How does the web app use the Access Token to fetch the user's data from the API (the final two steps of the OAuth flow)?
It calls the API and presents the Access Token in the request's Authorization header; the API validates the token and, if the scopes allow, returns the data.
Once the app has obtained the access token (the preceding step of the flow), it makes the "magic API call" — the last two steps:
- Request — the app sends a
GETto the resource server with the token, conventionally asAuthorization: Bearer <access_token>. - Response — the API checks the token (signature, expiry, audience, scopes) and, if valid and authorized, returns the protected data (e.g. the user's profile or picture).
The access token thus acts like a time-limited, permission-scoped API key issued on the user's behalf — the app never needed the user's actual password to reach the API.
Tip: "Bearer" literally means whoever bears (holds) this token may use it — so an access token must be protected like cash: anyone holding it can spend it until it expires.
Go deeper:
MDN: Authorization header — the Authorization-header mechanics for presenting a bearer token to an API.