JFrog’s Access Tokens are standard JSON Web Tokens (JWTs). Because they are standard JWTs, they can be quite long: they contain the token’s claims (scope, subject and others) as well as additional information used to validate the token. The length of the token can create compatibility issues with various clients trying to authenticate with the JFrog platform. Moreover, some clients might not even support bearer token authentication (Authorization: Bearer <token>). To mitigate these length limitations, JFrog introduced the Reference Token, which is simply a short string of characters that refers to an actual JWT Access token. Unlike a regular JWT token, reference tokens follow this pattern: .*\bcmVmd[A-Za-z0-9]{59}\b.*, starting with cmVmd followed by 59 more alphanumeric characters.
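An added example (not JFrog code): a small scanner that uses the pattern above to find and redact reference tokens in logs or config files, alongside JWT-shaped access tokens. The JWT shape check, the function names and the sample strings are assumptions constructed for illustration.

```python
import base64
import json
import re

# Pattern from the page without the surrounding ".*" (only needed for
# whole-line matching; finditer already scans inside each line).
REFERENCE_TOKEN = re.compile(r"\bcmVmd[A-Za-z0-9]{59}\b")
# Assumption: compact JWT = three base64url segments, header starting "eyJ".
JWT_SHAPE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")

# Constructed sample values, not real tokens.
SAMPLE_REF = "cmVmd" + "A1b2C3d4E5" * 5 + "F6g7H8i9J"
SAMPLE_LOG = (
    f"curl -H 'Authorization: Bearer {SAMPLE_REF}' https://example.invalid/api\n"
    "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"
    ".eyJzdWIiOiIxMjM0NTY3ODkwIn0.c2lnbmF0dXJl\n"
    f"id=cmVmd{'x' * 70}\n"  # longer alphanumeric run: must not match
)


def _is_jwt(candidate):
    """True if the first segment decodes to a JSON object with an "alg" field."""
    header = candidate.split(".")[0]
    try:
        padded = header + "=" * (-len(header) % 4)
        return "alg" in json.loads(base64.urlsafe_b64decode(padded))
    except (ValueError, TypeError):
        return False


def find_tokens(text):
    """Return (kind, line_number, token) for every token-shaped string in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in REFERENCE_TOKEN.finditer(line):
            hits.append(("reference", lineno, m.group()))
        for m in JWT_SHAPE.finditer(line):
            if _is_jwt(m.group()):
                hits.append(("jwt", lineno, m.group()))
    return hits


def redact(text):
    """Replace each token with a marker keeping only its kind and a short prefix."""
    for kind, _, token in find_tokens(text):
        text = text.replace(token, f"<{kind}-token:{token[:8]}...redacted>")
    return text
```

Because \b treats the underscore as a word character, a token written directly after one (for example name_cmVmd...) is not matched by the page's pattern; widen the boundary if your logs use that form.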
One type of access token is called an identity token, which is an access token that is scoped, or targeted, to a specific user’s permissions, or their identity. Because identity tokens are scoped tokens, they provide limited and focused permissions, and are revocable when a user is deleted or disabled, making them more secure. You can create a reference token for an identity token and use it for user authentication.
To obtain a reference token through the REST API, use the Create Token REST API and set the include_reference_token parameter to true. You can also use the JFrog Platform WebUI Profile page to generate this token.
There are two ways to create a reference token through the JFrog Platform UI: to create an admin-scoped reference token, see this guide; to create an identity reference token, see this guide.