What is an Access Token? What is it used for?

6

What exactly is an Access Token?

What is an Access Token in an API application?

I would like an answer for Node.js, but I believe that API creation exists in several languages, so I do not think it needs to be only for JavaScript (Node.js).

asked by anonymous 24.01.2017 / 02:36

1 answer

7

This word has several meanings in various contexts of computing. I think what you really want to know is "access token"? (The question was edited later to include the term.)

It's very simple: it's your password to access the API (using your term). Usually you buy the right to use a service, usually a web one. It is required just as you need a password here on this site, on Facebook, on a control panel for some service, etc., because you need to:

  • ensure that only the right person will use it,
  • count usage against the right person if you have limits,
  • verify that this person is using the service properly,
  • allow only those who own certain data to access it.

If you are going to access it mechanically through a system and not interactively, you do not have to ask for a username and password, although nothing prevents it from being that way. Since it will not be something the person has to keep remembering and typing, it can be very long and very complex; hence there is no need for two access tokens (user and password), one of which is usually the most obvious name and the other of which depends on each person, who often picks something easy to remember. You can make a virtually indecipherable code right away.

There are cases where the token carries extra information that may help with authorization. The most important thing is that it is unique. It is used in all service requests. Do not confuse it with a session token or a security token.

Obviously this does not give much security; we're talking about authentication for access, not security. This code travels across the internet, it is put into systems, and before you know it the unsuspecting programmer puts that token publicly on the internet. It happens here often. Each one should be responsible for ensuring that it is not accessed improperly.

It does not guarantee against misuse, either because the token owner passed it on to another person to use, or because he did not take enough care of it and it was stolen.

I do not like the term API that everyone uses in this context. API is something else. People access a service, usually external, usually using web technologies, to access data, run certain processes, use certain technologies, etc. It's true that the person is accessing the service via an API, but the service is not an API, even though people think it is.

There is no API application. There is an API for an application.

24.01.2017 / 10:56