
Token-Based Identity Authentication System: Classification, Scenarios, and Hierarchical Design

This article analyzes token-based identity authentication in multi‑client information systems, classifies various token types, compares their natural and controllable attributes, proposes a four‑layer hierarchy, and discusses practical usage scenarios and design principles to improve security and privacy.

Architecture Digest

In any information system built on user accounts, identity verification is fundamental. With the rise of the mobile internet, a pattern of one server serving many kinds of client has emerged, and with it a diversity of client environments, session lifecycles, permission models, and interface call methods that a single credential type cannot serve well.

The article outlines common usage scenarios such as web browser login, Android/iOS login, API login, QR‑code based PC‑to‑mobile and mobile‑to‑PC authorizations, and derives several token categories: raw username/password, API app_id/app_key, session tokens (browser, mobile, API), interface call tokens, and cross‑platform authorization tokens.

Tokens are compared across natural attributes (usage cost, change cost, environmental risk), which are fixed by the client and the environment it runs in, and controllable attributes (usage frequency, validity period), which the designer sets. The goal is security with bounded impact: a high-value token should be exposed as rarely as possible, and any token that is exposed often should live only briefly, so that interception of one token compromises as little as possible for as short a time as possible.

A four-layer hierarchy is proposed: password layer (traditional credentials), session layer (client-specific session tokens), call layer (access_token for API calls), and application layer (higher-level authorization scenarios such as QR-code hand-offs). Each layer's token is derived from the one below it, so the password is presented rarely and the frequently used tokens are the short-lived ones. The hierarchy is shown in the article's diagrams.

Sub‑sections detail each token type:

Account/Password : traditional username/password and app_id/app_key. These are high-value, rarely rotated, and have the most severe impact if leaked, so they should be presented as seldom as possible and exchanged for lower-value tokens immediately.

Client Session Token : acts as a session, with different lifecycles for web (short) and mobile (long) clients, influenced by environment security and input convenience.

access_token : credential for server-side API access, obtained from the long-lived session token rather than from the password. It is the token transmitted most often, so it is designed to have a short lifespan to limit damage if intercepted; when it expires the client mints a new one from its session token without re-entering the password.

pam_token : QR-code string generated by an already authenticated PC and scanned by a mobile device, which exchanges it for a refresh_token (mobile session token) and then an access_token. Because a displayed QR code can be photographed, the token has a short 2-minute lifespan and should be accepted only once.

map_token : generated by a logged‑in mobile app to authenticate a PC, linking mobile and web tokens; also short‑lived.
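To make the layering concrete, here is an added example (my own code, not the article's) of a minimal in-memory token service implementing three of the four layers: password -> client-specific session token -> short-lived access_token, plus the pam_token QR hand-off from an authenticated PC to a mobile client. The article fixes only the pam_token lifetime (2 minutes); the web, mobile and access_token lifetimes, the token format, the scrypt password hashing and the store itself are my assumptions for illustration.

```python
"""Added example: a token hierarchy in the style the article proposes.
Lifetimes other than the 2-minute pam_token are illustrative assumptions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

LIFETIME = {  # seconds; only "pam" is taken from the article
    "session_web": 2 * 3600,           # short: browser environment, re-entering a password is easy
    "session_mobile": 30 * 24 * 3600,  # long: device-bound, typing a password is inconvenient
    "access": 10 * 60,                 # short: bounds the damage of an intercepted API credential
    "pam": 2 * 60,                     # QR-code string shown by an authenticated PC
}


@dataclass
class Token:
    kind: str
    user: str
    parent: Optional[str]  # token this one was derived from; None for session tokens
    expires: float
    used: bool = False     # pam_token is single-use
    revoked: bool = False


class TokenStore:
    """In-memory store; `now` is injectable so lifetimes can be tested."""

    def __init__(self, now=time.time):
        self.now = now
        self.tokens = {}
        self._users = {}  # password layer: user -> (salt, scrypt digest), never plaintext

    # --- password layer ---------------------------------------------------
    @staticmethod
    def _kdf(password, salt):
        return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._kdf(password, salt))

    def _check_password(self, user, password):
        rec = self._users.get(user)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, self._kdf(password, salt))

    # --- generic issue / validate -----------------------------------------
    def _issue(self, kind, user, parent=None):
        tok = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self.tokens[tok] = Token(kind, user, parent, self.now() + LIFETIME[kind])
        return tok

    def _lookup(self, tok, kind):
        t = self.tokens.get(tok)
        if t is None or t.kind != kind or t.revoked or t.expires <= self.now():
            return None
        # A derived token is only as alive as its parent: revoking a session
        # invalidates every access_token and pam_token minted from it.
        if t.parent is not None:
            p = self.tokens.get(t.parent)
            if p is None or self._lookup(t.parent, p.kind) is None:
                return None
        return t

    # --- session layer ----------------------------------------------------
    def login(self, user, password, client):
        """Exchange the password once for a client-specific session token."""
        if client not in ("web", "mobile") or not self._check_password(user, password):
            return None
        return self._issue("session_" + client, user)

    def revoke_session(self, session):
        t = self.tokens.get(session)
        if t is not None:
            t.revoked = True  # children fail through the parent check in _lookup

    # --- call layer -------------------------------------------------------
    def access_token(self, session):
        """Convert a session token (any client type) into a short-lived access_token."""
        t = self._lookup(session, "session_web") or self._lookup(session, "session_mobile")
        return None if t is None else self._issue("access", t.user, parent=session)

    def authorize_api(self, access):
        """What an API endpoint checks; returns the user or None."""
        t = self._lookup(access, "access")
        return None if t is None else t.user

    # --- application layer: PC authorizes mobile via QR code --------------
    def pam_token(self, pc_session):
        """Only an authenticated PC (web session) may mint the QR-code string."""
        t = self._lookup(pc_session, "session_web")
        return None if t is None else self._issue("pam", t.user, parent=pc_session)

    def redeem_pam(self, qr):
        """Mobile scans the QR code and receives a mobile session token plus an access_token."""
        t = self._lookup(qr, "pam")
        if t is None or t.used:
            return None
        t.used = True  # single-use: a photographed QR code cannot be replayed
        session = self._issue("session_mobile", t.user)  # not tied to the PC session's lifetime
        return session, self._issue("access", t.user, parent=session)
```

Two design choices are worth noting. The mobile session created by redeeming a pam_token has no parent, so it outlives both the 2-minute QR token and the PC session that displayed it; otherwise the phone would be logged out whenever the PC session ended. Access tokens, by contrast, always carry their session as parent, so a single revocation of a stolen session token also kills every access_token minted from it, which is the "limited impact" property the article is after.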

The design addresses token classification, privacy parameter settings, usage scenarios, and hierarchical conversion across lifecycles. It is applicable to various application‑layer contexts such as user login, time‑limited coupons, invitation codes, QR‑code authorizations, SMS/email verification codes, multi‑platform API usage, and unified identity authentication centers.

[Figures in the original article: token categories and the four-layer hierarchy]

Written by Architecture Digest

Focusing on Java backend development, covering application architecture from top-tier internet companies (high availability, high performance, high stability), big data, machine learning, Java architecture, and other popular fields.
