A token (sometimes called a security token) is an object that controls access to a digital asset. Traditionally, this term has been used to describe a hardware authenticator, a small device used in a networked environment to create a one-time password that the owner enters into a login screen along with an ID and a PIN. However, in the context of web services and with the emerging need for devices and processes to authenticate to each other over open networks, the term token has been expanded to include software mechanisms, too.
A token may be, for example, an X.509 certificate, which associates an identity with a public key. The OASIS Web Services Security (WSS) Technical Committee, which has done a lot of the work on WS-Security, has developed standards that deal with the structure and usage of various kinds of tokens to support security in XML environments and web services. These include the Web Services Security Username Token Profile 1.0 and the Web Services Security X.509 Certificate Token Profile.