What to do with the token

Access Tokens

Access tokens are used in token-based authentication to allow an application to access an API.

The application receives an access token after a user successfully authenticates and authorizes access, then passes the access token as a credential when it calls the target API. The passed token informs the API that the bearer of the token has been authorized to access the API and perform specific actions specified by the scope that was granted during authorization.

For example, if your user authenticates using Facebook, the access token issued by Facebook can be used to call the Facebook Graph API. These tokens are controlled by the IdP and can be issued in any format.

See Identity Provider Access Tokens for details.

Opaque access tokens

Opaque access tokens are tokens in a proprietary format that you cannot access and typically contain some identifier to information in a server's persistent storage. To validate an opaque token, the recipient of the token needs to call the server that issued the token.

If you receive an opaque Access Token, you don't need to validate it. To learn more, see Get Access Tokens.

JWT access tokens, by contrast, are self-contained, so it is not necessary for the recipient to call a server to validate the token.

Management API access tokens

An access token issued for the Auth0 Management API should be treated as opaque (regardless of whether it actually is), so you don't need to validate it.

Access token security

You should follow token best practices when using access tokens, and for JWTs, make sure that you validate an access token before assuming that its contents can be trusted.

We recommend that you set the validity period of your token based on the security requirements of your API. For example, an access token that accesses a banking API should expire more quickly than one that accesses a to-do API.

To learn more, see Update Access Token Lifetime. The length of lifetime depends on the flow used to obtain the token.