---
title: Grant-management endpoint
description: Resource owners use the grant-management endpoint to view, and optionally revoke, the persistent access grants they have made.
component: pingfederate
version: 13.1
page_id: pingfederate:developers_reference_guide:pf_grant_manage_endpoint
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/developers_reference_guide/pf_grant_manage_endpoint.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 5, 2022
section_ids:
  endpoints-asgrants-oauth2-and-asoauth_access_grants-ping: "Endpoints: /as/grants.oauth2 and /as/oauth_access_grants.ping"
---

# Grant-management endpoint

Resource owners use the grant-management endpoint to view, and optionally revoke, the persistent access grants they have made.

Two grant-management endpoints are provided. One of them, `/as/grants.oauth2`, accepts parameters. The grant-management endpoint is not part of the OAuth specification, but many OAuth providers offer a similar function.

Grants associated with the `USER_KEY` of the authenticated user are displayed. The same attribute mappings from the authentication source to `USER_KEY`, which are used for the authorization endpoint, are used here to look up the user's existing grants.

## Endpoints: /as/grants.oauth2 and /as/oauth\_access\_grants.ping

The following table describes the available parameters for the `/as/grants.oauth2` endpoint. Use only one of them as needed.

| Parameter               | Description |
| ----------------------- | ----------- |
| `idp` or `PartnerIdpId` | Indicates the entity ID or the connection ID of the identity provider (IdP) with whom to initiate browser single sign-on (SSO) for user authentication. |
| `pfidpadapterid`        | Indicates the IdP adapter instance ID of the adapter to use for user authentication.<br><br>This parameter may be overridden by policy based on authentication selection configuration. For example, the OAuth Scope Authentication Selector could enforce the use of a given adapter based on client-requested scopes. |

If no recent user attributes are found for the session context, the user is redirected to `/as/oauth_access_grants.ping` to initiate the authentication process, which behaves in the same way as the authorization endpoint.
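
Building a link to `/as/grants.oauth2` that carries at most one of the parameters from the table, with the value encoded so that an entity ID that is itself a URL cannot split into extra query parameters. This is an added example, not part of the PingFederate documentation or product code; the function names, the host `sso.example.com:9031` and the sample entity ID are constructed, and the endpoint path is assumed to sit directly under the base URL's host.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

GRANTS_PATH = "/as/grants.oauth2"
# Parameter names taken from the table above.
ALLOWED = ("idp", "PartnerIdpId", "pfidpadapterid")


def build_grants_url(base_url, **params):
    """Return a grant-management link with at most one selection parameter."""
    base = urlsplit(base_url)
    if base.scheme != "https" or not base.netloc or "@" in base.netloc:
        raise ValueError("base URL must be an absolute https URL without userinfo")
    unknown = set(params) - set(ALLOWED)
    if unknown:
        raise ValueError(f"unsupported parameter(s): {sorted(unknown)}")
    if len(params) > 1:
        raise ValueError("use only one of idp, PartnerIdpId, pfidpadapterid")
    for value in params.values():
        if not value or any(ord(c) < 0x20 for c in value):
            raise ValueError("empty value or control character in parameter")
    # Assumption: the endpoint lives directly under the host of the base URL.
    url = f"https://{base.netloc}{GRANTS_PATH}"
    # urlencode percent-encodes ':', '/', '?', '&' and '=', so the whole
    # entity ID stays a single parameter value.
    return f"{url}?{urlencode(params)}" if params else url


def selection_params(url):
    """Parse a link and return the selection parameters it carries."""
    parts = urlsplit(url)
    if parts.path != GRANTS_PATH:
        raise ValueError("not a grant-management link")
    query = parse_qs(parts.query, keep_blank_values=True)
    return {k: v for k, v in query.items() if k in ALLOWED}


if __name__ == "__main__":
    # Constructed sample values.
    link = build_grants_url(
        "https://sso.example.com:9031",
        idp="https://idp.example.com/saml?tenant=a&x=1",
    )
    print(link)
    print(selection_params(link))
```
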
