Access Token

An access token is a credential used by an application or client to call a protected resource after authorization has been granted.

In plain language, it is the proof a client presents to an API to show that access was approved for a specific purpose. In OAuth 2.0 deployments it is usually a bearer token: the API trusts whoever presents it, so the token itself must be protected in transit and at rest.

Why It Matters

Access tokens matter because modern applications should not forward the user's primary password to every backend service. Instead, they use tokens that can be scoped to specific permissions, time-limited, and audited, so a leaked token exposes far less than a leaked password.

They also matter because token design decides how much access a client has, how long that access lasts, and how quickly defenders can cut it off when a token leaks or a client is compromised.

Where It Appears in Real Systems or Security Workflow

Access tokens appear in OAuth flows, API gateways, mobile app integrations, OpenID Connect ecosystems, and API Security. Related entries: Authorization, Refresh Token, Token Revocation, and Session Management.

Access tokens are central to modern distributed systems because they let each service enforce authorization from the token's audience, expiry and scope without ever handling the user's primary credentials.

Practical Example

A mobile app sends the user's access token when calling a calendar API. The API validates the token (signature or introspection, audience, expiry), reads the approved scope, and allows only the calendar actions that scope covers: a token issued for reading events cannot create one.

Common Misunderstandings and Close Contrasts

An access token is not a password. It is narrower in purpose, expires sooner, and is bound to a specific client, audience or resource, so the blast radius of a leaked token is contained in a way a leaked password is not.

It is also different from a Refresh Token. The access token is what the API expects on ordinary requests, while the refresh token is presented only to the authorization server to obtain a new access token when the current one expires; it is never sent to the resource API itself.
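The following example, added here and not taken from the page, illustrates both the Practical Example above and the access-versus-refresh contrast. It assumes a simplified compact token format (base64url claims plus an HMAC-SHA256 tag, not a full JWT), a constructed signing key, a hypothetical calendar API with two endpoints, and an in-memory refresh-token store; all names and values are invented for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed for the example; a real deployment keeps this in a KMS or HSM.
SIGNING_KEY = b"example-signing-key-do-not-use-in-production"
AUDIENCE = "calendar-api"          # hypothetical resource server identifier
ACCESS_TOKEN_TTL = 300             # short-lived by design (seconds)


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_access_token(subject, scopes, now=None, ttl=ACCESS_TOKEN_TTL):
    """Authorization server: issue a signed, scoped, time-limited access token."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "aud": AUDIENCE, "scope": " ".join(scopes),
              "iat": now, "exp": now + ttl}
    body = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    tag = _b64url(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


def verify_access_token(token, now=None):
    """Resource server: return the claims if signature, audience and expiry hold, else None."""
    now = int(time.time()) if now is None else now
    try:
        body, tag = token.split(".")
    except ValueError:
        return None
    expected = _b64url(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        return None
    claims = json.loads(_b64url_decode(body))
    if claims.get("aud") != AUDIENCE or claims.get("exp", 0) <= now:
        return None
    return claims


# Scope each hypothetical calendar endpoint requires.
REQUIRED_SCOPE = {
    ("GET", "/events"): "calendar.read",
    ("POST", "/events"): "calendar.write",
}


def handle_request(method, path, token, now=None):
    """Resource server request handler: returns (HTTP status, detail)."""
    claims = verify_access_token(token, now)
    if claims is None:
        return 401, "invalid or expired token"
    needed = REQUIRED_SCOPE.get((method, path))
    if needed is None:
        return 404, "unknown endpoint"
    if needed not in claims["scope"].split():
        return 403, f"token lacks scope {needed}"
    return 200, f"{method} {path} for {claims['sub']}"


# Refresh tokens are opaque, stored server side (hashed) and single use.
_refresh_store = {}   # constructed in-memory store keyed by sha256(refresh token)


def issue_refresh_token(subject, scopes):
    refresh_token = secrets.token_urlsafe(32)
    _refresh_store[hashlib.sha256(refresh_token.encode()).hexdigest()] = (subject, list(scopes))
    return refresh_token


def refresh(refresh_token, now=None):
    """Authorization server: exchange a refresh token for a new access token, rotating it."""
    key = hashlib.sha256(refresh_token.encode()).hexdigest()
    entry = _refresh_store.pop(key, None)   # consumed on use; replay is rejected
    if entry is None:
        return None
    subject, scopes = entry
    return mint_access_token(subject, scopes, now), issue_refresh_token(subject, scopes)
```

A token scoped only to calendar.read passes GET /events but is refused on POST /events with 403, an expired or tampered token is refused with 401 before scope is even consulted, and the refresh token never touches handle_request: it goes to refresh() and is invalidated the moment it is used.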