TL;DR: Token procedure examples show how token endpoint logic can alter OAuth and OpenID Connect responses across AuthZEN-based issuance decisions, external IdP token exchange, opaque-to-JWT exchange, and refresh-time extensions, according to Curity. The governance question is no longer token format alone, but where policy, delegation, and lifetime decisions sit in the identity flow.
At a glance
What this is: Token procedures are token-endpoint extensions that change how OAuth and OpenID Connect flows issue, exchange, or refresh tokens.
Why it matters: They matter because IAM teams need to know where policy decisions, delegation boundaries, and token lifetime controls are being enforced across human, workload, and API access paths.
👉 Read Curity's example implementations of token procedures for OAuth and OpenID Connect
Context
Token procedures are the part of an OAuth or OpenID Connect implementation that modifies token issuance or token exchange behaviour at the token endpoint. In practice, they sit at a control point that can add policy checks, transform token formats, or influence whether a token is refreshed, exchanged, or issued at all. For identity teams, that makes them relevant to access governance, not just protocol plumbing.
The governance issue is that token handling often becomes fragmented across authentication, authorisation, federation, and downstream API enforcement. Once token logic is extended with procedure plugins, teams need to understand which decisions are being made centrally, which are inherited from an external identity provider, and which are being deferred to runtime policy. That matters for OAuth, OpenID Connect, and NHI-adjacent service access patterns alike.
Key questions
Q: How should security teams govern token exchange in federated identity flows?
A: Security teams should treat token exchange as a trust decision, not a protocol convenience. They need explicit validation of issuer, audience, and delegation lineage before minting a new token. Without those checks, a valid inbound token can become an overbroad local credential with weaker provenance than the original assertion.
Q: When does refresh token design become a governance problem?
A: Refresh token design becomes a governance problem when renewal outlives the access conditions that justified it. If role changes, partner offboarding, or risk elevation do not narrow refresh behaviour, the token lifecycle continues after trust should have been reduced. At that point, renewal is extending exposure rather than preserving usability.
Q: What do IAM teams get wrong about opaque token to JWT exchange?
A: Teams often focus on format conversion and miss the trust boundary. Converting an opaque token into a JWT does not itself improve security. The key question is whether the exchange step validates who issued the incoming token, who it is meant for, and whether the downstream audience should accept the new token at all.
Q: How can organisations tell whether token procedures are too permissive?
A: A token procedure is probably too permissive if it can issue, exchange, or refresh access without a clear policy owner and an audit trail that explains why the decision was made. Another warning sign is when downstream systems assume token semantics are stable even though the token endpoint can rewrite them.
Technical breakdown
Token endpoint procedures and response rewriting
Token procedures intercept the response path at the token endpoint and can alter what the issuer returns. That may include changing claims, converting an opaque access token into a JWT, or applying refresh-time logic before a token is reissued. The architectural implication is that the token becomes a policy-shaped artefact rather than a fixed output of authentication alone. This is useful when different consumers need different token forms, but it also raises traceability questions because the issued token no longer reflects only the original authentication event.
Practical implication: document which parts of token contents are being rewritten so downstream services do not treat transformed tokens as equivalent to original issuer output.
Token exchange with external identity providers
Token exchange lets one token be swapped for another, often so a system can accept an externally issued JWT and turn it into a token usable inside a local ecosystem. This is a common federation pattern when trust has to span identity domains without reauthenticating the subject from scratch. The security boundary moves from the first issuer to the exchange policy, because the system now decides whether an inbound token is sufficient evidence to mint a new one. That makes token provenance and audience checking central controls, not optional details.
Practical implication: validate issuer, audience, and token lineage before allowing exchange, especially where partner or brokered identity is involved.
Refresh procedures and long-lived token behaviour
Refresh procedures extend the lifecycle of a token without forcing repeated full authentication, which is convenient but governance-sensitive. If refresh handling is too permissive, long-lived access can persist after the original context has changed, even when the user, workload, or external identity should no longer be trusted in the same way. The technical challenge is less about token renewal mechanics and more about preserving the ability to revoke or narrow access when the risk posture changes. In identity terms, refresh logic is lifecycle control, not just session convenience.
Practical implication: tie refresh rules to explicit lifecycle and revocation events so token renewal cannot outlast the access conditions that justified it.
NHI Mgmt Group analysis
Token procedures turn the token endpoint into a governance decision point. Once issuance, exchange, and refresh logic are adjustable, the identity platform is no longer only authenticating subjects. It is also deciding how trust is shaped, narrowed, or translated across contexts. That matters because downstream services often assume token semantics are stable, when in fact a procedure may have transformed the token before it ever arrived at the API.
Token exchange is a federation control, not a formatting convenience. The hard problem is not converting one token type into another. The hard problem is deciding which issuer, audience, and delegation chain deserve to be trusted across identity domains. Practitioners should treat token exchange as a boundary policy question, because weak provenance checks create a broader trust surface than the protocol name suggests.
Long-lived refresh logic creates lifecycle debt when access context changes. A token procedure that extends access can preserve convenience, but it also extends the period during which outdated trust assumptions remain active. That is especially relevant when human, workload, and partner access are all being renewed through similar mechanics. Identity governance teams should view refresh design as a lifecycle control problem, not a protocol tweak.
Token procedures make policy placement as important as policy content. The same rule can have different security outcomes depending on whether it is enforced at the issuer, the exchange step, or the refresh path. This is why identity architects need to map where decisions happen, not just what the decisions say. The practitioner conclusion is simple: govern the control point, not only the token.
From our research:
- 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation, according to the State of Secrets Sprawl 2026.
- AI-related credential leaks surged 81.5% year-over-year in 2025, with the surrounding AI infrastructure leaking 5x faster than core LLM providers, according to the State of Secrets Sprawl 2026.
- For a wider view of credential lifecycle failures, see Guide to the Secret Sprawl Challenge for the control patterns that stop secrets from living longer than the trust they represent.
What this signals
Token procedures are becoming a policy layer inside the identity runtime. As organisations extend token exchange and refresh logic, the practical question shifts from whether a token exists to who can reshape it and under what conditions. Teams that operate OAuth and OpenID Connect at scale should expect more demand for auditability across exchange steps, claim rewriting, and refresh triggers, especially where workload identity and partner federation intersect.
Policy placement will matter more than policy intent. A rule that looks sound on paper can still create excess access if it is enforced at the wrong point in the token path. That is why identity programmes should map token procedures alongside their lifecycle controls and keep a clear view of where trust is being created, transformed, or extended.
Long-lived access is still the real risk signal. The State of Secrets Sprawl 2026 shows that 64% of valid secrets leaked in 2022 remain exploitable today, which is a lifecycle problem as much as a detection problem. If your token procedures can refresh access without a revocation-aware control loop, you are extending the same exposure pattern in a different form.
For practitioners
- Map every token procedure to a control owner Document whether issuance, exchange, claim transformation, and refresh logic are owned by identity engineering, platform teams, or application teams. Clear ownership is the only way to keep policy changes auditable across OAuth and OpenID Connect flows.
- Separate token format changes from trust decisions Treat opaque-to-JWT conversion as a different control from issuer and audience validation. Downstream services should not infer trust from token shape alone, especially when a procedure can rewrite the response at the token endpoint.
- Bind refresh rules to lifecycle events Revocation, role change, partner offboarding, and risk elevation should all narrow or stop refresh behaviour. If the token can be renewed after the original access rationale has expired, the lifecycle model is too loose.
- Review exchange policy before federation expands When external identity providers are allowed into token exchange flows, require explicit checks for issuer, audience, and delegation lineage. This is the point where cross-domain trust either stays constrained or becomes permissive by default.
Key takeaways
- Token procedures shift control from static token issuance to runtime policy enforcement, which changes how identity teams should think about trust.
- Token exchange and refresh logic are lifecycle controls, not convenience features, because they determine how long delegated access remains valid.
- Practitioners need explicit ownership, provenance checks, and revocation-aware refresh rules before token procedures can be considered governed.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Token procedures affect how access is granted and transformed at runtime. |
| NIST Zero Trust (SP 800-207) | SC-7 | Token exchange and response rewriting sit inside trust-boundary enforcement. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Refresh logic extends credential lifetime and can create standing access. |
Tie token renewal to revocation-aware lifecycle controls and shorten renewal paths where possible.
Key terms
- Token Procedure: A token procedure is a programmable step that changes how an OAuth or OpenID Connect token is issued, exchanged, or refreshed. It can add policy checks, rewrite claims, or alter token lifetime, which makes it a governance control point as much as a technical extension.
- Token Exchange: Token exchange is the process of swapping one token for another so a subject can move across identity domains or application contexts. In practice, the security value depends on strict validation of issuer, audience, and delegation lineage before the new token is minted.
- Refresh Logic: Refresh logic governs when and how an access token can be renewed without repeating full authentication. It is a lifecycle control because it determines how long access can persist after the original trust conditions have changed.
- Opaque Token: An opaque token is a bearer token whose internal contents are not readable by the client. It usually relies on introspection or backend validation, which means security depends on the issuer and the receiving service sharing a trusted validation path.
What's in the full article
Curity's full article covers the operational detail this post intentionally leaves for the source:
- Example implementations of token procedure plugins across multiple OAuth and OpenID Connect flows.
- The mechanics of issuing or rewriting tokens at the token endpoint for different integration patterns.
- Implementation detail for exchanging opaque tokens into JWTs and handling external IdP-issued JWTs.
- An AuthZEN PDP example that shows how token issuance decisions can be tied to policy checks.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
Published by the NHIMG editorial team on 2026-01-28.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org