- What is it? An access token is the string used when making authenticated requests to the API. The token represents that the user has authorized a third-party application to access that user’s account. Access tokens (which aren't always JWTs) are used to inform an API that the bearer of the token has been authorized to access the API and perform a predetermined set of actions (specified by the scopes granted).
- What do you use it for? The client uses an access token to make authenticated requests on behalf of the end user. When an access token expires, attempts to use it fail, and the app must obtain a new access token.
- How long is it valid? It is valid for 5 minutes, so if the error message is saying its invalid – perhaps it simply expired. You will use the access token when passing it in the header. Access Token lifetimes are kept to very short lifetimes. When an access token has been issued, it can be used until it expires.
- How long is it? 1000-1200 chars. We recommend that you plan for your application stack to handle tokens with length of at least 1200 characters in order to accommodate current and any future expansion plans.
- What does it contain? It contains a header, payload, and signature. A resource server can authorize the client to access particular resources based on the scopes and claims in the access token.
When an access token has been issued, you can use it until expiry. So if you use refresh token to obtain a new access token, where the lifetime overlaps, then both tokens can be used at the same time. The above fact is not related to OneTime or ReUse of refresh tokens.