Skip to content

agent-to-agent token exchange#6220

Open
susanharper-okta wants to merge 7 commits into
masterfrom
sdh-okta192201-EAA2ATE
Open

agent-to-agent token exchange#6220
susanharper-okta wants to merge 7 commits into
masterfrom
sdh-okta192201-EAA2ATE

Conversation

@susanharper-okta

@susanharper-okta susanharper-okta commented Jun 11, 2026

Copy link
Copy Markdown
Contributor

Description:

  • What's changed? new EA guide agent-to-agent token exchange
  • Is this PR related to a Monolith release? yes 2026.6.2

Resolves:

Netlify Preview Link:

@okta-prod-github-app

This comment was marked as outdated.

Sign in to view
@okta-prod-github-app

okta-prod-github-app Bot commented Jun 11, 2026

Copy link
Copy Markdown

Acrolinx score

A minimum Acrolinx Score of 80 is required. The total score is an average of the subscores.
Select Total score to review the Acrolinx scorecard for your article. Try to increase your individual scores, for example: Correctness. Your content will be clearer and more consistent.

Article Total score
Required:80		 Word and phrases
(Brand, terms)
Preferred: 80		 Correctness
(Spelling, grammar)
Preferred: 80		 Clarity
(Readability)
Preferred: 80		 Inclusive language
(+ accesibility)
Preferred: 80
packages/@okta/vuepress-site/docs/guides/ai-agent-token-exchange-EA/index.md 100 100 100 100
packages/@okta/vuepress-site/docs/guides/ai-agent-token-exchange-EA/main/agent-to-agent/exchange-idjag-for-token.md 85 100 100 56
packages/@okta/vuepress-site/docs/guides/ai-agent-token-exchange-EA/main/agent-to-agent/exchange-idjag-for-token2.md 100 100 100 100
packages/@okta/vuepress-site/docs/guides/ai-agent-token-exchange-EA/main/agent-to-agent/exchange-token-for-idjag.md 97 100 100 100
packages/@okta/vuepress-site/docs/guides/ai-agent-token-exchange-EA/main/agent-to-agent/exchange-token-id-response.md 100 100 100 100
packages/@okta/vuepress-site/docs/guides/ai-agent-token-exchange-EA/main/agent-to-agent/resource-type.md 100 100 100 100
packages/@okta/vuepress-site/docs/guides/ai-agent-token-exchange-EA/main/agent-to-agent/revoke.md 100 100 100 100
packages/@okta/vuepress-site/docs/guides/ai-agent-token-exchange-EA/main/agent-to-agent/token-exchange-flow.md 89 100 100 40
packages/@okta/vuepress-site/docs/guides/ai-agent-token-exchange-EA/main/authserver/exchange-idjag-for-token.md 84 100 100 52
packages/@okta/vuepress-site/docs/guides/ai-agent-token-exchange-EA/main/authserver/exchange-idjag-for-token2.md 100 100 100 100
packages/@okta/vuepress-site/docs/guides/ai-agent-token-exchange-EA/main/authserver/exchange-token-for-idjag.md 97 100 100 100
packages/@okta/vuepress-site/docs/guides/ai-agent-token-exchange-EA/main/authserver/exchange-token-id-response.md 100 100 100 100
packages/@okta/vuepress-site/docs/guides/ai-agent-token-exchange-EA/main/authserver/resource-type.md 100 100 100 100
packages/@okta/vuepress-site/docs/guides/ai-agent-token-exchange-EA/main/authserver/revoke.md 100 100 100 100
packages/@okta/vuepress-site/docs/guides/ai-agent-token-exchange-EA/main/authserver/token-exchange-flow.md 90 100 100 44
packages/@okta/vuepress-site/docs/guides/ai-agent-token-exchange-EA/main/index.md 82 93 78 71
packages/@okta/vuepress-site/docs/guides/ai-agent-token-exchange-EA/main/resourceserver/exchange-idjag-for-token.md 100 100 100 100
packages/@okta/vuepress-site/docs/guides/ai-agent-token-exchange-EA/main/resourceserver/exchange-idjag-for-token2.md 100 100 100 100
packages/@okta/vuepress-site/docs/guides/ai-agent-token-exchange-EA/main/resourceserver/exchange-token-for-idjag.md 100 100 100 100
packages/@okta/vuepress-site/docs/guides/ai-agent-token-exchange-EA/main/resourceserver/exchange-token-id-response.md 93 100 100 100
packages/@okta/vuepress-site/docs/guides/ai-agent-token-exchange-EA/main/resourceserver/resource-type.md 100 100 100 100
packages/@okta/vuepress-site/docs/guides/ai-agent-token-exchange-EA/main/resourceserver/revoke.md 88 100 100 59
packages/@okta/vuepress-site/docs/guides/ai-agent-token-exchange-EA/main/resourceserver/token-exchange-flow.md 92 100 100 57
packages/@okta/vuepress-site/docs/guides/ai-agent-token-exchange-EA/main/secret/exchange-idjag-for-token.md 100 100 100 100
packages/@okta/vuepress-site/docs/guides/ai-agent-token-exchange-EA/main/secret/exchange-idjag-for-token2.md 100 100 100 100
packages/@okta/vuepress-site/docs/guides/ai-agent-token-exchange-EA/main/secret/exchange-token-for-idjag.md 100 100 100 100
packages/@okta/vuepress-site/docs/guides/ai-agent-token-exchange-EA/main/secret/exchange-token-id-response.md 100 100 100 100
packages/@okta/vuepress-site/docs/guides/ai-agent-token-exchange-EA/main/secret/resource-type.md 100 100 100 100
packages/@okta/vuepress-site/docs/guides/ai-agent-token-exchange-EA/main/secret/revoke.md 100 100 100 100
packages/@okta/vuepress-site/docs/guides/ai-agent-token-exchange-EA/main/secret/token-exchange-flow.md 92 100 100 52
packages/@okta/vuepress-site/docs/guides/ai-agent-token-exchange-EA/main/service-account/exchange-idjag-for-token.md 100 100 100 100
packages/@okta/vuepress-site/docs/guides/ai-agent-token-exchange-EA/main/service-account/exchange-idjag-for-token2.md 100 100 100 100
packages/@okta/vuepress-site/docs/guides/ai-agent-token-exchange-EA/main/service-account/exchange-token-for-idjag.md 100 100 100 100
packages/@okta/vuepress-site/docs/guides/ai-agent-token-exchange-EA/main/service-account/exchange-token-id-response.md 100 100 100 100
packages/@okta/vuepress-site/docs/guides/ai-agent-token-exchange-EA/main/service-account/resource-type.md 100 100 100 100
packages/@okta/vuepress-site/docs/guides/ai-agent-token-exchange-EA/main/service-account/revoke.md 89 100 100 34
packages/@okta/vuepress-site/docs/guides/ai-agent-token-exchange-EA/main/service-account/token-exchange-flow.md 86 100 68 51
packages/@okta/vuepress-site/docs/guides/index.md 87 67 80 78

Successfully checked 38 of 38 documents.
See summary in Content Analysis Dashboard

Reopen the pull request or push new changes to check again.

Depending on the Acrolinx server configuration, the
links expire after some time and you must have a login for the
Acrolinx server to access them again.

jamieguo-okta
jamieguo-okta reviewed Jun 11, 2026
View reviewed changes
Comment thread ...-site/docs/guides/ai-agent-token-exchange-EA/main/agent-to-agent/exchange-token-for-idjag.md
--data-urlencode "subject_token_type=urn:ietf:params:oauth:token-type:access_token" \
--data-urlencode "requested_token_type=urn:ietf:params:oauth:token-type:id-jag" \
--data-urlencode "audience=https://{yourOktaDomain}/oauth2/{authServerId}" \
--data-urlencode "resource=https://agent2.{yourOktaDomain}" \

@jamieguo-okta jamieguo-okta Jun 11, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
--data-urlencode "resource=https://agent2.{yourOktaDomain}" \

Comment thread ...-site/docs/guides/ai-agent-token-exchange-EA/main/agent-to-agent/exchange-token-for-idjag.md
@@ -0,0 +1,65 @@
In this step, Agent 2 receives the access token (T3) from Agent 1. Agent 2 validates the request by performing another token exchange, exchanging T3 at the org authorization server for an ID-JAG token (T4). Agent 2 also adds itself to the actor chain. The ID-JAG now reflects Agent 2 as the immediate actor, with Agent 1 in the delegated chain, and the original service client as the origin.

@jamieguo-okta jamieguo-okta Jun 11, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
In this step, Agent 2 receives the access token (T3) from Agent 1. Agent 2 validates the request by performing another token exchange, exchanging T3 at the org authorization server for an ID-JAG token (T4). Agent 2 also adds itself to the actor chain. The ID-JAG now reflects Agent 2 as the immediate actor, with Agent 1 in the delegated chain, and the original service client as the origin.
In this step, Agent 2 receives the access token (T3) from Agent 1. Agent 2 uses T3 to perform another token exchange, exchanging T3 at the org authorization server for an ID-JAG token (T4). Agent 2 also adds itself to the actor chain. The ID-JAG now reflects Agent 2 as the immediate actor, with Agent 1 in the delegated chain, and the original service client as the origin.

or something along those lines, it's not 'validating' the request

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@janethu-okta janethu-okta Awaiting requested review from janethu-okta janethu-okta is a code owner

@grahamsmith-okta grahamsmith-okta Awaiting requested review from grahamsmith-okta grahamsmith-okta is a code owner

@barbaravo-okta barbaravo-okta Awaiting requested review from barbaravo-okta barbaravo-okta is a code owner

@emikhasyak-okta emikhasyak-okta Awaiting requested review from emikhasyak-okta emikhasyak-okta is a code owner

@paulwallace-okta paulwallace-okta Awaiting requested review from paulwallace-okta paulwallace-okta is a code owner

@brentschaus-okta brentschaus-okta Awaiting requested review from brentschaus-okta brentschaus-okta is a code owner

@ishan-krishna-okta ishan-krishna-okta Awaiting requested review from ishan-krishna-okta ishan-krishna-okta is a code owner

1 more reviewer

@jamieguo-okta jamieguo-okta jamieguo-okta left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

Work In Progress

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@susanharper-okta @jamieguo-okta