Token-based authentication is the process of verifying a user and granting them a token that allows the user access to specific resources for a limited duration.
After the user’s credentials are validated, a token is issued for a limited duration (called a user session). The token grants the user access to a specific set of sites, applications, or other resources, according to the level of authorization encoded in the token.
The user doesn’t need to re-enter their credentials every time they request access to resources protected by the token; they authenticate once per session. As long as the session is active, the token can be used for continuous authentication. Because tokens expire when the session is over, token-based authentication adds a greater degree of protection to users’ accounts.
Compared to standard password-based authentication, administrators have greater control over authentication tokens. It's up to administrators to determine the duration of token sessions and the finer details of the token transactions. Administrators can set tokens to reset when a user signs off or can set specific time limits for how long the token remains active in a given session.
Note: There are multiple authentication token types to use depending on your business needs. For example, deciding between an OAuth token, SAML token, or JSON web token (JWT) is situational and varies based on your use cases.
How does token-based authentication work?
The process for token-based authentication is generally as follows:
A user requests access to a protected server, site, application, or resource and is prompted to authenticate.
The server verifies the user’s credentials to determine if they are who they say they are.
After verification, the server issues the user a security token that grants them access to their authorized resources.
The token is stored in the user’s browser for the duration of the session and is presented every time the user tries to access a different part of the server. The user’s access to specific resources is determined by the authorization built into the token.
The token session expires when the session times out, the user signs off, or the connection to the server is severed.
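The five steps above, worked through as an added example (not code from the original article): a server-side routine that checks credentials once, issues an HMAC-signed token carrying the user, an expiry and a set of scopes, and a verifier that rejects forged, expired or revoked tokens before checking authorization. The secret key, the demo credential store, the scope names and the 15-minute default lifetime are all constructed for this illustration; a real deployment would store a slow password hash rather than the plaintext shown here.

```python
"""Minimal token-based authentication flow (constructed illustration).

Assumptions: one server-side signing secret, a token payload of
subject + token id + scopes + expiry, and a revocation set that
sign-off populates so a session can end before its expiry.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)               # constructed: server signing secret
USERS = {"alice": "correct horse battery staple"}  # constructed demo credential store
REVOKED = set()                                    # token ids invalidated by sign-off


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, as commonly used for web tokens."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> str:
    return _b64(hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest())


def authenticate(username, password, ttl_seconds=900, scopes=("profile:read",), now=None):
    """Steps 1-3: verify credentials once; on success issue a signed, expiring token.

    ttl_seconds is the administrator-controlled session duration.
    Returns None when the credentials do not match.
    """
    expected = USERS.get(username)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    now = time.time() if now is None else now
    payload = {
        "sub": username,
        "jti": secrets.token_hex(8),      # unique token id, used for revocation
        "scopes": list(scopes),          # authorization carried inside the token
        "exp": now + ttl_seconds,        # absolute expiry time
    }
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    return f"{body}.{_sign(body)}"


def verify(token, required_scope, now=None):
    """Step 4: accept the token instead of credentials on each request.

    Order matters: check the signature before trusting any payload field,
    then expiry and revocation, and only then the requested authorization.
    """
    try:
        body, sig = token.split(".")
    except ValueError:
        return False
    if not hmac.compare_digest(_sign(body), sig):
        return False                      # forged or tampered token
    payload = json.loads(_unb64(body))
    now = time.time() if now is None else now
    if payload["exp"] <= now:
        return False                      # session timed out
    if payload["jti"] in REVOKED:
        return False                      # user signed off earlier
    return required_scope in payload["scopes"]


def sign_off(token):
    """Step 5: end the session early by revoking the token id."""
    body, _sig = token.split(".")
    REVOKED.add(json.loads(_unb64(body))["jti"])


def tamper_scopes(token, new_scopes):
    """Helper for the demo: rewrite the payload but keep the old signature."""
    body, sig = token.split(".")
    payload = json.loads(_unb64(body))
    payload["scopes"] = list(new_scopes)
    return _b64(json.dumps(payload, separators=(",", ":")).encode()) + "." + sig


if __name__ == "__main__":
    t0 = 1_000.0
    token = authenticate("alice", "correct horse battery staple", ttl_seconds=60, now=t0)
    print("valid request:   ", verify(token, "profile:read", now=t0 + 30))
    print("missing scope:   ", verify(token, "admin:write", now=t0 + 30))
    print("after expiry:    ", verify(token, "profile:read", now=t0 + 61))
    print("tampered scopes: ", verify(tamper_scopes(token, ["admin:write"]), "admin:write", now=t0 + 30))
    sign_off(token)
    print("after sign-off:  ", verify(token, "profile:read", now=t0 + 30))
```

The `now` parameter exists only so the demo is deterministic; production code leaves it at the default clock. Elevating privileges by editing the payload fails because the signature no longer matches, which is the property that lets the server trust the authorization carried in the token rather than looking the user up on every request.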