Access Token

Authentication Security Notes Jan 6, 2025 JAVASCRIPT

Definition

When you log into a website or app, you don’t want to type your password every time you click a link or load a new page. Instead, after you prove who you are once, the system gives you something that represents your authenticated session - that’s an access token. It’s like a wristband at a concert: you show your ticket at the entrance once, get the wristband, and then flash the wristband every time you want to access different areas without showing your ticket again.

An access token is a credential that your application uses to prove to APIs that you’re authorized to make requests. When you use a mobile app that connects to its backend services, every request carries an access token that says “this user already logged in and has permission to do this.” The server validates the token instead of asking for your password repeatedly.

Access tokens are designed to be short-lived, typically anywhere from a few minutes to an hour, and that is intentional. If someone steals your access token, they can only use it until it expires; most APIs never consult a revocation list, so expiry is usually the only thing that ends a stolen token's usefulness. Compare this to a password which, if stolen, keeps working until it is changed. The short lifespan is a security feature, not a bug. When your access token expires, the client uses a separate refresh token (if it has one) to obtain a new access token without asking you to log in again.

Example

Mobile Banking App: When you log into your bank’s app, it receives an access token valid for 15 minutes. Every time you check your balance or make a transfer, the app sends this token to prove it’s really you. After 15 minutes, the token expires and the app silently gets a new one using a refresh token, so you don’t notice any interruption.

Social Media Integration: When you connect Spotify to your Facebook account, Facebook gives Spotify an access token. The token carries the specific permissions (scopes) you approved when connecting: it might let Spotify post on your behalf and see which music your friends like, but not read your private messages. The API rejects any call outside those scopes even though the token itself is valid.

Third-Party App Access: You use a fitness app that syncs with Google Fit. You don’t give the fitness app your Google password. Instead, you authorize it once, and Google gives the app an access token that only allows it to read fitness data - nothing else in your Google account.

API Testing: When developers test APIs using tools like Postman, they include an access token in the Authorization header. The API server validates this token before returning any data. No token or expired token? The request is rejected with a 401 Unauthorized error.

Single Sign-On (SSO): When your company uses SSO, you sign in once at the identity provider, which keeps a session for you. Each connected application then obtains its own access token through that session without prompting you again, so after the corporate portal, opening your email, HR system and project management tools involves no further password entry. Each token is still scoped to its own application; there is no single token that unlocks everything.

Analogy

The Temporary VIP Pass: An access token is like a VIP pass at an event venue. You show your ID and purchase confirmation at the main gate (authentication), and they give you a wristband (access token) that gets you into various areas. The wristband expires at the end of the day, so even if someone finds it tomorrow, it’s useless. The wristband proves you’re authorized without you having to show your ID at every door.

The Hotel Key Card: When you check into a hotel, you show your ID once and get a key card (access token). The card lets you into your room, the pool, the gym - wherever your booking allows. The card is programmed to stop working on your checkout date (expiration). If the card stops working, the front desk issues a new one against your existing booking rather than making you book again (refresh token exchange). The card itself doesn’t contain your personal information - it just contains proof of your authorization.

The Library Session: At a library, you show your library card once to the librarian when you enter. They mark you as “checked in” and you’re free to access the stacks. You don’t show your card for every book you touch - your presence in the library (session with access token) is your proof of authorization.

The Parking Validation Stamp: When you shop at a mall, some stores stamp your parking ticket so you don’t have to pay. The stamp (access token) proves you shopped there, so you get validated parking without showing your receipt at every parking machine. The stamp is only valid that day.

Code Example


// Using an access token in an API request.
// The token travels as a Bearer credential in the Authorization header;
// the value shown here is a truncated placeholder, not a real token.
const response = await fetch('https://api.example.com/user/profile', {
  headers: {
    'Authorization': 'Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...',
    'Content-Type': 'application/json'
  }
});

// A missing, invalid or expired token is rejected before any data is
// returned, so check the status instead of assuming the body is the profile.
if (response.status === 401) {
  // token expired or invalid: get a new one (e.g. via the refresh token) and retry
}

Diagram

sequenceDiagram
    participant Client
    participant AuthServer as Auth Server
    participant API

    Client->>AuthServer: 1. Authenticate (username/password)
    AuthServer->>AuthServer: Validate credentials
    AuthServer->>Client: 2. Access Token (TTL: 15-60 min)

    Note over Client: Token stored securely

    Client->>API: 3. Request + Bearer token
    API->>API: Validate token signature
    API->>API: Check expiration
    API->>Client: 4. Protected resource

    Note over Client,API: Later...

    Client->>API: 5. Request + Bearer token
    API->>API: Token expired!
    API->>Client: 6. 401 Unauthorized

    Note over Client: Use refresh token to get new access token

Security Notes

CRITICAL - Store access tokens securely: in a web app, never in localStorage or sessionStorage, where any injected script can read them; keep them in memory, or let the server hold the session behind an httpOnly cookie. Keep lifetimes short (5-60 minutes) and pair them with a refresh token that is rotated on every use, so a replayed refresh token is detected and rejected. Transmit tokens only over HTTPS, and only to the audience they were minted for. The API must validate every request, not just check that a token is present: signature, expiry, issuer and audience, plus the scopes the endpoint requires. Never write tokens to logs, URLs or error messages. Issue separate tokens per scope and audience so a token stolen from one service cannot be replayed against another. Watch for theft with rate limiting and anomaly detection (a token suddenly used from a new country or from many addresses at once).

Standards & RFCs