An access token is the credential an OAuth 2.0 client uses to authenticate API requests. It’s issued by the authorization server after a user grants the client permission, and it’s attached to each subsequent API call via an Authorization: Bearer <token> header.
Key properties
- Short-lived — typical lifetimes are 5 minutes to 1 hour. Short expiration limits the blast radius if the token leaks.
- Scoped — the token is valid only for the scopes the user granted (e.g., read:profile, write:posts).
- Opaque or signed — can be a random string (looked up server-side) or a JWT (self-contained claims).
Access token vs ID token
- Access token: “this client can call the resource API.” Sent to the resource server.
- ID token: “this user is authenticated.” Read by the client, not sent to the resource server.
Swapping them is a common early bug. The ID token belongs to the client; the access token belongs to the API call.
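The following is an added example, not code from the original glossary, showing the resource-server side of the distinction above. It mints an HS256-signed access token and ID token with different audiences (the key, issuer URL, audience and client id are constructed placeholders), then checks an incoming Authorization: Bearer header for signature, audience, expiry and scope. The audience check is what rejects an ID token mistakenly sent as a bearer token.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example key shared by the authorization server and the resource
# server (HS256). Real deployments usually use an asymmetric algorithm (RS256/ES256).
SECRET = b"example-signing-key-not-for-production"
ISSUER = "https://as.example.test"          # assumed authorization server
API_AUDIENCE = "https://api.example.test"   # assumed resource server identifier
CLIENT_ID = "client-123"                    # assumed OAuth client id


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict) -> str:
    """Mint an HS256 JWT; plays the role of the authorization server."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{body}".encode()
    sig = hmac.new(SECRET, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_jwt(token: str) -> Optional[dict]:
    """Return the claims if the signature over header.body is valid, else None."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    return json.loads(b64url_decode(body))


def issue_tokens(user: str, scope: str, now: int) -> dict:
    """Authorization server response: an access token aimed at the API plus an
    ID token aimed at the client. The audiences differ on purpose."""
    access = {"iss": ISSUER, "sub": user, "aud": API_AUDIENCE, "scope": scope,
              "iat": now, "exp": now + 600}          # 10-minute lifetime
    id_token = {"iss": ISSUER, "sub": user, "aud": CLIENT_ID,
                "iat": now, "exp": now + 3600}
    return {"access_token": sign_jwt(access), "id_token": sign_jwt(id_token)}


def authorize_request(headers: dict, required_scope: str, now: int) -> str:
    """Resource-server check of one request. Returns 'ok' or a rejection reason."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return "missing bearer token"
    claims = verify_jwt(auth[len("Bearer "):])
    if claims is None:
        return "bad signature"
    if claims.get("iss") != ISSUER:
        return "wrong issuer"
    if claims.get("aud") != API_AUDIENCE:
        return "wrong audience"   # catches an ID token presented as an access token
    if now >= claims.get("exp", 0):
        return "expired"
    if required_scope not in claims.get("scope", "").split():
        return "insufficient scope"
    return "ok"


if __name__ == "__main__":
    now = int(time.time())
    tokens = issue_tokens("alice", "read:profile write:posts", now)
    for name, tok in tokens.items():
        print(name, "->", authorize_request({"Authorization": "Bearer " + tok}, "read:profile", now))
```

The order of checks matters: signature first (so nothing in an unverified payload is trusted), then issuer and audience, then expiry and scope. Checking aud before scope is what makes the swap bug fail closed rather than silently granting whatever scope-like claim an ID token happens to carry.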
Refreshing
When an access token expires, use a refresh token to get a new one — no re-authentication needed.
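As an added example (not code from the original page), here is a client that refreshes transparently when its access token is about to expire or when the API answers 401, against an in-memory stand-in for the token endpoint and resource server. It goes one step beyond the glossary text: the toy authorization server rotates the refresh token on every use and revokes the whole token family if a spent refresh token is presented again, which is how a leaked refresh token is contained. All classes, lifetimes and token formats are constructed for the example.

```python
import secrets
from typing import Dict, Optional, Set

ACCESS_TTL = 600  # seconds; constructed lifetime inside the page's 5 min to 1 h range


class AuthorizationServer:
    """Toy token endpoint (assumed, not a real library). Opaque access tokens,
    refresh-token rotation, and reuse detection per token family."""

    def __init__(self) -> None:
        self.access: Dict[str, float] = {}     # access token -> expiry
        self.refresh: Dict[str, str] = {}      # live refresh token -> family id
        self.spent: Dict[str, str] = {}        # already-used refresh token -> family id
        self.revoked_families: Set[str] = set()

    def _mint(self, family: str, now: float) -> dict:
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[at] = now + ACCESS_TTL
        self.refresh[rt] = family
        return {"access_token": at, "refresh_token": rt, "expires_in": ACCESS_TTL}

    def authorize(self, now: float) -> dict:
        """Initial grant; the user's consent is assumed to have happened."""
        return self._mint(secrets.token_hex(8), now)

    def refresh_grant(self, refresh_token: str, now: float) -> Optional[dict]:
        family = self.refresh.pop(refresh_token, None)
        if family is None:
            # A spent refresh token presented again: assume it leaked and
            # revoke every live refresh token in that family.
            leaked = self.spent.get(refresh_token)
            if leaked is not None:
                self.revoked_families.add(leaked)
                self.refresh = {r: f for r, f in self.refresh.items() if f != leaked}
            return None
        self.spent[refresh_token] = family
        return self._mint(family, now)

    def introspect(self, access_token: str, now: float) -> bool:
        exp = self.access.get(access_token)
        return exp is not None and now < exp


class ResourceServer:
    def __init__(self, auth: AuthorizationServer) -> None:
        self.auth = auth

    def handle(self, headers: dict, now: float) -> int:
        value = headers.get("Authorization", "")
        if value.startswith("Bearer ") and self.auth.introspect(value[len("Bearer "):], now):
            return 200
        return 401


class Client:
    def __init__(self, auth: AuthorizationServer, api: ResourceServer, now: float) -> None:
        self.auth, self.api = auth, api
        self.tokens = auth.authorize(now)
        self.expires_at = now + self.tokens["expires_in"]
        self.refreshes = 0

    def _refresh(self, now: float) -> bool:
        fresh = self.auth.refresh_grant(self.tokens["refresh_token"], now)
        if fresh is None:
            return False
        self.tokens, self.expires_at = fresh, now + fresh["expires_in"]
        self.refreshes += 1
        return True

    def _send(self, now: float) -> int:
        return self.api.handle({"Authorization": "Bearer " + self.tokens["access_token"]}, now)

    def call(self, now: float) -> int:
        # Proactive refresh with 30 s of clock skew; 401 here means the refresh
        # token was rejected and the user must re-authenticate.
        if now >= self.expires_at - 30 and not self._refresh(now):
            return 401
        status = self._send(now)
        if status == 401 and self._refresh(now):   # reactive refresh, one retry
            status = self._send(now)
        return status
```

A client only ever needs to handle three outcomes: the call succeeds, the call fails with 401 and a refresh fixes it, or the refresh itself is refused and the user is sent back through the authorization flow. Keeping the refresh token out of the Authorization header (it goes only to the token endpoint) is the other half of the access-token/refresh-token split.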
See the full auth glossary for related terms.