---
title: Remote proxy authentication methods
description: Configure bearer (OAuth 2.0) or basic authentication for PingIDM remote proxy connections, with a full configuration properties reference
component: pingoneaic
page_id: pingoneaic:idm-objects:remote-proxy-authentication-methods
canonical_url: https://docs.pingidentity.com/pingoneaic/idm-objects/remote-proxy-authentication-methods.html
llms_txt: https://docs.pingidentity.com/pingoneaic/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
keywords: ["Data Object Model", "Synchronization"]
section_ids:
  remote-proxy-bearer-auth: Bearer authentication (OAuth 2.0)
  remote-proxy-basic-auth: Basic authentication
  remote-proxy-config-ref: Configuration properties reference
---

# Remote proxy authentication methods

The remote proxy supports two authentication methods:

* [Bearer authentication (OAuth 2.0)](#remote-proxy-bearer-auth)

* [Basic authentication](#remote-proxy-basic-auth)

## Bearer authentication (OAuth 2.0)

Use for Advanced Identity Cloud tenant-to-tenant connections.

```json
{
  "enabled": true,
  "authType": "bearer",
  "instanceUrl": "https://<receiving-tenant-env-fqdn>/openidm/",
  "clientId": "idmprovisioning",
  "clientSecret": "&{esv.idmprovisioning.client.secret}", (1)
  "scope": ["fr:idm:*"],
  "tokenEndpoint": "https://<receiving-tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/access_token",
  "tokenEndpointAuthMethod": "client_secret_post",
  "scopeDelimiter": " "
}
```

|       |                                                                                            |
| ----- | ------------------------------------------------------------------------------------------ |
| **1** | Use an [ESV secret](../tenants/esvs.html) for `clientSecret` instead of a plaintext value. |

|   |                                                                                                                                                    |
| - | -------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | After creating the ESV, [restart](../tenants/esvs-manage-api.html#esv_api_endpoints) Advanced Identity Cloud services so the placeholder resolves. |

Required properties: `authType`, `clientId`, `clientSecret`, `instanceUrl`, `tokenEndpoint`, `tokenEndpointAuthMethod`, and `scope`.

## Basic authentication

Use for connecting to self-managed PingIDM instances.

```json
{
  "enabled": true,
  "authType": "basic",
  "instanceUrl": "https://idm.example.com:8443/openidm/",
  "userName": "openidm-admin",
  "password": "openidm-admin"
}
```

Required properties: `authType`, `userName`, `instanceUrl`, and `password`.

## Configuration properties reference

**External IDM proxy configuration properties**

| Property                  | Required          | Description                                                                                       |
| ------------------------- | ----------------- | ------------------------------------------------------------------------------------------------- |
| `enabled`                 | No                | Enable or disable the proxy. Default is `true`.                                                   |
| `authType`                | Yes               | Authentication method: `basic` or `bearer`.                                                       |
| `instanceUrl`             | Yes               | Receiving instance URL. Must end with a trailing slash (`/`).                                     |
| `scope`                   | Yes (bearer only) | OAuth 2.0 scopes, for example `["fr:idm:*"]`.                                                     |
| `scopeDelimiter`          | No                | Scope delimiter. Default is a space.                                                              |
| `userName`                | Yes (basic only)  | Username for basic auth.                                                                          |
| `password`                | Yes (basic only)  | Password for basic auth.                                                                          |
| `clientId`                | Yes (bearer only) | OAuth 2.0 client ID.                                                                              |
| `clientSecret`            | Yes (bearer only) | OAuth 2.0 client secret. Use an [ESV secret](../tenants/esvs.html) rather than a plaintext value. |
| `tokenEndpoint`           | Yes (bearer only) | OAuth 2.0 token endpoint URL.                                                                     |
| `tokenEndpointAuthMethod` | Yes (bearer only) | Must be `client_secret_post`.                                                                     |

|   |                                                                                                                                                                       |
| - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | For any request forwarded to the receiving tenant or instance that includes an `X-Requested-With` header, the remote proxy sets the header value to `RemoteIDMProxy`. |
