Security Token Service
A Security Token Service (STS) is a web service that issues, validates, and exchanges security tokens — such as temporary credentials or identity assertions — allowing systems to authenticate and authorize access without repeatedly sharing…
Definition
A Security Token Service (STS) is a web service that issues, validates, and exchanges security tokens — such as temporary credentials or identity assertions — allowing systems to authenticate and authorize access without repeatedly sharing long-lived secrets.
Overview
An STS acts as a trusted intermediary in federated identity and token-based authentication flows: a client authenticates to the STS (often via a separate identity provider), and in return receives a short-lived security token that downstream services can accept as proof of identity or authorization, rather than requiring each service to independently verify the original credentials. This pattern reduces how widely long-lived secrets like passwords or root API keys need to be shared, since temporary tokens can be scoped to specific permissions and expire automatically. A well-known implementation is AWS Security Token Service, which issues temporary, limited-privilege credentials for accessing AWS resources — commonly used for cross-account access, federated login (e.g., via Identity and Access Management (IAM) roles), and workloads running on EC2 or Lambda that need temporary credentials rather than permanent access keys. Similar concepts appear in broader identity standards like OAuth 2.0 token exchange and SAML assertions issued by an identity provider, and the resulting tokens are frequently handled alongside broader Secrets Management practice. Because implementations and exact mechanics vary significantly across vendors and standards, teams should consult vendor-specific documentation (such as AWS's own STS reference) when implementing token exchange flows; broader identity and access patterns are covered in Cloud Security Fundamentals.
Key Features
- Issues short-lived, scoped security tokens instead of long-lived secrets
- Acts as a trusted intermediary in federated authentication flows
- Reduces exposure of permanent credentials across systems
- AWS STS is a widely used implementation for temporary AWS credentials
- Supports cross-account access and federated identity scenarios
- Related to broader standards like OAuth 2.0 token exchange and SAML
Use Cases
Frequently Asked Questions
From the Blog
Cybersecurity for Developers: The OWASP Top 10 Explained
The OWASP Top 10 is the industry standard list of critical web application security risks. This guide explains each vulnerability, shows what an attack looks like, and gives concrete code fixes that every developer can implement today.
Read More AI & TechnologyLarge Language Models (LLMs) Explained for Beginners
An LLM predicts the next piece of text, one token at a time — this guide explains how ChatGPT, Claude, and Gemini actually work.
Read More AI & TechnologyHow Large Language Models Actually Work
LLMs seem magical until you understand what they are: next-token predictors trained on massive text corpora. This guide explains tokenisation, embeddings, the transformer architecture, attention mechanism, and how training works — without requiring a maths degree.
Read More