In computer operating systems and other software frameworks, an access token is any data structure that contains the security information needed by a process to access a secured object or another process that requires authorization. Secure objects are usually data in the file system with read and write privileges defined, and a process is any other program or service that requires authorization to access its functions. While an access token is simply a container capable of holding any information, it is usually used to store user privileges.
The concept of an access token was primarily conceived of and used by Microsoft® operating systems and programs, but their usefulness has carried them elsewhere. The application programming interface (API) for Google describes a method for using access tokens while programming applications that need to access data associated with a Google user's account. Some of the large social networking platforms also use access tokens in their API.
Basically, when a user logs into an operating system or software system framework, the system verifies the user and password in a security database, and an access token is created that identifies the user to any object or process on the system. Any processes — such as applications, programs, or services — that are started by the user will carry the access token with them. The access token, then, needs to store several bits of data that another program or object checks against to grant access.
Access tokens contain the security identifiers (SID), typically numeric codes, for the user, any user groups to which the user belongs, and the current log-on session. The token also contains a list of any privileges that the user or groups are allowed. There are a couple different types of access tokens, so the token also needs to identify its type, either primary or impersonation. A primary access token is the standard type used, but an impersonation token also can be created to act on the user's behalf.
When an access token is called on to do its job, it encounters a security reference monitor (SRM), a service that monitors access to objects and processes on the system. The SRM pulls up the security descriptor of the object or process for comparison with the access token. The security descriptor contains an access control list (ACL), where each access control entry (ACE) defines certain permissions for that object or process. For example, in the case of a file on the system, the security descriptor contains information about which users or groups have permission to read or write to the file. If the access token requesting access to open or edit the file doesn't match the permissions in the security descriptor, access fails and the user is denied access to the file.