diff --git a/.github/workflows/test-all.yml b/.github/workflows/test-all.yml
index 02c3ab0326f..8a354b453ac 100644
--- a/.github/workflows/test-all.yml
+++ b/.github/workflows/test-all.yml
@@ -23,7 +23,7 @@ env:
   # the behavior to use the new URLs.
   CHROMEDRIVER_CDNURL: https://googlechromelabs.github.io/
   CHROMEDRIVER_CDNBINARIESURL: https://storage.googleapis.com/chrome-for-testing-public
-  CHROME_VALIDATED_VERSION: linux-132.0.6834.110
+  CHROME_VALIDATED_VERSION: linux-141.0.7390.78
   CHROME_VERSION_MISMATCH_MESSAGE: "The Chrome version doesn't match the previously validated version. Consider updating CHROME_VALIDATED_VERSION in the GitHub workflow if tests pass, or rollback the installed Chrome version if tests fail."
   artifactRetentionDays: 14
   # Bump Node memory limit
diff --git a/.github/workflows/test-changed-auth.yml b/.github/workflows/test-changed-auth.yml
index 2ae77916492..d1fbbe1c714 100644
--- a/.github/workflows/test-changed-auth.yml
+++ b/.github/workflows/test-changed-auth.yml
@@ -23,7 +23,7 @@ env:
   # the behavior to use the new URLs.
   CHROMEDRIVER_CDNURL: https://googlechromelabs.github.io/
   CHROMEDRIVER_CDNBINARIESURL: https://storage.googleapis.com/chrome-for-testing-public
-  CHROME_VALIDATED_VERSION: linux-120.0.6099.71
+  CHROME_VALIDATED_VERSION: linux-137.0.7151.119
   # Bump Node memory limit
   NODE_OPTIONS: "--max_old_space_size=4096"
 
@@ -119,4 +119,4 @@ jobs:
       - name: Run tests on changed packages
         run: yarn test:changed auth
         env:
-          BROWSERS: 'WebkitHeadless'
\ No newline at end of file
+          BROWSERS: 'WebkitHeadless'
diff --git a/common/api-review/auth.api.md b/common/api-review/auth.api.md
index 0c9625a90e9..0976da5172d 100644
--- a/common/api-review/auth.api.md
+++ b/common/api-review/auth.api.md
@@ -94,7 +94,9 @@ export interface Auth {
     onIdTokenChanged(nextOrObserver: NextOrObserver<User | null>, error?: ErrorFn, completed?: CompleteFn): Unsubscribe;
     setPersistence(persistence: Persistence): Promise<void>;
     readonly settings: AuthSettings;
+    setTokenRefreshHandler(tokenRefreshHandler: TokenRefreshHandler): void;
     signOut(): Promise<void>;
+    readonly tenantConfig?: TenantConfig;
     tenantId: string | null;
     updateCurrentUser(user: User | null): Promise<void>;
     useDeviceLanguage(): void;
@@ -316,6 +318,7 @@ export interface Dependencies {
     errorMap?: AuthErrorMap;
     persistence?: Persistence | Persistence[];
     popupRedirectResolver?: PopupRedirectResolver;
+    tenantConfig?: TenantConfig;
 }
 
 // @public
@@ -362,6 +365,9 @@ export interface EmulatorConfig {
 
 export { ErrorFn }
 
+// @public
+export function exchangeToken(auth: Auth, idpConfigId: string, customToken: string): Promise<string>;
+
 // Warning: (ae-forgotten-export) The symbol "BaseOAuthProvider" needs to be exported by the entry point index.d.ts
 //
 // @public
@@ -729,6 +735,12 @@ export class RecaptchaVerifier implements ApplicationVerifierInternal {
     verify(): Promise<string>;
     }
 
+// @public
+export interface RefreshIdpTokenResult {
+    idpConfigId: string;
+    idToken: string;
+}
+
 // @public
 export function reload(user: User): Promise<void>;
 
@@ -795,6 +807,17 @@ export function signInWithRedirect(auth: Auth, provider: AuthProvider, resolver?
 // @public
 export function signOut(auth: Auth): Promise<void>;
 
+// @public
+export interface TenantConfig {
+    location: string;
+    tenantId: string;
+}
+
+// @public
+export interface TokenRefreshHandler {
+    refreshIdpToken(): Promise<RefreshIdpTokenResult>;
+}
+
 // @public
 export interface TotpMultiFactorAssertion extends MultiFactorAssertion {
 }
diff --git a/docs-devsite/_toc.yaml b/docs-devsite/_toc.yaml
index 364d5b992c9..561cc3e217b 100644
--- a/docs-devsite/_toc.yaml
+++ b/docs-devsite/_toc.yaml
@@ -366,8 +366,14 @@ toc:
     path: /docs/reference/js/auth.recaptchaparameters.md
   - title: RecaptchaVerifier
     path: /docs/reference/js/auth.recaptchaverifier.md
+  - title: RefreshIdpTokenResult
+    path: /docs/reference/js/auth.refreshidptokenresult.md
   - title: SAMLAuthProvider
     path: /docs/reference/js/auth.samlauthprovider.md
+  - title: TenantConfig
+    path: /docs/reference/js/auth.tenantconfig.md
+  - title: TokenRefreshHandler
+    path: /docs/reference/js/auth.tokenrefreshhandler.md
   - title: TotpMultiFactorAssertion
     path: /docs/reference/js/auth.totpmultifactorassertion.md
   - title: TotpMultiFactorGenerator
diff --git a/docs-devsite/auth.auth.md b/docs-devsite/auth.auth.md
index cbbc7a9ceb0..1db61201040 100644
--- a/docs-devsite/auth.auth.md
+++ b/docs-devsite/auth.auth.md
@@ -31,6 +31,7 @@ export interface Auth
 |  [languageCode](./auth.auth.md#authlanguagecode) | string \| null | The [Auth](./auth.auth.md#auth_interface) instance's language code. |
 |  [name](./auth.auth.md#authname) | string | The name of the app associated with the <code>Auth</code> service instance. |
 |  [settings](./auth.auth.md#authsettings) | [AuthSettings](./auth.authsettings.md#authsettings_interface) | The [Auth](./auth.auth.md#auth_interface) instance's settings. |
+|  [tenantConfig](./auth.auth.md#authtenantconfig) | [TenantConfig](./auth.tenantconfig.md#tenantconfig_interface) | The [TenantConfig](./auth.tenantconfig.md#tenantconfig_interface) used to initialize a Regional Auth. This is only present if regional auth is initialized and <code>DefaultConfig.REGIONAL_API_HOST</code> backend endpoint is used. |
 |  [tenantId](./auth.auth.md#authtenantid) | string \| null | The [Auth](./auth.auth.md#auth_interface) instance's tenant ID. |
 
 ## Methods
@@ -42,6 +43,7 @@ export interface Auth
 |  [onAuthStateChanged(nextOrObserver, error, completed)](./auth.auth.md#authonauthstatechanged) | Adds an observer for changes to the user's sign-in state. |
 |  [onIdTokenChanged(nextOrObserver, error, completed)](./auth.auth.md#authonidtokenchanged) | Adds an observer for changes to the signed-in user's ID token. |
 |  [setPersistence(persistence)](./auth.auth.md#authsetpersistence) | Changes the type of persistence on the <code>Auth</code> instance. |
+|  [setTokenRefreshHandler(tokenRefreshHandler)](./auth.auth.md#authsettokenrefreshhandler) | Registers a handler for refreshing third-party identity provider (IDP) tokens.<!-- -->When the Firebase access token is expired, the SDK will automatically invoke the provided handler's <code>refreshIdpToken()</code> method to obtain a new IDP token. This new token will then be exchanged for a fresh Firebase token, streamlining the authentication process. |
 |  [signOut()](./auth.auth.md#authsignout) | Signs out the current user. This does not automatically revoke the user's ID token. |
 |  [updateCurrentUser(user)](./auth.auth.md#authupdatecurrentuser) | Asynchronously sets the provided user as [Auth.currentUser](./auth.auth.md#authcurrentuser) on the [Auth](./auth.auth.md#auth_interface) instance. |
 |  [useDeviceLanguage()](./auth.auth.md#authusedevicelanguage) | Sets the current language to the default device/browser preference. |
@@ -120,6 +122,16 @@ This is used to edit/read configuration related options such as app verification
 readonly settings: AuthSettings;
 ```
 
+## Auth.tenantConfig
+
+The [TenantConfig](./auth.tenantconfig.md#tenantconfig_interface) used to initialize a Regional Auth. This is only present if regional auth is initialized and `DefaultConfig.REGIONAL_API_HOST` backend endpoint is used.
+
+<b>Signature:</b>
+
+```typescript
+readonly tenantConfig?: TenantConfig;
+```
+
 ## Auth.tenantId
 
 The [Auth](./auth.auth.md#auth_interface) instance's tenant ID.
@@ -261,6 +273,44 @@ auth.setPersistence(browserSessionPersistence);
 
 ```
 
+## Auth.setTokenRefreshHandler()
+
+Registers a handler for refreshing third-party identity provider (IDP) tokens.
+
+When the Firebase access token is expired, the SDK will automatically invoke the provided handler's `refreshIdpToken()` method to obtain a new IDP token. This new token will then be exchanged for a fresh Firebase token, streamlining the authentication process.
+
+<b>Signature:</b>
+
+```typescript
+setTokenRefreshHandler(tokenRefreshHandler: TokenRefreshHandler): void;
+```
+
+#### Parameters
+
+|  Parameter | Type | Description |
+|  --- | --- | --- |
+|  tokenRefreshHandler | [TokenRefreshHandler](./auth.tokenrefreshhandler.md#tokenrefreshhandler_interface) | An object that implements the <code>TokenRefreshHandler</code> interface, providing the logic to refresh the IDP token. |
+
+<b>Returns:</b>
+
+void
+
+### Example
+
+
+```javascript
+class TokenRefreshHandlerImpl {
+  refreshIdpToken() {
+    // Logic to fetch a new token from your custom IDP.
+    // Returns a Promise that resolves with a RefreshIdpTokenResult.
+  }
+}
+
+const tokenRefreshHandler = new TokenRefreshHandlerImpl();
+auth.setTokenRefreshHandler(tokenRefreshHandler);
+
+```
+
 ## Auth.signOut()
 
 Signs out the current user. This does not automatically revoke the user's ID token.
diff --git a/docs-devsite/auth.dependencies.md b/docs-devsite/auth.dependencies.md
index 8d212b7aa1d..d5b098cbedd 100644
--- a/docs-devsite/auth.dependencies.md
+++ b/docs-devsite/auth.dependencies.md
@@ -29,6 +29,7 @@ export interface Dependencies
 |  [errorMap](./auth.dependencies.md#dependencieserrormap) | [AuthErrorMap](./auth.autherrormap.md#autherrormap_interface) | Which [AuthErrorMap](./auth.autherrormap.md#autherrormap_interface) to use. |
 |  [persistence](./auth.dependencies.md#dependenciespersistence) | [Persistence](./auth.persistence.md#persistence_interface) \| [Persistence](./auth.persistence.md#persistence_interface)<!-- -->\[\] | Which [Persistence](./auth.persistence.md#persistence_interface) to use. If this is an array, the first <code>Persistence</code> that the device supports is used. The SDK searches for an existing account in order and, if one is found in a secondary <code>Persistence</code>, the account is moved to the primary <code>Persistence</code>.<!-- -->If no persistence is provided, the SDK falls back on [inMemoryPersistence](./auth.md#inmemorypersistence)<!-- -->. |
 |  [popupRedirectResolver](./auth.dependencies.md#dependenciespopupredirectresolver) | [PopupRedirectResolver](./auth.popupredirectresolver.md#popupredirectresolver_interface) | The [PopupRedirectResolver](./auth.popupredirectresolver.md#popupredirectresolver_interface) to use. This value depends on the platform. Options are [browserPopupRedirectResolver](./auth.md#browserpopupredirectresolver) and [cordovaPopupRedirectResolver](./auth.md#cordovapopupredirectresolver)<!-- -->. This field is optional if neither [signInWithPopup()](./auth.md#signinwithpopup_770f816) or [signInWithRedirect()](./auth.md#signinwithredirect_770f816) are being used. |
+|  [tenantConfig](./auth.dependencies.md#dependenciestenantconfig) | [TenantConfig](./auth.tenantconfig.md#tenantconfig_interface) | The [TenantConfig](./auth.tenantconfig.md#tenantconfig_interface) to use. This dependency is only required if you want to use regional auth which works with <code>DefaultConfig.REGIONAL_API_HOST</code> endpoint. It should not be set otherwise. |
 
 ## Dependencies.errorMap
 
@@ -61,3 +62,13 @@ The [PopupRedirectResolver](./auth.popupredirectresolver.md#popupredirectresolve
 ```typescript
 popupRedirectResolver?: PopupRedirectResolver;
 ```
+
+## Dependencies.tenantConfig
+
+The [TenantConfig](./auth.tenantconfig.md#tenantconfig_interface) to use. This dependency is only required if you want to use regional auth which works with `DefaultConfig.REGIONAL_API_HOST` endpoint. It should not be set otherwise.
+
+<b>Signature:</b>
+
+```typescript
+tenantConfig?: TenantConfig;
+```
diff --git a/docs-devsite/auth.md b/docs-devsite/auth.md
index 1b3938ef4eb..36446a9a0fe 100644
--- a/docs-devsite/auth.md
+++ b/docs-devsite/auth.md
@@ -28,6 +28,7 @@ Firebase Authentication
 |  [confirmPasswordReset(auth, oobCode, newPassword)](./auth.md#confirmpasswordreset_749dad8) | Completes the password reset process, given a confirmation code and new password. |
 |  [connectAuthEmulator(auth, url, options)](./auth.md#connectauthemulator_657c7e5) | Changes the [Auth](./auth.auth.md#auth_interface) instance to communicate with the Firebase Auth Emulator, instead of production Firebase Auth services. |
 |  [createUserWithEmailAndPassword(auth, email, password)](./auth.md#createuserwithemailandpassword_21ad33b) | Creates a new user account associated with the specified email address and password. |
+|  [exchangeToken(auth, idpConfigId, customToken)](./auth.md#exchangetoken_b6b1871) | Asynchronously exchanges an OIDC provider's Authorization code or Id Token for a Firebase Token. |
 |  [fetchSignInMethodsForEmail(auth, email)](./auth.md#fetchsigninmethodsforemail_efb3887) | Gets the list of possible sign in methods for the given email address. This method returns an empty list when [Email Enumeration Protection](https://cloud.google.com/identity-platform/docs/admin/email-enumeration-protection) is enabled, irrespective of the number of authentication methods available for the given email. |
 |  [getMultiFactorResolver(auth, error)](./auth.md#getmultifactorresolver_201ba61) | Provides a [MultiFactorResolver](./auth.multifactorresolver.md#multifactorresolver_interface) suitable for completion of a multi-factor flow. |
 |  [getRedirectResult(auth, resolver)](./auth.md#getredirectresult_c35dc1f) | Returns a [UserCredential](./auth.usercredential.md#usercredential_interface) from the redirect-based sign-in flow. |
@@ -137,6 +138,9 @@ Firebase Authentication
 |  [PopupRedirectResolver](./auth.popupredirectresolver.md#popupredirectresolver_interface) | A resolver used for handling DOM specific operations like [signInWithPopup()](./auth.md#signinwithpopup_770f816) or [signInWithRedirect()](./auth.md#signinwithredirect_770f816)<!-- -->. |
 |  [ReactNativeAsyncStorage](./auth.reactnativeasyncstorage.md#reactnativeasyncstorage_interface) | Interface for a supplied <code>AsyncStorage</code>. |
 |  [RecaptchaParameters](./auth.recaptchaparameters.md#recaptchaparameters_interface) | Interface representing reCAPTCHA parameters.<!-- -->See the [reCAPTCHA docs](https://developers.google.com/recaptcha/docs/display#render_param) for the list of accepted parameters. All parameters are accepted except for <code>sitekey</code>: Firebase Auth provisions a reCAPTCHA for each project and will configure the site key upon rendering.<!-- -->For an invisible reCAPTCHA, set the <code>size</code> key to <code>invisible</code>. |
+|  [RefreshIdpTokenResult](./auth.refreshidptokenresult.md#refreshidptokenresult_interface) | The result of a third-party IDP token refresh operation.<!-- -->This object contains the new IDP token and the Idp Config ID of the provider that issued it. |
+|  [TenantConfig](./auth.tenantconfig.md#tenantconfig_interface) | The tenant config that can be used to initialize a Regional [Auth](./auth.auth.md#auth_interface) instance. |
+|  [TokenRefreshHandler](./auth.tokenrefreshhandler.md#tokenrefreshhandler_interface) | An interface for handling the refresh of Firebase tokens. |
 |  [TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactorassertion_interface) | The class for asserting ownership of a TOTP second factor. Provided by [TotpMultiFactorGenerator.assertionForEnrollment()](./auth.totpmultifactorgenerator.md#totpmultifactorgeneratorassertionforenrollment) and [TotpMultiFactorGenerator.assertionForSignIn()](./auth.totpmultifactorgenerator.md#totpmultifactorgeneratorassertionforsignin)<!-- -->. |
 |  [TotpMultiFactorInfo](./auth.totpmultifactorinfo.md#totpmultifactorinfo_interface) | The subclass of the [MultiFactorInfo](./auth.multifactorinfo.md#multifactorinfo_interface) interface for TOTP second factors. The <code>factorId</code> of this second factor is [FactorId](./auth.md#factorid)<!-- -->.TOTP. |
 |  [User](./auth.user.md#user_interface) | A user account. |
@@ -404,6 +408,34 @@ export declare function createUserWithEmailAndPassword(auth: Auth, email: string
 
 Promise&lt;[UserCredential](./auth.usercredential.md#usercredential_interface)<!-- -->&gt;
 
+### exchangeToken(auth, idpConfigId, customToken) {:#exchangetoken_b6b1871}
+
+Asynchronously exchanges an OIDC provider's Authorization code or Id Token for a Firebase Token.
+
+This method is implemented only for `DefaultConfig.REGIONAL_API_HOST` and requires [TenantConfig](./auth.tenantconfig.md#tenantconfig_interface) to be configured in the [Auth](./auth.auth.md#auth_interface) instance used.
+
+Fails with an error if the token is invalid, expired, or not accepted by the Firebase Auth service.
+
+<b>Signature:</b>
+
+```typescript
+export declare function exchangeToken(auth: Auth, idpConfigId: string, customToken: string): Promise<string>;
+```
+
+#### Parameters
+
+|  Parameter | Type | Description |
+|  --- | --- | --- |
+|  auth | [Auth](./auth.auth.md#auth_interface) | The [Auth](./auth.auth.md#auth_interface) instance. |
+|  idpConfigId | string | The ExternalUserDirectoryId corresponding to the OIDC custom Token. |
+|  customToken | string | The OIDC provider's Authorization code or Id Token to exchange. |
+
+<b>Returns:</b>
+
+Promise&lt;string&gt;
+
+The firebase access token (JWT signed by Firebase Auth).
+
 ### fetchSignInMethodsForEmail(auth, email) {:#fetchsigninmethodsforemail_efb3887}
 
 Gets the list of possible sign in methods for the given email address. This method returns an empty list when [Email Enumeration Protection](https://cloud.google.com/identity-platform/docs/admin/email-enumeration-protection) is enabled, irrespective of the number of authentication methods available for the given email.
diff --git a/docs-devsite/auth.refreshidptokenresult.md b/docs-devsite/auth.refreshidptokenresult.md
new file mode 100644
index 00000000000..6b57b573d42
--- /dev/null
+++ b/docs-devsite/auth.refreshidptokenresult.md
@@ -0,0 +1,48 @@
+Project: /docs/reference/js/_project.yaml
+Book: /docs/reference/_book.yaml
+page_type: reference
+
+{% comment %}
+DO NOT EDIT THIS FILE!
+This is generated by the JS SDK team, and any local changes will be
+overwritten. Changes should be made in the source code at
+https://github.com/firebase/firebase-js-sdk
+{% endcomment %}
+
+# RefreshIdpTokenResult interface
+The result of a third-party IDP token refresh operation.
+
+This object contains the new IDP token and the Idp Config ID of the provider that issued it.
+
+<b>Signature:</b>
+
+```typescript
+export interface RefreshIdpTokenResult 
+```
+
+## Properties
+
+|  Property | Type | Description |
+|  --- | --- | --- |
+|  [idpConfigId](./auth.refreshidptokenresult.md#refreshidptokenresultidpconfigid) | string | The configuration ID of the third-party identity provider. |
+|  [idToken](./auth.refreshidptokenresult.md#refreshidptokenresultidtoken) | string | The new Id Token from the 3rd party Identity Provider. |
+
+## RefreshIdpTokenResult.idpConfigId
+
+The configuration ID of the third-party identity provider.
+
+<b>Signature:</b>
+
+```typescript
+idpConfigId: string;
+```
+
+## RefreshIdpTokenResult.idToken
+
+The new Id Token from the 3rd party Identity Provider.
+
+<b>Signature:</b>
+
+```typescript
+idToken: string;
+```
diff --git a/docs-devsite/auth.tenantconfig.md b/docs-devsite/auth.tenantconfig.md
new file mode 100644
index 00000000000..8ac9d0c7c51
--- /dev/null
+++ b/docs-devsite/auth.tenantconfig.md
@@ -0,0 +1,46 @@
+Project: /docs/reference/js/_project.yaml
+Book: /docs/reference/_book.yaml
+page_type: reference
+
+{% comment %}
+DO NOT EDIT THIS FILE!
+This is generated by the JS SDK team, and any local changes will be
+overwritten. Changes should be made in the source code at
+https://github.com/firebase/firebase-js-sdk
+{% endcomment %}
+
+# TenantConfig interface
+The tenant config that can be used to initialize a Regional [Auth](./auth.auth.md#auth_interface) instance.
+
+<b>Signature:</b>
+
+```typescript
+export interface TenantConfig 
+```
+
+## Properties
+
+|  Property | Type | Description |
+|  --- | --- | --- |
+|  [location](./auth.tenantconfig.md#tenantconfiglocation) | string | Which location to use. |
+|  [tenantId](./auth.tenantconfig.md#tenantconfigtenantid) | string | The tenant Id being used. |
+
+## TenantConfig.location
+
+Which location to use.
+
+<b>Signature:</b>
+
+```typescript
+location: string;
+```
+
+## TenantConfig.tenantId
+
+The tenant Id being used.
+
+<b>Signature:</b>
+
+```typescript
+tenantId: string;
+```
diff --git a/docs-devsite/auth.tokenrefreshhandler.md b/docs-devsite/auth.tokenrefreshhandler.md
new file mode 100644
index 00000000000..ad7bddfefb0
--- /dev/null
+++ b/docs-devsite/auth.tokenrefreshhandler.md
@@ -0,0 +1,43 @@
+Project: /docs/reference/js/_project.yaml
+Book: /docs/reference/_book.yaml
+page_type: reference
+
+{% comment %}
+DO NOT EDIT THIS FILE!
+This is generated by the JS SDK team, and any local changes will be
+overwritten. Changes should be made in the source code at
+https://github.com/firebase/firebase-js-sdk
+{% endcomment %}
+
+# TokenRefreshHandler interface
+An interface for handling the refresh of Firebase tokens.
+
+<b>Signature:</b>
+
+```typescript
+export interface TokenRefreshHandler 
+```
+
+## Methods
+
+|  Method | Description |
+|  --- | --- |
+|  [refreshIdpToken()](./auth.tokenrefreshhandler.md#tokenrefreshhandlerrefreshidptoken) | Refreshes the third-party IDP token.<!-- -->This method should contain the logic to obtain a new, valid IDP token from your identity provider. |
+
+## TokenRefreshHandler.refreshIdpToken()
+
+Refreshes the third-party IDP token.
+
+This method should contain the logic to obtain a new, valid IDP token from your identity provider.
+
+<b>Signature:</b>
+
+```typescript
+refreshIdpToken(): Promise<RefreshIdpTokenResult>;
+```
+<b>Returns:</b>
+
+Promise&lt;[RefreshIdpTokenResult](./auth.refreshidptokenresult.md#refreshidptokenresult_interface)<!-- -->&gt;
+
+A promise that resolves with a `RefreshIdpTokenResult` object containing the new IDP token and its corresponding Idp Config ID.
+
diff --git a/packages/auth/demo/public/index.html b/packages/auth/demo/public/index.html
index 78b14b8dd92..9581513551a 100644
--- a/packages/auth/demo/public/index.html
+++ b/packages/auth/demo/public/index.html
@@ -170,6 +170,13 @@
                 Action Code Settings
               </a>
             </li>
+            <li role="presentation">
+              <a href="#tab-byo-ciam-content"
+                 aria-controls="tab-byo-ciam-content"
+                 data-toggle="tab" role="tab">
+                BYO-CIAM methods
+              </a>
+            </li>
             <li role="presentation" class="visible-xs">
               <a href="#logs-section"
                  aria-controls="logs-section"
@@ -844,6 +851,54 @@
                         id="action-code-settings-reset">Reset</button>
               </form>
             </div>
+            <div class="tab-pane" id="tab-byo-ciam-content">
+              <h2>Sign in with your CIAM token</h2>
+
+              <!-- Initialize Regional Auth -->
+              <div class="group">Initialize Regional Auth</div>
+              <div class="form-group">
+                <label for="tenant-id-input">Tenant ID</label>
+                <input type="text" class="form-control" id="tenant-id-input" placeholder="Enter Tenant ID">
+              </div>
+              <button class="btn btn-primary" id="initialize-regional-auth-btn">Initialize Regional Auth</button>
+              <div id="regional-auth-status"></div>
+              <button class="btn btn-default" id="clear-regional-auth-id-btn">Clear Regional Auth Instance</button>
+              <hr>
+
+              <!-- Set Token Refresh Handler -->
+              <div class="group">Set Token Refresh Handler</div>
+              <button class="btn btn-success" id="set-successful-handler-btn">Set Token Refresh Handler (Success)</button>
+              <button class="btn btn-danger" id="set-failure-handler-btn">Set Token Refresh Handler (Failure)</button>
+              <div id="token-handler-status"></div>
+              <hr>
+
+              <!-- Exchange Token -->
+              <div class="group">Exchange Token</div>
+              <div id="firebase-token-status">No CIAM token found. User not logged in.</div>
+              <input type="text" id="idp-config-id" class="form-control" placeholder="IDP Config ID" />
+              <input type="text" id="byo-ciam-token"
+                     class="form-control" placeholder="Enter CIAM token" />
+              <button class="btn btn-block btn-primary"
+                  id="exchange-token">
+                Exchange Token
+              </button>
+              <pre id="byo-ciam-result"></pre>
+
+              <!-- Auth Interop Methods -->
+              <div class="group">Auth Interop Methods</div>
+              <button class="btn btn-block btn-primary"
+                  id="interop-getToken-btn">
+                getToken
+              </button>
+              <br>
+              <pre id="tokenDisplay"></pre>
+              <button class="btn btn-block btn-primary"
+                  id="interop-getToken-forceRefresh-btn">
+                getToken force refresh
+              </button>
+              <br>
+              <pre id="tokenDisplay-forceRefresh"></pre>
+            </div>
             <div class="tab-pane" id="logs-section">
               <pre class="well logs"></pre>
               <button class="btn btn-xs btn-default pull-right clear-logs">
diff --git a/packages/auth/demo/src/index.js b/packages/auth/demo/src/index.js
index 876a345671a..c73ee02bd72 100644
--- a/packages/auth/demo/src/index.js
+++ b/packages/auth/demo/src/index.js
@@ -22,7 +22,7 @@
  *   package.
  */
 
-import { initializeApp } from '@firebase/app';
+import { initializeApp, _getProvider } from '@firebase/app';
 import {
   applyActionCode,
   browserLocalPersistence,
@@ -74,7 +74,8 @@ import {
   connectAuthEmulator,
   initializeRecaptchaConfig,
   validatePassword,
-  revokeAccessToken
+  revokeAccessToken,
+  exchangeToken
 } from '@firebase/auth';
 
 import { config } from './config';
@@ -95,6 +96,8 @@ const AUTH_EMULATOR_URL = 'http://localhost:9099';
 
 let app = null;
 let auth = null;
+let regionalAuth = null;
+let authInternalProvider = null;
 let currentTab = null;
 let lastUser = null;
 let applicationVerifier = null;
@@ -147,6 +150,92 @@ async function getActiveUserBlocking() {
   }
 }
 
+class RefreshIdpTokenResult {
+  idpConfigId;
+  idToken;
+}
+
+class TokenRefreshHandlerImpl {
+  /**
+   * Opens a popup to get a 3P ID token and Config ID from the user.
+   * @returns {Promise<RefreshIdpTokenResult>} A promise that returns IdpConfigId and 3p IDP Id token.
+   */
+  refreshIdpToken() {
+    return this.promptForTokenAndConfigId();
+  }
+
+  promptForTokenAndConfigId() {
+    return new Promise((resolve, reject) => {
+      let isSubmitted = false;
+      const modalId = 'third-party-token-modal';
+
+      const modalHtml = `
+        <div class="modal fade" id="${modalId}" tabindex="-1" role="dialog" aria-labelledby="tokenModalLabel">
+          <div class="modal-dialog" role="document">
+            <div class="modal-content">
+              <div class="modal-header">
+                <button type="button" class="close" data-dismiss="modal" aria-label="Close">
+                  <span aria-hidden="true">&times;</span>
+                </button>
+                <h4 class="modal-title" id="tokenModalLabel">Enter 3P Token Details</h4>
+              </div>
+              <div class="modal-body">
+                <p>Please enter the third-party token details:</p>
+                <div class="form-group">
+                  <label for="idp-config-id-input-field">IDP Config ID</label>
+                  <input type="text" class="form-control" id="idp-config-id-input-field" placeholder="eg: idp.example.com">
+                </div>
+                <div class="form-group">
+                  <label for="id-token-input-field">ID Token</label>
+                  <input type="text" class="form-control" id="id-token-input-field" placeholder="Paste ID Token here">
+                </div>
+              </div>
+              <div class="modal-footer">
+                <button type="button" class="btn btn-default" data-dismiss="modal">Cancel</button>
+                <button type="button" class="btn btn-primary" id="token-submit-btn">Submit</button>
+              </div>
+            </div>
+          </div>
+        </div>
+      `;
+
+      $('body').append(modalHtml);
+      const $modal = $(`#${modalId}`);
+
+      $modal.find('#token-submit-btn').on('click', () => {
+        isSubmitted = true;
+
+        const configId = $modal.find('#idp-config-id-input-field').val();
+        const token = $modal.find('#id-token-input-field').val();
+
+        $modal.modal('hide'); // Hide the modal
+
+        const result = new RefreshIdpTokenResult();
+        result.idpConfigId = configId;
+        result.idToken = token;
+
+        resolve(result);
+      });
+
+      $modal.on('hidden.bs.modal', () => {
+        $modal.remove();
+
+        if (!isSubmitted) {
+          reject(new Error('User cancelled token input.'));
+        }
+      });
+
+      $modal.modal('show');
+    });
+  }
+}
+
+class TokenRefreshHandlerFailureImpl {
+  refreshIdpToken() {
+    return Promise.reject(new Error('Simulated failure to refresh IDP token.'));
+  }
+}
+
 /**
  * Refreshes the current user data in the UI, displaying a user info box if
  * a user is signed in, or removing it.
@@ -1303,6 +1392,7 @@ function onRefreshToken() {
 function onSignOut() {
   setLastUser(auth.currentUser);
   auth.signOut().then(signOut, onAuthError);
+  regionalAuth.signOut();
 }
 
 /**
@@ -1506,6 +1596,154 @@ function onFinalizeSignInWithTotpMultiFactor(event) {
   }, onAuthError);
 }
 
+async function exchangeCIAMToken(idpConfigId, token) {
+  const firebaseToken = await exchangeToken(regionalAuth, idpConfigId, token);
+  return firebaseToken;
+}
+
+function onInitializeRegionalAuthClick() {
+  const tenantId = $('#tenant-id-input').val();
+  if (!tenantId) {
+    alertError('Please enter a Tenant ID.');
+    return;
+  }
+
+  try {
+    const tenantConfig = {
+      location: 'global',
+      tenantId: tenantId
+    };
+
+    const regionalApp = initializeApp(config, `${auth.name}-rgcip`);
+
+    regionalAuth = initializeAuth(regionalApp, {
+      persistence: indexedDBLocalPersistence,
+      popupRedirectResolver: browserPopupRedirectResolver,
+      tenantConfig: tenantConfig
+    });
+    authInternalProvider = _getProvider(regionalApp, 'auth-internal');
+    $('#regional-auth-status').text('✅ regionalAuth is initialized');
+    $('#token-handler-status').text('Token refresh handler is not set.');
+    const handlerType = localStorage.getItem('tokenRefreshHandlerType');
+    if (handlerType === 'success') {
+      onSetSuccessfulHandlerClick();
+    } else if (handlerType === 'failure') {
+      onSetFailureHandlerClick();
+    }
+    const firebaseTokenStatus = document.getElementById(
+      'firebase-token-status'
+    );
+    setTimeout(async () => {
+      const firebaseToken = await regionalAuth.getFirebaseAccessToken();
+      if (firebaseToken) {
+        firebaseTokenStatus.textContent =
+          '✅ Firebase token is set: ' + firebaseToken;
+      } else {
+        firebaseTokenStatus.textContent =
+          'No CIAM token found. User not logged in.';
+      }
+      console.log('firebaseToken after delay: ', firebaseToken);
+    }, 1000);
+    localStorage.setItem('regionalAuthTenantId', tenantId);
+  } catch (error) {
+    onAuthError(error);
+  }
+}
+
+function clearRegionalAuthInstance() {
+  localStorage.removeItem('regionalAuthTenantId');
+  localStorage.removeItem('tokenRefreshHandlerType'); // Clear handler choice
+  $('#tenant-id-input').val('');
+  regionalAuth = null;
+  $('#regional-auth-status').text('regionalAuth is not initialized');
+  $('#token-handler-status').text('Token refresh handler is not set.');
+}
+
+function onExchangeToken(event) {
+  event.preventDefault();
+  if (!validateRegionalAuth()) {
+    return;
+  }
+
+  const byoCiamInput = document.getElementById('byo-ciam-token');
+  const idpConfigId = document.getElementById('idp-config-id');
+  const firebaseTokenStatus = document.getElementById('firebase-token-status');
+
+  firebaseTokenStatus.textContent = 'Exchanging token...';
+
+  exchangeCIAMToken(idpConfigId.value, byoCiamInput.value)
+    .then(response => {
+      firebaseTokenStatus.textContent = '✅ Firebase token is set: ' + response;
+      console.log('Token:', response);
+    })
+    .catch(error => {
+      (firebaseTokenStatus.textContent = 'Error exchanging token: '), error;
+      console.error('Error exchanging token:', error);
+      onAuthError(error);
+    });
+}
+
+function onSetSuccessfulHandlerClick() {
+  if (!validateRegionalAuth()) {
+    return;
+  }
+
+  const tokenRefreshHandler = new TokenRefreshHandlerImpl();
+  regionalAuth.setTokenRefreshHandler(tokenRefreshHandler);
+  localStorage.setItem('tokenRefreshHandlerType', 'success');
+  $('#token-handler-status').text(
+    '✅ Token refresh handler is set to success.'
+  );
+}
+
+function onSetFailureHandlerClick() {
+  if (!validateRegionalAuth()) {
+    return;
+  }
+
+  const tokenRefreshHandler = new TokenRefreshHandlerFailureImpl();
+  regionalAuth.setTokenRefreshHandler(tokenRefreshHandler);
+  localStorage.setItem('tokenRefreshHandlerType', 'failure');
+  $('#token-handler-status').text(
+    '✅ Token refresh handler is set to failure.'
+  );
+}
+
+async function getFirebaseTokenInterop(forceRefresh) {
+  if (!validateRegionalAuth()) {
+    return;
+  }
+  const tokenDisplay = document.getElementById('tokenDisplay');
+  tokenDisplay.textContent = 'Loading token...';
+  try {
+    const authInternal = authInternalProvider.getImmediate();
+    const token = await authInternal.getToken(forceRefresh);
+
+    if (token && token.accessToken) {
+      // The token object has an accessToken property
+      // as per the FirebaseAuthTokenData interface.
+      tokenDisplay.textContent = token.accessToken;
+    } else {
+      tokenDisplay.textContent = 'No token available.';
+    }
+  } catch (error) {
+    console.error('Error getting token:', error);
+    tokenDisplay.textContent = 'Error getting token. See console for details.';
+  }
+}
+
+function validateRegionalAuth() {
+  if (!regionalAuth) {
+    onAuthError({
+      code: 'auth-not-initialized',
+      message:
+        'Regional Auth is not initialized. Please enter a Tenant ID and initialize.'
+    });
+    return false;
+  }
+  return true;
+}
+
 /**
  * Adds a new row to insert an OAuth custom parameter key/value pair.
  * @param {!jQuery.Event} _event The jQuery event object.
@@ -2051,6 +2289,12 @@ function initApp() {
     connectAuthEmulator(auth, AUTH_EMULATOR_URL);
   }
 
+  const persistedTenantId = localStorage.getItem('regionalAuthTenantId');
+  if (persistedTenantId) {
+    $('#tenant-id-input').val(persistedTenantId);
+    onInitializeRegionalAuthClick();
+  }
+
   tempApp = initializeApp(
     {
       apiKey: config.apiKey,
@@ -2391,6 +2635,21 @@ function initApp() {
   $('#enroll-mfa-totp-finalize').click(onFinalizeEnrollWithTotpMultiFactor);
   // Sets tenant for the current auth instance
   $('#set-tenant-btn').click(onSetTenantIdClick);
+
+  // Performs Exchange Token
+  $('#exchange-token').click(onExchangeToken);
+
+  $('#initialize-regional-auth-btn').click(onInitializeRegionalAuthClick);
+  $('#set-successful-handler-btn').click(onSetSuccessfulHandlerClick);
+  $('#set-failure-handler-btn').click(onSetFailureHandlerClick);
+  $('#clear-regional-auth-id-btn').click(clearRegionalAuthInstance);
+
+  $('#interop-getToken-btn').click(() => {
+    getFirebaseTokenInterop(false);
+  });
+  $('#interop-getToken-forceRefresh-btn').click(() => {
+    getFirebaseTokenInterop(true);
+  });
 }
 
 $(initApp);
diff --git a/packages/auth/src/api/authentication/exchange_token.test.ts b/packages/auth/src/api/authentication/exchange_token.test.ts
new file mode 100644
index 00000000000..f89e60f2b67
--- /dev/null
+++ b/packages/auth/src/api/authentication/exchange_token.test.ts
@@ -0,0 +1,106 @@
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import { expect, use } from 'chai';
+import chaiAsPromised from 'chai-as-promised';
+
+import {
+  regionalTestAuth,
+  testAuth,
+  TestAuth
+} from '../../../test/helpers/mock_auth';
+import * as mockFetch from '../../../test/helpers/mock_fetch';
+import { mockRegionalEndpointWithParent } from '../../../test/helpers/api/helper';
+import { exchangeToken } from './exchange_token';
+import { HttpHeader, RegionalEndpoint } from '..';
+import { FirebaseError } from '@firebase/util';
+import { ServerError } from '../errors';
+
+use(chaiAsPromised);
+
+describe('api/authentication/exchange_token', () => {
+  let auth: TestAuth;
+  let regionalAuth: TestAuth;
+  const request = {
+    parent: 'test-parent',
+    // eslint-disable-next-line camelcase
+    id_token: 'custom-token'
+  };
+
+  beforeEach(async () => {
+    auth = await testAuth();
+    regionalAuth = await regionalTestAuth();
+    mockFetch.setUp();
+  });
+
+  afterEach(mockFetch.tearDown);
+
+  it('returns accesss token for Regional Auth', async () => {
+    const mock = mockRegionalEndpointWithParent(
+      RegionalEndpoint.EXCHANGE_TOKEN,
+      'test-parent',
+      'test-api-key',
+      { accessToken: 'outbound-token', expiresIn: '1000' }
+    );
+
+    const response = await exchangeToken(regionalAuth, request);
+    expect(response.accessToken).equal('outbound-token');
+    expect(response.expiresIn).equal('1000');
+    expect(mock.calls[0].request).to.eql({
+      parent: 'test-parent',
+      // eslint-disable-next-line camelcase
+      id_token: 'custom-token'
+    });
+    expect(mock.calls[0].method).to.eq('POST');
+    expect(mock.calls[0].headers!.get(HttpHeader.CONTENT_TYPE)).to.eq(
+      'application/json'
+    );
+  });
+
+  it('throws exception for default Auth', async () => {
+    await expect(exchangeToken(auth, request)).to.be.rejectedWith(
+      FirebaseError,
+      'Firebase: Operations not allowed for the auth object initialized. (auth/operation-not-allowed).'
+    );
+  });
+
+  it('should handle errors', async () => {
+    const mock = mockRegionalEndpointWithParent(
+      RegionalEndpoint.EXCHANGE_TOKEN,
+      'test-parent',
+      'test-api-key',
+      {
+        error: {
+          code: 400,
+          message: ServerError.INVALID_CUSTOM_TOKEN,
+          errors: [
+            {
+              message: ServerError.INVALID_CUSTOM_TOKEN
+            }
+          ]
+        }
+      },
+      400
+    );
+
+    await expect(exchangeToken(regionalAuth, request)).to.be.rejectedWith(
+      FirebaseError,
+      '(auth/invalid-custom-token).'
+    );
+    expect(mock.calls[0].request).to.eql(request);
+  });
+});
diff --git a/packages/auth/src/api/authentication/exchange_token.ts b/packages/auth/src/api/authentication/exchange_token.ts
new file mode 100644
index 00000000000..a385fc1699d
--- /dev/null
+++ b/packages/auth/src/api/authentication/exchange_token.ts
@@ -0,0 +1,51 @@
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+import {
+  RegionalEndpoint,
+  HttpMethod,
+  _performRegionalApiRequest
+} from '../index';
+import { Auth } from '../../model/public_types';
+
+export interface ExchangeTokenRequest {
+  parent: string;
+  id_token: string;
+}
+
+export interface ExchangeTokenResponse {
+  // The firebase access token (JWT signed by Firebase Auth).
+  accessToken: string;
+  // The time when the access token expires.
+  expiresIn: number;
+}
+
+export async function exchangeToken(
+  auth: Auth,
+  request: ExchangeTokenRequest
+): Promise<ExchangeTokenResponse> {
+  return _performRegionalApiRequest<
+    ExchangeTokenRequest,
+    ExchangeTokenResponse
+  >(
+    auth,
+    HttpMethod.POST,
+    RegionalEndpoint.EXCHANGE_TOKEN,
+    request,
+    {},
+    request.parent
+  );
+}
diff --git a/packages/auth/src/api/index.test.ts b/packages/auth/src/api/index.test.ts
index 02042fce429..f6726625e53 100644
--- a/packages/auth/src/api/index.test.ts
+++ b/packages/auth/src/api/index.test.ts
@@ -24,16 +24,25 @@ import sinonChai from 'sinon-chai';
 import { FirebaseError, getUA } from '@firebase/util';
 import * as utils from '@firebase/util';
 
-import { mockEndpoint } from '../../test/helpers/api/helper';
-import { testAuth, TestAuth } from '../../test/helpers/mock_auth';
+import {
+  mockEndpoint,
+  mockRegionalEndpointWithParent
+} from '../../test/helpers/api/helper';
+import {
+  regionalTestAuth,
+  testAuth,
+  TestAuth
+} from '../../test/helpers/mock_auth';
 import * as mockFetch from '../../test/helpers/mock_fetch';
 import { AuthErrorCode } from '../core/errors';
 import { ConfigInternal } from '../model/auth';
 import {
   _getFinalTarget,
   _performApiRequest,
+  _performRegionalApiRequest,
   DEFAULT_API_TIMEOUT_MS,
   Endpoint,
+  RegionalEndpoint,
   HttpHeader,
   HttpMethod,
   _addTidIfNecessary
@@ -55,9 +64,11 @@ describe('api/_performApiRequest', () => {
   };
 
   let auth: TestAuth;
+  let regionalAuth: TestAuth;
 
   beforeEach(async () => {
     auth = await testAuth();
+    regionalAuth = await regionalTestAuth();
   });
 
   afterEach(() => {
@@ -595,4 +606,123 @@ describe('api/_performApiRequest', () => {
         .and.not.have.property('tenantId');
     });
   });
+
+  context('throws Operation not allowed exception', () => {
+    it('when tenantConfig is initialized and default Endpoint is used', async () => {
+      await expect(
+        _performApiRequest<typeof request, typeof serverResponse>(
+          regionalAuth,
+          HttpMethod.POST,
+          Endpoint.SIGN_UP,
+          request
+        )
+      ).to.be.rejectedWith(
+        FirebaseError,
+        'Firebase: Operations not allowed for the auth object initialized. (auth/operation-not-allowed).'
+      );
+    });
+  });
+});
+
+describe('api/_performRegionalApiRequest', () => {
+  const request = {
+    requestKey: 'request-value'
+  };
+
+  const serverResponse = {
+    responseKey: 'response-value'
+  };
+
+  let auth: TestAuth;
+  let regionalAuth: TestAuth;
+
+  beforeEach(async () => {
+    auth = await testAuth();
+    regionalAuth = await regionalTestAuth();
+  });
+
+  afterEach(() => {
+    sinon.restore();
+  });
+
+  context('with regular requests', () => {
+    beforeEach(mockFetch.setUp);
+    afterEach(mockFetch.tearDown);
+    it('should set the correct request, method and HTTP Headers', async () => {
+      const mock = mockRegionalEndpointWithParent(
+        RegionalEndpoint.EXCHANGE_TOKEN,
+        'test-parent',
+        'test-api-key',
+        serverResponse
+      );
+      const response = await _performRegionalApiRequest<
+        typeof request,
+        typeof serverResponse
+      >(
+        regionalAuth,
+        HttpMethod.POST,
+        RegionalEndpoint.EXCHANGE_TOKEN,
+        request,
+        {},
+        'test-parent'
+      );
+      expect(response).to.eql(serverResponse);
+      expect(mock.calls.length).to.eq(1);
+      expect(mock.calls[0].method).to.eq(HttpMethod.POST);
+      expect(mock.calls[0].request).to.eql(request);
+      expect(mock.calls[0].headers!.get(HttpHeader.CONTENT_TYPE)).to.eq(
+        'application/json'
+      );
+      expect(mock.calls[0].headers!.get(HttpHeader.X_CLIENT_VERSION)).to.eq(
+        'testSDK/0.0.0'
+      );
+      expect(mock.calls[0].fullRequest?.credentials).to.be.undefined;
+    });
+
+    it('should include whatever headers the auth impl attaches', async () => {
+      sinon.stub(regionalAuth, '_getAdditionalHeaders').returns(
+        Promise.resolve({
+          'look-at-me-im-a-header': 'header-value',
+          'anotherheader': 'header-value-2'
+        })
+      );
+
+      const mock = mockRegionalEndpointWithParent(
+        RegionalEndpoint.EXCHANGE_TOKEN,
+        'test-parent',
+        'test-api-key',
+        serverResponse
+      );
+      await _performRegionalApiRequest<typeof request, typeof serverResponse>(
+        regionalAuth,
+        HttpMethod.POST,
+        RegionalEndpoint.EXCHANGE_TOKEN,
+        request,
+        {},
+        'test-parent'
+      );
+      expect(mock.calls[0].headers.get('look-at-me-im-a-header')).to.eq(
+        'header-value'
+      );
+      expect(mock.calls[0].headers.get('anotherheader')).to.eq(
+        'header-value-2'
+      );
+    });
+  });
+
+  context('throws Operation not allowed exception', () => {
+    it('when tenantConfig is not initialized and Regional Endpoint is used', async () => {
+      await expect(
+        _performRegionalApiRequest<typeof request, typeof serverResponse>(
+          auth,
+          HttpMethod.POST,
+          RegionalEndpoint.EXCHANGE_TOKEN,
+          request
+        )
+      ).to.be.rejectedWith(
+        FirebaseError,
+        'Firebase: Operations not allowed for the auth object initialized. (auth/operation-not-allowed).'
+      );
+    });
+  });
 });
diff --git a/packages/auth/src/api/index.ts b/packages/auth/src/api/index.ts
index af9b3c63bf1..fcf7bb13486 100644
--- a/packages/auth/src/api/index.ts
+++ b/packages/auth/src/api/index.ts
@@ -26,6 +26,7 @@ import { AuthErrorCode, NamedErrorParams } from '../core/errors';
 import {
   _createError,
   _errorWithCustomMessage,
+  _operationNotSupportedForInitializedAuthInstance,
   _fail
 } from '../core/util/assert';
 import { Delay } from '../core/util/delay';
@@ -80,6 +81,13 @@ export const enum Endpoint {
   REVOKE_TOKEN = '/v2/accounts:revokeToken'
 }
 
+export const EXCHANGE_TOKEN_PARENT =
+  'projects/${projectId}/locations/${location}/tenants/${tenantId}/idpConfigs/${idpConfigId}';
+
+export const enum RegionalEndpoint {
+  EXCHANGE_TOKEN = ':exchangeOidcToken'
+}
+
 const CookieAuthProxiedEndpoints: string[] = [
   Endpoint.SIGN_IN_WITH_CUSTOM_TOKEN,
   Endpoint.SIGN_IN_WITH_EMAIL_LINK,
@@ -136,10 +144,14 @@ export function _addTidIfNecessary<T extends { tenantId?: string }>(
   return request;
 }
 
-export async function _performApiRequest<T, V>(
+function isRegionalAuthInitialized(auth: Auth): boolean {
+  return !!auth.tenantConfig;
+}
+
+async function performApiRequest<T, V>(
   auth: Auth,
   method: HttpMethod,
-  path: Endpoint,
+  path: string,
   request?: T,
   customErrorMap: Partial<ServerErrorMap<ServerError>> = {}
 ): Promise<V> {
@@ -156,7 +168,7 @@ export async function _performApiRequest<T, V>(
       }
     }
 
-    const query = querystring({
+    const queryParamString = querystring({
       key: auth.config.apiKey,
       ...params
     }).slice(1);
@@ -187,12 +199,45 @@ export async function _performApiRequest<T, V>(
     }
 
     return FetchProvider.fetch()(
-      await _getFinalTarget(auth, auth.config.apiHost, path, query),
+      await _getFinalTarget(auth, auth.config.apiHost, path, queryParamString),
       fetchArgs
     );
   });
 }
 
+export async function _performRegionalApiRequest<T, V>(
+  auth: Auth,
+  method: HttpMethod,
+  path: RegionalEndpoint,
+  request?: T,
+  customErrorMap: Partial<ServerErrorMap<ServerError>> = {},
+  parent?: string
+): Promise<V> {
+  if (!isRegionalAuthInitialized(auth)) {
+    throw _operationNotSupportedForInitializedAuthInstance(auth);
+  }
+  return performApiRequest(
+    auth,
+    method,
+    `${parent}${path}`,
+    request,
+    customErrorMap
+  );
+}
+
+export async function _performApiRequest<T, V>(
+  auth: Auth,
+  method: HttpMethod,
+  path: Endpoint,
+  request?: T,
+  customErrorMap: Partial<ServerErrorMap<ServerError>> = {}
+): Promise<V> {
+  if (isRegionalAuthInitialized(auth)) {
+    throw _operationNotSupportedForInitializedAuthInstance(auth);
+  }
+  return performApiRequest(auth, method, `${path}`, request, customErrorMap);
+}
+
 export async function _performFetchWithErrorHandling<V>(
   auth: Auth,
   customErrorMap: Partial<ServerErrorMap<ServerError>>,
@@ -281,9 +326,9 @@ export async function _getFinalTarget(
   auth: Auth,
   host: string,
   path: string,
-  query: string
+  query?: string
 ): Promise<string> {
-  const base = `${host}${path}?${query}`;
+  const base = query ? `${host}${path}?${query}` : `${host}${path}`;
 
   const authInternal = auth as AuthInternal;
   const finalTarget = authInternal.config.emulator
diff --git a/packages/auth/src/core/auth/auth_impl.test.ts b/packages/auth/src/core/auth/auth_impl.test.ts
index 3aa8623d40e..79c459ce9e1 100644
--- a/packages/auth/src/core/auth/auth_impl.test.ts
+++ b/packages/auth/src/core/auth/auth_impl.test.ts
@@ -28,10 +28,11 @@ import {
   FAKE_APP_CHECK_CONTROLLER_PROVIDER,
   FAKE_HEARTBEAT_CONTROLLER,
   FAKE_HEARTBEAT_CONTROLLER_PROVIDER,
+  regionalTestAuth,
   testAuth,
   testUser
 } from '../../../test/helpers/mock_auth';
-import { AuthInternal } from '../../model/auth';
+import { AuthInternal, FirebaseToken } from '../../model/auth';
 import { UserInternal } from '../../model/user';
 import { PersistenceInternal } from '../persistence';
 import { inMemoryPersistence } from '../persistence/in_memory';
@@ -46,8 +47,13 @@ import { mockEndpointWithParams } from '../../../test/helpers/api/helper';
 import { Endpoint, RecaptchaClientType, RecaptchaVersion } from '../../api';
 import * as mockFetch from '../../../test/helpers/mock_fetch';
 import { AuthErrorCode } from '../errors';
-import { PasswordValidationStatus } from '../../model/public_types';
+import * as exchangeTokenModule from '../strategies/exhange_token';
+import {
+  PasswordValidationStatus,
+  TokenRefreshHandler
+} from '../../model/public_types';
 import { PasswordPolicyImpl } from './password_policy_impl';
+import { PersistenceUserManager } from '../persistence/persistence_user_manager';
 
 use(sinonChai);
 use(chaiAsPromised);
@@ -150,6 +156,312 @@ describe('core/auth/auth_impl', () => {
     });
   });
 
+  describe('#updateFirebaseToken', () => {
+    const token: FirebaseToken = {
+      token: 'test-token',
+      expirationTime: 123456789
+    };
+
+    it('sets the field on the auth object', async () => {
+      await auth._updateFirebaseToken(token);
+      expect((auth as any).firebaseToken).to.eql(token);
+    });
+
+    it('calls persistence._set with correct values', async () => {
+      await auth._updateFirebaseToken(token);
+      expect(persistenceStub._set).to.have.been.calledWith(
+        'firebase:persistence-token:api-key:test-app', // key
+        {
+          token: token.token,
+          expirationTime: token.expirationTime
+        }
+      );
+    });
+
+    it('setting to null triggers persistence._remove', async () => {
+      await auth._updateFirebaseToken(null);
+      expect(persistenceStub._remove).to.have.been.calledWith(
+        'firebase:persistence-token:api-key:test-app'
+      );
+    });
+
+    it('orders async updates correctly', async () => {
+      const tokens: FirebaseToken[] = Array.from({ length: 5 }, (_, i) => ({
+        token: `token-${i}`,
+        expirationTime: Date.now() + i
+      }));
+
+      persistenceStub._set.callsFake(() => {
+        return new Promise(resolve => {
+          setTimeout(() => resolve(), 1);
+        });
+      });
+
+      await Promise.all(tokens.map(t => auth._updateFirebaseToken(t)));
+
+      for (let i = 0; i < tokens.length; i++) {
+        expect(persistenceStub._set.getCall(i)).to.have.been.calledWith(
+          'firebase:persistence-token:api-key:test-app',
+          {
+            token: tokens[i].token,
+            expirationTime: tokens[i].expirationTime
+          }
+        );
+      }
+    });
+
+    it('throws if persistence._set fails', async () => {
+      persistenceStub._set.rejects(new Error('fail'));
+      await expect(auth._updateFirebaseToken(token)).to.be.rejectedWith('fail');
+    });
+
+    it('throws if persistence._remove fails', async () => {
+      persistenceStub._remove.rejects(new Error('remove fail'));
+      await expect(auth._updateFirebaseToken(null)).to.be.rejectedWith(
+        'remove fail'
+      );
+    });
+  });
+
+  describe('#_initializeWithPersistence', () => {
+    let mockToken: FirebaseToken;
+    let persistenceManager: any;
+    let subscription: any;
+    let authImpl: AuthImpl;
+
+    beforeEach(() => {
+      mockToken = {
+        token: 'test-token',
+        expirationTime: 123456789
+      };
+
+      persistenceManager = {
+        getFirebaseToken: sinon.stub().resolves(mockToken),
+        getCurrentUser: sinon.stub().resolves(null),
+        setCurrentUser: sinon.stub().resolves(),
+        removeCurrentUser: sinon.stub().resolves(),
+        getPersistence: sinon.stub().returns('LOCAL')
+      };
+
+      subscription = {
+        next: sinon.spy()
+      };
+
+      sinon.stub(PersistenceUserManager, 'create').resolves(persistenceManager);
+
+      authImpl = new AuthImpl(
+        FAKE_APP,
+        FAKE_HEARTBEAT_CONTROLLER_PROVIDER,
+        FAKE_APP_CHECK_CONTROLLER_PROVIDER,
+        {
+          apiKey: FAKE_APP.options.apiKey!,
+          apiHost: DefaultConfig.API_HOST,
+          apiScheme: DefaultConfig.API_SCHEME,
+          tokenApiHost: DefaultConfig.TOKEN_API_HOST,
+          clientPlatform: ClientPlatform.BROWSER,
+          sdkClientVersion: 'v'
+        }
+      );
+
+      (authImpl as any).firebaseTokenSubscription = subscription;
+    });
+
+    afterEach(() => {
+      sinon.restore();
+    });
+
+    it('should load the firebaseToken from persistence and set it', async () => {
+      await authImpl._initializeWithPersistence([
+        persistenceStub as PersistenceInternal
+      ]);
+
+      expect(persistenceManager.getFirebaseToken).to.have.been.called;
+      expect((authImpl as any).firebaseToken).to.eql(mockToken);
+      expect(subscription.next).to.have.been.calledWith(mockToken);
+    });
+
+    it('should set firebaseToken to null if getFirebaseToken returns undefined', async () => {
+      persistenceManager.getFirebaseToken.resolves(undefined);
+
+      await authImpl._initializeWithPersistence([
+        persistenceStub as PersistenceInternal
+      ]);
+
+      expect((authImpl as any).firebaseToken).to.be.null;
+      expect(subscription.next).to.have.been.calledWith(null);
+    });
+
+    it('should set firebaseToken to null if getFirebaseToken returns null', async () => {
+      persistenceManager.getFirebaseToken.resolves(null);
+
+      await authImpl._initializeWithPersistence([
+        persistenceStub as PersistenceInternal
+      ]);
+
+      expect((authImpl as any).firebaseToken).to.be.null;
+      expect(subscription.next).to.have.been.calledWith(null);
+    });
+  });
+
+  describe('#setTokenRefreshHandler', () => {
+    it('sets the tokenRefreshHandler on the auth object', () => {
+      const handler: TokenRefreshHandler = {
+        refreshIdpToken: async () => ({ idToken: 'a', idpConfigId: 'b' })
+      };
+      auth.setTokenRefreshHandler(handler);
+      expect((auth as any).tokenRefreshHandler).to.eq(handler);
+    });
+  });
+
+  describe('#getFirebaseAccessToken', () => {
+    let exchangeTokenStub: sinon.SinonStub;
+    let mockToken: FirebaseToken;
+    let expiredMockToken: FirebaseToken;
+    let soonToExpireMockToken: FirebaseToken;
+    let tokenRefreshHandler: TokenRefreshHandler;
+    const tokenKey = `firebase:persistence-token:${FAKE_APP.options.apiKey!}:${
+      FAKE_APP.name
+    }`;
+
+    beforeEach(() => {
+      exchangeTokenStub = sinon
+        .stub(exchangeTokenModule, 'exchangeToken')
+        .resolves();
+
+      mockToken = {
+        token: 'test-token',
+        expirationTime: Date.now() + 300000 // 5 minutes from now
+      };
+      soonToExpireMockToken = {
+        token: 'test-token',
+        expirationTime: Date.now() + 60000 // 1 minutes from now
+      };
+      expiredMockToken = {
+        token: 'expired-test-token',
+        expirationTime: Date.now() - 1000 // 1 second ago
+      };
+      tokenRefreshHandler = {
+        refreshIdpToken: sinon.stub().resolves({
+          idToken: 'new-id-token',
+          idpConfigId: 'test-idp'
+        })
+      };
+      // Reset cached token and persistence before each test
+      (auth as any).firebaseToken = null;
+      persistenceStub._get.withArgs(tokenKey).resolves(null);
+    });
+
+    afterEach(() => {
+      sinon.restore();
+    });
+
+    it('should return the existing token if it is valid', async () => {
+      persistenceStub._get.withArgs(tokenKey).resolves(mockToken as any);
+      const token = await auth.getFirebaseAccessToken();
+      expect(token).to.eql('test-token');
+      expect(exchangeTokenStub).not.to.have.been.called;
+    });
+
+    it('should return null if the token is expired and no token refresh handler is set', async () => {
+      persistenceStub._get.withArgs(tokenKey).resolves(expiredMockToken as any);
+      const token = await auth.getFirebaseAccessToken();
+      expect(token).to.be.null;
+      expect(exchangeTokenStub).not.to.have.been.called;
+      expect(persistenceStub._remove).to.have.been.called;
+    });
+
+    it('should refresh the token if token is expiring in next 1 minute and a token refresh handler is set', async () => {
+      persistenceStub._get
+        .withArgs(tokenKey)
+        .resolves(soonToExpireMockToken as any);
+      auth.setTokenRefreshHandler(tokenRefreshHandler);
+
+      exchangeTokenStub.callsFake(async () => {
+        // When exchangeToken is called, simulate that the new token is persisted.
+        persistenceStub._get.withArgs(tokenKey).resolves(mockToken as any);
+      });
+
+      const token = await auth.getFirebaseAccessToken();
+
+      expect(tokenRefreshHandler.refreshIdpToken).to.have.been.calledOnce;
+      expect(exchangeTokenStub).to.have.been.calledWith(
+        auth,
+        'test-idp',
+        'new-id-token'
+      );
+      expect(token).to.eql('test-token');
+    });
+
+    it('should refresh the token if it is expired and a token refresh handler is set', async () => {
+      persistenceStub._get.withArgs(tokenKey).resolves(expiredMockToken as any);
+      auth.setTokenRefreshHandler(tokenRefreshHandler);
+
+      exchangeTokenStub.callsFake(async () => {
+        // When exchangeToken is called, simulate that the new token is persisted.
+        persistenceStub._get.withArgs(tokenKey).resolves(mockToken as any);
+      });
+
+      const token = await auth.getFirebaseAccessToken();
+
+      expect(tokenRefreshHandler.refreshIdpToken).to.have.been.calledOnce;
+      expect(exchangeTokenStub).to.have.been.calledWith(
+        auth,
+        'test-idp',
+        'new-id-token'
+      );
+      expect(token).to.eql('test-token');
+    });
+
+    it('should force refresh the token when forceRefresh is true', async () => {
+      persistenceStub._get.withArgs(tokenKey).resolves(mockToken as any);
+      auth.setTokenRefreshHandler(tokenRefreshHandler);
+
+      exchangeTokenStub.callsFake(async () => {
+        persistenceStub._get.withArgs(tokenKey).resolves(mockToken as any);
+      });
+
+      await auth.getFirebaseAccessToken(true);
+
+      expect(tokenRefreshHandler.refreshIdpToken).to.have.been.calledOnce;
+      expect(exchangeTokenStub).to.have.been.calledWith(
+        auth,
+        'test-idp',
+        'new-id-token'
+      );
+    });
+
+    it('should return null and log an error if token refresh fails', async () => {
+      const consoleErrorStub = sinon.stub(console, 'error');
+      persistenceStub._get.withArgs(tokenKey).resolves(expiredMockToken as any);
+      (tokenRefreshHandler.refreshIdpToken as sinon.SinonStub).rejects(
+        new Error('refresh failed')
+      );
+      auth.setTokenRefreshHandler(tokenRefreshHandler);
+      const token = await auth.getFirebaseAccessToken();
+      expect(token).to.be.null;
+      expect(consoleErrorStub).to.have.been.calledWith(
+        'Token refresh failed:',
+        sinon.match.instanceOf(Error)
+      );
+      expect(persistenceStub._remove).to.have.been.called;
+    });
+
+    it('should return null and log an error if the refreshed token is invalid', async () => {
+      const consoleErrorStub = sinon.stub(console, 'error');
+      persistenceStub._get.withArgs(tokenKey).resolves(expiredMockToken as any);
+      (tokenRefreshHandler.refreshIdpToken as sinon.SinonStub).resolves({
+        idToken: 'new-id-token'
+      }); // Missing idpConfigId
+      auth.setTokenRefreshHandler(tokenRefreshHandler);
+      const token = await auth.getFirebaseAccessToken();
+      expect(token).to.be.null;
+      expect(consoleErrorStub).to.have.been.calledWith(
+        'Token refresh failed:',
+        sinon.match.instanceOf(FirebaseError)
+      );
+    });
+  });
+
   describe('#signOut', () => {
     it('sets currentUser to null, calls remove', async () => {
       await auth._updateCurrentUser(testUser(auth, 'test'));
@@ -157,6 +469,17 @@ describe('core/auth/auth_impl', () => {
       expect(persistenceStub._remove).to.have.been.called;
       expect(auth.currentUser).to.be.null;
     });
+    it('sets currentUser to null, calls remove', async () => {
+      const regionalAuth = await regionalTestAuth();
+      const token: FirebaseToken = {
+        token: 'test-token',
+        expirationTime: 123456789
+      };
+      await regionalAuth._updateFirebaseToken(token);
+      await regionalAuth.signOut();
+      expect(persistenceStub._remove).to.have.been.called;
+      expect(await regionalAuth.getFirebaseAccessToken()).to.be.null;
+    });
     it('is blocked if a beforeAuthStateChanged callback throws', async () => {
       await auth._updateCurrentUser(testUser(auth, 'test'));
       auth.beforeAuthStateChanged(sinon.stub().throws());
diff --git a/packages/auth/src/core/auth/auth_impl.ts b/packages/auth/src/core/auth/auth_impl.ts
index 4a718702110..4d813b5eed9 100644
--- a/packages/auth/src/core/auth/auth_impl.ts
+++ b/packages/auth/src/core/auth/auth_impl.ts
@@ -36,7 +36,10 @@ import {
   ErrorFn,
   NextFn,
   Unsubscribe,
-  PasswordValidationStatus
+  PasswordValidationStatus,
+  TenantConfig,
+  RefreshIdpTokenResult,
+  TokenRefreshHandler
 } from '../../model/public_types';
 import {
   createSubscribe,
@@ -47,7 +50,7 @@ import {
   Subscribe
 } from '@firebase/util';
 
-import { AuthInternal, ConfigInternal } from '../../model/auth';
+import { AuthInternal, ConfigInternal, FirebaseToken } from '../../model/auth';
 import { PopupRedirectResolverInternal } from '../../model/popup_redirect';
 import { UserInternal } from '../../model/user';
 import {
@@ -83,6 +86,7 @@ import { PasswordPolicyInternal } from '../../model/password_policy';
 import { PasswordPolicyImpl } from './password_policy_impl';
 import { getAccountInfo } from '../../api/account_management/account';
 import { UserImpl } from '../user/user_impl';
+import { exchangeToken } from '../strategies/exhange_token';
 
 interface AsyncAction {
   (): Promise<void>;
@@ -91,21 +95,31 @@ interface AsyncAction {
 export const enum DefaultConfig {
   TOKEN_API_HOST = 'securetoken.googleapis.com',
   API_HOST = 'identitytoolkit.googleapis.com',
-  API_SCHEME = 'https'
+  API_SCHEME = 'https',
+  // TODO(sammansi): Update the endpoint before BYO-CIAM Private Preview Release.
+  REGIONAL_API_HOST = 'identityplatform.googleapis.com/v2beta/'
 }
 
 export class AuthImpl implements AuthInternal, _FirebaseService {
   currentUser: User | null = null;
   emulatorConfig: EmulatorConfig | null = null;
+  private firebaseToken: FirebaseToken | null = null;
+  private tokenRefreshHandler?: TokenRefreshHandler;
   private operations = Promise.resolve();
   private persistenceManager?: PersistenceUserManager;
   private redirectPersistenceManager?: PersistenceUserManager;
   private authStateSubscription = new Subscription<User>(this);
+  private firebaseTokenSubscription = new Subscription<FirebaseToken>(this);
   private idTokenSubscription = new Subscription<User>(this);
   private readonly beforeStateQueue = new AuthMiddlewareQueue(this);
   private redirectUser: UserInternal | null = null;
   private isProactiveRefreshEnabled = false;
   private readonly EXPECTED_PASSWORD_POLICY_SCHEMA_VERSION: number = 1;
+  // 1 minute buffer for expiry
+  // Intended for tokens issued by IdentityPlatform APIs in regionalized Firebase Auth, which can
+  // have expiry as low as 5 minutes. This should provide enough buffer to the Firebase SDKs for
+  // token usage before it expires.
+  private readonly TOKEN_EXPIRATION_BUFFER = 60_000;
 
   // Any network calls will set this to true and prevent subsequent emulator
   // initialization
@@ -125,6 +139,7 @@ export class AuthImpl implements AuthInternal, _FirebaseService {
     | undefined = undefined;
   _persistenceManagerAvailable: Promise<void>;
   readonly name: string;
+  readonly tenantConfig?: TenantConfig;
 
   // Tracks the last notified UID for state change listeners to prevent
   // repeated calls to the callbacks. Undefined means it's never been
@@ -139,7 +154,8 @@ export class AuthImpl implements AuthInternal, _FirebaseService {
     public readonly app: FirebaseApp,
     private readonly heartbeatServiceProvider: Provider<'heartbeat'>,
     private readonly appCheckServiceProvider: Provider<AppCheckInternalComponentName>,
-    public readonly config: ConfigInternal
+    public readonly config: ConfigInternal,
+    tenantConfig?: TenantConfig
   ) {
     this.name = app.name;
     this.clientVersion = config.sdkClientVersion;
@@ -148,6 +164,7 @@ export class AuthImpl implements AuthInternal, _FirebaseService {
     this._persistenceManagerAvailable = new Promise<void>(
       resolve => (this._resolvePersistenceManagerAvailable = resolve)
     );
+    this.tenantConfig = tenantConfig;
   }
 
   _initializeWithPersistence(
@@ -187,6 +204,7 @@ export class AuthImpl implements AuthInternal, _FirebaseService {
       }
 
       await this.initializeCurrentUser(popupRedirectResolver);
+      await this.initializeFirebaseToken();
 
       this.lastNotifiedUid = this.currentUser?.uid || null;
 
@@ -200,6 +218,10 @@ export class AuthImpl implements AuthInternal, _FirebaseService {
     return this._initializationPromise;
   }
 
+  setTokenRefreshHandler(tokenRefreshHandler: TokenRefreshHandler): void {
+    this.tokenRefreshHandler = tokenRefreshHandler;
+  }
+
   /**
    * If the persistence is changed in another window, the user manager will let us know
    */
@@ -230,6 +252,41 @@ export class AuthImpl implements AuthInternal, _FirebaseService {
     await this._updateCurrentUser(user, /* skipBeforeStateCallbacks */ true);
   }
 
+  async getFirebaseAccessToken(forceRefresh?: boolean): Promise<string | null> {
+    const firebaseAccessToken =
+      (await this.persistenceManager?.getFirebaseToken()) ?? null;
+
+    if (
+      firebaseAccessToken &&
+      this.isFirebaseAccessTokenValid(firebaseAccessToken) &&
+      !forceRefresh
+    ) {
+      this.firebaseToken = firebaseAccessToken;
+      this.firebaseTokenSubscription.next(this.firebaseToken);
+      return firebaseAccessToken.token;
+    }
+
+    if (firebaseAccessToken && this.tokenRefreshHandler) {
+      try {
+        // Awaits for the callback method to execute. The callback method
+        // is responsible for performing the exchangeToken(auth, valid3pIdpToken)
+        const result: RefreshIdpTokenResult =
+          await this.tokenRefreshHandler.refreshIdpToken();
+        _assert(
+          result.idToken && result.idpConfigId,
+          AuthErrorCode.INVALID_CREDENTIAL
+        );
+        await exchangeToken(this, result.idpConfigId, result.idToken);
+        return this.getFirebaseAccessToken(false);
+      } catch (error) {
+        console.error('Token refresh failed:', error);
+      }
+    }
+    // Signs out the user i.e. sets the firebaseToken to null if firebase token is not valid and refresh token handler is not set/ successful.
+    await this.signOut();
+    return null;
+  }
+
   private async initializeCurrentUserFromIdToken(
     idToken: string
   ): Promise<void> {
@@ -395,6 +452,24 @@ export class AuthImpl implements AuthInternal, _FirebaseService {
     return this.directlySetCurrentUser(user);
   }
 
+  private isFirebaseAccessTokenValid(
+    firebaseToken: FirebaseToken | null
+  ): boolean {
+    if (!firebaseToken || !firebaseToken.expirationTime) {
+      return false;
+    }
+
+    return (
+      Date.now() < firebaseToken.expirationTime - this.TOKEN_EXPIRATION_BUFFER
+    );
+  }
+
+  private async initializeFirebaseToken(): Promise<void> {
+    this.firebaseToken =
+      (await this.persistenceManager?.getFirebaseToken()) ?? null;
+    this.firebaseTokenSubscription.next(this.firebaseToken);
+  }
+
   useDeviceLanguage(): void {
     this.languageCode = _getUserLanguage();
   }
@@ -449,6 +524,18 @@ export class AuthImpl implements AuthInternal, _FirebaseService {
     });
   }
 
+  async _updateFirebaseToken(
+    firebaseToken: FirebaseToken | null
+  ): Promise<void> {
+    this.firebaseToken = firebaseToken;
+    this.firebaseTokenSubscription.next(firebaseToken);
+    if (firebaseToken) {
+      await this.assertedPersistence.setFirebaseToken(firebaseToken);
+    } else {
+      await this.assertedPersistence.removeFirebaseToken();
+    }
+  }
+
   async signOut(): Promise<void> {
     if (_isFirebaseServerApp(this.app)) {
       return Promise.reject(
@@ -461,7 +548,9 @@ export class AuthImpl implements AuthInternal, _FirebaseService {
     if (this.redirectPersistenceManager || this._popupRedirectResolver) {
       await this._setRedirectUser(null);
     }
-
+    if (this.tenantConfig) {
+      await this._updateFirebaseToken(null);
+    }
     // Prevent callbacks from being called again in _updateCurrentUser, as
     // they were already called in the first line.
     return this._updateCurrentUser(null, /* skipBeforeStateCallbacks */ true);
@@ -558,6 +647,7 @@ export class AuthImpl implements AuthInternal, _FirebaseService {
     return this.registerStateListener(
       this.authStateSubscription,
       nextOrObserver,
+      this.currentUser,
       error,
       completed
     );
@@ -578,6 +668,7 @@ export class AuthImpl implements AuthInternal, _FirebaseService {
     return this.registerStateListener(
       this.idTokenSubscription,
       nextOrObserver,
+      this.currentUser,
       error,
       completed
     );
@@ -725,9 +816,10 @@ export class AuthImpl implements AuthInternal, _FirebaseService {
     }
   }
 
-  private registerStateListener(
-    subscription: Subscription<User>,
-    nextOrObserver: NextOrObserver<User>,
+  private registerStateListener<T>(
+    subscription: Subscription<T>,
+    nextOrObserver: NextOrObserver<T>,
+    currentValue: T | null,
     error?: ErrorFn,
     completed?: CompleteFn
   ): Unsubscribe {
@@ -752,7 +844,7 @@ export class AuthImpl implements AuthInternal, _FirebaseService {
       if (isUnsubscribed) {
         return;
       }
-      cb(this.currentUser);
+      cb(currentValue);
     });
 
     if (typeof nextOrObserver === 'function') {
diff --git a/packages/auth/src/core/auth/firebase_internal.test.ts b/packages/auth/src/core/auth/firebase_internal.test.ts
index ff5b94b3f4f..5954412364e 100644
--- a/packages/auth/src/core/auth/firebase_internal.test.ts
+++ b/packages/auth/src/core/auth/firebase_internal.test.ts
@@ -18,13 +18,23 @@
 import { FirebaseError } from '@firebase/util';
 import { expect, use } from 'chai';
 import * as sinon from 'sinon';
+import * as mockFetch from '../../../test/helpers/mock_fetch';
+import sinonChai from 'sinon-chai';
 import chaiAsPromised from 'chai-as-promised';
 
-import { testAuth, testUser } from '../../../test/helpers/mock_auth';
+import {
+  regionalTestAuth,
+  regionalTestAuthWithTokenRefreshHandler,
+  testAuth,
+  testUser
+} from '../../../test/helpers/mock_auth';
+import { RegionalEndpoint } from '../../api';
+import { mockRegionalEndpointWithParent } from '../../../test/helpers/api/helper';
 import { AuthInternal } from '../../model/auth';
 import { UserInternal } from '../../model/user';
 import { AuthInterop } from './firebase_internal';
 
+use(sinonChai);
 use(chaiAsPromised);
 
 describe('core/auth/firebase_internal', () => {
@@ -37,6 +47,9 @@ describe('core/auth/firebase_internal', () => {
 
   afterEach(() => {
     sinon.restore();
+    delete (auth as unknown as Record<string, unknown>)[
+      '_initializationPromise'
+    ];
   });
 
   context('getUid', () => {
@@ -215,3 +228,111 @@ describe('core/auth/firebase_internal', () => {
     });
   });
 });
+
+describe('core/auth/firebase_internal - Regional Firebase Auth', () => {
+  let regionalAuth: AuthInternal;
+  let regionalAuthWithRefreshToken: AuthInternal;
+  let regionalAuthInternal: AuthInterop;
+  let regionalAuthWithRefreshTokenInternal: AuthInterop;
+  let now: number;
+  beforeEach(async () => {
+    regionalAuth = await regionalTestAuth();
+    regionalAuthInternal = new AuthInterop(regionalAuth);
+    regionalAuthWithRefreshToken =
+      await regionalTestAuthWithTokenRefreshHandler();
+    regionalAuthWithRefreshTokenInternal = new AuthInterop(
+      regionalAuthWithRefreshToken
+    );
+    now = Date.now();
+    sinon.stub(Date, 'now').returns(now);
+    mockFetch.setUp();
+    mockRegionalEndpointWithParent(
+      RegionalEndpoint.EXCHANGE_TOKEN,
+      'projects/test-project-id/locations/us/tenants/tenant-1/idpConfigs/idp-config',
+      'test-api-key',
+      { accessToken: 'access-token-new', expiresIn: 10_000 }
+    );
+  });
+
+  afterEach(() => {
+    sinon.restore();
+    mockFetch.tearDown();
+  });
+
+  context('getFirebaseToken', () => {
+    it('returns null if firebase token is undefined', async () => {
+      expect(await regionalAuthInternal.getToken()).to.be.null;
+    });
+
+    it('returns the id token correctly', async () => {
+      await regionalAuth._updateFirebaseToken({
+        token: 'access-token',
+        expirationTime: now + 300_000
+      });
+      expect(await regionalAuthInternal.getToken()).to.eql({
+        accessToken: 'access-token'
+      });
+    });
+
+    it('logs out the the id token expires in next 30 seconds', async () => {
+      expect(await regionalAuthInternal.getToken()).to.be.null;
+    });
+
+    it('logs out if token has expired', async () => {
+      await regionalAuth._updateFirebaseToken({
+        token: 'access-token',
+        expirationTime: now - 5_000
+      });
+      expect(await regionalAuthInternal.getToken()).to.null;
+      const firebaseToken = await regionalAuth.getFirebaseAccessToken();
+      expect(firebaseToken).to.null;
+    });
+
+    it('logs out if token is expiring in next 5 seconds', async () => {
+      await regionalAuth._updateFirebaseToken({
+        token: 'access-token',
+        expirationTime: now + 5_000
+      });
+      expect(await regionalAuthInternal.getToken()).to.null;
+      const firebaseToken = await regionalAuth.getFirebaseAccessToken();
+      expect(firebaseToken).to.null;
+    });
+
+    it('returns refreshIdToken if getToken is called with forceRefresh true', async () => {
+      await regionalAuthWithRefreshToken._updateFirebaseToken({
+        token: 'access-token',
+        expirationTime: now + 30_000
+      });
+      expect(await regionalAuthWithRefreshTokenInternal.getToken(true)).to.eql({
+        accessToken: 'access-token-new'
+      });
+    });
+
+    it('returns refreshIdToken if current idToken is expired', async () => {
+      await regionalAuthWithRefreshToken._updateFirebaseToken({
+        token: 'access-token',
+        expirationTime: now - 5_000
+      });
+      expect(await regionalAuthWithRefreshTokenInternal.getToken()).to.eql({
+        accessToken: 'access-token-new'
+      });
+    });
+
+    it('returns null if current idToken is expired and tokenRefreshHandler is not implemented', async () => {
+      await regionalAuth._updateFirebaseToken({
+        token: 'access-token',
+        expirationTime: now - 5_000
+      });
+      expect(await regionalAuthInternal.getToken()).to.eql(null);
+    });
+  });
+
+  context('getUid', () => {
+    it('throws an error if regionalAuth is initialized', () => {
+      expect(() => regionalAuthInternal.getUid()).to.throw(
+        FirebaseError,
+        'auth/operation-not-allowed'
+      );
+    });
+  });
+});
diff --git a/packages/auth/src/core/auth/firebase_internal.ts b/packages/auth/src/core/auth/firebase_internal.ts
index 4fad0754375..970e99fa4ec 100644
--- a/packages/auth/src/core/auth/firebase_internal.ts
+++ b/packages/auth/src/core/auth/firebase_internal.ts
@@ -28,6 +28,7 @@ interface TokenListener {
 }
 
 export class AuthInterop implements FirebaseAuthInternal {
+  private readonly TOKEN_EXPIRATION_BUFFER = 30_000;
   private readonly internalListeners: Map<TokenListener, Unsubscribe> =
     new Map();
 
@@ -35,6 +36,8 @@ export class AuthInterop implements FirebaseAuthInternal {
 
   getUid(): string | null {
     this.assertAuthConfigured();
+    // getUid() is not available for regional Auth. Returns `OPERATION_NOT_ALLOWED` exception for RegionalAuth.
+    this.assertRegionalAuthConfigured();
     return this.auth.currentUser?.uid || null;
   }
 
@@ -43,6 +46,10 @@ export class AuthInterop implements FirebaseAuthInternal {
   ): Promise<{ accessToken: string } | null> {
     this.assertAuthConfigured();
     await this.auth._initializationPromise;
+    if (this.auth.tenantConfig) {
+      const accessToken = await this.getTokenForRegionalAuth(forceRefresh);
+      return accessToken ? { accessToken } : null;
+    }
     if (!this.auth.currentUser) {
       return null;
     }
@@ -85,6 +92,10 @@ export class AuthInterop implements FirebaseAuthInternal {
     );
   }
 
+  private assertRegionalAuthConfigured(): void {
+    _assert(!this.auth.tenantConfig, AuthErrorCode.OPERATION_NOT_ALLOWED);
+  }
+
   private updateProactiveRefresh(): void {
     if (this.internalListeners.size > 0) {
       this.auth._startProactiveRefresh();
@@ -92,4 +103,12 @@ export class AuthInterop implements FirebaseAuthInternal {
       this.auth._stopProactiveRefresh();
     }
   }
+
+  private async getTokenForRegionalAuth(
+    forceRefresh?: boolean
+  ): Promise<string | null> {
+    const firebaseToken = await this.auth.getFirebaseAccessToken(forceRefresh);
+
+    return firebaseToken;
+  }
 }
diff --git a/packages/auth/src/core/auth/initialize.test.ts b/packages/auth/src/core/auth/initialize.test.ts
index f2d4d24c887..a09efd8f46c 100644
--- a/packages/auth/src/core/auth/initialize.test.ts
+++ b/packages/auth/src/core/auth/initialize.test.ts
@@ -26,6 +26,7 @@ import {
   AuthProvider,
   Persistence as PersistencePublic,
   PopupRedirectResolver,
+  TenantConfig,
   UserCredential
 } from '../../model/public_types';
 import { isNode } from '@firebase/util';
@@ -51,6 +52,7 @@ import { ClientPlatform, _getClientVersion } from '../util/version';
 import { initializeAuth } from './initialize';
 import { registerAuth } from './register';
 import { debugErrorMap, prodErrorMap } from '../errors';
+import { DefaultConfig } from './auth_impl';
 
 describe('core/auth/initialize', () => {
   let fakeApp: FirebaseApp;
@@ -132,6 +134,11 @@ describe('core/auth/initialize', () => {
   const fakePopupRedirectResolver: PopupRedirectResolver =
     FakePopupRedirectResolver;
 
+  const fakeTenantConfig: TenantConfig = {
+    'location': 'us',
+    'tenantId': 'tenant-1'
+  };
+
   before(() => {
     registerAuth(ClientPlatform.BROWSER);
   });
@@ -202,6 +209,15 @@ describe('core/auth/initialize', () => {
       );
     });
 
+    it('should set TenantConfig', async () => {
+      const auth = initializeAuth(fakeApp, {
+        tenantConfig: fakeTenantConfig
+      }) as AuthInternal;
+      await auth._initializationPromise;
+
+      expect(auth.config.apiHost).equal(DefaultConfig.REGIONAL_API_HOST);
+    });
+
     it('should abort initialization if deleted synchronously', async () => {
       const auth = initializeAuth(fakeApp, {
         popupRedirectResolver: fakePopupRedirectResolver
@@ -221,13 +237,15 @@ describe('core/auth/initialize', () => {
       const auth = initializeAuth(fakeApp, {
         errorMap: prodErrorMap,
         persistence: fakeSessionPersistence,
-        popupRedirectResolver: fakePopupRedirectResolver
+        popupRedirectResolver: fakePopupRedirectResolver,
+        tenantConfig: fakeTenantConfig
       });
       expect(
         initializeAuth(fakeApp, {
           errorMap: prodErrorMap,
           persistence: fakeSessionPersistence,
-          popupRedirectResolver: fakePopupRedirectResolver
+          popupRedirectResolver: fakePopupRedirectResolver,
+          tenantConfig: fakeTenantConfig
         })
       ).to.equal(auth);
     });
@@ -264,5 +282,16 @@ describe('core/auth/initialize', () => {
         })
       ).to.throw();
     });
+
+    it('should throw if called again with different params (TenantConfig)', () => {
+      initializeAuth(fakeApp, {
+        tenantConfig: fakeTenantConfig
+      });
+      expect(() =>
+        initializeAuth(fakeApp, {
+          tenantConfig: undefined
+        })
+      ).to.throw();
+    });
   });
 });
diff --git a/packages/auth/src/core/auth/register.ts b/packages/auth/src/core/auth/register.ts
index 4d7688e9804..317d9a5f57c 100644
--- a/packages/auth/src/core/auth/register.ts
+++ b/packages/auth/src/core/auth/register.ts
@@ -68,6 +68,7 @@ export function registerAuth(clientPlatform: ClientPlatform): void {
         const appCheckServiceProvider =
           container.getProvider<'app-check-internal'>('app-check-internal');
         const { apiKey, authDomain } = app.options;
+        const tenantConfig = deps?.tenantConfig;
 
         _assert(
           apiKey && !apiKey.includes(':'),
@@ -79,7 +80,9 @@ export function registerAuth(clientPlatform: ClientPlatform): void {
           apiKey,
           authDomain,
           clientPlatform,
-          apiHost: DefaultConfig.API_HOST,
+          apiHost: tenantConfig?.location
+            ? DefaultConfig.REGIONAL_API_HOST
+            : DefaultConfig.API_HOST,
           tokenApiHost: DefaultConfig.TOKEN_API_HOST,
           apiScheme: DefaultConfig.API_SCHEME,
           sdkClientVersion: _getClientVersion(clientPlatform)
@@ -89,7 +92,8 @@ export function registerAuth(clientPlatform: ClientPlatform): void {
           app,
           heartbeatServiceProvider,
           appCheckServiceProvider,
-          config
+          config,
+          tenantConfig
         );
         _initializeAuthInstance(authInstance, deps);
 
diff --git a/packages/auth/src/core/index.ts b/packages/auth/src/core/index.ts
index 43b1adb4bb9..e3b0e3b55a1 100644
--- a/packages/auth/src/core/index.ts
+++ b/packages/auth/src/core/index.ts
@@ -315,6 +315,7 @@ export {
   sendEmailVerification,
   verifyBeforeUpdateEmail
 } from './strategies/email';
+export { exchangeToken } from './strategies/exhange_token';
 
 // core
 export { ActionCodeURL, parseActionCodeURL } from './action_code_url';
diff --git a/packages/auth/src/core/persistence/persistence_user_manager.ts b/packages/auth/src/core/persistence/persistence_user_manager.ts
index 580aaad3b25..21c230bf9e5 100644
--- a/packages/auth/src/core/persistence/persistence_user_manager.ts
+++ b/packages/auth/src/core/persistence/persistence_user_manager.ts
@@ -16,7 +16,7 @@
  */
 
 import { getAccountInfo } from '../../api/account_management/account';
-import { ApiKey, AppName, AuthInternal } from '../../model/auth';
+import { ApiKey, AppName, AuthInternal, FirebaseToken } from '../../model/auth';
 import { UserInternal } from '../../model/user';
 import { PersistedBlob, PersistenceInternal } from '../persistence';
 import { UserImpl } from '../user/user_impl';
@@ -27,7 +27,8 @@ export const enum KeyName {
   AUTH_USER = 'authUser',
   AUTH_EVENT = 'authEvent',
   REDIRECT_USER = 'redirectUser',
-  PERSISTENCE_USER = 'persistence'
+  PERSISTENCE_USER = 'persistence',
+  PERSISTENCE_TOKEN = 'persistence-token'
 }
 export const enum Namespace {
   PERSISTENCE = 'firebase'
@@ -44,6 +45,7 @@ export function _persistenceKeyName(
 export class PersistenceUserManager {
   private readonly fullUserKey: string;
   private readonly fullPersistenceKey: string;
+  private readonly firebaseTokenPersistenceKey: string;
   private readonly boundEventHandler: () => void;
 
   private constructor(
@@ -58,6 +60,11 @@ export class PersistenceUserManager {
       config.apiKey,
       name
     );
+    this.firebaseTokenPersistenceKey = _persistenceKeyName(
+      KeyName.PERSISTENCE_TOKEN,
+      config.apiKey,
+      name
+    );
     this.boundEventHandler = auth._onStorageEvent.bind(auth);
     this.persistence._addListener(this.fullUserKey, this.boundEventHandler);
   }
@@ -66,6 +73,32 @@ export class PersistenceUserManager {
     return this.persistence._set(this.fullUserKey, user.toJSON());
   }
 
+  setFirebaseToken(firebaseToken: FirebaseToken): Promise<void> {
+    return this.persistence._set(this.firebaseTokenPersistenceKey, {
+      token: firebaseToken.token,
+      expirationTime: firebaseToken.expirationTime
+    });
+  }
+
+  async getFirebaseToken(): Promise<FirebaseToken | null> {
+    const blob = await this.persistence._get<PersistedBlob>(
+      this.firebaseTokenPersistenceKey
+    );
+    if (!blob) {
+      return null;
+    }
+    const token = blob.token as string;
+    const expirationTime = blob.expirationTime as number;
+    return {
+      token,
+      expirationTime
+    };
+  }
+
+  removeFirebaseToken(): Promise<void> {
+    return this.persistence._remove(this.firebaseTokenPersistenceKey);
+  }
+
   async getCurrentUser(): Promise<UserInternal | null> {
     const blob = await this.persistence._get<PersistedBlob | string>(
       this.fullUserKey
diff --git a/packages/auth/src/core/strategies/exchange_token.test.ts b/packages/auth/src/core/strategies/exchange_token.test.ts
new file mode 100644
index 00000000000..e284f26f1d4
--- /dev/null
+++ b/packages/auth/src/core/strategies/exchange_token.test.ts
@@ -0,0 +1,123 @@
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import { expect, use } from 'chai';
+import chaiAsPromised from 'chai-as-promised';
+
+import { mockRegionalEndpointWithParent } from '../../../test/helpers/api/helper';
+import {
+  regionalTestAuth,
+  testAuth,
+  TestAuth
+} from '../../../test/helpers/mock_auth';
+import * as sinon from 'sinon';
+import * as mockFetch from '../../../test/helpers/mock_fetch';
+import { HttpHeader, RegionalEndpoint } from '../../api';
+import { exchangeToken } from './exhange_token';
+import { FirebaseError } from '@firebase/util';
+import { ServerError } from '../../api/errors';
+
+use(chaiAsPromised);
+
+describe('core/strategies/exchangeToken', () => {
+  let auth: TestAuth;
+  let regionalAuth: TestAuth;
+  let now: number;
+
+  beforeEach(async () => {
+    auth = await testAuth();
+    regionalAuth = await regionalTestAuth();
+    mockFetch.setUp();
+    now = Date.now();
+    sinon.stub(Date, 'now').returns(now);
+  });
+  afterEach(mockFetch.tearDown);
+  afterEach(() => sinon.restore());
+
+  it('should return a valid access token for Regional Auth', async () => {
+    const mock = mockRegionalEndpointWithParent(
+      RegionalEndpoint.EXCHANGE_TOKEN,
+      'projects/test-project-id/locations/us/tenants/tenant-1/idpConfigs/idp-config',
+      'test-api-key',
+      { accessToken: 'outbound-token', expiresIn: 10_000 }
+    );
+
+    const accessToken = await exchangeToken(
+      regionalAuth,
+      'idp-config',
+      'custom-token'
+    );
+    expect(accessToken).to.eq('outbound-token');
+    expect(mock.calls[0].request).to.eql({
+      parent:
+        'projects/test-project-id/locations/us/tenants/tenant-1/idpConfigs/idp-config',
+      // eslint-disable-next-line camelcase
+      id_token: 'custom-token'
+    });
+    expect(mock.calls[0].method).to.eq('POST');
+    expect(mock.calls[0].headers!.get(HttpHeader.CONTENT_TYPE)).to.eq(
+      'application/json'
+    );
+    const firebaseToken = await regionalAuth.getFirebaseAccessToken();
+    expect(firebaseToken).to.equal('outbound-token');
+  });
+
+  it('throws exception for default Auth', async () => {
+    await expect(
+      exchangeToken(auth, 'idp-config', 'custom-token')
+    ).to.be.rejectedWith(
+      FirebaseError,
+      'Firebase: Operations not allowed for the auth object initialized. (auth/operation-not-allowed).'
+    );
+  });
+
+  it('should handle errors', async () => {
+    const mock = mockRegionalEndpointWithParent(
+      RegionalEndpoint.EXCHANGE_TOKEN,
+      'projects/test-project-id/locations/us/tenants/tenant-1/idpConfigs/idp-config',
+      'test-api-key',
+      {
+        error: {
+          code: 400,
+          message: ServerError.INVALID_CUSTOM_TOKEN,
+          errors: [
+            {
+              message: ServerError.INVALID_CUSTOM_TOKEN
+            }
+          ]
+        }
+      },
+      400
+    );
+
+    await expect(
+      exchangeToken(regionalAuth, 'idp-config', 'custom-token')
+    ).to.be.rejectedWith(FirebaseError, '(auth/invalid-custom-token).');
+    expect(mock.calls[0].request).to.eql({
+      parent:
+        'projects/test-project-id/locations/us/tenants/tenant-1/idpConfigs/idp-config',
+      // eslint-disable-next-line camelcase
+      id_token: 'custom-token'
+    });
+    expect(mock.calls[0].method).to.eq('POST');
+    expect(mock.calls[0].headers!.get(HttpHeader.CONTENT_TYPE)).to.eq(
+      'application/json'
+    );
+    const accessToken = await regionalAuth.getFirebaseAccessToken();
+    expect(accessToken).is.null;
+  });
+});
diff --git a/packages/auth/src/core/strategies/exhange_token.ts b/packages/auth/src/core/strategies/exhange_token.ts
new file mode 100644
index 00000000000..afbdcd81bff
--- /dev/null
+++ b/packages/auth/src/core/strategies/exhange_token.ts
@@ -0,0 +1,75 @@
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import { Auth } from '../../model/public_types';
+import { _isFirebaseServerApp } from '@firebase/app';
+import { exchangeToken as getToken } from '../../api/authentication/exchange_token';
+import { _serverAppCurrentUserOperationNotSupportedError } from '../../core/util/assert';
+import { EXCHANGE_TOKEN_PARENT } from '../../api';
+import { _castAuth } from '../auth/auth_impl';
+
+/**
+ * Asynchronously exchanges an OIDC provider's Authorization code or Id Token
+ * for a Firebase Token.
+ *
+ * @remarks
+ * This method is implemented only for `DefaultConfig.REGIONAL_API_HOST` and
+ * requires {@link TenantConfig} to be configured in the {@link Auth} instance used.
+ *
+ * Fails with an error if the token is invalid, expired, or not accepted by the Firebase Auth service.
+ *
+ * @param auth - The {@link Auth} instance.
+ * @param idpConfigId - The ExternalUserDirectoryId corresponding to the OIDC custom Token.
+ * @param customToken - The OIDC provider's Authorization code or Id Token to exchange.
+ * @returns The firebase access token (JWT signed by Firebase Auth).
+ *
+ * @public
+ */
+export async function exchangeToken(
+  auth: Auth,
+  idpConfigId: string,
+  customToken: string
+): Promise<string> {
+  if (_isFirebaseServerApp(auth.app)) {
+    return Promise.reject(
+      _serverAppCurrentUserOperationNotSupportedError(auth)
+    );
+  }
+  const authInternal = _castAuth(auth);
+  const token = await getToken(authInternal, {
+    parent: buildParent(auth, idpConfigId),
+    // eslint-disable-next-line camelcase
+    id_token: customToken
+  });
+  if (token) {
+    await authInternal._updateFirebaseToken({
+      token: token.accessToken,
+      expirationTime: Date.now() + token.expiresIn * 1000
+    });
+  }
+  return token.accessToken;
+}
+
+function buildParent(auth: Auth, idpConfigId: string): string {
+  return EXCHANGE_TOKEN_PARENT.replace(
+    '${projectId}',
+    auth.app.options.projectId ?? ''
+  )
+    .replace('${location}', auth.tenantConfig?.location ?? '')
+    .replace('${tenantId}', auth.tenantConfig?.tenantId ?? '')
+    .replace('${idpConfigId}', idpConfigId);
+}
diff --git a/packages/auth/src/core/util/assert.ts b/packages/auth/src/core/util/assert.ts
index 51dff0793e2..eb497fba8aa 100644
--- a/packages/auth/src/core/util/assert.ts
+++ b/packages/auth/src/core/util/assert.ts
@@ -112,6 +112,16 @@ export function _serverAppCurrentUserOperationNotSupportedError(
   );
 }
 
+export function _operationNotSupportedForInitializedAuthInstance(
+  auth: Auth
+): FirebaseError {
+  return _errorWithCustomMessage(
+    auth,
+    AuthErrorCode.OPERATION_NOT_ALLOWED,
+    'Operations not allowed for the auth object initialized.'
+  );
+}
+
 export function _assertInstanceOf(
   auth: Auth,
   object: object,
diff --git a/packages/auth/src/model/auth.ts b/packages/auth/src/model/auth.ts
index a88430fd5df..5d77f0f1fa6 100644
--- a/packages/auth/src/model/auth.ts
+++ b/packages/auth/src/model/auth.ts
@@ -23,6 +23,7 @@ import {
   PasswordPolicy,
   PasswordValidationStatus,
   PopupRedirectResolver,
+  TenantConfig,
   User
 } from './public_types';
 import { ErrorFactory } from '@firebase/util';
@@ -56,6 +57,16 @@ export interface ConfigInternal extends Config {
   clientPlatform: ClientPlatform;
 }
 
+/**
+ * @internal
+ */
+export interface FirebaseToken {
+  // The firebase access token (JWT signed by Firebase Auth).
+  readonly token: string;
+  // The time in milliseconds when the access token expires.
+  readonly expirationTime: number;
+}
+
 /**
  * UserInternal and AuthInternal reference each other, so both of them are included in the public typings.
  * In order to exclude them, we mark them as internal explicitly.
@@ -65,6 +76,7 @@ export interface ConfigInternal extends Config {
 export interface AuthInternal extends Auth {
   currentUser: User | null;
   emulatorConfig: EmulatorConfig | null;
+  getFirebaseAccessToken(forceRefresh?: boolean): Promise<string | null>;
   _agentRecaptchaConfig: RecaptchaConfig | null;
   _tenantRecaptchaConfigs: Record<string, RecaptchaConfig>;
   _projectPasswordPolicy: PasswordPolicy | null;
@@ -74,6 +86,7 @@ export interface AuthInternal extends Auth {
   _initializationPromise: Promise<void> | null;
   _persistenceManagerAvailable: Promise<void>;
   _updateCurrentUser(user: UserInternal | null): Promise<void>;
+  _updateFirebaseToken(firebaseToken: FirebaseToken | null): Promise<void>;
 
   _onStorageEvent(): void;
 
@@ -100,6 +113,7 @@ export interface AuthInternal extends Auth {
 
   readonly name: AppName;
   readonly config: ConfigInternal;
+  readonly tenantConfig?: TenantConfig;
   languageCode: string | null;
   tenantId: string | null;
   readonly settings: AuthSettings;
diff --git a/packages/auth/src/model/public_types.ts b/packages/auth/src/model/public_types.ts
index 43942b93d92..4ebce229f12 100644
--- a/packages/auth/src/model/public_types.ts
+++ b/packages/auth/src/model/public_types.ts
@@ -118,6 +118,44 @@ export interface ParsedToken {
  */
 export type NextOrObserver<T> = NextFn<T | null> | Observer<T | null>;
 
+/**
+ * An interface for handling the refresh of Firebase tokens.
+ *
+ * @public
+ */
+export interface TokenRefreshHandler {
+  /**
+   * Refreshes the third-party IDP token.
+   *
+   * This method should contain the logic to obtain a new, valid IDP token from
+   * your identity provider.
+   *
+   * @returns A promise that resolves with a `RefreshIdpTokenResult` object
+   *   containing the new IDP token and its corresponding Idp Config ID.
+   */
+  refreshIdpToken(): Promise<RefreshIdpTokenResult>;
+}
+
+/**
+ * The result of a third-party IDP token refresh operation.
+ *
+ * This object contains the new IDP token and the Idp Config ID of the
+ * provider that issued it.
+ *
+ * @public
+ */
+export interface RefreshIdpTokenResult {
+  /**
+   * The configuration ID of the third-party identity provider.
+   */
+  idpConfigId: string;
+
+  /**
+   * The new Id Token from the 3rd party Identity Provider.
+   */
+  idToken: string;
+}
+
 /**
  * Interface for an `Auth` error.
  *
@@ -183,6 +221,12 @@ export interface Auth {
   readonly name: string;
   /** The {@link Config} used to initialize this instance. */
   readonly config: Config;
+  /**
+   * The {@link TenantConfig} used to initialize a Regional Auth. This is only present
+   * if regional auth is initialized and `DefaultConfig.REGIONAL_API_HOST`
+   * backend endpoint is used.
+   */
+  readonly tenantConfig?: TenantConfig;
   /**
    * Changes the type of persistence on the `Auth` instance.
    *
@@ -204,6 +248,32 @@ export interface Auth {
    * @param persistence - The {@link Persistence} to use.
    */
   setPersistence(persistence: Persistence): Promise<void>;
+  /**
+   * Registers a handler for refreshing third-party identity provider (IDP) tokens.
+   *
+   * When the Firebase access token is expired, the SDK will automatically invoke the
+   * provided handler's `refreshIdpToken()` method to obtain a new IDP token. This new
+   * token will then be exchanged for a fresh Firebase token, streamlining the
+   * authentication process.
+   *
+   * @example
+   * ```javascript
+   * class TokenRefreshHandlerImpl {
+   *   refreshIdpToken() {
+   *     // Logic to fetch a new token from your custom IDP.
+   *     // Returns a Promise that resolves with a RefreshIdpTokenResult.
+   *   }
+   * }
+   *
+   * const tokenRefreshHandler = new TokenRefreshHandlerImpl();
+   * auth.setTokenRefreshHandler(tokenRefreshHandler);
+   * ```
+   *
+   * @param tokenRefreshHandler - An object that implements the `TokenRefreshHandler`
+   *   interface, providing the logic to refresh the IDP token.
+   */
+  setTokenRefreshHandler(tokenRefreshHandler: TokenRefreshHandler): void;
+
   /**
    * The {@link Auth} instance's language code.
    *
@@ -1260,6 +1330,28 @@ export interface Dependencies {
    * Which {@link AuthErrorMap} to use.
    */
   errorMap?: AuthErrorMap;
+  /**
+   * The {@link TenantConfig} to use. This dependency is only required
+   * if you want to use regional auth which works with
+   * `DefaultConfig.REGIONAL_API_HOST` endpoint. It should not be set otherwise.
+   */
+  tenantConfig?: TenantConfig;
+}
+
+/**
+ * The tenant config that can be used to initialize a Regional {@link Auth} instance.
+ *
+ * @public
+ */
+export interface TenantConfig {
+  /**
+   * Which location to use.
+   */
+  location: string;
+  /**
+   * The tenant Id being used.
+   */
+  tenantId: string;
 }
 
 /**
diff --git a/packages/auth/test/helpers/api/helper.ts b/packages/auth/test/helpers/api/helper.ts
index 638310b139e..c1034d682d5 100644
--- a/packages/auth/test/helpers/api/helper.ts
+++ b/packages/auth/test/helpers/api/helper.ts
@@ -15,7 +15,7 @@
  * limitations under the License.
  */
 
-import { Endpoint } from '../../../src/api';
+import { Endpoint, RegionalEndpoint } from '../../../src/api';
 import { TEST_HOST, TEST_KEY, TEST_SCHEME } from '../mock_auth';
 import { mock, Route } from '../mock_fetch';
 
@@ -55,3 +55,16 @@ export function mockEndpointWithParams(
 ): Route {
   return mock(endpointUrlWithParams(endpoint, params), response, status);
 }
+
+export function mockRegionalEndpointWithParent(
+  endpoint: RegionalEndpoint,
+  parent: string,
+  key: string,
+  response: object,
+  status = 200
+): Route {
+  let url = `${TEST_SCHEME}://${TEST_HOST}${parent}${endpoint}`;
+  url += '?key=';
+  url += key;
+  return mock(url, response, status);
+}
diff --git a/packages/auth/test/helpers/mock_auth.ts b/packages/auth/test/helpers/mock_auth.ts
index e5e30fa1384..9c114331bad 100644
--- a/packages/auth/test/helpers/mock_auth.ts
+++ b/packages/auth/test/helpers/mock_auth.ts
@@ -18,7 +18,11 @@
 import { FirebaseApp } from '@firebase/app';
 import { Provider } from '@firebase/component';
 import { AppCheckTokenResult } from '@firebase/app-check-interop-types';
-import { PopupRedirectResolver } from '../../src/model/public_types';
+import {
+  PopupRedirectResolver,
+  TokenRefreshHandler,
+  RefreshIdpTokenResult
+} from '../../src/model/public_types';
 import { debugErrorMap } from '../../src';
 
 import { AuthImpl } from '../../src/core/auth/auth_impl';
@@ -42,7 +46,9 @@ export interface TestAuth extends AuthImpl {
 
 const FAKE_APP: FirebaseApp = {
   name: 'test-app',
-  options: {},
+  options: {
+    projectId: 'test-project-id'
+  },
   automaticDataCollectionEnabled: false
 };
 
@@ -116,6 +122,63 @@ export async function testAuth(
   return auth;
 }
 
+class TokenRefreshHandlerImpl implements TokenRefreshHandler {
+  async refreshIdpToken(): Promise<RefreshIdpTokenResult> {
+    // Fetch the token for their custom Idp configured...
+    return {
+      idToken: 'new-token', // The new token string
+      idpConfigId: 'idp-config' // The ID for your IdP
+    };
+  }
+}
+
+export async function regionalTestAuthWithTokenRefreshHandler(
+  popupRedirectResolver?: PopupRedirectResolver,
+  persistence = new MockPersistenceLayer(),
+  skipAwaitOnInit?: boolean
+): Promise<TestAuth> {
+  const regionalAuth = await regionalTestAuth(
+    popupRedirectResolver,
+    persistence,
+    skipAwaitOnInit
+  );
+  regionalAuth.setTokenRefreshHandler(new TokenRefreshHandlerImpl());
+  return regionalAuth;
+}
+
+export async function regionalTestAuth(
+  popupRedirectResolver?: PopupRedirectResolver,
+  persistence = new MockPersistenceLayer(),
+  skipAwaitOnInit?: boolean
+): Promise<TestAuth> {
+  const tenantConfig = { 'location': 'us', 'tenantId': 'tenant-1' };
+  const auth: TestAuth = new AuthImpl(
+    FAKE_APP,
+    FAKE_HEARTBEAT_CONTROLLER_PROVIDER,
+    FAKE_APP_CHECK_CONTROLLER_PROVIDER,
+    {
+      apiKey: TEST_KEY,
+      authDomain: TEST_AUTH_DOMAIN,
+      apiHost: TEST_HOST,
+      apiScheme: TEST_SCHEME,
+      tokenApiHost: TEST_TOKEN_HOST,
+      clientPlatform: ClientPlatform.BROWSER,
+      sdkClientVersion: 'testSDK/0.0.0'
+    },
+    tenantConfig
+  ) as TestAuth;
+  if (skipAwaitOnInit) {
+    // This is used to verify scenarios where auth flows (like signInWithRedirect) are invoked before auth is fully initialized.
+    // eslint-disable-next-line @typescript-eslint/no-floating-promises
+    auth._initializeWithPersistence([persistence], popupRedirectResolver);
+  } else {
+    await auth._initializeWithPersistence([persistence], popupRedirectResolver);
+  }
+  auth.persistenceLayer = persistence;
+  auth.settings.appVerificationDisabledForTesting = true;
+  return auth;
+}
+
 export function testUser(
   auth: AuthInternal,
   uid: string,