---
descriptions:
  access_token:
    permissions: >-
      The slugs of the permissions assigned on the [organization
      membership](/reference/authkit/organization-membership) via the role.
    entitlements: >
      The lookup keys of the Stripe entitlements available to the user’s
      [Organization](/reference/organization).
    role: >-
      Corresponds to the role on the [organization
      membership](/reference/authkit/organization-membership). If multiple roles
      are assigned to the user, this will be the highest priority role based on
      the order defined in the [priority
      order](/rbac/configuration/configure-roles/priority-order).
    roles: >-
      An array of all roles assigned to the user via the [organization
      membership](/reference/authkit/organization-membership).
    session_id: >-
      The session ID. You would use this with the [logout
      endpoint](/reference/authkit/logout).
reference:
  json:
    - key: access_token
      id: access_token
      url: /reference/authkit/session-tokens/access-token
      title: Access Token JWT
      properties:
        - key: iss
          type: string
          description: >
            The issuer of the JWT. This will be your custom WorkOS auth domain
            if set.
        - key: sub
          type: string
          description: (user.id)
        - key: act
          type: object
          description: >
            An [RFC
            8693](https://www.rfc-editor.org/rfc/rfc8693#name-act-actor-claim)
            compatible claim present when the session was started using
            [impersonation](/authkit/impersonation).

            The nested `sub` claim contains the email address of the WorkOS
            Dashboard user impersonating the user.
          optional: true
        - key: org_id
          type: string
          description: (authentication.organization_id)
        - key: role
          type: string
          description: (access_token.role)
        - key: roles
          type: array
          description: (access_token.roles)
        - key: permissions
          type: 'string[]'
          description: (access_token.permissions)
          optional: true
        - key: entitlements
          type: 'string[]'
          description: (access_token.entitlements)
          optional: true
        - key: sid
          type: string
          description: (access_token.session_id)
        - key: jti
          type: string
          description: A unique identifier for this access token.
        - key: exp
          type: DateTime
          description: >-
            The token should not be trusted after this time. The timestamp is
            the number of seconds since epoch.
        - key: iat
          type: DateTime
          description: >-
            The token was issued at this time. The timestamp is the number of
            seconds since epoch.
originalPath: >-
  .tmp-workos-clone/packages/docs/content/reference/authkit/session-tokens/access-token.mdx
---

## Access token

The access token returned in successful authentication responses is a JWT that can be used to verify that a user has an active session. The JWT is signed with a key from a JWKS, which can be retrieved from the [WorkOS API](/reference/authkit/session-tokens/jwks).

<CodeBlock
  title="Decoded access token"
  referenceId="access_token"
  file="access-token"
/>
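
The following is an added example, not WorkOS code: it verifies an access token's signature against a JWKS with Node's built-in `crypto`, checks `iss` and `exp`, then makes an authorization decision from `org_id`, `permissions` and `act`. The RS256 algorithm, the key ID, the issuer URL, the helper names and every sample value are assumptions constructed for the example; in a real service the JWKS comes from the WorkOS JWKS endpoint.

```javascript
const crypto = require('node:crypto');

const b64u = (v) => Buffer.from(v).toString('base64url');
const decode = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));

// Verify signature, issuer and expiry; returns the claims or throws.
function verifyAccessToken(token, jwks, { issuer, now = Math.floor(Date.now() / 1000) }) {
  const [h, p, s, extra] = token.split('.');
  if (!h || !p || !s || extra !== undefined) throw new Error('malformed token');
  const header = decode(h);
  // Pin the algorithm (assumed RS256 here); never accept what the header asks for.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === 'RSA');
  if (!jwk) throw new Error('unknown kid');
  const key = crypto.createPublicKey({ key: { kty: jwk.kty, n: jwk.n, e: jwk.e }, format: 'jwk' });
  const signed = Buffer.from(`${h}.${p}`);
  if (!crypto.verify('RSA-SHA256', signed, key, Buffer.from(s, 'base64url'))) {
    throw new Error('bad signature');
  }
  const claims = decode(p);
  if (claims.iss !== issuer) throw new Error('unexpected iss');
  if (typeof claims.exp !== 'number' || now >= claims.exp) throw new Error('expired');
  return claims;
}

// Authorization from verified claims; `act` marks an impersonated session.
function authorize(claims, { orgId, permission }) {
  if (claims.org_id !== orgId) return { allowed: false, reason: 'wrong org' };
  if (!(claims.permissions || []).includes(permission)) {
    return { allowed: false, reason: 'missing permission' };
  }
  return { allowed: true, impersonatedBy: claims.act ? claims.act.sub : null };
}

// Constructed fixtures: throwaway key pair, JWKS and claims (not real WorkOS values).
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const SAMPLE_JWKS = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'sample-key-1' }] };
const SAMPLE_NOW = 1700000000;
const SAMPLE_CLAIMS = {
  iss: 'https://auth.example.test', sub: 'user_sample', org_id: 'org_sample',
  role: 'admin', roles: ['admin'], permissions: ['reports:read'], sid: 'session_sample',
  jti: 'jti_sample', iat: SAMPLE_NOW, exp: SAMPLE_NOW + 300,
  act: { sub: 'admin@example.test' },
};
function signSample(claims, header = { alg: 'RS256', kid: 'sample-key-1' }) {
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${crypto.sign('RSA-SHA256', Buffer.from(input), privateKey).toString('base64url')}`;
}
```

Because `permissions` and `entitlements` are optional claims, `authorize` treats a missing `permissions` array as empty rather than failing open.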
