An Authentication Token (auth token) is a piece of information that verifies the identity of a user to a website, server, or anyone requesting verification of the user's identity.
Auth tokens add an extra layer of security and have the additional benefits of scaling well and providing better access control. In terms of scalability, an authentication token contains the data needed to verify a user's identity and is stored locally on the user's device. Tokens have negligible impact on a user's hardware and can therefore be scaled to an arbitrarily large number of users. Since each token can store user-specific data, an auth token can tell a server how much access to give the user, providing access control for the server that distributes the authentication tokens.
Auth tokens come in the form of hardware or software tokens:
Once this additional layer of software-based authentication is passed, the application or server gives the user an authentication token, which works like a ticket admitting the user to the site. Like a ticket, an authentication token states its period of validity and its scope of access, and it grants the user access until it expires.
Typically, the user will send the server or application a JSON Web Token (JWT), a standard defined in RFC 7519. A JWT is made up of three parts: a header, a payload, and a signature.
The information is encrypted, concatenated with periods, and then sent to the server. Once the server receives and verifies it, the server returns an authentication token, which grants access and states the token's lifetime. This token is then saved locally (in browser storage or a cookie) and can be checked every time the user accesses the site. Once the token expires, it is removed from local storage and the user must authenticate again.