refactor: improve code style and add comprehensive tests

- Simplify optional field handling with walrus operator
- Update README examples to match existing style patterns
- Add 27 parameterized unit tests for get_token_by_exchange_profile
- Cover all validation paths, error cases, and edge cases
- All tests passing (27/27)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: btiernay

README.md

@@ -136,25 +136,22 @@ async def main():
         client_secret="<AUTH0_CLIENT_SECRET>",
     ))
 
-    # The subject_token_type must match a Token Exchange Profile configured in Auth0
     custom_token = "..."  # Your custom token from legacy system or external source
 
     result = await api_client.get_token_by_exchange_profile(
         subject_token=custom_token,
-        subject_token_type="urn:example:custom-token",  # Your custom token type URI
+        subject_token_type="urn:example:custom-token",
         audience="https://api.example.com",
         scope="openid profile read:data"
     )
 
     # Result contains access_token, expires_at, and optionally id_token, refresh_token
-    print(f"Access Token: {result['access_token']}")
-    print(f"Expires At: {result['expires_at']}")
-    if "id_token" in result:
-        print(f"ID Token: {result['id_token']}")
 
 asyncio.run(main())
 ```
 
+The `subject_token_type` must match a Token Exchange Profile configured in Auth0.
+
 #### Custom Parameters
 
 You can pass custom parameters to your Auth0 Action using the `extra` parameter:

src/auth0_api_python/api_client.py

@@ -682,23 +682,17 @@ async def get_token_by_exchange_profile(
                 except (TypeError, ValueError):
                     raise ApiError("invalid_response", "expires_in is not an integer.", 502)
 
-                # Build response (match JS SDK structure)
+                # Build response with required fields
                 result = {
                     "access_token": access_token,
                     "expires_at": int(time.time()) + expires_in,
                 }
 
-                # Add optional fields if present (conditional spreading like JS)
-                if "scope" in token_response and token_response["scope"]:
-                    result["scope"] = token_response["scope"]
-                if "id_token" in token_response and token_response["id_token"]:
-                    result["id_token"] = token_response["id_token"]
-                if "refresh_token" in token_response and token_response["refresh_token"]:
-                    result["refresh_token"] = token_response["refresh_token"]
-                if "token_type" in token_response and token_response["token_type"]:
-                    result["token_type"] = token_response["token_type"]
-                if "issued_token_type" in token_response and token_response["issued_token_type"]:
-                    result["issued_token_type"] = token_response["issued_token_type"]
+                # Add optional fields if present
+                optional_fields = ["scope", "id_token", "refresh_token", "token_type", "issued_token_type"]
+                for field in optional_fields:
+                    if value := token_response.get(field):
+                        result[field] = value
 
                 return result
 

tests/test_api_client.py

@@ -12,6 +12,7 @@
 from auth0_api_python.errors import (
     ApiError,
     GetAccessTokenForConnectionError,
+    GetTokenByExchangeProfileError,
     InvalidAuthSchemeError,
     InvalidDpopProofError,
     MissingAuthorizationError,
@@ -1901,3 +1902,318 @@ async def test_get_access_token_for_connection_expires_in_not_integer(httpx_mock
         assert err.value.code == "invalid_response"
         assert "expires_in" in str(err.value).lower()
         assert err.value.status_code == 502
+
+
+# ===== Custom Token Exchange Tests =====
+
+
+@pytest.mark.asyncio
+async def test_get_token_by_exchange_profile_success(httpx_mock: HTTPXMock):
+    """Test successful token exchange via profile."""
+    httpx_mock.add_response(
+        method="GET",
+        url="https://auth0.local/.well-known/openid-configuration",
+        json={"token_endpoint": "https://auth0.local/oauth/token"}
+    )
+    httpx_mock.add_response(
+        method="POST",
+        url="https://auth0.local/oauth/token",
+        json={
+            "access_token": "exchanged_token",
+            "expires_in": 3600,
+            "scope": "openid profile",
+            "id_token": "id_token_value",
+            "refresh_token": "refresh_token_value",
+            "token_type": "Bearer",
+            "issued_token_type": "urn:ietf:params:oauth:token-type:access_token"
+        }
+    )
+
+    api_client = ApiClient(ApiClientOptions(
+        domain="auth0.local",
+        audience="my-audience",
+        client_id="cid",
+        client_secret="csecret"
+    ))
+
+    result = await api_client.get_token_by_exchange_profile(
+        subject_token="custom-token-123",
+        subject_token_type="urn:example:custom-token",
+        audience="https://api.example.com",
+        scope="openid profile"
+    )
+
+    assert result["access_token"] == "exchanged_token"
+    assert result["scope"] == "openid profile"
+    assert result["id_token"] == "id_token_value"
+    assert result["refresh_token"] == "refresh_token_value"
+    assert result["token_type"] == "Bearer"
+    assert result["issued_token_type"] == "urn:ietf:params:oauth:token-type:access_token"
+    assert isinstance(result["expires_at"], int)
+
+    # Verify request parameters
+    request = httpx_mock.get_requests()[-1]
+    form_data = urllib.parse.parse_qs(request.content.decode())
+    assert form_data["grant_type"] == ["urn:ietf:params:oauth:grant-type:token-exchange"]
+    assert form_data["subject_token"] == ["custom-token-123"]
+    assert form_data["subject_token_type"] == ["urn:example:custom-token"]
+    assert form_data["audience"] == ["https://api.example.com"]
+
+
+@pytest.mark.parametrize("missing_field,field_name", [
+    ("", "subject_token"),
+    (None, "subject_token"),
+])
+@pytest.mark.asyncio
+async def test_get_token_by_exchange_profile_missing_required(missing_field, field_name):
+    """Test that missing required parameters raise error."""
+    api_client = ApiClient(ApiClientOptions(
+        domain="auth0.local",
+        audience="my-audience",
+        client_id="cid",
+        client_secret="csecret"
+    ))
+
+    kwargs = {
+        "subject_token": "token" if field_name != "subject_token" else missing_field,
+        "subject_token_type": "urn:example:type" if field_name != "subject_token_type" else missing_field,
+    }
+
+    with pytest.raises(MissingRequiredArgumentError):
+        await api_client.get_token_by_exchange_profile(**kwargs)
+
+
+@pytest.mark.parametrize("invalid_token,expected_error,expected_msg", [
+    ("  token", GetTokenByExchangeProfileError, "leading or trailing whitespace"),
+    ("token  ", GetTokenByExchangeProfileError, "leading or trailing whitespace"),
+    ("   ", GetTokenByExchangeProfileError, "blank or whitespace"),
+    ("Bearer token123", GetTokenByExchangeProfileError, "'Bearer ' prefix"),
+    ("bearer token123", GetTokenByExchangeProfileError, "'Bearer ' prefix"),
+    ("BEARER token123", GetTokenByExchangeProfileError, "'Bearer ' prefix"),
+])
+@pytest.mark.asyncio
+async def test_get_token_by_exchange_profile_invalid_subject_token(invalid_token, expected_error, expected_msg):
+    """Test subject token validation."""
+    api_client = ApiClient(ApiClientOptions(
+        domain="auth0.local",
+        audience="my-audience",
+        client_id="cid",
+        client_secret="csecret"
+    ))
+
+    with pytest.raises(expected_error) as err:
+        await api_client.get_token_by_exchange_profile(
+            subject_token=invalid_token,
+            subject_token_type="urn:example:type"
+        )
+    assert expected_msg.lower() in str(err.value).lower()
+
+
+@pytest.mark.asyncio
+async def test_get_token_by_exchange_profile_missing_client_credentials():
+    """Test that missing client credentials raises error."""
+    api_client = ApiClient(ApiClientOptions(
+        domain="auth0.local",
+        audience="my-audience"
+    ))
+
+    with pytest.raises(GetTokenByExchangeProfileError) as err:
+        await api_client.get_token_by_exchange_profile(
+            subject_token="token",
+            subject_token_type="urn:example:type"
+        )
+    assert "client credentials" in str(err.value).lower()
+
+
+@pytest.mark.asyncio
+async def test_get_token_by_exchange_profile_with_extra_params(httpx_mock: HTTPXMock):
+    """Test token exchange with extra parameters."""
+    httpx_mock.add_response(
+        method="GET",
+        url="https://auth0.local/.well-known/openid-configuration",
+        json={"token_endpoint": "https://auth0.local/oauth/token"}
+    )
+    httpx_mock.add_response(
+        method="POST",
+        url="https://auth0.local/oauth/token",
+        json={"access_token": "token", "expires_in": 3600}
+    )
+
+    api_client = ApiClient(ApiClientOptions(
+        domain="auth0.local",
+        audience="my-audience",
+        client_id="cid",
+        client_secret="csecret"
+    ))
+
+    await api_client.get_token_by_exchange_profile(
+        subject_token="token",
+        subject_token_type="urn:example:type",
+        extra={
+            "device_id": "dev123",
+            "roles": ["admin", "user"]
+        }
+    )
+
+    request = httpx_mock.get_requests()[-1]
+    form_data = urllib.parse.parse_qs(request.content.decode())
+    assert form_data["device_id"] == ["dev123"]
+    assert form_data["roles"] == ["admin", "user"]
+
+
+@pytest.mark.parametrize("denied_param", [
+    "grant_type", "client_id", "client_secret", "subject_token",
+    "subject_token_type", "audience", "scope", "connection"
+])
+@pytest.mark.asyncio
+async def test_get_token_by_exchange_profile_extra_params_denylist(httpx_mock: HTTPXMock, denied_param):
+    """Test that denylisted extra parameters are silently ignored."""
+    httpx_mock.add_response(
+        method="GET",
+        url="https://auth0.local/.well-known/openid-configuration",
+        json={"token_endpoint": "https://auth0.local/oauth/token"}
+    )
+    httpx_mock.add_response(
+        method="POST",
+        url="https://auth0.local/oauth/token",
+        json={"access_token": "token", "expires_in": 3600}
+    )
+
+    api_client = ApiClient(ApiClientOptions(
+        domain="auth0.local",
+        audience="my-audience",
+        client_id="cid",
+        client_secret="csecret"
+    ))
+
+    await api_client.get_token_by_exchange_profile(
+        subject_token="token",
+        subject_token_type="urn:example:type",
+        extra={denied_param: "should_be_ignored", "allowed_param": "value"}
+    )
+
+    request = httpx_mock.get_requests()[-1]
+    form_data = urllib.parse.parse_qs(request.content.decode())
+    assert "allowed_param" in form_data
+    # Denylisted param should not override the original value
+    assert form_data["subject_token"] == ["token"]
+
+
+@pytest.mark.asyncio
+async def test_get_token_by_exchange_profile_extra_array_size_limit(httpx_mock: HTTPXMock):
+    """Test that extra array parameters enforce size limit."""
+    httpx_mock.add_response(
+        method="GET",
+        url="https://auth0.local/.well-known/openid-configuration",
+        json={"token_endpoint": "https://auth0.local/oauth/token"}
+    )
+
+    api_client = ApiClient(ApiClientOptions(
+        domain="auth0.local",
+        audience="my-audience",
+        client_id="cid",
+        client_secret="csecret"
+    ))
+
+    with pytest.raises(GetTokenByExchangeProfileError) as err:
+        await api_client.get_token_by_exchange_profile(
+            subject_token="token",
+            subject_token_type="urn:example:type",
+            extra={"large_array": [f"item{i}" for i in range(21)]}
+        )
+    assert "exceeds maximum array size" in str(err.value)
+    assert "20" in str(err.value)
+
+
+@pytest.mark.asyncio
+async def test_get_token_by_exchange_profile_api_error(httpx_mock: HTTPXMock):
+    """Test handling of API errors from token endpoint."""
+    httpx_mock.add_response(
+        method="GET",
+        url="https://auth0.local/.well-known/openid-configuration",
+        json={"token_endpoint": "https://auth0.local/oauth/token"}
+    )
+    httpx_mock.add_response(
+        method="POST",
+        url="https://auth0.local/oauth/token",
+        status_code=400,
+        json={"error": "invalid_grant", "error_description": "Invalid subject token"}
+    )
+
+    api_client = ApiClient(ApiClientOptions(
+        domain="auth0.local",
+        audience="my-audience",
+        client_id="cid",
+        client_secret="csecret"
+    ))
+
+    with pytest.raises(ApiError) as err:
+        await api_client.get_token_by_exchange_profile(
+            subject_token="token",
+            subject_token_type="urn:example:type"
+        )
+    assert err.value.code == "invalid_grant"
+    assert err.value.status_code == 400
+
+
+@pytest.mark.asyncio
+async def test_get_token_by_exchange_profile_timeout(httpx_mock: HTTPXMock):
+    """Test timeout handling."""
+    httpx_mock.add_response(
+        method="GET",
+        url="https://auth0.local/.well-known/openid-configuration",
+        json={"token_endpoint": "https://auth0.local/oauth/token"}
+    )
+    httpx_mock.add_exception(httpx.TimeoutException("timeout"), method="POST")
+
+    api_client = ApiClient(ApiClientOptions(
+        domain="auth0.local",
+        audience="my-audience",
+        client_id="cid",
+        client_secret="csecret"
+    ))
+
+    with pytest.raises(ApiError) as err:
+        await api_client.get_token_by_exchange_profile(
+            subject_token="token",
+            subject_token_type="urn:example:type"
+        )
+    assert err.value.code == "timeout_error"
+    assert err.value.status_code == 504
+
+
+@pytest.mark.parametrize("response_data,error_msg", [
+    ({}, "missing or invalid access_token"),
+    ({"access_token": ""}, "missing or invalid access_token"),
+    ({"access_token": None}, "missing or invalid access_token"),
+    ({"access_token": 123}, "missing or invalid access_token"),
+    ({"access_token": "token", "expires_in": "invalid"}, "expires_in is not an integer"),
+])
+@pytest.mark.asyncio
+async def test_get_token_by_exchange_profile_invalid_response(httpx_mock: HTTPXMock, response_data, error_msg):
+    """Test handling of invalid token endpoint responses."""
+    httpx_mock.add_response(
+        method="GET",
+        url="https://auth0.local/.well-known/openid-configuration",
+        json={"token_endpoint": "https://auth0.local/oauth/token"}
+    )
+    httpx_mock.add_response(
+        method="POST",
+        url="https://auth0.local/oauth/token",
+        json=response_data
+    )
+
+    api_client = ApiClient(ApiClientOptions(
+        domain="auth0.local",
+        audience="my-audience",
+        client_id="cid",
+        client_secret="csecret"
+    ))
+
+    with pytest.raises(ApiError) as err:
+        await api_client.get_token_by_exchange_profile(
+            subject_token="token",
+            subject_token_type="urn:example:type"
+        )
+    assert error_msg.lower() in str(err.value).lower()
+    assert err.value.status_code == 502