Salesforce Certified Identity and Access Management Practice Exam 2025 – All-in-One Guide to Exam Success!

The two primary types of tokens used in OAuth for access management are refresh tokens and access tokens.

Access tokens are utilized to grant access to the requested resources after successful authentication and authorization. These tokens allow clients to make requests to the server on behalf of the user, facilitating interaction with various APIs securely. They are typically short-lived to minimize security risks associated with token theft.

Refresh tokens serve a complementary role by allowing clients to obtain new access tokens without requiring the user to reauthenticate. When an access token expires, a refresh token can be presented to the authorization server to receive a new access token, thereby maintaining a seamless user experience.

This mechanism ensures that user sessions remain active and secure, providing a balance between security and usability. In contrast, the other options mention different types of tokens that do not play as central a role in the OAuth framework or are not tokens defined within OAuth specifications.