The User Access Token API call is an open-ended question for a specific user, returning the list of allowed Assets and their associated actions for a specific application. The API presents a generic request based primarily on the Identity and will return all requested Assets and Actions that are configured for this user in a single token. This API enables the scope to cache the list of authorized Assets for a user within the Application session, thus reducing the overall performance involved in enforcing access.
Notice
When accessing the Authorization APIs, the URL base/prefix, according to your PlainID PDP LocationFor more information on which Asset Types to use with your PAA or Cloud PDP, refer to Managing Asset Types.
Important note about headers
Refer to the headers below to modify your cURL sample. Check if the following headers are in the sample, if not, ensure you add it to your cURL sample before pasting into your API tool.
Headers
*Required| Header | Value | cURL Line |
|---|---|---|
| Content-Type | `application/json` | `-H 'Content-Type: application/json' ` |
cURL Sample Guidelines
In order for the relevant parameters to appear in the cURL sample, you can input the values in the interactive API console on the right. They will then appear in the cURL sample on the bottom of the page in the correct format.
Client ID of the Scope
The clientId is required, ensure that it is defined either in the header as X-Client-Id or in the body as clientId.
Client Secret ID of the Scope.
You can also authenticate with an Authorization Token (in your API tool). Note that the X-Client-Id is still required, whether in the header or the body. Refer to Setting up an Authentication Method for more information.
{
"entityId": "angela_bell",
"clientId": "[ClientID]",
"clientSecret": "[ClientSecret]",
"entityTypeId": "Application_Users",
"assetList": [
{
"template": "Orders",
"path": "/orders",
"assetAttributes": {
"order_type": [
"credit card"
],
"customer_type": [
"private"
]
}
}
],
"entityAttributes": {
"region": [
"US"
]
},
"contextData": {
"branch_id": [
"512"
]
},
"environment": {
"code": [
"T221"
]
},
"remoteIp": "192.168.0.1",
"timeZoneOffset": 0.0,
"resourceTypes": [
{
"name": "resource_01_name",
"attributeList": [
"price",
"color"
],
"actions": [
"edit",
"view"
]
}
],
"includeContext": false,
"includeAccessPolicy": false,
"includeAccessPolicyId": false,
"includeAssetAttributes": false,
"includeIdentity": false,
"accessTokenFormat": "JSON",
"useCache": true,
"combinedMultiValue": false,
"assetContext": [
{
"key": "",
"resourceType": "Account",
"path": "",
"action": "ACCESS",
"assetAttributes": {
"accountCategory": [
"Premium"
]
}
}
],
"useOptimizedAssetContextResponse": false,
"operationalFilters": [
{
"filterType": "identitySourcesFilterByIDs",
"filterProperties": {
"filterAction": "INCLUDE",
"objectsList": [
"sourceID_123",
"sourceID_456"
]
}
},
{
"filterType": "identitySourcesFilterByIDs",
"filterProperties": {
"filterAction": "EXCLUDE",
"objectsList": [
"sourceID_789"
]
}
}
],
"skipUnneededOrUnavailableIdentitySources": false,
"includePartialIdentitySourcesIndication": false,
"failOnCalculatedAttributesErrors": true
}Unique identifier of the Identity
Client ID of the Scope
The Client ID is required, ensure that it is defined either in the header as X-Client-Id or in the body as clientId.
Client Secret ID of the Scope.
You can also authenticate with an Authorization Token (in your API tool). Note that the X-Client-Id is still required, whether in the header or the body. Refer to Setting up an Authentication Method for more information.
Identity Template ID
List of Identity Attributes and their values.
If not defined, Dynamic groups based on virtual attributes will not be considered in the Access Decision.
Identity Context data for this request.
When specifying this parameter, you are requesting information based on a specific parameter and its value.
For example, Location where the contextData equals a specific branch.
If not defined, Dynamic groups based on context data will not be considered in the Access Decision.
Environmental parameters need to be defined in policies as request.
If not defined, parametes based on emviromental data will not be considered in the Access Decision.
IP address to be used when validating a Policy. Ensure that your IP Ranges are correct based on an IP calculator.
If not defined, the IP considered in the calculation is taken from the X-Forwarded-For (Request header).
To define the offset from UTC time zone. Used in Time Condition.
Contains a list of the Asset's unique identifier and attributes
Asset Template ID
Asset Unique Identifier
This parameter enables you to decrease the payload size by including a list of Asset Types, their Attributes, and/or associated Actions, which also return in the response. If not specified, all resources from all Resource Types will be included. Ensure you are sending either resourceTypes or allResourceTypes in the request. Sending both will result in an error.
The name of the Resource Type is the Asset Template ID. This can be found in the Asset Type Settings.
A list of Attributes. This can be found in the Asset Type Settings. The list of Attributes are applied on each resourceType in the request, and if applicable, will be part of the response. If no Attributes are specified, Attributes are not included in the response,.
Ensure that the includeAssetAttributes parameter is set to true for the attributeList parameter to work. If set to false, Attributes are not returned.
The name of the Action/s. This can be found in the Asset Type Settings. The list of Actions are applied on each resourceType in the request, and if applicable, will be part of the response. If no Actions are specified, all Actions for each resourceType are included in the response.
This parameter enables you to decrease the payload size by including a list of Asset Types, their Attributes, and/or associated Actions, which also return in the response. If not specified, all resources from all Resource Types will be included. Ensure you are sending either allResourceTypes or resourceTypes in the request. Sending both will result in an error.
A list of Attributes. This can be found in the Asset Type Settings. The list of Attributes are applied on each resourceType in the request, and if applicable, will be part of the response. If no Attributes are specified, all Attributes for each resourceType are included in the response.
Ensure that the includeAssetAttributes parameter is set to true for the attributeList parameter to work. If set to false, Attributes are not returned.
The name of the Action/s. This can be found in the Asset Type Settings. The list of Actions are applied on each resourceType in the request, and if applicable, will be part of the response. If no Actions are specified, all Actions for each resourceType are included in the response.
Show/hide the context data in the response.
Show/hide the name of the Policy in the response that has granted the specified access.
Show/hide the external id of the Policy in the response that granted the specified access.
Show/hide the Asset Attribute of the Assets in the response. If using the attributeList in the resourceType or allResourceTypes parameters, ensure that this parameter is set to true.
Show/hide the Identity Attribute of the Identity in the response.
Determines the format of the response – whether JSON, JWT, or StandardJWT.
The Attribute will determine if the response will consider the cache settings or override the cache and preforming full calculation.
Determines the evaluation of Identity Attributes relationship in access decision.
Specifies contextual asset data (e.g., resourceType, path, action) to refine authorization decisions based on asset relationships and classifications.See our article on Working with Asset Context for more information.
An auto-generated key to set the correlation between the requested object and the response object (optional). When working with a single assetContext object, use the “singleObjectResponse” value to align to the original structure response.
Determines the Asset Context response structure. See our article on Working with Asset Context for more information.
These operational filters should affect the Runtime behavior and results by applying additional filtering which is not directly related to Authorization logic.
Input your sourceID/s here. For information on the sourceID parameter and where to locate it, check out Managing Attribute Sources in the PlainID documentation.
The Attribute will determine if the calculation will skip unneeded or unavailable Identity sources. Refer to the Authorization API article for more information.
Show/hide additionalResponseInfo in the response.
Fail request when Attribute calculation fails.
Indicates whether a counter of the total authorized resources will be added to the response
Indicates whether the response includes a detailed counters object, showing the total number of resources for the specified ResourceType, broken down by action.
Required if includeDetailedCounters is true. If includeResponseData is true, it returns Response Data. If false, it returns a response with counters only.
{
"tokenValidity": 0,
"response": [
{
"access": [
{
"path": "27iX3j",
"attributes": {
"Path": [
"27iX3j"
],
"Account Type": [
"private"
],
"Account Branch": [
"San Jose"
]
},
"resourceType": "Bank Accounts",
"actions": [
{
"action": "View"
}
]
},
{
"path": "72xQ9i",
"attributes": {
"Path": [
"72xQ9i"
],
"Account Type": [
"private"
],
"Account Branch": [
"San Jose"
]
},
"resourceType": "Bank Accounts",
"actions": [
{
"action": "View"
}
]
},
{
"path": "05mZ1f",
"attributes": {
"Path": [
"05mZ1f"
],
"Account Type": [
"private"
],
"Account Branch": [
"San Jose"
]
},
"resourceType": "Bank Accounts",
"actions": [
{
"action": "View"
}
]
}
]
}
],
"contextData": null
}{
"tokenValidity": 0,
"response": [
{
"access": [
{
"path": "27iX3j",
"attributes": {
"Path": [
"27iX3j"
],
"Account Type": [
"private"
],
"Account Branch": [
"San Jose"
]
},
"resourceType": "Bank Accounts",
"actions": [
{
"permission": "Manage consumers accounts in branch",
"permissionId": "p1",
"action": "View"
}
]
},
{
"path": "72xQ9i",
"attributes": {
"Path": [
"72xQ9i"
],
"Account Type": [
"private"
],
"Account Branch": [
"San Jose"
]
},
"resourceType": "Bank Accounts",
"actions": [
{
"permission": "Manage consumers accounts in branch",
"permissionId": "p1",
"action": "View"
}
]
},
{
"path": "05mZ1f",
"attributes": {
"Path": [
"05mZ1f"
],
"Account Type": [
"private"
],
"Account Branch": [
"San Jose"
]
},
"resourceType": "Bank Accounts",
"actions": [
{
"permission": "Manage consumers accounts in branch",
"permissionId": "p1",
"action": "View"
}
]
}
]
}
],
"contextData": null
}{
"tokenValidity": 0,
"response": [
{
"access": [
{
"path": "27iX3j",
"resourceType": "Bank Accounts",
"actions": [
{
"action": "View"
}
]
},
{
"path": "72xQ9i",
"resourceType": "Bank Accounts",
"actions": [
{
"action": "View"
}
]
},
{
"path": "05mZ1f",
"resourceType": "Bank Accounts",
"actions": [
{
"action": "View"
}
]
}
]
}
],
"contextData": null
}{
"tokenValidity": 0,
"response": [
{
"access": [
{
"path": "27iX3j",
"attributes": {
"Path": [
"27iX3j"
],
"Account Type": [
"private"
],
"Account Branch": [
"San Jose"
]
},
"resourceType": "Bank Accounts",
"actions": [
{
"action": "View"
}
]
},
{
"path": "72xQ9i",
"attributes": {
"Path": [
"72xQ9i"
],
"Account Type": [
"private"
],
"Account Branch": [
"San Jose"
]
},
"resourceType": "Bank Accounts",
"actions": [
{
"action": "View"
}
]
},
{
"path": "05mZ1f",
"attributes": {
"Path": [
"05mZ1f"
],
"Account Type": [
"private"
],
"Account Branch": [
"San Jose"
]
},
"resourceType": "Bank Accounts",
"actions": [
{
"action": "View"
}
]
}
]
}
],
"identity": {
"type": "02a89b66-0a15-4b8e-be6d-84cb99da9b13",
"typeName": "User",
"attributes": {
"First_Name": [
"Araldo"
],
"uid": [
"xB724129"
],
"User_Branch": [
"San Jose"
],
"Last_Name": [
"Baudou"
],
"ID": [
"xB724129"
],
"title": [
"Teller"
],
"User_Type": [
"Internal"
]
}
},
"contextData": null
}{
"tokenValidity": 0,
"response": [
{
"access": [
{
"path": "27iX3j",
"attributes": {
"Path": [
"27iX3j"
],
"Account Type": [
"private"
],
"Account Branch": [
"San Jose"
]
},
"resourceType": "Bank Accounts",
"actions": [
{
"action": "View"
}
]
},
{
"path": "72xQ9i",
"attributes": {
"Path": [
"72xQ9i"
],
"Account Type": [
"private"
],
"Account Branch": [
"San Jose"
]
},
"resourceType": "Bank Accounts",
"actions": [
{
"action": "View"
}
]
},
{
"path": "05mZ1f",
"attributes": {
"Path": [
"05mZ1f"
],
"Account Type": [
"private"
],
"Account Branch": [
"San Jose"
]
},
"resourceType": "Bank Accounts",
"actions": [
{
"action": "View"
}
]
}
]
}
],
"contextData": {
"partner_id": "724f9f9b-af24-42fc-b97d-b399042ef00d"
}
}Additional response metadata. This response is only returned when the includeAccessPolicy is set to true, and when the permissionMetadata object contains one or more properties.
Access token response authorized resources counters
Total count of authorized resources
An array of counters for each resource type
Resource type name
A counter for resource type
An array of counters for each resource type action
Resource type action name
A counter for resource type action
An auto-generated key to set the correlation between the requested object and the response object (optional). When working with a single assetContext object, use the “singleObjectResponse” value to align to the original structure response.
Additional response metadata. This response is only returned when the includeAccessPolicy is set to true, and when the permissionMetadata object contains one or more properties.
Access token response authorized resources counters
Total count of authorized resources
An array of counters for each resource type
Resource type name
A counter for resource type
An array of counters for each resource type action
Resource type action name
A counter for resource type action
Bad Request
{
"bank_users1 is not a valid identity type": null
}Unauthorized
{
"Missing secret": null
}Forbidden
{
"Invalid secret": null
}Internal Server Error
{
"Asset provider is missing in config": "Accounts"
}Example response
{
"errors": [
{
"id": "XXXX",
"code": "YYYY",
"message": "Invalid request"
}
]
}