OAuth Access Tokens
datatracker.ietf.org/doc/html/rfc6749#section-1.4
An OAuth Access Token is a string that the OAuth client uses to make requests to the resource server.
Access tokens do not have to be in any particular format, and in practice, various OAuth servers have chosen many different formats for their access tokens. The two common shapes are opaque random strings, which the resource server validates by lookup or Token Introspection (RFC 7662), and self-encoded tokens, typically JWTs following the JWT Profile for Access Tokens (RFC 9068), which the resource server validates locally by checking the signature and claims.
Access tokens may be either "bearer tokens" or "sender-constrained" tokens. A bearer token (RFC 6750) can be used by whoever holds the string, so any leak of the token, through a log, a browser history, or a compromised channel, is a leak of the access it grants. Sender-constrained tokens require the OAuth client to prove possession of a private key in some way in order to use the access token, such that the access token by itself would not be usable; the two standardized mechanisms are mutual-TLS certificate-bound tokens (RFC 8705) and DPoP (RFC 9449).
There are a number of properties of access tokens that are fundamental to the security model of OAuth:
- Access tokens must not be read or interpreted by the OAuth client. The OAuth client is not the intended audience of the token. This holds even when the access token happens to be a JWT: its format is a contract between the authorization server and the resource server and can change without notice to the client.
- Access tokens do not convey user identity or any other information about the user to the OAuth client. A client that needs to know who the user is should use OpenID Connect (the ID token or the UserInfo endpoint) rather than decoding the access token.
- Access tokens should only be used to make requests to the resource server. Additionally, ID tokens must not be used to make requests to the resource server; an ID token's audience is the client, not the resource server, and a resource server should reject it on that basis.
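The properties above, as an added example that is not code from oauth.net or from any OAuth library. It models both sides of one request: a client that treats the token as an opaque string and only places it in the RFC 6750 `Authorization: Bearer` header, and a resource server that is the token's audience and validates it. The example assumes an authorization server that issues JWT access tokens per the RFC 9068 profile (`typ` of `at+jwt`, `aud`, `exp`, `scope`) signed with HMAC-SHA256 under a key shared with the resource server; real deployments normally use asymmetric keys published via JWKS, and the shared key, the audience URL, the sample tokens and the fixed clock are all constructed for this example. The resource server also rejects an ID token presented as if it were an access token, which is the third property above.

```python
"""Added example (not from oauth.net or any OAuth library); see lead-in for assumptions."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

RESOURCE_SERVER_AUDIENCE = "https://api.example.com"      # constructed
SHARED_SIGNING_KEY = b"demo-key-do-not-use-in-production"  # constructed; real RS uses JWKS


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(header: dict, claims: dict, key: bytes = SHARED_SIGNING_KEY) -> str:
    """Authorization-server side: mint a compact JWS (HS256). Only used here to
    build sample tokens; the client never calls this or inspects its output."""
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


# ---- client side: the token is opaque, it only goes in the header ----------
def bearer_request_headers(access_token: str) -> dict:
    """The client's whole job per RFC 6750 2.1: present the string as a bearer
    token. It does not decode it or make decisions based on its contents."""
    return {"Authorization": "Bearer " + access_token}


# ---- resource server side: the intended audience validates the token ------
def parse_bearer_header(authorization: Optional[str]) -> Optional[str]:
    """Extract the token from 'Authorization: Bearer <token>'; the scheme name
    is case-insensitive, anything else (Basic, empty credentials) is rejected."""
    if not authorization:
        return None
    parts = authorization.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1].strip():
        return None
    return parts[1].strip()


def validate_access_token(token: str, required_scope: str, now: Optional[float] = None,
                          key: bytes = SHARED_SIGNING_KEY) -> Tuple[bool, str]:
    """Return (ok, reason). Rejects anything that is not an access token addressed
    to this resource server: bad alg/signature, wrong typ (an ID token carries
    typ JWT or none, never at+jwt), wrong audience, expired, or missing scope."""
    now = time.time() if now is None else now
    try:
        h64, c64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(c64))
        sig = _b64url_decode(s64)
    except (ValueError, json.JSONDecodeError):
        return False, "malformed token"
    if header.get("alg") != "HS256":          # pin the algorithm before verifying
        return False, "unexpected alg"
    expected = hmac.new(key, (h64 + "." + c64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    if header.get("typ") not in ("at+jwt", "application/at+jwt"):
        return False, "not an access token (typ != at+jwt)"
    aud = claims.get("aud")
    if RESOURCE_SERVER_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "expired"
    if required_scope not in str(claims.get("scope", "")).split():
        return False, "insufficient scope"
    return True, "ok"


def handle_request(headers: dict, required_scope: str,
                   now: Optional[float] = None) -> Tuple[int, str]:
    """Minimal protected endpoint with RFC 6750 section 3 challenges: 401 for a
    missing or invalid token, 403 for a valid token lacking the scope."""
    token = parse_bearer_header(headers.get("Authorization"))
    if token is None:
        return 401, 'Bearer realm="api"'
    ok, reason = validate_access_token(token, required_scope, now)
    if ok:
        return 200, "ok"
    if reason == "insufficient scope":
        return 403, 'Bearer error="insufficient_scope", scope="%s"' % required_scope
    return 401, 'Bearer error="invalid_token", error_description="%s"' % reason


NOW = 1_700_000_000  # constructed fixed clock so the example is deterministic

# Constructed sample tokens from the same issuer: only the first is an access
# token for this resource server; the second is an ID token (audience = client).
ACCESS_TOKEN = issue_token(
    {"alg": "HS256", "typ": "at+jwt"},
    {"iss": "https://as.example.com", "sub": "user-123",
     "aud": RESOURCE_SERVER_AUDIENCE, "exp": NOW + 3600, "scope": "read write"})
ID_TOKEN = issue_token(
    {"alg": "HS256", "typ": "JWT"},
    {"iss": "https://as.example.com", "sub": "user-123",
     "aud": "my-client-id", "exp": NOW + 3600, "name": "Alice"})

if __name__ == "__main__":
    for label, hdrs, scope in [("access token, read", bearer_request_headers(ACCESS_TOKEN), "read"),
                               ("ID token, read", bearer_request_headers(ID_TOKEN), "read"),
                               ("access token, admin", bearer_request_headers(ACCESS_TOKEN), "admin"),
                               ("no token", {}, "read")]:
        print(label, "->", handle_request(hdrs, scope, NOW))
```

The client never calls `validate_access_token` or decodes the token; everything it knows about the string is that it belongs in the header. The order of checks on the resource server matters: pin the algorithm, verify the signature, then check `typ` and `aud` before trusting any other claim, so a validly signed ID token for the same user is still refused.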
Related:
- OAuth 2.0 Refresh Tokens
- ID Tokens vs Access Tokens
- OAuth 2.0 Bearer Token Usage (RFC 6750)
- Token Introspection (RFC 7662)
- Token Revocation (RFC 7009)
- JSON Web Token (RFC 7519)
- JWT Profile for Access Tokens
More resources
- Self-Encoded Access Tokens (oauth.com)
- OAuth Access Tokens Explained (youtube.com)