Access Token
What is an access token?
Short-lived credential issued by an authorization server that a client presents to an API to access protected resources on a user's or service's behalf.
An access token represents the authorization a resource owner has granted to a client, scoped to specific permissions and audiences. In OAuth 2.0 (RFC 6749) and OpenID Connect, access tokens may be opaque — validated by calling the authorization server's introspection endpoint (RFC 7662) — or self-contained JWTs validated locally by signature. They are typically sent in the Authorization: Bearer header per RFC 6750 and must travel over TLS.
The core weakness of a plain bearer token is that possession equals authority: a token stolen from browser storage, a log, or a proxy can be replayed by anyone. This drove the rise of sender-constrained tokens. RFC 8705 binds a token to the client's TLS certificate (recording its hash in the cnf.x5t#S256 claim), and RFC 9449 (DPoP) binds the token to a client-held key pair, requiring a fresh signed proof JWT on every request so a replayed token is useless without the private key. Token-theft attacks — including the session/token replay seen in Lapsus$ and various "pass-the-token" cloud intrusions — are precisely what these mechanisms defeat.
Best practice: short lifetimes (minutes), narrow scopes, strict audience and issuer validation, rejecting the alg: none JWT trick, pairing with refresh tokens for renewal, and keeping tokens out of JavaScript-accessible storage. For high-value APIs, prefer DPoP- or mTLS-bound tokens over plain bearer tokens.
```mermaid
flowchart LR
    RO[Resource owner] -->|grants consent| AS[Authorization server]
    C[Client] -->|token request + DPoP/mTLS key| AS
    AS -->|short-lived access token<br/>scope + aud + cnf claim| C
    C -->|Bearer token + proof of possession| RS[Resource server / API]
    RS -->|validate signature/introspect<br/>check aud, exp, key binding| RS
    RS -->|allow or deny| C
```
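The resource-server checks in the diagram, as an added example that is not part of the original page: a self-contained JWT validator that enforces an algorithm allow-list (so alg: none is rejected), verifies the signature, checks iss, aud and exp, and compares the cnf.jkt claim with the RFC 7638 thumbprint of the key the caller presents, which is what makes a replayed DPoP-bound token useless. It assumes a constructed HS256 shared key, the issuer/audience URLs and the client JWK shown; it does not verify the DPoP proof JWT itself.

```python
import base64, hashlib, hmac, json, time

# Constructed for this example: the authorization server signs with HS256 using a key
# shared with the API (real deployments use asymmetric keys; the claim checks are identical).
SIGNING_KEY = b"constructed-shared-secret"
EXPECTED_ISS = "https://as.example"          # assumed issuer URL
EXPECTED_AUD = "https://api.example"         # assumed audience (this API)
CLIENT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: required members only, sorted keys, no whitespace, SHA-256."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode()).digest())

def mint_token(claims):
    """Authorization-server side: a cnf.jkt claim binds the token to the client's key."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "at+jwt"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def validate_token(token, presented_jwk=None, now=None):
    """Resource-server side: alg allow-list, signature, iss/aud/exp, then key binding."""
    now = time.time() if now is None else now
    h, p, s = token.split(".")                      # ValueError if not three segments
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":                # rejects alg "none" and any downgrade
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUD not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    jkt = claims.get("cnf", {}).get("jkt")          # sender-constrained token?
    if jkt is not None and (presented_jwk is None or jwk_thumbprint(presented_jwk) != jkt):
        raise ValueError("token bound to a different key: possible replay")
    return claims
```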
● Examples
- 01
An OAuth 2.0 access token with scope=read:invoices and exp 15 minutes in the future.
- 02
An opaque token validated through the /introspect endpoint of the authorization server.
● Frequently asked questions
What is an access token?
Short-lived credential issued by an authorization server that a client presents to an API to access protected resources on a user's or service's behalf. It belongs to the Identity & Access category of cybersecurity.
What does access token mean?
Short-lived credential issued by an authorization server that a client presents to an API to access protected resources on a user's or service's behalf.
How do you defend access tokens?
Keep lifetimes short (minutes) and scopes narrow, validate issuer and audience strictly, reject the alg: none JWT trick, renew through refresh tokens rather than long-lived access tokens, keep tokens out of JavaScript-accessible storage, send them only over TLS, and for high-value APIs bind the token to the client with DPoP (RFC 9449) or mTLS (RFC 8705) so a stolen token cannot be replayed without the client's private key.