Every time your client app calls the API to request protected data and resources from the Tiki Marketplace, you must pass the access token along with that API request. The passed token informs the API that the bearer of the token has been authorized to access the API and perform specific actions specified by the scope that was granted during authorization.

Access tokens are issued by authentication and authorization server as part of an OAuth 2.0 flow and contain information about the user and the resource for which the token is intended. Access tokens are validated by resources to grant access to a client app based on the information they contain. 

Access tokens cannot be revoked and are valid until their expiry. A malicious actor that has obtained an access token can use it for extent of its lifetime. So, the access tokens are valid for only a short period of time and will be expired. Therefore, you should use a refresh token to get a new access token.