---
title: Defining token exchange processor policies
description: To exchange security tokens, the OAuth authorization server needs at least one token exchange processor policy.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:pf_defining_token_exchange_processor_policies
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_defining_token_exchange_processor_policies.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: April 3, 2026
section_ids:
  before-you-begin: Before you begin
  about-this-task: About this task
  steps: Steps
---

# Defining token exchange processor policies

To exchange security tokens, the OAuth authorization server needs at least one token exchange processor policy.

## Before you begin

Before you define a token exchange processor policy, create the necessary token processor instances. Learn more in [Managing token processors](pf_managing_token_processors.html).

## About this task

In the PingFederate admin console, go to the **Token Exchange Processor Policy Management** page to define token exchange processor policies.

## Steps

1. Go to **Applications > Token Exchange > Processor Policies**.

2. Click **Add Processor Policy**.

3. On the **Manage Processor Policy** tab, enter the policy **ID** and **Name**. To require both a subject token and an actor token in client token exchange requests, select the **Actor Token Required** checkbox. Click **Next**.

4. On the **Attribute Contract** tab, add attributes to the attribute contract as needed. Click **Next**.

5. On the **Token Processor Mapping** tab, map a token processor to each subject token type, or each combination of subject token type and actor token type:

   1. Click **Map New Token Processor**.

   2. On the **Token Types** tab, in the **Subject Token Processor** list, select the instance.

   3. In the **Subject Token Type** field, enter the identifier.

   4. If an actor token processor is required, in the **Actor Token Processor** list, select the instance.

   5. In the **Actor Token Type** field, enter the identifier. Click **Next**.

   6. On the **Attribute Sources & User Lookup** tab, add additional attribute sources for contract fulfillment as needed. Click **Next**.

   7. On the **Contract Fulfillment** tab, select the **Source** and **Value** for each attribute. Click **Next**.

   8. On the **Issuance Criteria** tab, specify conditions that attributes must satisfy for PingFederate to exchange the token. Click **Next**.

   9. On the **Summary** tab, review the token processor mapping. Click **Done**.

6. On the **Summary** tab, review the policy. Click **Done**.

7. To make the new token exchange processor policy the default policy, click **Set as Default** on the corresponding row in the table.

8. Click **Save**.