--- title: "User Access Token" slug: "user-access-token-1" updated: 2025-06-29T14:12:38Z published: 2025-07-08T10:10:03Z stale: true --- > ## Documentation Index > Fetch the complete documentation index at: https://docs.plainid.io/llms.txt > Use this file to discover all available pages before exploring further. # User Access Token Get/api/runtime/token/v3 The User Access Token API call is an open-ended question for a specific user, returning the list of allowed Assets and their associated actions for a specific application. The API presents a generic request based primarily on the Identity and will return all requested Assets and Actions that are configured for this user in a single token. This API enables the scope to cache the list of authorized Assets for a user within the Application session, thus reducing the overall performance involved in enforcing access. ### Notice When accessing the Authorization APIs, the URL base/prefix, according to your PlainID PDP Location**United States Cloud PDP** - `https://tenant-name.us1.plainid.io`**Canadian Cloud PDP** - `https://tenant-name.ca1.plainid.io`**European Cloud PDP** - `https://tenant-name.eu1.plainid.io`**Local PAA** - `https://your-paa.acme.local` For more information on which Asset Types to use with your PAA or Cloud PDP, refer to [Managing Asset Types](https://docs.plainid.io/docs/managing-asset-types). ### cURL Sample Guidelines In order for the relevant parameters to appear in the cURL sample, you can input the values in the interactive API console on the right under the Try It\* or the Code Sample tabs. They will then appear in the cURL sample in the correct format to use in your API tool. *\*Try It function coming soon.* Header parametersX-Client-Idstring Client ID of the Scope The clientId is **required**, ensure that it is defined either in the header as `X-Client-Id` or in the body as `clientId`. X-Client-Secretstring Client Secret ID of the Scope. You can also authenticate with an Authorization Token (in your API tool). Note that the X-Client-Id is still required, whether in the header or the body. Refer to [Setting up an Authentication Method](https://docs.plainid.io/v1/docs/managing-scope-authentication#setting-up-an-authentication-method-in-the-scope) for more information. Query parametersentityIdstring Unique identifier of the Identity clientIdstring Client ID of the Scope The Client ID is **required**, ensure that it is defined either in the header as `X-Client-Id` or in the body as `clientId`. clientSecretstring Client Secret ID of the Scope. You can also authenticate with an Authorization Token (in your API tool). Note that the X-Client-Id is still required, whether in the header or the body. Refer to [Setting up an Authentication Method](https://docs.plainid.io/v1/docs/managing-scope-authentication#setting-up-an-authentication-method-in-the-scope) for more information. entityTypeIdstring Identity Template ID remoteIPstring IP address to be used when validating a Policy. Ensure that your IP Ranges are correct based on an [IP calculator](https://www.ipaddressguide.com/cidr). If not defined, the IP considered in the calculation is taken from the X-Forwarded-For (Request header). includeIdentitystring Show/hide the Identity Attribute of the Identity in the response. includeAssetAttributesstring Show/hide the Asset Attribute of the Assets in the response. resourceTypesarray of Because the full payload of the response can be very large, this parameter enables you to decrease the payload size by including a list of Asset Types and their attributes, that will return in the response. If not specified, all resources from all resource types will be included. Responses200 OK 400 Bad Request 401 Unauthorized 403 Forbidden 404 Not Found 500 Internal Server Error 501 Not Implemented