Quiz Entry - updated: 2026.07.14
What's the difference between an OAuth ID Token and an Access Token?
The ID Token says who the user is (for the client to read); the Access Token grants what the client may do at an API (for the resource server to honor).
* Both issue together: ID Token says who, Access Token says what may be accessed. *
Both are returned in step 8, but they have different audiences and purposes:
| ID Token | Access Token | |
|---|---|---|
| Answers | "Who logged in?" (authentication / OIDC) | "What may be accessed?" (authorization) |
| Consumed by | the client app | the resource server / API |
| Typical content | user identity claims (sub, name, email) | scopes/permissions, audience |
| You should... | read its claims | send it to the API, don't crack it open |
Using an access token as proof of who the user is is a classic security mistake — that's the ID token's job.
Tip: ID Token → Identity. Access Token → Access. Same first-letter trick as OIDC vs OAuth.
Go deeper:
OpenID Connect Core 1.0 — the ID Token's definition and claims, the OIDC piece distinct from OAuth's access token.