---
title: Resource Attributes
description: PingOne access tokens are signed JWTs (JSON Web Tokens) that include identity claims about and attributes of the requestor, usually a user identity. The resource attributes service lets you customize the content of access tokens by adding custom attributes and their values. This is a great way to convey additional information about the user to applications. Custom attributes have a cumulative length constraint of 16 Kb. Refer to Custom attributes in Schemas for more information.
component: pingone-api
page_id: pingone-api:platform:resources/resource-attributes
canonical_url: https://developer.pingidentity.com/pingone-api/platform/resources/resource-attributes.html
section_ids:
  advanced-resource-attribute-mapping: Advanced resource attribute mapping
  resource-attributes-data-model: Resource attributes data model
  advanced-resource-attribute-mapping-events-generated: Advanced resource attribute mapping events generated
  response-codes: Response codes
---

# Resource Attributes

PingOne access tokens are signed JWTs (JSON Web Tokens) that include identity claims about and attributes of the requestor, usually a user identity. The resource attributes service lets you customize the content of access tokens by adding custom attributes and their values. This is a great way to convey additional information about the user to applications. Custom attributes have a cumulative length constraint of 16 Kb. Refer to [Custom attributes](../schemas.html) in Schemas for more information.

Resource attributes are essentially custom identity claims associated with a resource. For example, suppose the `clothing.preferences` resource with scope `sizes` provides "clothing size" user claims in the token. By default, the `sizes` scope does not include a t-shirt size user claim. To include the `user.tshirtSize` user attribute as a user claim in the token, a resource attribute entity can be created that associates the `tshirtSize` attribute with the `clothing.preferences` resource. Then, for token requests to `clothing.preferences` with scope `sizes`, the `tshirtSize` user claim is included in the token. If the attribute is `multiValued`, then the claim will be an array of values. The following diagram shows the workflow:

![Resource attributes custom identity claims](../../_images/p1_ResourceAttribute.svg)

For information about an access token's core claims, refer to [Access token claims](../../foundations/authentication-concepts/access-tokens-and-id-tokens.html). A token's core identity claims cannot be modified or deleted.

## Advanced resource attribute mapping

You can use PingOne's expression language for advanced attribute mappings of a custom resource or the OpenID Connect resource. The supported expression language is an augmentation of SpEL. SpEL is a powerful expression language used for querying and manipulating an object graph at runtime.

For more information about PingOne's expression language, refer to [PingOne's expression language](https://docs.pingidentity.com/pingone/pingone_expression_language/p1_expression_language.html).

## Resource attributes data model

| Property   | Type    | Required? | Mutable?  | Description                                                                                                                                                                                                                                                                                                                                                                                                       |
| ---------- | ------- | --------- | --------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `idToken`  | Boolean | Optional  | Mutable   | A boolean that specifies whether the attribute mapping should be available in the ID Token. This property is applicable only when the application's `protocol` property is `OPENID_CONNECT`. If omitted, the default is `true`. Note that the `idToken` and `userInfo` properties cannot both be set to `false`. At least one of these properties must have a value of `true`.                                    |
| `userInfo` | Boolean | Optional  | Mutable   | A boolean that specifies whether the attribute mapping should be available through the `/as/userinfo` endpoint. This property is applicable only when the application's `protocol` property is `OPENID_CONNECT`. If omitted, the default is `true`. Note that the `idToken` and `userInfo` properties cannot both be set to `false`. At least one of these properties must have a value of `true`.                |
| `name`     | String  | Required  | Mutable   | A string that specifies the name of the custom resource attribute to be included in the access token. The following are reserved names and cannot be used. These reserved names are applicable only when the resource's `type` property is `OPENID_CONNECT`: `acr`, `amr`, `aud`, `auth_time`, `client_id`, `env`, `exp`, `iat`, `iss`, `jti`, `org`, `p1.*` (any name starting with the `p1.` prefix), `scope`, `sid`, `sub`. |
| `required` | Boolean | Optional  | Mutable   | Indicates whether the attribute is required for the resource. Defaults to `false` if unspecified.                                                                                                                                                                                                                                                                                                                 |
| `type`     | String  | Optional  | Read-only | A string that specifies the type of resource attribute. Options are: `CORE`: The claim is required and cannot be removed. `CUSTOM`: The claim is not a `CORE` attribute. All created attributes are of this type. `PREDEFINED`: A designation for predefined OIDC resource attributes such as `given_name`. These attributes cannot be removed; however, they can be modified. |
| `value`    | String  | Required  | Mutable   | A string that specifies the value of the custom resource attribute. This value can be a placeholder that references an attribute in the user schema, expressed as `"${user.path.to.value}"`, or it can be a static string. Placeholders must be valid, enabled attributes in the environment's user schema. Examples of valid values are: `"${user.email}"`, `"${user.name.family}"`, and `"myClaimValueString"`. |
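
The constraints in the data model table above can be checked on a payload before it is sent, which also gives a reviewable list of the user attributes a mapping would expose in tokens. The following Python check is an added example, not PingOne code; the function name, the `enabled_user_attrs` argument and the sample payloads are assumptions, and it covers only simple `${user...}` placeholders, not expression-language mappings.

```python
import re

# Reserved claim names from the data model table above; they apply only
# when the resource's type is OPENID_CONNECT.
RESERVED_NAMES = {"acr", "amr", "aud", "auth_time", "client_id", "env", "exp",
                  "iat", "iss", "jti", "org", "scope", "sid", "sub"}
PLACEHOLDER = re.compile(r"\$\{([^}]*)\}")
USER_PATH = re.compile(r"user\.([A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*)$")


def check_resource_attribute(attr, resource_type, enabled_user_attrs):
    """Return a list of problems found in one resource attribute payload.

    enabled_user_attrs is an assumption of this example: the set of enabled
    attribute paths in the environment's user schema, supplied by the caller.
    """
    problems = []
    name, value = attr.get("name"), attr.get("value")
    if not isinstance(name, str) or not name:
        problems.append("name is required")
    elif resource_type == "OPENID_CONNECT" and (
            name in RESERVED_NAMES or name.startswith("p1.")):
        problems.append(f"name '{name}' is reserved")
    if not isinstance(value, str) or not value:
        problems.append("value is required")
    else:
        for inner in PLACEHOLDER.findall(value):
            m = USER_PATH.match(inner.strip())
            if m is None:
                problems.append(f"'${{{inner}}}' is not a simple user placeholder")
            elif m.group(1) not in enabled_user_attrs:
                problems.append(f"user attribute '{m.group(1)}' is not enabled in the schema")
    # idToken and userInfo both default to true; they cannot both be false.
    if attr.get("idToken", True) is False and attr.get("userInfo", True) is False:
        problems.append("idToken and userInfo cannot both be false")
    return problems


# Constructed sample data (not taken from a real environment).
SCHEMA = {"email", "name.family", "tshirtSize"}
GOOD = {"name": "tshirtSize", "value": "${user.tshirtSize}"}
BAD = {"name": "sub", "value": "${user.ssn}", "idToken": False, "userInfo": False}

if __name__ == "__main__":
    print(check_resource_attribute(GOOD, "OPENID_CONNECT", SCHEMA))
    for problem in check_resource_attribute(BAD, "OPENID_CONNECT", SCHEMA):
        print("-", problem)
```
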

## Advanced resource attribute mapping events generated

Refer to [Audit Reporting Events](../audit-activities.html#audit-reporting-events) for the events generated.

## Response codes

| Code | Message                                  |
| ---- | ---------------------------------------- |
| 200  | Successful operation.                    |
| 201  | Successfully created.                    |
| 204  | Successfully removed. No content.        |
| 400  | The request could not be completed.      |
| 401  | You do not have access to this resource. |
| 404  | The requested resource was not found.    |

> **Related topics**
>
> * [Access services through scopes and roles](../../foundations/pingone-roles-scopes-and-permissions/access-services-through-scopes-and-roles.html)
>
> * [Add a custom claim to an access token](../../workflow-library/introduction.html#add-a-custom-claim-to-an-access-token)
