In computing, a personal access token (or PAT) is a string of characters that can be used to authenticate a user when accessing a computer system instead of the usual password.[1][2][3][4] Though associated with a single account, multiple PATs may be created, and can be manipulated independently of the password associated with that account, including creation and revocation of PATs without altering the password. The PAT is usually generated automatically by the remote system — for example, as a string of 52 alphanumeric characters. Typically, permissions may also be adjusted for each PAT individually, allowing or restricting access to certain classes of data or functions on the remote system. These permissions can usually be adjusted only after authenticating with the password. This can be a useful form of delegation of authorization, for example, when creating programs that will access the remote system. The PAT will typically be stored in a location accessible to the program, and therefore not typically as secure as a password. If the program or PAT is compromised, the damage will be limited by the permissions available to that PAT, and the PAT itself can easily be revoked to prevent further exploitation.

If the token is a JWT token it can use the exp[5] claim to declare a expiration time and the jti[6] claim to declare a unique identifier for the JWT which can be used to revoke it.

References

edit
  1. ^ "Creating a personal access token". GitHub. Retrieved 2021-03-08.
  2. ^ "Personal access tokens". GitLab. Retrieved 2021-03-08.
  3. ^ "Personal access tokens". Bitbucket. Retrieved 2021-03-08.
  4. ^ "Use personal access tokens". Microsoft Azure. Retrieved 2021-03-08.
  5. ^ Jones, Michael B.; Bradley, John; Sakimura, Nat (May 2015). "JSON Web Token (JWT)". Internet Engineering Task Force. Retrieved 20 October 2024.
  6. ^ Jones, Michael B.; Bradley, John; Sakimura, Nat (May 2015). "JSON Web Token (JWT)". Internet Engineering Task Force. Retrieved 20 October 2024.