logto/.changeset/funny-goats-tap.md

@logto/console	@logto/core	@logto/phrases	@logto/schemas
minor	minor	minor	minor

Add personal access token (PAT)

Personal access tokens (PATs) provide a secure way for users to grant access tokens without using their credentials and interactive sign-in.

You can create a PAT by going to the user's detail page in Console or using the Management API POST /users/:userId/personal-access-tokens.

To use a PAT, call the token exchange endpoint POST /oidc/token with the following parameters:

1. grant_type: REQUIRED. The value of this parameter must be urn:ietf:params:oauth:grant-type:token-exchange indicates that a token exchange is being performed.
2. resource: OPTIONAL. The resource indicator, the same as other token requests.
3. scope: OPTIONAL. The requested scopes, the same as other token requests.
4. subject_token: REQUIRED. The user's PAT.
5. subject_token_type: REQUIRED. The type of the security token provided in the subject_token parameter. The value of this parameter must be urn:logto:token-type:personal_access_token.
6. client_id: REQUIRED. The client identifier of the client application that is making the request, the returned access token will contain this client_id claim.

And the response will be a JSON object with the following properties:

1. access_token: REQUIRED. The access token of the user, which is the same as other token requests like authorization_code or refresh_token.
2. issued_token_type: REQUIRED. The type of the issued token. The value of this parameter must be urn:ietf:params:oauth:token-type:access_token.
3. token_type: REQUIRED. The type of the token. The value of this parameter must be Bearer.
4. expires_in: REQUIRED. The lifetime in seconds of the access token.
5. scope: OPTIONAL. The scopes of the access token.