An Access Token is a credential used to access protected resources. An access token represents an authorization issued to a particular Connected App Client by a Stytch Member.
Access Tokens are issued by the Token Endpoint automatically at the end of every OAuth flow.
Access Tokens embed the authorization granted to a Connected App Client within the scope field. Stytch supports the standard OpenID scopes: openid, profile, email, phone, and offline_access. Additional Custom Scopes can be configured within your Project's RBAC Policy.
Access tokens granted to Connected App clients are JWTs (JSON Web Tokens) signed with the RS256 algorithm using keys from your Stytch project's JWKS (JSON Web Key Set). They can be validated locally by using a Stytch Backend SDK, or any library that supports the JWT standard.
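The checks a local validator performs on such a token, as an added example (not Stytch's SDK or code from this page) using only Node's built-in crypto module. The key pair, `kid`, issuer and audience are constructed placeholders, and the `iss`, `aud` and `exp` checks and the space-delimited `scope` string follow the general JWT and OAuth conventions rather than anything this page specifies.

```javascript
const crypto = require("node:crypto");
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const dec = (seg) => JSON.parse(Buffer.from(seg, "base64url").toString("utf8"));

// Returns the claims if the token is valid for this API, otherwise throws.
function validateAccessToken(token, jwks, { issuer, audience, requiredScope, now = Date.now() / 1000 }) {
  const [h, p, s, extra] = token.split(".");
  if (!h || !p || !s || extra !== undefined) throw new Error("malformed token");
  const header = dec(h);
  // Pin the algorithm to RS256; never let the token header choose it.
  if (header.alg !== "RS256") throw new Error("unexpected alg");
  const jwk = jwks.keys.find((k) => k.kty === "RSA" && k.kid === header.kid);
  if (!jwk) throw new Error("unknown kid");
  const key = crypto.createPublicKey({ key: { kty: "RSA", n: jwk.n, e: jwk.e }, format: "jwk" });
  const signed = Buffer.from(`${h}.${p}`);
  if (!crypto.verify("sha256", signed, key, Buffer.from(s, "base64url"))) throw new Error("bad signature");
  const claims = dec(p); // read claims only after the signature check passes
  if (claims.iss !== issuer) throw new Error("wrong issuer");
  if (![].concat(claims.aud).includes(audience)) throw new Error("wrong audience");
  if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("expired");
  // Assumption: scope is a space-delimited string (the usual OAuth convention).
  if (!String(claims.scope ?? "").split(" ").includes(requiredScope)) throw new Error("missing scope");
  return claims;
}

// Constructed demo: a throwaway key pair stands in for the project's JWKS.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const jwks = { keys: [{ ...publicKey.export({ format: "jwk" }), kid: "demo-key" }] };
  const mint = (header, claims) => {
    const input = `${enc(header)}.${enc(claims)}`;
    return `${input}.${crypto.sign("sha256", Buffer.from(input), privateKey).toString("base64url")}`;
  };
  const header = { alg: "RS256", kid: "demo-key", typ: "JWT" };
  const base = { iss: "https://issuer.example", aud: "api.example", scope: "openid email", exp: 2000 };
  const opts = { issuer: base.iss, audience: base.aud, requiredScope: "email", now: 1000 };
  const good = mint(header, base);
  const [h, , s] = good.split(".");
  const outcome = (t) => { try { return validateAccessToken(t, jwks, opts).scope; } catch (e) { return e.message; } };
  return {
    valid: outcome(good),
    tampered: outcome(`${h}.${enc({ ...base, scope: "openid email phone" })}.${s}`), // payload swapped, old signature
    wrongAlg: outcome(mint({ ...header, alg: "HS256" }, base)),
    expired: outcome(mint(header, { ...base, exp: 999 })),
    noScope: outcome(mint(header, { ...base, scope: "openid profile" })),
  };
}
console.log(demo());
```

In a real service the `jwks` object would be fetched from the project's JWKS and cached, and `requiredScope` would be the scope the protected route demands.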