An agent typically sits in front of a web application or other protected resource on the web server or load balancer, such as Apache or Microsoft IIS.

PAAP is HTTP-based and utilizes a few custom status codes and headers. One goal of basing the protocol on HTTP is to enable an agent, which runs in an HTTP environment, to use concepts and code libraries already at its disposal to do its job.

The majority of the responsibilities reside within PingAccess. The intent of this protocol is to make the agent a relatively dumb agent, largely shielded from the configuration and processing details, and to maintain policies centrally in PingAccess. This means that agents do not need to know about the signing and encryption keys used by PingAccess or PingFederate. By following this model, the protocol allows agents and PingAccess to be versioned and upgraded independently of one another.

The protocol described here is supported by PingAccess 3.0 and later.


The prefix “vnd-pi-” was chosen for the PAAP protocol headers defined in this document. In this context, “vnd” indicates a vendor extension, and “pi” represents Ping Identity. Custom status codes were selected after consulting the Hypertext Transfer Protocol (HTTP) Status Code Registry with the intention of avoiding any conflicts.