--- title: OpenID Connect/OAuth 2 APIs description: PingOne integrates with applications that use standards-compliant protocols by taking on the role of an OpenID Connect provider and OAuth 2 authorization server. In this capacity, PingOne provides the framework for connected applications to access protected HTTP resources. For more information about OpenID Connect and OAuth 2, refer to the OpenID Connect 1.0 spec and the OAuth 2.0 Authorization Framework RFC6749. component: pingone-api page_id: pingone-api:foundations:auth-apis-overview/openid-connect-oauth-2 canonical_url: https://developer.pingidentity.com/pingone-api/foundations/auth-apis-overview/openid-connect-oauth-2.html section_ids: authorize-endpoints: Authorize endpoints token-endpoints: Token endpoints pushed-authorization-request-par-endpoints: Pushed Authorization Request (PAR) endpoints --- # OpenID Connect/OAuth 2 APIs PingOne integrates with applications that use standards-compliant protocols by taking on the role of an OpenID Connect provider and OAuth 2 authorization server. In this capacity, PingOne provides the framework for connected applications to access protected HTTP resources. For more information about OpenID Connect and OAuth 2, refer to the [OpenID Connect 1.0](https://openid.net/specs/openid-connect-core-1_0.html) spec and the [OAuth 2.0 Authorization Framework RFC6749](https://tools.ietf.org/html/rfc6749). ## Authorize endpoints The authorize endpoints support the following actions: * The authorize endpoint `/{{envID}}/as/authorize` is used to interact with the end user and obtain an authorization grant. Note that PingOne supports both `GET` and `POST` operations for authorize requests. The supported parameters for an authorize request vary depending on the value of the `response_type` parameter (`code`, `token`, `id_token` or combinations of these three options). * For non-redirect flows, such as with native mobile apps in which the app renders the end user interface, `response_mode` property value is set to `pi.flow`. This setting allows the app to authenticate using the PingOne flows API without needing to handle HTTP redirections. The `pi.flow` value is also used with transaction approval use cases in which strong authentication is required for elevated security for a high-value transaction, or high-risk resource or service. For detailed information about OAuth endpoints from the *PingOne API Reference*, refer to [OpenID Connect/OAuth 2](../../auth/openid-connect-oauth-2.html). ## Token endpoints The token endpoints support the following actions: * The token endpoint `/{{envID}}/as/token` is used by the client to obtain an access token by presenting its authorization grant. * The token introspection endpoint `/{{envID}}/as/introspect` returns the active state of an OAuth 2.0 token and the claims specified in RFC 7662 Section 2.2. * The token revocation endpoint `{{envID}}/as/revoke` revokes the token specified in the request. This operation does not apply to the tokens issued for the PingOne API resource. For detailed information about the token endpoints from the *PingOne API Reference*, refer to [Token](../../auth/openid-connect-oauth-2/token-intro.html). ## Pushed Authorization Request (PAR) endpoints Applications can use a pushed authorization request (PAR) to send their authorization requests directly to PingOne without going through the browser, which safeguards sensitive data from end-user devices. With a PAR, an application can push an authorization request payload to PingOne with a direct back-channel request, which is a more secure method of sending sensitive data, such as personally identifiable information, than sending it with a browser on the front channel. The PAR endpoint accepts the same request parameters as `/{{envID}}/as/authorize`, as well as any additional parameters needed for client authentication. For detailed information about the PAR endpoints from the *PingOne API Reference*, refer to [Pushed Authorization Request](../../auth/openid-connect-oauth-2/par-intro.html).