Chapter 7. Secure Access Tokens

Access tokens are essentially text strings that serve as message credentials. You design them to enable your APIs to authorize requests. In some ways, access tokens are similar to API keys but access tokens are much more versatile, offering features such as expiration, limited scope of access, or revocation. They enable an end-to-end security solution that meets the main security requirements of both APIs and clients. In our experience, developers and architects do not often fully understand the best practices for using access tokens securely.

Therefore, in this chapter, we provide an end-to-end set of security requirements for your access tokens that considers both APIs and clients. We explain the different token formats you can use so that clients receive access tokens that do not reveal sensitive data, while APIs receive access tokens that enable them to authorize ...