Programster's Blog

Tutorials focusing on Linux, programming, and open-source

OpenID Connect (OIDC) Token Types

An OpenID Connect flow involves three kinds of token. OIDC itself defines only the ID token; access tokens and refresh tokens come from the underlying OAuth 2.0 framework. Each serves a different purpose, as outlined below:

ID Tokens

  • Returned as id_token in the response from the token endpoint (in the authorization code flow; the implicit and hybrid flows can also deliver it directly in the authorization response).
  • Always a JWT, so the claims about the user (sub, iss, aud, exp, iat, nonce, and optionally profile claims) are encoded in the token itself, and the token is signed so the client can verify it has not been tampered with. The client must actually perform that validation: check the signature against the provider's key, then check that iss is the expected provider, that aud contains your own client_id, that exp has not passed and that nonce matches the one you sent in the authorization request.
  • Intended solely for the client (relying party) that requested it: its audience is that client's ID, not an API. Never send it to an API as a credential; that is what the access token is for, and a correctly written API will reject it because the audience is wrong.

Access Tokens

  • Returned as access_token in token responses.
  • Bearer tokens: whoever holds one can act as the user at the resources it covers, with no further proof of identity, so it must be kept secret (sent only over TLS, never placed in URLs or written to logs).
  • Short-lived; when one expires a replacement is obtained through the refresh token rather than by making the user log in again.
  • Presented in an Authorization: Bearer header to the provider's UserInfo endpoint (its URL is published as userinfo_endpoint in the discovery document, often but not necessarily a path ending in /userinfo) to retrieve claims about the user, and to any other API that accepts the provider's tokens.
  • Its format is not fixed by the spec: it may be an opaque string or a JWT. The client should treat it as opaque either way; only the API receiving it needs to understand it.

Refresh Tokens

  • Used to obtain new access tokens, via a grant_type=refresh_token request to the token endpoint, without involving the user.
  • Long-lived, but once it expires or is revoked the user must authenticate again.
  • Another bearer token, and because it is long-lived a stolen one is worse than a stolen access token, so it needs at least as much protection.
  • Opaque to the client, which should never try to parse or interpret it: store it securely on the server side (it should never be readable by browser-side script) and only ever present it to the token endpoint.
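The access and refresh token lifecycle described in the two sections above, as an added example that is not code from the original post or any real provider. It is a constructed in-memory stand-in for a provider's token and UserInfo endpoints (class and method names are invented for the example): access tokens expire after five minutes, refresh tokens after thirty days, and a valid refresh token yields a new access token without the user. It goes one step beyond the post by rotating the refresh token on every use and revoking the whole token family when an old refresh token is replayed, which is what the OAuth 2.0 Security BCP recommends for catching a stolen refresh token.

```python
import secrets

ACCESS_TTL = 300            # access tokens live minutes
REFRESH_TTL = 30 * 86400    # refresh tokens live days; after that the user logs in again


class TokenEndpoint:
    """Constructed stand-in for an OpenID Provider's token and UserInfo endpoints.
    Tokens are opaque random strings; the server keeps all the state."""

    def __init__(self):
        self._access = {}   # access_token -> record
        self._refresh = {}  # refresh_token -> record

    def _issue(self, sub, scope, family, now, refresh_exp):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._access[access] = {"sub": sub, "scope": scope, "family": family,
                                "exp": now + ACCESS_TTL}
        # The refresh token's absolute expiry is inherited, so rotation never extends it.
        self._refresh[refresh] = {"sub": sub, "scope": scope, "family": family,
                                  "exp": refresh_exp, "used": False}
        return {"access_token": access, "token_type": "Bearer",
                "expires_in": ACCESS_TTL, "refresh_token": refresh}

    def authorization_code_grant(self, sub, scope, now):
        """What a successful login produces; the code exchange itself is elided."""
        return self._issue(sub, scope, secrets.token_hex(8), now, now + REFRESH_TTL)

    def refresh_token_grant(self, refresh_token, now):
        rec = self._refresh.get(refresh_token)
        if rec is None or rec["exp"] <= now:
            return {"error": "invalid_grant"}   # client must send the user back to log in
        if rec["used"]:
            # A rotated refresh token presented twice: either the client replayed it or
            # someone stole it. Revoke the whole family so neither party keeps access.
            self._revoke_family(rec["family"])
            return {"error": "invalid_grant"}
        rec["used"] = True
        return self._issue(rec["sub"], rec["scope"], rec["family"], now, rec["exp"])

    def _revoke_family(self, family):
        for store in (self._access, self._refresh):
            for tok in [t for t, r in store.items() if r["family"] == family]:
                del store[tok]

    def userinfo(self, authorization_header, now):
        """Resource-server side: holding a live bearer token is all the proof needed,
        which is exactly why it must be kept secret and short-lived."""
        scheme, _, token = authorization_header.partition(" ")
        rec = self._access.get(token) if scheme == "Bearer" else None
        if rec is None or rec["exp"] <= now:
            return 401, {"error": "invalid_token"}
        return 200, {"sub": rec["sub"], "scope": rec["scope"]}


def walkthrough():
    """Drive the lifecycle the post describes and return what each step produced."""
    t0 = 1_700_000_000   # constructed clock
    op = TokenEndpoint()
    first = op.authorization_code_grant("248289761001", "openid profile", t0)
    results = {}
    results["fresh_access"] = op.userinfo("Bearer " + first["access_token"], t0 + 60)[0]
    results["expired_access"] = op.userinfo("Bearer " + first["access_token"], t0 + ACCESS_TTL + 1)[0]
    # Access token expired: use the refresh token instead of re-authenticating the user.
    second = op.refresh_token_grant(first["refresh_token"], t0 + ACCESS_TTL + 1)
    results["refreshed_access"] = op.userinfo("Bearer " + second["access_token"], t0 + ACCESS_TTL + 2)[0]
    # Replaying the already-used refresh token burns the whole family, including the new one.
    results["replayed_refresh"] = op.refresh_token_grant(first["refresh_token"], t0 + ACCESS_TTL + 3).get("error")
    results["family_after_replay"] = op.refresh_token_grant(second["refresh_token"], t0 + ACCESS_TTL + 4).get("error")
    # Refresh tokens are long-lived, not eternal: past REFRESH_TTL the user must log in again.
    stale = op.authorization_code_grant("248289761001", "openid", t0)
    results["expired_refresh"] = op.refresh_token_grant(stale["refresh_token"], t0 + REFRESH_TTL + 1).get("error")
    return results


if __name__ == "__main__":
    for step, outcome in walkthrough().items():
        print(f"{step}: {outcome}")
```

Note that the refresh token never leaves the client/server pair: it is only ever sent to the token endpoint, while the access token is what goes to UserInfo. A real client would persist the latest refresh token server-side and drop the old one as soon as the rotation response arrives, since presenting the old one again is what triggers the family revocation.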


Last updated: 19th December 2022
First published: 18th November 2021