An access model where the API evaluates signed or otherwise trusted token content before granting access. It works well only when the token carries accurate, minimal, and well-governed claims, because the token becomes the primary representation of trust at runtime.
Expanded Definition
Token-based authorisation is a runtime access pattern in which the API trusts the claims carried inside a signed token, then decides whether to allow an action without repeatedly querying a human approval path. In NHI environments, that token often represents a service account, workload, or agent identity.
The model is efficient, but it is only as reliable as the token’s contents and governance. Scope, audience, issuer, expiry, and subject claims must remain minimal and accurate, because every extra claim expands the blast radius if the token is exposed or over-privileged. That is why token-based authorisation is usually discussed alongside least privilege, token rotation, and policy enforcement under NIST Cybersecurity Framework 2.0 and zero trust design.
Definitions vary across vendors when tokens are treated as authentication artefacts, session containers, or both, so teams should separate proof of identity from authorisation decisions. The most common misapplication is treating a bearer token as a permanent access grant, which occurs when long-lived tokens are reused across environments and never revalidated after role changes.
Examples and Use Cases
Implementing token-based authorisation rigorously often introduces lifecycle and revocation overhead, requiring organisations to weigh API performance against the cost of tighter controls.
- A cloud workload presents a short-lived access token to fetch secrets from a vault, and the vault authorises based on issuer, audience, and scope rather than on static network location.
- An AI agent calls internal tools with a delegated token that permits only one project and one action class, reducing the damage if the agent is redirected or compromised.
- A CI/CD runner uses a federated token for deployment, but the policy engine rejects requests once the token leaves its intended repository and environment boundary. This pattern helps explain failures seen in incidents such as the Salesloft OAuth token breach.
- A customer-facing API validates a bearer token and then maps its claims to RBAC roles, which is useful when the token is issued by a trusted identity broker and kept short-lived.
- Token exchange is used to downscope a broad service credential into a narrower, task-specific token before an agent can perform write operations.
For implementation guidance, many teams pair these patterns with NIST Cybersecurity Framework 2.0 and review token handling practices against incident patterns documented in the Guide to the Secret Sprawl Challenge.
Why It Matters in NHI Security
Token-based authorisation becomes a security issue when organisations assume the token itself proves ongoing legitimacy. In reality, tokens are often copied into tickets, logs, chat threads, build artifacts, or endpoint caches, and then reused long after the original context has changed. NHIMG research shows that 44% of NHI tokens are exposed in the wild, and 91% of former employee tokens remain active after offboarding, which turns a convenience mechanism into a persistent access path.
That risk is amplified in agentic systems, where an agent may hold a token with tool access, data access, or deployment rights. If scope is too broad, the agent can become an efficient attacker path rather than a controlled operator. This is why token governance should include expiry, audience binding, rotation, revocation, and post-issuance policy checks, not just secure storage. It also helps explain why breaches involving exposed secrets, such as the Dropbox Sign breach and the JetBrains GitHub plugin token exposure, are so operationally disruptive.
The practical lesson is simple: once a token is stolen or over-scoped, access becomes difficult to distinguish from legitimate automation. Organisations typically encounter unauthorized API activity only after an exposed token is replayed, at which point token-based authorisation becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Covers token exposure, scope control, and lifecycle governance for NHI access. |
| NIST Zero Trust (SP 800-207) | AC-4 | Zero trust requires policy-based authorization for every token-presented request. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access control applies directly to token claims and delegated rights. |
Minimise token scope, enforce expiry, and revoke exposed NHI tokens immediately.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on May 29, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
