> ## Documentation Index
> Fetch the complete documentation index at: https://stytch.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Connected App Access Token Object

An **Access Token** is a credential used to access protected resources. An access token represents an authorization issued to a particular Connected App Client by a Stytch User.

Access Tokens are issued by the [**Token Endpoint**](../exchange-authorization-code) automatically at the end of every successful OAuth flow.

Access Tokens embed the authorization granted to a Connected App Client within the scope field. Stytch supports the standard OpenID scopes: `openid`, `profile`, `email`, `phone`, and `offline_access`.

Access tokens granted to Connected App clients are **JWTs (JSON Web Tokens)** signed by your Stytch project's [**JWKS (JSON Web Key Set)**](../configuration/get-jwks) using the RS256 algorithm. They can be validated locally by using a [Stytch Backend SDK](../methods/authenticate-access-token-local), or any library that supports the JWT protocol.

### Fields

<ResponseField name="iss" type="string">
  The issuer of the token. By default, this is your project's Custom Domain, or `stytch.com/${projectId}` if the token was retrieved using the stytch.com domain. See the [Custom Domain](/connected-apps/resources/custom-domains) guide for more information.
</ResponseField>

<ResponseField name="sub" type="string">
  The subject of the token. This is a unique identifier for the user.
</ResponseField>

<ResponseField name="aud" type="string">
  The audience (`client_id`) that the token is intended for. Additional custom audiences can be defined for the token by setting the `access_token_custom_audience` parameter on the client object.
</ResponseField>

<ResponseField name="exp" type="number">
  The expiration time of the token, expressed as a Unix timestamp.
</ResponseField>

<ResponseField name="nbf" type="number">
  The time before which the JWT must not be accepted for processing, expressed as a Unix timestamp.
</ResponseField>

<ResponseField name="iat" type="number">
  The time at which the token was issued, expressed as a Unix timestamp.
</ResponseField>

<ResponseField name="jti" type="string">
  A unique identifier for the JWT.
</ResponseField>

<ResponseField name="scope" type="string">
  A space separated list of scopes granted to the client. For example, `read:users write:users`.
</ResponseField>

<Panel>
  ```json 200 theme={null}
  {
      "iss" : "https://${projectDomain}",
      "sub" : "user-test-16d9ba61-97a1-4ba4-9720-b03761dc50c6",
      "aud" : [
          "PROJECT_ID"
      ],
      "client_id": "connected-app-test-d731954d-dab3-4a2b-bdee-07f3ad1be888",
      "exp" : 1738786128,
      "nbf" : 1738782528,
      "iat" : 1738782528,
      "jti" : "LOe49j3s9d9dmacslUvrb15ZIjPbptMm7fS5UlE52JCF",
      "scope" : "openid email profile phone"
  }
  ```
</Panel>
