TokenX is NAIS' own implementation of OAuth 2.0 Token Exchange.

This allows internal applications to act on behalf of a citizen who originally authenticated with ID-porten, while maintaining the zero trust security model between applications throughout a request chain.

NAIS provides support for declarative registration and configuration of TokenX resources. These cover two distinct use cases:

Consume an API

To consume an API secured with TokenX on behalf of a citizen, you'll need to exchange their token for a new token.

The new token preserves the citizen's identity context and is only valid for the specific API you want to access.

graph LR
  Consumer["User / Consumer API"] --"request with\ncitizen token"--> Application[Your app]
  Application --1. exchange \ncitizen token---> TokenX
  TokenX --2. return new token\nfor Other API---> Application
  Application --3. use new token---> Other["Other API"]

🎯 Learn how to consume an internal API on behalf of a citizen

Secure your API

To secure your API with TokenX, you'll need to grant consumers access to your application.

Once configured, your consumers can exchange a token with TokenX to consume your API.

Your application code must verify inbound requests by validating the included tokens.

🎯 Learn how to secure your API with TokenX
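
One way to carry out the inbound validation described under "Secure your API", as an added example (not NAIS or TokenX code). It assumes the tokens are RS256-signed JWTs; the issuer URL, audience string, key pair and function names are constructed for illustration.

```javascript
// Added example, not NAIS code. Issuer, audience and keys are constructed.
const { generateKeyPairSync, createSign, createVerify } = require("node:crypto");

const ISSUER = "https://tokenx.example.test";  // constructed issuer
const AUDIENCE = "dev-cluster:my-team:my-api"; // constructed identifier for this API
// Stand-in for the issuer's signing key; a real service loads the public key
// from the issuer's published key set instead of generating one.
const { publicKey, privateKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });

const b64url = (v) => Buffer.from(v).toString("base64url");
const decode = (part) => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));

// Mint a constructed token so the validator has something to check.
function mintToken(claims, key = privateKey, header = { alg: "RS256", typ: "JWT" }) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const sig = createSign("RSA-SHA256").update(input).sign(key);
  return `${input}.${sig.toString("base64url")}`;
}

// Returns { ok: true, claims } or { ok: false, reason }.
function validateToken(token, { issuer, audience, key, now = Math.floor(Date.now() / 1000) }) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  let header, claims;
  try {
    header = decode(parts[0]);
    claims = decode(parts[1]);
  } catch {
    return { ok: false, reason: "malformed" };
  }
  if (!header || !claims) return { ok: false, reason: "malformed" };
  // Pin the algorithm: never let the token's own header choose how it is verified.
  if (header.alg !== "RS256") return { ok: false, reason: "alg" };
  const signed = `${parts[0]}.${parts[1]}`;
  const sigOk = createVerify("RSA-SHA256").update(signed).verify(key, Buffer.from(parts[2], "base64url"));
  if (!sigOk) return { ok: false, reason: "signature" };
  if (claims.iss !== issuer) return { ok: false, reason: "iss" };
  // aud may be a string or an array; the token must name this API.
  if (![].concat(claims.aud ?? []).includes(audience)) return { ok: false, reason: "aud" };
  if (typeof claims.exp !== "number" || claims.exp <= now) return { ok: false, reason: "exp" };
  return { ok: true, claims };
}

const exp = Math.floor(Date.now() / 1000) + 300;
const demo = mintToken({ iss: ISSUER, aud: AUDIENCE, sub: "constructed-subject", exp });
console.log(validateToken(demo, { issuer: ISSUER, audience: AUDIENCE, key: publicKey }));
```

The audience check is what enforces that an exchanged token is only valid for the specific API it was requested for: a token minted for a different application is rejected even though its signature and issuer are valid.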