chore: add changeset (#6492)

.changeset/funny-goats-tap.md

@@ -0,0 +1,29 @@
+---
+"@logto/console": minor
+"@logto/core": minor
+"@logto/phrases": minor
+"@logto/schemas": minor
+---
+
+Add personal access token (PAT)
+
+Personal access tokens (PATs) provide a secure way for users to grant access tokens without using their credentials and interactive sign-in.
+
+You can create a PAT by going to the user's detail page in Console or using the Management API `POST /users/:userId/personal-access-tokens`.
+
+To use a PAT, call the token exchange endpoint `POST /oidc/token` with the following parameters:
+
+1. `grant_type`: REQUIRED. The value of this parameter must be `urn:ietf:params:oauth:grant-type:token-exchange` indicates that a token exchange is being performed.
+2. `resource`: OPTIONAL. The resource indicator, the same as other token requests.
+3. `scope`: OPTIONAL. The requested scopes, the same as other token requests.
+4. `subject_token`: REQUIRED. The user's PAT.
+5. `subject_token_type`: REQUIRED. The type of the security token provided in the `subject_token` parameter. The value of this parameter must be `urn:logto:token-type:personal_access_token`.
+6. `client_id`: REQUIRED. The client identifier of the client application that is making the request, the returned access token will contain this client_id claim.
+
+And the response will be a JSON object with the following properties:
+
+1. `access_token`: REQUIRED. The access token of the user, which is the same as other token requests like `authorization_code` or `refresh_token`.
+2. `issued_token_type`: REQUIRED. The type of the issued token. The value of this parameter must be `urn:ietf:params:oauth:token-type:access_token`.
+3. `token_type`: REQUIRED. The type of the token. The value of this parameter must be `Bearer`.
+4. `expires_in`: REQUIRED. The lifetime in seconds of the access token.
+5. `scope`: OPTIONAL. The scopes of the access token.