Access Token

An access token is a security credential issued by an authorization server (the component that authenticates the user and records what was authorized) to a client application after successful authentication and authorization. The client presents it to protected resources to act on behalf of the user.

It is a compact string rather than a large document, but it can carry or reference a lot of state: who the user is, which permissions (scopes) were granted, group membership, and when the token becomes valid and expires. Depending on the issuer, the token is either self-contained (a signed JSON Web Token, JWT, whose claims a resource server can read and verify directly) or opaque (a random reference that only the issuing server can look up). Either way a single token travels from the server to the user's device and from there to the resource server with every request. Because it is a bearer credential, whoever holds it can use it until it expires or is revoked, which is why how it is stored and transmitted matters.

Components of an Access Token

When the token is a JWT, it consists of three distinct parts, separated by dots, that together let a resource server verify a user's right to access a resource (an opaque token has no such internal structure and is checked by asking the issuer). These parts are:

  • Header: This section contains metadata about the token, such as its type (typ) and the algorithm used to sign it (alg, for example HS256 or RS256). A resource server should compare the algorithm named here against its own configuration rather than follow it blindly, since the header is attacker-controlled input until the signature has been verified.

  • Payload: Also known as the claims section, this part carries the information the resource server acts on: standard claims such as the issuer (iss), subject (sub), audience (aud) and expiry (exp), the permissions that were granted, and any custom data the developer chooses to include. The payload is only Base64url-encoded, not encrypted, so everything in it is readable by the client and by anyone who intercepts the token; it is the signature, not the encoding, that protects it from modification. If the payload does not carry the permissions the requested resource requires, access is denied.

  • Signature: This part lets the resource server verify the token's authenticity and integrity. It is computed over the encoded header and payload, either as an HMAC with a secret shared between the issuer and the resource server (HS256) or as a digital signature made with the issuer's private key (RS256, ES256) that anyone holding the matching public key can check. Any change to the header or payload invalidates the signature, so a token cannot be altered or forged without the key.

Notable Examples

  • Developers can also place all sorts of custom data in the payload. For example, an access token from Google can grant access to multiple applications (APIs), with all of those grants carried in just one access token.

  • Access token types vary from site to site. Facebook, for example, offers four access token types; other sites have dozens more.

  • But however much data is included, access tokens stay compact. A JSON Web Token (JWT), for example, is three Base64url-encoded segments (header, payload, signature) joined by dots, which is what makes it easy to carry in an HTTP header.

Reference: https://www.okta.com/identity-101/access-token/

How an Access Token Works

  • Client Authentication: The client authenticates to the authorization server with its own credentials, such as a client ID and client secret (for a confidential client; a public client such as a single-page or mobile app cannot keep a secret and authenticates only the user).

  • Token Request: The client requests an access token, presenting its client credentials together with an authorization grant (for example, the authorization code obtained after the user logged in and consented).

  • Token Issuance: The authorization server validates the grant and the client, then issues an access token, normally with a short lifetime so that a leaked token is only useful briefly.

  • Storage: The client keeps the token for the duration of the session. In a browser this is commonly done in memory, in a cookie, or in session or local storage. Anything readable by page scripts (local and session storage in particular) exposes the token to cross-site scripting, so keeping it in memory or in an HttpOnly cookie is the safer choice.

  • Resource Access: The client accesses protected resources by sending the token in the HTTP Authorization header (Authorization: Bearer <token>). Every request carries the token, and every request is checked anew; there is no implicit trust carried over from an earlier call.

  • Token Validation: The resource server validates the token before processing the request. For a JWT that means verifying the signature with the expected key and algorithm and then checking the issuer, audience and expiry claims; for an opaque token it means asking the authorization server whether the token is still valid (token introspection). If any check fails, the request is rejected.

  • Deletion: When the session ends, the client discards the token. The token also stops working on its own once its expiry passes, or earlier if the issuer revokes it (which a resource server only notices if it checks with the issuer rather than trusting the signature alone).
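The following worked example ties the Components section above to the Token Validation step: it mints an HS256 JWT, splits it into its three parts, validates it the way a resource server should, and shows that a payload edited without the key, a header switched to alg=none, and an expired token are all rejected. It is added here for illustration and is not code from the original page, from Okta, or from any token library. The shared secret, issuer and audience values are constructed for the demo, the claim names are the standard JWT ones (iss, aud, sub, exp, iat) plus a scope claim, and only the Python standard library is used.

```python
"""HS256 JSON Web Token life cycle, standard library only: mint, inspect, validate, reject forgeries."""
import base64
import hashlib
import hmac
import json
import time

DEMO_SECRET = b"demo-shared-secret-do-not-use-in-production"  # constructed for the demo
ISSUER = "https://auth.example"    # assumed authorization server
AUDIENCE = "https://api.example"   # assumed resource server


def b64url_encode(raw: bytes) -> str:
    """Base64url without '=' padding, as JWS requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding Base64 needs."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def json_b64(obj: dict) -> str:
    """Compact JSON, then Base64url: how header and payload are encoded."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def mint_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Authorization-server side: header.payload.signature, HMAC-SHA256 over header.payload."""
    signing_input = json_b64({"alg": "HS256", "typ": "JWT"}) + "." + json_b64(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def split_token(token: str) -> tuple:
    """Decode the three parts. Inspection only: the payload is readable by anyone holding the token."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    return (json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64)),
            b64url_decode(sig_b64))


def validate_token(token: str, secret: bytes = DEMO_SECRET, now=None) -> dict:
    """Resource-server side: pin the algorithm, verify the signature, then check the claims.
    Returns the claims or raises ValueError with the reason."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The header's alg is attacker-controlled input; accept only what we are configured for.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def tamper_scope(token: str, new_scope: str) -> str:
    """Attacker side: edit the readable payload but keep the old signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims["scope"] = new_scope
    return f"{header_b64}.{json_b64(claims)}.{sig_b64}"


def forge_alg_none(token: str) -> str:
    """Attacker side: swap the header to alg=none and drop the signature entirely."""
    payload_b64 = token.split(".")[1]
    return json_b64({"alg": "none", "typ": "JWT"}) + "." + payload_b64 + "."


def outcome(token: str, now: float) -> str:
    """Summarise one validation attempt as 'accepted' or the rejection reason."""
    try:
        validate_token(token, now=now)
        return "accepted"
    except ValueError as err:
        return str(err)


def demo(now: float = 1_700_000_000.0) -> dict:
    """Run the whole life cycle at a fixed clock so the results are reproducible."""
    token = mint_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "user-42", "scope": "read",
                        "iat": int(now), "exp": int(now) + 600})
    header, payload, _ = split_token(token)
    return {
        "header_alg": header["alg"],
        "scope_in_payload": payload["scope"],
        "genuine": validate_token(token, now=now)["sub"],
        "tampered": outcome(tamper_scope(token, "read write admin"), now),
        "alg_none": outcome(forge_alg_none(token), now),
        "expired": outcome(token, now + 601),  # one second past exp
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the file directly to print the results of demo(). Note the order inside validate_token: the algorithm is pinned before the signature is checked, and the signature is checked before any claim is trusted, because everything in the header and payload is attacker-supplied until the signature has passed. The tampered token fails even though its payload is perfectly well-formed, which is the point of the signature part described above.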

Reference for the following section: https://www.okta.com/identity-101/access-token/

Access tokens can also be used for single sign-on (SSO): your login at one site becomes your key to another. The steps are:

  • Authorization: You agree to use your credentials from one site to enter another.

  • Connection: The first site connects to the second and asks it to authenticate you. The second site creates an access token.

  • Storage: The access token is stored in your browser.

  • Entry: The access token issued by the second site grants you entry into the first.

These SSO exchanges are deliberately short-lived: most expire within about 10 minutes, and some shut down the process after just 60 seconds.

Access tokens are a fundamental part of modern authentication systems, providing a scalable method for accessing resources on behalf of a user, and a secure one when the token is signed, short-lived, validated on every request and kept out of reach of untrusted code.
