An access token is a digital credential used in cybersecurity to authenticate and authorize a user or application to access specific protected resources. Issued after a successful authentication process—typically through protocols like OAuth 2.0 or OpenID Connect—the token contains information about the granted permissions, the identity of the requesting entity, and its validity period. When presented to a resource server, such as an API or web service, it proves the bearer's right to perform requested actions without requiring repeated credential submission.

Access tokens are central to Identity & Access Management (IAM) systems, enabling fine-grained control over resource access through explicitly defined scopes or privileges. These tokens are commonly cryptographically signed to ensure integrity and authenticity, preventing tampering and impersonation. Their time-limited nature reduces the window for potential misuse, while their ability to abstract user credentials makes them essential for securing distributed environments, cloud applications, and enforcing the principle of least privilege across complex digital ecosystems.