--- title: Customizing access tokens description: Customize the content of access tokens by adding custom resource attributes and application permissions to the token in PingOne. component: pingone page_id: pingone:applications:p1_customize_access_token canonical_url: https://docs.pingidentity.com/pingone/applications/p1_customize_access_token.html revdate: January 10, 2025 section_ids: steps: Steps --- # Customizing access tokens With PingOne, you can customize the content of access tokens by adding custom resource attributes and application permissions to the token. Use customized access tokens to convey additional information about token holders to applications. | | | | - | ----------------------------------------------------------------------------------------------- | | | You can't customize tokens for the two default resources:- OpenID Connect (OIDC) - PingOne API | ## Steps 1. In the PingOne admin console, go to **Applications > Resources** and browse or search for the resource that you want to edit. 2. Click the resource entry to open the details panel for the resource. 3. On the **Attributes** tab, click the **Pencil** icon ([icon: pencil, set=fa]) to add custom attributes. 1. Click **[icon: plus, set=fa]Add**. 2. Enter the following: * **Attributes**: Enter the attribute value for the resource, such as `sub`. * **PingOne mappings**: Select an attribute in the list, such as `User ID`. | | | | - | --------------------------------------------------------------------------------------------------------------- | | | Learn more about configuring the access token time to live (TTL) in [Editing a resource](p1_editresource.html). | 3. (Optional) Select the **Required** checkbox to make the attribute required. * For any attributes except the `sub` attribute If it can't find a value for an attribute set as required, PingOne doesn't issue an access token for the resource and instead issues an error message in the token response. * For the `sub` attribute The following table lists how PingOne handles the `sub` attribute based on whether it's set as required and what grant type the application is using: | `sub` set as required? | Application grant type | If PingOne can't find an attribute mapping value? | | ---------------------- | --------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------- | | Yes | Any grant type requiring user interaction, such as authorization code | PingOne doesn't issue an access token for the resource and instead issues an error message in the token response. | | Yes | Client credentials | PingOne doesn't issue an access token for the resource and instead issues an error message in the token response. | | No | Any grant type requiring user interaction | PingOne populates the `sub` attribute with the PingOne user ID of the authenticated user. | | No | Client credentials | PingOne returns an access token without including the `sub` attribute. | 4. Continue adding attributes as needed. 4. To include application permissions in access tokens created for this resource, on the **Permissions** tab, click the **Include user permissions in Access Token** toggle. | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | To enable the **Permissions** tab, add PingOne Authorize to your environment.Learn more about defining application permissions in [Adding application permissions](p1_add_application_permissions.html). | The `p1.permissions` claim in the access token will include permissions for the authenticated user. 5. Click **Save**.