SpyBara

Reference 2026-06-05 06:45 UTC to 2026-06-09 06:34 UTC

1 file changed +2 −1.

24| ---------------------- | -------- | ------------------------------------------------------------------------------------------------ |24| ---------------------- | -------- | ------------------------------------------------------------------------------------------------ |

25| `grant_type` | Yes | Must be `urn:ietf:params:oauth:grant-type:token-exchange`. |25| `grant_type` | Yes | Must be `urn:ietf:params:oauth:grant-type:token-exchange`. |

26| `subject_token_type` | Yes | Supports `urn:ietf:params:oauth:token-type:jwt` and `urn:ietf:params:oauth:token-type:id_token`. |26| `subject_token_type` | Yes | Supports `urn:ietf:params:oauth:token-type:jwt` and `urn:ietf:params:oauth:token-type:id_token`. |

27| `subject_token` | Yes | The externally issued OIDC JWT from your Workload Identity Provider. |27| `subject_token` | Yes | The externally issued OIDC JWT or SPIFFE JWT-SVID from your Workload Identity Provider. |

28| `identity_provider_id` | Yes | The OpenAI Workload Identity Provider ID configured for the external issuer. |28| `identity_provider_id` | Yes | The OpenAI Workload Identity Provider ID configured for the external issuer. |

29| `service_account_id` | Yes | The OpenAI service account ID to resolve against the matching service account mapping. |29| `service_account_id` | Yes | The OpenAI service account ID to resolve against the matching service account mapping. |

30 30 
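Review bot: the `subject_token` row at line 27 now accepts a SPIFFE JWT-SVID, but the `subject_token_type` row at line 26 is unchanged and still lists only `urn:ietf:params:oauth:token-type:jwt` and `urn:ietf:params:oauth:token-type:id_token`, without saying which value a caller sends with a JWT-SVID. State that in the line 26 description so the two rows agree and integrators don't have to guess the type for the new token kind.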


91- Each organization can create at most 50 Workload Identity Providers. Each Workload Identity Provider can have at most 50 service account mappings.91- Each organization can create at most 50 Workload Identity Providers. Each Workload Identity Provider can have at most 50 service account mappings.

92- Workload identity access tokens aren't accepted by these endpoints: `DELETE /v1/models/{id}` and `POST /v1/images/request_audit`.92- Workload identity access tokens aren't accepted by these endpoints: `DELETE /v1/models/{id}` and `POST /v1/images/request_audit`.

93- Arbitrary OIDC issuer endpoints other than the providers documented in the [setup guides](https://developers.openai.com/api/docs/guides/workload-identity-federation) aren't supported yet.93- Arbitrary OIDC issuer endpoints other than the providers documented in the [setup guides](https://developers.openai.com/api/docs/guides/workload-identity-federation) aren't supported yet.

94- SPIFFE support is limited to JWT-SVID subject tokens. X.509-SVIDs aren't supported by this token exchange endpoint.
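Review bot: the new bullet at line 94 limits SPIFFE to JWT-SVID subject tokens, but line 93 still says only the OIDC providers documented in the setup guides are supported, so the list doesn't make clear whether a SPIFFE issuer is one of those documented providers or an exception to that bullet. Reword line 93 to cover SPIFFE issuers, or have line 94 point to the setup guide that covers them, so the two limitations read consistently.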