Article

Access token

Security
Time to read: 7 minutes

Access tokens are digital keys that verify and authenticate a user’s identity before granting them the ability to access resources in various contexts, such as application programming interfaces (APIs), web applications, and cloud services. Used as an alternative to traditional password-based systems, access tokens act as proof of authorization, enabling secure communication between clients and servers.

Access token uses
API access

  1. Allow applications to request tokens from an authorization server and use these tokens to access APIs
  2. Restrict access to certain API functionalities to only authorized applications, services, or users
  3. Secure API endpoints

Cloud services

  1. Control access to resources such as databases, storage containers, and virtual machines
  2. Help cloud platforms manage access to their services
  3. Limit access to and interaction with sensitive cloud resources to authenticated and authorized entities

Federated identity systems

  1. Enable users to access resources across different security domains or organizations
  2. Help map a user’s identity and permissions across various systems
  3. Simplify access management in multi-organization collaborations

Internet of Things (IoT)

  1. Maintain the integrity and privacy of IoT communications
  2. Restrict access and data transmission capabilities to authorized devices
  3. Secure communication between IoT devices and the cloud or other devices

Mobile applications

  1. Authenticate and authorize users without storing their credentials

Single sign-on (SSO) systems

  1. Help maintain a user’s authenticated session across different applications
  2. Provide seamless access to multiple applications or services with one set of credentials
  3. Reduce the need for repeated logins

Web Authentication (e.g., OAuth2 and OpenID Connect)

  1. Use in conjunction with OAuth2 and OpenID Connect protocols for user authentication and authorization

Benefits of access tokens
Access tokens provide several benefits beyond secure authentication and authorization, including:

  1. Granular access control
    Access tokens can be configured to limit the permissions granted to a client application to reduce unauthorized exposure of sensitive data or resources.
  2. Interoperability
    Access tokens enable interoperability between different services and applications, allowing seamless integration and access to shared resources across distributed environments.
  3. Revocability
    If an access token is compromised or no longer needed, it can be revoked or invalidated by the authorization server, enhancing security and control over access to resources.
  4. Stateless Authentication
    With bearer tokens, the resource server can independently validate the token without relying on a centralized session state.

Access token types

There are various types of access tokens used in the different contexts noted above. The choice of access token type depends on several criteria, such as security requirements, interoperability, and the specific use case of the application or service.

Regardless of which type of access token is used, it is important to remember that they allow access to sensitive data and, thus, require the same security controls as other access methods.

Commonly used types of access tokens are as follows.

API keys

API keys are used to identify the calling program or user and can be used to control access and track usage.

Bearer tokens

A type of access token, bearer tokens are self-contained and represent the authorization granted to the client application.

Bearer tokens do not contain any information about the user. This means that the bearer (i.e., whoever has this token) can use it. They are often used in HTTP authentication, where the bearer tokens are presented by the client to the resource server in the authorization header of HTTP requests to access protected resources.

JSON web tokens (JWT)

JWTs are a type of access token that is self-contained and uses JSON (JavaScript Object Notation)-based data structures to encode information about the authentication session and authorized scopes. They allow resource servers to verify their authenticity and integrity without needing to communicate with the authorization server. JWTs are often used in OpenID Connect for identity tokens and access tokens.

OAuth access tokens

OAuth access tokens are used in the OAuth authentication protocol to allow an application to access specific parts of a user’s data without needing their password. These tokens have the flexibility to be issued for various scopes and durations.

Reference tokens

Unlike JWTs or bearer tokens, reference tokens are not self-contained. They are references to token data stored on the authorization server. When a client presents a reference token to a resource server, the resource server must make a separate request to the authorization server to validate the token and retrieve the associated token data.

While reference tokens provide additional security and control, they require more interaction between the resource server and the authorization server.

Refresh tokens

Refresh tokens are used in conjunction with OAuth access tokens. A client can present users with a refresh token when the other ones expire without requiring reauthentication. Refresh tokens are used when users need continuous access to resources over extended periods.

Access token contents

Access tokens contain information necessary for the resource server to validate and authorize access to protected resources. The exact contents of an access token vary based on the authentication protocol (e.g., OAuth 2.0, OpenID Connect) and implementation but commonly include the following information.

How access tokens work

Access tokens work by associating a user’s credentials with their actions while interacting with a system. When a user logs into a system, an access token is issued, which includes details about the user’s identity and permissions, and it is attached to all the user’s actions within the system. This allows the system to verify that the user is who they claim to be and that they have permission to perform the actions they are trying to undertake.

The access token cycle at a glance

  1. Authorization request
    The client redirects the user to an authorization server along with the client ID, requested scope, and a redirect URI.
  2. Authentication
    The user or client application authenticate themselves to the authorization server or identity provider.
  3. Authorization
    The authorization server validates the user’s credentials and grants access to the requested resources.
  4. Token issuance
    An access token is issued by the authorization server to the authenticated user or client application, which includes information about the user, permissions, and other metadata necessary for accessing protected resources.
  5. Token presentation
    The access token to the resource server.
  6. Token validation
    The resource server validates the access token to ensure its authenticity, integrity, and validity.
  7. Resource access
    The resource server grants access to the protected resources.
  8. Token expiration and renewal
    When an access token expires, the session ends, or the client application obtains a new access token (e.g., refresh token) to continue accessing protected resources.

Access token security

Access tokens must be secured appropriately to ensure the confidentiality, integrity, and authenticity of the authentication and authorization processes they support. The following are commonly used security measures to protect access tokens.

  1. Bind access tokens to specific client devices or user sessions.
  2. Combine access tokens with additional authentication factors, such as passwords, biometrics, or hardware tokens.
  3. Configure access tokens with short lifetimes and use refresh tokens for extended use.
  4. Encrypt access tokens.
  5. Establish mechanisms for revoking access tokens.
  6. Implement logging, monitoring, and auditing mechanisms.
  7. Limit the scope of access tokens, granting just enough permissions to complete the required task.
  8. Store access tokens securely.
  9. Transmit access tokens over secure channels (e.g., HTTPS).
  10. Validate tokens by checking their signature, issuer, audience, and expiration time.

Form follows function when selecting access token types

Using access tokens provides a low-friction authentication. Access tokens are a proven security mechanism for authorization and resource delegation in distributed environments. Take time to evaluate the use cases and requirements when making decisions about which type of access token to use.

Unleash the power of unified identity security

Mitigate cyber risk across the spectrum of access

Resource Card

Moving from identity governance to identity security

Learn how AI-driven insights and automation can help mitigate identity threats and move from identity governance to identity security.

Resource Card

EQUINIX shares making the case for identity security

EQUINIX shares the journey from assessment to executive presentation when making the case for identity security.

Resource Card

Labcorp’s modernization journey: ensuring stakeholder engagement

Labcorp’s journey to modernize with migration phases, IAM maturity assessment, setting benchmarks, and adoption strategy.

Get started

See what SailPoint identity security can do for your organization

Discover how our solutions enable modern enterprises today to meet the challenge of ensuring secure access to resources without compromising productivity or innovation.

Request a demoContact us