Token-Based Identity Authentication: Scenarios, Types, and Hierarchical Design
This article analyzes various client scenarios in multi‑client systems, classifies authentication tokens into password, session, and interface categories, compares their natural and controllable attributes, and proposes a layered token hierarchy to improve security, privacy, and usability across web, mobile, and API platforms.
Overview
In information systems with account management, identity verification is crucial. The rise of mobile internet introduces multiple client types, leading to a “one server, N clients” architecture in which each client type has its own security threats, session lifecycle, permission model, and interface call patterns.
Usage Scenarios
Typical scenarios include web browser login, Android/iOS app login, API‑based login, PC‑to‑mobile QR‑code authorization, and mobile‑to‑PC QR‑code login.
Token Categories
Tokens are grouped into three main families:
1. Account‑Password Tokens
   - Username/password
   - API app_id/app_key
2. Session Tokens
   - Browser token
   - Mobile token
   - API application token
3. Interface Call Tokens
   - API access token
   - Authorization token
   - Cross‑platform PC‑mobile token
Token Comparison
Tokens are evaluated on natural attributes (usage cost, change cost) and controllable attributes (usage frequency, validity period). Security goals focus on minimizing exposure and limiting impact if a token is compromised.
Token Hierarchy
Four layers are defined: password layer, session layer, invocation layer, and application layer. The flow proceeds from user credential authentication → generation of client‑specific session tokens → exchange for short‑lived access tokens → optional generation of QR‑code tokens for cross‑device authorization.
Key Token Types
Account‑Password
Traditional username/password pairs and API app_id/app_key pairs; they are rarely changed, so the impact is high if they leak.
Client Session Token
Acts as a session, with differing lifetimes on web (short, higher exposure) and mobile (longer, lower exposure).
Access Token
Used for API calls, derived from a long‑lived session token, short lifespan to reduce risk.
pam_token & map_token
Special QR‑code based tokens for PC‑mobile mutual authentication, with very short lifetimes and rapid invalidation.
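The layered flow described above (password layer → client session token → short‑lived access token → single‑use QR‑code token for PC‑mobile authorization) can be put into working form. The following is an added example written for this article, not code from the original author; the in‑memory token store, the class and method names, the PBKDF2 password check, and the concrete lifetimes (2 h for web sessions, 30 days for mobile sessions, 15 min for access tokens, 60 s for QR tokens) are assumptions, since the article only states the relative durations. An injectable clock is used so that expiry can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed lifetimes in seconds. The article only says web sessions are shorter than
# mobile ones, access tokens short-lived and QR tokens very short-lived.
SESSION_TTL = {"web": 2 * 3600, "mobile": 30 * 24 * 3600}
ACCESS_TTL = 15 * 60
QR_TTL = 60


@dataclass
class TokenRecord:
    layer: str               # "session", "access" or "qr"
    subject: Optional[str]   # user the token speaks for (None for an unapproved QR token)
    client: str              # "web", "mobile" or "pc-qr"
    expires_at: float
    parent: Optional[str] = None   # session token an access token was derived from


class TokenServer:
    """Server side of the four-layer hierarchy (hypothetical in-memory implementation)."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self.users: dict[str, tuple[bytes, bytes]] = {}   # password layer: name -> (salt, hash)
        self.tokens: dict[str, TokenRecord] = {}          # session, access and QR layers

    # ---- password layer: rarely changed, high impact if leaked, so never stored in clear
    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, self._kdf(password, salt))

    @staticmethod
    def _kdf(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _check_password(self, username: str, password: str) -> bool:
        if username not in self.users:
            return False
        salt, stored = self.users[username]
        return hmac.compare_digest(stored, self._kdf(password, salt))

    # ---- shared helpers
    def _issue(self, layer, subject, client, ttl, parent=None) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[token] = TokenRecord(layer, subject, client, self.clock() + ttl, parent)
        return token

    def _live(self, token: str, layer: str) -> Optional[TokenRecord]:
        rec = self.tokens.get(token)
        if rec is None or rec.layer != layer or rec.expires_at <= self.clock():
            return None
        if rec.parent is not None and self._live(rec.parent, "session") is None:
            return None   # a derived token dies with the session it came from
        return rec

    # ---- session layer: lifetime depends on the client type
    def login(self, username: str, password: str, client: str) -> Optional[str]:
        if client not in SESSION_TTL or not self._check_password(username, password):
            return None
        return self._issue("session", username, client, SESSION_TTL[client])

    def revoke_session(self, session_token: str) -> None:
        self.tokens.pop(session_token, None)   # children fail _live's parent check

    # ---- invocation layer: short-lived access token exchanged from a session token
    def issue_access_token(self, session_token: str) -> Optional[str]:
        sess = self._live(session_token, "session")
        if sess is None:
            return None
        return self._issue("access", sess.subject, sess.client, ACCESS_TTL, parent=session_token)

    def authenticate_call(self, access_token: str) -> Optional[str]:
        rec = self._live(access_token, "access")
        return rec.subject if rec else None

    # ---- application layer: PC-to-mobile QR-code authorization
    def start_qr_login(self) -> str:
        # The PC browser displays this value as a QR code; it speaks for nobody yet.
        return self._issue("qr", None, "pc-qr", QR_TTL)

    def approve_qr(self, qr_token: str, mobile_session_token: str) -> bool:
        # A logged-in mobile client scans the code and binds its identity to it, once.
        rec = self._live(qr_token, "qr")
        sess = self._live(mobile_session_token, "session")
        if rec is None or rec.subject is not None or sess is None or sess.client != "mobile":
            return False
        rec.subject = sess.subject
        return True

    def redeem_qr(self, qr_token: str) -> Optional[str]:
        # The PC polls; an approved code is consumed immediately and yields a web session.
        rec = self._live(qr_token, "qr")
        if rec is None or rec.subject is None:
            return None
        del self.tokens[qr_token]   # rapid invalidation: single use
        return self._issue("session", rec.subject, "web", SESSION_TTL["web"])
```

The parent link is what makes the hierarchy useful operationally: revoking one session invalidates every access token derived from it without a separate lookup, while an access token leaked from a log line is only good for `ACCESS_TTL` and never exposes the session or the password behind it.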
Conclusion and Outlook
The proposed token‑based authentication framework addresses token classification, privacy parameter settings, usage scenarios, and hierarchical conversion across lifecycles. It can be applied to user login, time‑limited coupons, invitation codes, QR‑code authorizations, OTP verification, multi‑platform API access, and unified identity centers.
IT Architects Alliance