OAuth - Access Token



An access token is a token representing an access authorization created during:

It is equivalent to a session identifier in format.

It is a string representing an access authorization to protected resources issued to the client rather than using the resource owner's credentials directly.

In this sense, it is a token that serves as a delegation-specific credential.

The client uses the access token to access the protected resources owned by a resource owner hosted by a resource server.


The access token is generally returned as a JSON document with the access token value and security properties such as scope, token type, expiration, …

   "id_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZ.... JWT",
   "scope":"openid profile email",

Pros and Cons

The access token provides an abstraction layer, replacing different authorization constructs (e.g., username and password) with a single token understood by the resource server.

This abstraction enables:

  • issuing access tokens more restrictive than the authorization grant used to obtain them,
  • removing the resource server's need to understand a wide range of authentication methods.

The access token content is usually opaque to the client.


Access tokens can have different formats, structures, and methods of utilization (e.g., cryptographic properties) based on the resource server security requirements.

An access token is a string representing an authorization issued to the client. The string is usually opaque to the client.

The token may be:


The properties denote:

  • a specific scope,
  • the duration of access (lifetime), short-lived or long-lived,
  • and other access attributes.

The token properties are granted by the resource owner, and enforced by the resource server and authorization server.

An access token may have a shorter lifetime and fewer permissions than authorized by the resource owner.
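The narrowing and enforcement described above, as an added example that is not code from this page or from any OAuth library: a toy authorization-server table issues an opaque token whose scope and lifetime are reduced, and the resource server checks both. `TokenStore`, `MAX_LIFETIME_S` and the client id are hypothetical names; the two error strings are the ones defined by the Bearer Token specification (RFC 6750).

```python
import secrets
import time

# Assumed server policy (hypothetical value): hard cap on token lifetime.
MAX_LIFETIME_S = 3600


class TokenStore:
    """Toy authorization-server token table shared with the resource server."""

    def __init__(self, now=time.time):
        self._tokens = {}  # opaque token string -> properties
        self._now = now

    def issue(self, client_id, granted_scope, requested_scope, lifetime_s):
        # The token may carry fewer permissions than the resource owner granted:
        # only scopes that were both granted and requested are kept.
        scope = set(granted_scope.split()) & set(requested_scope.split())
        if not scope:
            raise ValueError("no requested scope was granted")
        token = secrets.token_urlsafe(32)  # random string, opaque to the client
        self._tokens[token] = {
            "client_id": client_id,
            "scope": scope,
            # The lifetime is capped by server policy, whatever was asked for.
            "expires_at": self._now() + min(lifetime_s, MAX_LIFETIME_S),
        }
        return token

    def authorize(self, token, required_scope):
        """Resource-server check: token must be known, unexpired and in scope."""
        props = self._tokens.get(token)
        if props is None:
            return False, "invalid_token"
        if self._now() >= props["expires_at"]:
            del self._tokens[token]  # expired tokens are dropped on first use
            return False, "invalid_token"
        if required_scope not in props["scope"]:
            return False, "insufficient_scope"
        return True, "ok"
```

The client only ever sees the random string; every property that matters for the access decision stays on the server side.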


Access token attributes and the methods used to access protected resources are beyond the scope of the OAuth specification and are defined by companion specifications such as Bearer Token.



Access tokens are issued to third-party clients with the approval of the resource owner by the authorization server via the following endpoints:

The implementation of access tokens is beyond the scope of the OAuth specification and is defined by companion specifications such as the Bearer Token.


When an access token expires, developers can use an optional refresh token to request a new access token without having to ask the user to enter their credentials again.
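A client-side sketch of that refresh step, added here as an example and not taken from this page or from a real client library: it reads the JSON token response, tracks the expiration, and exchanges the refresh token once the access token has expired. `ClientToken`, `fake_token_endpoint`, the token values and the 30-second margin are hypothetical, and the response is assumed to include `expires_in`.

```python
import json
import time


class ClientToken:
    """Client-side holder for a token response; refreshes once expired."""

    def __init__(self, token_endpoint, response_json, now=time.time, skew_s=30):
        self._post = token_endpoint  # hypothetical callable: form dict -> JSON text
        self._now = now
        self._skew = skew_s          # assumed margin: refresh slightly early
        self.scope, self.refresh_token = "", None
        self._load(json.loads(response_json))

    def _load(self, resp):
        if "error" in resp:
            raise RuntimeError("token endpoint error: " + resp["error"])
        if resp.get("token_type", "").lower() != "bearer":
            raise ValueError("unsupported token_type")
        self.access_token = resp["access_token"]
        # A refresh response may omit scope and refresh_token: keep the old ones.
        self.scope = resp.get("scope", self.scope)
        self.refresh_token = resp.get("refresh_token", self.refresh_token)
        self.expires_at = self._now() + resp["expires_in"]

    def bearer(self):
        """Return the Authorization header value, refreshing an expired token."""
        if self._now() >= self.expires_at - self._skew:
            if self.refresh_token is None:
                raise RuntimeError("expired and no refresh token: re-authorize")
            form = {"grant_type": "refresh_token",
                    "refresh_token": self.refresh_token}
            self._load(json.loads(self._post(form)))
        return "Bearer " + self.access_token


def fake_token_endpoint(form):
    """Constructed stand-in for the authorization server's token endpoint."""
    if form != {"grant_type": "refresh_token", "refresh_token": "rt-1"}:
        return json.dumps({"error": "invalid_grant"})
    return json.dumps({"access_token": "at-2", "token_type": "Bearer",
                       "expires_in": 600})


# Constructed first token response, as obtained from the initial grant.
FIRST_RESPONSE = json.dumps({
    "access_token": "at-1", "token_type": "Bearer", "expires_in": 600,
    "refresh_token": "rt-1", "scope": "openid profile email"})
```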
