Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Tokens

Access tokens

search
printsuggest an editpdf paneldownload

Access tokens

An access token is a short-lived credential that an application can use to access an API. Its purpose is to inform that the bearer of this token has been authorized to access a specific API. Access tokens must be sent to an API according to the Bearer token Usage specification. Specifically, the access token must be sent to the API in the HTTP Authorization header.

To obtain an access token, see OAuth endpoints.

copy link to clipboardOpaque tokens

An opaque access token is a random, 32-bytes, hex-encoded, string consisting of 64 characters. It does not contain any information about the validity of the token. The opaque token is returned to all clients of a mobile app and to the web clients that the opaque token is configured for.

Example opaque access token

E19C77561880BBF24F9E60B0D9051401FE2216A93F8683438A0DF2169CFE078F

copy link to clipboardJWTs

The OneWelcome Identity Platform can issue a JSON Web Token (JWT) as an access token. However, the receiver does not have to treat it as a JWT, but can also treat it as an opaque token and present it to the OneWelcome Identity Platform for validation. For details about access token validation, see Token Introspection.

The JWT token is returned when this is configured for a web client. It contains the user identifier when the access token is created for a specific user.

copy link to clipboardExample JWT access token

A JWT contains three sections: a header, a payload, and a signature. Only the header and payload sections are shown in the example below.

copy link to clipboardHeader example

{
  "kid": "f463bf2c-81a6-4979-82a5-aa5d032b6fe5",
  "alg": "RS256"
}

copy link to clipboardPayload example

{
  "ver": 1,
  "jti": "AT.d405c8b0-2afc-4720-a567-e890fecd28b2",
  "iss": "https://tenant.onewelcome.io/oauth",
  "aud": "profile-api",
  "iat": 1537437991,
  "nbf": 1537437991,
  "exp": 1537441591,
  "client_id": "example-client",
  "cid": "example-client",
  "scp": [
    "profile",
    "read"
  ],
  "scope": "profile read",
  "sub": "1c0e2c84-b05f-4c23-9175-c238f70901be",
  "usl": 5
}

copy link to clipboardAccess token claims

The payload of a JWT access token contains a number of claims. These claims can be used to validate the access token but also tell what authorizations have been granted and for whom.

Claim Description
ver Version indication for this access token
jti JWT ID. A unique identifier of this JWT
iss Issuer of this access token
aud Audiences that this token is intended for
iat Time when the access token was issued
nbf Time before which the access token is not valid
exp Time when the access token expires
client_id Client ID of the client that requested the access token
cid [DEPRECATED] Client ID of the client that requested the access token.
scope String value containing a space-separated list of scopes that were granted for this access token.
scp [DEPRECATED] Array of scopes that were granted for this access token.
sub User identifier
usl [DEPRECATED] Usage limit. Integer value that represents the usage limit for this access token.
group_permissions [DEPRECATED] Stringified representation of the user's group memberships and permissions. Requires configuration of delegated administration.
The group_permissions claim is omitted when the size of the JWT access token exceeds the limit. This is to prevent the JWT access token from being used to request data. When a group_permissions is expected, but it exceeds the limit, it can be requested via the token introspection endpoint. This claim is only returned when the OAuth client requesting the access token has the Group permissions version set to Legacy: V1 within its client configuration.
urn:onegini.com:oidc:group_policies User's policies and group memberships. Requires configuration of delegated administration.
The urn:onegini.com:oidc:group_policies claim is omitted when the size of the JWT access token exceeds the limit. This is to prevent the JWT access token from being used to request data. If the length of the token is exceeded, the urn:onegini.com:oidc:group_policies claim can be requested using token introspection or user-info endpoints, or included in the id-token.

On this page