Authentication is the process of verifying who the user is (their identity), not what they are allowed to access.
Authorization determines what an authenticated user can and cannot access.
A JWT consists of three parts separated by dots (.):
- Header: two fields, the type of the token (JWT) and the signing algorithm (HS256 in the example below)
- Payload: contains the claims. Claims are statements about an entity (typically, the user) plus additional data such as iat (issued at) and exp (expiry). The payload is only base64url-encoded, not encrypted, so anyone holding the token can read it and it must not carry secrets
- Signature: the signing algorithm from the header applied to the base64url-encoded header and payload joined with a dot, using the server's secret key (HMAC) or private key. The signature is what lets the server detect a modified header or payload; without checking it, the claims mean nothing
xxxxx.yyyyy.zzzzz
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoiNjI5ODUxNTcyODdiNzkyNTNmYzE5YjM1IiwiZW1haWwiOiJzdWRhbUBnbWFpbC5jb20iLCJpYXQiOjE2NTQxNTcwMjAsImV4cCI6MTY1NDE2NDIyMH0.CZ01aCZfpF0k8Pdvun4SJWtOE_EJl6gZusr91csHnQc
Access tokens are used as bearer tokens. A bearer token means that whoever holds it (the bearer) can access the authorized resources without any further proof of identity, so a stolen token is as good as the user's session: send it only over TLS and never write it to logs or URLs.
Access tokens have a short lifespan for this reason: a leaked one is only useful until it expires. When it expires, the client must obtain a new one, either by authenticating again or by presenting a refresh token.
A refresh token is long-lived compared to the access token and is used to request a new access token when the access token has expired, without making the user log in again. Because it is long-lived, it must be stored and transmitted even more carefully than the access token, and it should never be accepted where an access token is expected.
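As a worked example covering both the token layout above and the access/refresh flow (added here; it is not part of the original notes): the block decodes the sample token's header and payload without any key, showing that the payload is readable by anyone, then mints and verifies HS256 tokens of its own. The secret `SECRET`, the claim name `token_use`, the lifetimes `ACCESS_TTL` and `REFRESH_TTL`, and the function names are all assumptions for this example. The sample token's real signing secret is unknown, so only tokens the block issues itself can be verified.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# The sample token from the notes above. Its signing secret is unknown, so we
# can decode it but not verify it.
EXAMPLE_JWT = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJ1c2VyX2lkIjoiNjI5ODUxNTcyODdiNzkyNTNmYzE5YjM1IiwiZW1haWwiOiJzdWRhbUBnbWFpbC5jb20iLCJpYXQiOjE2NTQxNTcwMjAsImV4cCI6MTY1NDE2NDIyMH0."
    "CZ01aCZfpF0k8Pdvun4SJWtOE_EJl6gZusr91csHnQc"
)

# Assumed server-side secret and lifetimes for this example only.
SECRET = b"example-hs256-secret-do-not-reuse"
ACCESS_TTL = 15 * 60           # 15 minutes: short-lived access token
REFRESH_TTL = 7 * 24 * 3600    # 7 days: long-lived refresh token


def b64url_encode(data: bytes) -> str:
    """JWT uses base64url without '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    """Restore the padding the encoder stripped, then decode."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """Return (header, payload). No key needed: the payload is encoded, not encrypted."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def sign_hs256(key: bytes, signing_input: bytes) -> str:
    """Signature = base64url(HMAC-SHA256(key, header_b64 + '.' + payload_b64))."""
    return b64url_encode(hmac.new(key, signing_input, hashlib.sha256).digest())


def issue_token(key: bytes, claims: dict, ttl: int, token_use: str, now: Optional[int] = None) -> str:
    """Mint an HS256 JWT. 'token_use' (assumed claim name) marks access vs refresh."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {**claims, "token_use": token_use, "iat": now, "exp": now + ttl}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(payload))
    return signing_input + "." + sign_hs256(key, signing_input.encode())


def verify_token(key: bytes, token: str, expected_use: str, now: Optional[int] = None) -> dict:
    """Check structure, pinned algorithm, signature, expiry and token type; return the claims."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the verifier decides how to verify, never the token.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = sign_hs256(key, f"{header_b64}.{payload_b64}".encode())
    # Constant-time comparison so timing does not leak signature bytes.
    if not hmac.compare_digest(expected.encode(), signature_b64.encode()):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        raise ValueError("expired")
    # A refresh token must not be usable as an access token, or vice versa.
    if payload.get("token_use") != expected_use:
        raise ValueError("wrong token type")
    return payload


def refresh_access_token(key: bytes, refresh_token: str, now: Optional[int] = None) -> str:
    """Exchange a valid refresh token for a new access token without re-authentication."""
    claims = verify_token(key, refresh_token, "refresh", now)
    user = {"user_id": claims["user_id"], "email": claims["email"]}
    return issue_token(key, user, ACCESS_TTL, "access", now)


if __name__ == "__main__":
    print(decode_unverified(EXAMPLE_JWT))  # readable with no key at all
    t0 = int(time.time())
    user = {"user_id": "62985157287b79253fc19b35", "email": "sudam@gmail.com"}
    access = issue_token(SECRET, user, ACCESS_TTL, "access", t0)
    refresh = issue_token(SECRET, user, REFRESH_TTL, "refresh", t0)
    print(verify_token(SECRET, access, "access", t0 + 60)["email"])
    # Access token expired: mint a new one from the refresh token instead of logging in again.
    print(verify_token(SECRET, refresh_access_token(SECRET, refresh, t0 + ACCESS_TTL + 5), "access", t0 + ACCESS_TTL + 6)["exp"])
```

Decoding the sample token yields the header `{"alg":"HS256","typ":"JWT"}` and a payload whose `exp` is exactly 7200 seconds after `iat`, a two-hour access token. The `token_use` check matters in the refresh flow: without it, a long-lived refresh token presented as a bearer token would pass signature and expiry checks and act as a two-hour token that never really expires.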