1. Originally the term referred to a Windows operating system security concept (it still does). An access token contains the security information of a logon session. When a user logs on, the system creates an access token, and every process run on behalf of that user carries a copy of it. A token identifies the user, the user's groups and the user's privileges; the system uses it to decide which securable objects the user can access and which system operations the user may perform. There are two kinds of token: the primary token, which is associated with a process, and the impersonation token, which is associated with a thread that is impersonating another security context. The token a process holds therefore determines the privileges with which that process runs.
2. Nowadays, access tokens are mostly short-lived tokens in OAuth 2.0 protocol.
Let's explain the OAuth 2.0 protocol first:
OAuth (OAuth 2.0) is an open standard that lets users authorize a third-party application to access private resources they store on a website (such as photos, videos or contact lists) without giving that application their user name and password. OAuth 2.0 is the updated version of OAuth 1.0; in October 2012 it was officially published as RFC 6749.
About the OAuth 2.0 bearer token:
OAuth 2.0 provides an authentication method that carries no cryptographic signature and builds on the existing cookie-based authentication architecture. The token is sent as a shared secret over HTTPS, replacing OAuth 1.0's scheme of signing each request with an HMAC over the token secret. This lets cURL and other simple scripting tools make API calls without reproducing the original request-signing procedure. The server issues an access token with a short validity period together with a refresh token with a long lifetime. The refresh token lets the client obtain a new access token without the user acting again, while still limiting the validity period of each access token.
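The exchange described above, as an added example that is not part of the original text: a minimal in-process model of an OAuth 2.0 authorization server that issues a short-lived bearer access token and a long-lived refresh token, a resource server that accepts any live bearer token from the `Authorization` header, and a client that refreshes once the access token expires. The lifetimes, the introspection helper, the hashing of tokens at rest, and the rotation of a used refresh token are assumptions of this example (rotation is recommended practice but is not stated on the page); a fake clock is injected so expiry can be exercised deterministically.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, List, Optional, Tuple

ACCESS_TTL = 300               # short-lived access token, seconds (assumed value)
REFRESH_TTL = 30 * 24 * 3600   # long-lived refresh token, seconds (assumed value)


def _digest(token: str) -> str:
    # Keep only a hash of each token server-side, so a leaked token table is not directly usable.
    return hashlib.sha256(token.encode()).hexdigest()


class AuthorizationServer:
    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self._access: Dict[str, dict] = {}    # sha256(token) -> {"sub", "exp"}
        self._refresh: Dict[str, dict] = {}   # sha256(token) -> {"sub", "exp"}

    def _grant(self, subject: str) -> dict:
        # Token response of RFC 6749 section 5.1: opaque random strings, no signature.
        now = self.clock()
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._access[_digest(access)] = {"sub": subject, "exp": now + ACCESS_TTL}
        self._refresh[_digest(refresh)] = {"sub": subject, "exp": now + REFRESH_TTL}
        return {"access_token": access, "token_type": "Bearer",
                "expires_in": ACCESS_TTL, "refresh_token": refresh}

    def token_for_user(self, subject: str) -> dict:
        """Token response once the user has authorized the client (grant step elided)."""
        return self._grant(subject)

    def refresh(self, refresh_token: str) -> Optional[dict]:
        """Refresh grant: trade a valid refresh token for a new token pair.
        The used refresh token is discarded (rotation), so replaying it fails."""
        entry = self._refresh.pop(_digest(refresh_token), None)
        if entry is None or entry["exp"] <= self.clock():
            return None
        return self._grant(entry["sub"])

    def introspect(self, access_token: str) -> dict:
        """Introspection-style answer: active only while the token is unexpired."""
        entry = self._access.get(_digest(access_token))
        if entry is None or entry["exp"] <= self.clock():
            return {"active": False}
        return {"active": True, "sub": entry["sub"]}


class ResourceServer:
    def __init__(self, auth: AuthorizationServer):
        self.auth = auth

    def handle(self, headers: Dict[str, str]) -> Tuple[int, str]:
        """Return (status, body). Whoever presents a live token is served: a bearer
        token proves nothing about its holder, which is why it must only travel over TLS."""
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not token:
            return 401, "WWW-Authenticate: Bearer"
        info = self.auth.introspect(token)
        if not info["active"]:
            return 401, 'WWW-Authenticate: Bearer error="invalid_token"'
        return 200, f"photos of {info['sub']}"


def run_scenario() -> List:
    """Drive the exchange under a fake clock; returns the sequence of outcomes."""
    now = [1_700_000_000.0]
    auth = AuthorizationServer(clock=lambda: now[0])
    api = ResourceServer(auth)
    out: List = []

    grant = auth.token_for_user("alice")                 # constructed user
    hdr = {"Authorization": f"Bearer {grant['access_token']}"}
    out.append(api.handle(hdr)[0])                       # 200: fresh access token

    now[0] += ACCESS_TTL + 1                             # access token expired, refresh still valid
    out.append(api.handle(hdr)[0])                       # 401: invalid_token

    renewed = auth.refresh(grant["refresh_token"])
    hdr = {"Authorization": f"Bearer {renewed['access_token']}"}
    out.append(api.handle(hdr)[0])                       # 200: renewed without user interaction

    out.append(auth.refresh(grant["refresh_token"]) is None)   # True: used refresh token rejected

    now[0] += REFRESH_TTL + 1
    out.append(auth.refresh(renewed["refresh_token"]) is None)  # True: refresh token expired
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The resource server never verifies an HMAC or any other signature; it only asks whether the presented string is a currently valid token, which is exactly what makes bearer tokens easy to use from scripts and what makes transport protection (HTTPS) and a short access-token lifetime essential.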