ZITADEL•23h ago•
7 replies
elvla.di

Enabling TokenExchange is not working as expected

Hi! I arrive here after messing on every corner I could find and casting sessions with every major LLM out there.

Use-case: Customer auth / E2E app testing auth
Environment: Zitadel Cloud
Version: v4.9.1
Stack: TypeScript / Playwright
What you expected to happen: An impersonation token is retrieved
What went wrong: API responds Errors.TokenExchange.FeatureDisabled despite the feature looking enabled both in the UI and API /v2/features/instance response

I'm writing e2e tests for my app and I expect to be able to use impersonation. I enabled it on our cloud instance default settings UI. Org, Project and App do not show this option. Allow Impersonation was also set in instance default settings Security settings.

I expected this to be enough but the exchange response is consistently returning {"error":"invalid_request","error_description":"Errors.TokenExchange.FeatureDisabled"}. Could it be that this error is returned for some other reason?

https://my-instance-id.zitadel.cloud/v2/features/instance gives
{"details":{"sequence":"16","changeDate":"2026-01-13T21:03:10.650582Z","resourceOwner":"XXXXXXXX8666"},..."oidcTokenExchange":{"enabled":true,"source":"SOURCE_INSTANCE"},...}

Which suggests it's enabled at the instance level.

Org's features, i.e.
https://my-instance-id.zitadel.cloud/v2/features/organization/XXXXXXXXXXXX202 gives {"code":2,"message":"rpc error: code = Unimplemented desc = method GetOrganizationFeatures not implemented"} which I interpret to signal that this feature layer is not available in cloud instances. Same response for /v2/features/user/xxxxxxxxxxxxxxxx2838.

Thanks!