What is token theft?

By Identra · Updated

Token theft is the stealing of authentication tokens, session cookies, OAuth tokens, API keys, or refresh tokens, that a user, workload, or AI agent has already earned by signing in. Because the token proves authentication already happened, an attacker who replays it inherits the session without needing the password or the MFA challenge.

Key numbers

How do attackers steal tokens?

Every authenticated session produces artifacts: a session cookie in the browser, an access token held by an app, a refresh token that quietly renews both. Attackers have industrialized three main ways of taking them. Adversary-in-the-middle (AiTM) phishing puts a reverse proxy between the victim and the real login page, so the user completes a genuine sign-in, including the MFA prompt, while the proxy captures the resulting session cookie. It is the modern engine behind most session hijacking.

Infostealer malware takes a different path: it lands on the endpoint and harvests cookies, saved passwords, and tokens directly from browser storage and application caches, which is one reason enterprise browser security has become an identity problem rather than just an endpoint problem. The third path skips the user entirely. Attackers steal OAuth and API tokens from the systems that hold them: source code, CI logs, misconfigured storage, or a compromised SaaS vendor whose integration tokens fan out into customer tenants, a blast radius pattern closely related to OAuth app risk.

  • AiTM phishing proxies: capture session cookies during a real, MFA-completed login
  • Infostealer malware: exfiltrates cookies and tokens from browsers and app caches on the device
  • Supply-chain and infrastructure theft: OAuth grants, refresh tokens, and API keys lifted from vendors, repos, logs, and pipelines
  • Pass-the-cookie replay: the stolen artifact is imported into the attacker's browser and simply reused

Why does token theft bypass MFA?

MFA protects the moment of authentication. A token is what you get after that moment succeeds. When an attacker replays a stolen session cookie or refresh token, the identity provider sees a bearer of valid proof, not a new login, so there is no password prompt and no MFA challenge to fail. Conditional access checks that were satisfied at issuance, device compliance, location, MFA strength, travel with the token unless the provider re-evaluates them continuously.

This is why token theft grew as MFA adoption grew. Organizations that rolled out one-time codes and push notifications forced attackers up the stack: instead of stealing the password before MFA, they steal the session after it. Even phishing-resistant MFA such as FIDO2 passkeys, which defeats AiTM capture of the login itself, does not help if malware lifts the cookie from the browser afterward. The result on the human side is an account takeover that never tripped a single authentication control.

What does token theft look like for non-human and AI identities?

Most token theft coverage focuses on employee sessions, but the larger and less defended surface is non-human identity. Service accounts, workloads, and integrations authenticate almost exclusively with long-lived bearer artifacts: API keys, OAuth refresh tokens, signing secrets, personal access tokens. These rarely have MFA to bypass in the first place, are seldom rotated, and often sit in places attackers already search, which is the core failure mode behind secret sprawl. The 2025 Salesloft Drift incident showed the scale: OAuth tokens stolen from one vendor's integration extended attacker access into hundreds of downstream customer environments.

AI agents raise the stakes again. An AI agent typically holds delegated tokens for email, calendars, code repositories, and internal tools, sometimes many at once, and stores them wherever its runtime keeps state. Stealing an agent's token can be worth more than stealing a user's session, because the agent's credential is broad, long-lived, and exercised by software that no one is watching. Sound API key security and vaulting reduce exposure, but the theft problem follows the token wherever it travels at runtime.

How do you detect token theft?

A stolen token is used from somewhere new, and that is the detection seam. The strongest signals are anomalies in how a previously issued token is exercised: a session cookie replayed from a different IP range, autonomous system, or device fingerprint than the one it was issued to; a refresh token redeemed from infrastructure the tenant has never seen; impossible travel between the issuing sign-in and the token's next use.

Identity providers surface some of this natively, with detections for anomalous tokens, attacker-in-the-middle patterns, and unfamiliar sign-in properties. Mature programs fold those signals into a broader identity threat detection and response practice: correlating token anomalies with endpoint infostealer alerts, watching for OAuth grants that suddenly pull data at machine speed, and treating a burst of activity from a normally quiet service account token as an incident, not a curiosity. For non-human tokens, detection depends on knowing baseline usage per credential, which requires an inventory of which tokens exist and who legitimately uses them from where.

How do you prevent token theft and replay?

Prevention works at three layers: make theft harder, make stolen tokens useless, and shrink what any single token can do. Making theft harder means phishing-resistant authentication to defeat AiTM capture, hardened and monitored endpoints to counter infostealers, and disciplined secrets management so machine tokens are vaulted rather than scattered through code and config.

Making stolen tokens useless is the more durable win. Token binding cryptographically ties a token to the device it was issued to, so a replayed copy fails. Continuous access evaluation revokes sessions in near real time when risk changes, instead of trusting a check performed at issuance. Short token lifetimes and aggressive refresh rotation narrow the replay window. For non-human identities, the equivalent is replacing static long-lived keys with short-lived, workload-attested credentials and zero standing privileges, so there is less durable material to steal. Finally, scope reduction through least privilege means that when a token is stolen anyway, it opens one door, not the estate.

  • Deploy phishing-resistant MFA to cut off AiTM capture of human sessions
  • Bind tokens to devices and enforce continuous access evaluation so replay fails
  • Shorten token lifetimes and rotate refresh tokens on every use
  • Vault machine credentials and prefer short-lived, attested tokens over static API keys
  • Scope every token to least privilege so theft yields minimal reach

How Identra thinks about it

Identra treats token theft as a runtime problem, because a stolen token only becomes an attack when it is used. Posture controls decide how tokens are issued; what matters after that is observing how every credential, human, workload, or AI agent, actually behaves in production. That is the premise of runtime identity security: baseline each identity's real usage, and a replayed session cookie, a service account key exercised from new infrastructure, or an agent token pulling data it never touched before all surface as the same class of anomaly. As agents multiply the number of delegated tokens in flight, we believe detection at the point of use, not just protection at the point of issuance, is what closes the gap.

Go deeper: The Non-Human Majority

Frequently asked questions

Does MFA stop token theft?

No. MFA protects the login, and a token is proof that a login already succeeded. Replaying a stolen session cookie or refresh token requires no new authentication, so no MFA prompt appears. Phishing-resistant MFA blocks AiTM capture during sign-in, but it cannot protect a token that malware steals from the browser afterward.

What is the difference between token theft and session hijacking?

They overlap heavily. Session hijacking is the takeover of an active session, most often by stealing its cookie. Token theft is the broader category: it covers session cookies but also OAuth access and refresh tokens, API keys, and machine credentials that may never correspond to an interactive session at all.

How do I know if a token has been stolen?

Look for issued-versus-used mismatches: a token exercised from a different device, IP range, or country than its issuing sign-in, impossible travel between events, anomalous token detections from your identity provider, or a quiet service account credential suddenly producing high-volume activity. Correlating these with endpoint infostealer alerts raises confidence quickly.

Are AI agent tokens at risk of theft?

Yes, and often more exposed than user sessions. Agents hold delegated OAuth tokens and API keys for many systems at once, store them in runtime state, and use them without a human watching. A stolen agent token can grant broad, long-lived access, which is why short-lived credentials and runtime monitoring matter for agents especially.

Related terms