Token
// Definition
A portable credential — typically a signed string — that a server issues and a client presents on subsequent requests to prove identity or authorisation. Tokens are stateless alternatives to server-side sessions; the server can verify them without a database lookup. Common forms: opaque bearer tokens (random strings referenced in a database), JWTs (self-contained with claims and a signature), and OAuth access tokens (short-lived grants scoped to specific resources). Key testing considerations: token expiry, revocation, scope enforcement, and transmission security (HTTPS-only, no logging).
// Related terms
JWT
JSON Web Token — a compact, URL-safe token format for transmitting claims between parties. A JWT has three Base64URL-encoded sections separated by dots: header (signing algorithm), payload (claims like `sub`, `exp`, `roles`), and signature. Because the payload is encoded but not encrypted, any holder of the token can read the claims — never store secrets in a JWT payload. Test JWTs by checking expiry enforcement, algorithm validation (reject `alg: none`), and rejection of tampered signatures.
OAuth 2.0
An open delegation protocol that lets users grant third-party applications scoped access to their resources without sharing their password. OAuth 2.0 defines four grant flows — Authorization Code (web apps), Client Credentials (server-to-server), Device Code (CLI tools / TVs), and PKCE (mobile apps). QA engineers test OAuth flows by validating token exchange, scope enforcement, refresh token behaviour, and failure modes like expired tokens, insufficient scopes, and revoked access.
Session
A server-side or client-side record that persists a user's authenticated state across requests. Sessions are created on login, referenced by a session ID sent in a cookie or header, and invalidated on logout or expiry. Testing considerations include: session fixation (attacker sets the victim's session ID before login), failure to rotate the ID after privilege escalation, excessively long session lifetimes that extend exposure after credential compromise, and whether logout actually invalidates the server-side session.
Authentication
The process of verifying who a caller is. Common schemes: API key, Bearer token, OAuth 2.0, mutual TLS. Distinct from authorisation, which decides what they're allowed to do.
Authorization
The process of determining what an authenticated caller is permitted to do. Where authentication answers "who are you?", authorization answers "what are you allowed to do?" Common models include role-based access control (RBAC), attribute-based access control (ABAC), and scope-based delegation (OAuth). Testing authorization means verifying that every protected action enforces its policy — including negative cases where a lower-privileged user is explicitly denied access rather than silently downgraded.