Access Token

An access token is a short-lived credential issued by an OAuth 2.0 authorization server that a client presents to a resource server (API) to prove it has been authorized to act on behalf of a user or workload, within a specific scope.

Last reviewed 5/30/2026

Key points

  • Access tokens are typically JWTs but can be opaque (introspected via RFC 7662).
  • Short-lived by design — minutes to a single-digit hour. Long-lived access tokens are an anti-pattern.
  • Bearer semantics: whoever holds the token can use it. Bind them to clients with DPoP or mTLS for sensitive APIs.
  • Scopes (read:invoices, write:profile) limit what an access token can do — request the minimum your app needs.
  • Pair with refresh tokens to renew without re-prompting the user; pair with token introspection or short TTLs for revocability.

What is an access token?

An access token is the credential an OAuth 2.0 client presents to an API to prove it's been authorized to act. It's the answer to "what can this caller do, and for whom, right now?"

Two main shapes:

  • Self-contained JWT — the API can verify it locally using the issuer's public keys, no network call needed. Fast, scalable.
  • Opaque token — a random string; the API must call the authorization server's introspection endpoint (RFC 7662) to learn what it represents. Slower but easier to revoke instantly.

What's typically inside

For a JWT access token:

  • iss — the authorization server that issued it
  • sub — the resource owner (user) or client (for client_credentials)
  • aud — the API it's intended for
  • exp / iat — expiry and issued-at
  • scope — space-separated OAuth scopes
  • client_id — which OAuth client got it
  • Custom claims (tenant, roles, permissions)
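As an added example (not code from the original page or from any authorization server vendor), the Python below sketches the resource-server side of both token shapes described above and checks the claims just listed: it verifies a self-contained JWT's signature and its iss, aud and exp, maps an RFC 7662 introspection response for an opaque token onto the same claim set, and enforces a per-endpoint scope. The issuer and audience URLs, the shared secret, the HS256 signing and the sample tokens are all constructed so the example runs offline; a production API verifies RS256/ES256 signatures against the issuer's published JWKS instead. The `typ` check follows RFC 9068, which types JWT access tokens as `at+jwt`; not every authorization server sets that header, so treat it as an assumption about your issuer.

```python
"""Resource-server checks for an OAuth 2.0 access token (added example).
Covers both shapes: a self-contained JWT verified locally and an opaque token
whose RFC 7662 introspection response was already fetched. HS256 with a
constructed secret keeps it offline; real APIs verify against the AS's JWKS."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://as.example.test"      # assumed authorization server URL
AUDIENCE = "https://api.example.test"   # identifier of this API (constructed)
SECRET = b"demo-shared-secret-not-for-production"  # constructed; never hard-code
CLOCK_SKEW = 60                         # seconds of leeway when checking exp

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(claims, typ="at+jwt"):
    """Build an HS256 JWT for the demo; in production only the AS mints tokens."""
    header = {"alg": "HS256", "typ": typ}
    parts = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"

def verify_jwt(token, now=None):
    """Check signature, then iss / aud / exp; return claims or raise ValueError."""
    now = time.time() if now is None else now
    h64, p64, s64 = token.split(".")  # wrong part count raises ValueError itself
    header = json.loads(_b64url_decode(h64))
    # Pin the algorithm: the token's own 'alg' never selects the verifier.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # RFC 9068 types JWT access tokens as at+jwt; an OIDC ID token is not one.
    if header.get("typ") != "at+jwt":
        raise ValueError("not an access token (typ)")
    expected = hmac.new(SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))  # only trusted after the signature check
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this API")
    if claims.get("exp", 0) + CLOCK_SKEW < now:
        raise ValueError("expired")
    return claims

def claims_from_introspection(response):
    """Map an RFC 7662 response onto the same claim set; 'active' is the AS's verdict."""
    if not response.get("active"):
        raise ValueError("token inactive or unknown")
    aud = response.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this API")
    return response

def authorize(claims, required_scope):
    """Per-endpoint least privilege: the space-separated scope must cover this route."""
    granted = set(claims.get("scope", "").split())
    if required_scope not in granted:
        raise PermissionError(f"missing scope {required_scope}")
    return claims["sub"]

def _outcome(fn):
    try:
        return fn()
    except (ValueError, PermissionError) as exc:
        return str(exc)

def demo():
    """Exercise the checks on constructed tokens; returns the outcome per case."""
    now = 1_700_000_000
    base = {"iss": ISSUER, "sub": "user-42", "aud": AUDIENCE, "iat": now,
            "exp": now + 600, "scope": "read:invoices", "client_id": "web-app"}
    good = mint_jwt(base)
    h64, _, s64 = good.split(".")
    forged = _b64url_encode(json.dumps({**base, "scope": "admin"}).encode())
    introspected = {"active": True, "sub": "user-42", "aud": AUDIENCE, "scope": "read:invoices"}
    return {
        "valid": _outcome(lambda: authorize(verify_jwt(good, now), "read:invoices")),
        "missing_scope": _outcome(lambda: authorize(verify_jwt(good, now), "write:invoices")),
        "expired": _outcome(lambda: verify_jwt(mint_jwt({**base, "exp": now - 3600}), now)),
        "wrong_audience": _outcome(lambda: verify_jwt(
            mint_jwt({**base, "aud": "https://other.example.test"}), now)),
        "id_token_as_access_token": _outcome(lambda: verify_jwt(mint_jwt(base, typ="JWT"), now)),
        "tampered_scope": _outcome(lambda: verify_jwt(f"{h64}.{forged}.{s64}", now)),
        "introspected": _outcome(lambda: authorize(claims_from_introspection(introspected), "read:invoices")),
        "introspected_revoked": _outcome(lambda: claims_from_introspection({**introspected, "active": False})),
    }
```

The order of checks in `verify_jwt` matters: the payload is decoded only after the signature verifies, so nothing in an unsigned or tampered payload influences a decision, and the algorithm is pinned by the API's configuration rather than read from the token. The introspection path skips signature and issuer checks because the authorization server itself answered over an authenticated server-to-server call; what it cannot skip is the audience check and the per-route scope check, which is why both shapes funnel into the same `authorize` step.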

When buyers care

  • API security review — token TTL, revocation strategy, scope granularity all show up in pen tests and audits.
  • Token theft incidents — see Microsoft Midnight Blizzard, GitHub OAuth app compromise. Short TTLs + sender-constrained tokens (DPoP, mTLS) limit blast radius.
  • B2B SaaS integrations — partners need scoped, revocable access. Long-lived API keys are the legacy alternative; OAuth + scoped access tokens are the modern one.

Common misconceptions

  • "Access tokens are for the user." No — they're for the API. The user's identity is in the ID token (OIDC). Use the right token for the right purpose.
  • "Longer TTLs are more user-friendly." Use refresh tokens instead. Long-lived access tokens are revocation nightmares.
  • "Scopes don't matter, just grant .*." Scopes are how you prove least privilege in audits.

Editorial note

Treat access tokens like cash: short-lived, narrowly scoped, easy to invalidate. If your design has a multi-day access token in env vars, you've built a static API key in a JWT costume.

Standards & references