CIAM.wiki

Access Token

An access token is a credential an application presents to an API to prove it is authorized to perform a request on a user's behalf, issued by an OAuth 2.0 authorization server and usually short-lived.

Also: access token

An access token is the credential that carries authorization in OAuth 2.0. After a user consents, the authorization server issues the token to the application, which presents it as a bearer credential on each API call (typically in the HTTP Authorization header) so the resource server knows the request is permitted and for what scope.

Access tokens are deliberately short-lived to limit the damage if one leaks. They can be opaque strings the API validates by calling the authorization server's token introspection endpoint, or JSON Web Tokens (JWTs) the API can verify locally by checking the signature, expiry, audience and scope. They carry only authorization, not proof of who the user is, which is the job of an ID token in OpenID Connect.

For CIAM, access tokens are what applications and APIs exchange after login to act for the customer, and keeping their lifetimes short with refresh tokens behind them is a core security practice.

Sources