What is an Authentication Token?
A piece of data that proves a user's identity to a system, typically issued after successful login and used for subsequent requests.
Tokens replace passwords for the rest of a session: you authenticate once, then present the token on each subsequent request.
Types
- Session tokens: Server-stored, referenced by cookie
- JWT (JSON Web Tokens): Self-contained, signed, stateless
- Bearer tokens: Whoever possesses the token is authenticated
- Refresh tokens: Long-lived tokens used to obtain new access tokens
Security
- Tokens should be transmitted over HTTPS only
- Set appropriate expiration times
- Store tokens securely (HttpOnly cookies, not localStorage)
- Implement token revocation for logout and compromise
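The following is an added example, not code from the original page: a minimal HS256-signed, self-contained token (the JWT shape from the Types list) with the expiry, revocation and HttpOnly/Secure cookie handling from the Security list. The key, token ids and cookie name are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key; a real service loads a random key from a secret store.
SECRET = b"constructed-demo-secret-key"
REVOKED = set()  # ids (jti) of tokens revoked at logout or after compromise

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user, jti, ttl_seconds, now=None):
    """Issue a compact HS256-signed token (header.payload.signature) with an expiry."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user, "jti": jti, "iat": now, "exp": now + ttl_seconds}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token, now=None):
    """Return the claims if signature, expiry and revocation checks pass, else None."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
        # Recompute the MAC and compare in constant time; the 'alg' field inside
        # the token is never trusted, the server always applies its own HS256 key.
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
        if not isinstance(claims, dict):
            return None
    except ValueError:  # malformed base64/JSON or wrong number of segments
        return None
    if now >= claims.get("exp", 0):       # expired: reject
        return None
    if claims.get("jti") in REVOKED:      # revoked at logout / compromise: reject
        return None
    return claims

def revoke_token(token):
    """Logout or compromise: record the id so a stateless token can still be rejected."""
    REVOKED.add(json.loads(_b64url_decode(token.split(".")[1]))["jti"])

def session_cookie_header(token, ttl_seconds):
    """Set-Cookie value that keeps the token out of JavaScript and off plain HTTP."""
    return (f"access_token={token}; HttpOnly; Secure; SameSite=Strict; "
            f"Max-Age={ttl_seconds}; Path=/")
```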
Related Terms
OAuth 2.0
An authorization framework that allows third-party applications to access user accounts without sharing passwords, using access tokens instead.
Session Hijacking
An attack where an attacker steals or predicts a valid session token to gain unauthorized access to a user's authenticated session. Once hijacked, the attacker can act as the legitimate user without knowing their password.
Time-Based One-Time Password (TOTP)
A two-factor authentication method that generates temporary codes based on the current time and a shared secret, used by apps like Google Authenticator.