What Is an OAuth Token? Delegated Access Explained
An OAuth token is a credential issued through the OAuth flow that grants a client scoped, time-limited access to an API on behalf of a user or application without sharing a password.
OAuth lets an app act on behalf of a user or itself without handing over raw credentials. The result is an access token that carries specific scopes and an expiry. Pipelines use OAuth tokens to authenticate to APIs they deploy with, and token problems are a frequent source of 401 failures.
Delegated, scoped access
Instead of sharing a password, OAuth issues a token that grants only the permissions, called scopes, that were requested. The token represents that limited authority to the API.
Access and refresh tokens
- Access tokens are short-lived and sent with each request.
- Refresh tokens obtain new access tokens without re-login.
- Scopes limit what the token is permitted to do.
How it is sent
An OAuth access token is usually presented as a bearer token in the Authorization header. The API validates it and checks its scopes before allowing the call.
OAuth tokens in CI/CD
A pipeline stores a token as a secret and uses it to call deploy and platform APIs. Short-lived tokens minted per run are safer than long-lived ones that linger in secrets.
Why calls fail with 401 or 403
An expired token returns 401, and a token lacking the needed scope returns 403. Both are deterministic auth problems, not network blips, so the fix is a fresh or better-scoped token.
Transient versus auth failures
A dropped connection while presenting a valid token is transient and retryable; a 401 is not. Latchkey runners retry transient transport failures to common endpoints while surfacing genuine auth errors so you renew the token.
Key takeaways
- An OAuth token grants scoped, time-limited access without sharing a password.
- Access tokens are short-lived and sent as bearer tokens; refresh tokens renew them.
- A 401 or 403 is a deterministic auth problem, not a retryable blip.