Token Delegation allows an ORCID member to transfer permissions granted to their own ORCID API client via their integration to another of their systems or to another ORCID member. The other system or ORCID member can then read from and write to the researchers' ORCID records on behalf of the original client, depending on the permissions granted by the researchers.
How does it work?
An ORCID user grants permission to their organisation's client following the standard 3-step OAuth process, with the 'openid' scope included as well. Including the 'openid' scope in the request means that when the authorization code is exchanged, an identity token is returned in the token exchange response in addition to the access token.
The id token is then securely passed to the second client (exactly how is decided by the two systems). The second client then exchanges the id token for a new short-term access token via a standard token exchange process at the /oauth/token endpoint.
The second client can then use the access token to read and update the record depending on the ORCID scopes used. Tokens are valid for 1 hour, meaning future updates require re-exchanging the id token for a new access token.
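The second client's side of this flow, as an added example (not ORCID's own code): it builds the token exchange request and re-exchanges the id token once the cached access token nears its one-hour expiry. The parameter names follow RFC 8693; those names, the 'sub' claim check, the injected exchange callable and the caller-supplied token URL are assumptions of this example.

```python
import base64, json, time, urllib.request
from urllib.parse import urlencode

# Parameter names and URNs are those of RFC 8693 (OAuth 2.0 Token Exchange);
# that the /oauth/token endpoint expects exactly these is an assumption here.
GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ID_TOKEN = "urn:ietf:params:oauth:token-type:id_token"
ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"

def unverified_claims(id_token):
    """Decode the JWT payload for inspection only; the signature is NOT checked."""
    part = id_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def exchange_body(id_token, client_id, client_secret):
    """Form body the second client sends to /oauth/token with its own credentials."""
    return urlencode({"client_id": client_id, "client_secret": client_secret,
                      "grant_type": GRANT, "subject_token": id_token,
                      "subject_token_type": ID_TOKEN,
                      "requested_token_type": ACCESS_TOKEN})

def post_exchange(token_url, body):
    """POST the form body; token_url is supplied by the caller (not hard-coded)."""
    req = urllib.request.Request(token_url, data=body.encode(),
                                 headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class DelegatedToken:
    """Holds the id token; re-exchanges it whenever the access token has expired."""
    def __init__(self, id_token, exchange, now=time.time, skew=60):
        self.id_token, self.exchange, self.now, self.skew = id_token, exchange, now, skew
        self.access_token, self.expires_at = None, 0.0

    def get(self, expected_sub=None):
        # Refuse to act on a token issued for a different researcher than intended.
        if expected_sub and unverified_claims(self.id_token).get("sub") != expected_sub:
            raise ValueError("id token subject does not match the intended record")
        if self.access_token is None or self.now() >= self.expires_at - self.skew:
            resp = self.exchange(self.id_token)
            self.access_token = resp["access_token"]
            # Default lifetime of 3600 s reflects the one-hour validity stated above.
            self.expires_at = self.now() + resp.get("expires_in", 3600)
        return self.access_token
```

In use, the exchange callable would wrap post_exchange and exchange_body with the second client's own credentials; keeping the id token and client secret out of logs is the caller's responsibility.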
See our technical token delegation documentation for more information.