--- title: Configuring OAuth 2.0 token exchange description: PingOne supports OAuth 2.0 token exchange as an extension of OAuth 2.0, exchanging one security token for another token. component: pingone page_id: pingone:use_cases:p1_oauth_2_token_exchange canonical_url: https://docs.pingidentity.com/pingone/use_cases/p1_oauth_2_token_exchange.html revdate: February 25, 2026 section_ids: how-it-works: How it works what-youll-do: What you'll do before-you-begin: Before you begin --- # Configuring OAuth 2.0 token exchange PingOne supports OAuth 2.0 token exchange, allowing an application to exchange a security token it already has for an access token to access a custom resource. Learn more about the [RFC 8693 - OAuth 2.0 Token Exchange specification](https://datatracker.ietf.org/doc/html/rfc8693) in the Internet Engineering Task Force (IETF) documentation. OAuth 2.0 token exchange enhances security by restricting the scope or audience of a token and provides a seamless user experience without requiring reauthentication when accessing multiple resources. PingOne supports many OAuth 2.0 token exchange use cases, including the following examples: * Impersonation: Allows an application to act as the user. The access token represents the user's identity, and the custom resource handles the request as if it came from the user. * Delegation: Allows an application to act on behalf of a user. The access token contains information about the user (*subject*) and the application performing the action (*actor*) on the user's behalf. * Machine-to-machine interaction: Enables server-to-server communication and shields downstream resources from the original upstream caller. ## How it works OAuth 2.0 token exchange allows an application (client) in PingOne to send a token request when accessing protected resources where the application: * Uses the token exchange grant type. * Provides the required subject token and optional actor token as inputs. * The subject token is the original security token and identifies the entity (user or application) for which the new token is being requested. * The actor token provides additional information. For example, it can represent the entity making the request on behalf of the subject, such as in delegation scenarios. * Specifies the type of input tokens and output token. ## What you'll do To enable token exchange in PingOne, you can set up the following use cases: * [Impersonation](p1_oauth_2_token_exchange_impersonation.html): Set up an application to act as the user and retrieve information from a custom resource. * [Delegation](p1_oauth_2_token_exchange_delegation.html): Set up an application to act on behalf of the user when retrieving information from a custom resource. * [Machine-to-machine interaction](p1_oauth_2_token_exchange_machine_to_machine.html): Set up a backend application to retrieve information from a custom resource, which then retrieves additional information from another resource without exposing that call to the application. ## Before you begin To configure any of the OAuth 2.0 token exchange use cases, you'll need: * A PingOne organization. Learn more in [Starting a PingOne trial](../getting_started_with_pingone/p1_start_a_p1_trial.html). * A PingOne environment with the PingOne SSO service added.