← All glossary terms
Non-Human Identities5 min read

What is an OAuth Token?

OAuth tokens — access, refresh, and ID tokens — are the credentials of modern delegated authorization. Learn what each does and how to secure them.

What is an OAuth Token?

Definition

An OAuth token is a credential issued by an authorization server that allows a client (application) to access protected resources on behalf of a user or as itself.

OAuth 2.0 defines several token types:

  • Access token — short-lived; used to call APIs.
  • Refresh token — longer-lived; used to obtain new access tokens.
  • ID token (OpenID Connect) — describes the authenticated user; used for sign-in.

OAuth tokens are the foundation of modern delegated authorization across SaaS, cloud, mobile, and enterprise applications.

In simple terms:

An OAuth token is a time-bound permission slip an app uses to call APIs on someone's behalf.


Why It Matters

  • OAuth is the dominant authentication / authorization standard for APIs.
  • Tokens are everywhere — every signed-in app, integration, agent has them.
  • Compromised tokens enable account takeover, data theft, lateral movement.
  • Recent breaches (Storm-0558, Okta 2023, Microsoft) exploited OAuth tokens / signing keys.
  • Token hygiene (storage, rotation, scope) is core identity security work.

OAuth Token Types

1. Access Token

  • Short-lived (typically 5 min – 1 hour).
  • Sent with API calls (Authorization: Bearer <token>).
  • Includes scopes (claims) defining what's allowed.
  • Often a JWT (verifiable offline) or opaque (verified by introspection).

2. Refresh Token

  • Longer-lived (days, months, sometimes indefinite).
  • Used to obtain new access tokens without re-authentication.
  • Stored carefully (it's the long-lived credential).
  • Can be rotated on each use.

3. ID Token (OpenID Connect)

  • JWT describing the authenticated user.
  • Used for sign-in (not for API calls).
  • Audience-bound to the client.

4. Token in OBO (On-Behalf-Of)

  • Service exchanges incoming user token for one to call downstream API as the user.

5. Service-to-Service Tokens

  • Client credentials flow — no user; client_id + client_secret → access token.

OAuth Flows (Where Tokens Come From)

Authorization Code (with PKCE)

Most secure, most common for users. App redirects user to IdP; user consents; IdP returns code; app exchanges for tokens.

Client Credentials

Service-to-service. Client presents client_id + client_secret → access token. No user involved.

Device Code

For input-constrained devices (TVs, CLIs).

Implicit (Deprecated)

Returned tokens directly in URL — phased out for security.

Resource Owner Password Credentials (Deprecated)

User gives password to client — anti-pattern.


Common Risks

1. Token Theft

  • Stolen via XSS, MITM, malware, phishing, browser extension, vendor breach.

2. Refresh Token Compromise

  • Long-lived → adversary maintains persistent access.

3. Over-Permissioned Scopes

  • Apps granted broader scopes than needed.
  • Adversary tricks user into granting OAuth consent to malicious app.

5. Token Replay

  • Captured token reused; weak audience binding.

6. Token Logged

  • Tokens in logs / errors / URLs.

7. Storage Vulnerabilities

  • Tokens in localStorage / cookies vulnerable to XSS.

8. Token Signing Key Compromise

  • Microsoft Storm-0558: signing key stole → forged tokens.

9. Stale OAuth Grants

  • Apps granted years ago, no longer used, still active.

10. Cross-Tenant Token Misuse

  • Multi-tenant apps mishandling tokens across tenants.

Real-World Examples

1. Storm-0558

Adversary obtained Microsoft signing key; forged ID/access tokens; accessed government Exchange Online mailboxes. Mitigation: signing key rotation; key access controls; audit hardening.

2. Okta 2023

OAuth tokens / session cookies stolen from support portal → cross-tenant impact. Mitigation: defense-in-depth; better support tooling.

User received "Microsoft Login" prompt; granted broad scopes to malicious app; adversary read mail. Mitigation: app consent governance; admin consent for risky scopes; user education.

4. Refresh Token Theft

Mobile app stored refresh token in plaintext; rooted device leaked. Mitigation: refresh token rotation; secure enclave storage.

5. Stale OAuth Grant Abuse

Vendor app granted in 2019; vendor compromised in 2024; old grant abused. Mitigation: quarterly OAuth grant review; revoke unused.


Best Practices

Token Lifecycle

  • Short-lived access tokens (≤ 1 hour).
  • Refresh token rotation on each use.
  • Refresh token expiry (sliding or absolute).
  • Audience binding (aud claim).
  • Nonce / sub-binding to client.

Storage

  • Backend — secret manager.
  • Web frontend — httpOnly secure cookies; not localStorage.
  • Mobile — secure enclave / keychain.
  • CLI — OS credential vault.

Scope Management

  • Least privilege scopes.
  • Per-tenant or per-resource when possible.
  • Admin consent for risky scopes.
  • Quarterly review of granted scopes.
  • App publisher verification.
  • Block unverified publishers for sensitive scopes.
  • User education on consent prompts.
  • Quarantine newly granted apps for review.

Monitoring

  • Anomaly detection on token use (geo, time, volume).
  • Sign-in risk policies (Conditional Access).
  • OAuth grant audit (Microsoft Defender for Cloud Apps, Forestall).

Revocation

  • Quick revocation capability.
  • Practiced incident response for compromised tokens.

Signing Keys

  • HSM-backed signing keys.
  • Rotation cadence.
  • Strict access controls + audit.

Checklist

  • Short-lived access tokens?
  • Refresh token rotation?
  • Refresh token expiry?
  • Audience binding?
  • Tokens stored securely (no localStorage / no plaintext)?
  • Least-privilege scopes?
  • Admin consent for risky scopes?
  • App publisher verification?
  • Quarterly OAuth grant review?
  • Anomaly detection on token use?
  • Conditional Access / sign-in risk policies?
  • Quick revocation playbook?
  • HSM-backed signing keys + rotation?

How Forestall Helps

Forestall:

  • Inventories OAuth grants across SaaS / cloud.
  • Identifies over-permissioned grants.
  • Surfaces stale / unused grants.
  • Detects suspicious token usage patterns.
  • Tracks remediation.

Frequently Asked Questions

Is OAuth more secure than API keys?

Yes — short-lived, scoped, revocable, auditable. But misuse / misconfig / phishing remain risks.

What's the difference between an access token and refresh token?

Access = short-lived API credential. Refresh = longer-lived; used to get new access tokens.

Should I store refresh tokens at all?

If your app needs ongoing access without re-prompting, yes — but store securely (secret manager, secure enclave, encrypted at rest).

Can I trust JWT tokens offline?

Yes if signature verified against trusted issuer key, claims validated (iss, aud, exp, nbf), and key rotation handled.

What about token binding?

Emerging standards (DPoP, MTLS-bound tokens) bind tokens to client to prevent replay. Adopt where supported.


Conclusion

OAuth tokens are the credentials of modern delegated authorization — short-lived access tokens, longer-lived refresh tokens, and ID tokens for sign-in. Manage them carefully: short lifetimes, secure storage, scoped consent, anomaly detection, quarterly review, and signing key hygiene. Done right, OAuth gives you secure, fine-grained, revocable access control across humans, workloads, and AI agents.

OAuth TokenAccess TokenRefresh TokenOAuth 2.0Non-Human Identity

Govern OAuth tokens across your workforce and workloads.

Forestall surfaces over-permissioned OAuth grants and stale refresh tokens.

We respect your privacy

We use cookies to keep this site secure and working properly. With your permission, we also use optional cookies to understand usage and improve the experience. Cookie Policy

You can change your choice at any time.

What is an OAuth Token? | Forestall