---
title: Configuring an admin token provider
description: Configure a token provider to use when accessing the PingAccess user interface if you have enabled admin UI single sign-on or admin application programming interface (API) OAuth.
component: pingaccess
version: 9.0
page_id: pingaccess:pingaccess_user_interface_reference_guide:pa_configuring_an_admin_token_provider
canonical_url: https://docs.pingidentity.com/pingaccess/9.0/pingaccess_user_interface_reference_guide/pa_configuring_an_admin_token_provider.html
revdate: December 1, 2023
section_ids:
  about-this-task: About this task
  steps: Steps
---

# Configuring an admin token provider

Configure a token provider to use when accessing the PingAccess user interface if you have enabled admin UI single sign-on or admin application programming interface (API) *(tooltip: \<div class="paragraph">
\<p>A specification of interactions available for building software to access an application or service.\</p>
\</div>)* OAuth *(tooltip: \<div class="paragraph">
\<p>A standard framework that enables an application (OAuth client) to obtain access tokens from an OAuth authorization server for the purpose of retrieving protected resources on a resource server.\</p>
\</div>)*.

## About this task

If you do not configure an admin token provider, the system token provider is used for both the PingAccess user interface and for end users.

## Steps

1. Click **Settings**, then go to **Admin Authentication > Admin Token Provider**.

2. In the **Admin Token Provider** section, select **Admin**.

3. In the **Issuer** field, enter the issuer ID.

4. **Optional:** In the **Description** field, enter a description for the token provider.

5. In the **Trusted Certificate Group** list, select a trusted certificate group that PingAccess will use when authenticating to the admin token provider.

6. **Optional:** To configure the connection to use a configured proxy, click **Show Advanced Settings** and select **Use Proxy**.

   For more information about creating proxies, see [Adding proxies](pa_adding_proxies.html).

7. To configure OAuth 2.0 Demonstrating Proof of Possession (DPoP) settings, click **Show Advanced Settings**:

   1. In the **DPoP Type** list, select the level of DPoP support that you want to enable for access token validation:

      * **Off** (default): PingAccess doesn't accept DPoP-bound access tokens, only bearer tokens.

      * **Enabled**: PingAccess accepts both bearer tokens and DPoP-bound access tokens.

      * **Required**: PingAccess doesn't accept bearer tokens, only DPoP-bound access tokens.

   2. To require each DPoP proof to contain a nonce value during validation that was provided by PingAccess when the access token was created, per [RFC 9449 section 9](https://www.rfc-editor.org/rfc/inline-errata/rfc9449.html#:~:text=Next%20Nonce%20Value-,9.%20%20Resource%20Server%2DProvided%20Nonce,-Resource%20servers%20can), select **Require Nonce**.

      This check box is cleared by default.

   3. In the **DPoP Proof Lifetime (SEC.)** field, enter the duration, in seconds, that a DPoP proof should be considered valid after it's issued.

      |   |                                                                                                                                                    |
      | - | -------------------------------------------------------------------------------------------------------------------------------------------------- |
      |   | As a security best practice, keep this value low and consistent with the DPoP implementation of your API client. The default value is 120 seconds. |

8. Click **Save**.