Subscribe to the Non-Human & AI Identity Journal

Token Procedure

A token procedure is a programmable step that changes how an OAuth or OpenID Connect token is issued, exchanged, or refreshed. It can add policy checks, rewrite claims, or alter token lifetime, which makes it a governance control point as much as a technical extension.

Expanded Definition

A token procedure is not the token itself, but the programmable logic that governs how an OAuth 2.0 or OpenID Connect token is issued, exchanged, refreshed, or conditionally modified. In NHI security, that makes it a control layer for trust decisions, not just an implementation detail. A procedure may add policy checks before issuance, reduce token lifetime, narrow claims, or block refresh when the workload context no longer looks valid. This is why token procedures overlap with governance and runtime authorization, especially in service-to-service and agent-to-tool flows.

Definitions vary across vendors because some platforms treat these as authentication hooks, while others frame them as token transformation, token exchange, or policy enforcement points. The standards baseline is clearer in OAuth 2.0 and OpenID Connect, but the operational pattern is still evolving in agentic systems and NHI platforms. NIST Cybersecurity Framework 2.0 is a useful external anchor for treating token procedures as part of access governance and continuous protection, not as a one-time login event. A token procedure is most often confused with a static token setting, when the actual behavior is dynamic and policy-driven at issuance or renewal time.

For standards context, see NIST Cybersecurity Framework 2.0.

Examples and Use Cases

Implementing token procedures rigorously often introduces latency and complexity, requiring organisations to weigh stronger governance against tighter integration overhead and more failure modes.

  • An API gateway calls a policy service before minting a short-lived service token for a backend workflow.
  • An identity broker rewrites claims so an AI agent receives only the minimum scopes needed for a single tool invocation.
  • A refresh flow is denied when device posture, workload context, or source network no longer meets policy.
  • A token exchange step converts a broad user token into a constrained NHI token for downstream automation.
  • A post-incident revocation procedure invalidates tokens associated with a compromised CI/CD runner or integration account.

These patterns show up in real incidents such as the Salesloft OAuth token breach, where token handling became the attack path rather than a background control. They are also closely related to the broader Guide to the Secret Sprawl Challenge, because exposed tokens are often treated like ordinary secrets instead of governed access artifacts.

For protocol structure, OAuth 2.0 token exchange concepts are commonly implemented through standards-based patterns rather than ad hoc logic, although no single standard governs every vendor’s procedure model yet.

Why It Matters in NHI Security

Token procedures matter because they determine whether a token behaves like a tightly bounded capability or a reusable credential that outlives its intended purpose. NHIMG research shows that 44% of NHI tokens are exposed in the wild, and 91% of former employee tokens remain active after offboarding, which turns weak token handling into a direct operational risk. A poorly designed procedure can accidentally widen claims, extend lifetime, or let refresh continue after the underlying workload should have lost access. That creates a gap between policy intent and actual privilege.

This is especially important in agentic AI, where an autonomous software entity may chain multiple tool calls under one session and inherit permissions that were never meant to persist. Token procedures should therefore be reviewed as part of lifecycle governance, incident response, and access review, not only during initial architecture design. The State of Secrets Sprawl 2026 also underscores how easily token-like credentials escape into tickets, chats, and repos, while The 2025 State of NHIs and Secrets in Cybersecurity documents the scale of exposed and stale NHI tokens. Organisations typically encounter the consequences only after a breach, failed offboarding, or overbroad automation event, at which point token procedure review becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-01 Token lifecycle and scope control are core NHI governance concerns.
NIST CSF 2.0 PR.AA-05 Identity proofing and access governance cover token issuance decisions.
NIST Zero Trust (SP 800-207) PEP Token procedures act as policy enforcement points in zero trust flows.

Treat token procedures as access controls and review them for least-privilege enforcement.