AM 7.3.1


UMA permission endpoint, as defined in the Federated Authorization for User-Managed Access (UMA) 2.0 specification.

Use this endpoint to request permission tickets to the authorization server during the UMA grant flow.

Supported HTTP methods
Action HTTP method



You must compose the path to the token endpoint addressing the specific realm where the token will be issued. For example,

The permission request endpoint does not support any parameters. To authenticate to the endpoint, send an Authorization: Bearer header with the PAT of the resource owner.

To request a ticket, send an HTTP POST request to the endpoint specifying the resource and the scope that the permission ticket applies to in the payload, as a JSON object that follows the UMA 2.0 specification. For example:

$ curl -X POST \
--header 'authorization: Bearer 057ad16f-7dba-4049-9f34-e609d230d43a' \
--header 'content-type: application/json' \
--data '[
        "resource_id" : "ef4d750e-3831-483b-b395-c6f059b5e15d0",
        "resource_scopes" : ["download"]
]' \
    "ticket": "eyJ0eXAiOiJ…​XPeJi3E"

Both of the objects in the JSON body are required. To obtain the resource ID, query the /uma/resource_set endpoint.

The default lifetime for a permission ticket is 120 seconds. To change it, go to Realms > Realm Name > Services > UMA Provider, and edit the Permission Ticket Lifetime property.

For an example of requesting a permission ticket in the flow, see UMA grant flow.

Copyright © 2010-2024 ForgeRock, all rights reserved.