The API first needs to receive the access token from the client as it was provided per the "Use a Token" section of this guide.

A request from a client would look similar to the following:

Authorization: Bearer AAA...ZZZ

In order to fulfill the request, the API first extracts the access token from the authorization header, then queries the token endpoint of the PingFederate AS to validate the token:

POST https://localhost:9031/as/token.oauth2 HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Authorization: Basic cnNfY2xpZW50OjJGZWRlcmF0ZQ==

A successful response to this message will result in a 200 OK HTTP response and a JSON structure in the body of the response similar to the following:

HTTP/1.1 200 OK

Content-Type: application/json;charset=UTF-8

  "access_token": { "role":"all_access" },

The resource server can then use this information to make an authorization decision and allow or deny the web request.