PingOne Platform APIs

NONE (Public Client) Setup

Authentication requirements for the token endpoint are set by the application’s tokenEndpointAuthMethod property. When the application’s tokenEndpointAuthMethod is set to NONE, the request requires the client_id property value and does not require an Authorization header.

For a PKCE authorization request, the token request must include the code_verifier parameter:

curl -X POST \
  'https://auth.pingone.com/{{envID}}/as/token' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=authorization_code&code={{authCode}}&client_id={{appID}}&redirect_uri={{redirect_uri}}&code_verifier={{codeVerifier}}'

Key points

  • No client secret: a public client cannot store credentials securely

  • Application type: NATIVE_APP or SINGLE_PAGE_APP

  • MUST use PKCE (code_challenge/code_verifier)

  • pkceEnforcement: S256_REQUIRED enforces SHA-256 PKCE

  • Suitable for JavaScript apps, iOS/Android apps
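
How a public client can produce the PKCE values used in the requests above, as an added example that is not PingOne's own code: it generates a code_verifier, derives the S256 code_challenge, and builds the token request body with client_id and no secret. The function names are hypothetical, and it assumes Node.js with its built-in crypto module.

```javascript
// Added example (not from the PingOne docs). Function names are hypothetical.
const nodeCrypto = require('node:crypto');

// RFC 7636 section 4.1: 43 to 128 characters from the unreserved set.
const VERIFIER_RE = /^[A-Za-z0-9\-._~]{43,128}$/;

// 32 random bytes encode to a 43-character base64url verifier (no padding).
function generateCodeVerifier() {
  return nodeCrypto.randomBytes(32).toString('base64url');
}

// S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
function deriveCodeChallenge(codeVerifier) {
  if (!VERIFIER_RE.test(codeVerifier)) {
    throw new Error('code_verifier must be 43-128 unreserved characters');
  }
  return nodeCrypto.createHash('sha256').update(codeVerifier, 'ascii').digest('base64url');
}

// PKCE parameters sent with the authorization request. The verifier itself
// stays in the client until the token request.
function buildPkceAuthorizeParams(codeVerifier) {
  return {
    code_challenge: deriveCodeChallenge(codeVerifier),
    code_challenge_method: 'S256',
  };
}

// Form body for the token request: client_id travels in the body, and there
// is no Authorization header and no client_secret.
function buildTokenRequestBody({ authCode, appID, redirectUri, codeVerifier }) {
  return new URLSearchParams({
    grant_type: 'authorization_code',
    code: authCode,
    client_id: appID,
    redirect_uri: redirectUri,
    code_verifier: codeVerifier,
  }).toString();
}

// The check an authorization server performs at the token endpoint: recompute
// the challenge from the presented verifier and compare it with the stored one.
function verifierMatchesChallenge(codeVerifier, storedChallenge) {
  const computed = Buffer.from(deriveCodeChallenge(codeVerifier));
  const stored = Buffer.from(String(storedChallenge));
  return computed.length === stored.length && nodeCrypto.timingSafeEqual(computed, stored);
}
```

Generate a new verifier for every authorization request and keep it only until the token request for that code has been made.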

The following workflow shows the application configuration to complete a sign-on flow using the NONE client authentication method.