An Access Token is a credential that can be used by an application to access an API. The access token informs the API that the bearer of the token has been authorised to access the API and perform specific actions specified by the scope that has been granted. Access Tokens can be either an opaque string or a JSON Web Token; access tokens issued by our authorisation server are always JSON Web Tokens (JWT).
Access tokens must be kept confidential in transit and in storage. The only parties that should ever see an access token are the application itself, the authorisation server, and the resource server. The application should ensure the storage of the access token is not accessible to other applications on the same device. The access token can only be used over an HTTPS connection, since passing it over a non-encrypted channel would make it trivial for third parties to intercept.
When an access token is used to call an API endpoint. the access token should be used as a Bearer credential and transmitted in an HTTP Authorization header to the API.
Requesting Access Tokens
Please click here to view details of our token endpoint