<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Token-Exchange on Sauvik Biswas</title>
    <link>https://sauvikbiswas.com/tags/token-exchange/</link>
    <description>Recent content in Token-Exchange on Sauvik Biswas</description>
    <generator>Hugo</generator>
    <language>en-us</language>
    <lastBuildDate>Sat, 27 Jun 2026 00:00:00 +0000</lastBuildDate>
    <atom:link href="https://sauvikbiswas.com/tags/token-exchange/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Token Exchange (On-Behalf-Of): Swapping Tokens for Downstream APIs</title>
      <link>https://sauvikbiswas.com/posts/learning-oauth-2-10/</link>
      <pubDate>Sat, 27 Jun 2026 00:00:00 +0000</pubDate>
      <guid>https://sauvikbiswas.com/posts/learning-oauth-2-10/</guid>
      <description>&lt;h2 class=&#34;heading&#34; id=&#34;why-resource-binding-alone-is-not-enough&#34;&gt;&#xA;  Why resource binding alone is not enough&#xA;  &lt;a class=&#34;anchor&#34; href=&#34;#why-resource-binding-alone-is-not-enough&#34;&gt;#&lt;/a&gt;&#xA;&lt;/h2&gt;&#xA;&lt;p&gt;&lt;a href=&#34;https://sauvikbiswas.com/posts/learning-oauth-2-09/&#34;&gt;v09&lt;/a&gt; binds each access token to a named API at mint time. The client sends &lt;code&gt;resource&lt;/code&gt; on authorize and token; the auth server sets JWT &lt;code&gt;aud&lt;/code&gt; (or introspection &lt;code&gt;aud&lt;/code&gt;) to that URI. Gated routes on the resource server reject tokens bound to the wrong API.&lt;/p&gt;&#xA;&lt;p&gt;That fixes which API may accept a given token. It does not fix who may present the token, or how a middle tier gets a downstream token without asking the user to log in again.&lt;/p&gt;</description>
    </item>
  </channel>
</rss>
