A managed API service enables PingOne Authorize to recognize requests for your API and instructs the API gateway to allow access from authorized clients only and block access from unauthorized clients.

An API service definition includes a pointer to the API and to the specific parts of the API you want to protect. The definition also specifies whether directory services and access token validation are managed by PingOne or managed externally.

  1. Go to Authorize > API Services.
  2. Click the + icon next to API Services to add an API service.
  3. For the Name, enter a name that identifies the API service.

    The name must be unique across all API services and resources.

  4. Enter one or more Base URLs for the API represented by the API service.

    You can enter multiple URLs to support aliases for the same service, such as a vanity URL in addition to the domain URL. To add another URL, click + Add Base URL. URLs must be valid.

    Screen capture showing the Name, Base URLs, and Decision Endpoint fields and directory and token source options in the New API Service window in PingOne.
  5. For the Decision Endpoint, select the endpoint where custom policies for this API service and any custom operations under this API service will be published.
  6. Select a user directory and token source:
    • PingOne SSO: PingOne manages user directory services and access token validation for the API service. This is the default option.
    • External Services: The API gateway manages access token validation services through external providers, such as PingFederate. This requires you to configure your API gateway to pass validated token claims to PingOne in decision requests.

    After you save the API service, you can’t change whether the directory and token source is managed by PingOne or by external providers.

  7. Click Save.

    If you selected External Services in step 6, PingOne Authorize is now configured to recognize the API.

    If you selected PingOne SSO in step 6, complete steps 8 - 11.

  8. After PingOne creates the resource associated with the API service, click Done.

    The resource establishes a relationship between the API service and PingOne in order to define the audience for the API service’s access token.

  9. On the Advanced tab, click Configure Scopes, and then click + Add Scope.
    Screen capture of the API Services Advanced tab in PingOne.
  10. Click the Name field and select the scope for your API service.

    The scope defines which resources an API client can access. An application requests a scope for the resource associated with an API service in order to set the audience for the access token. By default, the scope name matches the API service name, with spaces replaced by hyphens.

    Screen capture showing the scope name in Configure Scopes on the API Services Advanced tab in PingOne.
  11. Click Save.

    PingOne Authorize is now configured to recognize the API.

  • If PingOne is managing user directory and access token validation services for the protected API service, add a PingOne application that is allowed to access the protected API service. To allow access, grant the application the same scope that you configured for the API service. For more information, see Editing scopes for an application.
  • Define operations for protected API actions.