
Token 🟒 Protection

A token in cybersecurity is a digital artefact used to authenticate, authorise or secure communications between users, applications or systems. It is often used to avoid handling sensitive information such as passwords directly.

Tokens are used in a variety of contexts:

  • Authentication (e.g. JWT, JSON Web Token) → authentication token
  • Authorisation (e.g. OAuth)
  • Securing sessions (CSRF tokens, access tokens)
  • Securing APIs (access tokens transmitted with requests)

They are often temporary, signed or encrypted, and are used as a secure means of verifying a user's identity or the validity of a request.

Please note: a cybersecurity token is different from an AI token (an elementary unit of text, typically a fragment of a word) or a blockchain token (a crypto asset).

| Criteria | Token in cybersecurity | Token in AI | Blockchain token (crypto asset) |
|---|---|---|---|
| Nature | Hardware/software device or coded string | Text unit (word, sub-word, character) | Digital instrument (smart contract, value) |
| Main function | Authentication, session management, security | Enabling text processing and modelling | Representing a value or a right, facilitating exchanges |
| Service life | Ephemeral (OTP), active session (time-limited JWT) | Text pre-processing snapshot | Indefinite as long as the blockchain exists |
| Physical support | Yes (hardware tokens) or virtual (JWT) | Software only (tokenisation algorithm) | Purely virtual (smart contract on a blockchain) |
| Context of use | Security, IAM, SSO, VPN | Natural language processing, translation, chatbots | Decentralised finance, governance, digital assets |

🎯 Objectives

  • Protect exchanges of sensitive information
  • Prevent unauthorised access
  • Offer a flexible authentication/authorisation method
  • Reduce the exposure of passwords or sensitive data

🧩 Types


  • JWT (JSON Web Token) for stateless authentication of users (the server does not store the session in memory)
  • OAuth token to enable applications to access resources without sharing credentials
  • CSRF token to protect against cross-site request forgery attacks
  • API access token for secure calls to web services
  • Refresh token to obtain a new access token without re-authentication

⚙️ How to implement it

  1. Creation: after authentication, the server generates a signed or encrypted token.
  2. Transmission: the token is sent to the client (e.g. a browser) and stored there (e.g. in a cookie or localStorage).
  3. Use: the client sends the token with each subsequent request (e.g. in an HTTP header).
  4. Verification: the server decodes the token and checks its validity, signature and expiry.
  5. Renewal or revocation: via a refresh token or a blacklisting mechanism.

🧨 Consequences

  • In the event of compromise: a stolen token may allow unauthorised access until it has expired or been revoked.
  • Management complexity: security, expiry, storage and transmission all have to be handled.

🛠️ Tools

  • Auth0, Keycloak, Okta: complete management of tokens and authentication
  • JWT.io: for decoding and checking JWTs
  • Postman: for testing API calls with tokens

💡 Examples

  • A website uses JWT so that the user does not have to log in again for each page
  • A mobile application uses OAuth 2.0 to connect to a Google Account
  • An HTML form includes a CSRF token to prevent malicious submissions
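As an added example for the CSRF item above (not code from the page or from any framework it mentions), the following minimal Python app implements the synchroniser-token pattern: the server issues one unguessable token per session, embeds it in the form as a hidden field, and rejects any state-changing POST whose token does not match the one bound to that session. The class name, the `/transfer` route, the in-memory session store and the three scenarios in `demo()` are assumptions made for this demonstration.

```python
import hmac
import re
import secrets
from html import escape


class CsrfProtectedApp:
    """Synchroniser-token pattern (assumed demo app, not a real framework): one random
    token per session, embedded in every form, required on every state-changing request."""

    def __init__(self):
        self.sessions = {}  # session id -> CSRF token, kept server-side only

    def start_session(self) -> str:
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = secrets.token_urlsafe(32)  # CSPRNG, not guessable
        return session_id

    def render_form(self, session_id: str) -> str:
        """The legitimate page carries the token in a hidden field; a page on another
        origin cannot read it, so it cannot reproduce it in a forged submission."""
        token = escape(self.sessions[session_id])
        return (
            '<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="amount"><button>Send</button></form>'
        )

    def handle_post(self, session_id: str, form: dict) -> str:
        """Accept the request only if the submitted token matches this session's token."""
        expected = self.sessions.get(session_id)
        submitted = form.get("csrf_token", "")
        # Constant-time comparison so the check does not leak the token byte by byte.
        if expected is None or not hmac.compare_digest(submitted.encode(), expected.encode()):
            return "403 rejected: missing or invalid CSRF token"
        return f"200 accepted: transfer of {form.get('amount')}"


def demo() -> dict:
    """Constructed scenarios: a normal submission, a forged cross-site one, a token from another session."""
    app = CsrfProtectedApp()
    victim = app.start_session()
    other = app.start_session()
    # The browser submits the hidden field it was served (token pulled out of the rendered HTML).
    page = app.render_form(victim)
    token = re.search(r'name="csrf_token" value="([^"]+)"', page).group(1)
    return {
        "legitimate": app.handle_post(victim, {"csrf_token": token, "amount": "10"}),
        # A form hosted elsewhere rides on the victim's cookie session but cannot supply the token.
        "cross_site": app.handle_post(victim, {"amount": "9999"}),
        # A token issued for a different session is not accepted either.
        "other_session": app.handle_post(victim, {"csrf_token": app.sessions[other], "amount": "1"}),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```

The token is tied to the session, never placed in a URL, and compared in constant time; a real application would additionally scope the check to every non-idempotent route and rotate the token on login.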

Here is a real example of a JWT (JSON Web Token). It is divided into three dot-separated parts:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

🔍 Deciphering the three parts:

  • Header: indicates the type of token and the signature algorithm
    {
      "alg": "HS256",
      "typ": "JWT"
    }
  • Payload (data): contains information about the user or their rights
    {
      "sub": "1234567890",
      "name": "John Doe",
      "iat": 1516239022
    }
  • Signature: the result of cryptographically signing the first two parts with a secret key

The server can check this signature to ensure that the content has not been modified. If the token is expired or falsified, it is rejected.
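The five implementation steps above and the three-part anatomy of the token are easier to follow in code. What follows is an added example written for this glossary entry, not code from the original page or from any of the tools it names: it mints an HS256 JWT with `iat` and `exp` claims (step 1), decodes the page's own example token without verifying it (what JWT.io displays), then verifies a token with a server-pinned algorithm, a constant-time signature check, an expiry check and a revocation list keyed on the `jti` claim (steps 4 and 5). The secret key, the fixed timestamp, the `session-42` token id and all function names are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret: a real server loads this from a secret store, never from source code.
SECRET = b"constructed-demo-secret-do-not-reuse"

# The three-part token shown on this page (header.payload.signature), joined on one line.
PAGE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)


def b64url_encode(data: bytes) -> str:
    """JWT uses URL-safe base64 with the '=' padding removed."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding the encoder stripped, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def create_token(claims: dict, secret: bytes, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Step 1 (creation): add 'iat'/'exp' claims and sign header.payload with HMAC-SHA256."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {**claims, "iat": now, "exp": now + ttl_seconds}
    signing_input = b64url_encode(_json(header)) + "." + b64url_encode(_json(payload))
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def decode_unverified(token: str) -> tuple:
    """Inspect header and payload only (what JWT.io displays); says nothing about authenticity."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def verify_token(token: str, secret: bytes, now: Optional[int] = None, revoked=frozenset()) -> dict:
    """Step 4 (verification): structure, algorithm, signature, expiry, revocation; ValueError on failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm server-side; the token must not get to choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time comparison
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise ValueError("expired")
    if payload.get("jti") in revoked:  # step 5 (revocation): denylist of token ids
        raise ValueError("revoked")
    return payload


def _outcome(check) -> str:
    try:
        check()
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


def demo() -> dict:
    """Walk the page's steps with a fixed clock so the results are reproducible."""
    now = 1_700_000_000  # constructed timestamp
    page_header, page_payload = decode_unverified(PAGE_TOKEN)
    token = create_token({"sub": "1234567890", "jti": "session-42"}, SECRET, ttl_seconds=900, now=now)
    accepted = verify_token(token, SECRET, now=now + 60)
    # Tampering: alter a claim but keep the original signature.
    h, p, s = token.split(".")
    claims = json.loads(b64url_decode(p))
    claims["sub"] = "admin"
    forged = f"{h}.{b64url_encode(_json(claims))}.{s}"
    return {
        "page_token_alg": page_header["alg"],
        "page_token_sub": page_payload["sub"],
        "valid_sub": accepted["sub"],
        "forged": _outcome(lambda: verify_token(forged, SECRET, now=now + 60)),
        "expired": _outcome(lambda: verify_token(token, SECRET, now=now + 900)),
        "revoked": _outcome(lambda: verify_token(token, SECRET, now=now + 60, revoked={"session-42"})),
        "page_token_other_key": _outcome(lambda: verify_token(PAGE_TOKEN, SECRET, now=now)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it directly to print each outcome. The page's token is rejected here because it was not signed with this demo secret, which is exactly what a server should do with any token whose signature it cannot reproduce; the forged, expired and revoked cases show the other three checks each refusing a token that decodes perfectly well.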


✅ Advantages / ❌ Disadvantages

  • Advantages:
    • Enhanced security
    • Reduced server load (stateless)
    • Architecture flexibility (APIs, microservices)
  • Disadvantages:
    • Complex management (storage, rotation, revocation)
    • Risks of unsecured storage or transmission

🧗 Challenges

  • Protecting local token storage
  • Ensuring effective expiry and rotation
  • Avoiding interception attacks (e.g. XSS, man-in-the-middle)

📈 Recent developments

  • Zero Trust: integrating tokens into architectures with no implicit trust
  • Confidential Computing: processing tokens securely in an isolated environment
  • Token Binding: linking a token to a session or device to prevent theft

📊 Recent figures

  • By 2024, more than 90% of REST APIs use authentication tokens such as JWT (Source: Gartner, 2024)
  • Approximately 60% of API-related data leaks are due to poor token management (Source: Imperva, 2024)
  • The market for identity and access management (IAM) solutions is expected to reach $24.1 billion in 2025 (Source: MarketsandMarkets, 2024)