
Exchange Auth

POST /api/auth-exchange

Exchanges an external JWT token (verified via the organization's configured JWKS URI) for Webrix Connect credentials.

This endpoint enables programmatic token generation for users authenticated by your identity provider (Okta, Keycloak, etc.).

Prerequisites

  1. Configure your SSO provider (Okta or Keycloak) in Admin Settings with a JWKS URI
  2. Generate an API token with the connect:exchange-auth scope (or with connect:write or all, both of which include it)

How it works

  1. Your application authenticates a user with your identity provider and obtains a JWT
  2. Send the JWT in the Authorization: Bearer <jwt> header along with your API key in the x-api-key header
  3. Webrix verifies the JWT against the configured JWKS URI
  4. If valid, Webrix issues Connect credentials (access token, refresh token, etc.) with the original JWT stored as the id_token

The JWT must contain a sub, email, or client_id claim to identify the user.
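
The following client-side sketch is an added example, not code from Webrix. It checks that a JWT carries one of the identifying claims before building the request from step 2. The host name, the helper names, the empty request body, the claim lookup order and the non-empty-string check are assumptions; only the path, the two headers and the claim names come from this page.

```python
import base64
import json
import urllib.request

BASE_URL = "https://webrix.example.invalid"   # assumption: placeholder host
EXCHANGE_PATH = "/api/auth-exchange"          # from the page
IDENTITY_CLAIMS = ("sub", "email", "client_id")  # from the page; order assumed


def sample_jwt(claims) -> str:
    """Constructed, unsigned test token (fake signature); not a real IdP JWT."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2ln"])


def identity_claim(jwt: str):
    """Return (name, value) of the first identifying claim, else raise ValueError.

    Pre-flight only: the signature is NOT checked here. Webrix verifies the
    token against the configured JWKS URI.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise ValueError("JWT payload is not base64url-encoded JSON") from exc
    if isinstance(claims, dict):
        for name in IDENTITY_CLAIMS:
            # Assumption: a usable claim is a non-empty string.
            if isinstance(claims.get(name), str) and claims[name]:
                return name, claims[name]
    raise ValueError("JWT carries none of: " + ", ".join(IDENTITY_CLAIMS))


def build_exchange_request(jwt: str, api_key: str) -> urllib.request.Request:
    """Build (without sending) the POST from step 2; empty body is an assumption."""
    identity_claim(jwt)  # fail before a round trip that cannot succeed
    for value in (jwt, api_key):
        if not value or "\r" in value or "\n" in value:
            raise ValueError("credential is empty or contains a line break")
    return urllib.request.Request(
        BASE_URL + EXCHANGE_PATH,
        method="POST",
        headers={"Authorization": "Bearer " + jwt, "x-api-key": api_key},
    )
```

Both values are secrets: the API key carries the connect:exchange-auth scope and the JWT is a live user credential, so keep them out of logs and source control.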

Request

Responses

JWT verified and credentials issued successfully