## The Simple Version
| | ID Token | Access Token |
|--|----------|--------------|
| **Says** | "This is who you are" | "This lets you access something" |
| **Used by** | Your app (frontend) | An API (backend) |
| **Contains** | User identity info | Permissions/scopes |
---
## ID Token — "Who are you?"
The ID token proves the user's identity to your app. Your app reads it to know **who logged in**.
- It's a JWT signed by the identity provider; your app must verify the signature and check `iss`, `aud`, `exp` (and the `nonce` it sent with the login request) before trusting any claim in it
- It contains identity claims like `sub`, `name`, `email`, `picture`; its `aud` is your app's client ID, not an API
- Your app **reads** it; it should never be sent to an API, because no API is its intended audience
**Example (decoded payload; `aud` is your app's client ID):**
```json
{
"iss": "https://auth.example.com/",
"sub": "248289761001",
"aud": "s6BhdRkqt3",
"name": "Jane Doe",
"email": "jane@example.com",
"iat": 1704067200,
"exp": 1704070800
}
```
---
## Access Token — "Here is what you can do"
The access token proves your app has been authorized to call an API on the user's behalf. The API **reads** it to decide whether to fulfill the request.
- Can be a JWT or an opaque string; if it's opaque, the API can't read anything from it and has to ask the authorization server (token introspection) what it grants
- When it is a JWT, it carries an `aud` naming the API and the scopes (typically a `scope` claim) that say what data the app is allowed to access; the API must check both, not just the signature
- Your app **sends** it to APIs as a Bearer token in the `Authorization` header, and should treat it as opaque even when it happens to be a JWT: its contents are addressed to the API, not to your app
**Example request:**
```http
GET /api/user-data HTTP/1.1
Host: api.example.com
Authorization: Bearer eyJhbGciOiJSUzI1NiIs...
```
---
## Think of It Like a Badge and a Key Card
- **ID Token** = Your photo ID badge. It says who you are. You show it to prove your identity.
- **Access Token** = A key card. It opens specific doors. The door checks the card to decide whether to let you in.
---
## How They Fit Into the Flow
```
1. User logs in at the identity provider
2. Your app receives:
   ├── ID Token → use this to know WHO the user is
   └── Access Token → use this to talk to APIs on behalf of the user
3. When calling an API:
   GET /api/data
   Authorization: Bearer <access token>
   (the API validates the access token and returns data)
```
---
## Key Takeaway
- **ID token** → for your app, to identify the user
- **Access token** → for APIs, to authorize the request
Never confuse the two. A correctly implemented API rejects an ID token because its `aud` is your client ID, not the API; an API that checks only the signature and skips the audience check is exactly how the two get mixed up. An access token tells your app nothing reliable about the user: it may be opaque, and even as a JWT its claims are addressed to the API, not to you.
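The following is an added example, not code from the original page, that puts the Access Token section and this takeaway into working code: a shared JWT verifier, the app-side ID token check (audience = client ID, plus nonce) and the API-side access token check (audience = API, plus scope), then both tokens handed to the wrong consumer so the audience check does the rejecting. The issuer, client ID, API identifier and shared secret are constructed values for this demo, and HS256 with a shared secret is an assumption made so the example runs offline with only the standard library; real identity providers sign with an asymmetric algorithm (RS256/ES256) and publish keys via JWKS, so in production you would verify against those keys instead.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values (assumptions for this example, not from the page).
ISSUER = "https://auth.example.com/"
CLIENT_ID = "my-spa-client"               # your app's OIDC client ID
API_AUDIENCE = "https://api.example.com"  # identifier the API expects in `aud`
SECRET = b"demo-shared-secret"            # HS256 stand-in for the IdP's real signing key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict) -> str:
    """Mint a compact JWT the way the demo 'identity provider' would."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, expected_aud: str, now: int) -> dict:
    """Signature, issuer, audience and expiry checks shared by both consumers."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token pick it
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]  # `aud` may be a string or an array
    if expected_aud not in aud_list:
        raise ValueError(f"audience mismatch: {aud!r} is not for {expected_aud}")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims


def client_validate_id_token(id_token: str, expected_nonce: str, now: int) -> str:
    """Your app: the ID token must be addressed to *this client* and echo our nonce."""
    claims = verify_jwt(id_token, CLIENT_ID, now)
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims["sub"]


def api_authorize(auth_header: str, required_scope: str, now: int) -> str:
    """The API: the bearer token must be addressed to *this API* and grant the scope."""
    if not auth_header.startswith("Bearer "):
        raise ValueError("missing bearer token")
    claims = verify_jwt(auth_header[len("Bearer "):], API_AUDIENCE, now)
    if required_scope not in claims.get("scope", "").split():
        raise ValueError("insufficient scope")
    return claims["sub"]


def issue_tokens(sub: str, nonce: str, now: int) -> tuple:
    """Demo IdP: same issuer and key for both tokens, only `aud` tells them apart."""
    id_token = sign_jwt({"iss": ISSUER, "sub": sub, "aud": CLIENT_ID, "iat": now,
                         "exp": now + 3600, "nonce": nonce,
                         "name": "Jane Doe", "email": "jane@example.com"})
    access_token = sign_jwt({"iss": ISSUER, "sub": sub, "aud": API_AUDIENCE, "iat": now,
                             "exp": now + 900, "scope": "read:user-data"})
    return id_token, access_token


def demo(now: int = 1704067200) -> dict:
    """Hand each token to the right consumer, then to the wrong one."""
    nonce = "n-0S6_WzA2Mj"
    id_token, access_token = issue_tokens("248289761001", nonce, now)
    results = {
        "app_reads_id_token": client_validate_id_token(id_token, nonce, now),
        "api_accepts_access_token": api_authorize("Bearer " + access_token, "read:user-data", now),
    }
    for key, call in (("api_given_id_token", lambda: api_authorize("Bearer " + id_token, "read:user-data", now)),
                      ("app_given_access_token", lambda: client_validate_id_token(access_token, nonce, now))):
        try:
            call()
            results[key] = "accepted"
        except ValueError as e:
            results[key] = str(e)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Both tokens are signed by the same issuer with the same key, so an API that only verified the signature would happily accept the ID token; it is the `aud` comparison in `verify_jwt` that turns the takeaway into an actual rejection. The same check, run with the client ID as the expected audience, is what stops the app from treating an access token as proof of identity.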