This article presents an overview of tokens.
Authenticate a user and provide them with a time-limited token for accessing your protected content.
An access token is a token that enables a client to securely call protected endpoints. Access tokens contain information about the user and the resource for which they are intended.
An authorization code is a one-time-use token that is generated during the authorization request, after authentication. The client can exchange this authorization code with the authorization server for an access_token.
A refresh token is a one-time-use token that a client can exchange for a renewed access token, extending the duration of the privileged session. To obtain a refresh token, you need to include the ‘offline_access’ scope when you initiate an authorization request, and the user must authorize the ‘offline_access’ scope.
ID tokens are tokens that clients can use to identify a user. They contain information based on the requested claims and scope.
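The authorization code and refresh token rules described above, modelled as an added example (this is not code from the product this article documents): codes and refresh tokens are invalidated on first use, and a refresh token is issued only when ‘offline_access’ was granted. The class name `ToyAuthServer`, its methods, the 300-second lifetime, and the choice to hand out a fresh refresh token on each renewal are assumptions made for illustration.

```python
import secrets
import time

ACCESS_TTL = 300  # seconds; assumed lifetime of the time-limited access token


class ToyAuthServer:
    """In-memory model of the token rules above (hypothetical, not a real server)."""

    def __init__(self):
        self.codes = {}    # authorization code -> (user, scopes)
        self.refresh = {}  # refresh token      -> (user, scopes)
        self.access = {}   # access token       -> (user, scopes, expiry)

    def authorize(self, user, scopes):
        # Called once the user has authenticated and authorized the scopes.
        code = secrets.token_urlsafe(16)
        self.codes[code] = (user, frozenset(scopes))
        return code

    def _issue(self, user, scopes, now):
        access = secrets.token_urlsafe(24)
        self.access[access] = (user, scopes, now + ACCESS_TTL)
        tokens = {"access_token": access, "expires_in": ACCESS_TTL}
        if "offline_access" in scopes:  # no scope, no refresh token
            rt = secrets.token_urlsafe(24)
            self.refresh[rt] = (user, scopes)  # assumption: rotated on each use
            tokens["refresh_token"] = rt
        return tokens

    def exchange_code(self, code, now=None):
        grant = self.codes.pop(code, None)  # pop: a code works exactly once
        if grant is None:
            raise PermissionError("authorization code unknown or already used")
        return self._issue(*grant, time.time() if now is None else now)

    def refresh_tokens(self, refresh_token, now=None):
        grant = self.refresh.pop(refresh_token, None)  # one-time use
        if grant is None:
            raise PermissionError("refresh token unknown or already used")
        return self._issue(*grant, time.time() if now is None else now)

    def validate(self, access_token, now=None):
        # Returns the user for a live access token, None if unknown or expired.
        now = time.time() if now is None else now
        entry = self.access.get(access_token)
        return entry[0] if entry and now < entry[2] else None
```

A second presentation of the same code or refresh token raises `PermissionError`, which is the event worth logging server-side since it indicates a replayed or leaked token.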