DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-20 are pending.
The claim objections have been withdrawn in view of the claim amendment. 

Response to Arguments
Applicant's arguments filed 05/31/22 have been fully considered. 
In response to Applicant’s argument regarding the 101 rejection (pages 8-12 of Remarks), Examiner acknowledged Applicant’s perspective but respectfully disagreed for the following reasons.
Regarding Applicant’s argument that claim 5 is different from the examples provided in the 2019 Revised Guidance, Examiner acknowledged Applicant’s point of view but these provided examples are not exhaustive and are only some of the examples under the grouping of certain methods of organizing human activity.  According to the 2019 Revised Guidance, managing personal behavior or relationships or interactions between people (including social activities, teaching, and following rules or instructions) falls under certain methods of organizing human activity.  The limitations of “obtain, during the future interval of time, a second request including the access key and proof of successful completion of a second authentication”, “analyze the access key to determine that the first request and the second request are from a same requestor”, and “verify the proof of successful completion of the second authentication based at least in part on difference between the proof of completion of the second authentication and the proof of successful completion of the first authentication” still belong to managing personal behavior or relationships or interactions between people (including social activities, teaching, and following rules or instructions).  Note that following access control rules also belongs to this category.
In addition, claim 5 as a whole does not recite additional limitations that would integrate the judicial exception into a practical application.  The additional element of “one or more processors” and “memory” are recited at a high-level of generality and generic computer components such that they amount to no more than mere instructions to apply the exception using a generic computer system. Mere instructions to apply an exception using a generic computer cannot provide an inventive concept.  Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea.  Although the purpose of the invention as disclosed in the specification is to acheive certain improvements, they are not clearly reflected in the claim.  The actual scope and steps in the claim do not necessarily result in such improvements.  Applicant can further clarify by tying the steps in claims 5 and 13 to the entities (i.e. client, authorization server, resource server, etc.) as disclosed in the specification and the drawings to integrate the judicial exception into a practical application. Claim 13 is also not allowable at least for the reasons discussed above with respect to claim 5.

In response to Applicant’s argument regarding the 102 and 103 rejections of claims 13-20 (pages 12-13 and 15 of Remarks), Examiner acknowledged Applicant’s perspective but these arguments are moot in view of the new grounds of rejection presented below in view of newly found prior arts.
In response to Applicant’s argument regarding the 102 and 103 rejections of claims 5-11 (pages 13-15 of Remarks), Examiner acknowledged Applicant’s perspective and these rejections have been withdrawn upon further consideration.

Claim Objections
Claim 5 is objected to because of the following informalities:  
“the proof of completion” in line 11 of claim 5 should read “the proof of successful completion”.
Appropriate correction is required.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claim 5 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.  Claim 5 recites obtain a first request for access at a interval of time in the future, the first request including proof of successful completion of a first authentication; provide, in response to the first request, an access key; obtain, during the future interval of time, a second request including the access key and proof of successful completion of a second authentication; verify the proof of successful completion of the second authentication based at least in part on difference between the proof of completion of the second authentication and the proof of successful completion of the first authentication; analyze the access key to determine that the first request and the second request are from a same requestor; and allow the second request to be fulfilled.
The claim recites a method of organizing human activity.  The claimed invention is a method that provides an access key in response to obtaining a first request for a subsequent access that includes a proof of successful completion of a first authentication and allows a subsequent second request to be fulfilled upon verifying a proof of completion of a second authentication based on a difference between the proofs of successful completion of first and second authentications and determining the two requests are from a same requestor based on analyzing the access key which is a method of managing interactions between people.  Thus, the claim recites an abstract idea.
This judicial exception is not integrated into a practical application because the claim does not recite additional elements that integrate the judicial exception into a practical application.  
Claim 5 recites the additional elements of one or more processors and memory that stores computer-executable instructions that, as a result of being executed by the one or more processors, cause the system to perform the steps. However, the “one or more processors” and “memory” are recited at a high-level of generality and generic computer components such that they amount to no more than mere instructions to apply the exception using a generic computer system. Mere instructions to apply an exception using a generic computer cannot provide an inventive concept.  Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. 
Considering the claim as a whole, looking at the elements individually and in an ordered combination, does not integrate the abstract idea into a practical application using the considerations set forth above.
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception.  As discussed above with respect to integration of the abstract idea into a practical application, the additional element of “one or more processors” and “memory” are recited at a high-level of generality and generic computer components such that they amount to no more than mere instructions to apply the exception using a generic computer system. Mere instructions to apply an exception using a generic computer cannot provide an inventive concept.  Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. 
There are no well-understood, routine, and conventional additional elements recited in the claim.
	Thus, the claimed elements, either individually, or in the ordered combination do not add significantly more to the abstract idea.
Dependent claims 6 and 9 further clarify the concept recited in claim 5 however this clarification still falls under the concept recited in claim 5 and does not amount to significantly more than the judicial exception.  Dependent claim 9 recites an additional element of a second computer system however it is recited at a high-level of generality and generic computer components such that they amount to no more than mere instructions to apply the exception using a generic computer system. Mere instructions to apply an exception using a generic computer cannot provide an inventive concept.  Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. 
Claim 13 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.  Claim 13 recites transmit a first request indicating an intent to access protected information, where the first request includes a first token indicating authorization to access the protected information; receive an acknowledgement to access the protected information during a future interval of time; in response to the acknowledgement, obtain a second token different from the first token and transmit a second request to access the information during the future interval time, the second request including the acknowledgement, the first token and the second token.
The claim recites a method of organizing human activity.  The claimed invention is a method that receives an acknowledgement to subsequently access protected information upon transmitting a first request indicating an intent to access and transmits a subsequent second request including the acknowledgement, the first token and the second token to access the protected information which is a method of managing interactions between people.  Thus, the claim recites an abstract idea.
This judicial exception is not integrated into a practical application because the claim does not recite additional elements that integrate the judicial exception into a practical application.  
Claim 13 recites the additional elements of a non-transitory computer-readable storage medium storing thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to perform the steps. However, the “one or more processors” and “a non-transitory computer-readable storage medium” are recited at a high-level of generality and generic computer components such that they amount to no more than mere instructions to apply the exception using a generic computer system. Mere instructions to apply an exception using a generic computer cannot provide an inventive concept.  Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. 
Dependent claims 15-20 further clarify the concept recited in claim 13 however this clarification still falls under the concept recited in claim 13 and does not amount to significantly more than the judicial exception.  

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 13, 15, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Kitchen (US 9961066) in view of Williams (US 20030005118).

Claim 13, Kitchen discloses A non-transitory computer-readable storage medium storing thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least: 
transmit a first request indicating an intent to access protected information, where the first request includes a first token indicating authorization to access the protected information; (e.g. col. 2, ll. 56-59, col. 16, ll. 23-26:  a second request for the resource is received from the client device. The second request includes the first cryptographic token…the proxy server 120 receives as a result of the refresh instruction a second request for the resource from the client device 110. The second request includes the first cryptographic token)
receive an acknowledgement to access the protected information during a future interval of time; and (e.g. col. 2, ll. 65-col. 3, ll. 1, col. 16, ll. 44-48: transmitting a second response including the refresh instruction, a second refresh time, and a second cryptographic token that is not valid until a second predetermined time is reached…the proxy server 120 transmits at operation a second response including the refresh instruction, a second refresh time, and a second cryptographic token that is not valid until a second predetermined time is reached)
in response to the acknowledgement, obtain a second token different from the first token. transmit a second request to access the protected information during the future interval of time, the second request including the acknowledgement and the second token. (e.g. col. 3, ll. 10-13, col. 12, ll. 35-37, col. 17, ll. 7-12: receiving a third request for the resource from the client device, wherein the third request includes at least one of the first cryptographic token and the second cryptographic token...the proxy server 120 receives a third request for the resource from the client device 110 as a result of the second response. The third request includes at least one of the first cryptographic token and the second cryptographic token, depending on which one was last transmitted to the client device 110)
Although Kitchen discloses transmit a second request to access the protected information during the future interval of time, the second request including the acknowledgement and the second token (see above), Kitchen does not appear to explicitly disclose but Williams discloses the second request including the first token (e.g. fig. 3D, ¶72: client sends service request with domain token and service token to protected server).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Williams into the invention of Kitchen for the purpose of making it harder for an unauthorized party illegally obtaining one token to gain access to the protected resource thereby increasing the security of the system.

Claim 15, Kitchen-Williams discloses The non-transitory computer-readable storage medium of claim 13, wherein the acknowledgement includes a client identifier, a resource identifier, or one or more timestamps. (Kitchen, e.g. col. 2, ll. 65-col. 3, ll. 1, e.g. col. 12, ll. 35-37, col. 16, ll. 44-48)

Claim 18, Kitchen-Williams discloses The non-transitory computer-readable storage medium of claim 13, wherein the instructions further include instructions that cause the computer system to obtain the protected information from a resource server. (Kitchen, e.g. col. 3, ll. 10-19)

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Kitchen (US 9961066) in view of Williams (US 20030005118) and further in view of Shin (US 20210112407).

Claim 14, Kitchen-Williams discloses The non-transitory computer-readable storage medium of claim 13, wherein the acknowledgement includes an access key (Kitchen, e.g. col. 12, ll. 35-37) and does not appear to explicitly disclose but Shin discloses that is encrypted by a resource server (e.g. ¶24).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Shin into the invention of Kitchen-Williams for the purpose of preventing unauthorized access to the data.

Claims 16-17 are rejected under 35 U.S.C. 103 as being unpatentable over Kitchen (US 9961066) in view of Williams (US 20030005118) and further in view of Kishimoto (US 20200076791).

Claim 16, Kitchen-Williams discloses The non-transitory computer-readable storage medium of claim 13, (see above) and does not appear to explicitly disclose but Kishimoto discloses wherein the future interval of time is indicated by at least a pair of timestamps indicating a time window during which the protected information can be obtained by transmitting the second request. (Kishimoto, e.g. Table 1, ¶40)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Kishimoto into the invention of Kitchen-Williams for the purpose of indicating date/time when the token becomes valid and when the token expires thereby specifying the validity of the token (Kishimoto, ¶40).

Claim 17, Kitchen-Williams-Kishimoto discloses The non-transitory computer-readable storage medium of claim 16, wherein the instructions that cause the computer system to transmit the second request further include instructions that cause the computer system to include the pair of timestamps in the second request. (Kishimoto, e.g. Table 1, ¶40, 59).  Same motivation as in claim 16 would apply.

Claim 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Kitchen (US 9961066) in view of Williams (US 20030005118) and further in view of Machani (US 9819672).

Claim 19, Kitchen-Williams discloses The non-transitory computer-readable storage medium of claim 13, wherein the first token is obtained as a result of transmitting to an authorization server. (Kitchen, e.g. col. 2, ll. 48-53)
Although Kitchen-Willliams discloses transmitting to an authorization server (see above), the combination does not appear to explicitly disclose but Machani discloses transmitting a refresh token (e.g. col. 5, ll. 4-11).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Kishimoto into the invention of Kitchen-Williams for the purpose of obtaining a new access token from an authorization server when the access token becomes invalid or expires (Machina, col. 5, ll. 6-9).

Claim 20, Kitchen-Williams-Machani discloses The non-transitory computer-readable storage medium of claim 19, wherein the first request is an Application Programming Interface (API) request. (Kitchen, e.g. col. 3, ll. 33-36)

Allowable Subject Matter
Claims 1-4 are allowed.
The following is an examiner’s statement of reasons for allowance:
None of the prior art of record discloses, individually or in a reasonable combination, the following combination of limitations as recited in independent claim 1: “receiving a first request that indicates an intent to access a resource, the first request including a first bearer token”, “generating an access key to access including information that indicates an interval of time during which the access key is valid and the first bearer token”, “encrypting the access key to obtain an encrypted key”, “providing the encrypted key in response to the first request”, “receiving a second request to access the resource, the second request identifying the resource and comprising the encrypted key and a second bearer token”, “decrypting the encrypted key to result in a decrypted key;”, and “verifying that the second request is received within the interval of time, that the second bearer token indicates authorization to fulfill the second request and that the first bearer token and second bearer token are different” in combination with other limitations as a whole and in the context recited in the claim.
	Dependent claims are allowed as they depend from allowable independent claim.
Claims 7-8 and 10-12 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 

US 20040236938 discloses the server authenticates the user for the first application based on a userID and password of the user, and the server returns a token of the authentication to the client computer. The client computer uses the token to request a first function performed by the first application. The user subsequently requests a second function performed by the second application. In response, the client computer determines that the user has not yet been authenticated for the second application and sends a request to the server for an authentication ticket for using the second application. In response to the request for the authentication ticket, the server checks the authentication token. If valid, the server returns an authentication ticket to the client computer. The client computer requests the second function to the server. The client computer request for the second function includes the authentication ticket. The server determines that the authentication ticket supplied with the client request is valid before the second application performs the second function.

US 20090300744 discloses the user may submit his or her user credentials (e.g., username and password), which is typical. In an alternative scenario, the user device may also submit a device certificate (or device ID and device password), thereby providing two factors for authentication…when the account authority service receives the credentials from the user device, it authenticates them and, if the credentials satisfy the secure server's security requirements (as determined in a decision operation 314), the account authority service sends a security token to the user device in an operation 320…The user device receives the security token in receiving operation 322 and forwards it to the secure server in a sending operation 324. In a granting operation 326, the secure server interrogates the security token to determine a level of privilege to authorize for the user/device, based on the authentication performed by the account authority service. In one implementation, the secure server interrogates the security token to determine whether both user credentials and device credentials were included in the authentication with the account authority service. If so, the secure server can allow a higher level of privilege to the user via the user device. Otherwise, the secure server can allow a lower level of privilege to the user or allow not access at all.

US 20190007214 discloses the method involves generating (205) first token value that includes a hash value generated by hashing secret key and first set of other values using hash algorithm. The first token value is included (210) in a first cookie. The first cookie is sent to a client device. The first cookie does not include the secret key. A first request for an action to be performed on a first resource that is hosted at an origin server is received (215) from the client device. A second set of one or more other values is determined using the first request. A fourth token value is generated by hashing the secret key and the second set of one or more other values using the hash algorithm. The determination is made that the second token value, the third token value, and the generated fourth token value are equivalent. The first request is sent to the origin server responsive to the determining that the second token value, the third token value, and the generated fourth token value are equivalent.

Applicant’s amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRONG NGUYEN whose telephone number is (571)270-7312.  The examiner can normally be reached on Monday through Thursday 9:30 AM - 5:00 PM EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, GELAGAY SHEWAYE can be reached on (571)272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/TRONG H NGUYEN/Primary Examiner, Art Unit 2436