
To achieve resource protection, the protection API offers three endpoints. Alice’s permission is required for the resource server to make calls to any of these; hence the resource server must present a valid PAT for any of these calls to be allowed:


The protection API is an “offline” type of API, meaning the resource server generally needs to make API calls to the authorization server when Alice does not currently have a session. In practice, this typically requires a way for the resource server to store a longer-lived refresh token persistently so that it can refresh a shorter-lived PAT on an ongoing basis. (For some thoughts on resource server error handling when the PAT is invalid, see the UMA Implementer's Guide.)
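The refresh pattern described above, as an added example (not code from the UMA specification or the Implementer's Guide): the resource server keeps the refresh token in an owner-only file, renews the PAT shortly before it expires using the standard OAuth 2.0 `refresh_token` grant, persists a rotated refresh token, and signals when Alice has to authorize again. `PatManager`, `post_token` and the file layout are assumptions; `post_token` stands for a client-authenticated POST to the authorization server's token endpoint.

```python
import json, os, time

class ReauthorizationRequired(Exception):
    """The refresh token was rejected; Alice must authorize the resource server again."""

class PatManager:
    """Hypothetical helper (not from the UMA spec): keeps a short-lived PAT fresh."""
    def __init__(self, store_path, post_token, clock=time.time):
        # post_token(form) -> (http_status, json_body): assumed to perform a
        # client-authenticated POST to the authorization server's token endpoint.
        self.store_path, self.post_token, self.clock = store_path, post_token, clock
        self.pat, self.expires_at = None, 0.0

    def load_refresh_token(self):
        with open(self.store_path) as f:
            return json.load(f)["refresh_token"]

    def save_refresh_token(self, token):
        # Owner-only file, written to a temp name and swapped in atomically.
        tmp = self.store_path + ".tmp"
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:
            json.dump({"refresh_token": token}, f)
        os.replace(tmp, self.store_path)

    def get_pat(self, skew=30):
        # Reuse the cached PAT until `skew` seconds before it expires.
        if self.pat and self.clock() < self.expires_at - skew:
            return self.pat
        status, body = self.post_token({"grant_type": "refresh_token",
                                        "refresh_token": self.load_refresh_token()})
        if status == 400 and body.get("error") == "invalid_grant":
            self.pat = None  # nothing the resource server can do offline
            raise ReauthorizationRequired("refresh token is no longer valid")
        if status != 200:
            raise RuntimeError(f"token endpoint returned {status}: {body.get('error')}")
        if "refresh_token" in body:  # the server rotated the refresh token
            self.save_refresh_token(body["refresh_token"])
        self.pat = body["access_token"]
        self.expires_at = self.clock() + body.get("expires_in", 0)  # absent: refresh every call
        return self.pat

if __name__ == "__main__":
    import tempfile
    def fake_as(form):  # constructed stand-in for the token endpoint
        return 200, {"access_token": "pat-1", "expires_in": 300, "refresh_token": "rt-2"}
    mgr = PatManager(os.path.join(tempfile.mkdtemp(), "rt.json"), fake_as)
    mgr.save_refresh_token("rt-1")  # constructed value
    print(mgr.get_pat(), mgr.load_refresh_token())
```

`ReauthorizationRequired` is the one failure the resource server cannot recover from on its own, so it is kept distinct from transient token-endpoint errors that can simply be retried.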

Here are "offline" use cases for each of the endpoints. None of these situations requires Alice to be currently available; in each, some other condition prompts the resource server to make the call to the protection API.