Access token

An access token is a digital credential used in cybersecurity to authenticate and authorize a user or application to access specific protected resources. Issued after a successful authentication and authorization process — typically through protocols like OAuth 2.0 or OpenID Connect — it encapsulates the granted permissions, the identity of the requesting entity, and a defined validity period. Presented to a resource server (such as an API), it acts as proof of the bearer's right to perform specific actions, eliminating the need for repeated credential submission.

Access tokens are central to Identity & Access Management (IAM) systems, enabling fine-grained control through explicitly defined scopes and privileges. They are commonly cryptographically signed to ensure integrity and prevent tampering, and their time-limited nature minimizes the risk of misuse. By abstracting user credentials into temporary, scope-specific authorizations, access tokens are essential for securing distributed environments, cloud applications, and APIs — enforcing the principle of least privilege across complex digital ecosystems.