oauth2.dev

access_token

IETF

Registry Context

`access_token` is the access token value issued by an OAuth 2.0 authorization server. RFC 6749 requires it in successful token responses and in implicit-grant authorization responses, although current security guidance discourages the implicit grant.

Technical Summary

RFC 6749 defines `access_token` as a REQUIRED response parameter in the URI fragment of a successful implicit-grant authorization response and in the JSON entity-body of a successful token endpoint response.

When Used

implicit-grant authorization response; successful token endpoint response

Normative Requirements

Clients

SHOULD NOT
1
  1. RFC 9700 - Section 2.1.2

    use the implicit grant or another response type that issues an access token in the authorization response..

    Condition: Unless access-token injection is prevented and the identified token-leakage vectors are mitigated.

    "clients SHOULD NOT use the implicit grant (response type token) or other response types issuing access tokens in the authorization response"

Authorization servers

REQUIRED
2
  1. RFC 6749 - Section 4.2.2

    include the `access_token` parameter in the fragment component of the redirection URI using `application/x-www-form-urlencoded` encoding..

    Condition: When the resource owner grants an implicit-grant access request.

    `access_token` — "REQUIRED. The access token issued by the authorization server."

  2. RFC 6749 - Section 5.1

    include the `access_token` parameter in the entity-body of the HTTP 200 (OK) response..

    Condition: When constructing a successful token response.

    `access_token` — "REQUIRED. The access token issued by the authorization server."

Validation Guidance

error

For an implicit-grant success response, verify that `access_token` is present in the URI fragment.

error

For a successful token endpoint response, verify that `access_token` is present in the HTTP 200 response entity-body.

error

Verify that successful token-response parameters are serialized as a top-level JSON object using the `application/json` media type.

warning

Warn when a client uses the implicit grant or another response type that returns an access token in the authorization response unless the RFC 9700 exception is demonstrably satisfied.

Security Notes

RFC 9700 - Section 2.1.2

Access tokens issued in authorization responses are vulnerable to leakage and replay, and no standardized sender-constraining method binds such tokens to a specific client. RFC 9700 therefore discourages the implicit grant except where injection and leakage risks are mitigated.

Reference

Details

Entry Id
access_token
Name
access_token
Parameter Usage Location
authorization response, token response
Change Controller
IETF
Reference
RFC6749