Before configuring your PingAccess deployment to protect an API:

  • PingAccess must be installed and running. See Installing and Uninstalling PingAccess for the full procedure.
  • You must have a configured token provider. The procedures vary depending on the token provider. For more information, see:
  • You must have installed a sideband client on the API gateway that serves the API you want to protect. For more information, contact Ping professional services.


After you have completed the following steps, your API is protected.

  1. Configure a virtual host – A virtual host represents the API you will protect and contains information about its location.
  2. Configure a rule – Rules control who can access what content under what circumstances.
  3. Configure an identity mapping – An identity mapping lets you share identity information with the protected API as headers.
  4. Configure an application – An application joins the other pieces together, giving users access to the API according to the configured rules.
  5. Configure a resource – A resource specifies an API endpoint and the methods that can be used to access it.