Types of tokens
Tokens are programming elements that represent the right to perform an operation depending on the token type.
ID token (id_token)
Trimble Identity issues an ID token (using OpenID framework) when the user logs on. An ID token is an artifact that proves the user has been authenticated. The ID token contains information about the user, such as user name and email, and is used to authenticate a user.
The ID token, a JWT (JSON Web Token), conforms to an industry-standard (IETF RFC 7519) and contains three parts: A header, a body, and a signature.
The header contains the type of token and the hash algorithm used on the contents of the token. The body, also called the payload, contains Identity claims about a user. Claims can include registered names like the token issuer, the subject of the token, and the time of issuance. The recipient of a JWT uses the signature to validate the integrity of the information conveyed in the JWT.
Access token (access_token)
The access token is generated using the grant types specified in the OAuth flow. The access token’s primary function is to authorize a user. Access tokens are issued via OAuth 2.0 endpoint /OAuth/token. Access tokens must be used to gain access to an API.
Access tokens are short-lived, with a lifetime of 60 minutes (1 hour). If the access token expires or becomes invalid, it can be requested through refresh tokens or regenerated.
Refresh token (refresh_token)
A refresh token is used to obtain access tokens after an initial authorization grant without interaction with the end-user. When the access token becomes invalid or expires, the refresh token can be used to request another access token for the same set of scopes (or a subset of those scopes). A refresh token is valid for nine days.
To request an access token using the refresh token, see Refresh a Token.
Token validity timeframes
| Token type | Valid for |
|---|---|
| Access token | 1 hour |
| ID token | 1 hour |
| Access code | 10 minutes |
| MFA code | 10 minutes |
| Refresh token | 9 days |
| Session cookies | 3 days |