Chapter 6. Access Token Design
We can’t emphasize enough the importance of the access token. That is why we focus on it for two consecutive chapters. In this chapter we talk about the token itself, how to design access tokens to best serve your APIs. In Chapter 7 we cover exposing access tokens to the outside world. We divided the content into two chapters so that you can reference it and get back to it more easily, but we think that you should study both chapters to understand the different aspects of the access token and how they impact your APIs’ security.
The access token is always related to a set of claims that your APIs use to make authorization decisions. The token can contain the claims as a payload or it can serve as a reference to them. Whatever your case, it is important that you understand how to design these claims — what information you should eventually associate with the token ...
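The two token styles named above can be made concrete with a small added example, which is not code from the book or from any particular OAuth library. It issues the same set of claims once as a self-contained token (claims carried in the payload and protected by an HMAC, in the style of an HS256 JWS) and once as a reference token (an opaque handle that the API resolves against a store), then runs the same authorization check over whichever claims come back. The signing key, the in-memory store and the claim values are constructed for the demonstration; a real deployment would keep the key in a key-management system and the store in the authorization server (typically reached through token introspection).

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed demo key; not a real secret and not suitable for production use.
SIGNING_KEY = b"demo-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- By value: the claims travel inside the token ---------------------------
def issue_by_value(claims: dict) -> str:
    """Serialize the claims as header.payload.signature, signed with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}"
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def resolve_by_value(token: str) -> Optional[dict]:
    """Return the claims only if the signature verifies; None for anything tampered or malformed."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm so a header the client controls cannot change how we verify.
    if header.get("alg") != "HS256":
        return None
    return json.loads(_b64url_decode(p))


# --- By reference: the token is an opaque handle, the claims live elsewhere ---
_TOKEN_STORE: dict = {}  # constructed stand-in for the authorization server's token store


def issue_by_reference(claims: dict) -> str:
    """Hand out a random handle; the claims never leave the issuer."""
    handle = secrets.token_urlsafe(32)
    _TOKEN_STORE[handle] = dict(claims)
    return handle


def resolve_by_reference(token: str) -> Optional[dict]:
    """Look the handle up (what token introspection would do); unknown handles yield None."""
    return _TOKEN_STORE.get(token)


# --- The API's authorization decision is the same in both cases ---------------
def authorize(claims: Optional[dict], audience: str, required_scope: str, now: Optional[float] = None) -> bool:
    """Accept only unexpired claims meant for this API that carry the required scope."""
    if claims is None:
        return False
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if audience not in audiences:
        return False
    return required_scope in claims.get("scope", "").split()


if __name__ == "__main__":
    # Constructed sample claims for a caller of a hypothetical orders API.
    claims = {"sub": "alice", "aud": "orders-api", "scope": "orders:read", "exp": int(time.time()) + 3600}
    jwt_like = issue_by_value(claims)
    handle = issue_by_reference(claims)
    print("by value  :", authorize(resolve_by_value(jwt_like), "orders-api", "orders:read"))
    print("by ref    :", authorize(resolve_by_reference(handle), "orders-api", "orders:read"))
    print("wrong aud :", authorize(resolve_by_value(jwt_like), "billing-api", "orders:read"))
```

The point the example makes is that the authorization logic in `authorize` does not care which style delivered the claims; what differs is where trust comes from. With the by-value token the API must verify the signature (and pin the algorithm) before it may believe the payload, whereas with the reference token the API trusts the store it resolves against, and a handle that is not in the store carries no claims at all.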