One goal of basing the PAAP on HTTP is to enable an agent, which runs in an HTTP environment, to use concepts and code libraries that are already at its disposal.


The PAAP uses custom status codes and headers for some functions. To avoid potential conflicts, all custom status codes were designed after consulting the Hypertext Transfer Protocol (HTTP) Status Code Registry.

PAAP headers use the following prefix:


In this context, vnd represents a vendor extension, and pi represents Ping Identity.

An agent typically sits in front of a web application or another protected resource on the web server or load balancer, such as Apache or Microsoft IIS. Agents use the PAAP to communicate with a PingAccess server, version 3.0 or later.

Most responsibilities reside with PingAccess in this model. The intent of the PAAP is to shield agents from configuration and processing details and to maintain policies centrally in PingAccess. This means that agents don't need to know about the signing and encryption keys used by PingAccess or PingFederate.

The PAAP protocol enables you to version and upgrade agents and PingAccess independently of one another.