Access Tokens can be categorized in two classes: 

• By-reference in terms of an arbitrary value that must be verified via Introspection to determine the Authorization Context for any particular token value.
• Self-contained in terms JSON WebTokens (JWT) that are signed (JWS) and optionally also encrypted (JWE). Tokens of this kind contain all required information to determine the Authorization Context. Such tokens may optionally also be verified via Introspection or for augmenting the token with additional claims .

In either case, the resulting token (value) is ment for use as a standard Bearer Tokens in the request to the value-added service for which the token regulates access.

The Authorization Context of an Access Token referes to attributes such as:

• The issuer (iss)of the access token. See corresponding claim in ID Token.
• The subject identifier (sub) of the access token, ie. a reference to the end-user (resource owner) that authorized the access token. See corresponding claim in ID Token.
• Intended audience (aud)for the access token, ie. a reference to the Value-Added Service (VAS) that the access token regulates access to. Note that this is not related to the corresponding claim in the ID Token. The audience for the ID Token (being the OIDC Client) is different from the audience for an Access Token (being the VAS in question). 
• Active state / expiry (exp)of the access token
• The specific set of scopes and claims associated with the access token, ie. the set included in the Authorize request that subsequently resulted in the issuance of the Access Token in a reponse to a Token request

The Default Acess Token in this release of the OIDC Provider from BankID has its origin from Apache CXF and has the following characteristics:

• By-reference token with corresponding support for validation via introspect
• Standard beared token
• Works with any audience
• Works with any set of scopes and claims
• Has a lifetime of 300 seconds

The default token has generic characteristics and can be used as a general-purpose token unless a more specific or tailor-made token is desired. The default token is public since it can be used by any Value-added Service (VAS) that is registered with (and hence trust) the OIDC Provider from BankID. The default token is used by the TINFO-service.

See the list of supported Value-added Services (VAS) for further information of Access Tokens for each such service.