Konubinix' opinionated web of thoughts

ID Tokens vs Access Tokens

fleeting

ID tokens vs access tokens.

Access tokens are defined in OAuth; ID tokens are defined in OpenID Connect.

https://oauth.net/id-tokens-vs-access-tokens/

  • ID tokens are meant to be read by the OAuth client. Access tokens are meant to be read by the resource server.
  • ID tokens are JWTs. Access tokens can be JWTs but may also be a random string.
  • ID tokens should never be sent to an API. Access tokens should never be read by the client.

https://oauth.net/id-tokens-vs-access-tokens/
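
A resource-server check that enforces the points above, as an added example that is not part of the original note or of oauth.net. It assumes the authorization server issues JWT access tokens in the RFC 9068 profile (`typ: at+jwt`); the HS256 demo key, the audience URL, the client id and both tokens are constructed for illustration, and a real API would verify against the issuer's published asymmetric keys.

```python
import base64, hashlib, hmac, json, time

API_AUDIENCE = "https://api.example.test"  # assumed identifier of this resource server
KEY = b"constructed-demo-key"              # assumed shared key, for the demo only

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(header: dict, claims: dict) -> str:
    """Build a constructed HS256 token for the demo."""
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def check_bearer(token: str) -> str:
    """Decide what the API should do with a presented bearer token."""
    parts = token.split(".")
    if len(parts) != 3:
        return "opaque: validate via introspection"  # random-string access token
    try:
        header, claims = (json.loads(unb64url(p)) for p in parts[:2])
        sig = unb64url(parts[2])
    except ValueError:
        return "reject: malformed"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return "reject: malformed"
    if header.get("alg") != "HS256":  # pin the algorithm, never trust the header's choice
        return "reject: unexpected alg"
    expected = hmac.new(KEY, (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return "reject: bad signature"
    if str(header.get("typ", "")).lower() not in ("at+jwt", "application/at+jwt"):
        return "reject: not an access token (typ)"  # an ID token lands here
    aud = claims.get("aud")
    if API_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return "reject: wrong audience"  # ID tokens carry the client id as audience
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= time.time():
        return "reject: expired or missing exp"
    return "accept"

# Constructed samples: an OIDC ID token and an RFC 9068 access token for the same user.
EXP = int(time.time()) + 300
ID_TOKEN = make_jwt({"alg": "HS256", "typ": "JWT"},
                    {"sub": "u1", "aud": "demo-client", "nonce": "n1", "exp": EXP})
ACCESS_TOKEN = make_jwt({"alg": "HS256", "typ": "at+jwt"},
                        {"sub": "u1", "aud": API_AUDIENCE, "client_id": "demo-client", "exp": EXP})
```

The audience check is what still catches an ID token when the issuer does not set a distinguishing `typ` header.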
