A pairing token is an access token used for the initial pairing flow. This type of token is designed as a limited access token, is dedicated to a specific task, and is short lived.
A pairing token is created per use case, and the audience of the token targets a specific service, namely the same service that issued the token.
The default expiry of a pairing token is 5 minutes.
The token subject is the same as the subject of the principal who requested the pairing token.
This token is revocable and is expected to be used at most once (i.e., revoked after the first pairing)
The base URL in the extension is mandatory and its goal is to assist services (instead of parsing and cutting the pairing URL to extract it). This is the same as expected to be defined for the request headerX-JFrog-Override-Base-Url
The exchange URL in the extension is mandatory (since the token is signed, this URL can be assumed as trusted)
The pairing URL is optional and is used when establishing two-way trust is needed.
The result of a pairing is the master token. This access token grants the requesting service all the actions it is required to do on the issuing service, based on the given use case. It is usually a strong access token that can be used for several operations.