May 26 2025 by Giuseppe Graziano
The Token Exchange feature has been available in Keycloak for a long time, but only as a preview feature. With the release of Keycloak 26.2, we’re happy to share that Standard Token Exchange is now officially supported and fully compliant with OAuth 2.0 Token Exchange (RFC 8693).
Token Exchange is a mechanism that allows a client to exchange one token for another. In the context of Keycloak, this means a client can exchange a token originally issued for another client and receive a new token issued specifically for itself.
Token Exchange is especially helpful in these scenarios:
When a token was issued for one service but needs to be used to access another, Token Exchange can issue a new token with the appropriate audience.
If a client needs to access a service with more limited permissions, it can exchange its token for one with reduced or more specific scopes.
β Official support (no longer a preview feature)
π Compliance with RFC 8693 (OAuth 2.0 Token Exchange)
π±οΈ Simple configuration via the Admin Console (just a switch in client settings)
π‘οΈ Integration with Client Policies to enforce custom rules. You can restrict exchanges to specific clients, or deny exchanges based on requested scopes.
If you’re using Keycloak 26.2 or later, there’s nothing extra to enable. Token Exchange is ready to use, just open the client settings in the admin console and enable the dedicated switch.
If you’re still using the preview feature of token exchange, check the migration guide and the comparison to understand the differences and plan your migration.
π For full setup instructions and configuration details, refer to the official documentation.
Weβre continuing to expand Token Exchange support with future enhancements such as:
π Exchanging tokens issued by external identity providers
π€ Using token exchange to impersonate users
Stay tuned for updates in upcoming releases.
Weβd love to hear what you think about this feature and how we can improve it. Feedback and contributions from the community are always welcome.