Techniques are provided for granting an application of a first type of identity system, which uses a first type of identity token, access to a second type of identity system, which uses a second type of identity token. An application can make a request to a token exchange system. The request can include a bearer token and a public key of the application. The token exchange system can exchange the bearer token for a Proof-of-Possession token after performing verification steps. A token exchange system can exchange the first token (e.g., bearer token) for the first identity system for the second token (e.g., Proof-of-Possession token) for the second identity system without requiring entry of credentials to access the second identity system.