sub and email claims map to a Tesouro identity, when to issue one token shape versus the other, and how to add users beyond the primary controller — see the Users guide.
Token exchange for user impersonation
Tesouro supports OAuth 2.0 Token Exchange (RFC 8693). Your application exchanges a user JWT from your OIDC provider for a Tesouro access token scoped to that user.Request
Response
Your JWT must include the user’s unique identifier in the
sub claim and their email in the
email claim.Users can only be impersonated within their assigned application context. Cross-application
impersonation is prevented.
Widget authentication
For embedded widgets, your backend generates a widget token — an encrypted JWE (RFC 7516) that securely wraps the user’s identity and OAuth credentials. This token is passed to the widget on the frontend. Your backend must provide:- The user’s identity (ID and email)
- The applicant’s organization reference — your opaque, stable identifier for the business the applicant belongs to
- Your OAuth client credentials
- A token expiration that matches your security requirements
Widget token generation
Tesouro provides
TESOURO_CLIENT_ID, TESOURO_CLIENT_SECRET, and TESOURO_WIDGET_SECRET
(exactly 32 bytes) during onboarding.organization_reference is required. Pass your opaque, stable identifier for the business or
organization the applicant belongs to. Tesouro uses it to group applications under that
organization — including before the applicant has a Tesouro user — so the widget can resolve the
correct application status at load time. Resolve this value on your backend; never accept it from
the browser.