Class: Token
The Token object is the base object for representing tokens, API keys, and authentication credentials used across different contexts. This object provides common attributes for all token types, including protocol-specific authentication tokens (Kerberos, OIDC, SAML) and API/client tokens used for service authentication.

When to use this object: Use the base `token` object directly in API activity events to represent API tokens, client tokens, or API keys used to authenticate API requests. Examples include: Okta API tokens, Microsoft Entra ID Application Registration client secrets, Stripe API keys, AWS API keys.

When NOT to use this object: Do NOT use the base `token` object for protocol-specific authentication tokens in authentication events; use `authentication_token` instead (which extends this object). Do NOT use `token` for tracking credential lifecycle and usage patterns; use `programmatic_credential` instead.

URI: ocsf:Token
```mermaid
classDiagram
    class Token
    click Token href "../Token/"
    Object <|-- Token
    click Object href "../Object/"
    Token <|-- AuthenticationToken
    click AuthenticationToken href "../AuthenticationToken/"
    Token : created_time
    Token : expiration_time
    Token : is_renewable
    Token : modified_time
    Token : name
    Token : tenant_uid
    Token : type
    Token : type_id
    Token --> "0..1 _recommended_" TokenTypeIdEnum : type_id
    click TokenTypeIdEnum href "../TokenTypeIdEnum/"
    Token : uid
    Token : zone
```
Inheritance
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| created_time | 0..1 recommended TimestampT | The time that the token was created | direct |
| expiration_time | 0..1 TimestampT | The expiration time of the token | direct |
| is_renewable | 0..1 Boolean | Indicates whether the token is renewable | direct |
| modified_time | 0..1 TimestampT | The last time the token was updated | direct |
| name | 0..1 String | The human-friendly name of a token or key, if available, such as the | direct |
| tenant_uid | 0..1 String | The unique identifier of the tenant or organization that owns the token or ke... | direct |
| type | 0..1 recommended String | The type of the token, normalized to the caption of the type_id | direct |
| type_id | 0..1 recommended TokenTypeIdEnum | The normalized token type identifier | direct |
| uid | 0..1 String | The unique ID of a token or key, if available, such as the Secret | direct |
| zone | 0..1 String | The network zone or geographic region that the token or key is authorized to ... | direct |
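
A sketch of how a log pipeline could check a base `token` object before emitting it in an API activity event, using the slots and `type_id` values listed on this page. This is an added example, not OCSF project code; the caption strings (taken as the text before " - " in the `type_id` description) and epoch-millisecond timestamps are assumptions.

```python
# Added example, not OCSF project code. Captions and the epoch-millisecond
# time unit are assumptions; slot names and type_id values come from this page.
TOKEN_TYPES = {
    0: "Unknown", 1: "Ticket Granting Ticket", 2: "Service Ticket",
    3: "Identity Token", 4: "Refresh Token", 5: "SAML Assertion",
    6: "Client Token", 7: "API Token", 99: "Other",
}
PROTOCOL_SPECIFIC = {1, 2, 3, 4, 5}  # Kerberos, OIDC, SAML belong in authentication_token
SLOTS = {"created_time", "expiration_time", "is_renewable", "modified_time",
         "name", "tenant_uid", "type", "type_id", "uid", "zone"}
RECOMMENDED = ("created_time", "type", "type_id")

# Constructed sample objects (not real tokens or tenants).
GOOD = {"type_id": 7, "type": "API Token", "name": "ci-deploy", "uid": "tok-0001",
        "created_time": 1700000000000, "expiration_time": 1800000000000}
BAD = {"type_id": 4, "type": "API Token", "expiration_time": 1700000000000}


def check_api_token(token, event_time_ms):
    """Return findings for a base token object carried in an API activity event."""
    findings = []
    for key in sorted(set(token) - SLOTS):
        findings.append(f"unknown slot: {key}")
    for key in RECOMMENDED:
        if key not in token:
            findings.append(f"missing recommended slot: {key}")
    type_id = token.get("type_id")
    if type_id is not None:
        if type_id not in TOKEN_TYPES:
            findings.append(f"type_id {type_id} is not in TokenTypeIdEnum")
        elif type_id in PROTOCOL_SPECIFIC:
            findings.append("protocol-specific type_id: use authentication_token")
        # For 99 (Other) the type string is source-specific, so it is not compared.
        elif type_id != 99 and token.get("type") not in (None, TOKEN_TYPES[type_id]):
            findings.append("type does not match the caption of type_id")
    exp = token.get("expiration_time")
    if exp is not None and exp <= event_time_ms:
        findings.append("token used at or after expiration_time")
    return findings


if __name__ == "__main__":
    for sample in (GOOD, BAD):
        print(check_api_token(sample, event_time_ms=1750000000000))
```
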
Usages
| used by | used in | type | used |
|---|---|---|---|
| Api | token | range | Token |
In Subsets
Aliases
- Token
Identifier and Mapping Information
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:Token |
| native | ocsf:Token |
LinkML Source
Direct
```yaml
name: Token
description: 'The Token object is the base object for representing tokens, API keys,
  and authentication credentials used across different contexts. This object provides
  common attributes for all token types, including protocol-specific
  authentication tokens (Kerberos, OIDC, SAML) and API/client tokens used for
  service authentication. When to use this object: Use the base
  <code>token</code> object directly in API activity events to represent API
  tokens, client tokens, or API keys used to authenticate API requests. Examples
  include: Okta API tokens, Microsoft Entra ID Application Registration client
  secrets, Stripe API keys, AWS API keys. When NOT to use this object: Do NOT use
  the base <code>token</code> object for protocol-specific authentication tokens
  in authentication events - use <code>authentication_token</code> instead (which
  extends this object). Do NOT use <code>token</code> for tracking credential
  lifecycle and usage patterns - use <code>programmatic_credential</code>
  instead.'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Token
is_a: Object
slots:
- created_time
- expiration_time
- is_renewable
- modified_time
- name
- tenant_uid
- type
- type_id
- uid
- zone
slot_usage:
  created_time:
    name: created_time
    description: The time that the token was created.
    recommended: true
  expiration_time:
    name: expiration_time
    description: The expiration time of the token.
  is_renewable:
    name: is_renewable
    description: Indicates whether the token is renewable.
  modified_time:
    name: modified_time
    description: The last time the token was updated.
  name:
    name: name
    description: 'The human-friendly name of a token or key, if available, such as
      the <code>name</code> from the Okta API Token API.'
  tenant_uid:
    name: tenant_uid
    description: 'The unique identifier of the tenant or organization that owns the
      token or key, or the tenant context in which the token is authorized for use.
      This is particularly relevant in multi-tenant Identity Provider scenarios where
      tokens are scoped to specific tenants.'
  type:
    name: type
    description: 'The type of the token, normalized to the caption of the <code>type_id</code>
      value. This indicates whether the token is a Client Token, API Token, or one
      of the protocol-specific token types.'
    recommended: true
  type_id:
    name: type_id
    description: 'The normalized token type identifier. Valid values: 0 (Unknown),
      1 (Ticket Granting Ticket - Kerberos), 2 (Service Ticket - Kerberos),
      3 (Identity Token - OIDC), 4 (Refresh Token - OIDC), 5 (SAML Assertion),
      6 (Client Token - IdP-issued), 7 (API Token - generic API keys), 99 (Other).'
    range: TokenTypeIdEnum
    recommended: true
  uid:
    name: uid
    description: 'The unique ID of a token or key, if available, such as the <code>Secret
      ID</code> of Entra ID Application Registration Client Secrets.'
  zone:
    name: zone
    description: 'The network zone or geographic region that the token or key is authorized
      to be used from. This may represent network-based access restrictions, geographic
      limitations, or other zone-based authorization policies. Examples include
      Okta''s network zone restrictions or cloud provider region restrictions.'
```
Induced
```yaml
name: Token
description: 'The Token object is the base object for representing tokens, API keys,
  and authentication credentials used across different contexts. This object provides
  common attributes for all token types, including protocol-specific
  authentication tokens (Kerberos, OIDC, SAML) and API/client tokens used for
  service authentication. When to use this object: Use the base
  <code>token</code> object directly in API activity events to represent API
  tokens, client tokens, or API keys used to authenticate API requests. Examples
  include: Okta API tokens, Microsoft Entra ID Application Registration client
  secrets, Stripe API keys, AWS API keys. When NOT to use this object: Do NOT use
  the base <code>token</code> object for protocol-specific authentication tokens
  in authentication events - use <code>authentication_token</code> instead (which
  extends this object). Do NOT use <code>token</code> for tracking credential
  lifecycle and usage patterns - use <code>programmatic_credential</code>
  instead.'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Token
is_a: Object
slot_usage:
  created_time:
    name: created_time
    description: The time that the token was created.
    recommended: true
  expiration_time:
    name: expiration_time
    description: The expiration time of the token.
  is_renewable:
    name: is_renewable
    description: Indicates whether the token is renewable.
  modified_time:
    name: modified_time
    description: The last time the token was updated.
  name:
    name: name
    description: 'The human-friendly name of a token or key, if available, such as
      the <code>name</code> from the Okta API Token API.'
  tenant_uid:
    name: tenant_uid
    description: 'The unique identifier of the tenant or organization that owns the
      token or key, or the tenant context in which the token is authorized for use.
      This is particularly relevant in multi-tenant Identity Provider scenarios where
      tokens are scoped to specific tenants.'
  type:
    name: type
    description: 'The type of the token, normalized to the caption of the <code>type_id</code>
      value. This indicates whether the token is a Client Token, API Token, or one
      of the protocol-specific token types.'
    recommended: true
  type_id:
    name: type_id
    description: 'The normalized token type identifier. Valid values: 0 (Unknown),
      1 (Ticket Granting Ticket - Kerberos), 2 (Service Ticket - Kerberos),
      3 (Identity Token - OIDC), 4 (Refresh Token - OIDC), 5 (SAML Assertion),
      6 (Client Token - IdP-issued), 7 (API Token - generic API keys), 99 (Other).'
    range: TokenTypeIdEnum
    recommended: true
  uid:
    name: uid
    description: 'The unique ID of a token or key, if available, such as the <code>Secret
      ID</code> of Entra ID Application Registration Client Secrets.'
  zone:
    name: zone
    description: 'The network zone or geographic region that the token or key is authorized
      to be used from. This may represent network-based access restrictions, geographic
      limitations, or other zone-based authorization policies. Examples include
      Okta''s network zone restrictions or cloud provider region restrictions.'
attributes:
  created_time:
    name: created_time
    description: The time that the token was created.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Created Time
    rank: 1000
    alias: created_time
    owner: Token
    domain_of:
    - Osint
    - RelatedEvent
    - Sbom
    - Scim
    - Session
    - Sso
    - Token
    - Whois
    - Resource
    - Advisory
    - AuthenticationToken
    - Certificate
    - Cve
    - Database
    - Databucket
    - DigitalSignature
    - Enrichment
    - Epss
    - File
    - FindingObject
    - FindingInfo
    - Job
    - KbArticle
    - LdapPerson
    - ProcessEntity
    - Table
    - Device
    range: TimestampT
    recommended: true
  expiration_time:
    name: expiration_time
    description: The expiration time of the token.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Expiration Time
    rank: 1000
    alias: expiration_time
    owner: Token
    domain_of:
    - Osint
    - Session
    - Token
    - AuthenticationToken
    - Certificate
    - HttpCookie
    - FileHosting
    - NetworkFileActivity
    range: TimestampT
  is_renewable:
    name: is_renewable
    description: Indicates whether the token is renewable.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Renewable
    rank: 1000
    alias: is_renewable
    owner: Token
    domain_of:
    - Token
    - AuthenticationToken
    range: boolean
  modified_time:
    name: modified_time
    description: The last time the token was updated.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Modified Time
    rank: 1000
    alias: modified_time
    owner: Token
    domain_of:
    - Osint
    - RelatedEvent
    - Scim
    - Sso
    - Token
    - Resource
    - Advisory
    - Cve
    - Database
    - Databucket
    - File
    - FindingObject
    - FindingInfo
    - LdapPerson
    - Metadata
    - Table
    - Device
    - RegKey
    - RegValue
    range: TimestampT
  name:
    name: name
    description: 'The human-friendly name of a token or key, if available, such as
      the <code>name</code> from the Okta API Token API.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Name
    rank: 1000
    alias: name
    owner: Token
    domain_of:
    - AnalysisTarget
    - Observable
    - Os
    - Osint
    - Package
    - Parameter
    - PrivilegeInfo
    - San
    - Scim
    - Script
    - ServicePrivilegeAnalysis
    - SoftwareComponent
    - Sso
    - StartupItem
    - ThreatActor
    - Token
    - Entity
    - Resource
    - Account
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - AutonomousSystem
    - Campaign
    - Check
    - CisBenchmark
    - CisBenchmarkResult
    - CisControl
    - ClassifierDetails
    - Container
    - D3fTactic
    - D3fTechnique
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Endpoint
    - Enrichment
    - EnvironmentVariable
    - Evidences
    - Extension
    - Feature
    - File
    - Graph
    - Group
    - HttpCookie
    - HttpHeader
    - Idp
    - Image
    - Job
    - Kernel
    - KeyValueObject
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metric
    - Mitigation
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - ResourceDetails
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - FtpActivity
    - RegValue
    - WinResource
    - WinService
    - PrefetchQuery
    range: string
  tenant_uid:
    name: tenant_uid
    description: 'The unique identifier of the tenant or organization that owns the
      token or key, or the tenant context in which the token is authorized for use.
      This is particularly relevant in multi-tenant Identity Provider scenarios where
      tokens are scoped to specific tenants.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Tenant UID
    rank: 1000
    alias: tenant_uid
    owner: Token
    domain_of:
    - Token
    - Idp
    - Metadata
    range: string
  type:
    name: type
    description: 'The type of the token, normalized to the caption of the <code>type_id</code>
      value. This indicates whether the token is a Client Token, API Token, or one
      of the protocol-specific token types.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Type
    rank: 1000
    alias: type
    owner: Token
    domain_of:
    - AnalysisTarget
    - Observable
    - Os
    - Osint
    - Package
    - PrivilegeInfo
    - ProgrammaticCredential
    - RelatedEvent
    - San
    - Sbom
    - Script
    - SoftwareComponent
    - StartupItem
    - ThreatActor
    - Ticket
    - Timespan
    - TlsExtension
    - Token
    - Dns
    - Resource
    - Account
    - Agent
    - Analytic
    - ApplicationObject
    - AuthenticationToken
    - ClassifierDetails
    - Cve
    - Database
    - Databucket
    - DiscoveryDetails
    - DnsAnswer
    - DomainContact
    - EncryptionDetails
    - Endpoint
    - Enrichment
    - File
    - Graph
    - Group
    - Ja4Fingerprint
    - Kernel
    - ManagedEntity
    - Metadata
    - Module
    - NetworkEndpoint
    - NetworkInterface
    - Node
    - PeripheralDevice
    - Policy
    - Rule
    - Scan
    - Trait
    - UnmannedAerialSystem
    - UnmannedSystemOperatingArea
    - User
    - WebResource
    - Device
    - DatastoreActivity
    - FtpActivity
    - RegValue
    - WinResource
    range: string
    recommended: true
  type_id:
    name: type_id
    annotations:
      sibling:
        tag: sibling
        value: type
    description: 'The normalized token type identifier. Valid values: 0 (Unknown),
      1 (Ticket Granting Ticket - Kerberos), 2 (Service Ticket - Kerberos),
      3 (Identity Token - OIDC), 4 (Refresh Token - OIDC), 5 (SAML Assertion),
      6 (Client Token - IdP-issued), 7 (API Token - generic API keys), 99 (Other).'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Type ID
    rank: 1000
    alias: type_id
    owner: Token
    domain_of:
    - Observable
    - Os
    - Osint
    - Package
    - PrivilegeInfo
    - Sbom
    - Script
    - SoftwareComponent
    - StartupItem
    - ThreatActor
    - Ticket
    - Timespan
    - TlsExtension
    - Token
    - Account
    - Agent
    - Analytic
    - AuthenticationToken
    - Database
    - Databucket
    - DomainContact
    - Endpoint
    - File
    - Ja4Fingerprint
    - Kernel
    - ManagedEntity
    - NetworkEndpoint
    - NetworkInterface
    - PeripheralDevice
    - Scan
    - UnmannedAerialSystem
    - UnmannedSystemOperatingArea
    - User
    - Device
    - DatastoreActivity
    - RegValue
    - WinResource
    range: TokenTypeIdEnum
    recommended: true
  uid:
    name: uid
    description: 'The unique ID of a token or key, if available, such as the <code>Secret
      ID</code> of Entra ID Application Registration Client Secrets.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Unique ID
    rank: 1000
    alias: uid
    owner: Token
    domain_of:
    - Osint
    - Package
    - ProgrammaticCredential
    - RelatedEvent
    - Request
    - Sbom
    - Scim
    - Script
    - Session
    - Span
    - Sso
    - Ticket
    - Token
    - Trace
    - Entity
    - Resource
    - Account
    - Advisory
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - Certificate
    - Check
    - ClassifierDetails
    - Container
    - Cve
    - Cwe
    - D3fTactic
    - D3fTechnique
    - DataClassification
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Email
    - Endpoint
    - Evidences
    - Extension
    - Feature
    - File
    - FindingObject
    - FindingInfo
    - Graph
    - Group
    - HttpRequest
    - Idp
    - Image
    - KbArticle
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metadata
    - Mitigation
    - NetworkConnectionInfo
    - NetworkEndpoint
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - WinResource
    range: string
  zone:
    name: zone
    description: 'The network zone or geographic region that the token or key is authorized
      to be used from. This may represent network-based access restrictions, geographic
      limitations, or other zone-based authorization policies. Examples include
      Okta''s network zone restrictions or cloud provider region restrictions.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Network Zone
    rank: 1000
    alias: zone
    owner: Token
    domain_of:
    - Token
    - Cloud
    - Databucket
    - Endpoint
    - ResourceDetails
    range: string
```