I have got a React application and also a backend API server which are hosted separately. I use Cognito for authentication. When the user signs in, I receive 3 tokens: ID token, access token and refresh token.

I have read that id token is used for authentication while access token is used for authorisation.

I am a bit confused about which token (ID token or access token) I should use when making API requests to the API server.

girish

Please see [this](https://stackoverflow.com/questions/48543948/aws-cognito-whats-the-difference-between-access-and-identity-tokens) also – Sabir Khan Mar 25 '19 at 13:34

1 Answer

You should use the access token. It is for authorization. When you check if a user has rights to access a resource, that is authorization.

Authentication checks the user identity, so it gives you the answer to the question: Is this really that user?

These terms should sink in, so read it here once more: Authentication versus Authorization

Sabir Khan
andrija
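
An added example, not part of the answer above: how an API server might verify a Cognito-style JWT and accept only access tokens, using the `token_use` and `client_id` claims that Cognito puts in them. The issuer, app client ID, helper names and the locally generated key pair (standing in for the user pool's JWKS public key) are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed stand-ins: a real server loads the pool's public keys from its JWKS endpoint.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const ISSUER = 'https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE'; // placeholder pool
const CLIENT_ID = 'example-app-client-id'; // placeholder app client

const b64url = (v) => Buffer.from(v).toString('base64url');
const decode = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Sample-data helper only: signs constructed claims with RS256, as the user pool would.
function mintToken(claims, key = privateKey) {
  const head = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(claims));
  const sig = crypto.sign('RSA-SHA256', Buffer.from(`${head}.${body}`), key);
  return `${head}.${body}.${sig.toString('base64url')}`;
}

// Returns the claims if the token is a valid access token, otherwise throws.
function verifyAccessToken(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [head, body, sig] = parts;
  // Pin the algorithm instead of trusting whatever the header asks for.
  if (decode(head).alg !== 'RS256') throw new Error('unexpected alg');
  const signed = Buffer.from(`${head}.${body}`);
  if (!crypto.verify('RSA-SHA256', signed, publicKey, Buffer.from(sig, 'base64url'))) {
    throw new Error('bad signature');
  }
  const claims = decode(body);
  if (claims.iss !== ISSUER) throw new Error('wrong issuer');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  // ID tokens carry token_use "id" and an aud claim; access tokens carry
  // token_use "access" and client_id. Only the latter authorizes API calls.
  if (claims.token_use !== 'access') throw new Error('not an access token');
  if (claims.client_id !== CLIENT_ID) throw new Error('wrong app client');
  return claims;
}

// Convenience wrapper: null when accepted, otherwise the rejection reason.
function rejectionReason(token, now) {
  try { verifyAccessToken(token, now); return null; } catch (e) { return e.message; }
}
```

The React client would send the access token in the `Authorization` header, and the server would run a check like this before any per-resource permission logic.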