An OAuth Access Token is a string that the OAuth client uses to make requests to the resource server.
Access tokens do not have to be in any particular format, and in practice, various OAuth servers have chosen many different formats for their access tokens.
Access tokens may be either "bearer tokens" or "sender-constrained" tokens. Sender-constrained tokens require the OAuth client to prove possession of a private key in some way in order to use the access token, such that the access token by itself would not be usable.
There are a number of properties of access tokens that are fundamental to the security model of OAuth: