# Token Exchange for Native Social

> Exchange a native social token (such as Apple or Google) for Auth0 tokens using the token exchange grant.

export const ResponseSchema = ({statusCode, type = "{}", children}) => {
  const [open, setOpen] = useState(false);
  return <div className="border border-gray-100 dark:border-gray-800 rounded-lg mb-3 overflow-hidden">
      <div className={`flex items-center gap-2.5 px-4 py-2.5 cursor-pointer select-none ${open ? "bg-gray-50 dark:bg-gray-800" : ""}`} onClick={() => setOpen(!open)}>
        {statusCode && <span className="border border-gray-300 dark:border-gray-600 text-gray-700 dark:text-gray-300 font-mono text-xs px-1.5 py-0.5 rounded">
            {statusCode.startsWith("default") ? "default" : statusCode}
          </span>}
        <span className="text-gray-500 dark:text-gray-400 text-sm font-mono">
          {type}
        </span>
        <span className="text-gray-400 dark:text-gray-500 text-sm italic">
          application/json
        </span>
        <svg className={`ml-auto opacity-50 transition-transform duration-200 ${open ? "rotate-180" : ""}`} width="16" height="16" viewBox="0 0 16 16" fill="none">
          <path d="M4 6l4 4 4-4" stroke="currentColor" strokeWidth="1.5" strokeLinecap="round" strokeLinejoin="round" />
        </svg>
      </div>
      {open && <div className="px-4 pt-1 pb-3 border-t border-gray-100 dark:border-gray-800">
          {children}
        </div>}
    </div>;
};

## Endpoint

`POST /oauth/token`

<Note>
  This flow is intended for use with native social interactions **only**. Use of this flow outside of a native social setting is highly discouraged.
</Note>

When a non-browser-based solution (such as a mobile platform's SDK) authenticates the user, the authentication commonly results in artifacts (for example a native social token from Apple or Google) being returned to application code. In such situations, this grant type allows the Auth0 platform to accept artifacts from trusted sources and issue tokens in response. In this way, apps that use non-browser-based authentication mechanisms (as are common in native apps) can still retrieve Auth0 tokens without asking for further user interaction.

Artifacts returned by this flow (and the contents thereof) will be determined by the `subject_token_type` and the tenant's configuration settings.

## Remarks

* The scopes issued to the application may differ from the requested scopes. In this case, a `scope` parameter will be included in the response JSON.
* If you don't request specific scopes, all scopes defined for the audience will be returned, because this grant implies trust in the application. You can customize the scopes returned in a rule. To learn more, read [Calling APIs from Highly Trusted Applications](https://auth0.com/docs/get-started/authentication-and-authorization-flow/resource-owner-password-flow).

## Learn More

* [Add Sign In with Apple to Native iOS Apps](https://auth0.com/docs/authenticate/identity-providers/social-identity-providers/apple-native)
* [iOS Swift - Sign In with Apple Quickstart](https://auth0.com/docs/quickstart/native/ios-swift)

## Headers

<ParamField header="DPoP" type="string">
  A DPoP proof for the request. Optional; required only if your application uses Demonstrating Proof-of-Possession (DPoP).
</ParamField>

## Body Parameters

<ParamField body="auth0-forwarded-for" type="string">
  End user IP as a string value. Set this if you want brute-force protection to work in server-side scenarios. To learn more about how and when to use this header, read [Using resource owner password from server-side](/api-auth/tutorials/using-resource-owner-password-from-server-side).
</ParamField>

<ParamField body="grant_type" type="string" required>
  Denotes the flow you are using. For Token Exchange for Native Social, use `urn:ietf:params:oauth:grant-type:token-exchange`.
</ParamField>

<ParamField body="subject_token" type="string" required>
  Externally-issued identity artifact representing the user.
</ParamField>

<ParamField body="subject_token_type" type="string" required>
  Identifier that indicates the type of `subject_token`.
</ParamField>

<ParamField body="client_id" type="string" required>
  Your application's Client ID.
</ParamField>

<ParamField body="audience" type="string">
  The unique identifier of the target API you want to access.
</ParamField>

<ParamField body="resource" type="string">
  The identifier of the target API (resource server) you want to access. Must match an API Identifier registered in your Auth0 tenant. Used as an alternative to `audience` when the tenant's [Resource Parameter Compatibility Profile](https://auth0.com/docs/get-started/tenant-settings#settings-advanced) is set to `compatibility`.
</ParamField>

<ParamField body="scope" type="string">
  Space-separated list of the scopes the application is requesting.
</ParamField>

<ParamField body="user_profile" type="object">
  Optional element used for native iOS interactions for which profile updates can occur. The expected parameter value is JSON of the form: `{ "name": { "firstName": "John", "lastName": "Smith" } }`.

  <Expandable title="properties">
    <ParamField body="name" type="object" />
  </Expandable>
</ParamField>

## Response Schema

<ResponseSchema statusCode="200">
  <ResponseField name="access_token" type="string">
    The issued access token.
  </ResponseField>

  <ResponseField name="id_token" type="string">
    The issued ID token.
  </ResponseField>

  <ResponseField name="refresh_token" type="string">
    The issued refresh token.
  </ResponseField>

  <ResponseField name="token_type" type="string">
    The type of token issued.
  </ResponseField>

  <ResponseField name="expires_in" type="integer">
    The access token lifetime in seconds.
  </ResponseField>
</ResponseSchema>

<ResponseSchema statusCode="default error">
  <ResponseField name="error" type="string">
    Error code.
  </ResponseField>

  <ResponseField name="error_description" type="string">
    Error description.
  </ResponseField>
</ResponseSchema>
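The following is an added example, not code from this page or from Auth0's SDKs, showing how a client would assemble the request body and headers described under Body Parameters and then consume a response matching the schema above, including the scope-narrowing case from the Remarks. The tenant endpoint, client ID, audience and `subject_token_type` values are constructed placeholders; the real `subject_token_type` identifier for your provider is documented on the Sign In with Apple / native-social pages linked above, not here.

```python
import json
from typing import Optional
from urllib.parse import urlencode

# Constructed placeholder values for this example.
TOKEN_ENDPOINT = "https://YOUR_TENANT.auth0.com/oauth/token"
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"


def build_token_exchange_request(
    client_id: str,
    subject_token: str,
    subject_token_type: str,
    audience: Optional[str] = None,
    scope: Optional[list] = None,
    user_profile: Optional[dict] = None,
    dpop_proof: Optional[str] = None,
) -> dict:
    """Assemble headers, parameters and the form-encoded body for POST /oauth/token."""
    params = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": subject_token,
        "subject_token_type": subject_token_type,
        "client_id": client_id,
    }
    if audience:
        params["audience"] = audience
    if scope:
        params["scope"] = " ".join(scope)  # multiple scopes are whitespace-separated
    if user_profile:
        params["user_profile"] = json.dumps(user_profile)  # sent as a JSON string
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if dpop_proof:
        headers["DPoP"] = dpop_proof  # only when the app uses DPoP
    return {"url": TOKEN_ENDPOINT, "headers": headers, "params": params, "body": urlencode(params)}


class TokenExchangeError(Exception):
    """Raised for the `default error` response shape: error + error_description."""

    def __init__(self, error: str, error_description: str):
        super().__init__(f"{error}: {error_description}")
        self.error = error
        self.error_description = error_description


def parse_token_response(status: int, body: str, requested_scopes: list) -> dict:
    """Validate a /oauth/token response against the 200 and error schemas above.

    Returns the issued tokens plus which of the requested scopes were dropped.
    If the server narrowed the scopes, the response carries a `scope` field;
    scopes granted that were never requested are treated as a defect.
    """
    data = json.loads(body)
    if status != 200:
        raise TokenExchangeError(data.get("error", "unknown_error"),
                                 data.get("error_description", ""))
    for required in ("access_token", "token_type", "expires_in"):
        if required not in data:
            raise ValueError(f"200 response is missing '{required}'")
    granted = data["scope"].split() if "scope" in data else list(requested_scopes)
    unexpected = set(granted) - set(requested_scopes)
    if requested_scopes and unexpected:
        raise ValueError(f"server granted scopes that were not requested: {sorted(unexpected)}")
    return {
        "access_token": data["access_token"],
        "id_token": data.get("id_token"),
        "refresh_token": data.get("refresh_token"),
        "token_type": data["token_type"],
        "expires_in": int(data["expires_in"]),
        "granted_scopes": granted,
        "scopes_dropped": sorted(set(requested_scopes) - set(granted)),
    }


if __name__ == "__main__":
    req = build_token_exchange_request(
        client_id="YOUR_CLIENT_ID",
        subject_token="<identity artifact from the native SDK>",
        subject_token_type="urn:example:subject-token-type",  # placeholder, see provider docs
        audience="https://api.example.com",
        scope=["openid", "profile", "offline_access"],
        user_profile={"name": {"firstName": "John", "lastName": "Smith"}},
    )
    print(req["headers"], req["body"])
    # Constructed sample response in which the server dropped `offline_access`.
    sample = '{"access_token":"at","id_token":"idt","token_type":"Bearer","expires_in":86400,"scope":"openid profile"}'
    print(parse_token_response(200, sample, ["openid", "profile", "offline_access"]))
```

`build_token_exchange_request` returns the pieces rather than sending them, so the same code can feed whatever HTTP client the app uses; `parse_token_response` is where a client should notice that fewer scopes than requested came back, rather than assuming the access token carries everything it asked for.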

## Response Messages

| Status  | Description         |
| ------- | ------------------- |
| 200     | Successful response |
| default | Unexpected error    |
