An access token is a credential that enables authentication and authorization to protected resources: it identifies the caller and carries the permission level granted for those resources.
For example, DigitalOcean API users pass the API an access token that verifies that their requests are from a legitimate user associated with their account.
Access tokens may take different formats, such as JSON Web Tokens (JWTs) or OAuth tokens. These formats typically consist of strings of characters that encapsulate the necessary information, such as the user’s identity, authorized permissions, or relevant metadata. To ensure the integrity of the token and prevent tampering, the access token is also digitally signed.
Access tokens are designed to be stateless, ensuring that the server validating the token does not need to maintain a session state or store token-specific information. Typically, access tokens have an expiration date to reduce the risk of unauthorized access if the token is compromised. If the access token expires, the user must request a new access token through an authentication process. However, if necessary, the platform may revoke a user’s access token before the expiration date if the token is compromised or invalidated.
You can set a DigitalOcean API token to expire after 30, 60, or 90 days or 1 year. We recommend setting expiration dates on your API tokens to help maintain your account’s security.
Access Token Example:
A personal access token (PAT) is associated with a single user rather than an application or system. PATs are user-specific, meaning that the information stored within the access token is tied to the user’s identity. This information may encapsulate unique authentication and authorization to the system requiring the PAT, such as a system exposing an API. The platform or service provider generates the PAT for the user and often includes configurable scopes or permissions within the system or service. The PAT defines the specific actions or resources that the user can access.
A bearer token is a type of access token used in authentication and authorization protocols. The client presents its bearer token as proof of authentication to the server, and the server is then responsible for verifying the token and authorizing the request based on it. As the name implies, whoever holds the token can use it, so it must be protected like a password. Token-based authentication of this kind replaces other methods of authentication, such as a username and password. The DigitalOcean API uses this type of token to authenticate requests from users.
Bearer tokens are treated as sensitive information, and Transport Layer Security (TLS) encryption is commonly used to protect them while they are transmitted over networks. In HTTP requests to servers, bearer tokens are usually included in the request’s Authorization header field.
Example of a GET request using a bearer token:
GET /api/resource HTTP/1.1
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFjY2VzcyBUb2tlbiIsImlhdCI6MTUxNjIzOTAyMn0.EG0V7GZNl4Fs3rGcYDXMUGgb_0u1k7YfAWv2QQ8h9M8
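The following example, added here and not part of the original page or of the DigitalOcean API, shows what a server does with the request above: it parses the Authorization header, verifies the JWT signature (HS256, the algorithm the sample token above declares), rejects expired tokens, and checks that the token carries the scope the action needs. The secret, timestamp and claims are constructed demo values, and the scope-as-space-separated-string convention is an assumption for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue a compact JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_bearer(headers: dict, secret: bytes, required_scope: str, now=None):
    """Return the token's claims if the request is authorized, else None."""
    # Checks, in order: Bearer scheme, three-part JWT, pinned alg, signature, expiry, scope.
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    parts = token.split(".")
    if scheme != "Bearer" or len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
            return None  # never trust an alg chosen by the client; pin the one you issue
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None  # payload or signature was altered after issuance
        claims = json.loads(b64url_decode(payload_b64))
        exp, scopes = claims.get("exp"), str(claims.get("scope", "")).split()
    except (ValueError, AttributeError):  # bad base64/JSON, or JSON that is not an object
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(exp, int) or now >= exp:
        return None  # missing or past expiry: the caller must obtain a fresh token
    if required_scope not in scopes:
        return None  # token is genuine but not authorized for this action
    return claims

# Constructed demo values (not real credentials).
SECRET = b"constructed-demo-signing-secret"
NOW = 1_700_000_000
TOKEN = sign_hs256({"sub": "1234567890", "scope": "read write", "iat": NOW - 60, "exp": NOW + 3600}, SECRET)

if __name__ == "__main__":
    print(verify_bearer({"Authorization": f"Bearer {TOKEN}"}, SECRET, "write", now=NOW))
```

Passing `now` explicitly keeps the check reproducible; in production leave it unset so the current time is used.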