In web or application development we all know token. But it comes to token and access_token together, we get confused.
Here is this tutorial to explain the difference. But we need to remember both of this terminalogy and their implementation plays a vitial role in security.
When we use token and access_token use together in one application, we need to differentiate about their usages. In general, token is the secret code in string format which is used for security when communicating with the server.
Simple token could be secret id or string provided by third party. It acts as communication key between the client and the third party server. Let's first understand secret_key and public_key. Then we will understand better how access_token and token work. They are similar in behavior.
Secret_key and public_key
When you register your app with third party server, they give you a key. This key is the token and they have a different names. Some vendors call it secret_key. There are various forms of it. Some also has public_key apart from secret_key. That's also another type of token for communication.
So you will see that we have two types of token though the names are different. The first one secret_key is used for certain client and server communication. So this is only two sided. Using secret_key you only communicate between your app and the server.
The second one public_key is used for different clients and the server communication. This is used when we do multi sided communcation. This communication exposes your own key with others. And this is ok. This is a way to verify yourself with other client or app with the help of server.
Access_token and token
They are work similarly with secret_key and public_key. In our application token represents the ID of the row in our database table.
This token is randomly generated by server and saved. And later we use this token as ID, and we do do like this? Well, IDs are easy to guess. If you know one user's ID, then you can guess the next user's ID which is very bad and less secure.
When we communicate with other client or different users of the same app, we use this token to verify ourselves with the other client and server.
But we don't use access_token to do it. Because if you send access_token to communicate with other client or users they would see your own secured token and would be able to guess other people's token.
Malwares would be able to guess the token and do insecure stuffs.
So the idea is, if you only communicate with the server use access_token to do it. If you communicate with other users use token to send data and verify.
