Access Token
// Definition
A short-lived credential a client sends with each request to access protected resources, often a JWT carried in an Authorization header. Because it grants access, it must be transmitted securely, expire reasonably, and never contain sensitive data in a readable payload. QA checks: a missing, invalid or expired access token is rejected with 401, and a token belonging to one user cannot access another user's data.
// Related terms
Refresh Token
A longer-lived credential used to obtain a new access token when the current one expires, without forcing the user to log in again. Because it is more powerful than an access token, it should be stored securely, be revocable, and be invalidated on logout or password change. QA checks: after logout or a password reset, a previously issued refresh token can no longer mint new access tokens where the product requires it.
JWT
JSON Web Token — a compact, URL-safe token format for transmitting claims between parties. A JWT has three Base64URL-encoded sections separated by dots: header (signing algorithm), payload (claims like `sub`, `exp`, `roles`), and signature. Because the payload is encoded but not encrypted, any holder of the token can read the claims — never store secrets in a JWT payload. Test JWTs by checking expiry enforcement, algorithm validation (reject `alg: none`), and rejection of tampered signatures.
Token
A portable credential — typically a signed string — that a server issues and a client presents on subsequent requests to prove identity or authorisation. Tokens are stateless alternatives to server-side sessions; the server can verify them without a database lookup. Common forms: opaque bearer tokens (random strings referenced in a database), JWTs (self-contained with claims and a signature), and OAuth access tokens (short-lived grants scoped to specific resources). Key testing considerations: token expiry, revocation, scope enforcement, and transmission security (HTTPS-only, no logging).
Authorization
The process of determining what an authenticated caller is permitted to do. Where authentication answers "who are you?", authorization answers "what are you allowed to do?" Common models include role-based access control (RBAC), attribute-based access control (ABAC), and scope-based delegation (OAuth). Testing authorization means verifying that every protected action enforces its policy — including negative cases where a lower-privileged user is explicitly denied access rather than silently downgraded.
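The access-token QA checks (missing, invalid or expired token rejected with 401; one user's token cannot reach another user's data), the JWT validation checks (expiry, pinned algorithm, tampered signature) and the negative authorization case above can all be exercised against one small verifier. The code below is an added example, not part of the glossary: it implements HS256 JWT minting and verification from the standard library only, and an `authorize_user_resource` helper that models a request for `/users/<owner_id>/...`. The secret, the claim values and the choice of 403 for a cross-user request are constructed assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret; a real service loads this from a secret store.
SECRET = b"demo-hs256-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Issue an HS256 JWT: header.payload.signature, each part Base64URL."""
    signing_input = _encode_json({"alg": "HS256", "typ": "JWT"}) + "." + _encode_json(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def unsigned_token(claims: dict) -> str:
    """QA test vector only: an `alg: none` token with an empty signature, which a verifier must reject."""
    return _encode_json({"alg": "none", "typ": "JWT"}) + "." + _encode_json(claims) + "."


class TokenError(Exception):
    pass


def verify_token(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Return the claims if the token is valid; raise TokenError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        raise TokenError("malformed")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenError("malformed")
    # Pin the algorithm server-side: the header is attacker-controlled input,
    # so `alg: none` and any other algorithm are rejected outright.
    if header.get("alg") != "HS256":
        raise TokenError("unsupported alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        raise TokenError("bad signature")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        raise TokenError("missing exp")
    if (now if now is not None else time.time()) >= exp:
        raise TokenError("expired")
    return claims


def authorize_user_resource(token: Optional[str], owner_id: str, now: Optional[float] = None) -> int:
    """HTTP status for a request touching owner_id's data:
    401 when the token is missing/invalid/expired, 403 when it belongs to
    another user (assumed status for the demo), 200 otherwise."""
    if not token:
        return 401
    try:
        claims = verify_token(token, now=now)
    except TokenError:
        return 401
    if claims.get("sub") != owner_id:
        return 403
    return 200


if __name__ == "__main__":
    now = time.time()
    alice = mint_token({"sub": "alice", "exp": now + 300})
    print("own data:", authorize_user_resource(alice, "alice"))
    print("other user's data:", authorize_user_resource(alice, "bob"))
    print("alg none:", authorize_user_resource(unsigned_token({"sub": "bob", "exp": now + 300}), "bob"))
```

The `now` parameter exists so expiry can be tested deterministically; production callers leave it unset. Note that the verifier ignores whatever algorithm the header names and compares against its own pinned choice, which is what "reject `alg: none`" means in practice.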