Glossary

Access token – definition
Figure: Access token flow

Definition: An access token is a short-lived credential a client sends to an API to prove that it is permitted to call protected endpoints. The server validates the token before processing the request. Tokens usually carry scopes, an expiry time, and issuer details, either inside a self-contained JSON Web Token (JWT) or as an opaque string the server looks up. Because anyone holding the token can use it, tokens must be stored securely and transmitted only over HTTPS. Most clients include the token in the HTTP Authorization header using the Bearer scheme. When a token has expired, the request fails with an authorization error. A companion refresh token can obtain a new access token without asking the user to authenticate again. Access tokens should be scoped narrowly to limit the damage if one leaks.

Example: A mobile app sends Bearer abc123 in the Authorization header to call /me.
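The server side of that exchange, as an added example that is not part of this glossary page: an API receives `Authorization: Bearer <token>`, verifies the token's signature, issuer, expiry and scope, and answers 401 (invalid, expired or missing token) or 403 (valid token, wrong scope) before touching the resource. It uses a self-contained HS256 JWT so the whole check runs offline with the standard library; the signing key, issuer URL and function names are assumptions for the example, and a real service would load its key from a secrets store and typically verify asymmetric (RS256/ES256) signatures instead.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders for this example only.
SIGNING_KEY = b"example-hmac-key-not-for-production"
TRUSTED_ISSUER = "https://auth.example.com"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode; restores the padding Python's decoder needs."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issue_token(subject, scopes, ttl_seconds=300, now=None,
                issuer=TRUSTED_ISSUER, key=SIGNING_KEY):
    """Mint a short-lived HS256 JWT carrying issuer, subject, scopes and expiry."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": issuer, "sub": subject, "scope": " ".join(scopes),
               "iat": now, "exp": now + ttl_seconds}

    def compact(obj):
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

    signing_input = f"{compact(header)}.{compact(payload)}"
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"


def extract_bearer(headers):
    """Return the token from 'Authorization: Bearer <token>', or None if the
    header is absent, empty, or uses a different scheme."""
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if not value:
        return None
    parts = value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return parts[1].strip() or None


def validate_token(token, required_scope, now=None, key=SIGNING_KEY):
    """Return (http_status, detail): 200 with the subject, 401 for an invalid
    or expired token, 403 for a valid token that lacks the required scope."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return 401, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    # Verify the signature before trusting anything inside the token.
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    try:
        actual_sig = b64url_decode(sig_b64)
    except ValueError:
        return 401, "malformed token"
    if not hmac.compare_digest(expected_sig, actual_sig):
        return 401, "invalid signature"
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError:
        return 401, "malformed token"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return 401, "malformed token"
    if header.get("alg") != "HS256":          # pin the algorithm we accept
        return 401, "unexpected algorithm"
    if payload.get("iss") != TRUSTED_ISSUER:  # only tokens from our issuer
        return 401, "untrusted issuer"
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return 401, "token expired"
    granted = set(str(payload.get("scope", "")).split())
    if required_scope not in granted:
        return 403, "insufficient scope"
    return 200, payload.get("sub")


def handle_request(headers, required_scope, now=None):
    """What a protected endpoint does before serving the resource."""
    token = extract_bearer(headers)
    if token is None:
        return 401, "missing bearer token"
    return validate_token(token, required_scope, now)


if __name__ == "__main__":
    token = issue_token("user-42", ["read:profile"])
    print(handle_request({"Authorization": f"Bearer {token}"}, "read:profile"))
```

The order of checks matters: the signature is compared (in constant time) before any claim is read, so a forged or altered payload is rejected without its contents ever being trusted, and the issuer and expiry are checked before scope so that the 403 branch is reached only by genuinely valid tokens.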

Also called: bearer token

Related: Authentication, Authorization, OAuth 2.0, API Key, HTTP (Hypertext Transfer Protocol)
