An authentication token (auth token) is a computer-generated code that verifies a user’s identity. Auth tokens are used to access websites, applications, services, and application programming interfaces (APIs). They allow users to access these resources without having to re-enter their login credentials each time they visit.
Auth tokens are machine-generated and, in most designs, signed (and sometimes also encrypted) so that a party without the key can neither forge one nor alter one undetected. They can be given an expiry and can be revoked, which limits the damage from a stolen credential and removes the guessable, long-lived secret that brute-force attacks target.
Auth tokens can be thought of as electronic keys: they carry, or reference, identity and authorization data rather than the user’s password. They are also a building block of Multi-Factor Authentication (MFA), where possession of a token, such as a code from a hardware device or an authenticator app, is combined with something the user knows.
Auth tokens can be hardware- or software-based. In addition to software-based tokens, there are hardware authentication tokens, for example physical access tokens and ID tokens.
Token-based authentication simplifies the authentication process for known users: they can access protected resources without re-entering their login credentials on every visit. To begin with, the user sends a request to the server containing a username and password. The server validates them against the values registered in its credentials database. If the credentials are confirmed, the server responds with an authentication token. Depending on the design, the server either records that token (ideally only a hash of it) alongside the account, or signs it so that it can be verified later without any stored copy.
When the same user sends requests for secured resources in the future, the requests are authorized with the authentication token rather than the username and password. The server validates the token, by looking it up in the token store or by checking its signature and expiry, and grants access. Several token formats are in use, such as OAuth 2.0 access tokens and JSON Web Tokens (JWT).
A JWT is signed, so any change to its contents invalidates the signature and is detected on verification. Hardware tokens can hold a credential or generate a one-time password, either on a schedule or in response to a challenge from the server.
Token-based authentication offers numerous advantages for both developers and users. Below are some of the key benefits:
Enhanced Security
Token-based authentication provides an additional layer of security, making it harder for attackers to gain unauthorized access. Because a token can be given a short lifetime, a stolen token is useful only for a limited window, unlike a long-lived password or persistent login.
Stateless and Scalable
Token-based authentication can be stateless: with a self-contained signed token, the server does not need to keep a record of which users are logged in, so new servers can be added without affecting existing sessions. Opaque tokens, by contrast, still require a lookup in a shared store. The trade-off of statelessness is that a signed token cannot be revoked before it expires unless the server keeps some state (such as a deny list) after all.
Reduced Server Load
Because tokens are held by the client and presented on each request, the server is freed from maintaining per-user session state, which reduces server load and simplifies horizontal scaling. The client-side storage then becomes the thing to protect: a token readable by injected script (for example via XSS) is as good as a password to the attacker.
Cross-Platform Compatibility
Tokens can be used across different platforms, services, and devices, offering greater flexibility for developers. This makes it easier to integrate various services or microservices, whether they are web-based, mobile, or other types of applications.
Easier to Implement Single Sign-On (SSO)
With token-based authentication, implementing Single Sign-On (SSO) becomes more straightforward. Once a user is authenticated and receives a token, this token can be used to access other services within the same ecosystem without requiring the user to log in again.
There are many ways to grant users authentication tokens: hardware-based tokens, one-time passwords (usually delivered to or generated on a mobile phone), and software-based tokens, which are often based on the JWT standard.
A well-designed token does not store the user’s password; it carries or references identity claims, and a signed token lets the receiver verify that those claims were issued by the expected party and have not been tampered with, a crucial requirement under today’s data privacy laws. Tokens also improve user experience, because once a user has authenticated they are not asked for their password again on every request.
Token-based authentication typically follows a four-step process: the client sends its credentials, the server validates them, the server issues a token, and the client presents that token on subsequent requests instead of the credentials.
Here are a few common types of tokens that are being used by developers to authenticate users or service accounts today.
JSON Web Token (JWT) is an open standard (RFC 7519). It defines a compact, self-contained format for transmitting claims between parties; the claims are a JSON object, and the token is signed (and optionally encrypted) so that the receiver can check who issued it and that it was not altered. JWTs can be used for authentication and to carry additional information about the user or account.
Because of their small size, JWTs can be carried in URLs, POST parameters, or HTTP headers (the Authorization header is the usual choice, since URLs tend to end up in logs and browser history). The JWT contains the necessary information about the entity, which avoids repeated database queries: the receiver can verify the token locally with the issuer’s key rather than calling back to the server. The flip side is that such a token stays valid until it expires, so keep lifetimes short.
A JWT is composed of three parts, each base64url-encoded and joined with dots: a header (algorithm and token type), a payload (the claims), and a signature over the first two parts.
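As an added example, not code from the original page, the following Python implements the three-part structure just described with HS256 from the standard library. It assumes a constructed demo key (SECRET) and a fixed clock passed in as `now`; the verifier pins the algorithm rather than trusting the token header, uses a constant-time comparison, and enforces `exp`. The `tamper` and `alg_none_token` helpers build the two tokens an attacker would most commonly try so the rejection can be seen.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key (assumption). Load real keys from a secret store, never from source.
SECRET = b"demo-hmac-key-replace-me"


class InvalidToken(Exception):
    pass


def b64url_encode(data: bytes) -> str:
    # JWT uses unpadded base64url (RFC 7515 section 2)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_b64(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_jwt(claims: dict, key: bytes, ttl: int = 300, now: Optional[int] = None) -> str:
    """Build header.payload.signature with HS256, adding iat and a short exp."""
    now = int(time.time()) if now is None else now
    payload = dict(claims, iat=now, exp=now + ttl)
    signing_input = _json_b64({"alg": "HS256", "typ": "JWT"}) + "." + _json_b64(payload)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, key: bytes, now: Optional[int] = None) -> dict:
    """Return the claims if the token is well-formed, HS256-signed with key and unexpired."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the verifier decides how to check, never the token's header
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise InvalidToken("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise InvalidToken("missing or expired exp")
    return payload


def tamper(token: str, new_claims: dict) -> str:
    """Swap the payload but keep the original signature, as an attacker would try."""
    header_b64, _, sig_b64 = token.split(".")
    return header_b64 + "." + _json_b64(new_claims) + "." + sig_b64


def alg_none_token(claims: dict) -> str:
    """Unsigned token with alg=none; a verifier that trusts the header would accept it."""
    return _json_b64({"alg": "none", "typ": "JWT"}) + "." + _json_b64(claims) + "."


def is_rejected(token: str, key: bytes, now: int) -> bool:
    try:
        verify_jwt(token, key, now=now)
        return False
    except InvalidToken:
        return True
```

Signing `{"sub": "alice"}` at `now=1700000000` with a 300 second TTL yields a token that verifies at `1700000100`, is rejected at `1700000300` (exp is exclusive), and is rejected when its payload is edited to `role: admin` or rewritten with `alg: none`.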
A refresh token is a special kind of token used in token-based authentication systems to obtain a new access token. Unlike the access token, which is used to grant users direct access to a system or application, the refresh token is used to renew an expired access token without requiring the user to log in again.
Typically, access tokens have a short lifespan for security reasons. When an access token expires, the client uses the refresh token to acquire a new one, so the session continues without interrupting the user. Refresh tokens are usually long-lived and must be stored securely, since a stolen refresh token lets an attacker mint access tokens for as long as it remains valid. A common mitigation is to rotate the refresh token on every use and to treat reuse of an already-consumed one as a sign of theft.
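The rotation-with-reuse-detection pattern mentioned above, written as an added example rather than code from the page: the server keeps only a SHA-256 digest of each refresh token, every rotation issues a fresh token in the same "family", and presenting a consumed token revokes the entire family so that neither the attacker nor the (possibly compromised) legitimate client can continue. The store, TTLs and `simulate_theft` scenario are constructed for the demo.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

ACCESS_TTL = 300          # short-lived access token (seconds)
REFRESH_TTL = 30 * 86400  # long-lived refresh token (seconds)


def _digest(token: str) -> str:
    # Store only a hash so a leaked table cannot be replayed as tokens
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class RefreshTokenStore:
    """Server-side refresh token state with rotation and reuse detection."""

    def __init__(self) -> None:
        self._records: Dict[str, dict] = {}
        self._revoked_families = set()

    def issue(self, user: str, now: int, family: Optional[str] = None) -> str:
        token = secrets.token_urlsafe(32)
        self._records[_digest(token)] = {
            "user": user,
            "family": family or secrets.token_hex(8),  # all descendants share this id
            "exp": now + REFRESH_TTL,
            "used": False,
        }
        return token

    def rotate(self, presented: str, now: int) -> Tuple[dict, str]:
        """Consume `presented`; return access token claims plus a new refresh token."""
        rec = self._records.get(_digest(presented))
        if rec is None:
            raise PermissionError("unknown refresh token")
        if rec["family"] in self._revoked_families:
            raise PermissionError("token family revoked")
        if now >= rec["exp"]:
            raise PermissionError("refresh token expired")
        if rec["used"]:
            # Someone is replaying a token that was already exchanged: assume theft
            self._revoked_families.add(rec["family"])
            raise PermissionError("refresh token reuse detected; family revoked")
        rec["used"] = True
        new_refresh = self.issue(rec["user"], now, family=rec["family"])
        access_claims = {"sub": rec["user"], "iat": now, "exp": now + ACCESS_TTL}
        return access_claims, new_refresh


def simulate_theft(now: int = 1_700_000_000) -> dict:
    """Constructed scenario: the client rotates once, then an attacker replays the old token."""
    store = RefreshTokenStore()
    first = store.issue("alice", now)
    _, second = store.rotate(first, now + 10)
    out = {"rotation_ok": True, "replay_rejected": False, "victim_locked_out": False}
    try:
        store.rotate(first, now + 20)   # stolen copy replayed after it was consumed
    except PermissionError:
        out["replay_rejected"] = True
    try:
        store.rotate(second, now + 30)  # the whole family is now dead
    except PermissionError:
        out["victim_locked_out"] = True
    return out
```

Locking the victim out is deliberate: the family cannot tell which holder is the attacker, so the safe move is to force a fresh login for everyone.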
Federated tokens are authentication credentials issued by an identity provider (IdP) that allow users to access multiple systems or services without separately logging into each one. This form of token is part of federated identity management, where user identities are trusted across multiple IT systems or organizations.
When a user first logs in, the IdP validates their identity and provides tokens that other systems trust. For instance, if you’ve ever logged into a service using your Google or Facebook account, you’ve used federated identity. The tokens prove your identity to other services without requiring you to enter your credentials again, simplifying access and enhancing user experience across diverse platforms.
One-time password (OTP) tokens are hardware devices or software programs that generate single-use codes. Most commonly these are short numeric codes, between 4 and 12 digits, valid for one login or one time window only; they are distinct from a user-chosen PIN, which is a static secret.
Smartphones are commonly used to generate or receive one-time passwords. Once a user proves ownership of their phone, they can use an authenticator app that generates OTP passwords—in this case the phone serves as a code generator. Alternatively, OTPs can be sent to the device by SMS.
One-time password tokens enhance existing identity and password systems by adding dynamically generated credentials. Depending on the provider, OTP tokens generate codes either synchronously, where the token and the server stay in step via a shared clock (time-based, TOTP) or a shared event counter (HOTP), or asynchronously, where the server sends a random challenge and the token computes a response to it.
API tokens identify an application (or service account) that requests access to your service. Your service generates a token for that application, which presents it on each request; your service then matches it against the copy it has stored (ideally a hash of it) to authenticate the caller and grant access. A session ID serves the same purpose for interactive users and is essentially a special case of the same idea.
API tokens have gained popularity because they replace the unsafe practice of sending the username and password with every request, as HTTP Basic authentication does. OAuth 2.0 access tokens are one of the most common ways of implementing API security today.
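The opaque-token flow described above, and the four-step login sequence earlier on this page (credentials in, token out, token presented on later requests), as one added Python example that is not code from the page. It assumes a constructed in-memory user and token store: passwords are stored as PBKDF2 hashes, issued tokens are random, carry a fixed prefix so secret scanners can recognise them, and are stored only as SHA-256 digests; `authorize` parses a `Bearer` header, enforces expiry, and `revoke` shows the advantage a server-side lookup has over a purely stateless token.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

TOKEN_PREFIX = "tok_"   # a fixed prefix makes leaked tokens easy for scanners to spot


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def _hash_token(token: str) -> str:
    # Store only a digest; a stolen token table cannot be used as-is
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class AuthServer:
    """Constructed demo server: credentials database plus opaque bearer token store."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}   # username -> (salt, pw_hash)
        self._tokens: Dict[str, dict] = {}                 # sha256(token) -> {user, exp}

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, _hash_password(password, salt))

    # Steps 1-3: client sends credentials, server validates them and issues a token
    def login(self, username: str, password: str, now: int, ttl: int = 3600) -> Optional[str]:
        rec = self._users.get(username)
        if rec is None:
            return None
        salt, stored = rec
        if not hmac.compare_digest(_hash_password(password, salt), stored):
            return None
        token = TOKEN_PREFIX + secrets.token_urlsafe(32)
        self._tokens[_hash_token(token)] = {"user": username, "exp": now + ttl}
        return token

    # Step 4: later requests carry the token instead of the password
    def authorize(self, authorization_header: Optional[str], now: int) -> Optional[str]:
        """Return the username for a valid 'Bearer <token>' header, else None."""
        if not authorization_header:
            return None
        scheme, _, token = authorization_header.partition(" ")
        token = token.strip()
        if scheme.lower() != "bearer" or not token:
            return None
        rec = self._tokens.get(_hash_token(token))
        if rec is None or now >= rec["exp"]:
            return None
        return rec["user"]

    def revoke(self, token: str) -> None:
        # Possible precisely because this design keeps server-side state per token
        self._tokens.pop(_hash_token(token), None)

    def stores_plaintext(self, token: str) -> bool:
        """Diagnostic: True if the raw token value appears as a key in the store."""
        return token in self._tokens
```

Registering `alice`, logging in with the wrong password returns nothing, logging in correctly returns a `tok_`-prefixed token that authorizes `Bearer` requests until its TTL elapses or it is revoked, and the raw token never appears in the server's table.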
Hardware tokens are physical devices used to authenticate users to protected networks and services. They are also sometimes called authentication or security tokens. The purpose of a hardware token is to add a layer of security via two-factor or multi-factor authentication (2FA or MFA): the token owner enrolls it with the system or service they want to access, and the service then expects proof of possession at login.
Hardware tokens are designed for user experience and customizability, so they can come in multiple forms. The most common types of tokens are key fobs and USB or wireless tokens. Hardware tokens can be divided into three categories.
Contactless. A contactless token doesn’t require you to enter an access code or plug the device in. It communicates over a short-range wireless link (such as NFC or Bluetooth), and the system grants or denies access based on the credential the token presents over that link.
Disconnected. A disconnected token is never attached to the system being accessed. It is set up to generate one-time access codes that the user types in as the second factor in 2FA or MFA. Today this role is often filled by an authenticator app on a smartphone rather than a dedicated device.
Connected. A connected token must be physically attached to, or read by, the system in order to enable access. The reader or host receives the relevant authentication credential from the token directly. Examples are USB security keys such as the YubiKey and key fobs read by a dedicated reader.
Cybercrime is becoming more sophisticated, which means that managed service providers (MSPs) must continuously update their security techniques and policies. There has been an increase in attacks that target credentials via methods like phishing, brute force and dictionary attacks. This means that authentication can no longer rely on passwords alone.
When combined with additional authentication factors, token-based authentication creates a much higher barrier to exploiting stolen passwords. A token that is bound to the device that generated it (a smartphone or key fob) cannot be used by someone who only knows the password, which is what makes it such an effective authentication control today.
While there are many advantages to token-based platforms, some risk always remains. Tokens held on mobile devices are convenient but may be exposed through device or application vulnerabilities. One-time codes sent by SMS can be intercepted in transit, for example through SIM swapping or attacks on the telephone network. And if a device is lost or stolen, a malicious actor can gain access to the tokens stored on it.
But always keep in mind that you should never rely on a single authentication measure. Token authentication should be considered as one component in a two-factor or multi-factor authentication strategy.
Like any other technique, token-based authentication has pros and cons you must weigh before adopting it.
Make sure you are planning properly and breaking down your use-cases. You can make the right decision only after doing so. Self-service is another key feature you should look to integrate into your ecosystem from the get go.