It’s very simple, it’s your API access password (using your term). Usually you buy the right to use a service, usually web. It is needed as much as it needs a password here on this site, on Facebook, on a control panel of some service, etc. because it needs:
- ensure that only the right person will use it,
- count the use for the right person if it has limits,
- verify that this person is using the service properly,
- allow only those who own certain data to access them.
If you are going to access mechanically through a system and not interactively, you have no reason to ask for user and password, although nothing prevents that. As it will not be something that the person will have to keep remembering and typing, it can be very big and very complex, hence it does not need two tokens access (user and password), one of which is usually a more obvious name and the other depends on each person, but they usually use things that are easy to remember. Make a virtually indecipherable code.
There are cases that the token carries extra information that may help with authorization. The most important thing is that it is unique. It is used in all service requests. Not to be confused with token session* or security.
It is obvious that this does not give much security, we are talking about authentication of access and security. This code is trafficked by the internet, is placed in systems and turns and moves the incautious programmer put that token publicly on the internet. Here it happens often. Each should be responsible for giving security to it not to be accessed improperly.
It does not guarantee misuse, either because the "owner" of the token passed for someone else to use, either because he did not care enough so that it was not stolen.
I don’t like the term API that everyone uses in this context. API is something else. People access a service, generally external, in general using web technologies, to have access to data, to do certain processing, to use certain technologies, etc. It is true that the person is accessing the service via an API, but the service is not an API, even though people think it’s.
There is no API application. There is an API for an application.
Tokens are used to validate users when accessing a particular API or system to ensure the authenticity of who accessed, or is accessing.
– MarceloBoni
I answered without mentioning Node.js, because it doesn’t seem to make sense in the way the question was asked that it has any relation to this technology, in fact I don’t even know if it should be mentioned in the question. Unless the question was another and I wish I knew how to implement this in Node.js, but it would be a very different question.
– Maniero
@Mustache thank you very much, you answered exactly what I wanted to know. I only mentioned Node.js, in case someone wants to give a detailed how it works in Ode, but it’s not really important. I edited the question using the term Access Token, to be more specific. I didn’t know this term existed, it would have made everything easier.
– Asura Khan