Understanding Identity Tokens

JFrog Platform Administration Documentation


JFrog’s Access Tokens are standard JSON Web Tokens (JWTs). Because they are standard JWTs, they can be quite long: they contain the token’s claims (scope, subject and others), as well as additional information used to validate the token. The length of the token can create compatibility issues with various clients trying to authenticate with the JFrog Platform. Moreover, some clients might not even support bearer token authentication (Authorization: Bearer <token>). To mitigate these length limitations, JFrog introduced the Reference Token, which is simply a short string of characters that refers to an actual token.
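The difference between the two token forms can be seen by inspecting them on the client, as in this added example (not JFrog code). It decodes a JWT's claims without verifying the signature, which also shows that anyone holding the token can read them. The `scp` claim name, every sample value and the 64-character reference string are assumptions constructed for illustration.

```python
import base64
import json
import time

def _decode_segment(segment):
    """Decode one base64url JWT segment (padding restored) into a Python object."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def _encode_segment(data):
    """base64url-encode bytes the way JWTs do (no '=' padding)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def inspect_token(token, now=None):
    """Classify a token; for a JWT, read its claims WITHOUT verifying the signature."""
    info = {"length": len(token), "kind": "opaque"}
    parts = token.split(".")
    if len(parts) != 3:
        return info  # e.g. a reference token: nothing to decode on the client
    try:
        header, claims = _decode_segment(parts[0]), _decode_segment(parts[1])
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return info
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return info
    now = time.time() if now is None else now
    exp = claims.get("exp")
    info.update(kind="jwt", alg=header.get("alg"), subject=claims.get("sub"),
                scope=claims.get("scp"),  # "scp" as the scope claim is an assumption
                expired=isinstance(exp, (int, float)) and exp < now)
    return info

# Constructed sample: claim values are invented and the signature is 256 zero
# bytes (the size of an RS256 signature with a 2048-bit key), so it verifies nowhere.
_CLAIMS = {"sub": "jfac@example/users/alice", "scp": "applied-permissions/user",
           "iss": "jfac@example", "iat": 1700000000, "exp": 1700003600}
SAMPLE_JWT = ".".join([
    _encode_segment(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _encode_segment(json.dumps(_CLAIMS).encode()),
    _encode_segment(bytes(256)),
])
SAMPLE_REFERENCE = "r" * 64  # constructed placeholder; its length is an assumption

if __name__ == "__main__":
    for name, tok in (("access token", SAMPLE_JWT), ("reference token", SAMPLE_REFERENCE)):
        print(name, inspect_token(tok, now=1700000100))
```

Because the claims are only base64url-encoded, treat the full JWT as sensitive wherever it is logged or stored; the reference string reveals nothing by itself but grants the same access as the token it refers to.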

One type of access token is called an identity token, which is an access token that is scoped, or targeted, to a specific user’s permissions, or their identity. Because identity tokens are scoped tokens, they provide limited and focused permissions, and are revocable when a user is deleted or disabled, making them more secure.

To obtain a reference token using the REST API, you can use the Create Token REST API, setting the include_reference_token parameter to true. You can also use the JFrog Platform WebUI Profile page to generate this token.

To create a reference token through the JFrog Platform UI, there are two methods: to create an admin-scoped reference token, see this guide, and to create an identity reference token, see this guide.