--- title: Troubleshooting API Access Management description: The following resources can help you solve issues with API Access Management. component: pingone page_id: pingone:authorization_using_pingone_authorize:p1az_aam_troubleshooting_api_access_management canonical_url: https://docs.pingidentity.com/pingone/authorization_using_pingone_authorize/p1az_aam_troubleshooting_api_access_management.html revdate: September 3, 2025 section_ids: solutions: Solutions api-client-http-5xx-errors: API client HTTP 5xx errors api-client-http-404-errors: API client HTTP 404 errors api-client-http-401-errors: API client HTTP 401 errors other-api-client-http-4xx-errors: Other API client HTTP 4xx errors trouble-audit-log: Viewing API Access Management events in your PingOne environment audit log about-this-task: About this task steps: Steps trouble-recent-decisions: Viewing recent decisions for the API Access Management decision endpoint --- # Troubleshooting API Access Management The following resources can help you solve issues with API Access Management. ## Solutions ### API client HTTP 5xx errors * Likely cause The API gateway might return HTTP 502 when there is misconfiguration or miscommunication between the Ping Identity gateway integration kit and the HTTP Access Policy Service in PingOne Authorize. * How to troubleshoot The gateway integration kit logs warning messages to the API gateway error log when it encounters problems communicating with PingOne Authorize. For more information, see the integration kit documentation for your API gateway: [Troubleshooting Kong Gateway integration with PingOne Authorize](p1az_troubleshooting_kong_integration.html) ### API client HTTP 404 errors * Likely cause The API gateway might return HTTP 404 to API clients when PingOne cannot match an API client's request to any of the Base URLs configured for an API service. * How to troubleshoot PingOne Authorize produces events in your PingOne environment audit log to aid in troubleshooting HTTP 4xx errors. Learn more in [Viewing API Access Management events in your PingOne environment audit log](#trouble-audit-log). * Details The PingOne environment audit log will provide more detailed information. For example: `No API server defines policy for the URL`. The error message lists the URL sent by the API client to the API gateway. For example: `https://localhost:8443/meme-game/api/v1/users/user.0/answers`. * How to fix Go to **Authorization > API Services**. Check the Base URL settings for the API service in question. If necessary, create an API service. Ensure that the Base URL for the API service matches the beginning of the URLs used by API clients when making requests for the API service through the API gateway. ### API client HTTP 401 errors * Likely causes The API gateway returns HTTP 401 to API clients when the API client's request cannot be authenticated or doesn't satisfy basic access control checks for an API service. For example, the API client attempts to invoke APIs in API service A using an OAuth Access Token issued for API service B. Or, the API client is using an old OAuth Access Token that has since expired. * How to troubleshoot PingOne Authorize produces events in your PingOne environment audit log to aid in troubleshooting HTTP 4xx errors. Learn more in [Viewing API Access Management events in your PingOne environment audit log](#trouble-audit-log). * Details The PingOne environment audit log provides more detailed information. For example: ``` Request to the URL "https://example.com" denied due to an invalid OAuth access token. ``` The `WWW-authenticate` HTTP response header contains more information, such as `Token expired` or `Invalid audience`. * How to fix Ensure that API clients properly manage their OAuth Access Tokens, including refreshing them or obtaining new tokens as necessary before tokens expire. ### Other API client HTTP 4xx errors * Likely causes The API gateway returns other HTTP 4xx errors to API clients when the API client's request doesn't satisfy access control rules configured for the API service or its API Operations in PingOne Authorize. For example, the API client attempts to invoke an API Operation that requires the user to be a member of a particular group in PingOne, but the user is not a member of that group. * How to troubleshoot PingOne Authorize produces events in your PingOne environment audit log in order to aid in troubleshooting HTTP 4xx errors. Learn more in [Viewing API Access Management events in your PingOne environment audit log](#trouble-audit-log). You can trace recent authorization decisions to understand which access rules were not satisfied. Learn more in [Viewing recent decisions for the API Access Management decision endpoint](#trouble-recent-decisions). * Details The PingOne environment audit log provides more detailed information. For example: ``` Request to the URL "https://example.com" denied by policy evaluation. ``` The Recent Decisions visualization contains more information, including which rule wasn't satisfied and which attribute values were compared during policy evaluation. For more information, see [Examining recent decisions](p1az_recent_decisions.html). * How to fix Ensure that API Operation access rules are properly configured to meet your application requirements. For group-based access control, ensure that the user is a member of one of the required groups. Also, ensure that the API client has been delegated authorization by a user, such as obtaining an OAuth Access Token using OAuth Code Flow. ## Viewing API Access Management events in your PingOne environment audit log Review audit activities in PingOne to verify that the API Access Management service is working properly or to troubleshoot any configuration problems. ### About this task When you make API requests to test configuration of API gateways, API Services, and resource operations, you can review runtime activity logs to ensure components are working correctly and to diagnose configuration problems. You can also check HTTP Access Policy management logs to review the status of actions performed on API Services. ### Steps 1. In PingOne, go to **Monitoring > Audit**. 2. [Run an audit report](../monitoring/p1_running_audit_report.html) to show HTTP Access Policy events: 1. For **Filter Type**, select **Event Type**. 2. For **Filter**, select the following options: * **HTTP Request Policy Evaluated** * **HTTP Response Policy Evaluated** 3. Click **Run**. 3. In the **Activities** table, in the **Details** column, click **View** to examine details for HTTP Access Policy events. | Parameter | Description | | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | API server resources | The API server name and ID. Also the name and a link to the matched API operation.This information is contained in the `resources` field. | | Gateway resources | The name and ID of the gateway that authenticated to the API, your environment ID, and a link to the gateway in the management API.This information is contained in the `actors.client` field. | | Result | The status is either `SUCCESS` or `FAILED`. The description provides an explanation for the success or failure. | | Policy evaluation result | Evaluation result codes and messages:- `POLICY_EVALUATION_SUCCEEDED`: The request was evaluated successfully to produce a permit or deny decision. The message further explains the decision. - `POLICY_EVALUATION_FAILED`: The request failed because of a policy evaluation error. - `INVALID_GATEWAY_REQUEST`: The authorization plugin sent an invalid request to PingOne. - `NO_POLICY_FOUND`: No matching API server was found to define the policy for the operation. - `UNEXPECTED_ERROR`: An error occurred that doesn't fall under one of the other result codes.The HTTP response status code is also provided. | | Authorization decision | The decision returned by the decision service for HTTP request events:- `PERMIT` - `DENY` - `NOT_APPLICABLE` - `INDETERMINATE` | 4. Run another audit report to show API Service events: 1. For **Filter Type**, select **Event Type**. 2. For **Filter**, select the following options: * **API Service Created** * **API Service Deleted** * **API Service Deployed** * **API Service Updated** 3. Click **Run**. 5. In the **Activities** table, in the **Details** column, click **View** to examine details for API Service events. | Parameter | Description | | --------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | | Actors | The client that performed the action. Also, the environment ID, the name and ID of the signed-on user, and a link to the user in the management API. | | Action | The type of action performed and a brief description. | | Resources | The type, ID, and name of the API Service. Also, the environment ID and a link to the API Service in the management API. | | Result | The status is either `SUCCESS` or `FAILED`. The description provides an explanation for the success or failure. | ## Viewing recent decisions for the API Access Management decision endpoint Trace recent authorization decisions to help troubleshoot problems with API Access Management rules and policies. To help with troubleshooting, examine recent decisions for the decision endpoint associated with your API service. For more information, see [Examining recent decisions](p1az_recent_decisions.html).