---
title: Access token validators
description: Access token validators verify the tokens that HTTP client applications submit when they request access to protected resources and associate each token with an identity stored in the directory server.
component: pingdirectory
version: 11.0
page_id: pingdirectory:managing_access_control:pd_ds_access_token_validators
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/managing_access_control/pd_ds_access_token_validators.html
revdate: July 2, 2024
---
# Access token validators
Access token validators verify the tokens that HTTP client applications submit when they request access to protected resources and associate each token with an identity stored in the directory server.
To authenticate to PingDirectory server's HTTP services, clients use OAuth 2 bearer token authentication to present an access token *(tooltip: \
\
A data object by which a client authenticates to a resource server and lays claim to authorizations for accessing particular resources.\
\
)* in the HTTP Authorization request header.
To process the incoming access tokens, PingDirectory server uses access token validators, which determine whether to accept an access token and translate it into a set of properties, called claims, which PingDirectory server's HTTP services use to make access control decisions.
Most access tokens identify a user as its subject using the `sub` claim. Access token validators can retrieve the token subject's attributes from the directory using an identity mapper, which correlates the access token subject to an Lightweight Directory Access Protocol (LDAP) *(tooltip: \
\
An open, cross platform protocol used for interacting with directory services.\
\
)* entry.
Access token validators are used by the following services:
* Directory REST API
* SCIM 2
* Delegated Admin
* Consent API
You can configure the PingDirectory server to accept access tokens provided by LDAP clients using the OAUTHBEARER Simple Authentication and Security Layer (SASL) authentication method.