Konubinix' opinionated web of thoughts

ID Tokens vs Access Tokens



Access tokens are defined in OAuth; ID tokens are defined in OpenID Connect.


  • ID tokens are meant to be read by the OAuth client. Access tokens are meant to be read by the resource server.
  • ID tokens are JWTs. Access tokens can be JWTs but may also be a random string.
  • ID tokens should never be sent to an API. Access tokens should never be read by the client.
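
As an added example (not part of the original note), here is a resource-server check that accepts only access tokens issued for this API and turns away an ID token presented to it by mistake. It assumes the authorization server issues JWT access tokens per RFC 9068 (header typ "at+jwt"); the audience, client ID, HS256 demo key and sample tokens are constructed so the code runs offline.

```python
import base64, hashlib, hmac, json, time

API_AUDIENCE = "https://api.example.test"  # assumption: this resource server's identifier
CLIENT_ID = "example-client"               # assumption: the OAuth client's id
KEY = b"constructed-demo-key"              # HS256 shared key, only so the demo runs offline

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(header, claims):
    """Stand-in for the authorization server: sign a constructed sample token."""
    body = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    return body + "." + b64url(hmac.new(KEY, body.encode(), hashlib.sha256).digest())

def api_accepts(token):
    """Resource-server check: return (accepted, reason) for a presented bearer token."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "opaque token: introspect it at the authorization server"
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except ValueError:
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed token"
    expected = hmac.new(KEY, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if header.get("alg") != "HS256" or not hmac.compare_digest(signature, expected):
        return False, "bad signature"
    if str(header.get("typ", "")).lower() not in ("at+jwt", "application/at+jwt"):
        return False, "not an access token: typ is not at+jwt"
    aud = claims.get("aud")
    if API_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience is not this API"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= time.time():
        return False, "expired"
    return True, "ok"

# Constructed sample tokens: an ID token (aud = client), an access token (aud = API), an opaque one
exp = int(time.time()) + 300
ID_TOKEN = make_jwt({"alg": "HS256", "typ": "JWT"},
                    {"sub": "user-1", "aud": CLIENT_ID, "exp": exp})
ACCESS_TOKEN = make_jwt({"alg": "HS256", "typ": "at+jwt"},
                        {"sub": "user-1", "aud": API_AUDIENCE, "scope": "read", "exp": exp})
OPAQUE_TOKEN = "constructed-random-string-0001"
```

The ID token is rejected on its typ header before the audience is even looked at, and its audience (the client ID) would fail the next check as well. The opaque token is never parsed, which matches the point that an access token may be a random string.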

