What is the fastest way to get started with Ping Identity?

The fastest way to get started is by signing up for a PingOne trial account. This provides immediate access to the cloud platform, allowing you to configure environments and applications without on-premises setup.

Do I need to install any software to use Ping Identity APIs?

For cloud-based PingOne APIs, no local software installation is required beyond standard development tools (like curl or an HTTP client). For on-premises products like PingFederate or PingDirectory, server software installation is necessary.

How do I get my Client ID and Client Secret?

After creating an application within your PingOne environment in the Admin Console, the Client ID and Client Secret are generated and displayed in the application's configuration settings. The Client Secret is typically shown only once upon creation.

What is an 'environment' in PingOne?

An environment in PingOne is a logical container that isolates configurations for different stages of development, such as development, staging, or production. This helps manage and test identity settings separately.

Which authentication flow should I use for my first API call?

For a machine-to-machine application making its first API call, the Client Credentials grant type (part of OAuth 2.0) is generally the simplest and most direct method to obtain an access token.

My API call is returning a 401 Unauthorized error. What should I check?

A 401 Unauthorized error often indicates issues with your Client ID or Client Secret. Verify that both are correct and that their base64 encoding (for the Authorization header) is accurate. Also, check for expired access tokens if it's not the initial token request.

Where can I find Ping Identity's API documentation?

The comprehensive API documentation for PingOne and other Ping Identity products is available on the Ping Identity Developer Documentation portal, specifically the PingOne Platform API Reference for cloud services.

Ping Identity Getting Started: Account Setup & First Request (2026)

Ping Identity getting started involves a sequence of steps to establish a functional identity and access management (IAM) environment. This process typically includes account registration, configuring core services like PingFederate or PingOne, and securing access credentials. Developers then use these credentials to authenticate and authorize users and applications against Ping Identity's platform, enabling secure digital interactions.

Getting started overview

Getting started with Ping Identity involves establishing an account, configuring core identity services, and integrating applications using standard protocols. Ping Identity offers both cloud-based solutions, such as PingOne, and on-premises deployments, including PingFederate and PingDirectory. The initial setup varies depending on the chosen product and deployment model.

For cloud-native integrations, the PingOne platform provides a streamlined path to configure identity services, create applications, and manage user access. On-premises deployments typically require server setup, database configuration, and manual integration with existing enterprise infrastructure. This guide focuses on the streamlined process for cloud-based services, specifically PingOne, for a quicker initial experience.

A typical getting started workflow includes:

Creating a PingOne account.
Setting up an environment within PingOne.
Registering an application and obtaining client credentials.
Making a test API call to verify configuration.

Understanding fundamental identity management concepts, such as OAuth 2.0 and OpenID Connect (OIDC), is beneficial for effective integration. OIDC builds on OAuth 2.0 to provide identity verification, allowing clients to verify the identity of the end-user based on the authentication performed by an authorization server, as well as to obtain basic profile information about the end-user. The OpenID Connect specification details these interactions.

Create an account and get keys

To begin using Ping Identity, you typically start by creating a PingOne account. This process establishes your organization's tenant within the PingOne cloud platform.

Account Creation

Navigate to the Ping Identity website and locate the option to sign up for a trial or contact sales to initiate an account setup.
Follow the prompts to provide organizational details, administrator contact information, and desired region for your PingOne environment.
Once your account is provisioned, you will receive an email with instructions to activate your administrator account and set a password.
Log in to the PingOne Admin Console using your new credentials.

Environment and Application Setup

Within the PingOne Admin Console, you will set up your first environment and register an application:

Create an Environment: An environment isolates configurations for different use cases (e.g., development, staging, production). From the Admin Console, select Environments and then Add Environment. Provide a name and description for your environment. Refer to the PingOne environments documentation for guidance.
Register an Application: To enable your application to interact with PingOne for authentication and authorization, you must register it.

In your selected environment, navigate to Applications and click Add Application.
Choose the appropriate application type (e.g., Web App, Native App, Machine to Machine). For a first API request, a Machine to Machine application using the Client Credentials Flow is often the simplest.
Provide a name for your application and configure its settings. For Machine to Machine applications, ensure the Client Credentials grant type is enabled.

Obtain Client Credentials: After registering your application, PingOne generates a Client ID and a Client Secret. These are your API keys for programmatic access.

Locate these credentials in the application's configuration details within the PingOne Admin Console.
Important: The Client Secret is typically shown only once upon creation. Copy and store it securely immediately. If lost, you will need to regenerate it, invalidating the old secret.

For more detailed step-by-step instructions on setting up applications, consult the PingOne Applications documentation.

Your first request

With your PingOne environment and application configured, and your Client ID and Client Secret obtained, you can now make your first API request to retrieve an access token. This token will then be used to access protected resources or perform identity operations.

1. Obtain an Access Token (Client Credentials Flow)

For a Machine to Machine application, you will use the Client Credentials grant type to request an access token from PingOne's token endpoint. This involves making a POST request to your environment's token URL.

Request Details:

Method: POST
URL: https://auth.pingone.com/{environmentID}/as/token (Replace {environmentID} with your actual PingOne environment ID, found in the environment settings in the Admin Console).
Headers:
- Content-Type: application/x-www-form-urlencoded
- Authorization: Basic {base64EncodedClientIdAndSecret} (The {base64EncodedClientIdAndSecret} is the base64 encoding of {client_id}:{client_secret}).
Body (x-www-form-urlencoded):
- grant_type=client_credentials
- scope=openid profile (or other scopes relevant to your application's needs)

Example using curl:

export PINGONE_ENV_ID="YOUR_ENVIRONMENT_ID"
export CLIENT_ID="YOUR_CLIENT_ID"
export CLIENT_SECRET="YOUR_CLIENT_SECRET"

# Base64 encode client_id:client_secret
export BASE64_AUTH=$(echo -n "$CLIENT_ID:$CLIENT_SECRET" | base64)

curl -X POST \
  "https://auth.pingone.com/$PINGONE_ENV_ID/as/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Authorization: Basic $BASE64_AUTH" \
  -d "grant_type=client_credentials&scope=openid profile"

Expected Response (JSON):

{
  "access_token": "eyJraWQiOiJ...",
  "expires_in": 3600,
  "token_type": "Bearer",
  "scope": "openid profile"
}

The access_token is the Bearer token you will use for subsequent authenticated API calls.

2. Make an Authenticated API Call (Example)

Once you have an access token, you can use it to call PingOne APIs that require authentication. As an example, you might call the PingOne API to list users or manage groups, depending on the scopes granted to your application.

Request Details (example: List Users API):

Method: GET
URL: https://api.pingone.com/v1/environments/{environmentID}/users
Headers:
- Authorization: Bearer {access_token} (Replace {access_token} with the token received in the previous step).

Example using curl:

export ACCESS_TOKEN="YOUR_ACCESS_TOKEN"
export PINGONE_ENV_ID="YOUR_ENVIRONMENT_ID"

curl -X GET \
  "https://api.pingone.com/v1/environments/$PINGONE_ENV_ID/users" \
  -H "Authorization: Bearer $ACCESS_TOKEN"

Expected Response (JSON, truncated):

{
  "_links": {
    "self": {
      "href": "/v1/environments/{environmentID}/users"
    }
  },
  "_embedded": {
    "users": [
      {
        "id": "user-id-1",
        "username": "johndoe",
        "email": "[email protected]",
        "name": {
          "given": "John",
          "family": "Doe"
        }
        // ... more user data
      }
    ]
  }
}

This successful response confirms your application can authenticate with PingOne and access resources based on its granted permissions. For a comprehensive list of PingOne APIs and their usage, refer to the PingOne Platform API Reference.

Common next steps

After successfully completing your first API request, consider these common next steps to further integrate and secure your applications with Ping Identity:

Explore Other Grant Types: For user-facing applications, investigate other OAuth 2.0 grant types like Authorization Code Flow (with PKCE for native/SPA apps) or Implicit Flow. These are crucial for enabling single sign-on (SSO) and managing user consent. The PingOne authentication documentation provides details on these flows.
Integrate with SDKs: Ping Identity provides Software Development Kits (SDKs) for various languages and platforms, simplifying integration. These SDKs handle token management, refresh flows, and secure communication. Check the PingOne SDKs and Tools documentation for available libraries.
User and Group Management: Learn how to programmatically manage users and groups within PingOne. This includes creating, updating, deleting users, and assigning them to groups for role-based access control (RBAC). The Users API documentation is a key resource.
Multi-Factor Authentication (MFA): Implement MFA for enhanced security. PingOne offers various MFA options, including PingOne MFA, which can be integrated into authentication flows. Review the PingOne MFA documentation.
Access Policies: Define and enforce granular access policies to control who can access what resources under which conditions. These policies are central to Ping Identity's security framework. Information on this is available in the PingOne policy settings.
Webhooks and Eventing: Utilize webhooks to receive real-time notifications about identity events (e.g., user creation, password changes). This allows for reactive automation and integration with other systems. Consult the PingOne Webhooks documentation.
Monitoring and Logging: Set up monitoring and logging to track authentication events, API usage, and potential security incidents. PingOne provides audit logs and integration points for external security information and event management (SIEM) systems.

These steps help build a comprehensive and secure identity solution tailored to your application's requirements.

Troubleshooting the first call

Encountering issues during your first API call is common. Here's a quick reference for common problems and their solutions:

Problem	What to check	Where to check
`401 Unauthorized` (access token request)	Incorrect Client ID or Client Secret. Incorrect Base64 encoding.	PingOne Admin Console > Applications > Your Application > Configuration; Terminal/Code for Base64 string.
`400 Bad Request` (access token request)	Incorrect `grant_type`, missing `scope`, or malformed URL/body.	Request body and URL in your code/curl; PingOne API Reference for token endpoint.
`403 Forbidden` (authenticated API call)	Access token is expired or invalid. Insufficient scopes granted to the application.	Decoded access token (JWT) for expiration; PingOne Admin Console > Applications > Your Application > Scopes.
`404 Not Found`	Incorrect environment ID or API endpoint URL.	PingOne Admin Console > Environments > Your Environment ID; PingOne API Reference for correct endpoint paths.
`SSL Handshake Error`	Client system trust store issues. Network proxy/firewall blocking access.	System network configuration; consult network administrator.
Missing data in API response	Insufficient scopes for the requested resource.	PingOne Admin Console > Applications > Your Application > Scopes; PingOne API Reference for required scopes.
PingOne Admin Console login issues	Incorrect username/password. Account not activated.	Check email for activation link; use password reset feature.

Always review the exact error message provided in the API response, as it often contains specific details that can guide your troubleshooting. The Ping Identity documentation, particularly the sections on API errors and troubleshooting, is an invaluable resource.

Ping Identity Getting Started: Account Setup & First Request (2026)

Getting started overview

Create an account and get keys

Account Creation

Environment and Application Setup

Your first request

1. Obtain an Access Token (Client Credentials Flow)

2. Make an Authenticated API Call (Example)

Common next steps

Troubleshooting the first call

Frequently asked questions

Reviews

Discussion

Written by