Subscribe to the Non-Human & AI Identity Journal

Delegated token exchange

A pattern in which an application does not store long-lived third-party credentials but instead exchanges an existing authenticated token for a short-lived access token at runtime. This reduces secret custody risk, but it still depends on correct scope design and revocation discipline.

Expanded Definition

Delegated token exchange is a runtime pattern used in IAM and NHI architectures when an application presents an already authenticated token and receives a short-lived access token scoped for a downstream action. In practice, this is closely associated with token federation, on-behalf-of flows, and the principle that the application should not custody long-lived third-party credentials. Standards language varies across vendors, so the implementation details differ, but the security intent is consistent: reduce durable secret exposure while preserving delegated access. For a standards-oriented view of identity lifecycle and access control outcomes, see the NIST Cybersecurity Framework 2.0.

The critical distinction is that token exchange is not the same as “just using OAuth.” It adds a deliberate trust boundary: the original token proves an upstream identity or authorization context, while the exchanged token narrows what the target system may do and for how long. The most common misapplication is treating exchanged tokens as automatically safe, which occurs when teams skip audience restriction, over-broaden scopes, or fail to define revocation paths for the downstream token.

Examples and Use Cases

Implementing delegated token exchange rigorously often introduces added policy complexity, requiring organisations to weigh reduced secret custody risk against stricter scope design, token audience mapping, and revocation handling.

  • A SaaS integration accepts a user or workload token, exchanges it for a short-lived API token, and uses that token only for one downstream tenant action.
  • A CI/CD pipeline avoids storing third-party cloud credentials by exchanging its workload identity for ephemeral deployment permissions during the release window.
  • An internal service broker proxies requests to a partner platform by exchanging an upstream token for a narrowly scoped token with a limited audience.
  • A support automation agent uses delegated access to fetch records only after a caller context is validated, then discards the token immediately after use.
  • Security teams investigate whether token exchange is masking secret sprawl, using incidents like the Salesloft OAuth token breach and the Guide to the Secret Sprawl Challenge to distinguish ephemeral delegation from stored credentials.

External guidance on ephemeral identity, trust boundaries, and token handling is also reflected in the NIST Cybersecurity Framework 2.0, even when no single standard uses the exact same phrase for the pattern.

Why It Matters in NHI Security

Delegated token exchange matters because it can significantly reduce the number of long-lived secrets an application must hold, which lowers blast radius when systems are compromised. NHI Management Group research shows that 64% of valid secrets leaked in 2022 are still valid and exploitable today, which underscores why “temporary” credentialing must be paired with actual expiry and revocation discipline. That is also why token exchange cannot be treated as a cosmetic control; if scopes are too broad or downstream tokens persist too long, the pattern merely relocates the risk. The same logic appears in NHI breach analysis such as the JetBrains GitHub plugin token exposure and the Dropbox Sign breach, where token or secret misuse became an access multiplier.

Practitioners should also note that delegated token exchange interacts with lifecycle governance: offboarding, service decommissioning, and partner revocation all need to invalidate trust chains, not just passwords. Organisations typically encounter the operational consequences only after a partner compromise, token replay event, or downstream privilege abuse, at which point delegated token exchange becomes unavoidable to trace and contain.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-02 Token exchange reduces stored secrets but still depends on secure token handling.
NIST CSF 2.0 PR.AC-4 Delegated access must enforce least privilege across identity and sessions.
NIST Zero Trust (SP 800-207) SC-7 Token exchange supports zero trust by constraining trust to each transaction.

Treat each exchange as a fresh authorization decision with strict audience and policy checks.