Skip to main content
POST
/
api
/
sys
/
users
/
exchange
{
  "token": "<string>",
  "token_type": "<string>",
  "expires_in": 123,
  "refresh_token": "<string>",
  "400 Bad Request": {},
  "401 Unauthorized": {}
}

Exchange JWT

Converts a one-time JWT — issued during sign-up, email verification, password reset, or magic-link flows — into a standard bearer token and refresh token pair. The portal calls this immediately after any server-side operation that returns a raw JWT, so the customer is signed in without ever entering their password.
This endpoint is intended for server-issued JWTs passed back to the client (e.g. as part of a sign-up response). It is not for exchanging a customer’s email and password — use POST /api/token for credential-based sign-in.

Authentication

No authentication required. The JWT in the token parameter acts as the credential.

Query Parameters

token
string
required
The short-lived JWT to exchange. URL-encode this value. Obtained from server-side flows such as the sign-up response (Token field) or a magic-link email.
validForInMinutes
number
required
Lifetime of the issued bearer token in minutes. The portal passes 1440 (24 hours) for standard sign-in sessions.

Response

token
string
Bearer token to include in the Authorization header of all subsequent authenticated requests.
token_type
string
Token scheme. Always bearer.
expires_in
number
Lifetime of the bearer token in seconds.
refresh_token
string
Token used to obtain a new bearer token after it expires without requiring the customer to re-authenticate.

Examples

Exchange a JWT after sign-up

POST /api/sys/users/exchange?token=eyJhbGciOiJSUzI1NiJ9...&validForInMinutes=1440

{
  "token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "bearer",
  "expires_in": 86400,
  "refresh_token": "7kMpQxRtZn2"
}

TypeScript Integration

import endpoints from '@/api/endpoints'
import { ExchangedToken } from '@/states/useAuthContext'

// `rawJwt` is the `Token` field returned by e.g. the sign-up endpoint
const response = await httpClient.post<ExchangedToken>(endpoints.system.auth.login(rawJwt))

if (response.data.token) {
  await saveSession({
    tokenResponse: {
      access_token: response.data.token,
      token_type: response.data.token_type,
      expires_in: response.data.expires_in,
      refresh_token: response.data.refresh_token,
    },
  })
}
The endpoint key endpoints.system.auth.login(token) builds the URL as: 
/api/sys/users/exchange?token=${encodeURIComponent(token)}&validForInMinutes=1440

Usage in Portal

ContextSource file
Magic-link / email-verification sign-insrc/states/useAuthContext.tsx (exchangeToken)
Sign-up flow — embedded checkout (/checkout)src/views/checkout/SignupUserPage.tsx
Sign-up flow — public checkout (/join)src/views/public/checkout/components/SignupForm.tsx

Error Responses

400 Bad Request
error
The token parameter is missing, malformed, or has already been used. The JWT issued by Nexudus flows is single-use and expires quickly.
401 Unauthorized
error
The JWT signature is invalid or it was issued for a different Nexudus space.
MethodEndpointDescription
POST/api/tokenExchange a customer’s email and password for a bearer token
POST/api/sys/users/token/refreshObtain a new bearer token using a refresh token
GET/api/sys/users/impersonateIssue an impersonation token for a specific customer
POST/api/sys/users/startPasswordResetTrigger the password-reset email (returns a JWT for this flow)
POST/api/sys/users/completePasswordResetComplete password reset and exchange the resulting JWT