A peek into Bearer tokens

This "article" gives insight into how bearer tokens work, for anyone who doesn't know how bearer tokens are made or what they really are.

There are two kinds of bearer tokens. Both are JWTs (JSON Web Tokens) signed with the HS256 algorithm (HMAC-SHA256), which means anyone holding a token can decode and read its claims, but only the issuer, who holds the HMAC secret, can mint a valid one or check its signature.

The two kinds of tokens are MSA (Microsoft Account) tokens and Yggdrasil tokens (Mojang account tokens).

When you log into a Mojang account, you're given a Bearer token to use with any endpoint that requires authentication. The token goes in the Authorization header, e.g. Authorization: Bearer [bearer_token_here].

Yggdrasil Tokens

Yggdrasil is Mojang's authentication system for Mojang accounts.

An example Yggdrasil authentication token, when decoded (try with the official JWT site!), looks like this:

{
  "agg": "Adult", // age group; possibly can also be "Child"?
  "sub": "f1fe88c8d6434bf191b76d5b4297ce99", // JWT subject: internal Mojang account identifier (userId value)
  "lim": "msaforced", // how the API blocks accounts that have forced migration enabled
  "yggt": "bcfaf1c02b3d475fa0c1fa24ba702ff6", // the Yggdrasil token itself
  "spr": "8f932de0efb8448cb95a4378a83f459d", // Minecraft profile UUID (optional - THIS WAS REMOVED FOR FORCED MIGRATION)
  "iss": "Yggdrasil-Auth", // JWT issuer: always "Yggdrasil-Auth" for these tokens
  "exp": 1607018676, // expiry time (Unix timestamp, seconds)
  "iat": 1606845876 // issued at (Unix timestamp, seconds)
}
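To make the structure concrete, here is an added example (not code from the original page or from Mojang) that builds an HS256 JWT with the Yggdrasil claim layout above, decodes it without any secret, and then verifies it the way a resource server would. The secret and the sample claims are constructed for this example; Mojang's real signing key is of course not known.

```python
import base64, hashlib, hmac, json

def b64url_decode(seg):
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_hs256_token(claims, secret):
    # Build header.payload.signature the way an HS256 issuer does (constructed, not Mojang's code).
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def decode_unverified(token):
    # Anyone holding a bearer token can read its header and claims; no secret is needed for this.
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def verify_hs256(token, secret, now):
    # Verification needs the issuer's secret: recompute the HMAC over header.payload, compare it in
    # constant time, then enforce exp and nbf/iat. Returns the claims or raises ValueError.
    header_b64, payload_b64, sig_b64 = token.split(".")
    header, claims = decode_unverified(token)
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    if now < claims.get("nbf", claims.get("iat", 0)):
        raise ValueError("token not yet valid")
    return claims

def is_valid(token, secret, now):
    try:
        verify_hs256(token, secret, now)
        return True
    except (ValueError, KeyError):
        return False

# Constructed sample mirroring the Yggdrasil layout above; the secret is made up for this example.
SECRET = b"example-secret-not-mojangs"
SAMPLE_CLAIMS = {"agg": "Adult", "sub": "f1fe88c8d6434bf191b76d5b4297ce99", "yggt": "bcfaf1c02b3d475fa0c1fa24ba702ff6",
                 "iss": "Yggdrasil-Auth", "exp": 1607018676, "iat": 1606845876}
SAMPLE_TOKEN = make_hs256_token(SAMPLE_CLAIMS, SECRET)
```

The point to take away is that decode_unverified succeeds for any well-formed token, while verify_hs256 only passes with the right secret and inside the exp/iat window; a token whose claims were edited fails the HMAC check.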

MSA Tokens

Microsoft Accounts are what Minecraft players who made their accounts after December 1st, 2020 log in with, so it's good to take a peek inside an MSA token! They share the basic JWT layout with Yggdrasil tokens but differ in many of their claims.

An example MSA token, when decoded (try with the official JWT site!), looks like this:

{
  "xuid": "2556731038473355", // XUID (Xbox user identifier)
  "sub": "917d9d8653d9e4e9866b1a2425ea49b2", // JWT subject: distinguishes this token from others
  "nbf": 1606845146, // JWT "not before" time; seems to be the same as "iat" here
  "roles": [], // ??? perhaps the "entitlements" that have been referenced before on the API
  "iss": "authentication", // issued by "authentication" (Xbox auth) - Yggdrasil normally says "Yggdrasil-Auth"
  "exp": 1606931546, // expiry time (Unix timestamp, seconds)
  "iat": 1606845146, // issued at (Unix timestamp, seconds)
  "yuid": "752438effc5242fc9d54705d89f780a7" // internal account identifier for the Minecraft profile. When you migrate a
                                             // Minecraft profile to a Microsoft account, you may notice that the "sub" value
                                             // from the old Mojang token becomes the "yuid" value in the new MSA token.
}