A method for regulating access to a protected resource is disclosed. The method includes: receiving, from a client application executing on a first device, a first signal including a request to obtain an access token for accessing a protected resource, the request including: a client identifier uniquely identifying the client application; a user identifier uniquely identifying an end user of the client application; and a public key associated with the end user; in response to validating the request, transmitting, to the client application on the first device, a second signal including an access token for accessing the protected resource; receiving, from a web server associated with the protected resource, a third signal including a request to validate a bearer token submitted by the client application to the web server, the bearer token including a digital signature; validating the bearer token, the validating including verifying the digital signature using the public key; and in response to validating the bearer token, sending to the web server a fourth signal including a notification that the bearer token is valid.