Konubinix' opinionated web of thoughts

ID Tokens vs Access Tokens


ID Tokens vs access token.

they are two different tokens and do totally different things.

and Importantly, we say that they have different audiences. […] the audience of an access token is the resource server, whereas the audience of the id token is the client application.


Access tokens are defined in OAuth, ID tokens are defined in OpenID Connect


  • ID tokens are meant to be read by the OAuth client. Access tokens are meant to be read by the resource server.
  • ID tokens are JWTs. Access tokens can be JWTs but may also be a random string.
  • ID tokens should never be sent to an API. Access tokens should never be read by the client


ID tokens are conceptually analogous to ID cards, in that they contain a set of claims about the user, like name and email. This is different from an access token, which does not include any identifiable information and instead exists to authorize access to resource servers with limited scope


Access Tokens do not include any user information


Possession of the access token is not proof of authentication because access tokens can be acquired in multiple ways. Consider refresh tokens, which a client can exchange for another access token when the original is invalidated. This process occurs automatically between machines and does not involve the human user in any way, so the access token is not a proxy for authentication. ID tokens can only be obtained when the human user explicitly gives a client access to whatever information it requires. In other words, the user must go through the process of “Sign[ing] in with Google,” which only the account holder is capable of doing,assuming credentials have not been compromised


Notes linking here