We hear the term “access tokens” whenever we talk about authentication. But what are these in the first place? Let’s figure this out.
What Are Access Tokens?
An access token is a credential that a web application presents in order to be granted access to specific resources.
These access tokens are issued as JSON Web Tokens (JWTs) and are sent over HTTPS, which protects them while in transit.
They are used in token-based authentication. Once you have authenticated successfully, the web application receives an access token, and from then on every API call the app makes carries that token as its credential.
The basic structure of a web token consists of the following parts, separated by dots (.):
1. Header: this again consists of two parts: the token type (JWT) and the signing algorithm in use (for example HMAC SHA256, which the header names as HS256). Here’s an example: { "alg": "HS256", "typ": "JWT" }
2. Payload: this contains the claims. Claims are statements about an entity (like a user) together with some additional data. Claims can be registered, public or private. Here’s an example payload (note that every field but the last is followed by a comma):
{
"sub": "1234567890",
"name": "John Doe",
"admin": true
}
3. Signature: here, the Base64-URL-encoded header and payload are joined with a dot and signed, using a secret, with the algorithm named in the header; the result is the signature. For example, here’s how the signature is computed with the HMAC SHA256 algorithm:
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
secret)
Putting it together, the output web token is three Base64-URL strings separated by dots:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaXNTb2NpYWwiOnRydWV9.
4pcPyMD09olPSyXnrXCjTwXyr4BsezdI1AVTmud2fU4
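As an added example (not code from the original post), here is a minimal HS256 signer and verifier built only from Python's standard library that follows the three steps above; the secret used with it is a constructed demo value, and the verifier fixes the algorithm it accepts itself instead of trusting whatever the token's header claims.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    """Base64-URL encode without the '=' padding, as JWTs require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding the decoder needs."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Build header.payload.signature exactly as described above."""
    header = {"alg": "HS256", "typ": "JWT"}
    # Compact JSON (no spaces) is what real tokens carry.
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, secret: bytes) -> dict:
    """Return the payload only if the signature is valid; raise otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three dot-separated parts")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # The verifier decides which algorithm is acceptable, never the token.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(secret, (h + "." + p).encode(), hashlib.sha256).digest()
    # Constant-time comparison so a mismatch leaks nothing through timing.
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("signature does not match")
    return json.loads(b64url_decode(p))


def decode_unverified(token: str) -> tuple:
    """Show what a token carries; Base64 is encoding, not secrecy."""
    h, p, _ = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))
```

Decoding the example token above with decode_unverified shows its payload reads {"sub": "1234567890", "name": "John Doe", "isSocial": true}, which anyone holding the token can see; only verify_hs256 tells you whether it was issued by the holder of the secret.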