Service Tokens
Authenticate a trusted internal service using a pre-issued service account token.
Service accounts are named, auditable identities for trusted internal services. An admin creates a service account with a fixed set of allowed scopes, and a JWT for that account is issued exactly once. The service presents that JWT as an assertion to exchange it for short-lived access tokens.
Unlike client credentials, a service account is tied to a specific named identity (not just a client), supports audience bindings to multiple applications, and can be revoked individually by rotating the service account's JTI.
Endpoint
| Operation | Method and URL |
|---|---|
| Token exchange | POST https://auth.xeonr.io/api/v1/oauth/token |
Creating a service account
Service accounts are created by an admin via the Xeonr Auth UI. On creation, a JWT is returned once and cannot be retrieved again. Treat it as a long-lived secret: it is the credential that authorizes every later token exchange, so store it in a secrets manager rather than in source or configuration files.
The service account has:
- A stable `id` (e.g. `sa_a1b2c3d4`)
- An `application_id` that owns it
- A list of allowed `scopes`
- Optional `application_bindings` for multi-app token audiences
Exchanging for an access token
Use the pre-issued JWT as an assertion to get a short-lived access token:
```http
POST /api/v1/oauth/token HTTP/1.1
Host: auth.xeonr.io
Content-Type: application/x-www-form-urlencoded

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer
&assertion=eyJ...
&scope=my-app%3Aread
```

Parameters:
| Parameter | Required | Description |
|---|---|---|
| grant_type | Yes | Must be `urn:ietf:params:oauth:grant-type:jwt-bearer` |
| assertion | Yes | The service account JWT issued at creation |
| scope | No | Subset of the service account's allowed scopes |
Response:
```json
{
  "access_token": "eyJ...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "my-app:read"
}
```

Access tokens are valid for 3600 seconds (one hour). There are no refresh tokens: when a token expires, exchange the assertion again to obtain a new one.
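The following client wraps the exchange above: it builds the jwt-bearer form body, caches the access token, re-exchanges the assertion shortly before `expires_in` elapses (there are no refresh tokens), and refuses scopes outside the service account's allowed list before the request leaves the process. This is an added example written for this page, not Xeonr's own SDK. The `FakeTokenEndpoint` class, the `post`/`clock`/`skew` parameters, the 60-second skew margin and the sample assertion string are constructed assumptions; the endpoint URL, grant type and response fields are those documented above.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Values documented on this page.
TOKEN_URL = "https://auth.xeonr.io/api/v1/oauth/token"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"


class TokenExchangeError(RuntimeError):
    """Raised when the token endpoint does not return a usable access token."""


def build_exchange_body(assertion, scopes=None):
    """Form-encode the jwt-bearer grant; urlencode handles the colons in the URN."""
    fields = {"grant_type": JWT_BEARER, "assertion": assertion}
    if scopes:
        fields["scope"] = " ".join(scopes)
    return urllib.parse.urlencode(fields)


def http_post_form(url, body):
    """Real transport: POST the form body, return (status, response text)."""
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


class ServiceTokenClient:
    """Holds the once-issued service account JWT and hands out cached access tokens."""

    def __init__(self, assertion, scopes=None, allowed_scopes=None,
                 post=http_post_form, clock=time.time, skew=60):
        # Client-side guard (assumption): reject scopes the account was never granted,
        # so a misconfiguration fails loudly here instead of as a server-side error.
        if allowed_scopes is not None and scopes:
            extra = sorted(set(scopes) - set(allowed_scopes))
            if extra:
                raise ValueError(f"scopes not allowed for this service account: {extra}")
        self._assertion = assertion
        self._scopes = list(scopes or [])
        self._post = post
        self._clock = clock
        self._skew = skew          # re-exchange this many seconds before expiry
        self._token = None
        self._expires_at = 0.0
        self.granted_scope = ""    # scope string the server actually granted
        self.exchanges = 0

    def access_token(self):
        """Return a valid bearer token, re-exchanging the assertion when needed."""
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._skew:
            self._exchange(now)
        return self._token

    def _exchange(self, now):
        status, text = self._post(TOKEN_URL, build_exchange_body(self._assertion, self._scopes))
        if status != 200:
            # Never cache an error body; surface it (e.g. invalid_grant after a JTI rotation).
            raise TokenExchangeError(f"token exchange failed: HTTP {status}: {text}")
        data = json.loads(text)
        if data.get("token_type", "").lower() != "bearer" or "access_token" not in data:
            raise TokenExchangeError(f"unexpected token response: {text}")
        self._token = data["access_token"]
        self._expires_at = now + int(data["expires_in"])
        self.granted_scope = data.get("scope", "")
        self.exchanges += 1


class FakeTokenEndpoint:
    """Constructed offline stand-in for auth.xeonr.io mimicking the documented response."""

    def __init__(self, valid_assertion="eyJ.constructed.assertion"):
        self.valid_assertion = valid_assertion
        self.calls = 0

    def __call__(self, url, body):
        self.calls += 1
        form = dict(urllib.parse.parse_qsl(body))
        if form.get("grant_type") != JWT_BEARER or form.get("assertion") != self.valid_assertion:
            return 400, json.dumps({"error": "invalid_grant"})
        return 200, json.dumps({"access_token": f"at-{self.calls}", "token_type": "Bearer",
                                "expires_in": 3600, "scope": form.get("scope", "")})


if __name__ == "__main__":
    endpoint = FakeTokenEndpoint()
    client = ServiceTokenClient("eyJ.constructed.assertion", scopes=["my-app:read"],
                                allowed_scopes=["my-app:read", "my-app:write"], post=endpoint)
    print(client.access_token(), client.granted_scope, "exchanges:", client.exchanges)
```

In production drop the `post=` argument so `http_post_form` talks to the real endpoint, and load the assertion from your secrets manager. The skew margin matters: a token fetched at second 0 and used at second 3599 can expire in flight, so re-exchange before the deadline rather than on the first 401.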
Revocation
Rotating the service account's JTI via the Xeonr Auth UI immediately invalidates every access token previously issued to that service account, so rotation is the way to cut off a compromised token before its 3600-second lifetime ends. Disabling the service account prevents any further token exchanges.