[[_service_protection_whatis_obtain_pat]] = What is a PAT and How to Obtain It A *protection API token* (PAT) is a special OAuth2 access token with a scope defined as *uma_protection*. When you create a resource server, {project_name} automatically creates a role, _uma_protection_, for the corresponding client application and associates it with the client's service account. .Service Account granted with *uma_protection* role image:{project_images}/service/rs-uma-protection-role.png[alt="Service Account granted with uma_protection role"] Resource servers can obtain a PAT from {project_name} like any other OAuth2 access token. For example, using curl: ```bash curl -X POST \ -H "Authorization: Basic aGVsbG8td29ybGQtYXV0aHotc2VydmljZTpwYXNzd29yZA==" \ -H "Content-Type: application/x-www-form-urlencoded" \ -d 'grant_type=client_credentials' \ "http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token" ``` The example above is using the *client_credentials* grant type to obtain a PAT from the server. As a result, the server returns a response similar to the following: ```bash { "access_token": ${PAT}, "expires_in": 300, "refresh_expires_in": 1800, "refresh_token": ${refresh_token}, "token_type": "bearer", "id_token": ${id_token}, "not-before-policy": 0, "session_state": "ccea4a55-9aec-4024-b11c-44f6f168439e" } ``` [NOTE] {project_name} can authenticate your client application in different ways. For simplicity, the *client_credentials* grant type is used here, which requires a _client_id_ and a _client_secret_. You can choose to use any supported authentication method.