Information about tokens
Access Tokens
Access tokens are used in token-based authentication to allow an application to access an API. The application receives an access token after a user successfully authenticates and authorizes access, then passes the access token as a credential when it calls the target API.
The passed token informs the API that the bearer of the token has been authorized to access the API and perform specific actions specified by the scope that was granted during authorization. For example, if your user authenticates using Facebook, the access token issued by Facebook can be used to call the Facebook Graph API.
These tokens are controlled by the IdP and can be issued in any format. See Identity Provider Access Tokens for details.
Opaque access tokens
Opaque access tokens are tokens in a proprietary format that you cannot access; they typically contain an identifier for information in a server's persistent storage. To validate an opaque token, the recipient of the token needs to call the server that issued the token. If you receive an opaque access token, you don't need to validate it.
To learn more, see Get Access Tokens. JWT access tokens are self-contained, so it is not necessary for the recipient to call a server to validate the token.
Management API access tokens
An access token issued for the Auth0 Management API should be treated as opaque regardless of whether it actually is, so you don't need to validate it.
Access token security
You should follow token best practices when using access tokens, and for JWTs, make sure that you validate an access token before assuming that its contents can be trusted.
We recommend that you set the validity period of your token based on the security requirements of your API. For example, an access token that accesses a banking API should expire more quickly than one that accesses a to-do API. To learn more, see Update Access Token Lifetime.
The length of the lifetime depends on the flow used to obtain the token.