> ## Documentation Index > Fetch the complete documentation index at: https://docs.hanko.io/llms.txt > Use this file to discover all available pages before exploring further. # Exchange one time token for session > Provide a one time token (e.g. obtained through the [thirdparty callback](#tag/Third-Party/operation/thirdPartyCallback)) to retrieve a session JWT as cookie and/or via `X-Auth-Token` header. ## OpenAPI ````yaml openapi-public post /token openapi: 3.0.0 info: version: 1.2.0 title: Hanko Public API description: > ## Introduction This is the OpenAPI specification for the [Hanko Public API](https://github.com/teamhanko/hanko/blob/main/backend/README.md#basic-usage). ## Authentication The API uses [JSON Web Tokens](https://www.rfc-editor.org/rfc/rfc7519.html) (JWTs) for authentication. JWTs are verified using [JSON Web Keys](https://www.rfc-editor.org/rfc/rfc7517) (JWK). JWKs can be [configured](https://github.com/teamhanko/hanko/blob/main/backend/docs/Config.md#all-available-config-options) through the `secrets.keys` options. The API also publishes public cryptographic keys as a [JWK set](https://www.rfc-editor.org/rfc/rfc7517#section-2) through the `.well-known/jwks.json` endpoint to enable clients to verify token signatures. JWTs must be provided on requests to protected endpoints using one of the following schemes: ### CookieAuth **Security Scheme Type**: `API Key` **Cookie parameter name**: `hanko` The JWT must be provided in a Cookie with the name `hanko`. ### BearerTokenAuth **Security Scheme Type**: `http` **HTTP Authorization Scheme**: `Bearer` **Bearer format**: `JWT` The JWT must be provided in an HTTP Authorization header with bearer type: `Authorization: Bearer `. ## Cross-Origin Resource Sharing Cross-Origin Resource Sharing (CORS) can be currently [configured](https://github.com/teamhanko/hanko/blob/main/backend/docs/Config.md#all-available-config-options) for public endpoints via the `server.public.cors` options. --- contact: email: developers@hanko.io license: name: AGPL-3.0-or-later url: https://www.gnu.org/licenses/agpl-3.0.txt servers: - url: https://{tenant_id}.hanko.io variables: tenant_id: default: '' description: The (UU)ID of a tenant. Replace the default value with your tenant ID. security: [] externalDocs: description: More about Hanko url: https://github.com/teamhanko/hanko paths: /token: post: tags: - Token summary: Exchange one time token for session description: > Provide a one time token (e.g. obtained through the [thirdparty callback](#tag/Third-Party/operation/thirdPartyCallback)) to retrieve a session JWT as cookie and/or via `X-Auth-Token` header. operationId: token requestBody: content: application/json: schema: type: object properties: value: type: string format: base64url responses: '200': description: Successful token exchange headers: X-Auth-Token: description: > Present only on successful exchange and when enabled via [configuration](https://github.com/teamhanko/hanko/blob/main/backend/docs/Config.md#hanko-backend-config) option `session.enable_auth_token_header` for purposes of cross-domain communication between client and Hanko API. schema: $ref: '#/components/schemas/X-Auth-Token' X-Session-Lifetime: description: | Contains the seconds until the session expires. schema: $ref: '#/components/schemas/X-Session-Lifetime' Set-Cookie: description: > Present only on successful exchange. Contains the JSON Web Token (JWT) that must be provided to protected endpoints. Cookie attributes (e.g. domain) can be set via [configuration](https://github.com/teamhanko/hanko/blob/main/backend/docs/Config.md#hanko-backend-config) option `session.cookie`. schema: $ref: '#/components/schemas/CookieSession' content: application/json: schema: type: object properties: user_id: description: >- The ID of the user on whose behalf the token was exchanged. allOf: - $ref: '#/components/schemas/UUID4' '400': $ref: '#/components/responses/BadRequest' '404': $ref: '#/components/responses/NotFound' '422': $ref: '#/components/responses/unprocessableEntity' '429': $ref: '#/components/responses/TooManyRequests' deprecated: true components: schemas: X-Auth-Token: description: > Enable via [configuration](https://github.com/teamhanko/hanko/blob/main/backend/docs/Config.md#hanko-backend-config) option `session.enable_auth_token_header` for purposes of cross-domain communication between client and Hanko API. type: string format: JWT externalDocs: url: >- https://github.com/teamhanko/hanko/blob/main/backend/docs/Config.md#hanko-backend-config X-Session-Lifetime: description: | Contains the seconds until the session expires. type: number CookieSession: type: string description: >- Value `` is a [JSON Web Token](https://www.rfc-editor.org/rfc/rfc7519.html) example: hanko=; Path=/; HttpOnly UUID4: type: string format: uuid4 example: c339547d-e17d-4ba7-8a1d-b3d5a4d17c1c Error: type: object required: - code - message properties: code: type: integer format: int32 message: type: string responses: BadRequest: description: Bad Request content: application/json: schema: $ref: '#/components/schemas/Error' example: code: 400 message: Bad Request NotFound: description: Not Found content: application/json: schema: $ref: '#/components/schemas/Error' example: code: 404 message: Not found unprocessableEntity: description: Unprocessable Entity content: application/json: schema: $ref: '#/components/schemas/Error' example: code: 422 message: Unprocessable Entity TooManyRequests: description: Too Many Requests content: application/json: schema: $ref: '#/components/schemas/Error' example: code: 429 message: Too Many Requests ````