Access Token

An Access Token is a short-lived credential that can be used by an application to access an API. Its purpose is to inform the API that the bearer of this token has been authorized to access it. Access Tokens should be sent to an API according to the Bearer Token Usage specification. Specifically, the Access Token should be sent to the API in the HTTP Authorization header.

Static clients

The Token Server issues a JWT as access token. However, the receiver does not have to treat it as a JWT; it can also treat it as an opaque token and present it to the Token Server for validation. See the Token Introspection documentation for details on validating an access token.

Example JWT Access Token

This section shows an example of a JWT Access Token. A JWT consists of three sections: a header, a payload and a signature. Only the header and payload sections are displayed in the example below.

Header

{
  "kid": "f463bf2c-81a6-4979-82a5-aa5d032b6fe5",
  "alg": "RS256"
}

Payload

{
  "ver": 1,
  "jti": "AT.d405c8b0-2afc-4720-a567-e890fecd28b2",
  "iss": "https://token-server.onegini.com/oauth",
  "aud": "profile-api",
  "iat": 1537437991,
  "nbf": 1537437991,
  "exp": 1537441591,
  "cid": "example-client",
  "scp": [
    "profile",
    "read"
  ],
  "sub": "1c0e2c84-b05f-4c23-9175-c238f70901be",
  "usl": 5
}

The payload of a JWT Access Token contains a number of claims. These claims can be used to validate the Access Token, and they also indicate to whom, and for what, authorization has been granted.

Claim   Description
-----   -----------
ver     Version indication for this Access Token
jti     JWT ID. A unique identifier of this JWT
iss     Issuer of this Access Token
aud     Audiences that this token is intended for
iat     Time the Access Token was issued
nbf     Time before which the Access Token is not valid
exp     Time the Access Token expires
cid     Client ID of the client that requested the Access Token
scp     Array of scopes that were granted for this Access Token
sub     User Identifier
usl     Usage Limit. Integer value that represents the usage limit for this Access Token
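The following is an added example, not code from the Token Server documentation or product, showing how an API could split such a JWT and apply the claim checks listed in the table above using only Python's standard library. It assumes the RS256 signature is verified separately with the key identified by the header's kid; the EXAMPLE_* values are copied from the example token above, and the signature segment is a constructed placeholder.

```python
import base64
import json
import time
# Header and payload copied from the example above; the signature is a CONSTRUCTED
# placeholder, so this token exercises parsing and claim checks, not RS256 verification.
EXAMPLE_HEADER = {"kid": "f463bf2c-81a6-4979-82a5-aa5d032b6fe5", "alg": "RS256"}
EXAMPLE_PAYLOAD = {
    "ver": 1, "jti": "AT.d405c8b0-2afc-4720-a567-e890fecd28b2", "cid": "example-client",
    "iss": "https://token-server.onegini.com/oauth", "aud": "profile-api", "usl": 5,
    "iat": 1537437991, "nbf": 1537437991, "exp": 1537441591, "scp": ["profile", "read"],
    "sub": "1c0e2c84-b05f-4c23-9175-c238f70901be"}

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))  # restore padding

def make_example_token() -> str:
    """Assemble header.payload.signature in compact serialization (placeholder signature)."""
    parts = [json.dumps(EXAMPLE_HEADER).encode(), json.dumps(EXAMPLE_PAYLOAD).encode(), b"placeholder"]
    return ".".join(_b64url_encode(p) for p in parts)

def decode_segments(token: str):
    """Split a compact JWT into (header, payload, signature) WITHOUT verifying it; the caller
    must verify the signature with the key named by header["kid"] before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWT must have exactly three segments")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1])), _b64url_decode(parts[2])

def validate_claims(payload, expected_iss, expected_aud, required_scopes=(), now=None, leeway=30):
    """Return the list of problems with the claims; an empty list means the token is accepted."""
    now = int(time.time()) if now is None else now
    problems = [f"missing claim: {c}" for c in ("iss", "aud", "exp", "nbf", "sub", "scp") if c not in payload]
    if problems:
        return problems
    if payload["iss"] != expected_iss:
        problems.append("issuer mismatch")
    aud = payload["aud"]  # RFC 7519 allows a single string or an array of audiences
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        problems.append("token not intended for this API")
    if now >= payload["exp"] + leeway:  # leeway absorbs clock skew between servers
        problems.append("token expired")
    if now < payload["nbf"] - leeway:
        problems.append("token not yet valid")
    missing = set(required_scopes) - set(payload["scp"])
    if missing:
        problems.append("missing scopes: " + ", ".join(sorted(missing)))
    return problems
```

The scope check enforces only what the API itself requires; usl and the remaining claims are informational here and are left to the Token Server's own accounting.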

Dynamic clients

Due to a limitation on the SDK side, the Token Server issues opaque tokens for dynamic clients.

Example Opaque Access Token

The Token Server generates an opaque access token as a 32-byte value, hex-encoded into a 64-character string.

E19C77561880BBF24F9E60B0D9051401FE2216A93F8683438A0DF2169CFE078F