---
title: "User Access Token"
slug: "user-access-token"
updated: 2026-03-22T16:44:26Z
published: 2026-03-22T16:44:26Z
stale: true
---
> ## Documentation Index
> Fetch the complete documentation index at: https://docs.plainid.io/llms.txt
> Use this file to discover all available pages before exploring further.
# User Access Token
Post/api/runtime/token/v3
The User Access Token API call is an open-ended question for a specific user, returning the list of allowed Assets and their associated actions for a specific application. The API presents a generic request based primarily on the Identity and will return all requested Assets and Actions that are configured for this user in a single token. This API enables the scope to cache the list of authorized Assets for a user within the Application session, thus reducing the overall performance involved in enforcing access.
### Notice
When accessing the Authorization APIs, the URL base/prefix, according to your PlainID PDP Location**United States Cloud PDP** - `https://tenant-name.us1.plainid.io`**Canadian Cloud PDP** - `https://tenant-name.ca1.plainid.io`**European Cloud PDP** - `https://tenant-name.eu1.plainid.io`
For more information on which Asset Types to use with your PAA or Cloud PDP, refer to [Managing Asset Types](https://docs.plainid.io/docs/managing-asset-types).
### Important note about headers
Refer to the headers below to modify your cURL sample. Check if the following headers are in the sample, if not, ensure you add it to your cURL sample before pasting into your API tool.
### Headers
*Required
| Header | Value | cURL Line |
| --- | --- | --- |
| Accept | `application/json` | `'accept: application/json'` |
| Content-Type | `application/json` | `'content-type: application/json'` |
### cURL Sample Guidelines
In order for the relevant parameters to appear in the cURL sample, you can input the values in the interactive API console on the right under the Try It\* or the Code Sample tabs. They will then appear in the cURL sample in the correct format to use in your API tool. *\*Try It function coming soon.*
Header parametersX-Client-Idstring
Client ID of the Scope The clientId is **required**, ensure that it is defined either in the header as `X-Client-Id` or in the body as `clientId`.
X-Client-Secretstring
Client Secret ID of the Scope. You can also authenticate with an Authorization Token (in your API tool). Note that the X-Client-Id is still required, whether in the header or the body. Refer to [Setting up an Authentication Method](https://docs.plainid.io/v1/docs/managing-scope-authentication#setting-up-an-authentication-method-in-the-scope) for more information.
Body parametersUser Access Token
```json
{
"entityId": "angela_bell",
"clientId": "[ClientID]",
"clientSecret": "[ClientSecret]",
"entityTypeId": "Application_Users",
"assetList": [
{
"template": "Orders",
"path": "/orders",
"assetAttributes": {
"order_type": [
"credit card"
],
"customer_type": [
"private"
]
}
}
],
"entityAttributes": {
"region": [
"US"
]
},
"contextData": {
"branch_id": [
512
]
},
"environment": {
"code": [
"T221"
]
},
"additionalIdentities": [
{
"entityId": "agentA",
"entityTypeId": "Agents",
"entityAttributes": {
"agent_classification": [
"Sensitive"
]
}
},
{
"entityId": "appA",
"entityTypeId": "Applications",
"entityAttributes": {
"app_classification": [
"Confidential"
]
}
}
],
"remoteIp": "192.168.0.1",
"timeZoneOffset": 0.0,
"resourceTypes": [
{
"name": "resource_01_name",
"attributeList": [
"price",
"color"
],
"actions": [
"edit",
"view"
]
}
],
"includeContext": false,
"includeAccessPolicy": false,
"includeAccessPolicyId": false,
"includeAssetAttributes": false,
"includeIdentity": false,
"accessTokenFormat": "JSON",
"useCache": true,
"combinedMultiValue": false,
"assetContext": [
{
"key": "",
"resourceType": "Account",
"path": "",
"action": "ACCESS",
"assetAttributes": {
"accountCategory": [
"Premium"
]
}
}
],
"useOptimizedAssetContextResponse": false,
"operationalFilters": [
{
"filterType": "identitySourcesFilterByIDs",
"filterProperties": {
"filterAction": "INCLUDE",
"objectsList": [
"sourceID_123",
"sourceID_456"
]
}
},
{
"filterType": "identitySourcesFilterByIDs",
"filterProperties": {
"filterAction": "EXCLUDE",
"objectsList": [
"sourceID_789"
]
}
}
],
"skipUnneededOrUnavailableIdentitySources": false,
"includePartialIdentitySourcesIndication": false,
"failOnCalculatedAttributesErrors": true
}
```
Expand Allobject entityIdstring Required
Unique identifier of the Identity
Min length1
clientIdstring Required
Client ID of the Scope The Client ID is **required**, ensure that it is defined either in the header as `X-Client-Id` or in the body as `clientId`.
Min length1
clientSecretstring
Client Secret ID of the Scope. You can also authenticate with an Authorization Token (in your API tool). Note that the X-Client-Id is still required, whether in the header or the body. Refer to [Setting up an Authentication Method](https://docs.plainid.io/v1/docs/managing-scope-authentication#setting-up-an-authentication-method-in-the-scope) for more information.
Min length1
entityTypeIdstring
Identity Template ID
Min length1
entityAttributesobject
List of Identity Attributes and their values.
If not defined, Dynamic groups based on virtual attributes will not be considered in the Access Decision.
string Array
contextDataobject
Identity Context data for this request.
When specifying this parameter, you are requesting information based on a specific parameter and its value.
For example, Location where the contextData equals a specific branch.
If not defined, Dynamic groups based on context data will not be considered in the Access Decision.
string Array
environmentobject
Environmental parameters need to be defined in policies as request. (in Asset rules or Conditions) and also sent in the authorization request. Only the Assets that match what will be sent in the request will come back.
If not defined, parametes based on emviromental data will not be considered in the Access Decision.
string Array
additionalIdentities Array of object
A list of additional Identities to be considered in the Access Decision. If all identities are defined in this parameter, the root-level `entityId`, `entityTypeId`, and `entityAttributes` parameters can be omitted.
object entityIdstring
Unique identifier of the Identity (e.g. UID)
entityTypeIdstring
Identity Template ID
entityAttributesobject
List of Identity Attributes and their values.
string Array
remoteIpstring (ipv4)
IP address to be used when validating a Policy. Ensure that your IP Ranges are correct based on an [IP calculator](https://www.ipaddressguide.com/cidr).
If not defined, the IP considered in the calculation is taken from the X-Forwarded-For (Request header).
Min length1
timeZoneOffsetnumber
To define the offset from UTC time zone. Used in Time Condition.
Default0.0Example-12.0
assetList Array of object
Contains a list of the Asset's unique identifier and attributes
object templatestring
Asset Template ID
pathstring
Asset Unique Identifier
assetAttributesobject attribute_1 Array of string string
attribute_2 Array of string string
resourceTypes Array of object
This parameter enables you to decrease the payload size by including a list of Asset Types, their Attributes, and/or associated Actions, which also return in the response. If not specified, all resources from all Resource Types will be included. Ensure you are sending either `resourceTypes` or `allResourceTypes` in the request. Sending both will result in an error.
object namestring Required
The name of the Resource Type is the Asset Template ID. This can be found in the Asset Type Settings.
attributeList Array of string
A list of Attributes. This can be found in the Asset Type Settings. The list of Attributes are applied on each resourceType in the request, and if applicable, will be part of the response. If no Attributes are specified, Attributes are ***not*** included in the response,. Ensure that the `includeAssetAttributes` parameter is set to `true` for the `attributeList` parameter to work. If set to `false`, Attributes are not returned.
string
actions Array of string
The name of the Action/s. This can be found in the Asset Type Settings. The list of Actions are applied on each `resourceType` in the request, and if applicable, will be part of the response. If no Actions are specified, all Actions for each `resourceType` are included in the response.
string
allResourceTypesobject (allResourceTypesInput)
This parameter enables you to decrease the payload size by including a list of Asset Types, their Attributes, and/or associated Actions, which also return in the response. If not specified, all resources from all Resource Types will be included. Ensure you are sending either `allResourceTypes` or `resourceTypes` in the request. Sending both will result in an error.
attributeList Array of string
A list of Attributes. This can be found in the Asset Type Settings. The list of Attributes are applied on each `resourceType` in the request, and if applicable, will be part of the response. If no Attributes are specified, all Attributes for each resourceType are included in the response. Ensure that the `includeAssetAttributes` parameter is set to `true` for the `attributeList` parameter to work. If set to `false`, Attributes are not returned.
string
actions Array of string
The name of the Action/s. This can be found in the Asset Type Settings. The list of Actions are applied on each `resourceType` in the request, and if applicable, will be part of the response. If no Actions are specified, all Actions for each `resourceType` are included in the response.
string
includeContextboolean
Show/hide the context data in the response.
Defaultfalse
includeAccessPolicyboolean
Show/hide the name of the Policy in the response that has granted the specified access.
Defaultfalse
includeAccessPolicyIdboolean
Show/hide the external id of the Policy in the response that granted the specified access.
Defaultfalse
includeAssetAttributesboolean
Show/hide the Asset Attribute of the Assets in the response. If using the `attributeList` in the `resourceType` or `allResourceTypes` parameters, ensure that this parameter is set to `true`.
Defaultfalse
includeIdentityboolean
Show/hide the Identity Attribute of the Identity in the response.
Defaultfalse
accessTokenFormatstring
Determines the format of the response – whether `JSON`, `JWT`, or `StandardJWT`.
Default"JSON/JWT"
useCacheboolean
The Attribute will determine if the response will consider the cache settings or override the cache and preforming full calculation.
Defaulttrue
combinedMultiValueboolean
Determines the evaluation of Identity Attributes relationship in access decision.
Defaultfalse
assetContext Array of object (assetContextRequestItem)
Specifies contextual asset data (e.g., resourceType, path, action) to refine authorization decisions based on asset relationships and classifications.See our article on [Working with Asset Context](https://docs.plainid.io/apidocs/working-with-assetcontext) for more information.
object keystring
An auto-generated key to set the correlation between the requested object and the response object (optional). When working with a single assetContext object, use the “singleObjectResponse” value to align to the original structure response.
resourceTypestring Required
pathstring
actionstring
assetAttributesobject attribute_1 Array of string string
attribute_2 Array of string string
useOptimizedAssetContextResponseboolean
Determines the Asset Context response structure. See our article on [Working with Asset Context](https://docs.plainid.io/apidocs/working-with-assetcontext) for more information.
Defaultfalse
operationalFilters Array of object
These operational filters should affect the Runtime behavior and results by applying additional filtering which is not directly related to Authorization logic.
object #content#OneOfidentitySourcesFilterByIDsobject (identitySourcesFilterByIDs)filterTypestring Required
filterPropertiesobject filterActionstring RequiredValid values[
"INCLUDE",
"EXCLUDE"
]
objectsList Array of string Requiredstring
Input your sourceID/s here. For information on the sourceID parameter and where to locate it, check out [Managing Attribute Sources](https://docs.plainid.io/v1/docs/managing-attribute-sources) in the PlainID documentation.
skipUnneededOrUnavailableIdentitySourcesboolean
The Attribute will determine if the calculation will skip unneeded or unavailable Identity sources. Refer to the [Authorization API](https://docs.plainid.io/v1-api/apidocs/authorization-apis) article for more information.
Defaultfalse
includePartialIdentitySourcesIndicationboolean
Show/hide additionalResponseInfo in the response.
Defaultfalse
failOnCalculatedAttributesErrorsboolean
Fail request when Attribute calculation fails.
Defaulttrue
includeTotalCounterboolean
Indicates whether a counter of the total authorized resources will be added to the response
Defaultfalse
includeDetailedCountersboolean
Indicates whether the response includes a detailed counters object, showing the total number of resources for the specified ResourceType, broken down by action.
Defaultfalse
includeResponseDataboolean
Required if `includeDetailedCounters` is true. If `includeResponseData` is true, it returns Response Data. If false, it returns a response with counters only.
Defaulttrue
Responses200Default Response
```json
{
"tokenValidity": 0,
"response": [
{
"access": [
{
"path": "27iX3j",
"attributes": {
"Path": [
"27iX3j"
],
"Account Type": [
"private"
],
"Account Branch": [
"San Jose"
]
},
"resourceType": "Bank Accounts",
"actions": [
{
"action": "View"
}
]
},
{
"path": "72xQ9i",
"attributes": {
"Path": [
"72xQ9i"
],
"Account Type": [
"private"
],
"Account Branch": [
"San Jose"
]
},
"resourceType": "Bank Accounts",
"actions": [
{
"action": "View"
}
]
},
{
"path": "05mZ1f",
"attributes": {
"Path": [
"05mZ1f"
],
"Account Type": [
"private"
],
"Account Branch": [
"San Jose"
]
},
"resourceType": "Bank Accounts",
"actions": [
{
"action": "View"
}
]
}
]
}
],
"contextData": {
"attribute": [
"ex1",
"ex2"
]
}
}
```
includeAccessPolicy
```json
{
"tokenValidity": 0,
"response": [
{
"access": [
{
"path": "27iX3j",
"attributes": {
"Path": [
"27iX3j"
],
"Account Type": [
"private"
],
"Account Branch": [
"San Jose"
]
},
"resourceType": "Bank Accounts",
"actions": [
{
"permission": "Manage consumers accounts in branch",
"permissionId": "p1",
"action": "View"
}
]
},
{
"path": "72xQ9i",
"attributes": {
"Path": [
"72xQ9i"
],
"Account Type": [
"private"
],
"Account Branch": [
"San Jose"
]
},
"resourceType": "Bank Accounts",
"actions": [
{
"permission": "Manage consumers accounts in branch",
"permissionId": "p1",
"action": "View"
}
]
},
{
"path": "05mZ1f",
"attributes": {
"Path": [
"05mZ1f"
],
"Account Type": [
"private"
],
"Account Branch": [
"San Jose"
]
},
"resourceType": "Bank Accounts",
"actions": [
{
"permission": "Manage consumers accounts in branch",
"permissionId": "p1",
"action": "View"
}
]
}
]
}
],
"contextData": null
}
```
includeAssetAttributes - False
```json
{
"tokenValidity": 0,
"response": [
{
"access": [
{
"path": "27iX3j",
"resourceType": "Bank Accounts",
"actions": [
{
"action": "View"
}
]
},
{
"path": "72xQ9i",
"resourceType": "Bank Accounts",
"actions": [
{
"action": "View"
}
]
},
{
"path": "05mZ1f",
"resourceType": "Bank Accounts",
"actions": [
{
"action": "View"
}
]
}
]
}
],
"contextData": null
}
```
includeIdentity
```json
{
"tokenValidity": 0,
"response": [
{
"access": [
{
"path": "27iX3j",
"attributes": {
"Path": [
"27iX3j"
],
"Account Type": [
"private"
],
"Account Branch": [
"San Jose"
]
},
"resourceType": "Bank Accounts",
"actions": [
{
"action": "View"
}
]
},
{
"path": "72xQ9i",
"attributes": {
"Path": [
"72xQ9i"
],
"Account Type": [
"private"
],
"Account Branch": [
"San Jose"
]
},
"resourceType": "Bank Accounts",
"actions": [
{
"action": "View"
}
]
},
{
"path": "05mZ1f",
"attributes": {
"Path": [
"05mZ1f"
],
"Account Type": [
"private"
],
"Account Branch": [
"San Jose"
]
},
"resourceType": "Bank Accounts",
"actions": [
{
"action": "View"
}
]
}
]
}
],
"identity": {
"type": "02a89b66-0a15-4b8e-be6d-84cb99da9b13",
"typeName": "User",
"attributes": {
"First_Name": [
"Araldo"
],
"uid": [
"xB724129"
],
"User_Branch": [
"San Jose"
],
"Last_Name": [
"Baudou"
],
"ID": [
"xB724129"
],
"title": [
"Teller"
],
"User_Type": [
"Internal"
]
}
},
"contextData": null
}
```
includeContext
```json
{
"tokenValidity": 0,
"response": [
{
"access": [
{
"path": "27iX3j",
"attributes": {
"Path": [
"27iX3j"
],
"Account Type": [
"private"
],
"Account Branch": [
"San Jose"
]
},
"resourceType": "Bank Accounts",
"actions": [
{
"action": "View"
}
]
},
{
"path": "72xQ9i",
"attributes": {
"Path": [
"72xQ9i"
],
"Account Type": [
"private"
],
"Account Branch": [
"San Jose"
]
},
"resourceType": "Bank Accounts",
"actions": [
{
"action": "View"
}
]
},
{
"path": "05mZ1f",
"attributes": {
"Path": [
"05mZ1f"
],
"Account Type": [
"private"
],
"Account Branch": [
"San Jose"
]
},
"resourceType": "Bank Accounts",
"actions": [
{
"action": "View"
}
]
}
]
}
],
"contextData": {
"partner_id": "724f9f9b-af24-42fc-b97d-b399042ef00d"
}
}
```
Expand AllAnyOftokenResponseobject (tokenResponse)tokenValidityinteger
response Array of object object access Array of object object pathstring
attributesobject
resourceTypestring
actions Array of object object actionstring
permissionstring
permissionIdstring
permissionMetadataobject (permissionMetadata)
Additional response metadata. This response is only returned when the `includeAccessPolicy` is set to true, and when the `permissionMetadata` object contains one or more properties.
countersobject
Access token response authorized resources counters
totalAuthorizedResourcesinteger
Total count of authorized resources
byResourceType Array of object
An array of counters for each resource type
object resourceTypestring
Resource type name
totalinteger
A counter for resource type
byActions Array of object
An array of counters for each resource type action
object actionstring
Resource type action name
countinteger
A counter for resource type action
contextDataobject attribute Array of string string
identityobject (identityResponse) typestring
typeNamestring
attributesobject
additionalIdentities Array of object (identityResponse) object typestring
typeNamestring
attributesobject
additionalResponseInfoobject (additionalResponseInfoResponse) identitySourcesobject skipped Array of object (identitySourceInfo) object sourceIdstring
sourceNamestring
messagestring
attributes Array of string string
failed Array of object (identitySourceInfo) object sourceIdstring
sourceNamestring
messagestring
attributes Array of string string
assetContextTokenResponseobject (assetContextTokenResponse)data Array of object object assetContextobject AnyOfassetContextResponseItemobject (assetContextResponseItem)
assetContextMergedResponseItemobject (assetContextMergedResponseItem)resources Array of object (assetContextResponseItem) object AnyOfobjectobjectkeystring
An auto-generated key to set the correlation between the requested object and the response object (optional). When working with a single assetContext object, use the “singleObjectResponse” value to align to the original structure response.
objectobjectresourceTypestring
pathstring
actionstring
assetAttributesobject attribute_1 Array of string string
attribute_2 Array of string string
outputobject accessResponseobject (tokenResponse) tokenValidityinteger
response Array of object object access Array of object object pathstring
attributesobject
resourceTypestring
actions Array of object object actionstring
permissionstring
permissionIdstring
permissionMetadataobject (permissionMetadata)
Additional response metadata. This response is only returned when the `includeAccessPolicy` is set to true, and when the `permissionMetadata` object contains one or more properties.
countersobject
Access token response authorized resources counters
totalAuthorizedResourcesinteger
Total count of authorized resources
byResourceType Array of object
An array of counters for each resource type
object resourceTypestring
Resource type name
totalinteger
A counter for resource type
byActions Array of object
An array of counters for each resource type action
object actionstring
Resource type action name
countinteger
A counter for resource type action
contextDataobject attribute Array of string string
identityobject (identityResponse) typestring
typeNamestring
attributesobject
additionalIdentities Array of object (identityResponse) object typestring
typeNamestring
attributesobject
additionalResponseInfoobject (additionalResponseInfoResponse) identitySourcesobject skipped Array of object (identitySourceInfo) object sourceIdstring
sourceNamestring
messagestring
attributes Array of string string
failed Array of object (identitySourceInfo) object sourceIdstring
sourceNamestring
messagestring
attributes Array of string string
errorstring
400
Bad Request
400 Bad Request
```json
{
"bank_users1 is not a valid identity type": null
}
```
object
401
Unauthorized
401 Unauthorized - MissingSecret
```json
{
"Missing secret": null
}
```
object
403
Forbidden
403 Forbidden - InvalidSecret
```json
{
"Invalid secret": null
}
```
object
500
Internal Server Error
500 - Request
```json
{
"Asset provider is missing in config": "Accounts"
}
```
object
501
Example response
generic_error_skeleton
```json
{
"errors": [
{
"id": "XXXX",
"code": "YYYY",
"name": "ZZZZ",
"message": "Invalid request"
}
]
}
```
Expand Allobject errors Array of object (GenericError) Min items1object idstring Min length1
codestring Min length1
namestring Min length1
messagestring Min length1