Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendments
The amended claims 1, 3, 4, 10 – 13 and 20 – 22 were considered under 35 USC 112, 101 and 103 for patentability over closest and analogous prior arts Fitzpatrick (US 8973118), hereafter Fitz and Kilian-Kehr (US 7865731), hereafter Kil have been fully considered and are persuasive. Claim(s) 2, 5 – 9 and 14 – 19 is/are cancelled.

Allowable Subject Matter
1.	Amended claims 1, 3, 4, 10 – 13 and 20 – 22 are allowed in light of applicant’s arguments, approved examiner’s proposed amendments and in light of prior art(s) made of record. 

Examiner’s Amendment
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.  Authorization for this examiner’s amendment was given in an interview with Steve Filipek (attorney) for filed amended claims on 10-20-2021:
1.	(currently amended)	A method of using access tokens for identification of breach attempts in a client-server communication, the method comprising: 

storing, by the token server system, the at least two token configuration parameters;
generating, by the token server system, a valid token in response to the token generation request;
transmitting, by the token server system to the client device, the valid token; 
receiving, by the token server system, a token validation request for validation of a token from an Application Programming Interface (API) server, the token validation request comprising the token received by the API server from the client device in one or more API calls of an API session, the token comprising token parameters;
accessing, by the token server system, the at least two token configuration parameters associated with a valid token for the client, the at least two token configuration parameters comprising: 
a number of allowable access attempts using the valid token in the API session, and
a range of frequency of allowable access attempts using the valid token in the API session; 
comparing, by the token server system, the token parameters to the at least two token configuration parameters associated with the valid token; 
determining, by the token server system, one of that a number of times the token validation request is received from the API server during the API session exceeds the number of allowable access attempts and that a frequency at which the token validation request is received from the API server during the API session exceeds the range of frequency of allowable access attempts; and 
transmitting, by the token server system to the API server, validation information comprising 

2.	(canceled herein)	

3.	(previously presented)	The method as claimed in claim 1, wherein the at least two token configuration parameters further comprise an allowed access pattern associated with the valid token.

4.	(original)	The method as claimed in claim 3, wherein the allowed access pattern is determined based on historical access patterns of the valid token in a pre-defined time period. 

5.	(canceled). 

6.-7.	(canceled previously).	

8.	(cancelled).	 
 
9.	(cancelled).

10.	(proposed changes)	 A server system for using access tokens for identification of breach attempts in a client-server communication, the server system comprising: 
a memory comprising stored instructions; and
a processor operably connected to the memory and configured to execute stored instructions which when executed cause the server system to perform:
receive from a client device, a token generation request, the token generation request comprising at least two token configuration parameters defined by a user of the client device; 

generate a valid token in response to the token generation request;
transmit the valid token to the client device; 
receive
access
a number of allowable access attempts using the token in the API session, and
a range of frequency of allowable access attempts using the token in the API session;
 compare
determine one of that a number of times the token validation request is received from the API server during the API session exceeds the number of allowable access attempts and that a frequency at which the token validation request is received from the API server during the API session exceeds the range of frequency of allowable access attempts; and 
transmit validation information to the API server, the validation information comprising 

11.	(previously presented)	The server system as claimed in claim 10, wherein the token validation request comprises at least an information of:
a number of access attempts using the valid token during the API session; and


12.	(previously presented)	The server system as claimed in claim 10, wherein the at least two token configuration parameters further comprise an allowed access pattern associated with the valid token.

13.	(original)	The server system as claimed in claim 12, wherein the allowed access pattern for the API session is determined based on historical access patterns of the valid token in a pre-defined time period.  

14.-15.	(canceled).

16.	(cancelled).
 
17.	(cancelled).

18.-19. 	(canceled).	 

20.	(proposed changes)	A method of using access tokens for identification of breach attempts in a client-server communication, the method comprising:
receiving, by an Application Programming Interface (API) server, an API request for client-server communication, the API request comprising a token, the token received by the API server from a client device in one or more API calls of an API session;
sending, by the API server, a token validation request for validation of the token to a token server system; and
receiving verification information corresponding to whether the token conforms to at least two token configuration parameters from the token server system, wherein the at least two 
a number of allowable access attempts using the valid token in the API session, 
a range of frequency of allowable access attempts using the valid token in the API session, and
an allowed access pattern associated with the token, wherein the allowed access pattern is determined based on historical access patterns of the valid token in previous API sessions taken over a predefined time period.

21.	(New)	The method of claim 3, further comprising, after comparing the token parameters to the at least two token configuration parameters associated with the valid token:
determining, by the token server system, that an access pattern does not comply with the allowed access pattern associated with the valid token; and 
 transmitting, by the token server system to the API server, validation information comprising a validation failure message indicating a breach attempt.

22.	(New)	The server system as claimed in claims 12, wherein the memory stores further instructions causing the processor which when executed cause the server system to perform, after comparing the token parameters to the at least two token configuration parameters associated with the valid token:
determine that an access pattern does not comply with the allowed access pattern associated with the valid token; and 
 transmit validation information to the API server, wherein the validation information comprises a validation failure message indicating a breach attempt.

Reasons for Allowance
The following is an examiner’s statement of reasons for allowance: 


Further, a second prior art of record Kil teaches C4L18-23: the security token is configured to lock itself down after a predetermined number of failed access attempts. The security token also includes an internal clock and configured to lock down after a predetermined number of failed access attempts within a predetermined period of time. C10L16-24: user provides an instruction to the application service which generates a command C and communicates C to the smart card which executes the command C and generates a response R'... The application service communicates R' to the proximity token.



Therefore, independent claim 1 and their corresponding dependent claims are allowed in light of applicant’s arguments, approved examiner’s amendments and prior arts of record. The same amendments and reasoning are applicable to independent claim(s) 10 and 20 mutatis mutandis.  Claim(s) 2, 5 – 9 and 14 – 19 is/are cancelled.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See form PTO-892 Notice of References Cited.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867.  The examiner can normally be reached on M-F: 7:45am-5pm (EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T. Arani can be reached on 5712723787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/BADRINARAYANAN /Examiner, Art Unit 2496.