Skip to main content
User token authentication lets your application act on behalf of a specific user. It connects to a dedicated OIDC application (such as Nail It or another VSP), and the resulting token is scoped to that user’s permissions only. This flow has two parts: token exchange for API access, and widget tokens for embedded UI components. For the conceptual model — what a user is, how sub and email claims map to a Tesouro identity, when to issue one token shape versus the other, and how to add users beyond the primary controller — see the Users guide.

Token exchange for user impersonation

Tesouro supports OAuth 2.0 Token Exchange (RFC 8693). Your application exchanges a user JWT from your OIDC provider for a Tesouro access token scoped to that user.
Request
Response
Your JWT must include the user’s unique identifier in the sub claim and their email in the email claim.
Users can only be impersonated within their assigned application context. Cross-application impersonation is prevented.

Widget authentication

For embedded widgets, your backend generates a widget token — an encrypted JWE (RFC 7516) that securely wraps the user’s identity and OAuth credentials. This token is passed to the widget on the frontend. Your backend must provide:
  • The user’s identity (ID and email)
  • The applicant’s organization reference — your opaque, stable identifier for the business the applicant belongs to
  • Your OAuth client credentials
  • A token expiration that matches your security requirements
Widget token generation
Tesouro provides TESOURO_CLIENT_ID, TESOURO_CLIENT_SECRET, and TESOURO_WIDGET_SECRET (exactly 32 bytes) during onboarding.
organization_reference is required. Pass your opaque, stable identifier for the business or organization the applicant belongs to. Tesouro uses it to group applications under that organization — including before the applicant has a Tesouro user — so the widget can resolve the correct application status at load time. Resolve this value on your backend; never accept it from the browser.