March 18, 2024

Access tokens are digital keys that verify and authenticate a user’s identity before granting them the ability to access resources in various contexts, such as application programming interfaces (APIs), web applications, and cloud services. Used as an alternative to traditional password-based systems, access tokens act as proof of authorization, enabling secure communication between clients and servers. 

Access token uses 
API access 

  • Allow applications to request tokens from an authorization server and use these tokens to access APIs  
  • Restrict access to certain API functionalities to only authorized applications, services, or users   
  • Secure API endpoints 

Cloud services 

  • Control access to resources such as databases, storage containers, and virtual machines 
  • Help cloud platforms manage access to their services  
  • Limit access to and interaction with sensitive cloud resources to authenticated and authorized entities   

Federated identity systems 

  • Enable users to access resources across different security domains or organizations 
  • Help map a user’s identity and permissions across various systems 
  • Simplify access management in multi-organization collaborations 

Internet of Things (IoT) 

  • Maintain the integrity and privacy of IoT communications
  • Restrict access and data transmission capabilities to authorized devices
  • Secure communication between IoT devices and the cloud or other devices 

Mobile applications 

  • Authenticate and authorize users without storing their credentials  

Single sign-on (SSO) systems 

  • Help maintain a user’s authenticated session across different applications 
  • Provide seamless access to multiple applications or services with one set of credentials 
  • Reduce the need for repeated logins 

Web Authentication (e.g., OAuth2 and OpenID Connect)  

  • Use in conjunction with OAuth2 and OpenID Connect protocols for user authentication and authorization  

Benefits of access tokens 
Access tokens provide several benefits beyond secure authentication and authorization, including: 

  • Granular access control
    Access tokens can be configured to limit the permissions granted to a client application to reduce unauthorized exposure of sensitive data or resources.
  • Interoperability
    Access tokens enable interoperability between different services and applications, allowing seamless integration and access to shared resources across distributed environments.
  • Revocability
    If an access token is compromised or no longer needed, it can be revoked or invalidated by the authorization server, enhancing security and control over access to resources.
  • Stateless authentication
    With bearer tokens, the resource server can independently validate the token without relying on a centralized session state.

Access token types

There are various types of access tokens used in the different contexts noted above. The choice of access token type depends on several criteria, such as security requirements, interoperability, and the specific use case of the application or service.  

Regardless of which type of access token is used, it is important to remember that they allow access to sensitive data and, thus, require the same security controls as other access methods.

Commonly used types of access tokens are as follows. 

API keys

API keys are used to identify the calling program or user and can be used to control access and track usage. 

Bearer tokens

Bearer tokens are self-contained access tokens that represent the authorization granted to the client application.

Bearer tokens do not carry any information about the user, which means that the bearer (i.e., whoever holds the token) can use it. They are often used in HTTP authentication, where the client presents the bearer token to the resource server in the Authorization header of HTTP requests to access protected resources.

JSON web tokens (JWT)

JWTs are self-contained access tokens that use JSON (JavaScript Object Notation) data structures to encode information about the authentication session and authorized scopes. They allow resource servers to verify the token’s authenticity and integrity without communicating with the authorization server. JWTs are often used in OpenID Connect for identity tokens and access tokens.

OAuth access tokens

OAuth access tokens are used in the OAuth authentication protocol to allow an application to access specific parts of a user’s data without needing their password. These tokens can be issued for various scopes and durations.

Reference tokens

Unlike JWTs or bearer tokens, reference tokens are not self-contained. They are references to token data stored on the authorization server. When a client presents a reference token to a resource server, the resource server must make a separate request to the authorization server to validate the token and retrieve the associated token data.  

While reference tokens provide additional security and control, they require more interaction between the resource server and the authorization server. 
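The introspection round trip described above, as an added example that is not part of the original article: an in-memory authorization server issues opaque reference tokens, and the resource server must ask it whether a presented token is active before granting access. Names, the audience string, and the "active" response shape are assumptions for this example; the point it shows is that revoking a reference token takes effect on the very next check, which a self-contained token cannot offer.

```python
import secrets
import time


class AuthorizationServer:
    """Constructed demo: keeps token data server-side; the token itself is just a lookup key."""

    def __init__(self):
        self._tokens = {}   # opaque token string -> stored token data

    def issue(self, sub, scope, aud, lifetime=300, now=None):
        now = int(time.time()) if now is None else now
        token = secrets.token_urlsafe(32)   # opaque: carries no claims of its own
        self._tokens[token] = {"sub": sub, "scope": scope, "aud": aud,
                               "iat": now, "exp": now + lifetime}
        return token

    def revoke(self, token):
        # Removing the record is all that is needed; no copies of the token can outlive it.
        self._tokens.pop(token, None)

    def introspect(self, token, now=None):
        now = int(time.time()) if now is None else now
        data = self._tokens.get(token)
        if data is None or now >= data["exp"]:
            return {"active": False}        # unknown, revoked or expired: reveal nothing else
        return {"active": True, **data}


def resource_server_check(auth, token, required_scope, audience, now=None):
    """Resource-server side: every request costs one introspection call to the authorization server."""
    info = auth.introspect(token, now)
    if not info.get("active"):
        return False
    if info.get("aud") != audience:         # token was minted for a different resource
        return False
    return required_scope in info.get("scope", "").split()
```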

Refresh tokens

Refresh tokens are used in conjunction with OAuth access tokens. A client can present a refresh token to obtain a new access token when the current one expires, without requiring the user to reauthenticate. Refresh tokens are used when users need continuous access to resources over extended periods.

Access token contents

Access tokens contain information necessary for the resource server to validate and authorize access to protected resources. The exact contents of an access token vary based on the authentication protocol (e.g., OAuth 2.0, OpenID Connect) and implementation but commonly include the following information. 

  • Issuer (iss): The authorization server or identity provider that issued the token
  • Subject (sub): The unique identifier of the authenticated user or entity
  • Audience (aud): The intended audience or recipient of the token (i.e., the target resource)
  • Expiration time (exp): When the token expires and should no longer be considered valid
  • Issued at (iat): The token’s creation time
  • Scope: The permissions or access rights granted to the client application (i.e., defines what actions the client can perform on behalf of the authenticated user)
  • Token type (token_type): The type of token (e.g., bearer token or refresh token)
  • Client ID: The identifier of the client that requested the token

How access tokens work

Access tokens work by associating a user’s credentials with their actions while interacting with a system. When a user logs into a system, an access token is issued, which includes details about the user’s identity and permissions, and it is attached to all the user’s actions within the system. This allows the system to verify that the user is who they claim to be and that they have permission to perform the actions they are trying to undertake. 

The access token cycle at a glance 

  1. Authorization request
    The client redirects the user to an authorization server along with the client ID, requested scope, and a redirect URI.
  2. Authentication
    The user or client application authenticates to the authorization server or identity provider.
  3. Authorization
    The authorization server validates the user’s credentials and grants access to the requested resources.   
  4. Token issuance
    An access token is issued by the authorization server to the authenticated user or client application, which includes information about the user, permissions, and other metadata necessary for accessing protected resources. 
  5. Token presentation
    The client presents the access token to the resource server.
  6. Token validation
    The resource server validates the access token to ensure its authenticity, integrity, and validity.  
  7. Resource access
    The resource server grants access to the protected resources.  
  8. Token expiration and renewal
    When an access token expires, the session ends, or the client application obtains a new access token (e.g., by using a refresh token) to continue accessing protected resources.

Access token security

Access tokens must be secured appropriately to ensure the confidentiality, integrity, and authenticity of the authentication and authorization processes they support. The following are commonly used security measures to protect access tokens.  

  • Bind access tokens to specific client devices or user sessions. 
  • Combine access tokens with additional authentication factors, such as passwords, biometrics, or hardware tokens. 
  • Configure access tokens with short lifetimes and use refresh tokens for extended use. 
  • Encrypt access tokens. 
  • Establish mechanisms for revoking access tokens. 
  • Implement logging, monitoring, and auditing mechanisms. 
  • Limit the scope of access tokens, granting just enough permissions to complete the required task. 
  • Store access tokens securely.  
  • Transmit access tokens over secure channels (e.g., HTTPS).  
  • Validate tokens by checking their signature, issuer, audience, and expiration time. 
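The claims listed under "Access token contents" and the validation step in the last bullet, worked as an added example that is not part of the original article: an authorization server issues an HS256-signed JWT carrying iss, sub, aud, iat, exp and scope, and a resource server refuses to trust any claim until the signature, algorithm, issuer, audience, expiry and scope have all been checked. The signing key, issuer URL and audience URL are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions for this example, not from the article).
SIGNING_KEY = b"demo-shared-secret"          # HS256 key shared with the resource server
ISSUER = "https://auth.example.test"
AUDIENCE = "https://api.example.test"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(sub, scope, lifetime=300, now=None):
    """Authorization-server side: build a compact HS256 JWT carrying the standard claims."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": sub, "aud": AUDIENCE,
              "iat": now, "exp": now + lifetime, "scope": scope}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)

def validate_token(token, required_scope, now=None):
    """Resource-server side: returns (ok, reason, claims); claims are only read after the signature holds."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", None
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "HS256":              # refuse alg=none and algorithm confusion
        return False, "unexpected alg", None
    expected = hmac.new(SIGNING_KEY, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        return False, "bad signature", None
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer", None
    if claims.get("aud") != AUDIENCE:
        return False, "wrong audience", None
    if now >= claims.get("exp", 0):
        return False, "expired", None
    if required_scope not in claims.get("scope", "").split():
        return False, "insufficient scope", None
    return True, "ok", claims
```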

Form follows function when selecting access token types

Using access tokens provides low-friction authentication. Access tokens are a proven security mechanism for authorization and resource delegation in distributed environments. Take time to evaluate the use cases and requirements when deciding which type of access token to use.
