An access token is a credential a client presents on a request to prove it is authorized to reach a protected resource (API).
It's typically issued in an OAuth 2.0 flow and sent in the `Authorization: Bearer <token>` header.
As the name 'Bearer token' implies, whoever holds it can exercise its privileges — so a leaked token means account takeover, making HTTPS transport, short lifetimes, and secure storage essential. Access tokens come in two forms: (1) opaque tokens: a random string the server validates by looking it up (introspection), easy to revoke instantly; (2) self-contained tokens: usually JWTs, valid and authorized by signature verification alone — fast, needing no lookup, but hard to revoke immediately.
Lifetime management matters: keep access tokens short (minutes to an hour) to limit leak damage, and when they expire, obtain a new one using a longer-lived refresh token. Refresh tokens are more sensitive, so protect them with server-side storage, rotation, and device binding. Storage location is a direct security concern — localStorage readable by JS is vulnerable to XSS, while HttpOnly cookies resist XSS but need CSRF defense (SameSite). Pre-validating tokens at an API gateway avoids duplicating auth logic in every backend.