--- title: STS token contracts description: Similar to an adapter contract for broswer-based single sign-on (SSO), A security token service (STS) token-processor or token-generator contract represents an agreement between the PingFederate server and an external application in the context of a web services transaction. component: pingfederate version: 13.1 page_id: pingfederate:introduction_to_pingfederate:pf_sts_token_contract canonical_url: https://docs.pingidentity.com/pingfederate/13.1/introduction_to_pingfederate/pf_sts_token_contract.html llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md revdate: July 5, 2022 section_ids: extended-token-generator-contract: Extended token generator contract --- # STS token contracts Similar to an adapter contract for broswer-based single sign-on (SSO), A security token service (STS) token-processor or token-generator contract represents an agreement between the PingFederate server and an external application in the context of a web services transaction. In concert with the attribute contract between partners, token contracts specify the transfer of attributes, consisting of a list of case-sensitive attribute names. On the identity provider (IdP) side of a federation, PingFederate receives token-processor attributes. For more information, see [Token processors and generators](pf_token_proc_and_gen.html) and [Managing token processors](../administrators_reference_guide/pf_managing_token_processors.html). On the service provider (SP) side, a token generator requires token-generator contract attributes to pass identify information from the token to the web service client application. Each security domain requires at least one token generator type. Then a token-generator instance must be configured for each target application. For more information, see [Managing token generators](../administrators_reference_guide/help_tokengeneratortasklet_tokenpluginmgmtstate.html). If several target applications are controlled by the same security context and can receive the same set of attributes for the user, you would deploy a token generator type and configure a token generator instance for each target application. For more information, see [Managing SP token generator mappings](../administrators_reference_guide/help_wstrusttokengenerationtasklet_wstrusttokengeneratormappingstate.html). ## Extended token generator contract When PingFederate deploys a token-generator type, it creates token-generator contracts. When developed, these token generators are "hard-wired" to look up or set a specific set of attributes. After deployment, your attribute requirements might change. To streamline adjustment of token-generator contracts, PingFederate allows an administrator to add additional attributes to the token-generator instance through the administrative console. These adjustments are called extended token-generator contracts.