ID Tokens vs Access Tokens

What's the difference between an ID Token and an Access Token? Access tokens are defined in OAuth, ID tokens are defined in OpenID Connect.

Access tokens are what the OAuth client uses to make requests to an API. The access token is meant to be read and validated by the API. An ID token contains information about what happened when a user authenticated, and is intended to be read by the OAuth client. The ID token may also contain information about the user such as their name or email address, although that is not a requirement of an ID token.

Here are some further differences between ID tokens and access tokens:

• ID tokens are meant to be read by the OAuth client. Access tokens are meant to be read by the resource server.
• ID tokens are JWTs. Access tokens can be JWTs but may also be a random string.
• ID tokens should never be sent to an API. Access tokens should never be read by the client.

Related:

• Access Tokens
• Refresh Tokens

More resources

• ID Tokens (oauth.com)
• ID Token and Access Token: What Is the Difference? (auth0.com)
• I don’t like Identity Tokens (leastprivilege.com)