--- title: Creating policies to validate and authorize the access token description: Create policies to validate the access token and determine authorization requirements. component: pingaccess version: 9.0 page_id: pingaccess:pingaccess_user_interface_reference_guide:pa_creating_policies canonical_url: https://docs.pingidentity.com/pingaccess/9.1/pingaccess_user_interface_reference_guide/pa_creating_policies.html revdate: December 6, 2024 superseded_by: https://docs.pingidentity.com/pingaccess/9.1/pingaccess_user_interface_reference_guide/pa_creating_policies.html section_ids: steps: Steps --- # Creating policies to validate and authorize the access token Create policies to validate the access token and determine authorization requirements. ## Steps 1. In the PingAuthorize Policy Editor, go to the **Policies** tab. 2. Go to the **Global Decision Endpoint** section and create a new policy called `Token Validation`. 3. In the **Rules** section, in the **Combining Algorithm** list, select **Unless one decision is deny, the decision will be permit**. 4. In the **Rules** section, add an **Access token is inactive** rule: 1. In the **Applies to** section, select **Add definitions and targets, or drag from components** and **All requests**. 2. In the **When** section, map the following: 1. Select **All**, then select **TokenActive**, **Equals**, and **False**. 2. Select **Any**, then set **Any Inbound Request** to **is True**, and **Any SCIM or OpenBanking Request** to **is True**. ![Screen capture of an example Access token is inactive rule.](_images/tokenValidationPolicy.png) 5. In the **Statements** section: 1. Add an **Invalid Token** statement: 1. In the **Code** field, enter `denied-reason`. 2. In the **Applies To** field, enter `Deny`. 3. In the **Applies If** field, enter `All decisions in path match`. 4. In the **Payload** field, enter `{"status":401, "message":"invalid_token","detail":"Access token is expired or otherwise invalid"}`. 5. Make sure the **Obligatory** checkbox is selected. 6. Click **Save**.