---
title: Validating PingAM stateless access tokens
description: The StatelessAccessTokenResolver confirms that stateless access tokens provided by AM are well-formed, have a valid issuer, have the expected access token name, and have a valid signature.
component: pinggateway
version: 2026
page_id: pinggateway:gateway-guide:oauth2-rs-stateless
canonical_url: https://docs.pingidentity.com/pinggateway/2026/gateway-guide/oauth2-rs-stateless.html
revdate: 2025-04-01T17:53:34Z
---

# Validating PingAM stateless access tokens

The StatelessAccessTokenResolver confirms that stateless access tokens provided by AM are well-formed, have a valid issuer, have the expected access token name, and have a valid signature.

After the StatelessAccessTokenResolver resolves an access token, the OAuth2ResourceServerFilter checks that the token is within the expiry time, and that it provides the required scopes. For more information, refer to [StatelessAccessTokenResolver](../reference/StatelessAccessTokenResolver.html).

The following pages show how to validate signed and encrypted access tokens:

* [With JwkSetSecretStore and PingAM](oauth2-rs-stateless-signed-sat.html)

* [Signed PingAM tokens with KeyStoreSecretStore](oauth2-rs-stateless-signed-ksss.html)

* [Encrypted PingAM tokens with KeyStoreSecretStore](oauth2-rs-stateless-encrypted.html)