diff --git a/pkg/op/mock/crypto.mock.go b/pkg/op/mock/crypto.mock.go
new file mode 100644
index 0000000..4564e26
--- /dev/null
+++ b/pkg/op/mock/crypto.mock.go
@@ -0,0 +1,64 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/zitadel/oidc/v3/pkg/op (interfaces: Crypto)
+
+// Package mock is a generated GoMock package.
+package mock
+
+import (
+	reflect "reflect"
+
+	gomock "github.com/golang/mock/gomock"
+)
+
+// MockCrypto is a mock of Crypto interface.
+type MockCrypto struct {
+	ctrl     *gomock.Controller
+	recorder *MockCryptoMockRecorder
+}
+
+// MockCryptoMockRecorder is the mock recorder for MockCrypto.
+type MockCryptoMockRecorder struct {
+	mock *MockCrypto
+}
+
+// NewMockCrypto creates a new mock instance.
+func NewMockCrypto(ctrl *gomock.Controller) *MockCrypto {
+	mock := &MockCrypto{ctrl: ctrl}
+	mock.recorder = &MockCryptoMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockCrypto) EXPECT() *MockCryptoMockRecorder {
+	return m.recorder
+}
+
+// Decrypt mocks base method.
+func (m *MockCrypto) Decrypt(arg0 string) (string, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Decrypt", arg0)
+	ret0, _ := ret[0].(string)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// Decrypt indicates an expected call of Decrypt.
+func (mr *MockCryptoMockRecorder) Decrypt(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Decrypt", reflect.TypeOf((*MockCrypto)(nil).Decrypt), arg0)
+}
+
+// Encrypt mocks base method.
+func (m *MockCrypto) Encrypt(arg0 string) (string, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Encrypt", arg0)
+	ret0, _ := ret[0].(string)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// Encrypt indicates an expected call of Encrypt.
+func (mr *MockCryptoMockRecorder) Encrypt(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Encrypt", reflect.TypeOf((*MockCrypto)(nil).Encrypt), arg0)
+}
diff --git a/pkg/op/mock/exchanger.mock.go b/pkg/op/mock/exchanger.mock.go
new file mode 100644
index 0000000..e5ad158
--- /dev/null
+++ b/pkg/op/mock/exchanger.mock.go
@@ -0,0 +1,220 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/zitadel/oidc/v3/pkg/op (interfaces: Exchanger)
+
+// Package mock is a generated GoMock package.
+package mock
+
+import (
+	context "context"
+	slog "log/slog"
+	reflect "reflect"
+
+	gomock "github.com/golang/mock/gomock"
+	http "github.com/zitadel/oidc/v3/pkg/http"
+	op "github.com/zitadel/oidc/v3/pkg/op"
+)
+
+// MockExchanger is a mock of Exchanger interface.
+type MockExchanger struct {
+	ctrl     *gomock.Controller
+	recorder *MockExchangerMockRecorder
+}
+
+// MockExchangerMockRecorder is the mock recorder for MockExchanger.
+type MockExchangerMockRecorder struct {
+	mock *MockExchanger
+}
+
+// NewMockExchanger creates a new mock instance.
+func NewMockExchanger(ctrl *gomock.Controller) *MockExchanger {
+	mock := &MockExchanger{ctrl: ctrl}
+	mock.recorder = &MockExchangerMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockExchanger) EXPECT() *MockExchangerMockRecorder {
+	return m.recorder
+}
+
+// AccessTokenVerifier mocks base method.
+func (m *MockExchanger) AccessTokenVerifier(arg0 context.Context) *op.AccessTokenVerifier {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "AccessTokenVerifier", arg0)
+	ret0, _ := ret[0].(*op.AccessTokenVerifier)
+	return ret0
+}
+
+// AccessTokenVerifier indicates an expected call of AccessTokenVerifier.
+func (mr *MockExchangerMockRecorder) AccessTokenVerifier(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AccessTokenVerifier", reflect.TypeOf((*MockExchanger)(nil).AccessTokenVerifier), arg0)
+}
+
+// AuthMethodPostSupported mocks base method.
+func (m *MockExchanger) AuthMethodPostSupported() bool {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "AuthMethodPostSupported")
+	ret0, _ := ret[0].(bool)
+	return ret0
+}
+
+// AuthMethodPostSupported indicates an expected call of AuthMethodPostSupported.
+func (mr *MockExchangerMockRecorder) AuthMethodPostSupported() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthMethodPostSupported", reflect.TypeOf((*MockExchanger)(nil).AuthMethodPostSupported))
+}
+
+// AuthMethodPrivateKeyJWTSupported mocks base method.
+func (m *MockExchanger) AuthMethodPrivateKeyJWTSupported() bool {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "AuthMethodPrivateKeyJWTSupported")
+	ret0, _ := ret[0].(bool)
+	return ret0
+}
+
+// AuthMethodPrivateKeyJWTSupported indicates an expected call of AuthMethodPrivateKeyJWTSupported.
+func (mr *MockExchangerMockRecorder) AuthMethodPrivateKeyJWTSupported() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthMethodPrivateKeyJWTSupported", reflect.TypeOf((*MockExchanger)(nil).AuthMethodPrivateKeyJWTSupported))
+}
+
+// Crypto mocks base method.
+func (m *MockExchanger) Crypto() op.Crypto {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Crypto")
+	ret0, _ := ret[0].(op.Crypto)
+	return ret0
+}
+
+// Crypto indicates an expected call of Crypto.
+func (mr *MockExchangerMockRecorder) Crypto() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Crypto", reflect.TypeOf((*MockExchanger)(nil).Crypto))
+}
+
+// Decoder mocks base method.
+func (m *MockExchanger) Decoder() http.Decoder {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Decoder")
+	ret0, _ := ret[0].(http.Decoder)
+	return ret0
+}
+
+// Decoder indicates an expected call of Decoder.
+func (mr *MockExchangerMockRecorder) Decoder() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Decoder", reflect.TypeOf((*MockExchanger)(nil).Decoder))
+}
+
+// GrantTypeClientCredentialsSupported mocks base method.
+func (m *MockExchanger) GrantTypeClientCredentialsSupported() bool {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GrantTypeClientCredentialsSupported")
+	ret0, _ := ret[0].(bool)
+	return ret0
+}
+
+// GrantTypeClientCredentialsSupported indicates an expected call of GrantTypeClientCredentialsSupported.
+func (mr *MockExchangerMockRecorder) GrantTypeClientCredentialsSupported() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GrantTypeClientCredentialsSupported", reflect.TypeOf((*MockExchanger)(nil).GrantTypeClientCredentialsSupported))
+}
+
+// GrantTypeDeviceCodeSupported mocks base method.
+func (m *MockExchanger) GrantTypeDeviceCodeSupported() bool {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GrantTypeDeviceCodeSupported")
+	ret0, _ := ret[0].(bool)
+	return ret0
+}
+
+// GrantTypeDeviceCodeSupported indicates an expected call of GrantTypeDeviceCodeSupported.
+func (mr *MockExchangerMockRecorder) GrantTypeDeviceCodeSupported() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GrantTypeDeviceCodeSupported", reflect.TypeOf((*MockExchanger)(nil).GrantTypeDeviceCodeSupported))
+}
+
+// GrantTypeJWTAuthorizationSupported mocks base method.
+func (m *MockExchanger) GrantTypeJWTAuthorizationSupported() bool {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GrantTypeJWTAuthorizationSupported")
+	ret0, _ := ret[0].(bool)
+	return ret0
+}
+
+// GrantTypeJWTAuthorizationSupported indicates an expected call of GrantTypeJWTAuthorizationSupported.
+func (mr *MockExchangerMockRecorder) GrantTypeJWTAuthorizationSupported() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GrantTypeJWTAuthorizationSupported", reflect.TypeOf((*MockExchanger)(nil).GrantTypeJWTAuthorizationSupported))
+}
+
+// GrantTypeRefreshTokenSupported mocks base method.
+func (m *MockExchanger) GrantTypeRefreshTokenSupported() bool {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GrantTypeRefreshTokenSupported")
+	ret0, _ := ret[0].(bool)
+	return ret0
+}
+
+// GrantTypeRefreshTokenSupported indicates an expected call of GrantTypeRefreshTokenSupported.
+func (mr *MockExchangerMockRecorder) GrantTypeRefreshTokenSupported() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GrantTypeRefreshTokenSupported", reflect.TypeOf((*MockExchanger)(nil).GrantTypeRefreshTokenSupported))
+}
+
+// GrantTypeTokenExchangeSupported mocks base method.
+func (m *MockExchanger) GrantTypeTokenExchangeSupported() bool {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GrantTypeTokenExchangeSupported")
+	ret0, _ := ret[0].(bool)
+	return ret0
+}
+
+// GrantTypeTokenExchangeSupported indicates an expected call of GrantTypeTokenExchangeSupported.
+func (mr *MockExchangerMockRecorder) GrantTypeTokenExchangeSupported() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GrantTypeTokenExchangeSupported", reflect.TypeOf((*MockExchanger)(nil).GrantTypeTokenExchangeSupported))
+}
+
+// IDTokenHintVerifier mocks base method.
+func (m *MockExchanger) IDTokenHintVerifier(arg0 context.Context) *op.IDTokenHintVerifier {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "IDTokenHintVerifier", arg0)
+	ret0, _ := ret[0].(*op.IDTokenHintVerifier)
+	return ret0
+}
+
+// IDTokenHintVerifier indicates an expected call of IDTokenHintVerifier.
+func (mr *MockExchangerMockRecorder) IDTokenHintVerifier(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IDTokenHintVerifier", reflect.TypeOf((*MockExchanger)(nil).IDTokenHintVerifier), arg0)
+}
+
+// Logger mocks base method.
+func (m *MockExchanger) Logger() *slog.Logger {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Logger")
+	ret0, _ := ret[0].(*slog.Logger)
+	return ret0
+}
+
+// Logger indicates an expected call of Logger.
+func (mr *MockExchangerMockRecorder) Logger() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Logger", reflect.TypeOf((*MockExchanger)(nil).Logger))
+}
+
+// Storage mocks base method.
+func (m *MockExchanger) Storage() op.Storage {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Storage")
+	ret0, _ := ret[0].(op.Storage)
+	return ret0
+}
+
+// Storage indicates an expected call of Storage.
+func (mr *MockExchangerMockRecorder) Storage() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Storage", reflect.TypeOf((*MockExchanger)(nil).Storage))
+}
diff --git a/pkg/op/mock/generate.go b/pkg/op/mock/generate.go
index e5cab3e..58d72aa 100644
--- a/pkg/op/mock/generate.go
+++ b/pkg/op/mock/generate.go
@@ -9,3 +9,7 @@ package mock
 //go:generate mockgen -package mock -destination ./discovery.mock.go github.com/zitadel/oidc/v3/pkg/op DiscoverStorage
 //go:generate mockgen -package mock -destination ./signer.mock.go github.com/zitadel/oidc/v3/pkg/op SigningKey,Key
 //go:generate mockgen -package mock -destination ./key.mock.go github.com/zitadel/oidc/v3/pkg/op KeyProvider
+//go:generate mockgen -package mock -destination ./exchanger.mock.go github.com/zitadel/oidc/v3/pkg/op Exchanger
+//go:generate mockgen -package mock -destination ./tokenexchangeverifierstorage.mock.go github.com/zitadel/oidc/v3/pkg/op TokenExchangeTokensVerifierStorage
+//go:generate mockgen -package mock -destination ./crypto.mock.go github.com/zitadel/oidc/v3/pkg/op Crypto
+//go:generate mockgen -package mock -destination ./token_refresh.mock.go github.com/zitadel/oidc/v3/pkg/op RefreshTokenRequest
diff --git a/pkg/op/mock/token_refresh.mock.go b/pkg/op/mock/token_refresh.mock.go
new file mode 100644
index 0000000..4415c79
--- /dev/null
+++ b/pkg/op/mock/token_refresh.mock.go
@@ -0,0 +1,131 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/zitadel/oidc/v3/pkg/op (interfaces: RefreshTokenRequest)
+
+// Package mock is a generated GoMock package.
+package mock
+
+import (
+	reflect "reflect"
+	time "time"
+
+	gomock "github.com/golang/mock/gomock"
+)
+
+// MockRefreshTokenRequest is a mock of RefreshTokenRequest interface.
+type MockRefreshTokenRequest struct {
+	ctrl     *gomock.Controller
+	recorder *MockRefreshTokenRequestMockRecorder
+}
+
+// MockRefreshTokenRequestMockRecorder is the mock recorder for MockRefreshTokenRequest.
+type MockRefreshTokenRequestMockRecorder struct {
+	mock *MockRefreshTokenRequest
+}
+
+// NewMockRefreshTokenRequest creates a new mock instance.
+func NewMockRefreshTokenRequest(ctrl *gomock.Controller) *MockRefreshTokenRequest {
+	mock := &MockRefreshTokenRequest{ctrl: ctrl}
+	mock.recorder = &MockRefreshTokenRequestMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockRefreshTokenRequest) EXPECT() *MockRefreshTokenRequestMockRecorder {
+	return m.recorder
+}
+
+// GetAMR mocks base method.
+func (m *MockRefreshTokenRequest) GetAMR() []string {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetAMR")
+	ret0, _ := ret[0].([]string)
+	return ret0
+}
+
+// GetAMR indicates an expected call of GetAMR.
+func (mr *MockRefreshTokenRequestMockRecorder) GetAMR() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetAMR", reflect.TypeOf((*MockRefreshTokenRequest)(nil).GetAMR))
+}
+
+// GetAudience mocks base method.
+func (m *MockRefreshTokenRequest) GetAudience() []string {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetAudience")
+	ret0, _ := ret[0].([]string)
+	return ret0
+}
+
+// GetAudience indicates an expected call of GetAudience.
+func (mr *MockRefreshTokenRequestMockRecorder) GetAudience() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetAudience", reflect.TypeOf((*MockRefreshTokenRequest)(nil).GetAudience))
+}
+
+// GetAuthTime mocks base method.
+func (m *MockRefreshTokenRequest) GetAuthTime() time.Time {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetAuthTime")
+	ret0, _ := ret[0].(time.Time)
+	return ret0
+}
+
+// GetAuthTime indicates an expected call of GetAuthTime.
+func (mr *MockRefreshTokenRequestMockRecorder) GetAuthTime() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetAuthTime", reflect.TypeOf((*MockRefreshTokenRequest)(nil).GetAuthTime))
+}
+
+// GetClientID mocks base method.
+func (m *MockRefreshTokenRequest) GetClientID() string {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetClientID")
+	ret0, _ := ret[0].(string)
+	return ret0
+}
+
+// GetClientID indicates an expected call of GetClientID.
+func (mr *MockRefreshTokenRequestMockRecorder) GetClientID() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetClientID", reflect.TypeOf((*MockRefreshTokenRequest)(nil).GetClientID))
+}
+
+// GetScopes mocks base method.
+func (m *MockRefreshTokenRequest) GetScopes() []string {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetScopes")
+	ret0, _ := ret[0].([]string)
+	return ret0
+}
+
+// GetScopes indicates an expected call of GetScopes.
+func (mr *MockRefreshTokenRequestMockRecorder) GetScopes() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetScopes", reflect.TypeOf((*MockRefreshTokenRequest)(nil).GetScopes))
+}
+
+// GetSubject mocks base method.
+func (m *MockRefreshTokenRequest) GetSubject() string {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetSubject")
+	ret0, _ := ret[0].(string)
+	return ret0
+}
+
+// GetSubject indicates an expected call of GetSubject.
+func (mr *MockRefreshTokenRequestMockRecorder) GetSubject() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetSubject", reflect.TypeOf((*MockRefreshTokenRequest)(nil).GetSubject))
+}
+
+// SetCurrentScopes mocks base method.
+func (m *MockRefreshTokenRequest) SetCurrentScopes(arg0 []string) {
+	m.ctrl.T.Helper()
+	m.ctrl.Call(m, "SetCurrentScopes", arg0)
+}
+
+// SetCurrentScopes indicates an expected call of SetCurrentScopes.
+func (mr *MockRefreshTokenRequestMockRecorder) SetCurrentScopes(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetCurrentScopes", reflect.TypeOf((*MockRefreshTokenRequest)(nil).SetCurrentScopes), arg0)
+}
diff --git a/pkg/op/mock/tokenexchangeverifierstorage.mock.go b/pkg/op/mock/tokenexchangeverifierstorage.mock.go
new file mode 100644
index 0000000..1870269
--- /dev/null
+++ b/pkg/op/mock/tokenexchangeverifierstorage.mock.go
@@ -0,0 +1,70 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/zitadel/oidc/v3/pkg/op (interfaces: TokenExchangeTokensVerifierStorage)
+
+// Package mock is a generated GoMock package.
+package mock
+
+import (
+	context "context"
+	reflect "reflect"
+
+	gomock "github.com/golang/mock/gomock"
+	oidc "github.com/zitadel/oidc/v3/pkg/oidc"
+)
+
+// MockTokenExchangeTokensVerifierStorage is a mock of TokenExchangeTokensVerifierStorage interface.
+type MockTokenExchangeTokensVerifierStorage struct {
+	ctrl     *gomock.Controller
+	recorder *MockTokenExchangeTokensVerifierStorageMockRecorder
+}
+
+// MockTokenExchangeTokensVerifierStorageMockRecorder is the mock recorder for MockTokenExchangeTokensVerifierStorage.
+type MockTokenExchangeTokensVerifierStorageMockRecorder struct {
+	mock *MockTokenExchangeTokensVerifierStorage
+}
+
+// NewMockTokenExchangeTokensVerifierStorage creates a new mock instance.
+func NewMockTokenExchangeTokensVerifierStorage(ctrl *gomock.Controller) *MockTokenExchangeTokensVerifierStorage {
+	mock := &MockTokenExchangeTokensVerifierStorage{ctrl: ctrl}
+	mock.recorder = &MockTokenExchangeTokensVerifierStorageMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockTokenExchangeTokensVerifierStorage) EXPECT() *MockTokenExchangeTokensVerifierStorageMockRecorder {
+	return m.recorder
+}
+
+// VerifyExchangeActorToken mocks base method.
+func (m *MockTokenExchangeTokensVerifierStorage) VerifyExchangeActorToken(arg0 context.Context, arg1 string, arg2 oidc.TokenType) (string, string, map[string]interface{}, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "VerifyExchangeActorToken", arg0, arg1, arg2)
+	ret0, _ := ret[0].(string)
+	ret1, _ := ret[1].(string)
+	ret2, _ := ret[2].(map[string]interface{})
+	ret3, _ := ret[3].(error)
+	return ret0, ret1, ret2, ret3
+}
+
+// VerifyExchangeActorToken indicates an expected call of VerifyExchangeActorToken.
+func (mr *MockTokenExchangeTokensVerifierStorageMockRecorder) VerifyExchangeActorToken(arg0, arg1, arg2 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "VerifyExchangeActorToken", reflect.TypeOf((*MockTokenExchangeTokensVerifierStorage)(nil).VerifyExchangeActorToken), arg0, arg1, arg2)
+}
+
+// VerifyExchangeSubjectToken mocks base method.
+func (m *MockTokenExchangeTokensVerifierStorage) VerifyExchangeSubjectToken(arg0 context.Context, arg1 string, arg2 oidc.TokenType) (string, string, map[string]interface{}, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "VerifyExchangeSubjectToken", arg0, arg1, arg2)
+	ret0, _ := ret[0].(string)
+	ret1, _ := ret[1].(string)
+	ret2, _ := ret[2].(map[string]interface{})
+	ret3, _ := ret[3].(error)
+	return ret0, ret1, ret2, ret3
+}
+
+// VerifyExchangeSubjectToken indicates an expected call of VerifyExchangeSubjectToken.
+func (mr *MockTokenExchangeTokensVerifierStorageMockRecorder) VerifyExchangeSubjectToken(arg0, arg1, arg2 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "VerifyExchangeSubjectToken", reflect.TypeOf((*MockTokenExchangeTokensVerifierStorage)(nil).VerifyExchangeSubjectToken), arg0, arg1, arg2)
+}
diff --git a/pkg/op/token_exchange.go b/pkg/op/token_exchange.go
index fcb4468..d198418 100644
--- a/pkg/op/token_exchange.go
+++ b/pkg/op/token_exchange.go
@@ -310,7 +310,9 @@ func GetTokenIDAndSubjectFromToken(
 		if !ok {
 			break
 		}
-		claims = accessTokenClaims.Claims
+		if accessTokenClaims != nil {
+			claims = accessTokenClaims.Claims
+		}
 	case oidc.RefreshTokenType:
 		refreshTokenRequest, err := exchanger.Storage().TokenRequestByRefreshToken(ctx, token)
 		if err != nil {
@@ -323,8 +325,11 @@ func GetTokenIDAndSubjectFromToken(
 		if err != nil {
 			break
 		}
-
-		tokenIDOrToken, subject, claims, ok = token, idTokenClaims.Subject, idTokenClaims.Claims, true
+		if idTokenClaims != nil {
+			claims = idTokenClaims.Claims
+			subject = idTokenClaims.Subject
+		}
+		tokenIDOrToken, ok = token, true
 	}
 
 	if !ok {
diff --git a/pkg/op/token_exchange_test.go b/pkg/op/token_exchange_test.go
new file mode 100644
index 0000000..2946af8
--- /dev/null
+++ b/pkg/op/token_exchange_test.go
@@ -0,0 +1,276 @@
+package op_test
+
+import (
+	"context"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"errors"
+	"testing"
+	"time"
+
+	"github.com/go-jose/go-jose/v4"
+	"github.com/golang/mock/gomock"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/op"
+	"github.com/zitadel/oidc/v3/pkg/op/mock"
+)
+
+func TestGetTokenIDAndSubjectFromToken(t *testing.T) {
+	tests := []struct {
+		name string
+
+		// args
+		ctx       context.Context
+		token     string
+		tokenType oidc.TokenType
+		isActor   bool
+		exchanger op.Exchanger
+
+		wantReturn []interface{}
+	}{
+		{
+			name: "empty strings, nil and false if fails verify token actor",
+			ctx:  context.Background(),
+			token: func() string {
+				tkn, err := op.NewAESCrypto([32]byte{0x01}).Encrypt("test:test:test")
+				require.NoError(t, err)
+				return tkn
+			}(),
+			tokenType: oidc.TokenType("unsupported_token_type"),
+			isActor:   true,
+			exchanger: func() op.Exchanger {
+				type mStorage struct {
+					op.Storage
+					op.TokenExchangeTokensVerifierStorage
+				}
+
+				verifier := mock.NewMockTokenExchangeTokensVerifierStorage(gomock.NewController(t))
+				verifier.
+					EXPECT().
+					VerifyExchangeActorToken(gomock.Any(), gomock.Any(), oidc.TokenType("unsupported_token_type")).
+					Return("", "", nil, errors.New("actor verify error"))
+				ms := mStorage{TokenExchangeTokensVerifierStorage: verifier}
+				ex := mock.NewMockExchanger(gomock.NewController(t))
+				ex.EXPECT().Storage().Return(ms)
+
+				return ex
+			}(),
+			wantReturn: []interface{}{"", "", map[string]interface{}(nil), false},
+		},
+		{
+			name: "empty strings, nil and false if fails verify token exchange subject",
+			ctx:  context.Background(),
+			token: func() string {
+				tkn, err := op.NewAESCrypto([32]byte{0x01}).Encrypt("test:test:test")
+				require.NoError(t, err)
+				return tkn
+			}(),
+			tokenType: oidc.TokenType("unsupported_token_type"),
+			isActor:   false,
+			exchanger: func() op.Exchanger {
+				type mStorage struct {
+					op.Storage
+					op.TokenExchangeTokensVerifierStorage
+				}
+
+				verifier := mock.NewMockTokenExchangeTokensVerifierStorage(gomock.NewController(t))
+				verifier.
+					EXPECT().
+					VerifyExchangeSubjectToken(gomock.Any(), gomock.Any(), oidc.TokenType("unsupported_token_type")).
+					Return("", "", nil, errors.New("actor verify error"))
+				ms := mStorage{TokenExchangeTokensVerifierStorage: verifier}
+				ex := mock.NewMockExchanger(gomock.NewController(t))
+				ex.EXPECT().Storage().Return(ms)
+
+				return ex
+			}(),
+			wantReturn: []interface{}{"", "", map[string]interface{}(nil), false},
+		},
+		{
+			name: "empty strings, nil and false if exchanger storage is not TokenExchangeTokenVerifierStorage",
+			ctx:  context.Background(),
+			token: func() string {
+				tkn, err := op.NewAESCrypto([32]byte{0x01}).Encrypt("test:test:test")
+				require.NoError(t, err)
+				return tkn
+			}(),
+			tokenType: oidc.TokenType("unsupported_token_type"),
+			isActor:   false,
+			exchanger: func() op.Exchanger {
+				type mStorage struct {
+					op.Storage
+				}
+
+				ms := mStorage{}
+				ex := mock.NewMockExchanger(gomock.NewController(t))
+				ex.EXPECT().Storage().Return(ms)
+
+				return ex
+			}(),
+			wantReturn: []interface{}{"", "", map[string]interface{}(nil), false},
+		},
+		{
+			name: "tokenId subject nil claims and true if success decrypt AccessTokenType",
+			ctx:  context.Background(),
+			token: func() string {
+				tkn, err := op.NewAESCrypto([32]byte{0x01}).Encrypt("test:test")
+				require.NoError(t, err)
+				return tkn
+			}(),
+			tokenType: oidc.AccessTokenType,
+			isActor:   true,
+			exchanger: func() op.Exchanger {
+				ex := mock.NewMockExchanger(gomock.NewController(t))
+				ex.EXPECT().Crypto().Return(op.NewAESCrypto([32]byte{0x001}))
+				return ex
+			}(),
+			wantReturn: []interface{}{"test", "test", map[string]interface{}(nil), true},
+		},
+		{
+			name: "tokenId subject claims and true if success verify AccessTokenType claims",
+			ctx:  context.Background(),
+			// jwt.io sample token for RS256 with some extra claims
+			token:     "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImFiY2RlZiJ9.eyJqdGkiOiJ0ZXN0Iiwic3ViIjoiMTIzNDU2Nzg5MCIsIm5hbWUiOiJKb2huIERvZSIsImFkbWluIjp0cnVlLCJpYXQiOjE3NDI4OTA4NjksImV4cCI6Mjc0Mjg5MDg2OSwiaXNzIjoiaXNzdWVyIn0.MpR3s7zrvwHUnis7Sc9C1-dZnDsXAsssJcdDWJY5cfhR7bXpwJs87GsUkdP-kVc1S3MDZg0Dl0ITLbAeu70Ix5E65o9wlUQM2QB2Nc3O16zWIWkHH9xhKf5mW-s1JRtNDqsy5hypl6S2l9zNSXSLhj96lMxyi4-4qfX2wsI8XN9sQk7oEgZt_Lcl-xiJtqZOKKyfA0zRqOCOPruaAIUJc5bo3dxmDRs9dILP1F7LYkarIH_DXDzOmqRT4UfHVdg7ZH2-yluXQvk24dFwtC2Vm9jut1Ecdihm4vBjvyokuPNw_5RC3nxlk14BPBcgsBNR9NVVo5SV6ATGI-9Uq2TR-Q",
+			tokenType: oidc.AccessTokenType,
+			isActor:   true,
+			exchanger: func() op.Exchanger {
+				c := mock.NewMockCrypto(gomock.NewController(t))
+				c.EXPECT().
+					Decrypt(gomock.Any()).
+					Return("", errors.New("decrypt_error"))
+
+				ex := mock.NewMockExchanger(gomock.NewController(t))
+				ex.EXPECT().Crypto().Return(c)
+
+				mockKey := mock.NewMockKey(gomock.NewController(t))
+				mockKey.EXPECT().ID().Return("abcdef")
+				mockKey.EXPECT().Algorithm().Return(jose.RS256)
+				mockKey.EXPECT().Use().Return("sig")
+				mockKey.EXPECT().Key().Return(getPublicKey())
+
+				kStorage := mock.NewMockStorage(gomock.NewController(t))
+				kStorage.EXPECT().KeySet(gomock.Any()).Return([]op.Key{mockKey}, nil)
+				v := op.AccessTokenVerifier(oidc.Verifier{
+					Issuer:            "issuer",
+					SupportedSignAlgs: []string{string(jose.RS256)},
+					KeySet: &op.OpenIDKeySet{
+						Storage: kStorage,
+					},
+					Offset: 5000 * time.Minute,
+				})
+				ex.EXPECT().AccessTokenVerifier(gomock.Any()).Return(&v)
+				return ex
+			}(),
+			wantReturn: []interface{}{"test", "1234567890", map[string]interface{}{
+				"admin": true,
+				"exp":   float64(2742890869),
+				"iat":   float64(1742890869),
+				"iss":   "issuer",
+				"name":  "John Doe",
+				"jti":   "test",
+				"sub":   "1234567890",
+			}, true},
+		},
+		{
+			name: "token subject and nil claims if success handling refresh token type",
+			ctx:  context.Background(),
+			// jwt.io sample token for RS256 with some extra claims
+			token:     "test",
+			tokenType: oidc.RefreshTokenType,
+			isActor:   true,
+			exchanger: func() op.Exchanger {
+				rt := mock.NewMockRefreshTokenRequest(gomock.NewController(t))
+				rt.EXPECT().GetSubject().Return("1234567890")
+				st := mock.NewMockStorage(gomock.NewController(t))
+				st.EXPECT().
+					TokenRequestByRefreshToken(gomock.Any(), "test").
+					Return(rt, nil)
+				ex := mock.NewMockExchanger(gomock.NewController(t))
+				ex.EXPECT().Storage().Return(st)
+				return ex
+			}(),
+			wantReturn: []interface{}{"test", "1234567890", map[string]interface{}(nil), true},
+		},
+		{
+			name: "token subject and tokenclaims if success handling id token type",
+			ctx:  context.Background(),
+			// jwt.io sample token for RS256 with some extra claims
+			token:     "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImFiY2RlZiJ9.eyJqdGkiOiJ0ZXN0Iiwic3ViIjoiMTIzNDU2Nzg5MCIsIm5hbWUiOiJKb2huIERvZSIsImFkbWluIjp0cnVlLCJpYXQiOjE3NDI4OTA4NjksImV4cCI6Mjc0Mjg5MDg2OSwiaXNzIjoiaXNzdWVyIn0.MpR3s7zrvwHUnis7Sc9C1-dZnDsXAsssJcdDWJY5cfhR7bXpwJs87GsUkdP-kVc1S3MDZg0Dl0ITLbAeu70Ix5E65o9wlUQM2QB2Nc3O16zWIWkHH9xhKf5mW-s1JRtNDqsy5hypl6S2l9zNSXSLhj96lMxyi4-4qfX2wsI8XN9sQk7oEgZt_Lcl-xiJtqZOKKyfA0zRqOCOPruaAIUJc5bo3dxmDRs9dILP1F7LYkarIH_DXDzOmqRT4UfHVdg7ZH2-yluXQvk24dFwtC2Vm9jut1Ecdihm4vBjvyokuPNw_5RC3nxlk14BPBcgsBNR9NVVo5SV6ATGI-9Uq2TR-Q",
+			tokenType: oidc.IDTokenType,
+			isActor:   true,
+			exchanger: func() op.Exchanger {
+				mockKey := mock.NewMockKey(gomock.NewController(t))
+				mockKey.EXPECT().ID().Return("abcdef")
+				mockKey.EXPECT().Algorithm().Return(jose.RS256)
+				mockKey.EXPECT().Use().Return("sig")
+				mockKey.EXPECT().Key().Return(getPublicKey())
+
+				kStorage := mock.NewMockStorage(gomock.NewController(t))
+				kStorage.EXPECT().KeySet(gomock.Any()).Return([]op.Key{mockKey}, nil)
+				v := &op.IDTokenHintVerifier{
+					Issuer:            "issuer",
+					SupportedSignAlgs: []string{string(jose.RS256)},
+					KeySet: &op.OpenIDKeySet{
+						Storage: kStorage,
+					},
+					Offset: 5000 * time.Minute,
+				}
+				ex := mock.NewMockExchanger(gomock.NewController(t))
+				ex.EXPECT().IDTokenHintVerifier(gomock.Any()).Return(v)
+				return ex
+			}(),
+			wantReturn: []interface{}{
+				"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImFiY2RlZiJ9.eyJqdGkiOiJ0ZXN0Iiwic3ViIjoiMTIzNDU2Nzg5MCIsIm5hbWUiOiJKb2huIERvZSIsImFkbWluIjp0cnVlLCJpYXQiOjE3NDI4OTA4NjksImV4cCI6Mjc0Mjg5MDg2OSwiaXNzIjoiaXNzdWVyIn0.MpR3s7zrvwHUnis7Sc9C1-dZnDsXAsssJcdDWJY5cfhR7bXpwJs87GsUkdP-kVc1S3MDZg0Dl0ITLbAeu70Ix5E65o9wlUQM2QB2Nc3O16zWIWkHH9xhKf5mW-s1JRtNDqsy5hypl6S2l9zNSXSLhj96lMxyi4-4qfX2wsI8XN9sQk7oEgZt_Lcl-xiJtqZOKKyfA0zRqOCOPruaAIUJc5bo3dxmDRs9dILP1F7LYkarIH_DXDzOmqRT4UfHVdg7ZH2-yluXQvk24dFwtC2Vm9jut1Ecdihm4vBjvyokuPNw_5RC3nxlk14BPBcgsBNR9NVVo5SV6ATGI-9Uq2TR-Q",
+				"1234567890",
+				map[string]interface{}{
+					"admin": true,
+					"exp":   float64(2742890869),
+					"iat":   float64(1742890869),
+					"iss":   "issuer",
+					"name":  "John Doe",
+					"jti":   "test",
+					"sub":   "1234567890",
+				},
+				true,
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			tokenIdOrToken, subject, claims, ok := op.GetTokenIDAndSubjectFromToken(
+				tt.ctx,
+				tt.exchanger,
+				tt.token,
+				tt.tokenType,
+				tt.isActor,
+			)
+
+			assert.Equal(t, tt.wantReturn[0].(string), tokenIdOrToken)
+			assert.Equal(t, tt.wantReturn[1].(string), subject)
+			assert.Equal(t, tt.wantReturn[2], claims)
+			assert.Equal(t, tt.wantReturn[3].(bool), ok)
+		})
+	}
+}
+
+func getPublicKey() *rsa.PublicKey {
+	// jwt.io sample public key for RS256
+	spkiPem := `-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu1SU1LfVLPHCozMxH2Mo
+4lgOEePzNm0tRgeLezV6ffAt0gunVTLw7onLRnrq0/IzW7yWR7QkrmBL7jTKEn5u
++qKhbwKfBstIs+bMY2Zkp18gnTxKLxoS2tFczGkPLPgizskuemMghRniWaoLcyeh
+kd3qqGElvW/VDL5AaWTg0nLVkjRo9z+40RQzuVaE8AkAFmxZzow3x+VJYKdjykkJ
+0iT9wCS0DRTXu269V264Vf/3jvredZiKRkgwlL9xNAwxXFg0x/XFw005UWVRIkdg
+cKWTjpBP2dPwVZ4WWC+9aGVd+Gyn1o0CLelf4rEjGoXbAAEgAqeGUxrcIlbjXfbc
+mwIDAQAB
+-----END PUBLIC KEY-----`
+	spkiBlock, _ := pem.Decode([]byte(spkiPem))
+	var spkiKey *rsa.PublicKey
+	pubInterface, _ := x509.ParsePKIXPublicKey(spkiBlock.Bytes)
+	spkiKey = pubInterface.(*rsa.PublicKey)
+	return spkiKey
+}