Token-based vs. certificate-based authentication

Read this earlier post on Web Services Security.

There are a couple of major differences between a token and a certificate.

Tokens are essentially a symmetric key. That means the same key has to exist on both the client and the server for the server to be able to authenticate users.

Certificates use an asymmetric pair of keys. Certificates are based on public-key cryptography, and the client holds one key (the private key) that is never shared with anyone else.

The public key is sent to the Certificate Authority to be signed and stamped into a certificate. When a client connects to the server, it actually signs something using the private key (the one that is never shared). When client SSL is used, it signs a challenge sent by the server; if WS-Security is used, the client signs the whole message that is sent. The server then uses the certificate (which includes the public key) and verifies that the signature was made with the private key matching that certificate (using public-key cryptography).
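The two models described above, as an added example in Go (not code from the original post): a symmetric token check, where the server holds the same secret as the client, beside the certificate model, where the client signs the server's challenge with a private key and the server verifies with the public key alone. The certificate wrapping of the public key is omitted; the key pair, shared secret and challenge bytes are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Symmetric token: the same secret sits on client and server, so the server
// (or anyone who obtains the secret) can produce a valid client token.
func tokenMAC(secret, challenge []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(challenge)
	return m.Sum(nil)
}

func verifyToken(secret, challenge, mac []byte) bool {
	return hmac.Equal(tokenMAC(secret, challenge), mac) // constant-time compare
}

// Certificate model: only the client holds the private key; it signs the
// server's challenge so the server can verify with the public key from the cert.
func signChallenge(priv *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

func verifyChallenge(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	// Constructed demo values: a fresh client key pair and a random server challenge.
	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		panic(err)
	}
	sig, err := signChallenge(clientKey, challenge)
	if err != nil {
		panic(err)
	}
	// The server side only ever sees clientKey.PublicKey.
	fmt.Println("challenge signature verified:", verifyChallenge(&clientKey.PublicKey, challenge, sig))

	secret := []byte("shared-secret-on-both-sides") // constructed shared token key
	mac := tokenMAC(secret, challenge)
	fmt.Println("token MAC verified:", verifyToken(secret, challenge, mac))
}
```

A fresh challenge per connection is what keeps a captured signature from being replayed; the test below checks that a signature over one challenge does not verify for another.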


Anuj Varma, Technology Architect
