---
title: API Access Management
description: API Access Management in PingOne Authorize integrates with your API gateway to secure your APIs with centralized access control policies.
component: pingone
page_id: pingone:authorization_using_pingone_authorize:p1_az_api_access_management
canonical_url: https://docs.pingidentity.com/pingone/authorization_using_pingone_authorize/p1_az_api_access_management.html
revdate: December 2, 2025
keywords: ["access control;API access"]
section_ids:
  key-components: Key components
  getting-started: Getting started
  p1_aam_wf_p1sso: Using API Access Management with PingOne SSO as the token source
  before-you-begin: Before you begin
  steps: Steps
  choose-from: Choose from:
  p1_aam_wf_ext: Using API Access Management with an external token source
  before-you-begin-2: Before you begin
  steps-2: Steps
---

# API Access Management

API Access Management in PingOne Authorize integrates with your API gateway to secure your APIs with centralized access control policies.

You can control access to your APIs based on a number of factors, such as:

* Access token scopes

* User characteristics such as location, time zone, and full-time or part-time employment status

* An allow list of IP addresses

Use [built-in rules](p1az_add_api_service_operations.html) to get started with access control and [custom policies](p1az_adding_custom_policies_for_api_services_and_operations.html) for more complex access management scenarios. [Statements](p1az_policy_statements.html) enable you to include, modify, or exclude content in API requests and responses.
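To make the three kinds of rule above concrete, here is an added example (not PingOne Authorize code, and not how its policy engine is implemented) of a deny-by-default evaluator for one protected operation: the token's `scope` claim must contain every required scope, the client address must fall inside an IP allow list expressed as CIDRs, and a user attribute must have an expected value. The operation name, the `employment` attribute, the rule values and the decision requests are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not PingOne Authorize code: a deny-by-default evaluator for the
# three kinds of operation rules the page lists. Attribute names such as
# "employment" and the sample rule/requests are constructed for illustration.

@dataclass(frozen=True)
class OperationRule:
    required_scopes: frozenset        # every listed scope must be in the token
    ip_allow_list: tuple = ()         # CIDR strings; empty means no IP restriction
    require_full_time: bool = False   # user-characteristic rule

@dataclass
class DecisionRequest:
    token_scopes: frozenset           # parsed from the access token's scope claim
    client_ip: str                    # the peer address the gateway observed
    user: dict                        # user attributes resolved by the authorizer

def parse_scope_claim(scope_claim: str) -> frozenset:
    """OAuth 2.0 'scope' is a space-delimited string; ignore empty fragments."""
    return frozenset(s for s in (scope_claim or "").split(" ") if s)

def evaluate(rule: OperationRule, req: DecisionRequest) -> tuple:
    """Return ("PERMIT" | "DENY", reason). Every configured rule must pass."""
    missing = rule.required_scopes - req.token_scopes
    if missing:
        return "DENY", f"missing scopes: {sorted(missing)}"
    if rule.ip_allow_list:
        try:
            addr = ipaddress.ip_address(req.client_ip)
        except ValueError:
            return "DENY", f"unparseable client IP {req.client_ip!r}"
        if not any(addr in ipaddress.ip_network(cidr, strict=False)
                   for cidr in rule.ip_allow_list):
            return "DENY", f"{req.client_ip} not in IP allow list"
    if rule.require_full_time and req.user.get("employment") != "full-time":
        return "DENY", "user is not a full-time employee"
    return "PERMIT", "all rules satisfied"

# Constructed rule for a hypothetical "export payroll" operation.
PAYROLL_EXPORT = OperationRule(
    required_scopes=frozenset({"payroll:read", "payroll:export"}),
    ip_allow_list=("10.0.0.0/8", "192.0.2.0/24"),
    require_full_time=True,
)

def demo() -> dict:
    """Constructed decision requests evaluated against PAYROLL_EXPORT."""
    both = parse_scope_claim("payroll:read payroll:export")
    full_time = {"employment": "full-time", "country": "US"}
    cases = {
        "ok": DecisionRequest(both, "10.0.5.7", full_time),
        "no_export_scope": DecisionRequest(parse_scope_claim("payroll:read"), "10.0.5.7", full_time),
        "outside_network": DecisionRequest(both, "203.0.113.9", full_time),
        "contractor": DecisionRequest(both, "192.0.2.40", {"employment": "contractor"}),
        "bad_ip": DecisionRequest(both, "not-an-ip", full_time),
    }
    return {name: evaluate(PAYROLL_EXPORT, req) for name, req in cases.items()}

if __name__ == "__main__":
    for name, (effect, reason) in demo().items():
        print(f"{name:16} {effect:6} {reason}")
```

Two points carry over to a real deployment. The evaluator returns the first failing rule's reason only so the decision can be audited; the client should see a plain 401 or 403. And an IP allow list is only as trustworthy as the address it is checked against: the gateway must supply the peer address it observed, not a client-supplied `X-Forwarded-For` value, which an attacker can set freely.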

## Key components

An [API service](p1az_api_services.html) is a logical container in PingOne Authorize that represents a related set of API operations you want to protect. API Access Management rejects requests that don't match any API service's base URL.

As a basic form of access control, API Access Management validates tokens issued by PingOne SSO and external token sources such as PingOne Advanced Identity Cloud and PingOne Advanced Services. API Access Management rejects requests without a valid access token. Learn more about access control with external token sources in [External OAuth servers in PingOne Authorize](p1_az_external_oauth_servers.html).

An [API gateway](p1az_api_gateways.html) is the bridge between your protected API and PingOne Authorize. A PingOne Authorize integration kit works alongside your API gateway to intercept incoming API calls and enforce your authorization policies. Ping Identity provides [integration kits](https://marketplace.pingone.com/browse?products=authorize&contentType=integrations) for the following popular third-party gateways:

* [Amazon Web Services](p1_az_amazon_web_services_integration.html)

* [Apigee](p1az_apigee_integration.html)

* [Kong Gateway](p1az_kong_gateway_integration.html)

* [Kong Konnect](p1_az_kong_konnect_integration.html)

Learn more about API Access Management components and the decision request flow in [How API Access Management works](p1az_introduction.html#section_lvy_vgt_zsb).

**Note:** API Access Management works with HTTP APIs and OAuth 2.0 applications, but doesn't work with SAML applications.

## Getting started

Follow these high-level steps to configure API Access Management components. The process varies based on whether access tokens are issued by PingOne SSO or an external token source; each case is covered in its own section below.

### Using API Access Management with PingOne SSO as the token source

#### Before you begin

Make sure your PingOne environment includes PingOne SSO and PingOne Authorize.

#### Steps

1. [Define an API service](p1az_add_api_service.html) that represents your protected APIs.

2. Add an [API gateway](p1az_api_gateways.html) in PingOne that represents your gateway.

3. [Configure an integration kit](p1az_api_gateway_is.html) to connect your API gateway to PingOne.

4. Develop access control rules and policies for protected API operations:

   ##### Choose from:

   * [Use built-in access control rules](p1az_add_api_service_operations.html).

   * [Define custom policies](p1az_adding_custom_policies_for_api_services_and_operations.html).

5. [Add an application](../applications/p1_applications_add_applications.html) in PingOne that represents an API client.

6. Use the client application to make a request to the protected API.

   The request is routed through your API gateway and the integration kit, and then PingOne Authorize evaluates relevant policies and returns an authorization decision that permits or denies access to the requested API resource.

7. To validate the process, [examine recent decisions](p1az_recent_decisions.html) and the [audit log](p1az_monitoring_decision_endpoint_events.html).

### Using API Access Management with an external token source

#### Before you begin

* Make sure your PingOne environment includes PingOne Authorize.

* Ensure that your token source issues access tokens that meet API Access Management requirements. Learn more in [External OAuth servers](p1_az_external_oauth_servers.html).

#### Steps

1. In the system that issues tokens, create an OAuth 2.0 client application.

   In the next steps, you'll need the following information from the token issuer:

   * Token issuer identifier

   * JWKS endpoint URI or JWKS document

   * Token audience

2. In PingOne, [add an external OAuth server](p1_az_adding_external_oauth_servers.html) that represents your token issuer.

3. [Define an API service](p1az_add_api_service.html) that represents your protected APIs.

   Select **External OAuth Server** as the access token source.

4. Add an [API gateway](p1az_api_gateways.html) in PingOne that represents your gateway.

5. [Configure an integration kit](p1az_api_gateway_is.html) to connect your API gateway to PingOne.

6. [Develop custom policies](p1az_adding_custom_policies_for_api_services_and_operations.html) for protected API operations.

   **Note:** You can use built-in attributes based on access token claims in your policies. Learn more about these attributes in [Access token-related attributes](p1_az_built_in_attributes.html#p1-token-attributes).

7. Use the client application to make a request to the protected API.

   The request is routed through your API gateway and the integration kit, and then PingOne Authorize evaluates relevant policies and returns an authorization decision that permits or denies access to the requested API resource.

8. To validate the process, [examine recent decisions](p1az_recent_decisions.html) and the [audit log](p1az_monitoring_decision_endpoint_events.html).
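The basic access control described under Key components (requests without a valid access token are rejected) and step 1 above (the issuer identifier, JWKS and audience you collect from the token source) are the inputs to one check. The following added example, which is not PingOne Authorize or integration-kit code, shows that check end to end: a bearer token must be present, use the pinned algorithm, be signed by a key published in the issuer's JWKS (selected by `kid`), name the expected issuer and audience, and be inside its validity window. To stay within the standard library the JWKS holds an HS256 `oct` key; real token sources publish RSA or EC keys, and only the signature primitive would differ. The issuer URL, audience, key ID and secret are constructed values.

```python
import base64, hashlib, hmac, json, time

# Added example, not PingOne Authorize or integration-kit code. It performs the
# checks an authorizer applies to a bearer token before any policy runs. To stay
# inside the standard library the JWKS holds an HS256 "oct" key; real token
# sources publish RSA/EC keys and only the signature primitive would change.
# Issuer, audience, kid and secret below are constructed values.

EXPECTED_ISSUER = "https://issuer.example.com"   # assumed issuer identifier
EXPECTED_AUDIENCE = "https://api.example.com"    # assumed token audience
EXPECTED_ALG = "HS256"                           # pinned; never taken from the token

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# Constructed JWKS document, as the issuer would serve it at its JWKS endpoint.
ISSUER_JWKS = {"keys": [{"kty": "oct", "kid": "2025-01", "alg": "HS256",
                         "k": b64url_encode(b"constructed-demo-secret-not-for-production")}]}

def mint_token(claims: dict, kid: str = "2025-01", alg: str = "HS256") -> str:
    """Issuer side, used only to build sample tokens: sign header.payload with the JWKS key."""
    key = b64url_decode(next(k["k"] for k in ISSUER_JWKS["keys"] if k["kid"] == kid))
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT", "kid": kid}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

class TokenRejected(Exception):
    """Any validation failure; the caller turns it into a DENY."""

def validate_bearer(authorization_header, jwks: dict, now: float = None) -> dict:
    """Return the verified claims of the bearer token or raise TokenRejected."""
    now = time.time() if now is None else now
    if not authorization_header or not authorization_header.startswith("Bearer "):
        raise TokenRejected("no bearer token")
    parts = authorization_header[len("Bearer "):].strip().split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenRejected(f"undecodable token: {exc}")
    if header.get("alg") != EXPECTED_ALG:            # blocks alg=none and downgrades
        raise TokenRejected(f"unexpected alg {header.get('alg')!r}")
    key = next((k for k in jwks["keys"]
                if k.get("kid") == header.get("kid") and k.get("kty") == "oct"), None)
    if key is None:
        raise TokenRejected(f"unknown kid {header.get('kid')!r}")
    expected = hmac.new(b64url_decode(key["k"]), f"{parts[0]}.{parts[1]}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise TokenRejected("bad signature")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenRejected(f"wrong issuer {claims.get('iss')!r}")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in aud:
        raise TokenRejected(f"audience {aud} does not include {EXPECTED_AUDIENCE}")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise TokenRejected("token expired or has no exp")
    if now < claims.get("nbf", 0):
        raise TokenRejected("token not yet valid")
    return claims

def authorize(authorization_header, now: float = None) -> tuple:
    """Gateway-side wrapper: ("PERMIT", subject) or ("DENY", reason)."""
    try:
        return "PERMIT", validate_bearer(authorization_header, ISSUER_JWKS, now)["sub"]
    except TokenRejected as exc:
        return "DENY", str(exc)

NOW = 1_700_000_000  # fixed clock so the sample decisions are reproducible

def demo(now: float = NOW) -> dict:
    """Constructed requests: one valid token and the usual ways a token fails."""
    base = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "alice",
            "exp": now + 300, "scope": "orders:read"}
    good = mint_token(base)
    head, _, sig = good.split(".")
    forged_payload = b64url_encode(json.dumps({**base, "sub": "mallory"}).encode())
    forged = f"{head}.{forged_payload}.{sig}"     # payload changed, old signature kept
    return {
        "valid": authorize("Bearer " + good, now),
        "no_token": authorize(None, now),
        "forged_payload": authorize("Bearer " + forged, now),
        "alg_none": authorize("Bearer " + mint_token(base, alg="none"), now),
        "wrong_audience": authorize("Bearer " + mint_token({**base, "aud": "https://other.example.com"}), now),
        "expired": authorize("Bearer " + mint_token({**base, "exp": now - 1}), now),
    }

if __name__ == "__main__":
    for name, (effect, detail) in demo().items():
        print(f"{name:15} {effect:6} {detail}")
```

The order of the checks matters: the algorithm is pinned and the signature verified before any claim is trusted, so a token that names the right issuer and audience but carries `alg: none` or a modified payload never reaches the claim checks. Only after this step succeeds do the token-claim attributes become usable in custom policies, which is why the `scope` claim is carried through in the verified claims rather than read from the raw token.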
