An OAuth 2 access token is like a hotel-room key card.


It gives access, all by itself without further checking, to a particular resource (in this case, room 238 at the Omni Interlocken in Denver.) Check.

It’s issued to a particular person, who has to be authenticated first (like by showing my driver’s license at the check-in.) Check.

Nothing on the outside tells you who it’s been issued to or what it’s for. Check.

It’s not obscured or encrypted, so you have to take good care of it (if a bad guy got it and knew what it was for, he could get into my hotel room and rob me blind.) Check.

You can give it to someone else and have them access the resource for you (like giving a colleague the card and asking them to go up to your room and get the VGA dongle that you stupidly left on the desk.) Check.

If you lose it, you can go back to the issuer and get another one which is functionally identical (somehow it wasn’t there when you got back from the bar, but the front desk can get you another, assuming you have your wallet and ID.) Check.

It expires after a while. (I gave it back to the front desk when I left because I knew it wouldn’t be useful any more.) Check.
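The properties listed above, as an added sketch in Python that is not code from the original post. The `FrontDesk` class, its method names, the in-memory table and the one-hour lifetime are assumptions made for illustration; OAuth 2 does not fix a token format, and this sketch uses a random opaque string looked up on the server side.

```python
import secrets
import time

class FrontDesk:
    """Toy token issuer and resource check (constructed for illustration)."""

    def __init__(self, lifetime_s=3600, clock=time.time):
        self._clock = clock
        self._lifetime_s = lifetime_s
        self._grants = {}  # token -> (subject, resource, expires_at)

    def issue(self, subject, credential_ok, resource):
        # Authentication happens once, at issuance (the ID shown at check-in).
        if not credential_ok:
            raise PermissionError("authentication failed")
        token = secrets.token_urlsafe(32)  # opaque: encodes neither subject nor resource
        self._grants[token] = (subject, resource, self._clock() + self._lifetime_s)
        return token

    def check(self, token, resource):
        # Bearer semantics: only the token is examined, never who presents it,
        # which is why it can be handed to a colleague and must be kept safe.
        grant = self._grants.get(token)
        if grant is None:
            return False
        _subject, granted, expires_at = grant
        if self._clock() >= expires_at:
            del self._grants[token]
            return False
        return granted == resource

    def revoke(self, token):
        return self._grants.pop(token, None) is not None


def demo():
    now = [1_000_000.0]  # constructed clock so expiry can be shown without waiting
    desk = FrontDesk(lifetime_s=3600, clock=lambda: now[0])
    card = desk.issue("tim", True, "room-238")
    results = {"holder": desk.check(card, "room-238"),
               "wrong_room": desk.check(card, "room-239")}
    # Lost card: authenticate again and get a functionally identical one.
    replacement = desk.issue("tim", True, "room-238")
    results["replacement"] = desk.check(replacement, "room-238")
    results["different_values"] = card != replacement
    desk.revoke(card)  # the issuer can cancel the lost card
    results["revoked"] = desk.check(card, "room-238")
    now[0] += 3601  # move past the lifetime
    results["expired"] = desk.check(replacement, "room-238")
    return results
```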



From: Ed Davies (May 24 2013, at 09:17)

Would comparison of the ways in which the tokens/keys are cancelled be fruitful?


From: Tim (May 24 2013, at 09:48)

Ed: You can revoke OAuth access tokens either interactively or programmatically, for example see

I actually don’t know how that works with hotel-room keys.


From: Josh Brown (May 24 2013, at 17:35)

The obvious conclusion, then, is an OAuth2 based hotel key. With NFC, of course.


From: Peter Phillips (May 31 2013, at 09:58)

The analogy is helpful, but I don't understand this correspondence:

"Nothing on the outside tells you who it’s been issued to or what it’s for. Check."

But the OAuth2 token is not encrypted. If I had a token, I could easily read the 'audience' field and (probably) know where I could use it.

If you gave me a hotel key without room/hotel information, it would be a lot harder to use. (Assuming the hotel name isn't encoded on the magnetic strip).

Or am I missing something?



May 24, 2013