API Access Management in PingOne Authorize works with the integration kit in your API gateway, using the best practices of OAuthOAuth A standard framework that enables an application (OAuth client) to obtain access tokens from an OAuth authorization server for the purpose of retrieving protected resources on a resource server. to manage API access control across these distributed systems. API Access Management integrates with your API gateway to seamlessly provide policy-based access control for your HTTP APIs.

Token and user management

An API service in PingOne Authorize groups related API operations into a protection domain that clients access with a single OAuth token. When you define an API service, you can use PingOne to issue access tokens and manage users for the API service, or you can use external providers, such as PingFederate and PingDirectory.

PingOne token provider

If PingOne is issuing tokens and managing users for the API service, you can use a built-in set of access control rules that are tightly integrated with PingOne. You can also define custom access control policies that handle more complex authorization scenarios.

Optionally, you can configure your API gateway to include validated access token claims in the decision request. PingOne Authorize will verify that the audience claim matches the audience value configured for the API service’s resource.

External token providers

If you use external providers to issue tokens and manage users for the API service, you can define custom access control policies, but you can’t use built-in API Access Management rules. You must configure your API gateway to validate access tokens and pass verified claims to PingOne in the inbound request.


Token validation by external providers is currently supported only for Apigee gateway integrations. PingOne Authorize relies on your API gateway for token validation and does not verify any matching claims.

With external providers, PingOne Authorize doesn’t include the userContext object in decision requests. This object provides information about PingOne users only and doesn’t resolve user identity information from external directories.


You can use the subject claim in the decision request’s PingOne.API Access Management.Identity.Access Token parameter to resolve user identity information from an external service for use in attributes, services, and custom policies.

Access control policies

To control access to your APIs, you can define basic rules and custom policies. Basic rules grant access based on authorized scopes and user membership in groups. For more information about basic rules, see Defining operations for protected actions.

For more complex access control scenarios, you can define custom policies in the API Access Management policy tree. For more information, see Adding custom policies for API services and operations.


Each API service has a system-owned decision endpoint that provides an environment for managing and deploying authorization policies relevant to the API service. The decision endpoint is created when you deploy the API service for the first time, and it has the same name as the API service. For more information, see Deploying an API service.