An OAuth token is a bearer credential issued under the OAuth 2.0 authorization framework that lets an application access specific resources on behalf of a user, or as a machine identity of its own, without the application ever handling the user's password. The token may be an opaque random string or a signed JWT; either way, a resource server grants whoever presents it the access it encodes, unless the token has been sender-constrained (for example with mTLS or DPoP), so possession of the token is what an attacker needs.
⚙️ How Does It Work?
Access tokens are short-lived (minutes to an hour is typical) and scoped to specific permissions. The client sends one on every API call, usually in an Authorization: Bearer header, and the resource server checks validity, expiry and scope before serving the request. Refresh tokens live longer and are exchanged at the authorization server's token endpoint for a new access token without sending the user back through login; the exchange may narrow the requested scope but never widen it, and a well-run server rotates the refresh token on every use and revokes the whole token family if a rotated-out copy is ever replayed. Both types must be stored securely and kept out of logs, URLs and client-side storage an attacker could read, because theft of either grants the attacker exactly the access the legitimate client has.
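The lifecycle described above, as an added example that is not part of the original page: a toy token endpoint, written here for illustration rather than taken from any real OAuth library, that issues short-lived access tokens alongside refresh tokens, lets a refresh narrow but not widen scope, rotates the refresh token on each use, and revokes the whole token family when a stale copy is replayed. Token lifetimes, the ci-bot client, the repo:read/repo:write scopes and the simulated clock are all assumptions made for the demonstration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

ACCESS_TTL = 600            # assumed: access tokens live ten minutes in this toy server
REFRESH_TTL = 30 * 86400    # assumed: refresh tokens live thirty days unless rotated or revoked


@dataclass
class AccessRecord:
    client_id: str
    scope: frozenset
    family: str          # all tokens descending from one user consent share a family
    expires_at: float


@dataclass
class RefreshRecord:
    client_id: str
    scope: frozenset
    family: str
    expires_at: float
    used: bool = False   # set once the token has been exchanged (rotation)


def _digest(token: str) -> str:
    # Store only a hash so a dump of the token store does not yield usable bearer tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class ToyTokenEndpoint:
    """Hypothetical authorization-server token endpoint (illustrative, not a real library)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.access: dict[str, AccessRecord] = {}
        self.refresh: dict[str, RefreshRecord] = {}
        self.revoked_families: set[str] = set()

    def _issue(self, client_id, scope, family):
        now = self.clock()
        access_token = secrets.token_urlsafe(32)
        refresh_token = secrets.token_urlsafe(32)
        self.access[_digest(access_token)] = AccessRecord(client_id, scope, family, now + ACCESS_TTL)
        self.refresh[_digest(refresh_token)] = RefreshRecord(client_id, scope, family, now + REFRESH_TTL)
        return {"access_token": access_token, "token_type": "Bearer", "expires_in": ACCESS_TTL,
                "refresh_token": refresh_token, "scope": " ".join(sorted(scope))}

    def authorization_code_grant(self, client_id, granted_scope):
        # Stands in for the authorization-code exchange: the user has consented to granted_scope.
        return self._issue(client_id, frozenset(granted_scope), family=secrets.token_hex(8))

    def refresh_token_grant(self, client_id, refresh_token, scope=None):
        rec = self.refresh.get(_digest(refresh_token))
        if rec is None or rec.client_id != client_id or rec.expires_at <= self.clock():
            return {"error": "invalid_grant"}
        if rec.family in self.revoked_families:
            return {"error": "invalid_grant"}
        if rec.used:
            # A rotated-out token presented again: either the client or a thief holds
            # a stale copy. Revoke the whole family so both lose access.
            self.revoked_families.add(rec.family)
            return {"error": "invalid_grant"}
        requested = frozenset(scope) if scope else rec.scope
        if not requested <= rec.scope:
            return {"error": "invalid_scope"}    # a refresh may narrow scope, never widen it
        rec.used = True
        return self._issue(client_id, requested, rec.family)

    def introspect(self, access_token):
        rec = self.access.get(_digest(access_token))
        if rec is None or rec.expires_at <= self.clock() or rec.family in self.revoked_families:
            return {"active": False}
        return {"active": True, "client_id": rec.client_id, "scope": sorted(rec.scope)}


def run_scenario():
    """Walk a CI client through issue -> expiry -> refresh -> replay; returns the observations."""
    clock = {"now": 1_700_000_000.0}                  # simulated clock so expiry is deterministic
    server = ToyTokenEndpoint(clock=lambda: clock["now"])
    out = {}

    first = server.authorization_code_grant("ci-bot", {"repo:read", "repo:write"})
    out["fresh_active"] = server.introspect(first["access_token"])["active"]

    clock["now"] += ACCESS_TTL + 1                    # the access token has now expired
    out["expired_active"] = server.introspect(first["access_token"])["active"]

    widened = server.refresh_token_grant("ci-bot", first["refresh_token"], scope={"repo:read", "repo:admin"})
    out["widen_error"] = widened.get("error")         # cannot escalate beyond the original grant

    second = server.refresh_token_grant("ci-bot", first["refresh_token"], scope={"repo:read"})
    out["narrowed_scope"] = server.introspect(second["access_token"])["scope"]

    replay = server.refresh_token_grant("ci-bot", first["refresh_token"])   # stale copy replayed
    out["replay_error"] = replay.get("error")
    out["family_revoked_after_replay"] = server.introspect(second["access_token"])["active"]

    third = server.refresh_token_grant("ci-bot", second["refresh_token"])
    out["post_revoke_error"] = third.get("error")
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The replay step is the one worth studying: the legitimate client loses its fresh token along with the attacker, which is the intended trade, since the server cannot tell which of the two holders is the thief and forcing a new login is cheaper than leaving a stolen refresh token live.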
📍 Where Is It Used?
SaaS integrations, API authorization, mobile apps, CI/CD pipelines, and any application that needs delegated or machine access to an API.
💡 Real-World Example
A CI/CD pipeline uses a long-lived OAuth refresh token to push code to GitHub on behalf of a service account. The token leaks via a misconfigured log file. Because a refresh token can be exchanged for fresh access tokens for as long as it remains valid, the attacker gains persistent access to every repository the service account can reach, and nothing in the user-facing login flow reveals it. Mitigation: use short-lived access tokens, scope the grant to the minimum permissions, rotate refresh tokens on every use and revoke them on suspected replay, and make sure tokens never reach logs in the first place.
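A detection and scrubbing pass for the leak described above, as an added example that is not part of the original page: it scans constructed CI log lines for token shapes that commonly end up in logs (a bearer header, refresh_token and access_token parameters in form bodies or JSON, JWTs, and prefixed tokens modelled on GitHub's ghr_/ghu_ formats) and replaces each secret with a short fingerprint so the line stays useful for incident correlation. The patterns are heuristics assumed for this example, the log lines and token values are constructed, and the auth.example.com endpoint is hypothetical.

```python
import hashlib
import re

# Credential shapes that commonly end up in CI logs. Heuristic patterns assumed for this
# example (not exhaustive); group 1 is the prefix to keep, group 2 the secret to redact.
PATTERNS = {
    "bearer_header": re.compile(r"(?i)(authorization:\s*bearer\s+)([A-Za-z0-9._~+/=-]{20,})"),
    "refresh_token_param": re.compile(r"(?i)(\brefresh_token(?:=|\"\s*:\s*\"))([A-Za-z0-9._~+/=-]{20,})"),
    "access_token_param": re.compile(r"(?i)(\baccess_token(?:=|\"\s*:\s*\"))([A-Za-z0-9._~+/=-]{20,})"),
    "jwt": re.compile(r"()(eyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,})"),
    "github_token": re.compile(r"()(gh[pousr]_[A-Za-z0-9]{30,})"),   # assumed prefix/length shape
}

# Constructed sample log: a pipeline that logs the token-endpoint request body, the
# response, and the outgoing API call at debug level. Token values are made up.
SAMPLE_LOG = [
    "2024-05-02T10:00:01Z INFO  deploy job 4411 started",
    "2024-05-02T10:00:02Z DEBUG POST https://auth.example.com/oauth/token body=grant_type=refresh_token"
    "&refresh_token=ghr_1a2B3c4D5e6F7g8H9i0JkLmNoPqRsTuVwXyZ&client_id=ci-bot",
    '2024-05-02T10:00:02Z DEBUG 200 {"access_token": "ghu_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789", '
    '"token_type": "bearer", "expires_in": 28800, "refresh_token": "ghr_Zy9Xw8Vu7Ts6Rq5Po4Nm3Lk2Ji1Hg0FeDcBa"}',
    "2024-05-02T10:00:03Z DEBUG GET https://api.github.com/repos/acme/app "
    "Authorization: Bearer ghu_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789",
    "2024-05-02T10:00:04Z INFO  git push origin main: ok",
]


def _fingerprint(kind, secret):
    # Keep a short hash so an incident can still correlate log lines to one token
    # (and to the server-side token store) without the log exposing the secret itself.
    return f"<redacted:{kind}:{hashlib.sha256(secret.encode()).hexdigest()[:8]}>"


def scan_log(lines):
    """Return [(line_number, [kinds])] for every line that contains a token-like secret."""
    findings = []
    for number, line in enumerate(lines, start=1):
        kinds = [kind for kind, pat in PATTERNS.items() if pat.search(line)]
        if kinds:
            findings.append((number, kinds))
    return findings


def redact_line(line):
    # Patterns run in dictionary order, so a JWT inside a bearer header is redacted once,
    # by the header rule, and the narrower rules find nothing left to match.
    for kind, pat in PATTERNS.items():
        line = pat.sub(lambda m, k=kind: m.group(1) + _fingerprint(k, m.group(2)), line)
    return line


def scrub_log(lines):
    """Return the log with every detected secret replaced by its fingerprint placeholder."""
    return [redact_line(line) for line in lines]


if __name__ == "__main__":
    for number, kinds in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(kinds)}")
    print("\n".join(scrub_log(SAMPLE_LOG)))
```

Scrubbing at the log sink is a safety net, not the fix: the debug line that logs the token-endpoint request body should not exist, and a finding from scan_log on a production log is a signal to treat that token as compromised and revoke it, not merely to clean the file.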