# Validation Decisions

#### After the SP has invoked the validation API as described in the [previous section](/feature-guides/authentication/token-validation-api/integration-steps.md), the guidelines below explain how to make a decision based on the token validation response.

#### Based on the responses from “[Verify Access Token](/feature-guides/authentication/token-validation-api/integration-steps/2.-verifying-access-token-api.md)” and “[Obtain User information API](broken://pages/-Mkg-h9NOVvq2u0kpZss)” in the earlier sections, the SP should perform the checks below in order:

1. **(Mandatory)** If the “Verify Access Token” API response shows that the token is not active (i.e. active=false), the resource server or SP should deny access to the resource.

2. **(Mandatory)** If the SP wants to verify that the presented token was issued by a particular client, it should check the value of “client\_id” or the values under “client\_claims” in the “Verify Access Token” API response.

* For example, if the SP wants to validate that the presented token was issued by “SDG Digital Vault App”, it should check the values below:

```json
"client_id": "sdg_digivault",
"client_claims": {
    "distinguished_name": "CN=SDG DigitalVault",
    "sub": "sdg_digitalvault",
    "name": "SDG Digital Vault App",
    "domain": "urn:safelayer:eidas:domain:oauth:client",
    "acr": "urn:safelayer:tws:policies:authentication:level:low",
    "amr": ["urn:oasis:names:tc:SAML:1:0:am:password"]
}
```

3. **(Optional but recommended)** If the SP needs to determine the "uuid" of the user who was authenticated with the presented access token, it should check the value of the "*sub*" attribute returned in the "Verify Access Token" API response.

* For example, the SP can read the "uuid" of the authenticated user from the response below:

```json
{
    "sub": "800F475AC0E7A9ED01B2D5D2C25A59B3",
    …
    "acr": "urn:safelayer:tws:policies:authentication:level:high",
    "mobile": "9715555555555",
    "amr": ["urn:safelayer:tws:policies:authentication:adaptive:methods:mobileid", "urn:uae:authentication:method:verified"]
}
```

4. **(Optional but recommended)** If the SP needs to fetch the claims or attributes (e.g. Emirates ID etc.) of the user the access token belongs to, it should invoke the “User information API” as described in the [previous section](broken://pages/-Mkg-h9NOVvq2u0kpZss).

* For example, if the SP needs the Emirates ID of the authenticated user, it should call the "User information API" and validate the attributes returned in the response.

5. **(Optional)** If the SP needs to make sure that the presented access token was issued for a particular scope, in order to decide whether to grant access, it should check the value of the “scope” parameter in the token validation response.

```
{
    "active": true,
    "scope": "urn:uae:digitalid:profile:general",
    "exp":
}
```
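
The checks above (steps 1, 2, 3 and 5) combined into one fail-closed decision function, as an added example that is not UAE PASS's own code. The names `Decision`, `decide` and `SAMPLE` are hypothetical, the sample response is constructed from field values shown on this page, and "scope" is assumed to be a space-delimited string as in RFC 7662; step 4 is left out because it requires a call to the User information API.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    user_uuid: Optional[str] = None


def decide(resp: dict, expected_client_id: Optional[str] = None,
           required_scope: Optional[str] = None) -> Decision:
    """Apply the checks, in order, to a parsed "Verify Access Token" response."""
    # Step 1 (mandatory): fail closed unless "active" is the JSON boolean true.
    # A missing field or the string "true" is treated as inactive.
    if resp.get("active") is not True:
        return Decision(False, "token not active")

    # Step 2: the token must come from the client this SP expects.
    if expected_client_id is not None and resp.get("client_id") != expected_client_id:
        return Decision(False, "unexpected client_id")

    # Step 3: "sub" carries the uuid of the authenticated user.
    sub = resp.get("sub")
    user_uuid = sub if isinstance(sub, str) and sub else None

    # Step 5: exact match against the granted scopes, never a substring test.
    # Assumption: "scope" is a space-delimited string (RFC 7662).
    if required_scope is not None:
        scope = resp.get("scope")
        granted = scope.split() if isinstance(scope, str) else []
        if required_scope not in granted:
            return Decision(False, "required scope not granted")

    return Decision(True, "ok", user_uuid)


# Constructed sample: combines field values from the examples on this page.
SAMPLE = {
    "active": True,
    "client_id": "sdg_digivault",
    "sub": "800F475AC0E7A9ED01B2D5D2C25A59B3",
    "scope": "urn:uae:digitalid:profile:general",
}
```
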

