Overview
This article clarifies the differences between an access token and an ID token.
Applies To
- Access tokens
- ID tokens
- OIDC
Solution
Access tokens
Access tokens are used to grant access to protected resources such as APIs, usually on behalf of a user. They can be either a JWT or an opaque string. If an audience is provided, they will always be a JWT.
When to use:
- For API calls or to access protected resources.
- For delegated authorization.
Not suitable for:
- User authentication (see here for details about the difference between authentication and authorization).
- Providing user profile information directly.
ID tokens
ID tokens are used to authenticate the user and provide user identity information to the application. They are always JWTs.
When to use:
- To verify the user has been authenticated.
- To retrieve user profile information for display in the UI.
- Within the client application only.
Not suitable for:
- Calling APIs or accessing protected resources.
- Making authorization decisions for access.
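The separation described above, as an added example (not code from the original article): an API accepts a JWT only when its aud claim names that API, and a client accepts an ID token only when aud is its own client ID and the nonce matches. HS256 from the standard library stands in for the issuer's real signing, and the issuer URL, API identifier, client ID and function names are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _mac(signing_input, key):
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def sign(claims, key):
    """Mint a constructed HS256 JWT for the demo (stand-in for the issuer)."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64e(_mac(f'{head}.{body}', key))}"

def verified_claims(token, key, issuer):
    """Return claims if signature, alg, issuer and expiry check out, else None."""
    try:
        head, body, sig = token.split(".")  # an opaque token fails here
        if json.loads(_b64d(head)).get("alg") != "HS256":
            return None
        if not hmac.compare_digest(_mac(f"{head}.{body}", key), _b64d(sig)):
            return None
        claims = json.loads(_b64d(body))
        ok = claims.get("iss") == issuer and claims.get("exp", 0) > time.time()
        return claims if ok else None
    except (ValueError, TypeError, AttributeError):
        return None

def _audiences(claims):
    aud = claims.get("aud")  # aud may be a single string or a list of strings
    return [aud] if isinstance(aud, str) else list(aud) if isinstance(aud, list) else []

def api_accepts(token, key, issuer, api_audience):
    """Resource server: accept only tokens whose aud names this API."""
    claims = verified_claims(token, key, issuer)
    return claims is not None and api_audience in _audiences(claims)

def client_accepts(token, key, issuer, client_id, nonce):
    """Client app: the ID token must be for this client and echo its nonce."""
    claims = verified_claims(token, key, issuer)
    return (claims is not None and _audiences(claims) == [client_id]
            and claims.get("nonce") == nonce)

if __name__ == "__main__":
    key, iss, now = b"constructed-demo-key", "https://issuer.example/", time.time()
    id_token = sign({"iss": iss, "aud": "client-123", "exp": now + 300, "nonce": "n-1"}, key)
    print("API accepts ID token:", api_accepts(id_token, key, iss, "https://api.example/"))
```

The client check assumes a single-audience ID token; an opaque access token cannot be checked this way and has to be validated with the issuer instead.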