Implementing RFC 8693 Token Exchange in AgentGateway: A Complete Tutorial AgentGateway, the Rust-based agentic AI proxy from the AI Agent Infrastructure Foundation (AAIF), now supports RFC 8693 OAuth 2.0 Token Exchange to securely delegate user identity to AI agents and downstream services. The feature, introduced in the July 12, 2026 release, allows the gateway to exchange a user's broad-scoped token for a fresh, scoped, short-lived credential before it reaches the agent, preventing token leakage and impersonation. A tutorial demonstrates end-to-end setup with Keycloak as the identity provider. In agentic AI systems, one of the most challenging security problems is the identity boundary : how do you safely delegate user identity to an agent, and then from that agent to downstream services that each require different credentials? The naive approach: passing a user's broad-scoped IdP token through every hop, is a security disaster. That token likely grants access to dozens of services, contains sensitive claims, and was never meant to leave the user's browser. If an agent sees that token, it can impersonate the user anywhere. As Christian Posta wrote in the AgentGateway blog https://agentgateway.dev/blog/2026-07-12-agentgateway-token-exchange-jwt-assertion-entra-obo/ : "Shielding AI agents from sensitive MCP / API credentials secrets, API keys, tokens, etc is the prevailing best practice." Token exchange solves this by replacing the user's original token with a fresh, scoped, short-lived credential before it reaches the agent. The user's identity is preserved sub claim , but the token's audience, scope, and lifetime are reshaped for the specific downstream service. In this tutorial, I walk through how to implement token exchange in AgentGateway https://agentgateway.dev , the Rust-based agentic AI proxy from the AI Agent Infrastructure Foundation AAIF , using RFC 8693 OAuth 2.0 Token Exchange and the built-in backendAuth.oauthTokenExchange policy. By the end, you will have a working end-to-end setup where: Agents act on behalf of users. When a user invokes an agent that calls multiple downstream services MCP servers, APIs, databases , each service needs to know: sub claim Passing the user's original IdP token to every service fails all four: act claim Without gateway-managed exchange, as Posta notes, "you get N credential stores and zero consistent audit: exactly the leak surface" you want to avoid. RFC 8693 defines a standard OAuth 2.0 grant type urn:ietf:params:oauth:grant-type:token-exchange that lets a client the gateway exchange one security token the user's JWT for another a downstream-scoped JWT . The gateway becomes the security boundary: User JWT broad, long-lived ↓ AgentGateway exchanges at IdP ↓ Downstream JWT scoped, short-lived, audience-specific ↓ Upstream service The upstream service never sees the user's original token. It only sees a token minted specifically for it, with the correct audience and minimal scopes. As of the July 12, 2026 release https://agentgateway.dev/blog/2026-07-12-agentgateway-token-exchange-jwt-assertion-entra-obo/ , AgentGateway supports three exchange mechanisms under backendAuth.oauthTokenExchange : | Grant | Spec | Subject Parameter | Typical IdP | |---|---|---|---| Token exchange default | RFC 8693 | subject token | Keycloak, Okta, ZITADEL, Auth0 | JWT bearer | RFC 7523 | assertion | Keycloak JWT Authorization Grant | Entra OBO | Microsoft's jwt-bearer variant | assertion | Microsoft Entra ID | This tutorial focuses on the RFC 8693 token exchange grant with Keycloak as the IdP. I cover the JWT bearer and Entra OBO approaches at the end. Before starting, ensure you have: rustc = 1.91.1 check with rustc --version Here is what I built: requester-client /exchange with Authorization: Bearer