Access Grants Are Passwords
Published on Wednesday, December 3, 2025
Access grants are passwords. They're random and temporary, but they are passwords. Knowing an access token is sufficient to gain access to a user's account, which makes it no different from a password.
Because of this it's important to keep them secret. That includes within your database, where you should hash the token with a suitable algorithm. You don't need an advanced password hashing algorithm: these tokens are long random values, so an attacker who steals the hashes cannot guess them offline, and plain SHA256 is perfectly acceptable. In fact, the slow, salted password hashing algorithms may make looking up the token impossible (each hash of the same token comes out different, so it can't serve as a database index), so definitely avoid those!
An incomplete list of access grants which you should be hashing:
- Access tokens
- Refresh tokens
- Reset-password tokens
- Email-confirmation tokens
- MFA codes (those 6-digit codes apps text you)
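The storage pattern described above, as an added example rather than code from the original post: issue a high-entropy random token, keep only its SHA256 in the table keyed by that hash, and look it up by hashing whatever the client presents. The in-memory dictionary, the token length and the one-hour lifetime are constructed assumptions standing in for a real database and a real policy.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional

# Added example, not code from the original post. Tokens here carry 256 bits of
# randomness, so a single unsalted SHA256 protects the stored copy while still
# being deterministic enough to use as the lookup key.

TOKEN_BYTES = 32          # 256 bits of randomness per token
TOKEN_TTL_SECONDS = 3600  # hypothetical lifetime for an access token

# Constructed in-memory "database": sha256(token) -> record.
# The plaintext token is never written here.
_token_db: Dict[str, dict] = {}


def hash_token(token: str) -> str:
    """Deterministic, unsalted SHA256 so the hash can serve as the index."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(user_id: str, now: Optional[float] = None) -> str:
    """Create a token for user_id, store only its hash, return the plaintext once."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(TOKEN_BYTES)
    _token_db[hash_token(token)] = {
        "user_id": user_id,
        "expires_at": now + TOKEN_TTL_SECONDS,
    }
    return token  # the only place the plaintext ever exists server-side


def verify_token(presented: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user_id the token grants access to, or None if unknown or expired."""
    now = time.time() if now is None else now
    # Hashing before the lookup means a stolen table reveals nothing usable, and
    # the comparison happens on digests the caller cannot choose directly.
    digest = hash_token(presented)
    record = _token_db.get(digest)
    if record is None:
        return None
    if now >= record["expires_at"]:
        # Expired grants are dropped so the table does not grow without bound.
        del _token_db[digest]
        return None
    return record["user_id"]


def revoke_token(presented: str) -> bool:
    """Delete the grant (logout / rotation); True if it existed."""
    return _token_db.pop(hash_token(presented), None) is not None


def plaintext_in_storage(token: str) -> bool:
    """Sanity check: the raw token must never appear anywhere in the store."""
    return any(token in key or token in str(rec) for key, rec in _token_db.items())
```

One caveat the table above implies but does not spell out: a 6-digit MFA code has only a million possible values, so a stolen SHA256 of one can be brute-forced offline in well under a second. Hashing such a code still keeps it out of database dumps and logs, but its real protection is a short expiry and a strict limit on verification attempts, which this example leaves to the caller.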
To answer the more general question "when should I hash": you should hash a value if it can be used to grant access. There are certainly other reasons to hash things, but they are not the subject of this post.
To answer the opposite question "when should I not hash": you should not hash a value if it's not secret, does not grant access, or the server needs to know the value without the user supplying it.
Sleep better; hash your passwords.