Skip to main content
POST
Exchange JWT

Exchange JWT

Converts a one-time JWT — issued during sign-up, email verification, password reset, or magic-link flows — into a standard bearer token and refresh token pair. The portal calls this immediately after any server-side operation that returns a raw JWT, so the customer is signed in without ever entering their password.
This endpoint is intended for server-issued JWTs passed back to the client (e.g. as part of a sign-up response). It is not for exchanging a customer’s email and password — use POST /api/token for credential-based sign-in.

Authentication

No authentication required. The JWT in the token parameter acts as the credential.

Query Parameters

token
string
required
The short-lived JWT to exchange. URL-encode this value. Obtained from server-side flows such as the sign-up response (Token field) or a magic-link email.
validForInMinutes
number
required
Lifetime of the issued bearer token in minutes. The portal passes 1440 (24 hours) for standard sign-in sessions.

Response

token
string
Bearer token to include in the Authorization header of all subsequent authenticated requests.
token_type
string
Token scheme. Always bearer.
expires_in
number
Lifetime of the bearer token in seconds.
refresh_token
string
Token used to obtain a new bearer token after it expires without requiring the customer to re-authenticate.

Examples

Exchange a JWT after sign-up

TypeScript Integration

The endpoint key endpoints.system.auth.login(token) builds the URL as:

Usage in Portal

Use Cases

Authenticating API requests on behalf of a customer

After a server-side flow (sign-up, email verification, password reset, or magic link) issues a JWT, exchange it for a bearer token to make authenticated API requests on the customer’s behalf:
The returned access_token is valid for the duration specified in expires_in (default 24 hours). Use POST /api/token with grant_type=refresh_token to renew it before expiration.

Error Responses

400 Bad Request
error
The token parameter is missing, malformed, or has already been used. The JWT issued by Nexudus flows is single-use and expires quickly.
401 Unauthorized
error
The JWT signature is invalid or it was issued for a different Nexudus space.