---
title: StatelessAccessTokenResolver
description: Configure StatelessAccessTokenResolver to locally resolve and validate stateless access tokens issued by PingAM, without contacting PingAM
component: pinggateway
version: 2026
page_id: pinggateway:reference:StatelessAccessTokenResolver
canonical_url: https://docs.pingidentity.com/pinggateway/2026/reference/StatelessAccessTokenResolver.html
revdate: 2025-06-02T18:01:47Z
section_ids:
  StatelessAccessTokenResolver-usage: Usage
  StatelessAccessTokenResolver-properties: Properties
  StatelessAccessTokenResolver-example: Example
  StatelessAccessTokenResolver-moreinfo: More information
---

# StatelessAccessTokenResolver

Locally resolve and validate stateless access tokens issued by AM, without referring to AM.

AM can be configured to secure access tokens by signing or encrypting them. Configure the StatelessAccessTokenResolver for signature verification or decryption to match the AM configuration.

## Usage

Use this resolver with the `accessTokenResolver` property of OAuth2ResourceServerFilter.

```json
"accessTokenResolver": {
  "type": "StatelessAccessTokenResolver",
  "config": {
    "issuer": configuration expression<string>,
    "secretsProvider": SecretsProvider reference,
    "verificationSecretId": configuration expression<secret-id>, // Use "verificationSecretId" or
    "decryptionSecretId": configuration expression<secret-id>,   // "decryptionSecretId", but not both
    "skewAllowance": configuration expression<duration>
  }
}
```

## Properties

* `"issuer"`: *configuration expression<[string](preface.html#definition-string)>, required*

  URI of the AM instance responsible for issuing access tokens.

* `"secretsProvider"`: *SecretsProvider [reference](preface.html#definition-reference), required*

  The [SecretsProvider](SecretsProvider.html) to query for passwords and cryptographic keys.

* `"verificationSecretId"`: *configuration expression<[secret-id](preface.html#definition-secretid)>, required if AM secures access tokens with a signature*

  The secret ID for the secret used to verify the signature of signed access tokens.

  This secret ID must point to a [CryptoKey](../security-guide/keys.html#secret-types).

  Depending on the type of secret store that is used to verify signatures, use the following values:

  * For JwkSetSecretStore, use any non-empty string that conforms to the field convention for [secret-id](preface.html#definition-secretid). The value of the string isn't used.

  * For other types of secret stores:

    * `null`: No signature verification is required.

    * A `kid` as a string: Signature verification is required with the provided `kid`. The StatelessAccessTokenResolver searches for the matching `kid` in the SecretsProvider.

  You can find more information about how signatures are validated in [Validate the signature of signed tokens](../security-guide/keys.html#secret-valid-signature). You can find more information about how each type of secret store resolves named secrets in [Secrets](secrets.html).

  Use either `verificationSecretId` or `decryptionSecretId`, according to the configuration of the token provider in AM. If AM is configured to sign **and** encrypt tokens, encryption takes precedence over signing.

* `"decryptionSecretId"`: *configuration expression<[secret-id](preface.html#definition-secretid)>, required if AM secures access tokens with encryption*

  The secret ID for the secret used to decrypt the JWT, for confidentiality.

  This secret ID must point to a [CryptoKey](../security-guide/keys.html#secret-types).

  Use either `verificationSecretId` or `decryptionSecretId`, according to the configuration of the token provider in AM. If AM is configured to sign **and** encrypt the token, encryption takes precedence over signing.

* `"skewAllowance"`: *configuration expression<[duration](preface.html#definition-duration)>, optional*

  The duration to add to the validity period of a JWT to allow for clock skew between different servers.

  A `skewAllowance` of 2 minutes affects the validity period as follows:

  * A JWT with an `iat` of 12:00 is valid from 11:58 on the PingGateway clock.

  * A JWT with an `exp` of 13:00 is expired after 13:02 on the PingGateway clock.

  Default: `zero`, to support a zero-trust policy.

## Example

For examples of how to set up and use StatelessAccessTokenResolver to resolve signed and encrypted access tokens, refer to [Validating PingAM stateless access tokens](../gateway-guide/oauth2-rs-stateless.html).
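The property rules above can be checked before a route is deployed. The following script is an added example, not part of the PingGateway documentation or product code: it walks a route file and reports each StatelessAccessTokenResolver that sets both secret IDs, sets neither (a `null` `verificationSecretId` means no signature verification), omits a required property, or widens the validity window with `skewAllowance`. It assumes the route is strict JSON; the sample route, its names and URL, and the finding codes are constructed for illustration.

```python
import json

RESOLVER_TYPE = "StatelessAccessTokenResolver"

# Constructed sample route (hypothetical names and URL), with a null verificationSecretId.
SAMPLE_ROUTE = """
{"handler": {"type": "Chain", "config": {"filters": [
  {"type": "OAuth2ResourceServerFilter", "config": {"accessTokenResolver": {
    "type": "StatelessAccessTokenResolver",
    "config": {"issuer": "https://am.example.com/am/oauth2",
               "secretsProvider": "SecretsProvider-1",
               "verificationSecretId": null,
               "skewAllowance": "2 minutes"}}}}]}}}
"""

def find_resolvers(node, path="$"):
    """Yield (json_path, config) for every StatelessAccessTokenResolver object."""
    if isinstance(node, dict):
        if node.get("type") == RESOLVER_TYPE:
            yield path, node.get("config") or {}
        for key, value in node.items():
            yield from find_resolvers(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_resolvers(value, f"{path}[{index}]")

def audit_resolver(config):
    """Return (code, message) findings for one resolver config (codes are this example's own)."""
    findings = []
    verify = config.get("verificationSecretId")
    decrypt = config.get("decryptionSecretId")
    if verify is not None and decrypt is not None:
        findings.append(("both-secret-ids", "set verificationSecretId or decryptionSecretId, not both"))
    if verify is None and decrypt is None:
        findings.append(("unverified", "no secret ID set: signature is not verified, token is not decrypted"))
    for name in ("issuer", "secretsProvider"):
        if not config.get(name):
            findings.append(("missing-required", f"{name} is required"))
    skew = config.get("skewAllowance")
    if skew is not None and str(skew).strip().lower() != "zero":
        findings.append(("skew-set", f"skewAllowance {skew!r} extends the iat/exp window; default is zero"))
    return findings

def audit_route(text):
    """Map the JSON path of each resolver in a route to its findings."""
    return {path: audit_resolver(cfg) for path, cfg in find_resolvers(json.loads(text))}

if __name__ == "__main__":
    for path, findings in audit_route(SAMPLE_ROUTE).items():
        for code, message in findings:
            print(f"{path}: [{code}] {message}")
```

A `skew-set` finding is a prompt to confirm the allowance is intentional, not an error in itself.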

## More information

[org.forgerock.openig.filter.oauth2.StatelessAccessTokenResolver](../_attachments/apidocs/org/forgerock/openig/filter/oauth2/StatelessAccessTokenResolver.html)

[OAuth2ResourceServerFilter](OAuth2ResourceServerFilter.html)
