--- title: Accessing the PingOne Advanced Services admin console and administrative API description: Introductory information about the PingOne Advanced Services administrative API and instructions on configuring access to it. component: pingoneadvancedservices page_id: pingoneadvancedservices:task_summary_table:p1as_platform_admin_api canonical_url: https://docs.pingidentity.com/pingoneadvancedservices/task_summary_table/p1as_platform_admin_api.html revdate: January 29, 2026 section_ids: _admin_console: Accessing the admin console steps: Steps _platform_api_config: Configuring access to the administrative API _auth_code_flow: Authenticate using an authorization code flow assign_roles: Assigning users the appropriate roles steps-2: Steps signon_app: Signing on to an application to get an access token steps-3: Steps use_token: Using the token to authenticate steps-4: Steps _client_cred_flow: Authenticate using a client credentials flow creating-an-oidc-application: Creating an OIDC application steps-5: Steps generating-a-token: Generating a token steps-6: Steps restrict_access: Restricting access to the application steps-7: Steps interactive_api: Using the API interactive documentation before-you-begin: Before you begin steps-8: Steps steps-9: Steps --- # Accessing the PingOne Advanced Services admin console and administrative API You can use the PingOne Advanced Services admin console or a REST-based API to perform many tasks yourself instead of submitting a service request. For example, you can create and update virtual hosts yourself through the admin console or the administrative API. Learn more about virtual hosts in [Creating and updating virtual hosts](p1as_platform_virtual_hosts.html). | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | You must be using the appropriate platform version to access the admin console and administrative API. The administrative API functionality was introduced in platform version 2.0.0, which was released in December 2024, and the administrative console was introduced in platform version 2.2.0, which was released in March 2026. | To access the admin console: * Ensure that you have the appropriate roles assigned. Learn more about the roles available in [User access control roles](p1as_platform_mng_admins.html#p1as_admin_role_mappings). Learn how to assign these roles in [Assigning users the appropriate roles](#assign_roles) * Take these steps to [access the admin console](#_admin_console). To access the administrative API: * Ensure that you have the appropriate roles assigned. Learn more about the roles available in [User access control roles](p1as_platform_mng_admins.html#p1as_admin_role_mappings). Learn how to assign these roles in [Assigning users the appropriate roles](#assign_roles) * Take these steps to [configure access to the API](#_platform_api_config). | | | | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | All administrative API events are logged. These logs include information about each event, the date and time it occurred, and information that identifies the users involved. Learn more about event logs in [Monitoring and logging](../monitoring_and_logging/p1as_monitoring_logging.html). | ## Accessing the admin console To complete platform self-service tasks, access the admin console. ### Steps 1. Go to the following URL: https\://self-service.``.``.ping.cloud 2. When prompted, enter your username and password. The admin console displays. 3. The toolbar at the top of the page indicates which environment is selected. Ensure you're working in the right environment by selecting it in the list. 4. Note the following: * The **Self-service** section of the sidebar helps you navigate between self-service tasks. ![An image of the self-service menu, which displays in the sidebar.](_images/UIMenu.png) * Each page contains resource icons that indicate status: * Blue indicates creating * Green indicates complete * Yellow indicates updating * Red indicates an error ## Configuring access to the administrative API The API requires a JWT Bearer token for authenticating requests. This token can be retrieved using either an authorization code flow or a client credentials flow. ### Authenticate using an authorization code flow The API supports the authorization code flow, which gets access tokens by securely redirecting users to the authorization server for authentication. To set this up, you'll need to: 1. Ensure users are [assigned the appropriate PingOne Advanced Services user access control roles](#assign_roles). 2. [Sign on to an application to get an access token](#signon_app). 3. [Use the token to authenticate](#use_token) and access the API using Swagger UI, or command-line tools, such as Postman or cURL. #### Assigning users the appropriate roles If you're using the PingOne platform: #### Steps 1. In the user profile, add a custom attribute. Learn more about adding these attributes in [Add custom attributes to a user](https://docs.pingidentity.com/pingone/pingone_tutorials/p1_add_custom_attributes_to_a_user.html) in the PingOne documentation. 2. Select the appropriate PingOne Advanced Services roles for the user and click **Save**. You can find a complete list of available roles in [User access control roles](p1as_platform_mng_admins.html#p1as_admin_role_mappings). If you're using the CAP, Ping Identity manages the roles and permissions your administrators are assigned. Submit an [Elevate Admin](p1as_pf_elevate_admin.html) service request and specify which roles and permissions users should have. #### Signing on to an application to get an access token To get a token: #### Steps 1. Go to the PingOne Advanced Services login URL: https\://self-service-api.\-\.\.ping.cloud/api/v1/auth/login/\ Valid values for the application are "self-service", "pingaccess", "pingfederate", "opensearch", and "argocd". 2. Enter your credentials and click **Submit**. If authentication is successful, you're redirected to the **Success** page and a **Copy Token** button displays. 3. Click **Copy Token** to copy the token to your clipboard. #### Using the token to authenticate If you're using the API interactive documentation: #### Steps 1. Go to the respective API docs URL. 2. Click **Authorize**. 3. Paste the token into the input field and click **Authorize** and then **Close**. All requests made from the interactive documentation will be authenticated. If you're using command-line tools, such as Postman or cURL, query the API directly and include the bearer token in the headers. For example, `{"Authorization": "Bearer "}` You can also use the interactive documentation to explore the API endpoints, view documentation for the API, and experiment with API calls. You can make API calls from an interactive user interface, custom applications, or from command-line tools. Learn more about this interactive documentation in [Using the API interactive documentation](p1as_platform_interactive_api.html). ### Authenticate using a client credentials flow This API also supports the client credentials flow, which is designed for machine-to-machine (M2M) interactions, where an application needs to access resources without involving a user. | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | This type of flow can only be used if your PingOne environment is connected to your PingOne Advanced Services environment and both are correctly configured. Learn more about setting up this connection in [Using the PingOne platform](p1as_platform_mng_admins.html#_using_pingone). | To set this up, you'll need to: 1. Create an OIDC application. 2. Generate a token. To ensure that only administrators can generate access tokens, restrict access to the application that you created. Learn more about this process in [Restricting access to the application](#restrict_access). #### Creating an OIDC application Start by creating an OpenID Connect (OIDC) application in PingOne. #### Steps 1. Go to **Applications** > **Resources**. 2. Click the **[icon: plus, set=fa]**icon. 3. Create the resource by completing these fields: * **Resource name**: A unique identifier for the resource. * **Description** (optional): A brief characterization of the resource that helps identify it. 4. Click **Next**. 5. On the **Attributes** page, click **Add** to add a new attribute. 6. Create an attribute labeled `name`. Click the **Gear** icon to open the expression builder and enter a hardcoded name, such as `OrchestrationTool`. This is the name that will display with the tokens in the application logs. Learn more in [Using the expression builder](https://docs.pingidentity.com/pingone/pingone_expression_language/p1_use_expression_builder.html) in the PingOne documentation. 7. Create an attribute labeled `groups`. Click the **Gear** icon to open the expression builder and enter the appropriate user access control roles. Set the values to a hardcoded list of valid roles. For example, {"dev-tls-admin", "prod-tls-audit"}. Learn more about these roles and permissions in [User access control roles](p1as_platform_mng_admins.html#p1as_admin_role_mappings). | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | The PingOne Advanced Services attributes must be set up for them to display in the list. Learn more about adding this attribute in [Creating custom user attributes](p1as_platform_mng_admins.html#p1as_custom_attributes). | 8. Click **Next**. 9. On the **Scopes** page, add a new scope to map the role to the new application. Click **Add Scope** and complete the following fields: * **Scope name**: A unique identifier for the scope. * **Description** (optional): A brief description of the scope that helps identify it. 10. Click **Save**. 11. Now, add the OIDC application. Go to **Applications > Applications**. 12. Click the **[icon: plus, set=fa]**icon. 13. Complete the following fields: * **Application name**: A unique identifier for the application. * **Description** (optional): A brief characterization of the application that helps identify it. * **Icon** (optional): A graphic representation of the application. Use a file up to 1 MB in JPG, JPEG, GIF, or PNG format. 14. In the list of available application types, select **OIDC Web App**. Click **Save**. 15. On the **Configuration** tab, click the **Pencil** icon to edit the configuration. * Change the **Response Type** to none by clearing all the options. * Change the **Grant Type** to **Client Credentials**. 16. Click **Save**. 17. On the **Resources** tab, click the **Pencil** icon to add the scope you added in step 8 to the application. 18. Click **Save** and click the toggle at the top of the details panel to enable the application. #### Generating a token Access the new application in the PingOne admin console to generate an access token. #### Steps 1. Follow the steps outlined in [Getting an access token](https://docs.pingidentity.com/pingone/applications/p1_getaccesstoken.html) in the PingOne documentation. 2. Include the bearer token in the headers. For example, `{"Authorization": "Bearer "}` You can also use the interactive documentation to explore the API endpoints, view documentation for the API, and experiment with API calls. You can make API calls from an interactive user interface, custom applications, or from command-line tools. Learn more about this interactive documentation in [Using the API interactive documentation](p1as_platform_interactive_api.html). #### Restricting access to the application To ensure that only administrators can generate access tokens, restrict access to the application that you created. #### Steps 1. Select the application, click the **Access** tab, and then the **Pencil** icon. 2. Select the **Admin Only Access** checkbox and click **Save**. ## Using the API interactive documentation The API includes interactive documentation for both developers and non-developers to explore the API endpoints, view documentation for the API, and experiment with API calls. Built on Swagger UI, this interactive tool makes it easy for you to visualize, interact with, and test the APIs within a browser. You can make API calls from an interactive user interface, custom applications, or from command line tools such as cURL. ### Before you begin Ensure you have access to the administrative API. Learn more in [Accessing the admin console and administrative API](#). To access the administrative API documentation: ### Steps 1. Start a web browser. 2. Go to the URL: https\://self-service-api.\-\.\.ping.cloud/docs | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | The API is also documented in the OpenAPI Specification, previously known as the Swagger Specification. Go to: https\://self-service-api.\-\.\.ping.cloud/api/v1/openapi.json. | To test an administrative API: ### Steps 1. Select a section of the administrative API you would like to explore. For example, **/hostnames**. 2. Expand the method you want to use. For example, **GET /hostnames**. 3. Enter required parameters, if any. For more information, see **Schema Models** under the selected API endpoint. 4. Click **Try it out**. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | You will be prompted to sign on using an access token for OAuth authentication. The role assigned to the respective administrative accounts affects the access to the requested API. | If the request completes successfully, the administrative API returns the **Request URL**, the **Response Body**, the **Response Code**, and the **Response Headers**.