Before you connect to an HTTP service, you can add attributes that store values for service settings, such as the endpoint URL for an HTTP request. Storing settings as attributes is useful if the values are dynamic or if you want to use different values during testing. For example, during testing, you can override a production REST API used in an HTTP service with a test API.


If the service requires OAuth 2.0 Client Credentials authentication, you must add an attribute that stores the external service’s client secret before you configure service settings. You can also add attributes that store other client credentials, such as the client ID and token endpoint.

After you finish configuring the service, test the service connection. To make the service response available in policies, add attributes that resolve against the service and process the response to extract required values.

Add a service, configure the following service settings, and then configure general settings to finish the service connection.

HTTP Settings

HTTP service requests can send and receive text, JSON, and XML content.

Screen capture showing the Service Type, URL, HTTP Method, Body, and Authentication HTTP service settings.
HTTP settings
Setting Description


The URL for the REST endpoint that the decision point accesses in the HTTP request.

To include an attribute anywhere in the URL, wrap the full name of the attribute in double curly brackets.


Because there is no URL encoding in service settings, use a PingOne expression language (SpEL) processor in the attribute definition to perform URL encoding.

For example, you can use a SpEL processor similar to this in the attribute resolver:


HTTP Method

The action performed in the HTTP request. Options are GET, POST, PUT, DELETE, and HEAD.

Content Type

The media type of the content in the HTTP request. Options are application/json, application/xml, text/html, and text.


The body to send with the HTTP request. You can include attributes anywhere in the body, with no escaping, by wrapping the full name of the attribute in double curly brackets.


The HTTP authentication method for the authorization header sent with the HTTP request. HTTP authentication methods are described in detail below.


You can configure HTTP headers to use additional authentication mechanisms. For example, you have full control over the Authorization header and other headers.

HTTP authentication methods

To authenticate HTTP service requests, you can use no authentication, basic authentication with a username and password, a bearer token, or the OAuth 2.0 Client Credentials flow.


With this method, no authorization header is sent with the HTTP request. This is the default option.


For basic authentication, provide a username and password.

Screen capture showing the Username and Password settings for Basic authentication.
Bearer Token

For bearer authentication with a static token, select an attribute that stores the authorization token to send with the HTTP request.

Screen capture showing the Token selection list for Bearer Token authentication.
OAuth 2.0 (Client Credentials)

For authentication with the OAuth 2.0 Client Credentials flow, configure client credentials to exchange for an access token.

Screen capture showing the Token Endpoint, Scope, Client Id, and Client Secret settings for OAuth 2.0 Client Credentials authentication.

PingOne Authorize manages the authentication process as follows:

  1. PingOne Authorize requests an access token from the external service by sending client credentials, including any scopes, in a POST request to the authorization server’s token endpoint. Credentials are sent in the request body.
  2. The authorization server validates the client credentials and provides an access token, which PingOne Authorize caches and refreshes automatically.
  3. In an HTTP service request, PingOne Authorize provides the access token in the authorization header, authenticates with the HTTP service, and retrieves requested information from the service.

Before you configure the following settings, add an attribute that stores the client secret. You can also add attributes that store other client credentials.

  • Token Endpoint: The token endpoint URL for the authorization server that grants an access token. For example, https://{domain}/oauth*/token.
  • Scope: The scopes to request in the access token. Scopes are optional and can be used to limit the permissions of a token in the connected service. Separate scopes with commas and no spaces.
  • Client Id: Enter the external service’s unique client identifier, or select an attribute that stores this value.
  • Client Secret: Select an attribute that stores the external service’s client secret.


You can send any number of custom header key-value pairs with a request. To make the header dynamic, select an attribute for the header value.

Screen capture showing the Key and Value HTTP service header settings.

To add a header:

  1. Click + Header.
  2. Enter the header Key.

    The key is a fixed string.

  3. For the header Value, enter a constant value or click Switch to attribute button. to select an attribute.

SSL/TLS Certificate Settings

Certificate validation in PingOne Authorize allows you to enable or disable SSL and TLS certificates when connecting to SSL or TLS-based services.

Screen capture showing the Certificate Validation list in SSL/TLS certificate settings for HTTP services.

SSL and TLS certificate settings apply when validating the certificate or certificate chain sent from the server. The following Certificate Validation options are available:

  • On: Performs TLS validation when connecting to the service. Select this option when you connect to a service that has a certificate issued from a valid certificate authority. This setting is enabled by default.
  • Off: Skips server certificate validation and allows initiation of the connection without validation.

Value processors

You can define value processors to transform data returned by the HTTP service. For more information, see Processors.