Week 5 — 37 / 38

Token-Based Authentication

Another thing API designers do, especially for APIs that won't be used only in the browser, is to have the user enter their secure credentials once and then give them a time-limited access token. That token can be used more safely in JavaScript code than a durable password or API key, because if an attacker somehow manages to steal it, it is likely to have expired already. We call these session tokens, because they are only intended to last for the life of one user session. The API stores those access tokens on the server and checks that each incoming request (1) carries a token, (2) the token is one the server knows about, and (3) it has not yet expired.
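As an added example (not part of the course slides), the following Python sketch of the server side implements that flow: credentials are exchanged once for a random token, the server records it, and every request is checked against the three conditions above. The user name, password, salt, 15-minute lifetime and the choice to store only a SHA-256 digest of each issued token are assumptions made for this example.

```python
import hashlib
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of one session token

# Constructed user database: username -> password hash (stand-in for a real store).
_SALT = b"constructed-demo-salt"  # a real service uses a random salt per user


def _password_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"alice": _password_hash("correct horse battery staple")}

# Server-side session store: SHA-256 digest of the token -> (username, expiry time).
# Only a digest is kept so that a leaked copy of this table yields no usable tokens.
_sessions = {}


def _token_digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def login(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Exchange durable credentials (entered once) for a random, time-limited token."""
    now = time.time() if now is None else now
    stored = USERS.get(username)
    # compare_digest keeps the hash comparison constant-time
    if stored is None or not secrets.compare_digest(stored, _password_hash(password)):
        return None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _sessions[_token_digest(token)] = (username, now + TOKEN_TTL_SECONDS)
    return token


def authenticate(headers: dict, now: Optional[float] = None) -> Optional[str]:
    """Apply the slide's three checks to a request; return the username or None."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None  # (1) the request carries no token
    digest = _token_digest(auth[len("Bearer "):])
    entry = _sessions.get(digest)
    if entry is None:
        return None  # (2) the server never issued (or has since forgotten) this token
    username, expires_at = entry
    if now >= expires_at:
        del _sessions[digest]  # (3) expired: drop it so it cannot be replayed later
        return None
    return username
```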
