Exchange an OAuth Token
POST/sts/v1/oauth2/token
Use this operation to exchange an access token (JWT) issued by an external identity provider for an access token (JWT) issued by Confluent.This enables the use of external identities to access Confluent Cloud APIs.
Request
Responses
- 200
- 400
- 429
- 500
access token used to access public control plane api
Bad Request
Response Headers
The unique identifier for the API request.
Rate Limit Exceeded
Response Headers
The unique identifier for the API request.
The maximum number of requests you're permitted to make per time period.
The number of requests remaining in the current rate limit window.
The relative time in seconds until the current rate-limit window resets.
Important: This differs from Github and Twitter's same-named header which uses UTC epoch seconds. We use relative time to avoid client/server time synchronization issues.
The number of seconds to wait until the rate limit window resets. Only sent when the rate limit is reached.
Oops, something went wrong!
Response Headers
The unique identifier for the API request.
OpenAPI definition (YAML)
paths:
/sts/v1/oauth2/token:
post:
description: '[](#section/Versioning/API-Lifecycle-Policy)
Use this operation to exchange an access token (JWT) issued by an external identity provider for
an access token (JWT) issued by Confluent.This enables the use of external identities
to access Confluent Cloud APIs.
'
requestBody:
content:
application/x-www-form-urlencoded:
schema:
allOf:
- type: object
description: token exchange request parameters
properties:
api_version:
type: string
enum:
- sts/v1
description: APIVersion defines the schema version of this representation of a resource.
readOnly: true
kind:
type: string
description: Kind defines the object this REST resource represents.
readOnly: true
enum:
- TokenExchangeRequest
id:
description: ID is the "natural identifier" for an object within its scope/namespace;
it is normally unique across time but not space. That is, you can assume that the
ID will not be reclaimed and reused after an object is deleted ("time"); however,
it may collide with IDs for other object `kinds` or objects of the same `kind` within
a different scope/namespace ("space").
type: string
maxLength: 255
readOnly: true
example: dlz-f3a90de
metadata:
allOf:
- description: ObjectMeta is metadata that all persisted resources must have, which
includes all objects users must create.
required:
- self
properties:
self:
description: Self is a Uniform Resource Locator (URL) at which an object can
be addressed. This URL encodes the service location, API version, and other
particulars necessary to locate the resource at a point in time
type: string
format: uri
readOnly: true
example: https://api.confluent.cloud/v2/kafka-clusters/lkc-f3a90de
resource_name:
description: Resource Name is a Uniform Resource Identifier (URI) that is globally
unique across space and time. It is represented as a Confluent Resource Name
type: string
format: uri
readOnly: true
example: crn://confluent.cloud/kafka=lkc-f3a90de
created_at:
type: string
format: date-time
example: '2006-01-02T15:04:05-07:00'
readOnly: true
description: The date and time at which this object was created. It is represented
in RFC3339 format and is in UTC.
updated_at:
type: string
format: date-time
example: '2006-01-02T15:04:05-07:00'
readOnly: true
description: The date and time at which this object was last updated. It is
represented in RFC3339 format and is in UTC.
deleted_at:
type: string
format: date-time
example: '2006-01-02T15:04:05-07:00'
readOnly: true
description: The date and time at which this object was (or will be) deleted.
It is represented in RFC3339 format and is in UTC.
readOnly: true
title: ObjectMeta
- properties:
self:
example: https://api.confluent.cloud/sts/v1/token-exchange-requests/ter-12345
resource_name:
example: crn://confluent.cloud/organization=9bb441c4-edef-46ac-8a41-c49e44a3fd9a/token-exchange-request=ter-12345
grant_type:
type: string
description: 'The grant type. Must be urn:ietf:params:oauth:grant-type:token-exchange,
which indicates a token exchange.
'
example: urn:ietf:params:oauth:grant-type:token-exchange
enum:
- urn:ietf:params:oauth:grant-type:token-exchange
subject_token:
type: string
description: Confluent Cloud only accepts JSON Web Token (JWT) access tokens from
customer identity provider
example: test_jwt_token
identity_pool_id:
type: string
description: 'Identity pool is a group of external identities that are assigned a
certain level of access based on policy
'
example: pool_1
subject_token_type:
type: string
description: 'An identifier for the type of requested security token. Supported values
is urn:ietf:params:oauth:token-type:jwt.
'
example: urn:ietf:params:oauth:token-type:jwt
enum:
- urn:ietf:params:oauth:token-type:jwt
requested_token_type:
type: string
description: 'An identifier for the type of requested security token.
Supported values is urn:ietf:params:oauth:token-type:access_token.
'
example: urn:ietf:params:oauth:token-type:access_token
enum:
- urn:ietf:params:oauth:token-type:access_token
expires_in:
type: integer
format: int32
description: 'The amount of time, in seconds, between the time when the access token
was issued
and the time when the access token will expire
'
default: 900
maximum: 900
title: sts.v1.TokenExchangeRequest
- type: object
required:
- subject_token
- grant_type
- identity_pool_id
- subject_token_type
- requested_token_type
x-lifecycle-stage: General Availability
x-self-access: true
x-name: sts.v1.OauthToken
operationId: exchangeStsV1OauthToken
tags:
- OAuth Tokens (sts/v1)
responses:
'200':
description: 'access token used to access public control plane api
'
content:
application/json:
schema:
type: object
description: token exchange response
required:
- access_token
- issued_token_type
- token_type
- expires_in
properties:
access_token:
type: string
description: 'An JWT access token, issued by Confluent, in response to the token exchange
request.
Client application could use the access token to access confluent public api
'
issued_token_type:
type: string
description: The token type. Always matches the value of requested_token_type from
the request.
example: urn:ietf:params:oauth:token-type:access_token
enum:
- urn:ietf:params:oauth:token-type:access_token
token_type:
type: string
description: Indicates the token type value. The only type that Confluent supports
is Bearer
example: Bearer
enum:
- Bearer
expires_in:
type: integer
format: int32
description: The length of time, in seconds, that the access token is valid.
example: 3600
title: sts.v1.TokenExchangeReply
'400':
description: Bad Request
headers:
X-Request-Id:
schema:
type: string
description: The unique identifier for the API request.
content:
application/json:
schema:
type: object
description: Provides information about problems encountered while performing an operation.
required:
- errors
properties:
errors:
description: List of errors which caused this operation to fail
type: array
items:
type: object
description: Describes a particular error encountered while performing an operation.
properties:
id:
description: A unique identifier for this particular occurrence of the problem.
type: string
maxLength: 255
status:
description: The HTTP status code applicable to this problem, expressed as a
string value.
type: string
code:
description: An application-specific error code, expressed as a string value.
type: string
title:
description: A short, human-readable summary of the problem. It **SHOULD NOT**
change from occurrence to occurrence of the problem, except for purposes of
localization.
type: string
detail:
description: A human-readable explanation specific to this occurrence of the
problem.
type: string
source:
type: object
description: If this error was caused by a particular part of the API request,
the source will point to the query string parameter or request body property
that caused it.
properties:
pointer:
description: A JSON Pointer [RFC6901] to the associated entity in the request
document [e.g. "/spec" for a spec object, or "/spec/title" for a specific
field].
type: string
parameter:
description: A string indicating which query parameter caused the error.
type: string
error_code:
type: integer
format: int32
message:
type: string
nullable: true
additionalProperties: false
title: Error
uniqueItems: true
title: Failure
example:
errors:
- id: ed42afdc-f0d5-4c0d-b428-9fc6ed6e279d
status: '400'
code: invalid_filter
title: Invalid Filter
detail: The 'delorean' resource can't be filtered by 'num_doors'
source:
parameter: num_doors
'429':
description: Rate Limit Exceeded
headers:
X-Request-Id:
schema:
type: string
description: The unique identifier for the API request.
X-RateLimit-Limit:
schema:
type: integer
description: The maximum number of requests you're permitted to make per time period.
X-RateLimit-Remaining:
schema:
type: integer
description: The number of requests remaining in the current rate limit window.
X-RateLimit-Reset:
schema:
type: integer
description: "The relative time in seconds until the current rate-limit window resets. \
\ \n \n**Important:** This differs from Github and Twitter's same-named header which\
\ uses UTC epoch seconds. We use relative time to avoid client/server time synchronization\
\ issues."
Retry-After:
schema:
type: integer
description: The number of seconds to wait until the rate limit window resets. Only sent
when the rate limit is reached.
'500':
description: Oops, something went wrong!
headers:
X-Request-Id:
schema:
type: string
description: The unique identifier for the API request.
content:
application/json:
schema:
type: object
description: Provides information about problems encountered while performing an operation.
required:
- errors
properties:
errors:
description: List of errors which caused this operation to fail
type: array
items:
type: object
description: Describes a particular error encountered while performing an operation.
properties:
id:
description: A unique identifier for this particular occurrence of the problem.
type: string
maxLength: 255
status:
description: The HTTP status code applicable to this problem, expressed as a
string value.
type: string
code:
description: An application-specific error code, expressed as a string value.
type: string
title:
description: A short, human-readable summary of the problem. It **SHOULD NOT**
change from occurrence to occurrence of the problem, except for purposes of
localization.
type: string
detail:
description: A human-readable explanation specific to this occurrence of the
problem.
type: string
source:
type: object
description: If this error was caused by a particular part of the API request,
the source will point to the query string parameter or request body property
that caused it.
properties:
pointer:
description: A JSON Pointer [RFC6901] to the associated entity in the request
document [e.g. "/spec" for a spec object, or "/spec/title" for a specific
field].
type: string
parameter:
description: A string indicating which query parameter caused the error.
type: string
error_code:
type: integer
format: int32
message:
type: string
nullable: true
additionalProperties: false
title: Error
uniqueItems: true
title: Failure
example:
errors:
- id: ed42afdc-f0d5-4c0d-b428-9fc6ed6e279d
status: '500'
code: out_of_gas
title: DeLorean Out Of Gas
detail: The DeLorean has run out of gas, but Doc Brown will fill 'er up for you asap
servers:
- url: https://api.confluent.cloud
description: Confluent Cloud API