LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What's the difference between an OAuth ID Token and an Access Token?

The ID Token says who the user is (for the client to read); the Access Token grants what the client may do at an API (for the resource server to honor).

ID Token (who logged in; for the client) vs Access Token (what may be accessed; for the API).

* Both issue together: ID Token says who, Access Token says what may be accessed. *

Both are returned in step 8, but they have different audiences and purposes:

ID Token Access Token
Answers "Who logged in?" (authentication / OIDC) "What may be accessed?" (authorization)
Consumed by the client app the resource server / API
Typical content user identity claims (sub, name, email) scopes/permissions, audience
You should... read its claims send it to the API, don't crack it open

Using an access token as proof of who the user is is a classic security mistake — that's the ID token's job.

Tip: ID Token → Identity. Access Token → Access. Same first-letter trick as OIDC vs OAuth.

Go deeper:

  • doc OpenID Connect Core 1.0 — the ID Token's definition and claims, the OIDC piece distinct from OAuth's access token.

From Quiz: INTROL / Web Authentication: Cookies, OAuth 2.0 / OIDC & WebAuthn | Updated: Jul 14, 2026