Access Token
A major risk of leaking an access token like a JWT (JSON Web Token) is session hijacking—where an attacker, upon obtaining the token, can impersonate the legitimate user and gain unauthorized access to protected resources.
Why is this bad?
- No built-in revocation – Unlike session-based authentication, a stolen JWT remains valid until it expires unless extra mechanisms (e.g., blacklists) are in place.
- Privilege escalation – If the token includes admin privileges, the attacker can cause serious damage.
- API abuse – Attackers can use the token to send malicious requests, access sensitive data, or perform actions on behalf of the victim.
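The first bullet is the one that usually surprises people: a bearer token is self-contained, so the server has nothing to "log out" unless it keeps its own state. The verifier below is an added example (not from the original page) that checks the HS256 signature, the `exp` claim, and a denylist keyed on the token's `jti` claim, which is what turns "valid until it expires" into "valid until expiry or revocation"; the signing key, claim values and in-memory denylist are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"constructed-demo-signing-key"  # constructed value for this example only

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT; the 'exp' and unique 'jti' claims are what make it revocable later."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

# Denylist of revoked token ids (jti). In production this is a shared store
# (e.g. Redis); an entry only needs to live until that token's own 'exp' has passed.
REVOKED_JTIS: set = set()

def revoke(jti: str) -> None:
    REVOKED_JTIS.add(jti)

def verify_token(token: str, now: int, secret: bytes = SECRET) -> Optional[dict]:
    """Return the claims if the token is authentic, unexpired and not revoked; else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":      # refuse 'none' or any unexpected algorithm
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None                        # tampered payload or forged signature
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:                         # bad base64 or bad JSON
        return None
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None                            # expired, or no expiry at all
    if claims.get("jti") in REVOKED_JTIS:
        return None                            # revoked before its natural expiry
    return claims
```

Without the `jti` lookup, a leaked token would pass every other check until `exp`, which is exactly the window the attacker exploits.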