OAuth2 Access Token

An OAuth2 access token is a credential that represents the authorization granted to the client. The client presents it to the resource server to access protected resources on behalf of the resource owner (the user).

Token Types

  • Bearer Token: possession alone is sufficient; whoever presents the token can use it, with no proof of holding a key (the most common type)
  • JWT: self-contained signed token carrying claims (issuer, subject, expiry, scope) that the resource server can verify locally
  • Opaque Token: random string with no readable content; the resource server must ask the authorization server's introspection endpoint what it authorizes

Usage

// Bearer token in Authorization header
GET /api/user/profile
Authorization: Bearer eyJhbGciOiJSUzI1NiIs...

// Response
{
  "id": "123",
  "name": "John Doe",
  "email": "john@example.com"
}

Token Response

POST /token

// Response
{
  "access_token": "eyJhbGciOiJSUzI1NiIs...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "dGhpcyBpcyBhIHJlZnJl...",
  "scope": "read:profile write:profile"
}

Security Considerations

  • Use short expiration times (minutes to hours) so a leaked token has a limited window of use
  • Transmit only over HTTPS
  • Store securely (for browser apps handling sensitive data, avoid localStorage, which any injected script can read)
  • Validate the token's signature, expiry and scopes on the resource server for every request
  • Consider token binding (sender-constrained tokens) for high-security use cases, so a stolen token cannot simply be replayed
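The Usage section above shows the bearer token arriving in the Authorization header, and the considerations just listed say the resource server must check it. The following is an added example of that resource-server check, not code from the original page: it extracts the bearer token, verifies a JWT's algorithm, signature, expiry (with a small clock-skew allowance) and required scope, and reports the reason for any rejection. It assumes an HS256 shared key (the page's sample token header is RS256; the structure of the checks is the same, only the signature primitive differs), and the key, claims and helper names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed signing key for this example (HS256). Production deployments
# typically use an asymmetric algorithm such as RS256 with the authorization
# server's public key; the checks below are otherwise the same.
SIGNING_KEY = b"example-shared-secret-not-for-production"

ALLOWED_ALGS = {"HS256"}   # explicit allowlist: rejects "none" and unexpected algorithms
CLOCK_SKEW_SECONDS = 30    # tolerance for clock drift between issuer and resource server


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Create an HS256 JWT; used here only to produce input for the validator."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def extract_bearer(headers: dict) -> Optional[str]:
    """Return the token from 'Authorization: Bearer <token>', or None if absent or malformed."""
    value = headers.get("Authorization") or headers.get("authorization")
    if not value:
        return None
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def validate_jwt(token: str, required_scope: str, key: bytes = SIGNING_KEY,
                 now: Optional[float] = None) -> Tuple[bool, str, dict]:
    """Check structure, algorithm, signature, expiry and scope. Returns (ok, reason, claims)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", {}
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        signature = _b64url_decode(parts[2])
    except ValueError:  # covers base64, UTF-8 and JSON decoding failures
        return False, "undecodable", {}
    # Never trust the token's own "alg" beyond checking it is one we allow
    if header.get("alg") not in ALLOWED_ALGS:
        return False, "alg_not_allowed", {}
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):   # constant-time comparison
        return False, "bad_signature", {}
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + CLOCK_SKEW_SECONDS:
        return False, "expired", {}
    # Scope is a space-separated list, as in the token response above
    granted = set(str(claims.get("scope", "")).split())
    if required_scope not in granted:
        return False, "insufficient_scope", claims
    return True, "ok", claims


def authorize_request(headers: dict, required_scope: str,
                      now: Optional[float] = None) -> Tuple[bool, str, dict]:
    """Full resource-server check for one incoming request."""
    token = extract_bearer(headers)
    if token is None:
        return False, "no_bearer_token", {}
    return validate_jwt(token, required_scope, now=now)


if __name__ == "__main__":
    t0 = int(time.time())
    tok = mint_token({"sub": "123", "scope": "read:profile", "exp": t0 + 600})
    print(authorize_request({"Authorization": f"Bearer {tok}"}, "read:profile"))
    print(authorize_request({"Authorization": f"Bearer {tok}"}, "write:profile"))
```

The reason strings are meant for the server's own logs and metrics; a client should only see a generic 401 or 403, since telling a caller exactly why a token failed helps nobody but an attacker probing the validator.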

Token Leakage Vectors

  • Referer headers, when a page whose URL contains the token navigates to another site
  • Browser history, if the token appears in a URL
  • Server, proxy or application logs, if full request lines or headers are written to them
  • XSS attacks, which can read tokens held in JavaScript-accessible storage
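Two of the vectors above (logs and URLs) can be caught on the defender's side by scanning what gets written to logs. The following is an added example, not code from the original page: a small scrubber that flags and redacts bearer tokens in logged Authorization headers, access_token parameters in logged URLs or Referer values, and bare JWTs, and produces a per-line report of which vector was found. The log lines, token values and pattern names are constructed for the example.

```python
import re
from typing import List, Tuple

# Patterns for the leakage vectors discussed above (constructed for this example):
#  - a bearer token in a logged Authorization header
#  - an access_token parameter in a logged URL, fragment or Referer value
#  - a bare JWT anywhere in the line (three base64url segments; 'eyJ' is '{"' encoded)
PATTERNS = {
    "authorization_header": re.compile(r"(?i)(authorization:\s*bearer\s+)([A-Za-z0-9\-._~+/]+=*)"),
    "url_parameter": re.compile(r"(?i)([?&#]access_token=)([^&\s\"']+)"),
    "bare_jwt": re.compile(r"\b(eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)\b"),
}


def redact_token(token: str) -> str:
    """Keep a short prefix so operators can still correlate events; hide the rest."""
    return token[:6] + "...[redacted]"


def scan_line(line: str) -> Tuple[str, List[str]]:
    """Return (scrubbed_line, vectors_found) for a single log line."""
    found = []
    scrubbed = line
    # Header and URL patterns run first so a JWT inside them is attributed to
    # the more specific vector; the bare-JWT pattern then only catches leftovers.
    for vector, pattern in PATTERNS.items():
        if pattern.search(scrubbed):
            found.append(vector)
            if vector == "bare_jwt":
                scrubbed = pattern.sub(lambda m: redact_token(m.group(1)), scrubbed)
            else:
                scrubbed = pattern.sub(lambda m: m.group(1) + redact_token(m.group(2)), scrubbed)
    return scrubbed, found


def scan_log(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Report (1-based line number, vectors found) for every line that leaks a token."""
    report = []
    for number, line in enumerate(lines, 1):
        _, found = scan_line(line)
        if found:
            report.append((number, found))
    return report


# Constructed sample log lines; the tokens are placeholders, not real credentials.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /api/user/profile HTTP/1.1" 200 '
    'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjMifQ.c2lnbmF0dXJl',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /callback?access_token=dGhpcyBpcyBhIHRva2Vu&state=xyz HTTP/1.1" 302',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /docs HTTP/1.1" 200 referer="https://app.example.com/#access_token=abc123def456"',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /healthz HTTP/1.1" 200',
]


if __name__ == "__main__":
    for number, vectors in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(vectors)}")
    for line in SAMPLE_LOG:
        print(scan_line(line)[0])
```

Run as a filter in front of the log sink, the scrubbed line is what gets stored and the report is what gets alerted on; a non-empty report is itself the signal that some component is logging more of the request than it should.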
