--- title: Managing access token mappings description: In this required configuration, map attributes to be requested from the OAuth resource server into the access token and the token attribute contract. component: pingfederate version: 13.1 page_id: pingfederate:administrators_reference_guide:pf_managing_access_token_mappings canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_managing_access_token_mappings.html llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md revdate: May 13, 2026 page_aliases: ["help_accesstokenmappingtasklet_oauthuserkey2accesstokenmappingstate.adoc"] section_ids: about-this-task: About this task steps: Steps related-links: Related links --- # Managing access token mappings In this required configuration, map attributes to be requested from the OAuth resource server into the access token and the token attribute contract. ## About this task When mapping a default context, define how PingFederate maps values into the attributes based on the persistent-grant `USER_KEY`, and any extended attributes defined in **System > OAuth Settings > Authorization Server Settings**. PingFederate acts as an OAuth authorization server. When a specific context is selected, you can map attributes from the selected context, specifically the chosen IdP adapter instance, Password Credential Validator instance, or authentication policy contract, into the access tokens. You can also map attributes from an IdP connection with an OAuth attribute mapping configuration or an authentication policy contract mapping configuration. You can configure a mapping for clients using the client credential grant type. The mapping used at runtime depends on the authentication context of the original grant. If the authentication context results in a match, PingFederate uses that specific mapping. Otherwise, it uses the default mapping for the applicable access token manager instance. | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | The **Access Token Mapping** window becomes available after at least one access token manager (ATM) instance has been configured in **Applications > OAuth > Access Token Management**. | ## Steps 1. In the PingFederate admin console, go to **Applications > OAuth > Access Token Mappings**. | Action | Steps | | ----------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Create a mapping | Select the source of the attributes from the **Context** list and the target ATM instance from the **Access Token Manager** list, and then click **Add Mapping**. | | Modify an existing mapping | Select it by its name under **Mappings**. | | Remove an existing mapping or to cancel the removal request | Click **Delete** or **Undelete** under **Action**. Before removing an existing mapping from your configuration, ensure that it is not used by your OAuth use cases. | ## Related links * [Mapping OAuth attributes](../introduction_to_pingfederate/pf_mapp_oauth_attri.html)