> ## Documentation Index
> Fetch the complete documentation index at: https://auth0.com/llms.txt
> Use this file to discover all available pages before exploring further.

> Describes how to use Access Tokens to call APIs.

# Use Access Tokens

<Tooltip tip="Access Token: Authorization credential, in the form of an opaque string or JWT, used to access an API." cta="View Glossary" href="/docs/glossary?term=Access+tokens">Access tokens</Tooltip> are used in token-based authentication to allow an application to access an API. For example, a Calendar application needs access to a Calendar API in the cloud so that it can read the user's scheduled events and create new events.

Once an application has received an access token, it will include that token as a credential when making API requests. To do so, it should transmit the access token to the API as a **Bearer** credential in an HTTP **Authorization** header.

For example:

```http lines theme={null}
GET /calendar/v1/events
    Host​: api.example.com
    
    Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2V4YW1wbGUuYXV0aDAuY29tLyIsImF1ZCI6Imh0dHBzOi8vYXBpLmV4YW1wbGUuY29tL2NhbGFuZGFyL3YxLyIsInN1YiI6InVzcl8xMjMiLCJpYXQiOjE0NTg3ODU3OTYsImV4cCI6MTQ1ODg3MjE5Nn0.CA7eaHjIHz5NxeIJoFK9krqaeZrPLwmMmgI_XiQiIkQ
```

In this example, the Access Token is a <Tooltip tip="JSON Web Token (JWT): Standard ID Token format (and often Access Token format) used to represent claims securely between two parties." cta="View Glossary" href="/docs/glossary?term=JWT">JWT</Tooltip> that decodes to the following claims:

```json lines theme={null}
{
      "alg": "RS256",
      "typ": "JWT"
    }
    .
    {
      "iss": "https://example.auth0.com/",
      "aud": "https://api.example.com/calendar/v1/",
      "sub": "usr_123",
      "scope": "read write",
      "iat": 1458785796,
      "exp": 1458872196
    }
```

Before permitting access to the API using this token, the API must [validate the access token](/docs/secure/tokens/access-tokens/validate-access-tokens).

Once the Access Token has been successfully validated, the API can be sure that:

* The token was issued by Auth0.
* The token was issued to an application being used by a user with an identifier of `usr_123`.
* The user granted the application access to read from and write to their calendar.

The API can now process the request, allowing the application to read from and write to user `usr_123`'s calendar.

## Learn more

* [Get Access Tokens](/docs/secure/tokens/access-tokens/get-access-tokens)
* [Validate Access Tokens](/docs/secure/tokens/access-tokens/validate-access-tokens)
* [Identity Provider Access Tokens](/docs/secure/tokens/access-tokens/identity-provider-access-tokens)
* [Management API Access Tokens](/docs/secure/tokens/access-tokens/management-api-access-tokens)
* [JSON Web Tokens](/docs/secure/tokens/json-web-tokens)
* [Token Best Practices](/docs/secure/tokens/token-best-practices)