For Agents
Exchange external (AWS, Azure, OIDC, SAML) credentials or Google credentials for a short-lived Google Cloud access token via workload identity federation.
Get started with the Security Token Service API in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
"jentic": {
"url": "https://api.jentic.com/mcp",
"auth": "oauth"
}
}
# Then ask your agent:
"exchange a credential for a google cloud access token"
# → Jentic returns the GET /events tool with parameter schema, agent executes.
What an agent can do with the Security Token Service API.
Exchange a third-party OIDC ID token for a Google federated access token
Mint short-lived Google Cloud tokens from AWS or Azure workload credentials
Generate scoped access tokens for impersonating service accounts via workload identity federation
Issue down-scoped tokens limited to specific Cloud Storage buckets or resources
Perform SAML 2.0 assertion exchange for Google Cloud resource access
Use for:
I need to exchange an AWS IAM credential for a Google Cloud access token
Get a short-lived Google federated token from a third-party OIDC ID token
Set up workload identity federation between Azure and Google Cloud
Retrieve a downscoped access token for a specific GCS bucket
Not supported: Does not handle user authentication, password verification, or service-account creation — use for short-lived federated token exchange only.
Google Security Token Service exchanges Google or third-party credentials for short-lived OAuth 2.0 access tokens scoped to specific Google Cloud resources. It underpins workload identity federation, letting workloads running on AWS, Azure, OIDC providers, or SAML-based identity systems impersonate Google service accounts without long-lived service-account keys. The single endpoint accepts a subject token plus a target scope and returns a federated access token suitable for calling any Google Cloud API.
Patterns agents use the Security Token Service API for, with concrete tasks.
★ Workload Identity Federation from AWS
Allow workloads running on AWS EC2 or EKS to call Google Cloud APIs without distributing service-account JSON keys. The workload signs an AWS GetCallerIdentity request, posts it as a subject token to the STS token endpoint, and receives a federated Google access token scoped to an impersonated service account. This eliminates the long-lived key rotation burden and is the Google-recommended pattern for cross-cloud authentication.
POST /v1/token with grant_type=urn:ietf:params:oauth:grant-type:token-exchange, subject_token_type=urn:ietf:params:aws:token-type:aws4_request, and an AWS-signed subject token to receive a federated Google access token.
OIDC Identity Federation for CI/CD
Let GitHub Actions, GitLab CI, or any OIDC-issuing CI provider obtain Google Cloud credentials at job runtime. The CI runner presents its OIDC ID token to the STS endpoint, which validates the issuer against a workload identity pool provider and returns a Google access token. This eliminates secrets stored in CI variables and supports per-job credential scoping.
Exchange a GitHub Actions OIDC token for a Google access token by calling /v1/token with subject_token_type=urn:ietf:params:oauth:token-type:jwt and the workload identity pool audience.
Downscoped Tokens for Multi-Tenant Storage
Issue per-request access tokens that are restricted to a single Cloud Storage bucket or object prefix using Credential Access Boundary. A backend exchanges its broad service-account token for a downscoped token at the STS endpoint and hands the narrowly-scoped token to a client. Reduces blast radius when delegating storage access to untrusted code paths.
Call /v1/token with grant_type=urn:ietf:params:oauth:grant-type:token-exchange and an options field containing an accessBoundary that limits the returned token to a specific GCS bucket.
Agent Credential Brokerage via Jentic
An AI agent operating across cloud providers needs to call Google Cloud APIs but holds only AWS or OIDC credentials. Through Jentic, the agent invokes the STS token-exchange operation with its native credential, receives a short-lived Google access token, and uses it to call downstream Google APIs (Storage, BigQuery, Vertex AI). Jentic isolates the broker credential and caches the resulting token until expiry.
Through Jentic, search 'exchange aws token for google access token', load the STS token operation, and execute it with the agent's AWS subject token to obtain a federated Google credential.
1 endpoint — Google Security Token Service exchanges Google or third-party credentials for short-lived OAuth 2.0 access tokens.
METHOD  PATH       DESCRIPTION
POST    /v1/token  Exchange a credential for a Google-issued OAuth 2.0 access token
Three things that make agents converge on Jentic-routed access.
Credential isolation
Subject tokens (AWS signatures, OIDC JWTs, SAML assertions) are stored encrypted in the Jentic vault. Agents call the STS exchange operation through Jentic and receive a short-lived Google access token in the response — the broker credential never enters the agent's context.
Intent-based discovery
Agents search by intent (e.g. 'exchange aws credential for google token') and Jentic returns the STS token-exchange operation with its full input schema, including grant_type, subject_token_type, and audience fields.
Time to first call
Direct STS integration: 1-3 days to wire up the workload identity pool, audience strings, and token caching. Through Jentic: under 30 minutes — search, load schema, execute.
Alternatives and complements available in the Jentic catalogue.
Identity and Access Management (IAM) API
IAM defines the service accounts and workload identity pools that STS exchanges tokens against
Use the IAM API to create service accounts and workload identity pool providers; use STS to actually mint federated tokens at runtime.
IAM Service Account Credentials API
Generate access tokens, ID tokens, and signed JWTs for service accounts directly without an external subject token
Choose IAM Credentials when you already hold a Google service-account credential and need to impersonate another service account; choose STS when starting from a non-Google credential.
Google OAuth 2.0 API
Standard OAuth 2.0 endpoints for human-user token issuance and revocation
Use OAuth 2.0 for end-user delegated flows; use STS for workload-to-workload federation without a human in the loop.
Cloud Identity API
Manage user, group, and device identity in a Google Workspace or Cloud Identity tenant
Pair with STS when federating workload tokens that must respect group-based IAM policies defined in Cloud Identity.
Specific to using the Security Token Service API through Jentic.
What authentication does the Security Token Service API use?
The STS endpoint itself is unauthenticated for the token-exchange call but requires a valid subject token (an OIDC JWT, AWS GetCallerIdentity signature, or SAML assertion) in the request body. The endpoint validates that subject token against a configured workload identity pool provider before issuing a Google access token. Through Jentic, the subject credential is held in the encrypted vault and never exposed to the agent context.
Can I exchange an AWS IAM credential for a Google access token with the Security Token Service API?
Yes. POST to /v1/token with grant_type=urn:ietf:params:oauth:grant-type:token-exchange and subject_token_type=urn:ietf:params:aws:token-type:aws4_request, passing a signed AWS GetCallerIdentity request as the subject token. Google validates the signature against the configured AWS workload identity pool provider and returns a federated access token.
What are the rate limits for the Security Token Service API?
Google does not publish a fixed quota for the STS token endpoint, but it is governed by the standard Google Cloud per-project quota system and generally allows several hundred token exchanges per second per project. Tokens are typically valid for one hour, so caching the returned access token until near expiry is the recommended pattern rather than calling /v1/token on every request.
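The request shapes from the patterns above (OIDC, AWS and downscoped exchanges against POST /v1/token) together with the cache-until-near-expiry advice in this answer, as an added example that is not Jentic's or Google's code. It assumes the public STS endpoint and its documented form fields (grant_type, requested_token_type, subject_token_type, audience, options) and takes the actual HTTP call as a caller-supplied function, so nothing here touches the network; all sample tokens, audiences and bucket names are constructed.

```python
# Added example (not Jentic's or Google's code): STS /v1/token request bodies
# for the federation and downscoping cases, plus cache-until-near-expiry logic.
import json
import time
STS_ENDPOINT = "https://sts.googleapis.com/v1/token"  # real endpoint; not called here
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
# subject_token_type URNs accepted by STS, keyed by the credential the caller holds
SUBJECT_TOKEN_TYPES = {
    "oidc": "urn:ietf:params:oauth:token-type:jwt",
    "aws": "urn:ietf:params:aws:token-type:aws4_request",
    "saml": "urn:ietf:params:oauth:token-type:saml2",
    "google": ACCESS_TOKEN_TYPE,  # downscoping an existing Google access token
}


def build_exchange_request(kind, subject_token, audience=None, access_boundary=None):
    """Form fields for one POST /v1/token (federation: pool audience; downscoping: boundary)."""
    if kind not in SUBJECT_TOKEN_TYPES:
        raise ValueError(f"unsupported credential kind: {kind}")
    fields = {
        "grant_type": GRANT_TYPE,
        "requested_token_type": ACCESS_TOKEN_TYPE,
        "scope": "https://www.googleapis.com/auth/cloud-platform",
        "subject_token_type": SUBJECT_TOKEN_TYPES[kind],
        "subject_token": subject_token,
    }
    if kind == "google":
        rules = (access_boundary or {}).get("accessBoundaryRules") or []
        # refuse an empty or malformed boundary: it would hand out the broad token unchanged
        if not rules or any(not r.get("availableResource", "").startswith("//") for r in rules):
            raise ValueError("downscoping needs rules naming full //service/... resources")
        fields["options"] = json.dumps({"accessBoundary": access_boundary})
    else:
        if not (audience or "").startswith("//iam.googleapis.com/"):
            raise ValueError("federation needs the workload identity pool audience")
        fields["audience"] = audience
    return fields


class TokenCache:
    """Reuse a federated token until `margin` seconds before its expires_in runs out."""
    def __init__(self, exchange, margin=300, clock=time.time):
        self._exchange, self._margin, self._clock = exchange, margin, clock
        self._token, self._expires_at = None, 0.0

    def get(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._margin:
            resp = self._exchange()  # caller performs the real POST to STS_ENDPOINT
            self._token, self._expires_at = resp["access_token"], now + float(resp["expires_in"])
        return self._token
```

The `exchange` callable is where the POST to `STS_ENDPOINT` with the fields above belongs; the cache only decides when that call is needed.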
How do I set up workload identity federation through Jentic?
Search Jentic for 'exchange aws credential for google token' or 'oidc token exchange google', load the schema for POST /v1/token, and execute it with your subject_token and audience. Jentic returns the federated access_token which you then pass as a Bearer token to any downstream Google Cloud API call. Get started at https://app.jentic.com/sign-up.
Is the Security Token Service API free?
Yes, the STS token-exchange endpoint itself is free to call. You only pay for the downstream Google Cloud services that the returned access token is used to invoke (Cloud Storage, BigQuery, Compute Engine, etc.) at their normal rates.
Does the Security Token Service API support SAML 2.0 assertions?
Yes. Set subject_token_type=urn:ietf:params:oauth:token-type:saml2 and pass a base64-encoded SAML assertion as the subject_token. The workload identity pool provider must be configured with the SAML IdP's metadata before exchange will succeed.