Glossary: Access Token
An access token is a security credential in OAuth 2 that acts as proof that an application has been authorized to access an API. It is typically issued to an application by the authorization server after the application's end user has successfully authenticated (logged in).
Tokens typically contain claims, which are information about the token and the end user. In an access token, claims contain information about:
- The token itself, such as the URL for the authorization server that issued the token, the client ID of the token’s audience (the application for which the token is to be used), the date and time when the token expires, etc.
- The scopes, which specify the resources that the holder is authorized to access and the type of access granted (for example, read or read/write).
Access tokens are usually bearer tokens, which means that anyone who possesses an access token can use it to access the resources it’s associated with.
For security reasons, access tokens usually have a limited lifetime. Once past its expiration date and time, the token is invalid and can no longer be used to access the associated resources. To continue accessing those resources, the application must acquire a new access token (see Refresh Token for details).
In OIDC, authorization and authentication are often performed in the same workflow. When an application requests authorization from an authorization server for the first time in a session, the end user logs in and, if authenticated, the authorization server provides the application with both an ID token and an access token.
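As an added example that is not part of this glossary, the following shows how a resource server would check the claims described above before honouring a bearer token. It assumes a JWT-formatted token signed with HS256 and the conventional claim names iss, aud, exp and scope; the glossary itself does not prescribe a token format, and the key and claim values are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

def _b64url_decode(data: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_hs256_token(claims: dict, key: bytes) -> str:
    """Build a constructed sample access token (HS256) so the check below runs offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def validate_access_token(token: str, key: bytes, issuer: str, audience: str,
                          required_scope: str, now=None) -> tuple:
    """Return (accepted, reason). Each check maps to a claim named in the glossary entry."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return False, "malformed token"
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the one the token names
        return False, "unexpected alg"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"  # claims are untrusted until the issuer's signature checks out
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:  # token must come from the authorization server we trust
        return False, "wrong issuer"
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):  # token must be meant for this API
        return False, "token not intended for this API"
    if now >= claims.get("exp", 0):  # expired: the client has to obtain a new token
        return False, "token expired"
    if required_scope not in claims.get("scope", "").split():  # scope decides what access was granted
        return False, "insufficient scope"
    return True, "ok"
```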