Access tokens are digital keys that verify and authenticate a user’s identity before granting them the ability to access resources in various contexts, such as application programming interfaces (APIs), web applications, and cloud services. Used as an alternative to traditional password-based systems, access tokens act as proof of authorization, enabling secure communication between clients and servers.
Key elements of access tokens
Access tokens contain a header, payload, and signature, which work together to verify users’ access privileges for resources. The header includes information about the token type and algorithm used to create it. Information about the user (e.g., permissions and expirations) is included in the payload. The signature contains the data necessary for the recipient to verify the authenticity of the token. Access token signatures are usually encoded (e.g., hashed) to prevent misuse or replication.
How to get access tokens
Access tokens are issued by explicit resource owner's grant or refresh token. They can be used to get access at a later date without requesting access of the user again but, for security reasons, access tokens have a limited lifetime. Once an access token has expired, it can no longer be used.
Where to find an access token
Any user logged onto a system or application has an access token that is created when they initiate their session and log on to the service. Each process executed as part of a user’s session has a copy of the token, which contains a logon secure identifier or SID to identify the current session.
Access and refresh tokens can be stored in server-side sessions, making them available for requests that originate from server-side code. This is referred to as a backend for frontend (BFF) proxy. Applications can use dedicated APIs to store access tokens, keep them in memory, or store them in cookies.
Access token uses
API access
- Allow applications to request tokens from an authorization server and use these tokens to access APIs
- Restrict access to certain API functionalities to only authorized applications, services, or users
- Secure API endpoints
Cloud services
- Control access to resources such as databases, storage containers, and virtual machines
- Help cloud platforms manage access to their services
- Limit access to and interaction with sensitive cloud resources to authenticated and authorized entities
Federated identity systems
- Enable users to access resources across different security domains or organizations
- Help map a user’s identity and permissions across various systems
- Simplify access management in multi-organization collaborations
Internet of Things (IoT)
- Maintain the integrity and privacy of IoT communications
- Restrict access and data transmission capabilities to authorized devices
- Secure communication between IoT devices and the cloud or other devices
Mobile applications
- Authenticate and authorize users without storing their credentials
Single sign-on (SSO) systems
- Help maintain a user’s authenticated session across different applications
- Provide seamless access to multiple applications or services with one set of credentials
- Reduce the need for repeated logins
Web Authentication (e.g., OAuth2 and OpenID Connect)
- Use in conjunction with OAuth2 and OpenID Connect protocols for user authentication and authorization
Importance of access tokens
Access tokens are important because they help protect digital resources from unauthorized access. Among the benefits that demonstrate this importance are the following.
Better security
Access tokens are a more secure alternative to passwords because they are harder to steal or overcome. Additionally, because access tokens are typically stateless, the server does not need to store user session information.
Compliance
Tokens can setup to include metadata about consent and usage. This information can be used to help organizations meet compliance requirements by providing a clear and auditable way to manage and restrict access to sensitive resources.
Delegated access
Access tokens can be used to allow third-party applications to perform actions on behalf of a user without needing to expose the user's credentials. Examples include enabling logins using social media accounts or integrating with third-party services.
Efficiency
Access tokens reduce cryptography overhead because only one signature needs to be built to obtain the token.
Granular access control
Access tokens can be configured to limit the permissions granted to a client application to reduce unauthorized exposure of sensitive data or resources.
Interoperability
Access tokens enable interoperability between different services and applications, allowing seamless integration and access to shared resources across distributed environments. For example, in an API ecosystem, one service can request an access token to interact with another service on behalf of a user without needing to share credentials.
Reduced attack surface
Access tokens can be programmed to be short-lived, which reduces the potential and impact of a compromise by reducing the window of opportunity for misuse.
Revocability
If an access token is compromised or no longer needed, it can be revoked or invalidated by the authorization server, enhancing security and control over access to resources.
Scalability
Access tokens enable systems to scale more efficiently because they eliminate the need for the server to maintain session state. This is particularly beneficial in distributed systems or microservices architectures where services can independently verify tokens without relying on a central session store.
Streamlined development
Access tokens simplify the process of managing user sessions and permissions across various parts of an application. Because they can easily be passed in headers or query parameters, developers can use them for many different use cases to provide secure access with minimal overhead.
Access token types
There are various types of access tokens used in the different contexts noted above. The choice of access token type depends on several criteria, such as security requirements, interoperability, and the specific use case of the application or service.
Regardless of which type of access token is used, it is important to remember that they allow access to sensitive data and, thus, require the same security controls as other access methods.
Commonly used types of access tokens are as follows.
API keys
API keys are used to identify the calling program or user and can be used to control access and track usage.
Bearer tokens
A type of access token, bearer tokens are self-contained and represent the authorization granted to the client application.
Bearer tokens do not contain any information about the user. This means that the bearer (i.e., whoever has this token) can use it. They are often used in HTTP authentication, where the bearer tokens are presented by the client to the resource server in the authorization header of HTTP requests to access protected resources.
JSON web tokens (JWT)
JWTs are a type of access token that is self-contained and uses JSON- (JavaScript Object Notation) based data structures to encode information about the authentication session and authorized scopes. They allow resource servers to verify their authenticity and integrity without needing to communicate with the authorization server. JWTs are often used in OpenID Connect for identity tokens and access tokens.
OAuth access tokens
OAuth access tokens are used in the OAuth authentication protocol to allow an application to access specific parts of a user’s data without needing their password. These tokens have the flexibility to be issued for various scopes and durations.
Reference tokens
Unlike JWTs or bearer tokens, reference tokens are not self-contained. They are references to token data stored on the authorization server. When a client presents a reference token to a resource server, the resource server must make a separate request to the authorization server to validate the token and retrieve the associated token data.
While reference tokens provide additional security and control, they require more interaction between the resource server and the authorization server.
Refresh tokens
Refresh tokens are used in conjunction with OAuth access tokens. A client can present users with a refresh token when the other ones expire without requiring reauthentication. Refresh tokens are used when users need continuous access to resources over extended periods.
Access token contents
Access tokens contain information necessary for the resource server to validate and authorize access to protected resources. The exact contents of an access token vary based on the authentication protocol (e.g., OAuth 2.0, OpenID Connect) and implementation but commonly include the following information.
How access tokens work
Access tokens work by associating a user’s credentials with their actions while interacting with a system. When a user logs into a system, an access token is issued, which includes details about the user’s identity and permissions, and it is attached to all the user’s actions within the system. This allows the system to verify that the user is who they claim to be and that they have permission to perform the actions they are trying to undertake.
The access token cycle at a glance
- Authorization request
The client redirects the user to an authorization server along with the client ID, requested scope, and a redirect URI. - Authentication
The user or client application authenticate themselves to the authorization server or identity provider. - Authorization
The authorization server validates the user’s credentials and grants access to the requested resources. - Access token issuance
An access token is issued by the authorization server to the authenticated user or client application, which includes information about the user, permissions, and other metadata necessary for accessing protected resources. - Access token presentation
The access token to the resource server. - Access token validation
The resource server validates the access token to ensure its authenticity, integrity, and validity. - Resource access
The resource server grants access to the protected resources. - Access token expiration and renewal
When an access token expires, the session ends, or the client application obtains a new access token (e.g., refresh token) to continue accessing protected resources.
Revocation of access tokens
A powerful security feature of access tokens is the ability to revoke them before their expiration date. Scenarios when an access token would need to be revoked are if a token has been compromised, a user logs out, or if users’ permissions or roles have changed.
Tokens can be revoked in several ways. OAuth 2.0 specifies a revocation endpoint that allows clients to notify the authorization server to invalidate a token. Some systems use token blacklisting, where revoked tokens are added to a blacklist that is checked during each request.
Users can often revoke their own tokens, especially in applications that provide a way to view and manage active sessions. For example, many web services allow users to log out from all devices, which revokes all active tokens. In environments using API gateways, the gateway can enforce token revocation by checking with the authentication service or using a revocation list to ensure that the token is still valid.
Regardless of how it is done, when an access token is revoked, access to resources is immediately stopped. Some systems maintain a centralized list of revoked tokens, which is checked during each request. This list is used to determine whether an access token has been revoked and should be denied access.
Access token security
Access tokens must be secured appropriately to ensure the confidentiality, integrity, and authenticity of the authentication and authorization processes they support. The following are commonly used security measures to protect access tokens:
- Bind access tokens to specific client devices or user sessions.
- Combine access tokens with additional authentication factors, such as passwords, biometrics, or hardware tokens.
- Configure access tokens with short lifetimes and use refresh tokens for extended use.
- Encrypt access tokens.
- Establish mechanisms for revoking access tokens.
- Implement logging, monitoring, and auditing mechanisms.
- Limit the scope of access tokens, granting just enough permissions to complete the required task.
- Store access tokens securely.
- Transmit access tokens over secure channels (e.g., HTTPS).
- Validate tokens by checking their signature, issuer, audience, and expiration time.
Examples of access tokens in use
The following are several common examples of how access tokens are used.
API access
Access tokens are often used to authenticate requests when interacting with RESTful APIs. An example is when a mobile app needs to fetch user data from a backend service. The app includes an access token in the request headers to prove that the request is from an authenticated user.
Cloud services
In cloud environments (e.g., AWS, Azure, and GCP) access tokens can be used to grant temporary credentials to services or applications. For example, in AWS an EC2 instance can use access token that allows it to interact with S3 buckets.
Secure API calls
An example of how secure API calls are used is with mobile apps. These applications often use access tokens to securely communicate with backend services, ensuring that only authenticated users can perform actions, such as retrieving or updating their data.
Session management
JWTs (JSON Web Tokens) can be used to manage sessions in web applications. After logging in, a user is sent a JWT, which is stored on the client-side (e.g., in local storage or a cookie) and sent with each request to verify the user's identity.
Single sign-on (SSO)
In enterprise environments, SSO systems can issue access tokens to enable users to log in once and access multiple applications without needing to authenticate separately for each one.
Third-party services access
Social and other accounts (e.g., Google or Facebook) can be used to log in to a third-party application. In this case, the application receives an access token that allows it to interact with those services on the user’s behalf without requiring them to enter their credentials.
Transaction authentication
Payment gateways often use access tokens to authenticate API requests related to processing payments to ensure that only authorized transactions are executed.
Form follows function when selecting access token types
Using access tokens provides a low-friction authentication. Access tokens are a proven security mechanism for authorization and resource delegation in distributed environments. Take time to evaluate the use cases and requirements when making decisions about which type of access token to use.
