Access Token.
An OAuth 2.0 credential the client presents to a resource server to access a protected resource, typically a JWT in modern deployments.
Access token lifetime is the single most-tuned variable in OAuth deployments. Too long and theft is catastrophic; too short and the refresh-token round-trip latency hurts UX. The 2026 default of 5–15 minutes is the consensus middle ground.
Common questions
What's the difference between an access token and an ID token?
How long should an access token live?
Should access tokens be JWTs or opaque?
Related terms
In the guides
OAuth 2.1 Explained: What Changed and Why It Matters
OAuth 2.1 consolidates fifteen years of OAuth 2.0 practice into a single coherent specification. What it deprecates, what it requires, and how to migrate existing OAuth 2.0 code.
Session Management: JWTs vs Opaque Tokens, and How to Pick
JWT-based and opaque-token sessions trade off scale against revocability; the 2026 default is hybrid. Patterns, revocation, and where each is the right answer.