Credential used to access protected resources on behalf of a user. Typically short-lived and scoped to specific permissions. Core of OAuth 2.0 authorization.