Access token vs ID token.
An ID token is an OIDC authentication artifact — a JWT that proves who the user is, intended for the client application that requested the login. An access token is an OAuth authorization artifact — a credential that grants scoped access to an API (resource server). The ID token is about identity; the access token is about access. They have different audiences and must not be used interchangeably.
ID token vs Access token.
| Dimension | ID token | Access token |
|---|---|---|
| Spec | OpenID Connect | OAuth 2.0 / 2.1 |
| Audience (aud) | The client app | The API / resource server |
| Purpose | Prove who the user is | Grant scoped access |
| Format | Always a JWT | JWT or opaque string |
| Sent to | Consumed by the app itself | Sent to APIs as a bearer / DPoP credential |
| Inspect for | iss, aud (your client_id), exp, nonce; then sub, name, email, auth_time | signature, iss, aud (your API), exp, scope |
The bug this prevents.
The single most common OAuth/OIDC integration mistake is sending the ID token to an API as proof of permission, or authorizing API calls by reading ID-token claims. The ID token is for the client app — it answers "who logged in?" It is not an API access credential. APIs must be called with the access token, and the API must validate the access token's audience and scopes.
If your backend accepts an ID token as a bearer credential, an attacker who obtains an ID token (which is often less protected, since it is "just identity") can call your APIs. Keep the tokens in their lanes.
- App reads the ID token to know who the user is.
- App sends the access token to call APIs.
- API validates the access token: signature, aud, exp, and required scope.
- Never authorize an API request from ID-token claims.
Common questions.
Can I send the ID token to my API?
No. The ID token's audience is your client application, not your API. Send the access token to APIs. An API that accepts ID tokens as credentials has an authorization vulnerability.
Why is my access token opaque while my ID token is a JWT?
ID tokens are always JWTs because the client must read their claims. Access tokens may be JWTs or opaque strings: opaque tokens are validated by the API through introspection against the authorization server, which keeps token internals private from the client. Either way the client should treat the access token as opaque and simply forward it; only the API decodes or introspects it.
The whole picture, in one place.
This explainer is part of our complete guide to IAM — authentication, authorization, governance, privileged access, the standards, and how to run a program.