Client applications obtain access tokens by making OAuth 2 or OpenID Connect (OIDC) requests to an authorization server. Resource servers require clients to authenticate using access tokens.

Access tokens are obtained from the token endpoint when using the client credentials grant type, or from the authorization endpoint when using the implicit grant type. Access tokens are typically granted on behalf of a specific authenticated user. Tokens granted directly to applications are called application tokens.
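
The two ways of obtaining a token described above, as an added example that is not part of the original page: the first function builds the token endpoint request for the client credentials grant, and the second reads the token from an implicit grant redirect. The endpoint URL, client credentials, redirect URI and function names are constructed for illustration; the parameter names follow RFC 6749.

```python
import base64
import hmac
from urllib.parse import parse_qs, quote_plus, urlencode, urlsplit

# Constructed placeholder; not an endpoint named on this page.
TOKEN_ENDPOINT = "https://as.example.com/oauth2/token"


def client_credentials_request(client_id, client_secret, scope):
    """Build (without sending) the token endpoint POST for the client credentials grant."""
    # RFC 6749 section 2.3.1: form-urlencode id and secret before Basic encoding.
    userpass = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return {
        "method": "POST",
        "url": TOKEN_ENDPOINT,
        "headers": {
            "Authorization": "Basic " + base64.b64encode(userpass.encode()).decode(),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({"grant_type": "client_credentials", "scope": scope}),
    }


def parse_implicit_redirect(redirect_uri, expected_state):
    """Read the access token from the fragment of an authorization endpoint redirect."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(redirect_uri).fragment).items()}
    if "error" in params:
        raise ValueError("authorization error: " + params["error"])
    # state binds the response to the request this client started.
    if not hmac.compare_digest(params.get("state", "").encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if params.get("token_type", "").lower() != "bearer" or "access_token" not in params:
        raise ValueError("no bearer access token in response")
    return {"access_token": params["access_token"],
            "expires_in": int(params.get("expires_in", 0))}


if __name__ == "__main__":
    # Constructed sample values.
    print(client_credentials_request("my client", "s3cr3t/+", "read"))
    print(parse_implicit_redirect(
        "https://client.example.com/cb#access_token=constructed-token-123"
        "&state=af0ifjsldkj&token_type=Bearer&expires_in=3600", "af0ifjsldkj"))
```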