--- title: Defining the access token attribute contract description: On the Access Token Attribute Contract tab, define the attribute contract for the access tokens issued by this access token management (ATM) instance. component: pingfederate version: 13.1 page_id: pingfederate:administrators_reference_guide:pf_defining_access_token_attribute_contract canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_defining_access_token_attribute_contract.html llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md revdate: July 10, 2024 section_ids: about-this-task: About this task steps: Steps result: Result: --- # Defining the access token attribute contract On the **Access Token Attribute Contract** tab, define the attribute contract for the access tokens issued by this access token management (ATM) instance. ## About this task You must enter at least one attribute. For auditing purposes, an attribute can be chosen as the subject. ## Steps 1. Go to **Applications > OAuth > Access Token Management** and select your instance, or click **Create New Instance**. 2. On the **Access Token Attribute Contract** tab use the **Extend the Contract** field and the **Add** button to add one or more attributes. To always return this array in a token response, select the **Multi-Valued** checkbox. For JSON web token (JWT) bearer access tokens, you can extend the attribute contract with the following attributes. | Attribute | Description | | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `iss` | Adds the Issuer claim (`iss`) to the access token.When mapping attribute values from authentication sources to the access tokens issued by this ATM instance, the value specified on the **Access Token Attribute Contract** tab overrides any **Issuer Claim Value** defined on the **Instance Configuration** tab. | | `aud` | Adds the Audience claim (`aud`) to the access token.When mapping attribute values from authentication sources to the access tokens issued by this ATM instance, the value you specify on the **Access Token Attribute Contract** tab overrides any **Audience Claim Value** defined on the **Instance Configuration** tab. | | `exp` | Extends the value of the Expire claim (`exp`) by the specified value in minutes. Define the Expire claim with the Token Lifetime setting in the Instance Configuration tab. | | The **Client ID Claim Name** field value, the **Scope Claim Name** field value, or the **Access Grant GUID Claim Name** field value defined on the **Instance Configuration** tab of this ATM instance. | When mapping attribute values from authentication sources to the access tokens issued by this ATM instance, the values defined in the **Access Token Attribute Contract** tab override the value of the client ID, the scope, or the persistent access grant GUID. | 3. Select an attribute from the **Subject Attribute Name** list. ### Result: When recording OAuth transactions in the audit log, PingFederate populates the subject field with values from this attribute specifically for token introspection and token validation using the `validate_bearer` grant type.