Access Token

A major risk of leaking an access token like a JWT (JSON Web Token) is session hijacking—where an attacker, upon obtaining the token, can impersonate the legitimate user and gain unauthorized access to protected resources.

Why is this bad?

• No built-in revocation – Unlike session-based authentication, a stolen JWT remains valid until it expires unless extra mechanisms (e.g., blacklists) are in place.
• Privilege escalation – If the token includes admin privileges, the attacker can cause serious damage.
• API abuse – Attackers can use the token to send malicious requests, access sensitive data, or perform actions on behalf of the victim.