Validate Access Tokens | Okta Developer (2024)

This guide explains why access token validation is important and how to validate and decode the access token.

Learning outcomes

  • Understand token validation.
  • Understand what to check when validating tokens.
  • Decode access tokens.
  • Validate access tokens remotely.

About access token validation

If you're building a modern app or API, you want to know if your end user is authenticated. This is important to give context or to protect APIs from unauthenticated users. You can use Okta to authenticate your end users and issue them signed access and ID tokens. Your app can then use these tokens. It's important that your app uses only the access token to grant access, and not the ID token. See Access tokens vs ID tokens.

After signed tokens are issued to end users, they can be passed to your app for validation. There are two ways to verify a token: locally or remotely with Okta. The token is signed with a JSON Web Key (JWK) using the RS256 algorithm. To validate the signature, Okta provides your app with a public key that you can use.

  • To jump straight to the local validation steps: What to check when validating an access token
  • To see how to validate a token directly with Okta: Validate a token remotely with Okta

Note: Okta is the only app that should consume or validate access tokens from the org authorization server. Org authorization servers have the following issuer format: https://{yourOktaOrg}. Consider these access tokens as opaque strings because their content is subject to change at any time. Therefore, any attempts by your app to validate the tokens may not work in the future.

Access tokens vs ID tokens

Access tokens are intended for authorizing access to a resource. It's important that the resource server (your server-side app) accepts only an access token from a client.

ID tokens, on the other hand, are intended for authentication. They provide information about the resource owner so that you can verify that they're who they say they are. Authentication is important to clients. Because of this, when a client makes an authentication request, the ID token that's returned contains the client_id in the ID token's aud claim.

What to check when validating an access token

The high-level overview of validating an access token looks like this:

  1. Retrieve the JSON Web Keys.
  2. Decode and validate the access token. The access token is in JWT format, so this involves the following steps:
     • Verify the token signature.
     • Verify the claims.
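The following Go program is an added example of the local validation steps above; it is not Okta's code or part of an Okta SDK. It performs the steps in the order the guide lists them: pick the key from the JWKS by the token's kid, verify the RS256 signature over the header and payload, and only then read and check the iss, aud and exp claims. The issuer and audience strings, the key ID, and the SignRS256 helper (which stands in for Okta issuing the token, so the program runs offline) are all assumptions made for the example; a real resource server fetches the key set from Okta over HTTPS, caches it, and never holds a signing key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// JWK holds the members of an RSA JSON Web Key needed to verify RS256; JWKS is the
// key set the server publishes (fetch it over HTTPS, cache it, refresh on an unknown kid).
type JWK struct{ Kty, Kid, N, E string }
type JWKS struct{ Keys []JWK }

// decodeSegment base64url-decodes one JWT segment and parses it as JSON.
func decodeSegment(seg string, v any) error {
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// keyFromJWKS selects the key whose kid matches and converts its n/e members to an RSA key.
func keyFromJWKS(jwks JWKS, kid string) (*rsa.PublicKey, error) {
	for _, k := range jwks.Keys {
		nb, errN := b64.DecodeString(k.N)
		eb, errE := b64.DecodeString(k.E)
		if k.Kid == kid && k.Kty == "RSA" && errN == nil && errE == nil {
			return &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}, nil
		}
	}
	return nil, fmt.Errorf("no usable RSA key with kid %q in JWKS", kid)
}

// ValidateAccessToken runs the local checks in order: parse the JWT, pin the algorithm
// to RS256, select the key by kid, verify the signature, then check iss, aud and exp.
func ValidateAccessToken(token string, jwks JWKS, issuer, audience string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	// The algorithm is pinned by the verifier, never taken from the token itself.
	if len(parts) != 3 || decodeSegment(parts[0], &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("token is not a three-segment JWT with alg RS256")
	}
	pub, err := keyFromJWKS(jwks, hdr.Kid)
	if err != nil {
		return nil, err
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	var claims map[string]any // the payload is only read once the signature holds
	if err := decodeSegment(parts[1], &claims); err != nil {
		return nil, err
	}
	exp, _ := claims["exp"].(float64) // a missing exp decodes as 0, i.e. long expired
	switch {
	case claims["iss"] != issuer:
		return nil, fmt.Errorf("unexpected issuer %v", claims["iss"])
	case claims["aud"] != audience: // Okta issues aud as a single string
		return nil, fmt.Errorf("unexpected audience %v", claims["aud"])
	case now.After(time.Unix(int64(exp), 0)):
		return nil, fmt.Errorf("token is expired or has no exp claim")
	}
	return claims, nil
}

// SignRS256 stands in for the authorization server's issuing step so the example
// runs offline; a real resource server never holds the private key.
func SignRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	iss, aud := "https://example.okta.invalid/oauth2/default", "api://default" // assumed values
	// Constructed stand-in for the key set a real app fetches from Okta and caches.
	jwks := JWKS{Keys: []JWK{{Kty: "RSA", Kid: "kid-1", N: b64.EncodeToString(priv.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}}}
	tok := SignRS256(priv, "kid-1", map[string]any{"iss": iss, "aud": aud, "exp": time.Now().Add(time.Hour).Unix(), "sub": "user@example.invalid"})
	claims, err := ValidateAccessToken(tok, jwks, iss, aud, time.Now())
	fmt.Println(claims["sub"], err)
}
```

The order matters: the signature is checked before any claim is read, and the claims are returned only when all checks pass, so a caller cannot accidentally act on a payload whose signature or audience was wrong.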

Validate a token remotely with Okta

Alternatively, you can validate an access or refresh token using the Token Introspection endpoint; see the Introspection request reference. This endpoint takes your token as a URL query parameter and returns a simple JSON response with a Boolean active property.

This involves a network request, so it is slower than local validation. But you can use it when you want to guarantee that the access token hasn't been revoked.
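The following Go program is an added example of the remote check described above; it is not Okta's code, and the endpoint path, client credentials and token strings are assumptions made for the example. Introspect is the resource-server side: it authenticates to the authorization server with its client credentials, sends the token as a form parameter following RFC 7662 (consult Okta's introspection reference for the exact parameters it expects), and reads the Boolean active property. NewMockIntrospectionServer is a constructed stand-in for the authorization server so the program runs offline; it keeps a revocation list in order to show the one case local validation cannot catch, a well-formed, unexpired token that has been revoked.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// IntrospectionResult is the subset of the RFC 7662 response this example reads.
type IntrospectionResult struct {
	Active bool   `json:"active"`
	Sub    string `json:"sub,omitempty"`
	Exp    int64  `json:"exp,omitempty"`
}

// Introspect asks the authorization server whether token is still active. The
// resource server authenticates with its own client credentials, and the token
// travels in the form body rather than the URL so it stays out of access logs.
func Introspect(client *http.Client, endpoint, clientID, clientSecret, token string) (IntrospectionResult, error) {
	form := url.Values{"token": {token}, "token_type_hint": {"access_token"}}
	req, err := http.NewRequest(http.MethodPost, endpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return IntrospectionResult{}, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(clientID, clientSecret)
	resp, err := client.Do(req)
	if err != nil {
		return IntrospectionResult{}, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return IntrospectionResult{}, fmt.Errorf("introspection returned HTTP %d", resp.StatusCode)
	}
	var res IntrospectionResult
	if err := json.NewDecoder(resp.Body).Decode(&res); err != nil {
		return IntrospectionResult{}, err
	}
	return res, nil
}

// NewMockIntrospectionServer is a constructed stand-in for the authorization server.
// It rejects callers without the right client credentials and reports any token on
// the revoked list as inactive, exactly as a revoked-but-unexpired token would be.
func NewMockIntrospectionServer(clientID, clientSecret string, revoked map[string]bool) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, secret, ok := r.BasicAuth()
		if r.Method != http.MethodPost || !ok || id != clientID || secret != clientSecret {
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
			return
		}
		token := r.PostFormValue("token")
		// RFC 7662: unknown, expired and revoked tokens all get active=false with no
		// further detail, so a caller cannot learn which of the three applies.
		res := IntrospectionResult{Active: token != "" && !revoked[token]}
		if res.Active {
			res.Sub = "user@example.invalid"
			res.Exp = time.Now().Add(time.Hour).Unix()
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(res)
	}))
}

func main() {
	revoked := map[string]bool{"tok-revoked": true} // constructed revocation list
	srv := NewMockIntrospectionServer("client-id", "client-secret", revoked)
	defer srv.Close()
	for _, tok := range []string{"tok-live", "tok-revoked"} {
		res, err := Introspect(srv.Client(), srv.URL+"/v1/introspect", "client-id", "client-secret", tok)
		fmt.Printf("%s active=%v err=%v\n", tok, res.Active, err)
	}
}
```

Because every request costs a round trip to the authorization server, a common design is to validate locally on most requests and introspect only for operations where a revoked token must be refused immediately.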

FAQs

How to validate the access token?

The high-level overview of validating an access token looks like this:
  1. Retrieve your Okta JSON Web Keys (JWK), which your app should check periodically and cache.
  2. Decode the access token, which is in JSON Web Token (JWT) format.
  3. Verify the signature used to sign the access token.

How do I authenticate my access token?

Token Authentication in 4 Easy Steps
  1. Request: The person asks for access to a server or protected resource. ...
  2. Verification: The server determines that the person should have access. ...
  3. Tokens: The server communicates with the authentication device, like a ring, key, phone, or similar device.

How to validate access token in OAuth2 C#?

Steps:
  1. The client app contacts the authentication server using its client ID and secret, sent as x-www-form-urlencoded.
  2. The auth server validates the credentials and scope against its internal registry and returns the access token if they are valid.
Feb 21, 2024

How to check token validity online?

You can check the validity of the access token by decoding it and checking the exp value. For more info on decoding JWTs, see the auth0/jwt-decode project on GitHub (decodes JWT tokens; useful for browser applications).

How does Web API validate access token?

Web APIs must validate access tokens sent to them by a client. They must only accept tokens containing one of their AppId URIs as the aud claim. Web apps must validate ID tokens sent to them by using the user's browser in the hybrid flow, before allowing access to a user's data or establishing a session.

What is a token validation?

Validating Access Tokens

Successful OAuth transactions require the identity domain OAuth Authorization Server to issue access tokens for use in authenticating an API call. An access token represents an authorization issued to the client application that contains credentials used to access protected OAuth resources.

How do I verify my token?

You can validate your tokens locally by parsing the token, verifying the token signature, and validating the claims that are stored in the token. Parse the tokens. The JSON Web Token (JWT) is a standard way of securely passing information. It consists of three main parts: Header, Payload, and Signature.

How can I verify a Google authentication API access token?

You can inspect a valid (not expired or revoked) ID token by using the tokeninfo endpoint. Replace ID_TOKEN with the valid, unexpired ID token. This command returns something similar to the following example:

Can access tokens be invalidated?

Token Revocation Mechanism

Another way to manage access tokens is by revoking them when they are no longer needed or when they are compromised. Token revocation is the process of invalidating a token before it expires, thereby preventing it from being used to access protected resources.

How do I pass an API authentication token?

The second way to pass your API token is via a query parameter called key in the URL like below. Use of the X-Dataverse-key HTTP header form is preferred to passing key in the URL because query parameters like key appear in URLs and might accidentally get shared, exposing your API token. (Again it's like a password.)

How to get authentication token in C#?

Obtain an authentication token (C#)

To execute any operation in the Sitecore Experience Commerce (XC) system, the calling system must first connect to the Sitecore Identity Server to obtain an authentication token and include it in every call it makes to the Commerce Engine.

How is the access token verified?

For any access token to be valid, the following must be asserted: Signature is valid. The private key signed the token, and this private key has a corresponding public key in the JWKS response from the authorization server.

How do I validate my OAuth 2.0 token?

The token can be verified via introspect endpoint or by signature. The most common way to build built-in token verification into the system is to introspect the token on the API Gateway and verify the signature on other services.

What is access token validity?

Access token lifetime

By default, access tokens are good for 1 hour (3,600 seconds). When the access token has expired, your token management code must get a new one.

How do I know if my Google access token is valid?

To verify that the token is valid, ensure that the following criteria are satisfied:
  1. The ID token is properly signed by Google. ...
  2. The value of aud in the ID token is equal to one of your app's client IDs. ...
  3. The expiry time ( exp ) of the ID token has not passed.
Oct 25, 2023

How does a server validate a token?

Token validation is the mechanism by which an API validates the authenticity and longevity of access tokens. The mechanism to validate a token varies between applications, but for the most part, it comprises decoding the payload, parsing the properties, and performing further queries to validate credentials.
