# Validation Decisions

#### As described in the [above section](https://docs.uaepass.ae/feature-guides/authentication/token-validation-api/integration-steps), the SP will have invoked the validation API. Below are guidelines on how to make a decision based on the token validation response.

#### Based on the responses from “[Verify Access Token](https://docs.uaepass.ae/feature-guides/authentication/token-validation-api/integration-steps/2.-verifying-access-token-api)” and “[Obtain User information API](https://docs.uaepass.ae/feature-guides/authentication/token-validation-api/broken-reference)” in the earlier section, the SP should perform the checks below in the order listed:

1. **(Mandatory)** If the response of the “Verify Access Token” API shows that the token is not active, i.e. active=false, then the resource server or SP should deny access to the resource.

2. **(Mandatory)** If the SP wants to verify that the presented token was issued by a particular client, it should verify the value of “client\_id” or the values available under “client\_claims” in the response of the “Verify Access Token” API.

* For example, if the SP wants to validate that the presented token was issued by “SDG Digital Vault App”, it should check the values below:

```json
"client_id":"sdg_digivault",
"client_claims":
{
    "distinguished_name":"CN=SDG DigitalVault",
    "sub":"sdg_digitalvault",
    "name":"SDG Digital Vault App",
    "domain":"urn:safelayer:eidas:domain:oauth:client",
    "acr":"urn:safelayer:tws:policies:authentication:level:low",
    "amr":["urn:oasis:names:tc:SAML:1:0:am:password"]
}
```

3. **(Optional but recommended)** If the SP needs to determine the "uuid" of the user who has been authenticated with the presented access token, it should check the value of the "*sub*" attribute returned in the "Verify Access Token" API response.

* For example, SP needs to get the "uuid" of the authenticated user as per below:

```json
{
    "sub": "800F475AC0E7A9ED01B2D5D2C25A59B3",
    …
    …………
    …………
    "acr": "urn:safelayer:tws:policies:authentication:level:high",
    "mobile": "9715555555555",
    "amr": ["urn:safelayer:tws:policies:authentication:adaptive:methods:mobileid", "urn:uae:authentication:method:verified"]
}
```

4. **(Optional but recommended)** If the SP needs to fetch the claims or attributes (e.g. Emirates ID) of the user to whom the access token belongs, it should invoke the “User information API” as mentioned in the [previous Section](https://docs.uaepass.ae/feature-guides/authentication/token-validation-api/broken-reference).

* For example, if the SP needs to get the Emirates ID of the authenticated user, it should call the "User information API" and validate the attributes returned in the response.

5. **(Optional)** If the SP needs to make sure that the presented access token was issued for a particular scope, in order to decide whether to provide access, it should check the value of the “scope” parameter in the token validation response.

```
{
    "active": true,
    "scope": "urn:uae:digitalid:profile:general",
    "exp":
}
```
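The checks above can be combined into a single deny-by-default decision function. This is an added example, not UAE PASS code: the function and class names are hypothetical, the sample response is constructed from the field values shown on this page, and it assumes that multiple scopes arrive as one space-separated string (as in RFC 7662). Step 4, the call to the User information API, is left out because it needs a network request.

```python
from typing import NamedTuple, Optional


class Decision(NamedTuple):
    allow: bool
    reason: str
    user_uuid: Optional[str] = None


def decide(resp: dict, expected_client_id: Optional[str] = None,
           required_scope: Optional[str] = None) -> Decision:
    """Apply the checks in the page's order and deny on the first failure."""
    # Step 1 (mandatory): only a literal JSON true counts as active.
    # A missing field or the string "false" must not pass as truthy.
    if resp.get("active") is not True:
        return Decision(False, "token is not active")

    # Step 2: compare client_id with the client the SP expects.
    if expected_client_id is not None and resp.get("client_id") != expected_client_id:
        return Decision(False, "token issued to an unexpected client")

    # Step 5: exact match against each granted scope, never a substring
    # test. Assumption: several scopes are space-separated in one string.
    if required_scope is not None:
        granted = str(resp.get("scope", "")).split()
        if required_scope not in granted:
            return Decision(False, "required scope not granted")

    # Step 3: the user's uuid is the top-level "sub" attribute.
    return Decision(True, "ok", resp.get("sub"))


# Constructed sample response built from the values shown on this page.
SAMPLE = {
    "active": True,
    "client_id": "sdg_digivault",
    "sub": "800F475AC0E7A9ED01B2D5D2C25A59B3",
    "scope": "urn:uae:digitalid:profile:general",
}

if __name__ == "__main__":
    print(decide(SAMPLE, "sdg_digivault", "urn:uae:digitalid:profile:general"))
    print(decide({"active": "false"}))
```
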
