Token Exchange
Exchange Keycloak username/password for an access token. Use the returned access_token in the Authorization header.
The token exchange endpoint (POST /auth/token) lets you obtain a Keycloak access token by sending username and password. Use the returned access_token in the Authorization: Bearer <token> header for subsequent API calls.
When it works
- AUTH_MODE=keycloak — Token exchange is the primary way to get a JWT.
- AUTH_MODE=both — Token exchange is used for Keycloak-backed users; other JWT validation paths may apply for legacy configurations.
If token exchange returns 400, the server is likely not configured for Keycloak-backed login; confirm AUTH_MODE and Keycloak connectivity with your platform operator.
Flow
- User credentials are sent to Keycloak (password grant).
- Keycloak validates and returns an access token (and optionally refresh token).
- The API forwards the Keycloak response. Use
access_tokeninAuthorization: Bearer <access_token>. - The API validates Keycloak JWTs via JWKS. The user must exist in the Payment Reconciler DB and be assigned to the tenant/environment. See Users for provisioning.
Request parameters
Parameters
username(string)required
Keycloak username (usually email).
password(string)required
Keycloak password.