Access Token: Definition, Architecture, Usage & More
Access Token: Definition, Architecture, Usage & More
Access Token: Definition, Architecture, Usage & More
An access token is a tiny piece of code that contains a large amount of data. Information about the user, permissions, groups, and timeframes is embedded within one token that passes from a server to a user's device.
Plenty of websites use access tokens. For example, if you've ever used credentials from one website (like Facebook) to gain entry to another website (like Salesforce), you've used an access token.
What’s Included in an Access Token?
A typical access token holds three distinct parts, all working together to verify a user's right to access a resource.
Three key elements are included in most access tokens.
- Header: Data about the token's type and the algorithm used to make it are included here.
- Payload: Information about the user, including permissions and expirations, is included here.
- Signature: Verification data, so the recipient can ensure the authenticity of the token, is included here. This signature is typically hashed, so it's difficult to hack and replicate.
The payload, also called the claims section, is critical to the success of the token. If you want to visit a specific resource on the server, but you're not given proper permissions within the payload, you won't gain access.
Developers can place all sorts of custom data within the payload too. For example, an access token from Google can grant access to multiple applications (APIs), and all of those credentials are specified with just one access token.
Access token types can vary from website to website. Facebook, for example, offers