What is the difference between Bearer Token & PAT Token?

Question

When we issue the below command, I see it is generating the Bearer Token.

az account get-access-token --resource https://graph.microsoft.com

And there is something called us Personal Access Token (PAT). I would like to understand the difference between these two tokens and also the maximum validity of both the token. Also when to choose which?

Answer 1

You can google for the differences and when you want to choose one vs the other as it can be complex. But a high level summary.

PAT is a personal access token. Normally a user requests this and the system generates a complex string value. That string value is then used to identify the user in requests. Think of it like a key to a lock. PATs are generally limited to a fixed period of time such as 90 days.

Bearer tokens are for OAuth2 authentication. A bearer token is an encoded value that generally contains the user ID, authenticated token and a timetamp. It is most commonly used in REST APIs. If the API supports OAuth2 then it'll use a bearer token. The user (or client app) sends credentials to the server to authenticate. They get back a bearer token that is good for a fixed period of time (determined by the server). Subsequent calls to the API pass the bearer token for authentication.

Which do you use? Depends on the circumstance. If you are a user trying to authenticate against and API so you can script something then you'll use a PAT if the API supports it (aka Azure). If you are building an application to consume an API and the API supports OAuth2 then you'll need to get a client ID/secret from the API provider. Then you'll use OAuth2 to get the bearer token for your session and then use that until you're done. The next time you need to contact the API you'll request a new bearer token.

Both approaches have the same capabilities, it is just dependent upon what the API you're calling wants to use.