Tokens

There are basically two main types of tokens that are related to identity: ID tokens and access tokens.

ID tokens
For example, if there's an app that uses Google to log in users and to sync their calendars, Google sends an ID token to the app that includes information about the user. The app then parses the token's contents and uses the information including details like name and profile picture to customize the user experience.
Token-based authentication: A token is a piece of data that has no meaning or use on its own, but combined with the correct tokenization system it becomes a vital player in securing your application. Token-based authentication works by ensuring that each request to a server is accompanied by a signed token, which the server verifies for authenticity before it responds to the request.
Be sure to validate ID tokens before using the information they contain. You can use a library to help with this task. Each token contains information for the intended audience, which is usually the recipient.
According to the OpenID Connect specification, the audience of the ID token, indicated by the aud claim, must be the client ID of the application making the authentication request.
If this is not the case, you should not trust the token. In a token with an audience, the aud claim of the token is set to the application's identifier, which means that only this specific application should consume the token. See the JWT Handbook for more information.

Access tokens

Access tokens, which aren't always JWTs, are used to inform an API that the bearer of the token has been authorized to access the API and perform a predetermined set of actions, specified by the scopes granted.
In the Google example above, Google sends an access token to the app after the user logs in and provides consent for the app to read or write to their Google Calendar. Access tokens must never be used for authentication. Access tokens cannot tell if the user has authenticated. The only user information the access token possesses is the user ID, located in the sub claim. In your applications, treat access tokens as opaque strings, since they are meant for APIs.
Your application should not attempt to decode them or expect to receive tokens in a particular format. An access token only contains authorization information about which actions the application is allowed to perform at the API (the scope claim). This is what makes it useful for securing an API, but not for authenticating a user.
Specialized tokens

There are three specialized tokens used in Auth0's token-based authentication scenarios:
Refresh tokens: A token used to obtain a renewed access token without having to re-authenticate the user.
IDP access tokens: Access tokens issued by identity providers after user authentication that you can use to call the third-party APIs.