
Token

A digitally generated string used to authenticate a user, authorize access, or maintain session state without repeatedly transmitting credentials.

A token in the context of application security is a piece of data that represents an identity, permission, or session. Rather than sending a username and password with every request, a user authenticates once and receives a token that subsequent requests include as proof of identity. Tokens come in many forms, including session tokens stored in cookies, JSON Web Tokens (JWTs) passed in HTTP headers, OAuth access tokens, and API keys.

How It Works

When a user logs in, the server verifies their credentials and issues a token. The token is either an opaque, randomly generated string that the server looks up in its own session store, or a self-contained signed structure such as a JWT whose claims the server verifies directly. The client stores the token and attaches it to subsequent requests, usually in an HTTP header (for example Authorization: Bearer) or a cookie. The server validates the token on every request to establish the user's identity and permissions without requiring re-authentication, and can reject it once it has expired or been revoked.
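The opaque-token flow described above, as an added example that is not code from the original page: the token is 256 bits from the OS CSPRNG, the server stores only its SHA-256 fingerprint together with an expiry, and a request is authenticated by pulling the token out of an Authorization: Bearer header and looking it up. The in-memory store, the 15-minute lifetime and the function names are assumptions for illustration.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional

# Hypothetical in-memory session store, keyed by the SHA-256 of the token
# rather than the token itself, so a dump of the store yields no usable tokens.
SESSIONS: Dict[str, dict] = {}
SESSION_TTL_SECONDS = 15 * 60  # assumed lifetime; choose per application


def _fingerprint(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(user_id: str, now: Optional[float] = None) -> str:
    """Called after the credentials have been verified: mint and record a token."""
    now = time.time() if now is None else now
    # 32 bytes from the OS CSPRNG (256 bits of entropy), URL-safe so it can
    # travel in a header or cookie without further encoding.
    token = secrets.token_urlsafe(32)
    SESSIONS[_fingerprint(token)] = {
        "user_id": user_id,
        "expires": now + SESSION_TTL_SECONDS,
    }
    return token


def validate_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user the token belongs to, or None if unknown or expired."""
    now = time.time() if now is None else now
    key = _fingerprint(token)
    record = SESSIONS.get(key)
    if record is None:
        return None
    if now >= record["expires"]:
        del SESSIONS[key]  # expired: drop it so it cannot be replayed later
        return None
    return record["user_id"]


def revoke_token(token: str) -> None:
    """Logout: an opaque token can be invalidated server-side at any time."""
    SESSIONS.pop(_fingerprint(token), None)


def handle_request(headers: Dict[str, str], now: Optional[float] = None) -> Optional[str]:
    """Extract the token from 'Authorization: Bearer <token>' and validate it."""
    auth = headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme != "Bearer" or not token:
        return None
    return validate_token(token, now)
```

Looking the token up by its hash also sidesteps timing differences in comparing raw token strings: what the dictionary compares is a digest of the attacker's guess, which reveals nothing about valid tokens.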

JWTs are a popular token format that encodes claims (such as user ID, roles, and expiration time) as a Base64url-encoded JSON payload, signed either with a shared secret (HMAC) or with the private key of an asymmetric key pair. The server verifies the signature to confirm that the token has not been tampered with. A signed JWT is encoded, not encrypted: anyone who obtains the token can decode and read every claim in it. Sensitive data should therefore never be placed in JWT claims unless the token is additionally encrypted.

Token security depends on several factors: sufficient entropy to prevent guessing, transmission only over TLS, appropriate storage on the client side, bounded expiration times, and robust server-side validation. Common weaknesses include tokens that never expire, verifiers that accept the "none" algorithm or let the token's own header choose the signing algorithm, and tokens kept in browser local storage, where any script running in the page, including an injected XSS payload, can read them.
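The JWT behaviour described in the two paragraphs above, as an added example that is not code from the original page: a minimal HS256 issuer and verifier built on the standard library, a function showing that the payload is readable without the key, and a forged "alg": "none" token of the kind a verifier that trusts the header would accept. The verifier pins the algorithm server-side, compares signatures in constant time, and treats a missing or past exp claim as a rejection. The key, the claims and the function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Server-side policy pinned in code: the only algorithm the verifier accepts.
# The token's own header is never allowed to choose it.
ACCEPTED_ALG = "HS256"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def mint_jwt(claims: dict, key: bytes) -> str:
    """Issue a signed token: base64url(header).base64url(payload).base64url(sig)."""
    header = _b64url_encode(_compact_json({"alg": ACCEPTED_ALG, "typ": "JWT"}))
    payload = _b64url_encode(_compact_json(claims))
    signing_input = header + "." + payload
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def read_claims_unverified(token: str) -> dict:
    """What anyone holding the token can do without the key: the payload is
    only encoded, so every claim is readable."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def forge_alg_none(claims: dict) -> str:
    """What an attacker sends to a verifier that honours the header's alg:
    attacker-chosen claims, "alg": "none", and an empty signature."""
    header = _b64url_encode(_compact_json({"alg": "none", "typ": "JWT"}))
    return header + "." + _b64url_encode(_compact_json(claims)) + "."


def verify_jwt(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is well-formed, signed with the pinned
    algorithm under this key, and unexpired; otherwise None."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        given_sig = _b64url_decode(sig_b64)
    except ValueError:  # bad base64 (binascii.Error) and bad JSON both land here
        return None
    if not isinstance(header, dict) or header.get("alg") != ACCEPTED_ALG:
        return None  # rejects "none" and any algorithm we did not pin
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected_sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, given_sig):
        return None  # constant-time compare; also catches a tampered payload
    if not isinstance(claims, dict):
        return None
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or now >= exp:
        return None  # a missing or past exp is a rejection, never a pass
    return claims
```

The algorithm check happens before the signature check on purpose: deciding which verification routine to run based on a field the attacker controls is exactly the mistake that makes "alg": "none" and key-confusion attacks work.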

Why It Matters

Tokens are central to how modern applications manage authentication and authorization. A compromised token grants an attacker the same access as the legitimate user, often without triggering any alerts. During security assessments, evaluating token implementation reveals critical issues such as insecure storage, missing expiration, predictable generation, and insufficient validation that can lead to account takeover and privilege escalation.
