Access Token
What is Access Token?
Access Token: Short-lived credential issued by an authorization server that a client presents to an API to access protected resources on a user's or service's behalf.
An access token represents the authorization a resource owner has granted to a client, scoped to specific permissions and audiences. In OAuth 2.0 and OpenID Connect, access tokens may be opaque (validated by introspection) or self-contained JWTs (validated locally by signature). They are typically sent in the Authorization: Bearer header and must travel over TLS. Best practice is short lifetimes (minutes), narrow scopes, audience and issuer validation, and storage outside JavaScript memory where possible. Pair with refresh tokens for renewal, and prefer sender-constrained variants such as DPoP or mTLS-bound tokens for high-value APIs.
● Examples
- 01: An OAuth 2.0 access token carrying scope=read:invoices and an exp claim 15 minutes in the future.
- 02: An opaque token validated by calling the authorization server's /introspect endpoint.
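The local validation path the definition describes for a self-contained JWT access token, as an added example that is not code from this glossary page: the resource server pins the algorithm, checks the signature, and only then checks iss, aud, exp (with bounded clock skew) and scope, rejecting on the first failure. The HS256 shared secret, the issuer and audience URLs, the scope string and the claim values are all constructed for the example; a production resource server would fetch its verification keys from the authorization server's JWKS and typically verify an asymmetric signature (RS256/ES256) instead of a shared secret, and sender-constraining (DPoP, mTLS) is not covered here.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed configuration for this example. A real resource server would load
# its verification key from the authorization server's JWKS (usually RS256/ES256
# rather than a shared HS256 secret) and take issuer/audience from its config.
SHARED_SECRET = b"example-hs256-secret-not-for-production"
EXPECTED_ISSUER = "https://auth.example.com"
EXPECTED_AUDIENCE = "https://invoices.example.com"
CLOCK_SKEW_SECONDS = 60


class TokenError(Exception):
    """Raised when a token must be rejected; the message names the failed check."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Stand-in for the authorization server: issue an HS256-signed JWT."""
    parts = [{"alg": "HS256", "typ": "JWT"}, claims]
    signing_input = ".".join(
        b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in parts
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def extract_bearer(authorization_header: str) -> str:
    """Pull the token out of an 'Authorization: Bearer <token>' header value."""
    scheme, _, credentials = authorization_header.strip().partition(" ")
    if scheme.lower() != "bearer" or not credentials.strip():
        raise TokenError("missing bearer token")
    return credentials.strip()


def validate_access_token(token: str, required_scope: str, *,
                          now: Optional[int] = None,
                          secret: bytes = SHARED_SECRET) -> dict:
    """Resource-server checks for a self-contained token: signature first, then
    issuer, audience, expiry (with bounded clock skew) and scope.
    Returns the verified claims; raises TokenError otherwise."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    except ValueError:  # covers base64, JSON and encoding errors
        raise TokenError("malformed token")

    # Pin the algorithm: the verifier decides how to verify, never the token's own alg.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected alg")

    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")

    # Only after the signature holds are the claims worth parsing and checking.
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        raise TokenError("malformed token")
    if not isinstance(claims, dict):
        raise TokenError("malformed token")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    if "exp" not in claims or now > int(claims["exp"]) + CLOCK_SKEW_SECONDS:
        raise TokenError("expired")
    if required_scope not in str(claims.get("scope", "")).split():
        raise TokenError("insufficient scope")
    return claims


def authorize(token: str, required_scope: str, now: Optional[int] = None) -> str:
    """Convenience wrapper: 'ok' when the token is accepted, else the rejection reason."""
    try:
        validate_access_token(token, required_scope, now=now)
        return "ok"
    except TokenError as exc:
        return str(exc)


if __name__ == "__main__":
    issued_at = int(time.time())
    token = mint_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                        "sub": "user-42", "iat": issued_at, "exp": issued_at + 900,
                        "scope": "read:invoices"})
    claims = validate_access_token(extract_bearer(f"Bearer {token}"), "read:invoices")
    print("accepted for subject", claims["sub"])
```

The order of checks matters: the algorithm is pinned from the verifier's configuration and the signature is verified before any claim is trusted, so a token whose header claims a different algorithm, or whose payload was altered after issuance, is rejected before its claims influence anything. The 60-second skew allowance is a deliberate trade-off between tolerating clock drift and honouring the short lifetime the definition recommends.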
● Frequently asked questions
What is Access Token?
Short-lived credential issued by an authorization server that a client presents to an API to access protected resources on a user's or service's behalf. It belongs to the Identity & Access category of cybersecurity.
What does Access Token mean?
Short-lived credential issued by an authorization server that a client presents to an API to access protected resources on a user's or service's behalf.
How does Access Token work?
An access token represents the authorization a resource owner has granted to a client, scoped to specific permissions and audiences. In OAuth 2.0 and OpenID Connect, access tokens may be opaque (validated by introspection) or self-contained JWTs (validated locally by signature). They are typically sent in the Authorization: Bearer header and must travel over TLS. Best practice is short lifetimes (minutes), narrow scopes, audience and issuer validation, and storage outside JavaScript memory where possible. Pair with refresh tokens for renewal, and prefer sender-constrained variants such as DPoP or mTLS-bound tokens for high-value APIs.
How do you protect access tokens?
Protecting access tokens combines technical controls (short lifetimes, narrow scopes, audience and issuer validation, TLS-only transport, sender-constrained variants) with operational practices, as detailed in the full definition above.
● Related terms
- identity-access № 574
JWT (JSON Web Token)
Compact, URL-safe token format (RFC 7519) that carries signed JSON claims, widely used as access tokens, ID tokens, and session containers.
- identity-access № 088
Bearer Token
An opaque or structured credential (RFC 6750) granting access to a resource simply by possession, without proof that the holder is the rightful owner.
- identity-access № 913
Refresh Token
Long-lived credential used to obtain new short-lived access tokens from an OAuth 2.0 authorization server without prompting the user to log in again.
- identity-access № 749
OAuth 2.0
An open authorization framework that lets a resource owner grant a third-party application limited, scoped access to an API without sharing credentials.
- identity-access № 760
OpenID Connect (OIDC)
An identity layer built on top of OAuth 2.0 that lets clients verify a user's identity and obtain basic profile information via signed ID tokens.
- appsec № 052
API Security
The discipline of designing, building and operating application programming interfaces so that authentication, authorization, data exposure and abuse-resistance hold up under attack.
● See also
- № 575 JWT Vulnerabilities