CLIENT_ID,
})
RFC 8693 · Token Exchange

Five providers. Five token formats. Zero interoperability.

Your users sign in with Google. Your internal tools use Auth0. Your enterprise clients demand Azure AD. Now your agent needs to act across all of them. Good luck wiring that by hand.

Google: ID Token (RS256)

Scopes vary per API. Refresh tokens silently expire after 7 days of inactivity.

Auth0: Access Token (RS256)

Audience mismatch between tenants. Token format changes across API versions.

Azure AD: JWT v2.0

Tenant-specific JWKS endpoints. Token validation differs for personal vs org accounts.

Okta: Access Token

Custom authorization servers issue incompatible tokens. CORS blocks client-side exchange.

Your custom IdP: ¯\_(ツ)_/¯

No standard. No JWKS. No one remembers how the signing keys were generated.

Every provider is a different format, a different endpoint, a different set of gotchas. Token Exchange makes them all speak the same language.

Configure. Exchange. Secure.

dashboard-config.json
{
  "issuer": "https://accounts.google.com",
  "audience": "1234567890-abc.apps.googleusercontent.com",
  "jwksUri": "https://www.googleapis.com/oauth2/v3/certs",
  "acceptedAlgorithms": ["RS256"],
  "defaultScopes": "openid email",
  "maxTokenTtl": 3600
}

What this actually gives you

Unified identity layer

5 providers, 1 token format. Every external identity maps to a stable Civic account. Your agent code never branches on provider type.

Agent-safe delegation

Exchange a full-access token for a scoped one. Your agent gets exactly the permissions it needs and nothing more. Least privilege by default.

Zero-friction migration

Users keep signing in with Google or Auth0. Behind the scenes, they get Civic tokens. Migrate your auth layer without touching a single login screen.

Bridge your auth to Civic.

Configure a provider, exchange a token, and your agents are secured. Takes 5 minutes.