Tokens
When a user or application completes an OAuth 2.0 or OpenID Connect flow with WSO2 Identity Server, the server issues tokens. Each token type has a distinct role and a specific intended consumer.
| Token | Consumed by | Purpose |
|---|---|---|
| Access token | Resource server (API) | Authorize the client to access a protected resource |
| Refresh token | Authorization server token endpoint | Get new access tokens without re-authentication |
| ID token | Client application | Verify the identity of the authenticated user |
Note:
- Configure OIDC settings to set token types, expiry times, and other per-application token behavior.
- Learn how token binding securely links access tokens to the client that requested them.
Access tokens
An access token is a short-lived credential that a client presents to a resource server to prove authorization to act on behalf of a user or application.
Learn more about access tokens, including supported token types, validation behavior, and token lifetime. To configure access token settings for your application, see OIDC settings for apps.
Refresh tokens
A refresh token is a longer-lived credential. Clients exchange it for a new access token after the current one expires, without requiring re-authentication.
Learn more about refresh tokens, including rotation behavior and graceful rotation runtime rules. To configure refresh token settings for your application, see OIDC settings for apps.
ID tokens
An ID token is a signed JWT issued by WSO2 Identity Server as part of an OpenID Connect authentication flow. The client application uses it to verify who authenticated, how, and when — ID tokens must not be sent to resource servers as authorization credentials.
Learn more about ID tokens, including their claims and encryption mechanics. To configure ID token settings for your application, see OIDC settings for apps.
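The consumer separation described on this page, shown as an added resource-server check (example code, not part of WSO2 Identity Server): it accepts only a signed JWT that is typed as an access token and addressed to this API, and rejects an ID token even though it carries a valid signature. It assumes the JWT access token profile of RFC 9068 (header `typ` of `at+jwt`), an assumed resource identifier `https://api.example.com`, and a constructed HMAC key standing in for the issuer's signing key.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key shared with the issuer. A real resource server verifies
# the issuer's asymmetric signature with its published JWKS instead.
DEMO_KEY = b"constructed-demo-hmac-key"
API_AUDIENCE = "https://api.example.com"  # assumed identifier of this resource server

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(header: dict, claims: dict) -> str:
    """Build an HS256 JWT with the demo key (stands in for the authorization server)."""
    segs = [_b64url(json.dumps(header, separators=(",", ":")).encode()),
            _b64url(json.dumps(claims, separators=(",", ":")).encode())]
    sig = hmac.new(DEMO_KEY, ".".join(segs).encode(), hashlib.sha256).digest()
    return ".".join(segs + [_b64url(sig)])

def authorize_request(token: str, now=None):
    """Resource-server check: accept only a valid access token meant for this API."""
    try:
        h, c, s = token.split(".")
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(DEMO_KEY, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    header, claims = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(c))
    # An ID token is also a signed JWT, but it is addressed to the client
    # (aud = client_id) and is not typed as an access token, so it must never
    # authorize an API call even though its signature verifies.
    if header.get("typ") != "at+jwt":
        return False, "not an access token (typ is %r)" % header.get("typ")
    aud = claims.get("aud")
    if API_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return False, "token not intended for this resource server"
    if claims.get("exp", 0) <= (now if now is not None else int(time.time())):
        return False, "token expired"
    return True, "ok"

# Constructed sample tokens with a fixed clock so the outcome is deterministic.
NOW = 1_700_000_000
ACCESS_TOKEN = sign_jwt({"alg": "HS256", "typ": "at+jwt"},
                        {"iss": "https://idp.example.com", "aud": API_AUDIENCE,
                         "sub": "user-1", "scope": "read", "exp": NOW + 3600})
ID_TOKEN = sign_jwt({"alg": "HS256", "typ": "JWT"},
                    {"iss": "https://idp.example.com", "aud": "client-app-id",
                     "sub": "user-1", "nonce": "n-123", "exp": NOW + 3600})
```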