for example:
Cloud development application wants to access your Baidu network disk, read the network disk picture and print it to you. But it needs your account number and password to log in and access your network disk. Will you rest assured to give it your account password? But you can authorize the network disk to print a token to the cloud, which is valid for 10 days. Yunchong printing this token, is equivalent to having your account number and password. You can use token to access your network disk data. So your password won't leak. You can cancel this authorization at any time, which prevents others from reading your data. If you give your account number and password, you will have to change your password if you want to cancel the authorization in the future.
it is not secure for users to store their passwords locally, and others have a chance to see your plaintext password. API is stateless, do you have to bring your user name and password with you every time you request it? it won't be safe.
essentially token = username + password
this involves a lot of knowledge points, which is simply "the unique identity of the user", which is easy to understand.
you can learn more about
https://blog.csdn.net/xunfeng.
you can see my note https://codeshelper.com/n/13.
Token means token. If I use token to verify, I don't need to enter my user name and password many times. I can achieve single sign-on, outh authentication and other functions.
token can be thought of as an encapsulated user state