https://blog.vitalvas.com/tags/oauth2/Recent content in Oauth2 on Blog NotesHugoen_USTue, 23 Jun 2026 14:27:15 -0400https://blog.vitalvas.com/post/2026/06/23/jwt-vs-opaque-access-tokens/Tue, 23 Jun 2026 14:27:15 -0400https://blog.vitalvas.com/post/2026/06/23/jwt-vs-opaque-access-tokens/<p>When you issue access tokens for an API, you face an early architectural decision: should the token carry its own meaning, or should it just be a reference? A JWT (JSON Web Token) is self-contained, it packs claims and a signature into the string itself. An opaque token is a random, meaningless identifier that points to state stored on the server. Both are valid OAuth 2.0 access token formats, and the choice shapes how validation, revocation, and scaling work for the rest of the system. This article compares the two approaches and the trade-offs that should drive the decision.</p>