QFind anything/
API Reference

Token Exchange

Exchange Keycloak username/password for an access token. Use the returned access_token in the Authorization header.

The token exchange endpoint (POST /auth/token) lets you obtain a Keycloak access token by sending username and password. Use the returned access_token in the Authorization: Bearer <token> header for subsequent API calls.

When it works

  • AUTH_MODE=keycloak — Token exchange is the primary way to get a JWT.
  • AUTH_MODE=both — Token exchange is used for Keycloak-backed users; other JWT validation paths may apply for legacy configurations.

If token exchange returns 400, the server is likely not configured for Keycloak-backed login; confirm AUTH_MODE and Keycloak connectivity with your platform operator.

Flow

  1. User credentials are sent to Keycloak (password grant).
  2. Keycloak validates and returns an access token (and optionally refresh token).
  3. The API forwards the Keycloak response. Use access_token in Authorization: Bearer <access_token>.
  4. The API validates Keycloak JWTs via JWKS. The user must exist in the Payment Reconciler DB and be assigned to the tenant/environment. See Users for provisioning.

Request parameters

Parameters

username(string)required

Keycloak username (usually email).

password(string)required

Keycloak password.