Subscribe to the Non-Human & AI Identity Journal

Token Capture

The theft of an authentication token after a successful login or approval event. Unlike password theft, token capture lets an attacker reuse an already issued credential, which can preserve access until the token is revoked or expires.

Expanded Definition

Token capture is the post-authentication theft of a live credential such as an OAuth access token, session cookie, bearer token, or refresh token. In NHI operations, it matters because the attacker does not need to defeat the original login flow again; the stolen token can be replayed until it expires, is bound to context, or is revoked. That makes token capture distinct from password theft, and often more urgent than a simple credential reset.

Definitions vary across vendors on whether refresh-token theft, session hijacking, and bearer-token replay should be grouped under one label, but the security outcome is the same: an issued identity artifact is used outside its intended context. NIST Cybersecurity Framework 2.0 frames this under identity and access governance, especially when valid credentials are misused after issuance, and the distinction between authentication and authorization becomes operationally important. For NHI teams, token capture is usually tied to poor token lifetime design, weak device binding, excessive scopes, or failure to revoke on anomaly. The most common misapplication is treating a captured token as if it were a password problem, which occurs when responders rotate the user secret but leave active sessions and downstream grants untouched.

Examples and Use Cases

Implementing token controls rigorously often introduces friction between session continuity and rapid containment, requiring organisations to weigh user experience against the cost of shorter token lifetimes and stronger revocation logic.

  • An oauth token is stolen from a collaboration thread and replayed against SaaS APIs, similar to patterns described in the Salesloft OAuth token breach.
  • A refresh token leaked in CI/CD logs allows an attacker to mint new access tokens long after the original login, a scenario frequently discussed in the Guide to the Secret Sprawl Challenge.
  • A browser session cookie is captured from an unmanaged device, then reused to bypass MFA prompts and enter an admin console.
  • A service token copied into a ticketing system is harvested from a shared workspace, echoing the exposure patterns behind the Internet Archive breach.
  • An AI agent uses a short-lived token to call a tool, but the token is intercepted before expiry because it was logged in plaintext during debugging.

Token capture is often easier when tokens are broad in scope, reusable across services, or stored outside controlled vaults. The NIST Cybersecurity Framework 2.0 reinforces why identity event monitoring and rapid containment must be paired with token lifecycle controls rather than added later as an afterthought.

Why It Matters in NHI Security

Token capture is one of the fastest paths from a single exposed artifact to broad NHI compromise. Unlike password theft, it frequently bypasses initial authentication protections, makes detection harder, and can persist until the token naturally expires or is explicitly revoked. That is why token hygiene is central to NHI governance, especially for agentic systems, automation pipelines, and SaaS integrations that issue long-lived bearer tokens or refresh tokens.

The risk is not theoretical. NHIMG research shows that 44% of NHI tokens are exposed in the wild, being sent or stored in platforms like Teams, Jira tickets, Confluence pages, and code commits, which makes replay attacks far easier once an attacker finds a valid artifact. In practice, organisations need revocation workflows, scope minimisation, device or workload binding, and logging that can distinguish legitimate token use from replay. The broader lesson is that a token is not just a secret; it is a portable identity event.

Organisations typically encounter the consequences only after an investigation reveals that a valid session or API call originated from an untrusted host, at which point token capture becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-02 Token exposure and reuse map directly to improper secret and token management risks.
NIST CSF 2.0 PR.AA Identity verification and access lifecycle controls address post-login token misuse.
NIST Zero Trust (SP 800-207) PL-5 Zero trust requires continuous validation because captured tokens can bypass initial authentication.
NIST SP 800-63 AAL2 Assurance levels help define when token-based sessions need stronger replay resistance.
OWASP Agentic AI Top 10 LLM-06 Agentic systems are vulnerable when tool-access tokens are exposed or replayed.

Inventory tokens, shorten lifetimes, and revoke exposed credentials immediately when misuse is suspected.