This article explains why the token-exchange grant type is missing from the JSON returned by the OAuth 2.0 Metadata URL, and how to make it appear.
- Okta Classic Engine
- Okta Identity Engine (OIE)
- OAuth 2.0 On-Behalf-Of Token Exchange
By default (that is, when the Metadata URL is requested without a client_id query parameter), the JSON response of the OAuth 2.0 Metadata URL does not list the token-exchange grant type.
NOTE: In that case the "grant_types_supported" array will not include "urn:ietf:params:oauth:grant-type:token-exchange".
NOTE: The token-exchange grant type (and the On-Behalf-Of Token Exchange functionality) is only available on a Custom Authorization Server.
Additional details:
- The token-exchange grant type is advertised per client, not for the authorization server as a whole. The client_id of a Native OIDC application or an OAuth 2.0 Service application that has the grant type enabled must be appended to the Metadata URL as a query parameter.
- If the token-exchange grant type is enabled for that client, "urn:ietf:params:oauth:grant-type:token-exchange" is included in the "grant_types_supported" array of the response.
- To verify: first ensure that the "Token Exchange" grant type is enabled in the application's settings, then request the Metadata URL with the application's client_id appended as a query parameter.
Example:
curl -i -X GET \
'https://{oktadomainName}/oauth2/{authorizationServerId}/.well-known/oauth-authorization-server?client_id={clientId}'
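The check described above, written out as an added Python example (this is not Okta's own code or tooling). It builds the Metadata URL with and without the client_id query parameter, tests whether a metadata document advertises "urn:ietf:params:oauth:grant-type:token-exchange", and reports which of the conditions from this article is the likely reason when it does not. The two metadata documents in the block are constructed samples that only contain the fields this article discusses; the domain, authorization server id and client_id values are placeholders, and fetch_metadata() is a small optional helper that goes to the network and is not needed to run the rest.

```python
"""Added example: verify whether an Okta OAuth 2.0 metadata document advertises
the token-exchange grant type, and explain why it may not.

The sample documents below are constructed for this example; they are not
real responses from an Okta tenant.
"""
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from urllib.request import Request, urlopen

TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"

# Constructed sample: metadata requested WITHOUT ?client_id=... (grant absent).
SAMPLE_WITHOUT_CLIENT_ID = json.dumps({
    "issuer": "https://example.okta.com/oauth2/default",
    "grant_types_supported": [
        "authorization_code",
        "refresh_token",
        "client_credentials",
    ],
})

# Constructed sample: metadata requested WITH the client_id of an app that has
# the Token Exchange grant type enabled (grant present).
SAMPLE_WITH_CLIENT_ID = json.dumps({
    "issuer": "https://example.okta.com/oauth2/default",
    "grant_types_supported": [
        "authorization_code",
        "refresh_token",
        "client_credentials",
        TOKEN_EXCHANGE,
    ],
})


def metadata_url(okta_domain, authorization_server_id, client_id=None):
    """Return the Custom Authorization Server metadata URL, with ?client_id=
    appended (URL-encoded) when a client_id is supplied."""
    path = f"/oauth2/{authorization_server_id}/.well-known/oauth-authorization-server"
    query = urlencode({"client_id": client_id}) if client_id else ""
    return urlunsplit(("https", okta_domain, path, query, ""))


def supports_token_exchange(metadata_json):
    """True if 'grant_types_supported' lists the token-exchange grant type.
    Accepts either a JSON string or an already-parsed dict."""
    doc = json.loads(metadata_json) if isinstance(metadata_json, str) else metadata_json
    return TOKEN_EXCHANGE in doc.get("grant_types_supported", [])


# Diagnosis codes and the corresponding explanation from this article.
REASONS = {
    "advertised": "token-exchange is advertised for this client",
    "missing_client_id": "the URL has no client_id query parameter; the grant is "
                         "only advertised per client, append ?client_id=<app client_id>",
    "grant_not_enabled": "client_id was supplied but the grant is still absent; enable "
                         "'Token Exchange' in the application's settings and confirm the "
                         "URL targets a Custom Authorization Server",
}


def diagnose(url, metadata_json):
    """Return a diagnosis code (a key of REASONS) for a metadata URL and the
    document it returned."""
    if supports_token_exchange(metadata_json):
        return "advertised"
    params = dict(parse_qsl(urlsplit(url).query))
    if not params.get("client_id"):
        return "missing_client_id"
    return "grant_not_enabled"


def fetch_metadata(url, timeout=10):
    """Optional live helper: GET the metadata URL and return the JSON body.
    Not used by the offline checks above."""
    req = Request(url, headers={"Accept": "application/json"})
    with urlopen(req, timeout=timeout) as resp:  # nosec: metadata endpoint, no credentials sent
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Placeholder tenant values, replace with your own Okta domain, custom
    # authorization server id and application client_id.
    plain = metadata_url("example.okta.com", "default")
    scoped = metadata_url("example.okta.com", "default", "0oaexampleclientid")
    for url, body in ((plain, SAMPLE_WITHOUT_CLIENT_ID), (scoped, SAMPLE_WITH_CLIENT_ID)):
        code = diagnose(url, body)
        print(f"{url}\n  -> {code}: {REASONS[code]}")
```

Run it as-is to see the two constructed cases; to check a real tenant, pass the URL from metadata_url() to fetch_metadata() and feed the result to diagnose(). The important habit is the second call: querying the Metadata URL without client_id tells you nothing about whether token exchange is enabled for a given application.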
Related References
- Retrieve the OAuth 2.0 metadata
- OAuth 2.0 On-Behalf-Of Token Exchange
- Create OpenID Connect app integrations
