Detailed Action
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Priority
Acknowledgment is made of applicant’s claim for foreign priority under 35 U.S.C. 119 (a)-(d). The certified copy has been filed in parent Application No. CN 202410382470.2, filed on 03/29/2024.
Specification
The disclosure is objected to because of the following informalities: "second authentication module 260" should be changed to "second authentication module 280" in paragraph [0051].
Appropriate correction is required.
Claim Objection
Claim 4 is objected to because the claim recites “the target token” without any prior recitation of “a target token” in the claim. For examination purposes, “the target token” in claim 4 will be read as “a target token”.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claim(s) 1, 4-6, 8-9, 11, 14-16, 18-20 is/are rejected under 35 U.S.C. 102(a)(1) and 102(a)(2) as being anticipated by Zhang (CN 114528571 A).
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
Regarding claim 1, Zhang teaches a method of permission management, comprising: receiving a usage request for a target application of a platform, the usage request comprising token information ([Page 1, lines 27-30] “These open application programming interfaces are usually called open APIs. The platform is displayed, and developers can access and use related service resources through these open APIs without accessing the source code in the server or understanding the details of the internal working mechanism”, target application of a platform is an open platform invoking API service resources or permissions; [Page 2, lines 38-42] “In a second aspect, embodiments of the present disclosure provide a data processing method. The above data processing method includes: receiving an access request sent by a demand side, and the information carried in the access request includes: user account, token information related to invocation timing, address information of the target service resource requested to be invoked, and the above-mentioned target service resource needs”; [Page 4, lines 2-6] “The above-mentioned data processing module is used for decrypting and authorizing the above-mentioned token information to obtain an access response result. The above-mentioned result sending module is used for sending the above-mentioned access response result to the demand side.”; Page 3 discloses the user request as an access request which includes token information of the user account and the target application of a platform (the platform is displayed and developers can access it through the access response result));
verifying the token information with token management data, the token management data being generated based on a token creation request of a target user associated with the target application, the token creation request indicating at least a specified permission of at least one workspace of the target user in the platform ([page 11, lines 58-60, page 12 lines 1-4] “Based on the above operations S201 to S205, in the resource access method provided by the embodiments of the present disclosure, the overall logic of resource access is to generate token information by real-time encryption and calculation according to the resource access information and encryption algorithm pre-obtained from the server at the calling time., and the token information is related to the calling time and the access rights of the user account to the service resources, so that the token information generated corresponding to the request at different times and the request of different users is different, effectively realizing the authorization verification”, discloses user request as access request which includes generating token information of user account; [Page 7, lines 38-48] “For example, in the system architecture composed of the first demand side 110 and the server side 130, referring to the single-dotted line in FIG. The development of online shopping applications through a software development app) or a browser (for example, a web version software development system, the first user 101 develops online shopping applications through the web version software development system) at runtime, by executing the embodiments of the present disclosure The provided resource access method initiates an access request to the server 130 for calling the target service resource, and receives an access response result from the server 130 . 
The server 130 analyzes and processes the received access request by executing the data processing method provided by the embodiment of the present disclosure, and calls the service resource for calculation of the access response result (for example, the data obtained according to the access request, the query result, and the query result)”, page 8 discloses the “target user” as the first user 101 is the software developer; [page 8, lines 43-49] “In an implementation scenario, referring to the one-dot chain line in FIG. 1 , the first user 101 is, for example, a software developer, and the software developer develops applications or web version software based on the software installed in the terminal devices 111 , 112 , and 113 . The system performs an application development process. During this process, the software developer will perform one or more operations on the interactive interface corresponding to the software development application or the web version software development system, thereby receiving the first user 101 on the terminal device”; target user is developer of open APIs (workspace) and ; [Page 15, lines 38-41] “Referring to FIG. 6 , the data processing method provided by the embodiment of the present disclosure includes the following operations: S601, S602, and S603. 
Operations S601 to S603 are performed by the server, and the server performs permission management for the demander to access the API service resource corresponding to the API interface”; [Page 14, lines 43-45] “In operation S601, an access request sent by a demand side is received, and the information carried in the access request includes: user account, token information related to the invocation timing, address information of the target service resource requested to be invoked, and the target service resource to be executed by the above-mentioned target service resource.”; Page 14 discloses verifying the token with token management data (applicant discloses token management data as “being generated based on a token creation request or access request”); [[Page 15,lines 5-7] “According to an embodiment of the present disclosure, resource access information and encryption algorithms can be transmitted between the sender and receiver of information corresponding to the demand side (110 or 120 in the example of FIG. 1 ) and the server (130 of the example in FIG. 1 ) through an agreed medium , for example, it is transmitted by mail, or the demand side obtains data packets by accessing a specific access address given by the server (the access password is shared by both sender and receiver)” and Page 13 discloses target application is created by target user or developer (user 1) with the target platform of applications (applicant discloses the usage request “comprising token information”;
in response to the token information being verified, determining whether a usage permission corresponding to the token information matches the usage request ([page 11, lines 31-35] “From the perspective of the server side, since the association between the user account and the access authority of the service resource is pre-configured and stored on the server side, after receiving the access request, the server side decrypts the token information and obtains the authority Verification, to determine whether the user account of the current user has call/access rights to the target service resource), page 10 discloses “a usage permission corresponding to usage request” as resource access rights corresponds to token information of access request; and
in response to the usage permission matching the usage request, responding to the usage request with the target application ([Page 11, lines 15-17] “In operation S204, the access request carrying the above-mentioned user account, the above-mentioned token information, the above-mentioned address information and the above-mentioned target instruction is sent to the server”; [Page 11, lines28-29] “In the above operations S204-S205, the demand side may obtain the corresponding authority verification result from the server side according to the user account and token information.”; [Page 11, lines 51-52] “…so as to obtain the corresponding data processing result, and send the target service resource to the corresponding target service resource for execution. The data processing result is fed back to the demand side as an access response result”); page 1 discloses the “target instruction” as “the resource needs to execute; at the above-mentioned calling time, according to the resource access information (permission) and encryption algorithm pre-obtained from the server”; page 3 discloses user request as access request which includes token information of user account and target application of a platform (platform is displayed and developers can access through the access response result; and page 10 discloses “permissions” as access rights and “access response result” as in “usage request result”).
Regarding claim 4, Zhang teaches the method of claim 1, outlined above.
Zhang teaches the method of claim 1, further comprising: in response to receiving the token creation request, performing an encryption processing on the target token generated based on the token creation request to update the token management data ([Page 15, lines 48-51] “The token information is generated according to the resource access information and encryption algorithm pre-obtained from the server when the demand side calls the target service resource; wherein the resource access information is related to the access authority of the user account to the service resource link”; [Page 16, lines 7-11] “On the one hand, since the token information corresponding to each access request is calculated in real time by each demand side at the calling time (recalculation is required for each request), the timeliness does not need to be considered, so the demand side does not need to work hard to tokenize In the development of regular update or replacement, the server does not need to face the pressure of frequent token update”); page 16 discloses that the token information is generated, encrypted and updated in real time.
Regarding the non-transitory storage medium of claim 14, the claim recites limitations similar to those of method claim 4 and is therefore rejected based on the same rationale as claim 4.
Regarding claim 5, Zhang teaches the method of claim 4, outlined above.
Zhang teaches the method of claim 4, further comprising: providing target token information corresponding to the target token to the target user ([Page 15, lines 58-60, page 16, lines 1-5] “In one embodiment, after the above-mentioned operations S201 to S203 are performed on the demand side, operation S204 is performed, and an access request carrying the above-mentioned user account, the above-mentioned token information, the above-mentioned address information and the above-mentioned target instruction is sent to the server side. Correspondingly, the server side receives the access request sent by the demand side (corresponding to operation S601). Next, the server performs operation S602 to obtain an access response result, and performs operation S603 to send the access response result to the demand side. Correspondingly, the access response result sent by the server is received at the demand side (corresponding to operation S205)”); page 15 discloses an access request or usage request including input information selecting the workspace and permission in the token creation for the developer or user 1; page 14 discloses the target token information as token information that is generated, encrypted and updated in real time.
Regarding the non-transitory storage medium of claim 15, the claim recites limitations similar to those of method claim 5 and is therefore rejected based on the same rationale as claim 5.
Regarding claim 6, Zhang teaches the method of claim 1, outlined above.
Zhang teaches the method of claim 1, wherein in response to the token information being verified, determining whether a usage permission corresponding to the token information matches the usage request, the determining comprising:
in response to the token information being verified, obtaining identity information corresponding to the token information ([page 14, lines 36-41] “According to an embodiment of the present disclosure, the above-mentioned confirmation information includes: user account (used to indicate user identity, which can also be described as user identification, such as the login name, user name, mobile phone number, etc. of an open platform), payment information, purchase specific Service resources (for example, the purchased service resources for image recognition), and the purchase validity period of specific service resources; [page 16, lines 58-58] “In sub-operation S7013, the above-mentioned character string information is split to obtain the decrypted timestamp information and the user login password”; [page 17, lines 12-15] “In the above operation S702, performing identity verification on the user corresponding to the above user account according to the above decrypted resource access information, including: verifying whether the decrypted time stamp information is consistent with the time stamp information corresponding to the above access request”, Page 2 “According to an embodiment of the present disclosure, the above-mentioned decrypting and authority verification of the above-mentioned token information to obtain an access response result includes: decrypting the above-mentioned token information to obtain decrypted resource access information; according to the above-mentioned decrypted resource access information , perform identity verification”); and
determining whether the usage permission corresponding to the identity information matches the usage request ([page 17, lines 16-20] “After verification, the decrypted time stamp information is consistent with the time stamp information corresponding to the above access request, and the decrypted user login password is consistent with the above target user login password Under the circumstance, it is determined that the identity verification of the user account corresponding to the above-mentioned user account has passed”; page 17 discloses that the usage request identity information matches or is consistent with the usage request or token information of the access request).
Regarding the non-transitory storage medium of claim 16, the claim recites limitations similar to those of method claim 6 and is therefore rejected based on the same rationale as claim 6.
Regarding claim 8, Zhang teaches the method of claim 1, outlined above.
Zhang teaches the method of claim 1, further comprising: in response to the token information failing to be verified, denying the usage request ([Page 11, lines 41-46] “In this way, when performing permission verification, it is possible to obtain the verification result of user A's access to the target service resource: API service resource 2 does not have access permission, so the access response result of access failure will be fed back to the demander. Correspondingly, on the demand side, the result of receiving the access response from the server is: access failed”).
Regarding the non-transitory storage medium of claim 18, the claim recites limitations similar to those of method claim 8 and is therefore rejected based on the same rationale as claim 8.
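The flow mapped above for claims 1, 4, 5, 6 and 8 (token creation, verification against token management data, identity lookup, permission match, denial on failure) can be sketched as follows. This is an added example, not code from the application or from Zhang; storing only a SHA-256 digest of the token stands in for the claimed "encryption processing", and the class, function, user and workspace names are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class TokenRecord:
    """One entry of the token management data (hypothetical layout)."""
    user: str                           # identity bound to the token (claim 6)
    grants: dict[str, frozenset[str]]   # workspace -> permitted actions


class TokenManager:
    """Keeps token management data keyed by a digest of each issued token."""

    def __init__(self) -> None:
        self._records: dict[str, TokenRecord] = {}

    @staticmethod
    def _digest(token: str) -> str:
        # Assumption: a one-way digest plays the role of the "encryption
        # processing" of claim 4, so the raw token is never stored.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def create_token(self, user: str, grants: dict[str, list[str]]) -> str:
        """Token creation request: names workspaces and the permission on each."""
        if not grants or any(not actions for actions in grants.values()):
            raise ValueError("a token must specify a permission on a workspace")
        token = secrets.token_urlsafe(32)
        self._records[self._digest(token)] = TokenRecord(
            user, {ws: frozenset(actions) for ws, actions in grants.items()}
        )
        return token  # handed to the target user once (claim 5)

    def verify(self, token: str) -> TokenRecord | None:
        """Verify presented token information against the management data."""
        if not isinstance(token, str) or not token:
            return None
        return self._records.get(self._digest(token))


def handle_usage_request(manager: TokenManager, request: dict) -> tuple[int, str]:
    """Serve a usage request only if the token verifies and its permission matches."""
    record = manager.verify(request.get("token", ""))
    if record is None:
        return 401, "token not verified"                 # claim 8: deny
    allowed = record.grants.get(request.get("workspace", ""), frozenset())
    if request.get("action") not in allowed:
        return 403, "permission does not match request"  # verified, but no match
    return 200, f"{request['action']} on {request['workspace']} as {record.user}"


def demo() -> list[int]:
    """Constructed requests: one valid, three that must be refused."""
    manager = TokenManager()
    token = manager.create_token("dev-1", {"ws-a": ["read"]})
    requests = [
        {"token": token, "workspace": "ws-a", "action": "read"},    # matches
        {"token": token, "workspace": "ws-a", "action": "write"},   # wrong action
        {"token": token, "workspace": "ws-b", "action": "read"},    # wrong workspace
        {"token": token + "x", "workspace": "ws-a", "action": "read"},  # altered token
    ]
    return [handle_usage_request(manager, r)[0] for r in requests]


if __name__ == "__main__":
    print(demo())
```

The two refusals are kept distinct on purpose: an unverified token never reaches the permission check, while a verified token is still limited to the workspace and action named when it was created.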
Regarding claim 9, Zhang teaches the method of claim 1, wherein the target application is created by the target user with the target platform ([Page 14, lines 15-26] “Referring to FIG. 5A , in the above operation S401 , obtaining resource access information and an encryption algorithm includes the following operations: S501 , S502 and S503. In operation S501, confirmation information about successful payment of a specific service resource is received, where the specific service resource is a service resource to be enjoyed by the above-mentioned user when developing or using an application. For example, the operator of an application (an example of a user) can purchase specific service resources corresponding to an API interface for a developing application or a published application through the open platform on the terminal device, then in the development process of the application Or during use, have access rights to the above-mentioned specific service resources (here is an example of satisfying access authorization conditions”); page 14 discloses that the target application is created by the target user or developer (user 1) with the target platform of applications;
and the usage request is an invocation of a target interface for the target application, the target interface being provided based on a configuration operation of the target user in the target platform ([page 14, lines 38-46] “Referring to FIG. 6 , the data processing method provided by the embodiment of the present disclosure includes the following operations: S601, S602, and S603. Operations S601 to S603 are performed by the server, and the server performs permission management for the demander to access the API service resource corresponding to the API interface. In operation S601, an access request sent by a demand side is received, and the information carried in the access request includes: user account, token information related to the invocation timing, address information of the target service resource requested to be invoked, and the target service resource to be executed by the above-mentioned target service resource. instruction”, usage request includes invocating the API interface for the target application; [page 16, lines 20-21] “FIG. 7 schematically shows a detailed implementation flowchart of operation S602 according to an embodiment of the present disclosure”; [page 16, lines 43-45] “In sub-operation S7011, preconfigured target resource access information is queried from a database according to the user account, where the target resource access information includes: a target access key used by the user account to access the authorized service resource”, page 16 discloses the configuration of the target user and platform.
Regarding the non-transitory storage medium of claim 19, the claim recites limitations similar to those of method claim 9 and is therefore rejected based on the same rationale as claim 9.
Regarding claim 11, Zhang teaches an electronic device, comprising:
at least one processing unit ([Page 19, lines 40-41] “Referring to FIG. 10 , an electronic device 1000 provided by an embodiment of the present disclosure includes a processor 1001”); and
at least one memory coupled to the at least one processing unit and storing instructions for execution by the at least one processing unit, in response to the instructions being executed by the at least one processing unit causing the electronic device to perform a method of permission management comprising: ([Page 19, lines 40-46] “Referring to FIG. 10 , an electronic device 1000 provided by an embodiment of the present disclosure includes a processor 1001 , a communication interface 1002 , a memory 1003 and a communication bus 1004 , wherein the processor 1001 , the communication interface 1002 and the memory 1003 communicate with each other through the communication bus 1004 The memory 1003 is used to store computer programs; the processor 1001 is used to implement the above-mentioned resource access method or data processing method when executing the program stored in the memory); ([Page 19, lines 59-60, page 20 lines 1-6] “According to an embodiment of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, such as, but not limited to, portable computer disks, hard disks, random access memory (RAM), read only memory (ROM) , erasable programmable read only memory (EPROM or flash memory), portable compact disk read only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination of the foregoing. In this disclosure, a computer-readable storage medium may be any tangible medium that contains or stores a program that can be used by or in conjunction with an instruction execution system, apparatus, or device”);
receiving a usage request for a target application of a platform, the usage request comprising token information ([Page 1, lines 24-27] “These open application programming interfaces are usually called open APIs. The platform is displayed, and developers can access and use related service resources through these open APIs without accessing the source code in the server or understanding the details of the internal working mechanism”, target application of a platform is an open platform invoking API service resources or permissions; [Page 2, lines 28-33] “In a second aspect, embodiments of the present disclosure provide a data processing method. The above data processing method includes: receiving an access request sent by a demand side, and the information carried in the access request includes: user account, token information related to invocation timing, address information of the target service resource requested to be invoked, and the above-mentioned target service resource needs…. The above-mentioned data processing module is used for decrypting and authorizing the above-mentioned token information to obtain an access response result. The above-mentioned result sending module is used for sending the above-mentioned access response result to the demand side.”, Page 2 discloses user request as access request which includes token information of user account and target application of a platform (platform is displayed and developers can access through the access response result;
verifying the token information with token management data, the token management data being generated based on a token creation request of a target user associated with the target application, the token creation request indicating at least a specified permission of at least one workspace of the target user in the platform ([page 11, lines 58-60, page 12, lines 1-4] “Based on the above operations S201 to S205, in the resource access method provided by the embodiments of the present disclosure, the overall logic of resource access is to generate token information by real-time encryption and calculation according to the resource access information and encryption algorithm pre-obtained from the server at the calling time., and the token information is related to the calling time and the access rights of the user account to the service resources, so that the token information generated corresponding to the request at different times and the request of different users is different, effectively realizing the authorization verification”, discloses token creation of request access or resource access; [Page 7, lines 38-47] “For example, in the system architecture composed of the first demand side 110 and the server side 130, referring to the single-dotted line in FIG. The development of online shopping applications through a software development app) or a browser (for example, a web version software development system, the first user 101 develops online shopping applications through the web version software development system) at runtime, by executing the embodiments of the present disclosure The provided resource access method initiates an access request to the server 130 for calling the target service resource, and receives an access response result from the server 130 . 
The server 130 analyzes and processes the received access request by executing the data processing method provided by the embodiment of the present disclosure, and calls the service resource for calculation of the access response result (for example, the data obtained according to the access request, the query result, and the query result)”, page 7 discloses the “target user” as the first user 101 is the software developer; [page 8, lines 43-49] “In an implementation scenario, referring to the one-dot chain line in FIG. 1 , the first user 101 is, for example, a software developer, and the software developer develops applications or web version software based on the software installed in the terminal devices 111 , 112 , and 113 . The system performs an application development process. During this process, the software developer will perform one or more operations on the interactive interface corresponding to the software development application or the web version software development system, thereby receiving the first user 101 on the terminal device”; target user is developer of open APIs (workspace), [Page 15, lines 38-41] “Referring to FIG. 6 , the data processing method provided by the embodiment of the present disclosure includes the following operations: S601, S602, and S603. Operations S601 to S603 are performed by the server, and the server performs permission management for the demander to access the API service resource corresponding to the API interface”, verify the token with token management data and Page 15 discloses target application is created by target user or developer (user 1) with the target platform of applications;
in response to the token information being verified, determining whether a usage permission corresponding to the token information matches the usage request ([page 11, lines 31-35] “From the perspective of the server side, since the association between the user account and the access authority of the service resource is pre-configured and stored on the server side, after receiving the access request, the server side decrypts the token information and obtains the authority Verification, to determine whether the user account of the current user has call/access rights to the target service resource), page 11 discloses “a usage permission corresponding to usage request” as resource access rights corresponds to token information of access request; and
in response to the usage permission matching the usage request, responding to the usage request with the target application ([Page 11, lines 15-25] “In operation S204, the access request carrying the above-mentioned user account, the above-mentioned token information, the above-mentioned address information and the above-mentioned target instruction is sent to the server. In the above operations S204-S205, the demand side may obtain the corresponding authority verification result from the server side according to the user account and token information.”; [Page 11, lines 51-53] “…so as to obtain the corresponding data processing result, and send the target service resource to the corresponding target service resource for execution. The data processing result is fed back to the demand side as an access response result”); Page 1 discloses the “target instruction” as “the resource needs to execute; at the above-mentioned calling time, according to the resource access information (permission) and encryption algorithm pre-obtained from the server”, and Page 11 discloses “permissions” as access rights and “access response result” as in “usage request result”).
Regarding claim 20, Zhang teaches an electronic device, comprising: a non-transitory computer-readable storage medium having a computer program stored thereon, the computer program being executable by a processor to implement the method of permission management comprising ([page 19, lines 40-46] “Referring to FIG. 10 , an electronic device 1000 provided by an embodiment of the present disclosure includes a processor 1001 , a communication interface 1002 , a memory 1003 and a communication bus 1004 , wherein the processor 1001 , the communication interface 1002 and the memory 1003 communicate with each other through the communication bus 1004 The memory 1003 is used to store computer programs; the processor 1001 is used to implement the above-mentioned resource access method or data processing method when executing the program stored in the memory); ([Page 20, lines 4-6] “In this disclosure, a computer-readable storage medium may be any tangible medium that contains or stores a program that can be used by or in conjunction with an instruction execution system, apparatus, or device”);
receiving a usage request for a target application of a platform, the usage request comprising token information ([Page 1, lines 24-27] “These open application programming interfaces are usually called open APIs. The platform is displayed, and developers can access and use related service resources through these open APIs without accessing the source code in the server or understanding the details of the internal working mechanism”, target application of a platform is an open platform invoking API service resources or permissions; [Page 2, lines 28-33] “In a second aspect, embodiments of the present disclosure provide a data processing method. The above data processing method includes: receiving an access request sent by a demand side, and the information carried in the access request includes: user account, token information related to invocation timing, address information of the target service resource requested to be invoked, and the above-mentioned target service resource needs…. The above-mentioned data processing module is used for decrypting and authorizing the above-mentioned token information to obtain an access response result. The above-mentioned result sending module is used for sending the above-mentioned access response result to the demand side.”, Page 2 discloses user request as access request which includes token information of user account and target application of a platform (platform is displayed and developers can access through the access response result;
verifying the token information with token management data, the token management data being generated based on a token creation request of a target user associated with the target application, the token creation request indicating at least a specified permission of at least one workspace of the target user in the platform ([page 11, lines 58-60, page 12 lines 1-4] “Based on the above operations S201 to S205, in the resource access method provided by the embodiments of the present disclosure, the overall logic of resource access is to generate token information by real-time encryption and calculation according to the resource access information and encryption algorithm pre-obtained from the server at the calling time., and the token information is related to the calling time and the access rights of the user account to the service resources, so that the token information generated corresponding to the request at different times and the request of different users is different, effectively realizing the authorization verification”; [Page 7, lines 38-48] “For example, in the system architecture composed of the first demand side 110 and the server side 130, referring to the single-dotted line in FIG. The development of online shopping applications through a software development app) or a browser (for example, a web version software development system, the first user 101 develops online shopping applications through the web version software development system) at runtime, by executing the embodiments of the present disclosure The provided resource access method initiates an access request to the server 130 for calling the target service resource, and receives an access response result from the server 130 . 
The server 130 analyzes and processes the received access request by executing the data processing method provided by the embodiment of the present disclosure, and calls the service resource for calculation of the access response result (for example, the data obtained according to the access request, the query result, and the query result)”, page 8 discloses the “target user” as the first user 101 is the software developer; [page 8, lines 43-49] “In an implementation scenario, referring to the one-dot chain line in FIG. 1 , the first user 101 is, for example, a software developer, and the software developer develops applications or web version software based on the software installed in the terminal devices 111 , 112 , and 113 . The system performs an application development process. During this process, the software developer will perform one or more operations on the interactive interface corresponding to the software development application or the web version software development system, thereby receiving the first user 101 on the terminal device”; target user is developer of open APIs (workspace) and; [Page 15, lines 38-41] “Referring to FIG. 6 , the data processing method provided by the embodiment of the present disclosure includes the following operations: S601, S602, and S603. 
Operations S601 to S603 are performed by the server, and the server performs permission management for the demander to access the API service resource corresponding to the API interface”; [Page 14, lines 43-45] “In operation S601, an access request sent by a demand side is received, and the information carried in the access request includes: user account, token information related to the invocation timing, address information of the target service resource requested to be invoked, and the target service resource to be executed by the above-mentioned target service resource”; Page 14 discloses verifying the token with token management data (applicant discloses token management data as “being generated based on a token creation request or access request”); [Page 15, lines 5-7] “According to an embodiment of the present disclosure, resource access information and encryption algorithms can be transmitted between the sender and receiver of information corresponding to the demand side (110 or 120 in the example of FIG. 1 ) and the server (130 of the example in FIG. 1 ) through an agreed medium , for example, it is transmitted by mail, or the demand side obtains data packets by accessing a specific access address given by the server (the access password is shared by both sender and receiver)” and Page 15 discloses target application is created by target user or developer (user 1) with the target platform of applications (applicant discloses the usage request “comprising token information”;
in response to the token information being verified, determining whether a usage permission corresponding to the token information matches the usage request ([page 11, lines 31-35] “From the perspective of the server side, since the association between the user account and the access authority of the service resource is pre-configured and stored on the server side, after receiving the access request, the server side decrypts the token information and obtains the authority Verification, to determine whether the user account of the current user has call/access rights to the target service resource”), page 10 discloses “a usage permission corresponding to usage request” as resource access rights corresponds to token information of access request; and
in response to the usage permission matching the usage request, responding to the usage request with the target application ([Page 11, lines 15-25] “In operation S204, the access request carrying the above-mentioned user account, the above-mentioned token information, the above-mentioned address information and the above-mentioned target instruction is sent to the server. In the above operations S204-S205, the demand side may obtain the corresponding authority verification result from the server side according to the user account and token information.”; [Page 11, lines 51-53] “…so as to obtain the corresponding data processing result, and send the target service resource to the corresponding target service resource for execution. The data processing result is fed back to the demand side as an access response result”); Page 1 discloses the “target instruction” as “the resource needs to execute; at the above-mentioned calling time, according to the resource access information (permission) and encryption algorithm pre-obtained from the server”, and Page 11 discloses “permissions” as access rights and “access response result” as in “usage request result”.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 2 and 12 is/are rejected under 35 U.S.C. 103 as being unpatentable over Zhang (CN 114528571 A) in view of Guccione (US 20230041959 A1).
Regarding claim 2, Zhang discloses all features of claim 1 as outlined above.
Zhang teaches the method of claim 1, further comprising: providing a token creation interface to the target user, the token creation interface comprising a first control for selecting the workspace ([Page 8, lines 51-59] “For example, in one embodiment, the above-mentioned web version software development system includes: an open platform, the open platform has an API interface, and users can purchase and use a specific API interface on the open platform (in some open platforms, users can also The software development kits (SDK packages) corresponding to these API interfaces are used to implement calls to the corresponding API service resources, thereby realizing application development and construction. In another embodiment, the above-mentioned software development application has the right to use the service resource corresponding to a specific API interface by means of pre-purchase, and can call the service resource corresponding to the authorized API”), page 8 discloses a control for selecting the workspace or API interface; and
obtaining the token creation request based on input information received in the token creation interface ([Page 11, lines 15-26] “In operation S204, the access request carrying the above-mentioned user account, the above-mentioned token information, the above-mentioned address information and the above-mentioned target instruction is sent to the server. For example, in an implementation scenario, after the token information Token1 is generated, it will carry the user account CA, the token information Token1 and the target service resource that needs to be called: the address information of the API service resource 2 and the call to the API service resource 2 to execute. The target command is sent to the server. In operation S205, an access response result from the server is received; wherein the access response result is obtained by the server decrypting the token information and verifying the authority”), page 11 discloses an access request or usage request including input information of selecting the workspace and permission in the token creation.
However, Zhang does not explicitly teach a second control for selecting permission type. Guccione teaches a second control for selecting permission type ([0099] “At FIG. 4E, the user has selected a create application function resulting in a display of an application definition box 438. The application definition box 438 includes information prompts for the user to enter information such as an application name, a folder for accessing the application in the GUI, and permissions for the application. The user may select “generate access token” to create the application at 440. The create application function then generates an application key for the new application and an access token corresponding to a client device with which secrets associated with the application will be shared.”), Fig 4E discloses a control for selecting the workspace’s permission types as an interface that accepts developer's/admins permission grant.
Zhang and Guccione are analogous art, each directed to a token system used to manage user access. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Zhang to incorporate the teachings of Guccione to determine inputting information in the token. Doing so would allow the platform to select the interface that accepts developer’s/admin’s permission grants (Guccione [0007] “In view of the above, a computer-implemented method is provided for managing secrets in an enterprise computing network. The method may include generating, at a secrets vault client device, at least one secret record. An application record is generated at the secrets vault client device and associated with a computing environment in which the secrets are to be used”).
Regarding the non-transitory storage medium of claim 12, the claim recites limitations similar to those of method claim 2 and is therefore rejected based on the same rationale as claim 2.
Claim(s) 3 and 13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Zhang (CN 114528571 A) in view of Finkelstein Vincent (EP 3570518 A1).
Regarding claim 3, Zhang in view of Finkelstein Vincent teaches the method of claim 2, outlined above. Zhang does not disclose the below limitation.
Finkelstein Vincent teaches the method of claim 2, wherein the token creation interface further comprises one or more of: a third control for inputting a token identification ([0018] “According to one embodiment, a usage token J is used comprising at least the following parameters: creation date, creation time, duration of validity, type of usage, token number, user's pseudo, signature of the hash of the token content”; [0037] “105 The user 1 enters his digital identity account number through the keyboard of the PC, for example, then the PC sends this information (digital identity account) entered to the web site 3, 106, 107 The website requests the usage token generation system for a usage token J for the entered identity account, the usage token being unique, dated and limited in time…The identity directory has accepted the token request and generation of a usage token for the application required by the user is authorized”), Fig. 2 discloses a control for inputting token identification; or a fourth control for specifying valid time of a token.
Zhang and Finkelstein Vincent are analogous art, each directed to a token system used to manage user access. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Zhang to incorporate the teachings of Finkelstein Vincent to determine inputting information in the token. Doing so would allow the platform to identify the digital identity (Finkelstein Vincent [0003] “The systems for payment and reservations via the Internet implement a step of identifying the individual. This in particular poses the problem of possible use of digital identity. Online payment or e-payment may become fraudulent if a third party has disarmed the confidential data of an individual, for example his identity and his banking details”).
Regarding the non-transitory storage medium of claim 13, the claim recites limitations similar to those of method claim 3 and is therefore rejected based on the same rationale as claim 3.
Claim(s) 7 and 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Zhang (CN 114528571 A) in view of Jones (US 20180302391 A1).
Regarding claim 7, Zhang teaches the method of claim 6 outlined above.
Zhang teaches the method of claim 6, wherein determining whether the usage permission corresponding to the identity information matches the usage request comprises:
providing the identity information, an application identification of the target application and a target action corresponding authentication information from the permission management module ([page 15, lines 38-41] “Referring to FIG. 6 , the data processing method provided by the embodiment of the present disclosure includes the following operations: S601, S602, and S603. Operations S601 to S603 are performed by the server, and the server performs permission management for the demander to access the API service resource corresponding to the API interface”, page 14 discloses server granting target action or permission containing authentication information to the user; [page 15, lines 43-46] “In operation S601, an access request sent by a demand side is received, and the information carried in the access request includes: user account, token information related to the invocation timing, address information of the target service resource requested to be invoked, and the target service resource to be executed by the above-mentioned target service resource. Instruction”; [Page 14, line 56] “In operation S603, the above-mentioned access response result is sent to the demander”, page 15 discloses providing the identity information; [page 15, lines 35-38] “In operation S703a, if the identity verification of the user account is passed, it is determined whether the user account has the right to call the target service resource according to a preconfigured relationship between the user account and the access authority of the service resource”), page 15 discloses the permission management system corresponding to identity information.
However, Zhang does not teach obtaining authentication information from the permission management module, the authentication information indicating whether the usage permission determined based on the identity information matches the application identification and the target action.
Jones teaches obtaining authentication information from the permission management module, the authentication information indicating whether the usage permission determined based on the identity information matches the application identification and the target action ([0054] “In some aspects, in act 452, the authorization server 170 may communicate with the identity provider 160 to confirm that the client credentials contained in the access token are valid. In act 454 the identity provider 160 responds to the authorization server 170 indicating whether the client credentials are valid. If the client credentials are valid, the authorization server 170 validates the access token”; [0055] “In act 455 if the access token is successfully validated, the authorization server 170 communicates with the resource server 180 to return a validation response. The resource server 180 uses the access token to authorize access to resources. In one aspect, the resource server 180 may match the returned validation response from the authorization server 170 with the scopes requested in the request sent by the service provider 140. If the authorization sets match, the resource server 180 honors the request. If the authorizations do not match, then the resource server 180 may reject the request. In act 460, the resource server 180 establishes communications with the service provider 140 to provide the requested resource from the resource server 180. In act 470, the requested resource is served to the client 110 by the service provider 140”).
Zhang and Jones are analogous art, each directed to a token system used to manage user access. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Zhang to incorporate the teachings of Jones to determine inputting information in the token. Doing so would allow the platform to select the interface that accepts developer’s/admin’s input information (Jones [0003] “Some authorization systems utilize role based-access control schemes that affiliate a user's identity with one or more roles and permissions to control the service the user or client is entitled to use”).
Regarding the non-transitory storage medium of claim 17, the claim recites limitations similar to those of method claim 7 and is therefore rejected based on the same rationale as claim 7.
Claim(s) 10 is/are rejected under 35 U.S.C. 103 as being unpatentable over Zhang (CN 114528571 A) in view of Galloway (US 20190229922).
Regarding claim 10, Zhang in view of Galloway discloses all features of claim 1 as outlined above.
Zhang does not teach the token information included in the header. However, Galloway further teaches the token information included in the header ([0037] “At 230, the user 201 may re-submit the original action request and the token received from the authentication service 203. For example, the token may be included in the header of the request 203. The token and/or the request may be serialized as previously disclosed or, more generally, it may be included in the request in any suitable format”).
Zhang and Galloway are analogous art, each directed to a token system used to manage user access. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Zhang to incorporate the teachings of Galloway to determine the information in the header. Doing so would allow the platform to categorize the token (Galloway [0037] “At 230, the user 201 may re-submit the original action request and the token received from the authentication service 203. For example, the token may be included in the header of the request 203”).
Conclusion
The prior art made of record and not relied upon is considered pertinent to the applicant’s disclosure:
Garrapalli (US 20250260573 A1) discloses a system for receiving a token service, a first external request from a remote token service for a first dynamically generated token. ([0003] “Systems and methods are described herein for novel uses and/or improvements to access token generation. More specifically, systems and methods are described for improving security in network environments by dynamically generating access credentials off-line that are resilient to impersonation attempt. For example, one technical problem or vulnerability in access tokens is token leakage”).
Priebatsch (US-8838501-B1) discloses a system of facilitation token authorizing a manager based on a resource received from the request manager ([Col 2, lines 46-50] “The request manager may receive authorization tokens from either or both of the requester and resource; the tokens may include information regarding the identity, location, and/or payment information of the requester and conditions for granting requests from the resource”).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VIVIAN D. HO whose telephone number is (571) 272-9957. The examiner can normally be reached M-F 8:00 - 5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A. Shiferaw can be reached at (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/VIVIAN D HO/Examiner, Art Unit 2497
/BASSAM A NOAMAN/Primary Examiner, Art Unit 2497