What is an access token?


A token is authentication material.

An access token is a token (string) representing an access authorization.


Token-based authentication is implemented by:

They carry just enough information to either:

  • authorize the user to perform an action,
  • or allow a client to get additional information about the authorization process (to then complete it).

The concept behind using tokens is that you can authenticate to a central authority and then have permissions granted to a separate system without needing to give that system your credentials.

If the server providing the service were compromised, the credentials would still be safe, and the attacker would only have access to resources until the token expired. Hence tokens are generally short-lived.


  • Unique – tokens are specific and can be generated per use or per device
  • Revocable – tokens can be individually revoked at any time without needing to update unaffected credentials
  • Limited – tokens can be narrowly scoped to allow only the access necessary for the use case
  • Random – tokens are not subject to the dictionary or brute-force attempts that simpler passwords, which you need to remember or enter regularly, might be

Security Consideration

  • You should give tokens an expiration because technically, once a token is signed, it is valid forever unless the signing key is changed.
  • Do not send tokens over non-HTTPS connections
  • Do not add sensitive / privacy data to the payload


Don't store them in a place where a third party could have access.




| Token type | Language | Size | Signature |
|---|---|---|---|
| JSON Web Tokens (JWT) | Json | Low | public/private key |
| Simple Web Tokens (SWT) | | | Only symmetric |
| Security Assertion Markup Language Tokens (SAML) | Xml | High | public/private key |
| bearer | Generated or JWT | | |
| Hexadecimal nonce | String | | |

Access tokens:

  • have an expiration date
  • are short-lived.

This information may live:

  • inside the structure of the token
  • or in a database/map
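
The two storage options above, as an added example that is not part of the original page: a signed token that carries its expiry inside its payload, and a random opaque token whose expiry lives in a server-side map. The key, the map and every function name are assumptions made for the illustration, and HMAC-SHA256 stands in for whatever signature scheme a real token format uses.

```python
import base64, hashlib, hmac, json, secrets, time

KEY = secrets.token_bytes(32)  # constructed signing key, demo only
STORE = {}                     # the "database/map": sha256(token) -> (sub, exp)

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")

def _mac(payload):
    return _b64(hmac.new(KEY, payload, hashlib.sha256).digest())

def issue_signed(sub, ttl, now=None):
    """Expiry lives inside the token: it is part of the signed payload."""
    now = time.time() if now is None else now
    payload = _b64(json.dumps({"sub": sub, "exp": now + ttl}).encode())
    return (payload + b"." + _mac(payload)).decode()

def check_signed(token, now=None):
    now = time.time() if now is None else now
    try:
        payload, sig = token.encode().split(b".")
    except ValueError:
        return None                      # not "payload.signature"
    if not hmac.compare_digest(sig, _mac(payload)):
        return None                      # forged or altered
    pad = b"=" * (-len(payload) % 4)
    claims = json.loads(base64.urlsafe_b64decode(payload + pad))
    return claims["sub"] if now < claims["exp"] else None

def _key(token):
    return hashlib.sha256(token.encode()).hexdigest()

def issue_opaque(sub, ttl, now=None):
    """Expiry lives in the server-side map; the token is a random string."""
    now = time.time() if now is None else now
    token = secrets.token_hex(32)
    STORE[_key(token)] = (sub, now + ttl)
    return token

def check_opaque(token, now=None):
    now = time.time() if now is None else now
    sub, exp = STORE.get(_key(token), (None, 0))
    return sub if now < exp else None

def revoke_opaque(token):
    STORE.pop(_key(token), None)         # takes effect immediately
```

The signed token needs no lookup but stays valid until its `exp` passes or the key changes; the opaque token costs a lookup on each request but can be revoked individually.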
