API access control is often categorized in terms of granularity.

Access control granularity type Description
Coarse-grained Typically describes scenarios in which users or clients are entitled to all or none of particular applications or APIs.
Medium-grained Typically applies to URL-based scenarios in which users or clients are entitled to some pages or resources within applications or APIs.
Fine-grained When applied to the actions a user or client can take on an application page or an API resource, typically implies that action-specific conditions dictate whether the user or client is entitled to take the action. For example, a request to transfer bank funds might be denied if the amount exceeds the average of recent transfers by 20% or more.


For this tutorial, you are the producer of an online game in which players compete with friends to create the funniest meme. When starting a new game, the first player optionally invites other players by their email addresses. To prevent email spam, you must create a policy that blocks a user from starting a new game with other players if the user's email address comes from a generic mail domain.

Game activities are represented using an example Meme Game API.


The Meme Game API is publicly available and does not need to be installed for the PingAuthorize tutorials.


This tutorial teaches you how to configure two fine-grained API access control rules by walking you through the following tasks.

  1. Configure a reverse proxy for the Meme Game API.
  2. Test the reverse proxy.
  3. Add a policy for the Meme Game API's Create Game endpoint.
  4. Test the policy from the Policy Editor.
  5. Test the reverse proxy by making an HTTP request.
  6. Modify the rule for the Meme Game API's Create Game endpoint.

The following sections provide the details for completing these tasks.