Repeatedly sending credentials over the internet is a security risk. But when you need to sign in to cloud and web-based apps, it is unavoidable. Or is it?
Token-based authentication is a protocol which allows users to verify their identity, and in return receive a unique access token. During the life of the token, users then access the website or app that the token has been issued for, rather than having to re-enter credentials each time they go back to the same webpage, app, or any resource protected with that same token.
Authentication tokens work like a stamped ticket. The user retains access as long as the token remains valid. Once the user logs out or quits an app, the token is invalidated. Tokens offer a second layer of security, and administrators have detailed control over each action and transaction.
Token-based authorization offers the following benefits:
- Tokens are stateless. The token is self-contained and contains all the information it needs for authentication. This is great for scalability as it frees customer servers from having to store session state.
- Tokens can be generated from anywhere. Token generation is decoupled from token verification allowing you the option to handle the signing of tokens on a separate server or even through a different company.
- Fine-grained access control. Within the token payload you can easily specify user roles and permissions as well as resources that the user can access.