Specifically, access token validators translate an access token into a data structure that constitutes part of the input for policy processing.

To authenticate to PingDataGovernance Server's HTTP services, clients use OAuth 2 bearer token authentication to present an access token in the HTTP Authorization Request header. To process the incoming access tokens, PingDataGovernance Server uses access token validators, which determine whether to accept an access token and translate it into a set of properties, called claims.

Most access tokens identify a user, also called the token owner, as its subject. Access token validators can retrieve the token owner's attributes from the user store using a related component called a token resource lookup method. The user data obtained by a token resource lookup method is sent to the policy decision point (PDP) so that policies can determine whether to authorize the request.